142f46cac1

The iptables rules which make encryption mandatory on an encrypted overlay network are only programmed once there is a second node participating in the network. This leaves single-node encrypted overlay networks vulnerable to packet injection. Furthermore, failure to program the rules is not treated as a fatal error.

Program the iptables rules to make encryption mandatory before creating the VXLAN link to guarantee that there is no window of time where incoming cleartext VXLAN packets for the network would be accepted, or outgoing cleartext packets be transmitted. Only create the VXLAN link if programming the rules succeeds to ensure that it fails closed.

Signed-off-by: Cory Snider <csnider@mirantis.com>