Merge pull request moby#50090 from corhere/libn/overlay-netip

libnetwork/d/overlay: use netip types more

Author: corhere

libnetwork/drivers/overlay/encryption.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"hash/fnv"
 	"net"
+	"net/netip"
 	"strconv"
 	"sync"
 	"syscall"
@@ -90,7 +91,7 @@ func (s *spi) String() string {
 }
 
 type encrMap struct {
-	nodes map[string][]*spi
+	nodes map[netip.Addr][]*spi
 	sync.Mutex
 }
 
@@ -100,7 +101,7 @@ func (e *encrMap) String() string {
 	b := new(bytes.Buffer)
 	for k, v := range e.nodes {
 		b.WriteString("\n")
-		b.WriteString(k)
+		b.WriteString(k.String())
 		b.WriteString(":")
 		b.WriteString("[")
 		for _, s := range v {
@@ -112,7 +113,7 @@ func (e *encrMap) String() string {
 	return b.String()
 }
 
-func (d *driver) checkEncryption(nid string, rIP net.IP, isLocal, add bool) error {
+func (d *driver) checkEncryption(nid string, rIP netip.Addr, isLocal, add bool) error {
 	log.G(context.TODO()).Debugf("checkEncryption(%.7s, %v, %t)", nid, rIP, isLocal)
 
 	n := d.network(nid)
@@ -126,28 +127,28 @@ func (d *driver) checkEncryption(nid string, rIP net.IP, isLocal, add bool) erro
 
 	lIP := d.bindAddress
 	aIP := d.advertiseAddress
-	nodes := map[string]net.IP{}
+	nodes := map[netip.Addr]struct{}{}
 
 	switch {
 	case isLocal:
-		if err := d.peerDbNetworkWalk(nid, func(pKey *peerKey, pEntry *peerEntry) bool {
-			if !aIP.Equal(pEntry.vtep) {
-				nodes[pEntry.vtep.String()] = pEntry.vtep
+		if err := d.peerDbNetworkWalk(nid, func(_ netip.Addr, _ net.HardwareAddr, pEntry *peerEntry) bool {
+			if aIP != pEntry.vtep {
+				nodes[pEntry.vtep] = struct{}{}
 			}
 			return false
 		}); err != nil {
 			log.G(context.TODO()).Warnf("Failed to retrieve list of participating nodes in overlay network %.5s: %v", nid, err)
 		}
 	default:
 		if len(d.network(nid).endpoints) > 0 {
-			nodes[rIP.String()] = rIP
+			nodes[rIP] = struct{}{}
 		}
 	}
 
 	log.G(context.TODO()).Debugf("List of nodes: %s", nodes)
 
 	if add {
-		for _, rIP := range nodes {
+		for rIP := range nodes {
 			if err := setupEncryption(lIP, aIP, rIP, d.secMap, d.keys); err != nil {
 				log.G(context.TODO()).Warnf("Failed to program network encryption between %s and %s: %v", lIP, rIP, err)
 			}
@@ -165,19 +166,18 @@ func (d *driver) checkEncryption(nid string, rIP net.IP, isLocal, add bool) erro
 
 // setupEncryption programs the encryption parameters for secure communication
 // between the local node and a remote node.
-func setupEncryption(localIP, advIP, remoteIP net.IP, em *encrMap, keys []*key) error {
+func setupEncryption(localIP, advIP, remoteIP netip.Addr, em *encrMap, keys []*key) error {
 	log.G(context.TODO()).Debugf("Programming encryption between %s and %s", localIP, remoteIP)
-	rIPs := remoteIP.String()
 
 	indices := make([]*spi, 0, len(keys))
 
 	for i, k := range keys {
-		spis := &spi{buildSPI(advIP, remoteIP, k.tag), buildSPI(remoteIP, advIP, k.tag)}
+		spis := &spi{buildSPI(advIP.AsSlice(), remoteIP.AsSlice(), k.tag), buildSPI(remoteIP.AsSlice(), advIP.AsSlice(), k.tag)}
 		dir := reverse
 		if i == 0 {
 			dir = bidir
 		}
-		fSA, rSA, err := programSA(localIP, remoteIP, spis, k, dir, true)
+		fSA, rSA, err := programSA(localIP.AsSlice(), remoteIP.AsSlice(), spis, k, dir, true)
 		if err != nil {
 			log.G(context.TODO()).Warn(err)
 		}
@@ -192,15 +192,15 @@ func setupEncryption(localIP, advIP, remoteIP net.IP, em *encrMap, keys []*key)
 	}
 
 	em.Lock()
-	em.nodes[rIPs] = indices
+	em.nodes[remoteIP] = indices
 	em.Unlock()
 
 	return nil
 }
 
-func removeEncryption(localIP, remoteIP net.IP, em *encrMap) error {
+func removeEncryption(localIP, remoteIP netip.Addr, em *encrMap) error {
 	em.Lock()
-	indices, ok := em.nodes[remoteIP.String()]
+	indices, ok := em.nodes[remoteIP]
 	em.Unlock()
 	if !ok {
 		return nil
@@ -210,7 +210,7 @@ func removeEncryption(localIP, remoteIP net.IP, em *encrMap) error {
 		if i == 0 {
 			dir = bidir
 		}
-		fSA, rSA, err := programSA(localIP, remoteIP, idxs, nil, dir, false)
+		fSA, rSA, err := programSA(localIP.AsSlice(), remoteIP.AsSlice(), idxs, nil, dir, false)
 		if err != nil {
 			log.G(context.TODO()).Warn(err)
 		}
@@ -477,7 +477,7 @@ func buildAeadAlgo(k *key, s int) *netlink.XfrmStateAlgo {
 	}
 }
 
-func (d *driver) secMapWalk(f func(string, []*spi) ([]*spi, bool)) error {
+func (d *driver) secMapWalk(f func(netip.Addr, []*spi) ([]*spi, bool)) error {
 	d.secMap.Lock()
 	for node, indices := range d.secMap.nodes {
 		idxs, stop := f(node, indices)
@@ -498,7 +498,7 @@ func (d *driver) setKeys(keys []*key) error {
 	// Accept the encryption keys and clear any stale encryption map
 	d.Lock()
 	d.keys = keys
-	d.secMap = &encrMap{nodes: map[string][]*spi{}}
+	d.secMap = &encrMap{nodes: map[netip.Addr][]*spi{}}
 	d.Unlock()
 	log.G(context.TODO()).Debugf("Initial encryption keys: %v", keys)
 	return nil
@@ -547,9 +547,8 @@ func (d *driver) updateKeys(newKey, primary, pruneKey *key) error {
 		return types.InvalidParameterErrorf("attempting to both make a key (index %d) primary and delete it", priIdx)
 	}
 
-	d.secMapWalk(func(rIPs string, spis []*spi) ([]*spi, bool) {
-		rIP := net.ParseIP(rIPs)
-		return updateNodeKey(lIP, aIP, rIP, spis, d.keys, newIdx, priIdx, delIdx), false
+	d.secMapWalk(func(rIP netip.Addr, spis []*spi) ([]*spi, bool) {
+		return updateNodeKey(lIP.AsSlice(), aIP.AsSlice(), rIP.AsSlice(), spis, d.keys, newIdx, priIdx, delIdx), false
 	})
 
 	// swap primary

libnetwork/drivers/overlay/joinleave.go

@@ -6,10 +6,12 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"net/netip"
 	"syscall"
 
 	"github.com/containerd/log"
 	"github.com/docker/docker/libnetwork/driverapi"
+	"github.com/docker/docker/libnetwork/internal/netiputil"
 	"github.com/docker/docker/libnetwork/netlabel"
 	"github.com/docker/docker/libnetwork/ns"
 	"github.com/docker/docker/libnetwork/osl"
@@ -105,7 +107,7 @@ func (d *driver) Join(ctx context.Context, nid, eid string, sboxKey string, jinf
 		if sub == s {
 			continue
 		}
-		if err = jinfo.AddStaticRoute(sub.subnetIP, types.NEXTHOP, s.gwIP.IP); err != nil {
+		if err = jinfo.AddStaticRoute(netiputil.ToIPNet(sub.subnetIP), types.NEXTHOP, s.gwIP.Addr().AsSlice()); err != nil {
 			log.G(ctx).Errorf("Adding subnet %s static route in network %q failed\n", s.subnetIP, n.id)
 		}
 	}
@@ -117,9 +119,9 @@ func (d *driver) Join(ctx context.Context, nid, eid string, sboxKey string, jinf
 		}
 	}
 
-	d.peerAdd(nid, eid, ep.addr.IP, ep.addr.Mask, ep.mac, d.advertiseAddress, true)
+	d.peerAdd(nid, eid, ep.addr, ep.mac, d.advertiseAddress, true)
 
-	if err = d.checkEncryption(nid, nil, true, true); err != nil {
+	if err = d.checkEncryption(nid, netip.Addr{}, true, true); err != nil {
 		log.G(ctx).Warn(err)
 	}
 
@@ -172,34 +174,34 @@ func (d *driver) EventNotify(etype driverapi.EventType, nid, tableName, key stri
 
 	// Ignore local peers. We already know about them and they
 	// should not be added to vxlan fdb.
-	if net.ParseIP(peer.TunnelEndpointIP).Equal(d.advertiseAddress) {
+	if addr, _ := netip.ParseAddr(peer.TunnelEndpointIP); addr == d.advertiseAddress {
 		return
 	}
 
-	addr, err := types.ParseCIDR(peer.EndpointIP)
+	addr, err := netip.ParsePrefix(peer.EndpointIP)
 	if err != nil {
-		log.G(context.TODO()).Errorf("Invalid peer IP %s received in event notify", peer.EndpointIP)
+		log.G(context.TODO()).WithError(err).Errorf("Invalid peer IP %s received in event notify", peer.EndpointIP)
 		return
 	}
 
 	mac, err := net.ParseMAC(peer.EndpointMAC)
 	if err != nil {
-		log.G(context.TODO()).Errorf("Invalid mac %s received in event notify", peer.EndpointMAC)
+		log.G(context.TODO()).WithError(err).Errorf("Invalid mac %s received in event notify", peer.EndpointMAC)
 		return
 	}
 
-	vtep := net.ParseIP(peer.TunnelEndpointIP)
-	if vtep == nil {
-		log.G(context.TODO()).Errorf("Invalid VTEP %s received in event notify", peer.TunnelEndpointIP)
+	vtep, err := netip.ParseAddr(peer.TunnelEndpointIP)
+	if err != nil {
+		log.G(context.TODO()).WithError(err).Errorf("Invalid VTEP %s received in event notify", peer.TunnelEndpointIP)
 		return
 	}
 
 	if etype == driverapi.Delete {
-		d.peerDelete(nid, eid, addr.IP, addr.Mask, mac, vtep, false)
+		d.peerDelete(nid, eid, addr, mac, vtep, false)
 		return
 	}
 
-	d.peerAdd(nid, eid, addr.IP, addr.Mask, mac, vtep, false)
+	d.peerAdd(nid, eid, addr, mac, vtep, false)
 }
 
 // Leave method is invoked when a Sandbox detaches from an endpoint.
@@ -219,7 +221,7 @@ func (d *driver) Leave(nid, eid string) error {
 		return types.InternalMaskableErrorf("could not find endpoint with id %s", eid)
 	}
 
-	d.peerDelete(nid, eid, ep.addr.IP, ep.addr.Mask, ep.mac, d.advertiseAddress, true)
+	d.peerDelete(nid, eid, ep.addr, ep.mac, d.advertiseAddress, true)
 
 	n.leaveSandbox()
 

libnetwork/drivers/overlay/ov_endpoint.go

@@ -6,9 +6,11 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"net/netip"
 
 	"github.com/containerd/log"
 	"github.com/docker/docker/libnetwork/driverapi"
+	"github.com/docker/docker/libnetwork/internal/netiputil"
 	"github.com/docker/docker/libnetwork/netutils"
 	"github.com/docker/docker/libnetwork/ns"
 )
@@ -20,7 +22,7 @@ type endpoint struct {
 	nid    string
 	ifName string
 	mac    net.HardwareAddr
-	addr   *net.IPNet
+	addr   netip.Prefix
 }
 
 func (n *network) endpoint(eid string) *endpoint {
@@ -61,12 +63,13 @@ func (d *driver) CreateEndpoint(_ context.Context, nid, eid string, ifInfo drive
 	}
 
 	ep := &endpoint{
-		id:   eid,
-		nid:  n.id,
-		addr: ifInfo.Address(),
-		mac:  ifInfo.MacAddress(),
+		id:  eid,
+		nid: n.id,
+		mac: ifInfo.MacAddress(),
 	}
-	if ep.addr == nil {
+	var ok bool
+	ep.addr, ok = netiputil.ToPrefix(ifInfo.Address())
+	if !ok {
 		return fmt.Errorf("create endpoint was not passed interface IP address")
 	}
 
@@ -75,7 +78,7 @@ func (d *driver) CreateEndpoint(_ context.Context, nid, eid string, ifInfo drive
 	}
 
 	if ep.mac == nil {
-		ep.mac = netutils.GenerateMACFromIP(ep.addr.IP)
+		ep.mac = netutils.GenerateMACFromIP(ep.addr.Addr().AsSlice())
 		if err := ifInfo.SetMacAddress(ep.mac); err != nil {
 			return err
 		}

libnetwork/drivers/overlay/ov_network.go

@@ -6,7 +6,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"net"
+	"net/netip"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -18,6 +18,7 @@ import (
 	"github.com/docker/docker/internal/nlwrap"
 	"github.com/docker/docker/libnetwork/driverapi"
 	"github.com/docker/docker/libnetwork/drivers/overlay/overlayutils"
+	"github.com/docker/docker/libnetwork/internal/netiputil"
 	"github.com/docker/docker/libnetwork/netlabel"
 	"github.com/docker/docker/libnetwork/ns"
 	"github.com/docker/docker/libnetwork/osl"
@@ -42,8 +43,8 @@ type subnet struct {
 	brName    string
 	vni       uint32
 	initErr   error
-	subnetIP  *net.IPNet
-	gwIP      *net.IPNet
+	subnetIP  netip.Prefix
+	gwIP      netip.Prefix
 }
 
 type network struct {
@@ -138,11 +139,9 @@ func (d *driver) CreateNetwork(ctx context.Context, id string, option map[string
 	}
 
 	for i, ipd := range ipV4Data {
-		s := &subnet{
-			subnetIP: ipd.Pool,
-			gwIP:     ipd.Gateway,
-			vni:      vnis[i],
-		}
+		s := &subnet{vni: vnis[i]}
+		s.subnetIP, _ = netiputil.ToPrefix(ipd.Pool)
+		s.gwIP, _ = netiputil.ToPrefix(ipd.Gateway)
 
 		n.subnets = append(n.subnets, s)
 	}
@@ -427,7 +426,7 @@ func (n *network) setupSubnetSandbox(s *subnet, brName, vxlanName string) error
 	// create a bridge and vxlan device for this subnet and move it to the sandbox
 	sbox := n.sbox
 
-	if err := sbox.AddInterface(context.TODO(), brName, "br", "", osl.WithIPv4Address(s.gwIP), osl.WithIsBridge(true)); err != nil {
+	if err := sbox.AddInterface(context.TODO(), brName, "br", "", osl.WithIPv4Address(netiputil.ToIPNet(s.gwIP)), osl.WithIsBridge(true)); err != nil {
 		return fmt.Errorf("bridge creation in sandbox failed for subnet %q: %v", s.subnetIP.String(), err)
 	}
 
@@ -614,15 +613,13 @@ func (n *network) sandbox() *osl.Namespace {
 }
 
 // getSubnetforIP returns the subnet to which the given IP belongs
-func (n *network) getSubnetforIP(ip *net.IPNet) *subnet {
+func (n *network) getSubnetforIP(ip netip.Prefix) *subnet {
 	for _, s := range n.subnets {
 		// first check if the mask lengths are the same
-		i, _ := s.subnetIP.Mask.Size()
-		j, _ := ip.Mask.Size()
-		if i != j {
+		if s.subnetIP.Bits() != ip.Bits() {
 			continue
 		}
-		if s.subnetIP.Contains(ip.IP) {
+		if s.subnetIP.Contains(ip.Addr()) {
 			return s
 		}
 	}