bridge: Add macspoofchk support
The new macspoofchk field is added to the bridge plugin to support anti-mac-spoofing. When the parameter is enabled, traffic is limited to the mac addresses of the container interface (the veth peer that is placed in the container ns). Any traffic that exits the pod is checked against the source mac address that is expected. If the mac address is different, the frames are dropped. The implementation is using nftables and should only be used on nodes that support it. Signed-off-by: Edward Haas <edwardh@redhat.com>
This commit is contained in:
Edward Haas
6
vendor/modules.txt
vendored
6
vendor/modules.txt
vendored
@ -84,6 +84,12 @@ github.com/j-keck/arping
|
||||
# github.com/mattn/go-shellwords v1.0.12
|
||||
## explicit
|
||||
github.com/mattn/go-shellwords
|
||||
# github.com/networkplumbing/go-nft v0.2.0
|
||||
## explicit
|
||||
github.com/networkplumbing/go-nft/nft
|
||||
github.com/networkplumbing/go-nft/nft/config
|
||||
github.com/networkplumbing/go-nft/nft/exec
|
||||
github.com/networkplumbing/go-nft/nft/schema
|
||||
# github.com/nxadm/tail v1.4.8
|
||||
github.com/nxadm/tail
|
||||
github.com/nxadm/tail/ratelimiter
|
||||
|
||||
Reference in New Issue
Block a user