Fix container access issue when it moves across hosts

drivers/overlay/ov_network.go

@@ -439,7 +439,7 @@ func (n *network) restoreSubnetSandbox(s *subnet, brName, vxlanName string) erro
 
 	Ifaces = make(map[string][]osl.IfaceOption)
 	vxlanIfaceOption := make([]osl.IfaceOption, 1)
-	vxlanIfaceOption = append(vxlanIfaceOption, sbox.InterfaceOptions().Master(brName))
+	vxlanIfaceOption = append(vxlanIfaceOption, sbox.InterfaceOptions().Master(brName), sbox.InterfaceOptions().DisableLearning())
 	Ifaces[fmt.Sprintf("%s+%s", vxlanName, "vxlan")] = vxlanIfaceOption
 	err = sbox.Restore(Ifaces, nil, nil, nil)
 	if err != nil {

osl/interface_linux.go

@@ -19,18 +19,19 @@ import (
 type IfaceOption func(i *nwIface)
 
 type nwIface struct {
-	srcName     string
-	dstName     string
-	master      string
-	dstMaster   string
-	mac         net.HardwareAddr
-	address     *net.IPNet
-	addressIPv6 *net.IPNet
-	ipAliases   []*net.IPNet
-	llAddrs     []*net.IPNet
-	routes      []*net.IPNet
-	bridge      bool
-	ns          *networkNamespace
+	srcName         string
+	dstName         string
+	master          string
+	dstMaster       string
+	mac             net.HardwareAddr
+	address         *net.IPNet
+	addressIPv6     *net.IPNet
+	ipAliases       []*net.IPNet
+	llAddrs         []*net.IPNet
+	routes          []*net.IPNet
+	bridge          bool
+	ns              *networkNamespace
+	disableLearning bool
 	sync.Mutex
 }
 
@@ -130,6 +131,13 @@ func (n *networkNamespace) Interfaces() []Interface {
 	return ifaces
 }
 
+func (i *nwIface) DisableLearning() bool {
+	i.Lock()
+	i.Unlock()
+
+	return i.disableLearning
+}
+
 func (i *nwIface) Remove() error {
 	i.Lock()
 	n := i.ns
@@ -338,6 +346,7 @@ func configureInterface(nlh *netlink.Handle, iface netlink.Link, i *nwIface) err
 		{setInterfaceMaster, fmt.Sprintf("error setting interface %q master to %q", ifaceName, i.DstMaster())},
 		{setInterfaceLinkLocalIPs, fmt.Sprintf("error setting interface %q link local IPs to %v", ifaceName, i.LinkLocalAddresses())},
 		{setInterfaceIPAliases, fmt.Sprintf("error setting interface %q IP Aliases to %v", ifaceName, i.IPAliases())},
+		{disableLearning, fmt.Sprintf("disabling mac learning failed for interface %q", ifaceName)},
 	}
 
 	for _, config := range ifaceConfigurators {
@@ -409,6 +418,17 @@ func setInterfaceIPAliases(nlh *netlink.Handle, iface netlink.Link, i *nwIface)
 	return nil
 }
 
+func disableLearning(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
+	if !i.DisableLearning() {
+		return nil
+	}
+	if i.DstMaster() == "" {
+		return fmt.Errorf("mac learning can be disabled only for slave interfaces")
+	}
+
+	return nlh.LinkSetLearning(iface, false)
+}
+
 func setInterfaceName(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
 	return nlh.LinkSetName(iface, i.DstName())
 }

osl/options_linux.go

@@ -77,3 +77,9 @@ func (n *networkNamespace) Routes(routes []*net.IPNet) IfaceOption {
 		i.routes = routes
 	}
 }
+
+func (n *networkNamespace) DisableLearning() IfaceOption {
+	return func(i *nwIface) {
+		i.disableLearning = true
+	}
+}

osl/sandbox.go

@@ -101,6 +101,10 @@ type IfaceOptionSetter interface {
 
 	// Address returns an option setter to set interface routes.
 	Routes([]*net.IPNet) IfaceOption
+
+	// DisableLearning returns an option setter to disable mac learning on a bridge
+	// interface
+	DisableLearning() IfaceOption
 }
 
 // Info represents all possible information that