From f6ff82666dd6d03d21e1a880cb8d406434fdad85 Mon Sep 17 00:00:00 2001
From: Cory Snider
Date: Fri, 26 May 2023 14:36:34 -0400
Subject: [PATCH] libn/d/overlay: support encryption on any port
While the VXLAN interface and the iptables rules to mark outgoing VXLAN packets for encryption are configured to use the Swarm data path port, the XFRM policies for actually applying the encryption are hardcoded to match packets with destination port 4789/udp. Consequently, encrypted overlay networks do not pass traffic when the Swarm is configured with any other data path port: encryption is not applied to the outgoing VXLAN packets and the destination host drops the received cleartext packets. Use the configured data path port instead of hardcoding port 4789 in the XFRM policies.
Signed-off-by: Cory Snider
(cherry picked from commit 9a692a38028f4914a3a914c9a229e61bb3fbaf66)
Signed-off-by: Cory Snider
---
libnetwork/drivers/overlay/encryption.go | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/libnetwork/drivers/overlay/encryption.go b/libnetwork/drivers/overlay/encryption.go
index 5b76f7793d..4896d3fbf4 100644
--- a/libnetwork/drivers/overlay/encryption.go
+++ b/libnetwork/drivers/overlay/encryption.go
@@ -400,8 +400,8 @@ func programSP(fSA *netlink.XfrmState, rSA *netlink.XfrmState, add bool) error {
 Src: &net.IPNet{IP: s, Mask: fullMask},
 Dst: &net.IPNet{IP: d, Mask: fullMask},
 Dir: netlink.XFRM_DIR_OUT,
- Proto: 17,
- DstPort: 4789,
+ Proto: syscall.IPPROTO_UDP,
+ DstPort: int(overlayutils.VXLANUDPPort()),
 Mark: &spMark,
 Tmpls: []netlink.XfrmPolicyTmpl{
 {
@@ -614,8 +614,8 @@ func updateNodeKey(lIP, aIP, rIP net.IP, idxs []*spi, curKeys []*key, newIdx, pr
 Src: &net.IPNet{IP: s, Mask: fullMask},
 Dst: &net.IPNet{IP: d, Mask: fullMask},
 Dir: netlink.XFRM_DIR_OUT,
- Proto: 17,
- DstPort: 4789,
+ Proto: syscall.IPPROTO_UDP,
+ DstPort: int(overlayutils.VXLANUDPPort()),
 Mark: &spMark,
 Tmpls: []netlink.XfrmPolicyTmpl{
 {
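Review bot: The outbound XfrmPolicy literal (Src/Dst, Dir OUT, Proto, DstPort, Mark, Tmpls) is still spelled out twice, here in programSP and again in updateNodeKey in the second hunk, and the two hardcoded `DstPort: 4789` values this commit replaces were missed precisely because each site carried its own copy of the policy. Consider building that policy in one private helper taking s, d and spMark that both functions call, so the protocol, port and mark selector are defined at a single point. Wherever the port is read, the selector deserves a comment tying it to its invariant: `// Must match the VXLAN interface and the iptables mark rule; a mismatched port leaves outgoing VXLAN packets in cleartext.` Note also that `overlayutils.VXLANUDPPort()` is read from package state at the moment the policy is programmed, so a policy installed before any later port change would keep the old port — presumably the port is fixed before the driver programs any SP, but that ordering is not visible in this diff. Both enclosing functions begin and end outside their hunks.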