From 3b459012b6d0001f8ccd3237caae55dfe4722e96 Mon Sep 17 00:00:00 2001 From: zhongjiawei Date: Thu, 6 Apr 2023 15:04:13 +0800 Subject: [PATCH] docker:fix CVE-2023-28840 CVE-2023-28841 CVE-2023-28842 --- VERSION-vendor | 2 +- docker.spec | 8 +- git-commit | 2 +- ...erlay-extract-VNI-match-rule-builder.patch | 90 ++++++ ...verlay-document-some-encryption-code.patch | 143 +++++++++ ...-overlay-add-BPF-powered-VNI-matcher.patch | 276 ++++++++++++++++++ series.conf | 3 + 7 files changed, 521 insertions(+), 3 deletions(-) create mode 100644 patch/0255-docker-libnet-d-overlay-extract-VNI-match-rule-builder.patch create mode 100644 patch/0256-docker-libnet-d-overlay-document-some-encryption-code.patch create mode 100644 patch/0257-docker-libnet-d-overlay-add-BPF-powered-VNI-matcher.patch diff --git a/VERSION-vendor b/VERSION-vendor index ce8dfc3..7ba9d16 100644 --- a/VERSION-vendor +++ b/VERSION-vendor @@ -1 +1 @@ -18.09.0.322 +18.09.0.323 diff --git a/docker.spec b/docker.spec index 3195cac..7f8eca5 100644 --- a/docker.spec +++ b/docker.spec @@ -1,6 +1,6 @@ Name: docker-engine Version: 18.09.0 -Release: 322 +Release: 323 Epoch: 2 Summary: The open-source application container engine Group: Tools/Docker @@ -229,6 +229,12 @@ fi %endif %changelog +* Thu Apr 06 2023 zhongjiawei - 18.09.0-323 +- Type:CVE +- CVE:CVE-2023-28840,CVE-2023-28841,CVE-2023-28842 +- SUG:NA +- DESC:fix CVE-2023-28840,CVE-2023-28841,CVE-2023-28842 + * Wed Mar 29 2023 zhongjiawei - 18.09.0-322 - Type:bugfix - CVE:NA diff --git a/git-commit b/git-commit index 72b3530..d2dac95 100644 --- a/git-commit +++ b/git-commit @@ -1 +1 @@ -4c4d6bc65a4aed3a9f32ddce05f022aa79302364 +172f8daba189d1c50663a252a90b2780f13f7f87 diff --git a/patch/0255-docker-libnet-d-overlay-extract-VNI-match-rule-builder.patch b/patch/0255-docker-libnet-d-overlay-extract-VNI-match-rule-builder.patch new file mode 100644 index 0000000..684aa5c --- /dev/null +++ b/patch/0255-docker-libnet-d-overlay-extract-VNI-match-rule-builder.patch @@ -0,0 +1,90 @@ +From d95faf745be50c948cc26e5d870da8fb870de887 Mon Sep 17 00:00:00 2001 +From: Cory Snider +Date: Mon, 6 Mar 2023 17:50:30 -0500 +Subject: [PATCH] libnet/d/overlay: extract VNI match rule builder + +The iptables rule clause used to match on the VNI of VXLAN datagrams +looks like line noise to the uninitiated. It doesn't help that the +expression is repeated twice and neither copy has any commentary. +DRY out the rule builder to a common function, and document what the +rule does and how it works. + +Signed-off-by: Cory Snider +--- + .../libnetwork/drivers/overlay/encryption.go | 12 +++----- + .../drivers/overlay/encryption_u32.go | 30 +++++++++++++++++++ + 2 files changed, 34 insertions(+), 8 deletions(-) + create mode 100644 components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_u32.go + +diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go +index a97e73df82..be09c70d7a 100644 +--- a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go ++++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go +@@ -200,11 +200,9 @@ func removeEncryption(localIP, remoteIP net.IP, em *encrMap) error { + + func programMangle(vni uint32, add bool) (err error) { + var ( +- p = strconv.FormatUint(uint64(vxlanPort), 10) +- c = fmt.Sprintf("0>>22&0x3C@12&0xFFFFFF00=%d", int(vni)<<8) + m = strconv.FormatUint(uint64(r), 10) + chain = "OUTPUT" +- rule = []string{"-p", "udp", "--dport", p, "-m", "u32", "--u32", c, "-j", "MARK", "--set-mark", m} ++ rule = append(matchVXLAN(overlayutils.VXLANUDPPort(), vni), "-j", "MARK", "--set-mark", m) + a = "-A" + action = "install" + ) +@@ -227,12 +225,10 @@ func programMangle(vni uint32, add bool) (err error) { + + func programInput(vni uint32, add bool) (err error) { + var ( +- port = strconv.FormatUint(uint64(vxlanPort), 10) +- vniMatch = fmt.Sprintf("0>>22&0x3C@12&0xFFFFFF00=%d", int(vni)<<8) +- plainVxlan = []string{"-p", "udp", "--dport", port, "-m", "u32", "--u32", vniMatch, "-j"} ++ plainVxlan = matchVXLAN(overlayutils.VXLANUDPPort(), vni) + ipsecVxlan = append([]string{"-m", "policy", "--dir", "in", "--pol", "ipsec"}, plainVxlan...) +- block = append(plainVxlan, "DROP") +- accept = append(ipsecVxlan, "ACCEPT") ++ block = append(plainVxlan, "-j", "DROP") ++ accept = append(ipsecVxlan, "-j", "ACCEPT") + chain = "INPUT" + action = iptables.Append + msg = "add" +diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_u32.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_u32.go +new file mode 100644 +index 0000000000..c93f7c96fc +--- /dev/null ++++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_u32.go +@@ -0,0 +1,30 @@ ++package overlay ++ ++import ( ++ "fmt" ++ "strconv" ++) ++ ++// matchVXLAN returns an iptables rule fragment which matches VXLAN datagrams ++// with the given destination port and VXLAN Network ID utilizing the xt_u32 ++// netfilter kernel module. The returned slice's backing array is guaranteed not ++// to alias any other slice's. ++func matchVXLAN(port, vni uint32) []string { ++ dport := strconv.FormatUint(uint64(port), 10) ++ ++ // The u32 expression language is documented in iptables-extensions(8). ++ // https://ipset.netfilter.org/iptables-extensions.man.html#lbCK ++ // ++ // 0>>22&0x3C ; Compute number of octets in IPv4 header ++ // @ ; Make this the new offset into the packet ++ // ; (jump to start of UDP header) ++ // 12&0xFFFFFF00 ; Read 32-bit value at offset 12 and mask off the bottom octet ++ // = ; Test whether the value is equal to a constant ++ // ++ // A UDP header is eight octets long so offset 12 from the start of the ++ // UDP header is four octets into the payload: the VNI field of the ++ // VXLAN header. ++ vniMatch := fmt.Sprintf("0>>22&0x3C@12&0xFFFFFF00=%d", int(vni)<<8) ++ ++ return []string{"-p", "udp", "--dport", dport, "-m", "u32", "--u32", vniMatch} ++} +-- +2.33.0 + diff --git a/patch/0256-docker-libnet-d-overlay-document-some-encryption-code.patch b/patch/0256-docker-libnet-d-overlay-document-some-encryption-code.patch new file mode 100644 index 0000000..907d640 --- /dev/null +++ b/patch/0256-docker-libnet-d-overlay-document-some-encryption-code.patch @@ -0,0 +1,143 @@ +From e83ba81129646c3242ed96496cf2d503f977a2e0 Mon Sep 17 00:00:00 2001 +From: Cory Snider +Date: Tue, 7 Mar 2023 13:51:57 -0500 +Subject: [PATCH] libnet/d/overlay: document some encryption code + +The overlay-network encryption code is woefully under-documented, which +is especially problematic as it operates on under-documented kernel +interfaces. Document what I have puzzled out of the implementation for +the benefit of the next poor soul to touch this code. + +Signed-off-by: Cory Snider +--- + .../libnetwork/drivers/overlay/encryption.go | 46 +++++++++++++++---- + 1 file changed, 38 insertions(+), 8 deletions(-) + +diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go +index be09c70d7a..2084351624 100644 +--- a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go ++++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go +@@ -19,8 +19,31 @@ import ( + "github.com/vishvananda/netlink" + ) + ++/* ++Encrypted overlay networks use IPsec in transport mode to encrypt and ++authenticate the VXLAN UDP datagrams. This driver implements a bespoke control ++plane which negotiates the security parameters for each peer-to-peer tunnel. ++IPsec Terminology ++ - ESP: IPSec Encapsulating Security Payload ++ - SPI: Security Parameter Index ++ - ICV: Integrity Check Value ++ - SA: Security Association https://en.wikipedia.org/wiki/IPsec#Security_association ++Developer documentation for Linux IPsec is rather sparse online. The following ++slide deck provides a decent overview. ++https://libreswan.org/wiki/images/e/e0/Netdev-0x12-ipsec-flow.pdf ++The Linux IPsec stack is part of XFRM, the netlink packet transformation ++interface. ++https://man7.org/linux/man-pages/man8/ip-xfrm.8.html ++*/ ++ + const ( +- r = 0xD0C4E3 ++ // Value used to mark outgoing packets which should have our IPsec ++ // processing applied. It is also used as a label to identify XFRM ++ // states (Security Associations) and policies (Security Policies) ++ // programmed by us so we know which ones we can clean up without ++ // disrupting other VPN connections on the system. ++ mark = 0xD0C4E3 ++ + pktExpansion = 26 // SPI(4) + SeqN(4) + IV(8) + PadLength(1) + NextHeader(1) + ICV(8) + ) + +@@ -30,7 +53,9 @@ const ( + bidir + ) + +-var spMark = netlink.XfrmMark{Value: uint32(r), Mask: 0xffffffff} ++// Mark value for matching packets which should have our IPsec security policy ++// applied. ++var spMark = netlink.XfrmMark{Value: mark, Mask: 0xffffffff} + + type key struct { + value []byte +@@ -49,6 +74,9 @@ type spi struct { + reverse int + } + ++// Security Parameter Indices for the IPsec flows between local node and a ++// remote peer, which identify the Security Associations (XFRM states) to be ++// applied when encrypting and decrypting packets. + func (s *spi) String() string { + return fmt.Sprintf("SPI(FWD: 0x%x, REV: 0x%x)", uint32(s.forward), uint32(s.reverse)) + } +@@ -200,7 +228,7 @@ func removeEncryption(localIP, remoteIP net.IP, em *encrMap) error { + + func programMangle(vni uint32, add bool) (err error) { + var ( +- m = strconv.FormatUint(uint64(r), 10) ++ m = strconv.FormatUint(mark, 10) + chain = "OUTPUT" + rule = append(matchVXLAN(overlayutils.VXLANUDPPort(), vni), "-j", "MARK", "--set-mark", m) + a = "-A" +@@ -239,10 +267,12 @@ func programInput(vni uint32, add bool) (err error) { + msg = "remove" + } + ++ // Accept incoming VXLAN datagrams for the VNI which were subjected to IPSec processing. + if err := iptables.ProgramRule(iptables.Filter, chain, action, accept); err != nil { + logrus.Errorf("could not %s input rule: %v. Please do it manually.", msg, err) + } + ++ // Drop incoming VXLAN datagrams for the VNI which were received in cleartext. + if err := iptables.ProgramRule(iptables.Filter, chain, action, block); err != nil { + logrus.Errorf("could not %s input rule: %v. Please do it manually.", msg, err) + } +@@ -268,7 +298,7 @@ func programSA(localIP, remoteIP net.IP, spi *spi, k *key, dir int, add bool) (f + Proto: netlink.XFRM_PROTO_ESP, + Spi: spi.reverse, + Mode: netlink.XFRM_MODE_TRANSPORT, +- Reqid: r, ++ Reqid: mark, + } + if add { + rSA.Aead = buildAeadAlgo(k, spi.reverse) +@@ -294,7 +324,7 @@ func programSA(localIP, remoteIP net.IP, spi *spi, k *key, dir int, add bool) (f + Proto: netlink.XFRM_PROTO_ESP, + Spi: spi.forward, + Mode: netlink.XFRM_MODE_TRANSPORT, +- Reqid: r, ++ Reqid: mark, + } + if add { + fSA.Aead = buildAeadAlgo(k, spi.forward) +@@ -343,7 +373,7 @@ func programSP(fSA *netlink.XfrmState, rSA *netlink.XfrmState, add bool) error { + Proto: netlink.XFRM_PROTO_ESP, + Mode: netlink.XFRM_MODE_TRANSPORT, + Spi: fSA.Spi, +- Reqid: r, ++ Reqid: mark, + }, + }, + } +@@ -557,7 +587,7 @@ func updateNodeKey(lIP, aIP, rIP net.IP, idxs []*spi, curKeys []*key, newIdx, pr + Proto: netlink.XFRM_PROTO_ESP, + Mode: netlink.XFRM_MODE_TRANSPORT, + Spi: fSA2.Spi, +- Reqid: r, ++ Reqid: mark, + }, + }, + } +@@ -624,7 +654,7 @@ func clearEncryptionStates() { + } + } + for _, sa := range saList { +- if sa.Reqid == r { ++ if sa.Reqid == mark { + if err := nlh.XfrmStateDel(&sa); err != nil { + logrus.Warnf("Failed to delete stale SA %s: %v", sa, err) + continue +-- +2.33.0 + diff --git a/patch/0257-docker-libnet-d-overlay-add-BPF-powered-VNI-matcher.patch b/patch/0257-docker-libnet-d-overlay-add-BPF-powered-VNI-matcher.patch new file mode 100644 index 0000000..58b58af --- /dev/null +++ b/patch/0257-docker-libnet-d-overlay-add-BPF-powered-VNI-matcher.patch @@ -0,0 +1,276 @@ +From a8d7747e2ebc37b63558475b73e1d0a2dee2625e Mon Sep 17 00:00:00 2001 +From: Cory Snider +Date: Fri, 10 Mar 2023 15:29:27 -0500 +Subject: [PATCH] libnet/d/overlay: add BPF-powered VNI matcher + +Some newer distros such as RHEL 9 have stopped making the xt_u32 kernel +module available with the kernels they ship. They do ship the xt_bpf +kernel module, which can do everything xt_u32 can and more. Add an +alternative implementation of the iptables match rule which uses xt_bpf +to implement exactly the same logic as the u32 filter using a BPF +program. Try programming the BPF-powered rules as a fallback when +programming the u32-powered rules fails. + +Signed-off-by: Cory Snider +--- + .../docker/libnetwork/drivers/overlay/bpf.go | 47 +++++++++++++++++++ + .../libnetwork/drivers/overlay/bpf_test.go | 14 ++++++ + .../libnetwork/drivers/overlay/encryption.go | 37 +++++++++++++-- + .../drivers/overlay/encryption_bpf.go | 17 +++++++ + .../drivers/overlay/encryption_u32.go | 10 ++-- + .../drivers/overlay/overlayutils/utils.go | 46 ++++++++++++++++++ + 6 files changed, 162 insertions(+), 9 deletions(-) + create mode 100644 components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/bpf.go + create mode 100644 components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/bpf_test.go + create mode 100644 components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_bpf.go + create mode 100644 components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/overlayutils/utils.go + +diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/bpf.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/bpf.go +new file mode 100644 +index 00000000..cb96fb7a +--- /dev/null ++++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/bpf.go +@@ -0,0 +1,47 @@ ++package overlay ++ ++import ( ++ "fmt" ++ "strings" ++ ++ "golang.org/x/net/bpf" ++) ++ ++// vniMatchBPF returns a BPF program suitable for passing to the iptables bpf ++// match which matches on the VXAN Network ID of encapsulated packets. The ++// program assumes that it will be used in a rule which only matches UDP ++// datagrams. ++func vniMatchBPF(vni uint32) []bpf.RawInstruction { ++ asm, err := bpf.Assemble([]bpf.Instruction{ ++ bpf.LoadMemShift{Off: 0}, // ldx 4*([0] & 0xf) ; Load length of IPv4 header into X ++ bpf.LoadIndirect{Off: 12, Size: 4}, // ld [x + 12] ; Load VXLAN ID (UDP header + 4 bytes) into A ++ bpf.ALUOpConstant{Op: bpf.ALUOpAnd, Val: 0xffffff00}, // and #0xffffff00 ; VXLAN ID is in top 24 bits ++ bpf.JumpIf{Cond: bpf.JumpEqual, Val: vni << 8, SkipTrue: 1}, // jeq ($vni << 8), match ++ bpf.RetConstant{Val: 0}, // ret #0 ++ bpf.RetConstant{Val: ^uint32(0)}, // match: ret #-1 ++ }) ++ // bpf.Assemble() only errors if an instruction is invalid. As the only variable ++ // part of the program is an instruction value for which the entire range is ++ // valid, whether the program can be successfully assembled is independent of ++ // the input. Given that the only recourse is to fix this function and ++ // recompile, there's little value in bubbling the error up to the caller. ++ if err != nil { ++ panic(err) ++ } ++ return asm ++} ++ ++// marshalXTBPF marshals a BPF program into the "decimal" byte code format ++// which is suitable for passing to the [iptables bpf match]. ++// ++// iptables -m bpf --bytecode ++// ++// [iptables bpf match]: https://ipset.netfilter.org/iptables-extensions.man.html#lbAH ++func marshalXTBPF(prog []bpf.RawInstruction) string { //nolint:unused ++ var b strings.Builder ++ fmt.Fprintf(&b, "%d", len(prog)) ++ for _, ins := range prog { ++ fmt.Fprintf(&b, ",%d %d %d %d", ins.Op, ins.Jt, ins.Jf, ins.K) ++ } ++ return b.String() ++} +diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/bpf_test.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/bpf_test.go +new file mode 100644 +index 00000000..f636d14e +--- /dev/null ++++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/bpf_test.go +@@ -0,0 +1,14 @@ ++package overlay ++ ++import ( ++ "testing" ++) ++ ++func FuzzVNIMatchBPFDoesNotPanic(f *testing.F) { ++ for _, seed := range []uint32{0, 1, 42, 0xfffffe, 0xffffff, 0xfffffffe, 0xffffffff} { ++ f.Add(seed) ++ } ++ f.Fuzz(func(t *testing.T, vni uint32) { ++ _ = vniMatchBPF(vni) ++ }) ++} +diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go +index 20843516..513de71e 100644 +--- a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go ++++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go +@@ -1,3 +1,6 @@ ++//go:build linux ++// +build linux ++ + package overlay + + import ( +@@ -12,9 +15,11 @@ import ( + + "strconv" + ++ "github.com/docker/libnetwork/drivers/overlay/overlayutils" + "github.com/docker/libnetwork/iptables" + "github.com/docker/libnetwork/ns" + "github.com/docker/libnetwork/types" ++ "github.com/hashicorp/go-multierror" + "github.com/sirupsen/logrus" + "github.com/vishvananda/netlink" + ) +@@ -226,7 +231,31 @@ func removeEncryption(localIP, remoteIP net.IP, em *encrMap) error { + return nil + } + +-func programMangle(vni uint32, add bool) (err error) { ++type matchVXLANFunc func(port, vni uint32) []string ++ ++// programVXLANRuleFunc returns a function which tries calling programWithMatch ++// with the u32 match, falling back to the BPF match if installing u32 variant ++// of the rules fails. ++func programVXLANRuleFunc(programWithMatch func(matchVXLAN matchVXLANFunc, vni uint32, add bool) error) func(vni uint32, add bool) error { ++ return func(vni uint32, add bool) error { ++ if add { ++ if err := programWithMatch(matchVXLANWithU32, vni, add); err != nil { ++ // That didn't work. Maybe the xt_u32 module isn't available? Try again with xt_bpf. ++ err2 := programWithMatch(matchVXLANWithBPF, vni, add) ++ if err2 != nil { ++ return multierror.Append(err, err2) ++ } ++ } ++ return nil ++ } else { ++ // Delete both flavours. ++ err := programWithMatch(matchVXLANWithU32, vni, add) ++ return multierror.Append(err, programWithMatch(matchVXLANWithBPF, vni, add)).ErrorOrNil() ++ } ++ } ++} ++ ++var programMangle = programVXLANRuleFunc(func(matchVXLAN matchVXLANFunc, vni uint32, add bool) (err error) { + var ( + m = strconv.FormatUint(mark, 10) + chain = "OUTPUT" +@@ -249,9 +278,9 @@ func programMangle(vni uint32, add bool) (err error) { + } + + return +-} ++}) + +-func programInput(vni uint32, add bool) (err error) { ++var programInput = programVXLANRuleFunc(func(matchVXLAN matchVXLANFunc, vni uint32, add bool) (err error) { + var ( + plainVxlan = matchVXLAN(overlayutils.VXLANUDPPort(), vni) + ipsecVxlan = append([]string{"-m", "policy", "--dir", "in", "--pol", "ipsec"}, plainVxlan...) +@@ -278,7 +307,7 @@ func programInput(vni uint32, add bool) (err error) { + } + + return +-} ++}) + + func programSA(localIP, remoteIP net.IP, spi *spi, k *key, dir int, add bool) (fSA *netlink.XfrmState, rSA *netlink.XfrmState, err error) { + var ( +diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_bpf.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_bpf.go +new file mode 100644 +index 00000000..de57c217 +--- /dev/null ++++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_bpf.go +@@ -0,0 +1,17 @@ ++package overlay ++ ++import ( ++ "strconv" ++) ++ ++// matchVXLANWithBPF returns an iptables rule fragment which matches VXLAN ++// datagrams with the given destination port and VXLAN Network ID utilizing the ++// xt_bpf netfilter kernel module. The returned slice's backing array is ++// guaranteed not to alias any other slice's. ++func matchVXLANWithBPF(port, vni uint32) []string { ++ dport := strconv.FormatUint(uint64(port), 10) ++ vniMatch := marshalXTBPF(vniMatchBPF(vni)) ++ ++ // https://ipset.netfilter.org/iptables-extensions.man.html#lbAH ++ return []string{"-p", "udp", "--dport", dport, "-m", "bpf", "--bytecode", vniMatch} ++} +diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_u32.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_u32.go +index c93f7c96..94a74031 100644 +--- a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_u32.go ++++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_u32.go +@@ -5,11 +5,11 @@ import ( + "strconv" + ) + +-// matchVXLAN returns an iptables rule fragment which matches VXLAN datagrams +-// with the given destination port and VXLAN Network ID utilizing the xt_u32 +-// netfilter kernel module. The returned slice's backing array is guaranteed not +-// to alias any other slice's. +-func matchVXLAN(port, vni uint32) []string { ++// matchVXLANWithU32 returns an iptables rule fragment which matches VXLAN ++// datagrams with the given destination port and VXLAN Network ID utilizing the ++// xt_u32 netfilter kernel module. The returned slice's backing array is ++// guaranteed not to alias any other slice's. ++func matchVXLANWithU32(port, vni uint32) []string { + dport := strconv.FormatUint(uint64(port), 10) + + // The u32 expression language is documented in iptables-extensions(8). +diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/overlayutils/utils.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/overlayutils/utils.go +new file mode 100644 +index 00000000..73136e8e +--- /dev/null ++++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/overlayutils/utils.go +@@ -0,0 +1,46 @@ ++// Package overlayutils provides utility functions for overlay networks ++package overlayutils ++ ++import ( ++ "fmt" ++ "sync" ++) ++ ++var ( ++ mutex sync.RWMutex ++ vxlanUDPPort uint32 ++) ++ ++const defaultVXLANUDPPort = 4789 ++ ++func init() { ++ vxlanUDPPort = defaultVXLANUDPPort ++} ++ ++// ConfigVXLANUDPPort configures the VXLAN UDP port (data path port) number. ++// If no port is set, the default (4789) is returned. Valid port numbers are ++// between 1024 and 49151. ++func ConfigVXLANUDPPort(vxlanPort uint32) error { ++ if vxlanPort == 0 { ++ vxlanPort = defaultVXLANUDPPort ++ } ++ // IANA procedures for each range in detail ++ // The Well Known Ports, aka the System Ports, from 0-1023 ++ // The Registered Ports, aka the User Ports, from 1024-49151 ++ // The Dynamic Ports, aka the Private Ports, from 49152-65535 ++ // So we can allow range between 1024 to 49151 ++ if vxlanPort < 1024 || vxlanPort > 49151 { ++ return fmt.Errorf("VXLAN UDP port number is not in valid range (1024-49151): %d", vxlanPort) ++ } ++ mutex.Lock() ++ vxlanUDPPort = vxlanPort ++ mutex.Unlock() ++ return nil ++} ++ ++// VXLANUDPPort returns Vxlan UDP port number ++func VXLANUDPPort() uint32 { ++ mutex.RLock() ++ defer mutex.RUnlock() ++ return vxlanUDPPort ++} +-- +2.33.0 + diff --git a/series.conf b/series.conf index 331804f..96aee21 100644 --- a/series.conf +++ b/series.conf @@ -252,4 +252,7 @@ patch/0251-docker-daemon-containerStart-fix-unhandled-error-for-saveAp.patch patch/0252-docker-Prevent-panic-on-network-attach.patch patch/0253-docker-build-fix-panic-when-exporting-to-tar.patch patch/0254-docker-bugfix-fetch-the-right-device-number-which-great-tha.patch +patch/0255-docker-libnet-d-overlay-extract-VNI-match-rule-builder.patch +patch/0256-docker-libnet-d-overlay-document-some-encryption-code.patch +patch/0257-docker-libnet-d-overlay-add-BPF-powered-VNI-matcher.patch #end -- Gitee