--data-path-addr does not set listen address of VXLAN port

[mghahari]

Description

The docker swarm init command with --data-path-addr flag does not set the listen address of the VXLAN port.
This causes that VXLAN port be accessible on other interfaces that may be publicly accessible.
This makes security issues that discussed in following advisory:
GHSA-vwm3-crmr-xfxw

Is there way to limit listen address for VXLAN port?
I understand that we can block access to this port on other interface with firewall. But I think it's a expected behavior that when we specify this setting the listen address respect this setting. Like --listen-addr.

Reproduce

1. docker swarm init --data-path-addr 192.168.1.2
2. netstat -tulpn | grep 4789

Expected behavior

The VXLAN port be accessible just from specified address.

docker version

Client: Docker Engine - Community
 Version:           26.0.0
 API version:       1.45
 Go version:        go1.21.8
 Git commit:        2ae903e
 Built:             Wed Mar 20 15:18:01 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          26.0.0
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.21.8
  Git commit:       8b79278
  Built:            Wed Mar 20 15:18:01 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client: Docker Engine - Community
 Version:    26.0.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.13.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.25.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 18
  Running: 4
  Paused: 0
  Stopped: 14
 Images: 5
 Server Version: 26.0.0
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: active
  NodeID: mrybr34l4b8iik44zywl0z2bj
  Is Manager: true
  ClusterID: dvr986kw7xgjqpyzmvycmilne
  Managers: 1
  Nodes: 1
  Default Address Pool: 10.0.0.0/8  
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 192.168.1.2
  Manager Addresses:
   192.168.1.2:2377
 Runtimes: runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.1.0-9-amd64
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 961MiB
 Name: debian-s-1vcpu-1gb-sfo3-01
 ID: e88fe560-a36c-44bc-ba5a-1a481df0eb15
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

No response

[thaJeztah]

cc @corhere @akerouanton

[corhere]

--data-path-addr sets the destination address which remote nodes should use when forwarding VXLAN overlay traffic to the local node, like --advertise-addr for control plane traffic. It does not restrict which interfaces or source IP addresses the VXLAN socket is bound to, and never has. Unfortunately the implementation of VXLAN in Linux does not support binding to a specific interface or source IP address, either. Restricting access to the VXLAN port using firewall rules is unfortunately your only option.

[thaJeztah]

cc @dvdksn perhaps something to clarify in the docs (and maybe the flag description)

[mghahari]

@corhere thanks for your reply. I understand the usage of this flag and the linux limitation about vxlan.
As @thaJeztah mentioned, I think it should be clarified in the docs with a warning for possibility of security problem.
Another thing is that setting firewall rule for each new node we add to the cluster makes an extra step in the scaling process and makes it error prone. It is possible to use another implementation for VXLAN that supports interface binding but I think it's not feasible for this use case.