beenull/moby
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #45280 from corhere/libnet/no-overlay-accept-rule

Browse source 
libnetwork/drivers/overlay: stop programming INPUT ACCEPT rule
This commit is contained in:
Sebastiaan van Stijn 2023-05-25 21:03:32 +02:00 committed by GitHub
commit d5dc675d37
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 0 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
libnetwork/drivers/overlay/encryption.go
View file

@ -274,12 +274,6 @@ func programInput(vni uint32, add bool) error {
return a
}
// Accept incoming VXLAN datagrams for the VNI which were subjected to IPSec processing.
// Append to the bottom of the chain to give administrator-configured rules precedence.
if err := iptable.ProgramRule(iptables.Filter, chain, action(iptables.Append), rule("ipsec", "ACCEPT")); err != nil {
return fmt.Errorf("could not %s input accept rule: %w", msg, err)
}
// Drop incoming VXLAN datagrams for the VNI which were received in cleartext.
// Insert at the top of the chain so the packets are dropped even if an
// administrator-configured rule exists which would otherwise unconditionally