libnetwork: support encrypted overlay networks on systems without xt_u32 kernel module #45118
The xt_u32 kernel module provides the xtables u32 match, which allows firewall rules to be written which match on the contents of the raw packet. The libnetwork overlay network driver creates firewall rules using u32 matches to match the VXLAN ID (VNI) of VXLAN datagrams so that the rules are selectively applied only to packets associated with VXLANs for the overlay networks managed by the driver. RHEL/CentOS 8 no longer ship the xt_u32 kernel module by default, and RHEL/CentOS 9 do not build it at all.

- What I did

I added an alternative implementation of the iptables rules to the overlay driver which does not depend on the xt_u32 kernel module. It can be selected at compile-time using the libnetwork_overlay_bpf build tag.

- How I did it

I wrote a BPF filter which is a drop-in replacement for the u32 expression and used that filter with the xt_bpf kernel module to match using the filter in the iptables rules.

- How to verify it

Spin up a Swarm cluster with at least two nodes, at least one of which is v23.0.1 (to test back-compatibility). Create an encrypted overlay network, start a container on each node attached to the network, and verify that processes on one node's container can connect to processes listening in the other node's container.

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)
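As an added worked example (my own code, not the PR's or libnetwork's), the Go program below does what the "How I did it" section describes: it builds a classic BPF program that matches the VNI of a VXLAN datagram the way a u32 expression of the form `0>>22&0x3C@12&0xFFFFFF00=<vni<<8>` does (that exact expression is my assumption about the driver's u32 rule; the page only says the rule matches the VNI), renders it in the `"<n>,<code> <jt> <jf> <k>,..."` syntax that `iptables -m bpf --bytecode` accepts, and runs it through a small interpreter over constructed IPv4/UDP/VXLAN packets, one of them with IP options, so the header-length indirection is exercised without loading anything into a kernel. The opcode values come from `<linux/filter.h>`; the packets are constructed test input, not captures.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strconv"
	"strings"
)

// Classic BPF opcodes (values from <linux/filter.h>) used by the filter.
const (
	opLdxMsh = 0xb1 // BPF_LDX|BPF_B|BPF_MSH: X = 4 * (pkt[k] & 0x0f), i.e. IPv4 header length
	opLdInd  = 0x40 // BPF_LD|BPF_W|BPF_IND:  A = be32(pkt[X+k:])
	opAndK   = 0x54 // BPF_ALU|BPF_AND|BPF_K: A &= k
	opJeqK   = 0x15 // BPF_JMP|BPF_JEQ|BPF_K: pc += (A == k) ? jt : jf
	opRetK   = 0x06 // BPF_RET|BPF_K:         return k (non-zero = match)
)

type insn struct {
	code   uint16
	jt, jf uint8
	k      uint32
}

// vniMatchProgram builds a cBPF equivalent of the u32 expression
// "0>>22&0x3C@12&0xFFFFFF00=<vni<<8>" (assumed form of the driver's rule).
// xt_bpf runs the program over the packet starting at the IPv4 header, so
// offset 0 is the version/IHL byte, and the VXLAN VNI word sits 12 bytes past
// the end of the IP header (8 bytes of UDP header + 4 bytes of VXLAN flags).
func vniMatchProgram(vni uint32) []insn {
	return []insn{
		{code: opLdxMsh, k: 0},
		{code: opLdInd, k: 12},
		{code: opAndK, k: 0xffffff00},
		{code: opJeqK, jt: 0, jf: 1, k: vni << 8},
		{code: opRetK, k: 0xffffffff}, // match
		{code: opRetK, k: 0},          // no match
	}
}

// xtBPFBytecode renders the program in the form accepted by
// `iptables -m bpf --bytecode`.
func xtBPFBytecode(prog []insn) string {
	parts := []string{strconv.Itoa(len(prog))}
	for _, i := range prog {
		parts = append(parts, fmt.Sprintf("%d %d %d %d", i.code, i.jt, i.jf, i.k))
	}
	return strings.Join(parts, ",")
}

// runFilter is a minimal cBPF interpreter for the opcodes above. It returns the
// program's return value; an out-of-bounds load terminates with 0 (no match),
// as the kernel interpreter does.
func runFilter(prog []insn, pkt []byte) uint32 {
	var a, x uint32
	for pc := 0; pc < len(prog); pc++ {
		i := prog[pc]
		switch i.code {
		case opLdxMsh:
			if int(i.k) >= len(pkt) {
				return 0
			}
			x = uint32(pkt[i.k]&0x0f) * 4
		case opLdInd:
			off := int(x + i.k)
			if off+4 > len(pkt) {
				return 0
			}
			a = binary.BigEndian.Uint32(pkt[off:])
		case opAndK:
			a &= i.k
		case opJeqK:
			if a == i.k {
				pc += int(i.jt)
			} else {
				pc += int(i.jf)
			}
		case opRetK:
			return i.k
		default:
			return 0
		}
	}
	return 0
}

// vxlanPacket constructs an IPv4/UDP/VXLAN datagram with an IP header of ihl*4
// bytes (zero-filled options when ihl > 5) carrying the given VNI. Constructed
// test input: checksums and length fields are left zero.
func vxlanPacket(ihl int, vni uint32) []byte {
	ip := make([]byte, ihl*4)
	ip[0] = 0x40 | byte(ihl) // version 4, header length in 32-bit words
	ip[9] = 17               // protocol UDP
	udp := make([]byte, 8)
	binary.BigEndian.PutUint16(udp[2:], 4789) // VXLAN destination port
	vx := make([]byte, 8)
	vx[0] = 0x08                                // I flag: VNI is valid
	binary.BigEndian.PutUint32(vx[4:], vni<<8) // VNI in the upper 24 bits
	payload := []byte{0xde, 0xad, 0xbe, 0xef}   // stand-in for the inner frame
	return append(append(append(ip, udp...), vx...), payload...)
}

func main() {
	prog := vniMatchProgram(4097)
	fmt.Println(xtBPFBytecode(prog))
	fmt.Println("vni 4097, no IP options:", runFilter(prog, vxlanPacket(5, 4097)) != 0)
	fmt.Println("vni 4097, with IP options:", runFilter(prog, vxlanPacket(6, 4097)) != 0)
	fmt.Println("vni 4098:", runFilter(prog, vxlanPacket(5, 4098)) != 0)
	fmt.Println("truncated datagram:", runFilter(prog, vxlanPacket(5, 4097)[:30]) != 0)
}
```

Like the u32 match, this filter inspects only the VNI word and relies on the rest of the iptables rule (a UDP port match, for instance) to restrict it to VXLAN traffic; because it derives the UDP offset from the IHL field rather than assuming a 20-byte header, it keeps matching on datagrams that carry IP options, and the interpreter's bounds checks mirror the kernel's behaviour of failing closed on a datagram too short to contain a VXLAN header.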