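package overlay

import (
	"fmt"
	"strconv"
)

// matchVXLANWithU32 returns an iptables rule fragment which matches VXLAN
// datagrams with the given destination port and VXLAN Network ID utilizing the
// xt_u32 netfilter kernel module. The returned slice's backing array is
// guaranteed not to alias any other slice's.
//
// vni must fit in the 24-bit VNI field (vni <= 0xFFFFFF). A larger value
// produces a comparison constant that does not fit in 32 bits and so can never
// equal the masked header word (iptables may also reject the rule outright),
// meaning a rule built from it matches nothing. Callers that depend on the
// rule to select or drop traffic must validate the VNI before calling this.
func matchVXLANWithU32(port, vni uint32) []string {
	dport := strconv.FormatUint(uint64(port), 10)

	// The u32 expression language is documented in iptables-extensions(8).
	// https://ipset.netfilter.org/iptables-extensions.man.html#lbCK
	//
	// 0>>22&0x3C    ; Compute number of octets in IPv4 header
	// @             ; Make this the new offset into the packet
	//               ; (jump to start of UDP header)
	// 12&0xFFFFFF00 ; Read 32-bit value at offset 12 and mask off the bottom octet
	// =             ; Test whether the value is equal to a constant
	//
	// A UDP header is eight octets long so offset 12 from the start of the
	// UDP header is four octets into the payload: the VNI field of the
	// VXLAN header. The VNI occupies the top three octets of that word and
	// the bottom octet is reserved, hence the 0xFFFFFF00 mask on the packet
	// side and the <<8 on the constant side.
	//
	// The constant is widened to uint64 before shifting. On a 32-bit GOARCH
	// `int` is 32 bits wide, so int(vni)<<8 wraps negative for any
	// vni >= 0x800000 and would be rendered as e.g. "-256", which is not a
	// valid u32 constant and would break the rule for exactly those VNIs.
	vniMatch := fmt.Sprintf("0>>22&0x3C@12&0xFFFFFF00=%d", uint64(vni)<<8)

	return []string{"-p", "udp", "--dport", dport, "-m", "u32", "--u32", vniMatch}
}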