Merge pull request #1652 from aboch/iec

Once a network is encrypted, do not accept clear packets from it
2022-11-09 12:21:53 -05:00 · 2017-02-19 12:26:59 -08:00 · 2017-02-19 12:26:59 -08:00 · f6b3b3675c
commit f6b3b3675c
parent 1b8c4b421b 91f5b1669e
2 changed files with 36 additions and 0 deletions
--- a/libnetwork/drivers/overlay/encryption.go
+++ b/libnetwork/drivers/overlay/encryption.go
@ -138,6 +138,11 @@ func setupEncryption(localIP, advIP, remoteIP net.IP, vni uint32, em *encrMap, k
 		logrus.Warn(err)
 	}

+	err = programInput(vni, true)
+	if err != nil {
+		logrus.Warn(err)
+	}
+
 	for i, k := range keys {
 		spis := &spi{buildSPI(advIP, remoteIP, k.tag), buildSPI(remoteIP, advIP, k.tag)}
 		dir := reverse
@ -219,6 +224,35 @@ func programMangle(vni uint32, add bool) (err error) {
 	return
 }

+func programInput(vni uint32, add bool) (err error) {
+	var (
+		port       = strconv.FormatUint(uint64(vxlanPort), 10)
+		vniMatch   = fmt.Sprintf("0>>22&0x3C@12&0xFFFFFF00=%d", int(vni)<<8)
+		plainVxlan = []string{"-p", "udp", "--dport", port, "-m", "u32", "--u32", vniMatch, "-j"}
+		ipsecVxlan = append([]string{"-m", "policy", "--dir", "in", "--pol", "ipsec"}, plainVxlan...)
+		block      = append(plainVxlan, "DROP")
+		accept     = append(ipsecVxlan, "ACCEPT")
+		chain      = "INPUT"
+		action     = iptables.Append
+		msg        = "add"
+	)
+
+	if !add {
+		action = iptables.Delete
+		msg = "remove"
+	}
+
+	if err := iptables.ProgramRule(iptables.Filter, chain, action, accept); err != nil {
+		logrus.Errorf("could not %s input rule: %v. Please do it manually.", msg, err)
+	}
+
+	if err := iptables.ProgramRule(iptables.Filter, chain, action, block); err != nil {
+		logrus.Errorf("could not %s input rule: %v. Please do it manually.", msg, err)
+	}
+
+	return
+}
+
 func programSA(localIP, remoteIP net.IP, spi *spi, k *key, dir int, add bool) (fSA *netlink.XfrmState, rSA *netlink.XfrmState, err error) {
 	var (
 		action      = "Removing"
--- a/libnetwork/drivers/overlay/ov_network.go
+++ b/libnetwork/drivers/overlay/ov_network.go
@ -154,6 +154,7 @@ func (d *driver) CreateNetwork(id string, option map[string]interface{}, nInfo d
 	if !n.secure {
 		for _, vni := range vnis {
 			programMangle(vni, false)
+			programInput(vni, false)
 		}
 	}

@ -204,6 +205,7 @@ func (d *driver) DeleteNetwork(nid string) error {
 	if n.secure {
 		for _, vni := range vnis {
 			programMangle(vni, false)
+			programInput(vni, false)
 		}
 	}