GO-2024-2801: Calico privilege escalation vulnerability in github.com/projectcalico/calico

vxlanfdb

package

v1.11.0-cni-plu...-ddfc3b1 Latest Latest Go to latest Published: Nov 20, 2024 License: Apache-2.0, Apache-2.0 Imports: 14 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/projectcalico/calico

Documentation ¶

Index ¶

Variables
type VTEP
type VXLANFDB
- func New(family int, ifaceName string, featureDetector environment.FeatureDetectorIface, ...) *VXLANFDB
type VXLANFDBOption
- func WithNetlinkHandleShim(newNetlinkHandle func() (netlinkshim.Interface, error)) VXLANFDBOption

Constants ¶

This section is empty.

Variables ¶

View Source

var ErrLinkDown = fmt.Errorf("VXLAN device is down")

Functions ¶

This section is empty.

Types ¶

type VTEP ¶

type VTEP struct {
	// HostIP is the remote node's real IP address; the IP that we send the
	// VXLAN packets to.
	HostIP ip.Addr
	// TunnelIP is the IP of the remote tunnel device, which we use as
	// a gateway for the remote workloads..
	TunnelIP ip.Addr
	// TunnelMAC is the MAC address of the remote tunnel device.
	TunnelMAC net.HardwareAddr
}

type VXLANFDB ¶

type VXLANFDB struct {
	// contains filtered or unexported fields
}

VXLANFDB manages the FDB and ARP/NDP entries for a VXLAN device. I.e. all the layer-2 state for the VXLAN device.

Overall, we use VXLAN to create a layer 3 routed network. We do that by

Giving each node a "tunnel IP" which is an IP on the Calico VXLAN network. this IP is allocated from a VXLAN IP pool.
(In this object) setting up static ARP/NDP entries for the tunnel IPs.
(In this object) setting up static FDB entries for the tunnel MACs.
(Elsewhere) setting up a routes to remote workloads via the tunnel IPs.

ARP/NDP entries and FDB entries are confusingly similar(!) Both are MAC/IP tuples, but they mean very different things. ARP/NDP entries tell the kernel what MAC address to use for the inner ethernet frame inside the VXLAN packet. FDB entries tell the kernel what IP address to use for the outer IP header, given a particular inner MAC. So, ARP maps IP->(inner)MAC; FDB maps (inner)MAC->(outer)IP.

From a packet's point of view, routing works like this:

A local workload or this host sends a packet to a remote workload.
The packet hits a route of the form <remote workload IPAM block> via <remote tunnel IP> dev <VXLAN device> onlink which sends it to the VXLAN device for encapsulation.
The ARP entry resolves the remote tunnel IP to the remote tunnel MAC.
The FDP entry resolves the remote tunnel MAC to the remote host's real IP.
The packet is encapsulated and sent to the remote host's real IP.

func New ¶

func New(
	family int,
	ifaceName string,
	featureDetector environment.FeatureDetectorIface,
	netlinkTimeout time.Duration,
	opts ...VXLANFDBOption,
) *VXLANFDB

func (*VXLANFDB) Apply ¶

func (f *VXLANFDB) Apply() error

func (*VXLANFDB) OnIfaceStateChanged ¶

func (f *VXLANFDB) OnIfaceStateChanged(ifaceName string, state ifacemonitor.State)

func (*VXLANFDB) QueueResync ¶

func (f *VXLANFDB) QueueResync()

func (*VXLANFDB) SetVTEPs ¶

func (f *VXLANFDB) SetVTEPs(vteps []VTEP)

type VXLANFDBOption ¶

type VXLANFDBOption func(*VXLANFDB)

func WithNetlinkHandleShim ¶

func WithNetlinkHandleShim(newNetlinkHandle func() (netlinkshim.Interface, error)) VXLANFDBOption

Source Files ¶

View all Source files

vxlan_fdb.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL