libnetwork/d/overlay: checkEncryption: drop isLocal param

corhere · corhere · commit 0d893252ac72 · 2025-05-29T14:13:13.000-04:00
Since it is not meaningful to add or remove encryption between the local
node and itself, the isLocal parameter is redundant. Setting up
encryption for all network peers is now invoked by calling

    checkEncryption(nid, netip.Addr{}, true)

Calling checkEncryption with isLocal=true, add=false is now more
explicitly a no-op. It always was effectively a no-op, but that was not
easy to spot by inspection. In the world with the isLocal flag,
calls to checkEncryption where isLocal=true and add=false would have rIP
set to d.advertiseAddr. In other words, it was a request to remove
encryption parameters between the local peer and itself if peerDB had no
remote-peer entries for the network. So either the call would do
nothing, or it would remove encryption parameters that aren't used for
anything. Now the equivalent call always does nothing.

Signed-off-by: Cory Snider &lt;csnider@mirantis.com&gt;
diff --git a/libnetwork/drivers/overlay/encryption.go b/libnetwork/drivers/overlay/encryption.go
@@ -113,8 +113,12 @@ func (e *encrMap) String() string {
 	return b.String()
 }
 
-func (d *driver) checkEncryption(nid string, rIP netip.Addr, isLocal, add bool) error {
-	log.G(context.TODO()).Debugf("checkEncryption(%.7s, %v, %t)", nid, rIP, isLocal)
+// checkEncryption sets up or removes IPsec encryption parameters for peers on a network.
+//
+// When given an rIP, encryption paremeters will be set up for the VXLAN tunnel to that peer.
+// When !rIP.IsValid(), encryption parameters will be set up for all network peers.
+func (d *driver) checkEncryption(nid string, rIP netip.Addr, add bool) error {
+	log.G(context.TODO()).Debugf("checkEncryption(%.7s, %v)", nid, rIP)
 
 	n := d.network(nid)
 	if n == nil || !n.secure {
@@ -130,7 +134,7 @@ func (d *driver) checkEncryption(nid string, rIP netip.Addr, isLocal, add bool)
 	nodes := map[netip.Addr]struct{}{}
 
 	switch {
-	case isLocal:
+	case !rIP.IsValid():
 		if err := d.peerDbNetworkWalk(nid, func(_ netip.Addr, _ net.HardwareAddr, pEntry *peerEntry) bool {
 			if !pEntry.isLocal() {
 				nodes[pEntry.vtep] = struct{}{}
@@ -154,7 +158,7 @@ func (d *driver) checkEncryption(nid string, rIP netip.Addr, isLocal, add bool)
 			}
 		}
 	} else {
-		if len(nodes) == 0 {
+		if rIP.IsValid() && len(nodes) == 0 {
 			if err := removeEncryption(lIP, rIP, d.secMap); err != nil {
 				log.G(context.TODO()).Warnf("Failed to remove network encryption between %s and %s: %v", lIP, rIP, err)
 			}
diff --git a/libnetwork/drivers/overlay/joinleave.go b/libnetwork/drivers/overlay/joinleave.go
@@ -121,7 +121,7 @@ func (d *driver) Join(ctx context.Context, nid, eid string, sboxKey string, jinf
 
 	d.peerAdd(nid, eid, ep.addr, ep.mac, netip.Addr{})
 
-	if err = d.checkEncryption(nid, netip.Addr{}, true, true); err != nil {
+	if err = d.checkEncryption(nid, netip.Addr{}, true); err != nil {
 		log.G(ctx).Warn(err)
 	}
 
diff --git a/libnetwork/drivers/overlay/peerdb.go b/libnetwork/drivers/overlay/peerdb.go
@@ -235,7 +235,7 @@ func (d *driver) peerAddOp(nid, eid string, peerIP netip.Prefix, peerMac net.Har
 		return fmt.Errorf("subnet sandbox join failed for %q: %v", s.subnetIP.String(), err)
 	}
 
-	if err := d.checkEncryption(nid, vtep, false, true); err != nil {
+	if err := d.checkEncryption(nid, vtep, true); err != nil {
 		log.G(context.TODO()).Warn(err)
 	}
 
@@ -291,7 +291,7 @@ func (d *driver) peerDeleteOp(nid, eid string, peerIP netip.Prefix, peerMac net.
 		return nil
 	}
 
-	if err := d.checkEncryption(nid, vtep, !vtep.IsValid(), false); err != nil {
+	if err := d.checkEncryption(nid, vtep, false); err != nil {
 		log.G(context.TODO()).Warn(err)
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -121,7 +121,7 @@ func (d *driver) Join(ctx context.Context, nid, eid string, sboxKey string, jinf`
`121`	`121`
`122`	`122`	`d.peerAdd(nid, eid, ep.addr, ep.mac, netip.Addr{})`
`123`	`123`
`124`		`- if err = d.checkEncryption(nid, netip.Addr{}, true, true); err != nil {`
	`124`	`+ if err = d.checkEncryption(nid, netip.Addr{}, true); err != nil {`
`125`	`125`	`log.G(ctx).Warn(err)`
`126`	`126`	`}`
`127`	`127`
Original file line number	Diff line number	Diff line change
`@@ -235,7 +235,7 @@ func (d *driver) peerAddOp(nid, eid string, peerIP netip.Prefix, peerMac net.Har`
`235`	`235`	`return fmt.Errorf("subnet sandbox join failed for %q: %v", s.subnetIP.String(), err)`
`236`	`236`	`}`
`237`	`237`
`238`		`- if err := d.checkEncryption(nid, vtep, false, true); err != nil {`
	`238`	`+ if err := d.checkEncryption(nid, vtep, true); err != nil {`
`239`	`239`	`log.G(context.TODO()).Warn(err)`
`240`	`240`	`}`
`241`	`241`
`@@ -291,7 +291,7 @@ func (d *driver) peerDeleteOp(nid, eid string, peerIP netip.Prefix, peerMac net.`
`291`	`291`	`return nil`
`292`	`292`	`}`
`293`	`293`
`294`		`- if err := d.checkEncryption(nid, vtep, !vtep.IsValid(), false); err != nil {`
	`294`	`+ if err := d.checkEncryption(nid, vtep, false); err != nil {`
`295`	`295`	`log.G(context.TODO()).Warn(err)`
`296`	`296`	`}`
`297`	`297`