From 88c1023ce35d9f882038864a6b39ed92da5dc47f Mon Sep 17 00:00:00 2001
From: Santhosh Manohar
Date: Sun, 28 May 2017 12:57:14 -0700
Subject: [PATCH] Fix container access issue when it moves across hosts
Signed-off-by: Santhosh Manohar
---
 drivers/overlay/ov_network.go | 2 +-
 osl/interface_linux.go | 44 +++++++++++++++++++++++++----------
 osl/options_linux.go | 6 +++++
 osl/sandbox.go | 4 ++++
 4 files changed, 43 insertions(+), 13 deletions(-)
diff --git a/drivers/overlay/ov_network.go b/drivers/overlay/ov_network.go
index 64e5744403..2b65cd68ef 100644
--- a/drivers/overlay/ov_network.go
+++ b/drivers/overlay/ov_network.go
@@ -439,7 +439,7 @@ func (n *network) restoreSubnetSandbox(s *subnet, brName, vxlanName string) erro
 Ifaces = make(map[string][]osl.IfaceOption)
 vxlanIfaceOption := make([]osl.IfaceOption, 1)
- vxlanIfaceOption = append(vxlanIfaceOption, sbox.InterfaceOptions().Master(brName))
+ vxlanIfaceOption = append(vxlanIfaceOption, sbox.InterfaceOptions().Master(brName), sbox.InterfaceOptions().DisableLearning())
 Ifaces[fmt.Sprintf("%s+%s", vxlanName, "vxlan")] = vxlanIfaceOption
 err = sbox.Restore(Ifaces, nil, nil, nil)
 if err != nil {
diff --git a/osl/interface_linux.go b/osl/interface_linux.go
index 8e8a830ce9..9c07cfc20a 100644
--- a/osl/interface_linux.go
+++ b/osl/interface_linux.go
@@ -19,18 +19,19 @@ import (
 type IfaceOption func(i *nwIface)
 type nwIface struct {
- srcName string
- dstName string
- master string
- dstMaster string
- mac net.HardwareAddr
- address *net.IPNet
- addressIPv6 *net.IPNet
- ipAliases []*net.IPNet
- llAddrs []*net.IPNet
- routes []*net.IPNet
- bridge bool
- ns *networkNamespace
+ srcName string
+ dstName string
+ master string
+ dstMaster string
+ mac net.HardwareAddr
+ address *net.IPNet
+ addressIPv6 *net.IPNet
+ ipAliases []*net.IPNet
+ llAddrs []*net.IPNet
+ routes []*net.IPNet
+ bridge bool
+ ns *networkNamespace
+ disableLearning bool
 sync.Mutex
 }
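Review bot: `vxlanIfaceOption := make([]osl.IfaceOption, 1)` followed by `append` leaves a nil IfaceOption at index 0 of the slice the new line extends; unless Restore skips nil options (not visible in this hunk), applying that entry will panic, so the allocation should be `vxlanIfaceOption := make([]osl.IfaceOption, 0, 2)`. Only the restore path is touched by this diff: if the regular subnet-setup path still adds the vxlan interface with only `Master(brName)`, MAC learning stays enabled on that bridge port until the daemon restarts, and the stale learned entry this commit presumably targets can still steer a moved container's traffic to the old host — worth confirming the setup path passes `DisableLearning()` as well. restoreSubnetSandbox starts and ends outside the hunk.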
@@ -130,6 +131,13 @@ func (n *networkNamespace) Interfaces() []Interface {
 return ifaces
 }
+func (i *nwIface) DisableLearning() bool {
+ i.Lock()
+ i.Unlock()
+
+ return i.disableLearning
+}
+
 func (i *nwIface) Remove() error {
 i.Lock()
 n := i.ns
@@ -338,6 +346,7 @@ func configureInterface(nlh *netlink.Handle, iface netlink.Link, i *nwIface) err
 {setInterfaceMaster, fmt.Sprintf("error setting interface %q master to %q", ifaceName, i.DstMaster())},
 {setInterfaceLinkLocalIPs, fmt.Sprintf("error setting interface %q link local IPs to %v", ifaceName, i.LinkLocalAddresses())},
 {setInterfaceIPAliases, fmt.Sprintf("error setting interface %q IP Aliases to %v", ifaceName, i.IPAliases())},
+ {disableLearning, fmt.Sprintf("disabling mac learning failed for interface %q", ifaceName)},
 }
 for _, config := range ifaceConfigurators {
@@ -409,6 +418,17 @@ func setInterfaceIPAliases(nlh *netlink.Handle, iface netlink.Link, i *nwIface)
 return nil
 }
+func disableLearning(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
+ if !i.DisableLearning() {
+ return nil
+ }
+ if i.DstMaster() == "" {
+ return fmt.Errorf("mac learning can be disabled only for slave interfaces")
+ }
+
+ return nlh.LinkSetLearning(iface, false)
+}
+
 func setInterfaceName(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
 return nlh.LinkSetName(iface, i.DstName())
 }
diff --git a/osl/options_linux.go b/osl/options_linux.go
index 64309d0506..c826aaed57 100644
--- a/osl/options_linux.go
+++ b/osl/options_linux.go
@@ -77,3 +77,9 @@ func (n *networkNamespace) Routes(routes []*net.IPNet) IfaceOption {
 i.routes = routes
 }
 }
+
+func (n *networkNamespace) DisableLearning() IfaceOption {
+ return func(i *nwIface) {
+ i.disableLearning = true
+ }
+}
diff --git a/osl/sandbox.go b/osl/sandbox.go
index 64288f9307..17aba177a0 100644
--- a/osl/sandbox.go
+++ b/osl/sandbox.go
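Review bot: The new `DisableLearning()` getter on nwIface releases the mutex before it reads the field — `i.Lock()` is immediately followed by `i.Unlock()`, so `return i.disableLearning` executes outside the critical section and the lock protects nothing. The second line should be `defer i.Unlock()`. The sibling getters are outside this hunk, but lock/defer-unlock is presumably the pairing they use, so this reads as a typo rather than an intentional choice.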
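Review bot: `disableLearning` in interface_linux.go is order-dependent in a way nothing documents: it only checks `i.DstMaster() == ""` and then calls `nlh.LinkSetLearning(iface, false)`, a bridge-port attribute, so it is correct only because the preceding hunk appends it after `setInterfaceMaster` in `ifaceConfigurators`. A comment above the function would pin that: `// disableLearning must run after setInterfaceMaster: the learning flag is a bridge-port attribute and only takes effect once the link is enslaved.` The new error string `"disabling mac learning failed for interface %q"` also departs from the `error setting interface %q …` pattern of the neighbouring entries; `"error disabling mac learning on interface %q"` would keep the list uniform.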
@@ -101,6 +101,10 @@ type IfaceOptionSetter interface {
 // Address returns an option setter to set interface routes.
 Routes([]*net.IPNet) IfaceOption
+
+ // DisableLearning returns an option setter to disable mac learning on a bridge
+ // interface
+ DisableLearning() IfaceOption
 }
 // Info represents all possible information that
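Review bot: The new doc comment on `DisableLearning()` says it disables MAC learning "on a bridge interface", but the implementation in osl/interface_linux.go rejects the option unless `DstMaster()` is set, i.e. it applies to an interface enslaved to a bridge (a bridge port), not to the bridge itself. Suggest `// DisableLearning returns an option setter to disable mac learning on an interface enslaved to a bridge; applying it to an interface without a master is an error.` so callers see the precondition from the interface. The IfaceOptionSetter declaration starts outside the hunk.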