Signed-off-by: Alessandro Boch <aboch@docker.com>
| ... | ... |
@@ -23,7 +23,7 @@ github.com/RackSec/srslog 456df3a81436d29ba874f3590eeeee25d666f8a5 |
| 23 | 23 |
github.com/imdario/mergo 0.2.1 |
| 24 | 24 |
|
| 25 | 25 |
#get libnetwork packages |
| 26 |
-github.com/docker/libnetwork bba65e5e191eccfbc8e2f6455c527b407c2be5ff |
|
| 26 |
+github.com/docker/libnetwork ce28404512e8fac9b8103b9072e75cf8d4339302 |
|
| 27 | 27 |
github.com/docker/go-events 18b43f1bc85d9cdd42c05a6cd2d444c7a200a894 |
| 28 | 28 |
github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80 |
| 29 | 29 |
github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec |
| ... | ... |
@@ -138,6 +138,11 @@ func setupEncryption(localIP, advIP, remoteIP net.IP, vni uint32, em *encrMap, k |
| 138 | 138 |
logrus.Warn(err) |
| 139 | 139 |
} |
| 140 | 140 |
|
| 141 |
+ err = programInput(vni, true) |
|
| 142 |
+ if err != nil {
|
|
| 143 |
+ logrus.Warn(err) |
|
| 144 |
+ } |
|
| 145 |
+ |
|
| 141 | 146 |
for i, k := range keys {
|
| 142 | 147 |
spis := &spi{buildSPI(advIP, remoteIP, k.tag), buildSPI(remoteIP, advIP, k.tag)}
|
| 143 | 148 |
dir := reverse |
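Review bot: The `if err != nil { logrus.Warn(err) }` added after `err = programInput(vni, true)` can never fire, because `programInput` (in the `@@ -219,6 +224,35 @@` hunk) declares a named result `err` but each `if err := iptables.ProgramRule(...)` inside it shadows that result, so the function always returns nil. Pick one layer to own the failure: either drop the named result and make this a plain call like `programMangle`, or assign without shadowing, `if err = iptables.ProgramRule(iptables.Filter, chain, action, accept); err != nil {` (and likewise for `block`), and keep only one of the two log lines. This matters because a DROP rule that failed to install leaves plaintext VXLAN for this VNI accepted on a network that is flagged secure, so the warning is worth making real. setupEncryption continues outside the hunk.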
| ... | ... |
@@ -219,6 +224,35 @@ func programMangle(vni uint32, add bool) (err error) {
|
| 219 | 219 |
return |
| 220 | 220 |
} |
| 221 | 221 |
|
| 222 |
+func programInput(vni uint32, add bool) (err error) {
|
|
| 223 |
+ var ( |
|
| 224 |
+ port = strconv.FormatUint(uint64(vxlanPort), 10) |
|
| 225 |
+ vniMatch = fmt.Sprintf("0>>22&0x3C@12&0xFFFFFF00=%d", int(vni)<<8)
|
|
| 226 |
+ plainVxlan = []string{"-p", "udp", "--dport", port, "-m", "u32", "--u32", vniMatch, "-j"}
|
|
| 227 |
+ ipsecVxlan = append([]string{"-m", "policy", "--dir", "in", "--pol", "ipsec"}, plainVxlan...)
|
|
| 228 |
+ block = append(plainVxlan, "DROP") |
|
| 229 |
+ accept = append(ipsecVxlan, "ACCEPT") |
|
| 230 |
+ chain = "INPUT" |
|
| 231 |
+ action = iptables.Append |
|
| 232 |
+ msg = "add" |
|
| 233 |
+ ) |
|
| 234 |
+ |
|
| 235 |
+ if !add {
|
|
| 236 |
+ action = iptables.Delete |
|
| 237 |
+ msg = "remove" |
|
| 238 |
+ } |
|
| 239 |
+ |
|
| 240 |
+ if err := iptables.ProgramRule(iptables.Filter, chain, action, accept); err != nil {
|
|
| 241 |
+ logrus.Errorf("could not %s input rule: %v. Please do it manually.", msg, err)
|
|
| 242 |
+ } |
|
| 243 |
+ |
|
| 244 |
+ if err := iptables.ProgramRule(iptables.Filter, chain, action, block); err != nil {
|
|
| 245 |
+ logrus.Errorf("could not %s input rule: %v. Please do it manually.", msg, err)
|
|
| 246 |
+ } |
|
| 247 |
+ |
|
| 248 |
+ return |
|
| 249 |
+} |
|
| 250 |
+ |
|
| 222 | 251 |
func programSA(localIP, remoteIP net.IP, spi *spi, k *key, dir int, add bool) (fSA *netlink.XfrmState, rSA *netlink.XfrmState, err error) {
|
| 223 | 252 |
var ( |
| 224 | 253 |
action = "Removing" |
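Review bot: `int(vni)<<8` in `vniMatch` overflows on a 32-bit `int` for VNIs of 0x800000 and above (a 24-bit VNI shifted left by 8 needs all 32 bits), so `%d` would print a negative number and the u32 match would not be the intended one; `uint64(vni)<<8` is safe on every GOARCH. The two `logrus.Errorf` messages are identical, so a log line cannot tell whether the ACCEPT or the DROP rule failed — `"could not %s input accept rule: %v. Please do it manually."` and `"could not %s input drop rule: %v. Please do it manually."` would distinguish them. The function also lacks a doc comment; it should say that it installs, for this VNI's VXLAN port, an ACCEPT for packets matching an inbound IPsec policy followed by an unconditional DROP, and that the order matters because both rules match the same packets and are appended to INPUT. Whether repeated `iptables.Append` calls for the same VNI accumulate duplicate rules depends on `ProgramRule`, which is not visible here — worth confirming if `setupEncryption` can run more than once per VNI.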
| ... | ... |
@@ -154,6 +154,7 @@ func (d *driver) CreateNetwork(id string, option map[string]interface{}, nInfo d
|
| 154 | 154 |
if !n.secure {
|
| 155 | 155 |
for _, vni := range vnis {
|
| 156 | 156 |
programMangle(vni, false) |
| 157 |
+ programInput(vni, false) |
|
| 157 | 158 |
} |
| 158 | 159 |
} |
| 159 | 160 |
|
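Review bot: The result of `programInput(vni, false)` is discarded here and in the DeleteNetwork hunk (`@@ -204,6 +205,7 @@`), mirroring the existing `programMangle(vni, false)` call; that is consistent while `programInput` logs internally, but if its named `err` result is made to propagate, these call sites should surface it, e.g. `if err := programInput(vni, false); err != nil { logrus.Warn(err) }`. The enclosing CreateNetwork begins outside the hunk.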
| ... | ... |
@@ -204,6 +205,7 @@ func (d *driver) DeleteNetwork(nid string) error {
|
| 204 | 204 |
if n.secure {
|
| 205 | 205 |
for _, vni := range vnis {
|
| 206 | 206 |
programMangle(vni, false) |
| 207 |
+ programInput(vni, false) |
|
| 207 | 208 |
} |
| 208 | 209 |
} |
| 209 | 210 |
|