!202 docker:fix CVE-2023-28840 CVE-2023-28841 CVE-2023-28842

From: @zhong-jiawei-1 Reviewed-by: @zhangsong234, @duguhaotian Signed-off-by: @duguhaotian
2023-04-06 11:59:59 +00:00 · 2023-04-06 11:59:59 +00:00 · 222bb3dc21
commit 222bb3dc21
parent 639d314f97 3b459012b6
7 changed files with 521 additions and 3 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-18.09.0.322
+18.09.0.323
--- a/docker.spec
+++ b/docker.spec
@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 322
+Release: 323
 Epoch: 2
 Summary: The open-source application container engine
 Group: Tools/Docker
@ -229,6 +229,12 @@ fi
 %endif

 %changelog
+* Thu Apr 06 2023 zhongjiawei<zhongjiawei1@huawei.com> - 18.09.0-323
+- Type:CVE
+- CVE:CVE-2023-28840,CVE-2023-28841,CVE-2023-28842
+- SUG:NA
+- DESC:fix CVE-2023-28840,CVE-2023-28841,CVE-2023-28842
+
 * Wed Mar 29 2023 zhongjiawei<zhongjiawei1@huawei.com> - 18.09.0-322
 - Type:bugfix
 - CVE:NA
--- a/2
+++ b/2
@ -1 +1 @@
-4c4d6bc65a4aed3a9f32ddce05f022aa79302364
+172f8daba189d1c50663a252a90b2780f13f7f87
--- a/patch/0255-docker-libnet-d-overlay-extract-VNI-match-rule-builder.patch
+++ b/patch/0255-docker-libnet-d-overlay-extract-VNI-match-rule-builder.patch
@ -0,0 +1,90 @@
+From d95faf745be50c948cc26e5d870da8fb870de887 Mon Sep 17 00:00:00 2001
+From: Cory Snider <csnider@mirantis.com>
+Date: Mon, 6 Mar 2023 17:50:30 -0500
+Subject: [PATCH] libnet/d/overlay: extract VNI match rule builder
+
+The iptables rule clause used to match on the VNI of VXLAN datagrams
+looks like line noise to the uninitiated. It doesn't help that the
+expression is repeated twice and neither copy has any commentary.
+DRY out the rule builder to a common function, and document what the
+rule does and how it works.
+
+Signed-off-by: Cory Snider <csnider@mirantis.com>
+---
+ .../libnetwork/drivers/overlay/encryption.go  | 12 +++-----
+ .../drivers/overlay/encryption_u32.go         | 30 +++++++++++++++++++
+ 2 files changed, 34 insertions(+), 8 deletions(-)
+ create mode 100644 components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_u32.go
+
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go
+index a97e73df82..be09c70d7a 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go
+++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go
+@@ -200,11 +200,9 @@ func removeEncryption(localIP, remoteIP net.IP, em *encrMap) error {
+ 
+ func programMangle(vni uint32, add bool) (err error) {
+ 	var (
+-		p      = strconv.FormatUint(uint64(vxlanPort), 10)
+-		c      = fmt.Sprintf("0>>22&0x3C@12&0xFFFFFF00=%d", int(vni)<<8)
+ 		m      = strconv.FormatUint(uint64(r), 10)
+ 		chain  = "OUTPUT"
+-		rule   = []string{"-p", "udp", "--dport", p, "-m", "u32", "--u32", c, "-j", "MARK", "--set-mark", m}
+		rule   = append(matchVXLAN(overlayutils.VXLANUDPPort(), vni), "-j", "MARK", "--set-mark", m)
+ 		a      = "-A"
+ 		action = "install"
+ 	)
+@@ -227,12 +225,10 @@ func programMangle(vni uint32, add bool) (err error) {
+ 
+ func programInput(vni uint32, add bool) (err error) {
+ 	var (
+-		port       = strconv.FormatUint(uint64(vxlanPort), 10)
+-		vniMatch   = fmt.Sprintf("0>>22&0x3C@12&0xFFFFFF00=%d", int(vni)<<8)
+-		plainVxlan = []string{"-p", "udp", "--dport", port, "-m", "u32", "--u32", vniMatch, "-j"}
+		plainVxlan = matchVXLAN(overlayutils.VXLANUDPPort(), vni)
+ 		ipsecVxlan = append([]string{"-m", "policy", "--dir", "in", "--pol", "ipsec"}, plainVxlan...)
+-		block      = append(plainVxlan, "DROP")
+-		accept     = append(ipsecVxlan, "ACCEPT")
+		block      = append(plainVxlan, "-j", "DROP")
+		accept     = append(ipsecVxlan, "-j", "ACCEPT")
+ 		chain      = "INPUT"
+ 		action     = iptables.Append
+ 		msg        = "add"
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_u32.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_u32.go
+new file mode 100644
+index 0000000000..c93f7c96fc
+--- /dev/null
+++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_u32.go
+@@ -0,0 +1,30 @@
+package overlay
+
+import (
+	"fmt"
+	"strconv"
+)
+
+// matchVXLAN returns an iptables rule fragment which matches VXLAN datagrams
+// with the given destination port and VXLAN Network ID utilizing the xt_u32
+// netfilter kernel module. The returned slice's backing array is guaranteed not
+// to alias any other slice's.
+func matchVXLAN(port, vni uint32) []string {
+	dport := strconv.FormatUint(uint64(port), 10)
+
+	// The u32 expression language is documented in iptables-extensions(8).
+	// https://ipset.netfilter.org/iptables-extensions.man.html#lbCK
+	//
+	// 0>>22&0x3C                ; Compute number of octets in IPv4 header
+	//           @               ; Make this the new offset into the packet
+	//                           ; (jump to start of UDP header)
+	//            12&0xFFFFFF00  ; Read 32-bit value at offset 12 and mask off the bottom octet
+	//                         = ; Test whether the value is equal to a constant
+	//
+	// A UDP header is eight octets long so offset 12 from the start of the
+	// UDP header is four octets into the payload: the VNI field of the
+	// VXLAN header.
+	vniMatch := fmt.Sprintf("0>>22&0x3C@12&0xFFFFFF00=%d", int(vni)<<8)
+
+	return []string{"-p", "udp", "--dport", dport, "-m", "u32", "--u32", vniMatch}
+}
+-- 
+2.33.0
+
--- a/patch/0256-docker-libnet-d-overlay-document-some-encryption-code.patch
+++ b/patch/0256-docker-libnet-d-overlay-document-some-encryption-code.patch
@ -0,0 +1,143 @@
+From e83ba81129646c3242ed96496cf2d503f977a2e0 Mon Sep 17 00:00:00 2001
+From: Cory Snider <csnider@mirantis.com>
+Date: Tue, 7 Mar 2023 13:51:57 -0500
+Subject: [PATCH] libnet/d/overlay: document some encryption code
+
+The overlay-network encryption code is woefully under-documented, which
+is especially problematic as it operates on under-documented kernel
+interfaces. Document what I have puzzled out of the implementation for
+the benefit of the next poor soul to touch this code.
+
+Signed-off-by: Cory Snider <csnider@mirantis.com>
+---
+ .../libnetwork/drivers/overlay/encryption.go  | 46 +++++++++++++++----
+ 1 file changed, 38 insertions(+), 8 deletions(-)
+
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go
+index be09c70d7a..2084351624 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go
+++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go
+@@ -19,8 +19,31 @@ import (
+ 	"github.com/vishvananda/netlink"
+ )
+ 
+/*
+Encrypted overlay networks use IPsec in transport mode to encrypt and
+authenticate the VXLAN UDP datagrams. This driver implements a bespoke control
+plane which negotiates the security parameters for each peer-to-peer tunnel.
+IPsec Terminology
+ - ESP: IPSec Encapsulating Security Payload
+ - SPI: Security Parameter Index
+ - ICV: Integrity Check Value
+ - SA: Security Association https://en.wikipedia.org/wiki/IPsec#Security_association
+Developer documentation for Linux IPsec is rather sparse online. The following
+slide deck provides a decent overview.
+https://libreswan.org/wiki/images/e/e0/Netdev-0x12-ipsec-flow.pdf
+The Linux IPsec stack is part of XFRM, the netlink packet transformation
+interface.
+https://man7.org/linux/man-pages/man8/ip-xfrm.8.html
+*/
+
+ const (
+-	r            = 0xD0C4E3
+	// Value used to mark outgoing packets which should have our IPsec
+	// processing applied. It is also used as a label to identify XFRM
+	// states (Security Associations) and policies (Security Policies)
+	// programmed by us so we know which ones we can clean up without
+	// disrupting other VPN connections on the system.
+	mark = 0xD0C4E3
+
+ 	pktExpansion = 26 // SPI(4) + SeqN(4) + IV(8) + PadLength(1) + NextHeader(1) + ICV(8)
+ )
+ 
+@@ -30,7 +53,9 @@ const (
+ 	bidir
+ )
+ 
+-var spMark = netlink.XfrmMark{Value: uint32(r), Mask: 0xffffffff}
+// Mark value for matching packets which should have our IPsec security policy
+// applied.
+var spMark = netlink.XfrmMark{Value: mark, Mask: 0xffffffff}
+ 
+ type key struct {
+ 	value []byte
+@@ -49,6 +74,9 @@ type spi struct {
+ 	reverse int
+ }
+ 
+// Security Parameter Indices for the IPsec flows between local node and a
+// remote peer, which identify the Security Associations (XFRM states) to be
+// applied when encrypting and decrypting packets.
+ func (s *spi) String() string {
+ 	return fmt.Sprintf("SPI(FWD: 0x%x, REV: 0x%x)", uint32(s.forward), uint32(s.reverse))
+ }
+@@ -200,7 +228,7 @@ func removeEncryption(localIP, remoteIP net.IP, em *encrMap) error {
+ 
+ func programMangle(vni uint32, add bool) (err error) {
+ 	var (
+-		m      = strconv.FormatUint(uint64(r), 10)
+		m      = strconv.FormatUint(mark, 10)
+ 		chain  = "OUTPUT"
+ 		rule   = append(matchVXLAN(overlayutils.VXLANUDPPort(), vni), "-j", "MARK", "--set-mark", m)
+ 		a      = "-A"
+@@ -239,10 +267,12 @@ func programInput(vni uint32, add bool) (err error) {
+ 		msg = "remove"
+ 	}
+ 
+	// Accept incoming VXLAN datagrams for the VNI which were subjected to IPSec processing.
+ 	if err := iptables.ProgramRule(iptables.Filter, chain, action, accept); err != nil {
+ 		logrus.Errorf("could not %s input rule: %v. Please do it manually.", msg, err)
+ 	}
+ 
+	// Drop incoming VXLAN datagrams for the VNI which were received in cleartext.
+ 	if err := iptables.ProgramRule(iptables.Filter, chain, action, block); err != nil {
+ 		logrus.Errorf("could not %s input rule: %v. Please do it manually.", msg, err)
+ 	}
+@@ -268,7 +298,7 @@ func programSA(localIP, remoteIP net.IP, spi *spi, k *key, dir int, add bool) (f
+ 			Proto: netlink.XFRM_PROTO_ESP,
+ 			Spi:   spi.reverse,
+ 			Mode:  netlink.XFRM_MODE_TRANSPORT,
+-			Reqid: r,
+			Reqid: mark,
+ 		}
+ 		if add {
+ 			rSA.Aead = buildAeadAlgo(k, spi.reverse)
+@@ -294,7 +324,7 @@ func programSA(localIP, remoteIP net.IP, spi *spi, k *key, dir int, add bool) (f
+ 			Proto: netlink.XFRM_PROTO_ESP,
+ 			Spi:   spi.forward,
+ 			Mode:  netlink.XFRM_MODE_TRANSPORT,
+-			Reqid: r,
+			Reqid: mark,
+ 		}
+ 		if add {
+ 			fSA.Aead = buildAeadAlgo(k, spi.forward)
+@@ -343,7 +373,7 @@ func programSP(fSA *netlink.XfrmState, rSA *netlink.XfrmState, add bool) error {
+ 				Proto: netlink.XFRM_PROTO_ESP,
+ 				Mode:  netlink.XFRM_MODE_TRANSPORT,
+ 				Spi:   fSA.Spi,
+-				Reqid: r,
+				Reqid: mark,
+ 			},
+ 		},
+ 	}
+@@ -557,7 +587,7 @@ func updateNodeKey(lIP, aIP, rIP net.IP, idxs []*spi, curKeys []*key, newIdx, pr
+ 					Proto: netlink.XFRM_PROTO_ESP,
+ 					Mode:  netlink.XFRM_MODE_TRANSPORT,
+ 					Spi:   fSA2.Spi,
+-					Reqid: r,
+					Reqid: mark,
+ 				},
+ 			},
+ 		}
+@@ -624,7 +654,7 @@ func clearEncryptionStates() {
+ 		}
+ 	}
+ 	for _, sa := range saList {
+-		if sa.Reqid == r {
+		if sa.Reqid == mark {
+ 			if err := nlh.XfrmStateDel(&sa); err != nil {
+ 				logrus.Warnf("Failed to delete stale SA %s: %v", sa, err)
+ 				continue
+-- 
+2.33.0
+
--- a/patch/0257-docker-libnet-d-overlay-add-BPF-powered-VNI-matcher.patch
+++ b/patch/0257-docker-libnet-d-overlay-add-BPF-powered-VNI-matcher.patch
@ -0,0 +1,276 @@
+From a8d7747e2ebc37b63558475b73e1d0a2dee2625e Mon Sep 17 00:00:00 2001
+From: Cory Snider <csnider@mirantis.com>
+Date: Fri, 10 Mar 2023 15:29:27 -0500
+Subject: [PATCH] libnet/d/overlay: add BPF-powered VNI matcher
+
+Some newer distros such as RHEL 9 have stopped making the xt_u32 kernel
+module available with the kernels they ship. They do ship the xt_bpf
+kernel module, which can do everything xt_u32 can and more. Add an
+alternative implementation of the iptables match rule which uses xt_bpf
+to implement exactly the same logic as the u32 filter using a BPF
+program. Try programming the BPF-powered rules as a fallback when
+programming the u32-powered rules fails.
+
+Signed-off-by: Cory Snider <csnider@mirantis.com>
+---
+ .../docker/libnetwork/drivers/overlay/bpf.go  | 47 +++++++++++++++++++
+ .../libnetwork/drivers/overlay/bpf_test.go    | 14 ++++++
+ .../libnetwork/drivers/overlay/encryption.go  | 37 +++++++++++++--
+ .../drivers/overlay/encryption_bpf.go         | 17 +++++++
+ .../drivers/overlay/encryption_u32.go         | 10 ++--
+ .../drivers/overlay/overlayutils/utils.go     | 46 ++++++++++++++++++
+ 6 files changed, 162 insertions(+), 9 deletions(-)
+ create mode 100644 components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/bpf.go
+ create mode 100644 components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/bpf_test.go
+ create mode 100644 components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_bpf.go
+ create mode 100644 components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/overlayutils/utils.go
+
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/bpf.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/bpf.go
+new file mode 100644
+index 00000000..cb96fb7a
+--- /dev/null
+++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/bpf.go
+@@ -0,0 +1,47 @@
+package overlay
+
+import (
+	"fmt"
+	"strings"
+
+	"golang.org/x/net/bpf"
+)
+
+// vniMatchBPF returns a BPF program suitable for passing to the iptables bpf
+// match which matches on the VXAN Network ID of encapsulated packets. The
+// program assumes that it will be used in a rule which only matches UDP
+// datagrams.
+func vniMatchBPF(vni uint32) []bpf.RawInstruction {
+	asm, err := bpf.Assemble([]bpf.Instruction{
+		bpf.LoadMemShift{Off: 0},                                    // ldx 4*([0] & 0xf) ; Load length of IPv4 header into X
+		bpf.LoadIndirect{Off: 12, Size: 4},                          // ld [x + 12]       ; Load VXLAN ID (UDP header + 4 bytes) into A
+		bpf.ALUOpConstant{Op: bpf.ALUOpAnd, Val: 0xffffff00},        // and #0xffffff00   ; VXLAN ID is in top 24 bits
+		bpf.JumpIf{Cond: bpf.JumpEqual, Val: vni << 8, SkipTrue: 1}, // jeq ($vni << 8), match
+		bpf.RetConstant{Val: 0},                                     // ret #0
+		bpf.RetConstant{Val: ^uint32(0)},                            // match: ret #-1
+	})
+	// bpf.Assemble() only errors if an instruction is invalid. As the only variable
+	// part of the program is an instruction value for which the entire range is
+	// valid, whether the program can be successfully assembled is independent of
+	// the input. Given that the only recourse is to fix this function and
+	// recompile, there's little value in bubbling the error up to the caller.
+	if err != nil {
+		panic(err)
+	}
+	return asm
+}
+
+// marshalXTBPF marshals a BPF program into the "decimal" byte code format
+// which is suitable for passing to the [iptables bpf match].
+//
+//	iptables -m bpf --bytecode
+//
+// [iptables bpf match]: https://ipset.netfilter.org/iptables-extensions.man.html#lbAH
+func marshalXTBPF(prog []bpf.RawInstruction) string { //nolint:unused
+	var b strings.Builder
+	fmt.Fprintf(&b, "%d", len(prog))
+	for _, ins := range prog {
+		fmt.Fprintf(&b, ",%d %d %d %d", ins.Op, ins.Jt, ins.Jf, ins.K)
+	}
+	return b.String()
+}
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/bpf_test.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/bpf_test.go
+new file mode 100644
+index 00000000..f636d14e
+--- /dev/null
+++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/bpf_test.go
+@@ -0,0 +1,14 @@
+package overlay
+
+import (
+	"testing"
+)
+
+func FuzzVNIMatchBPFDoesNotPanic(f *testing.F) {
+	for _, seed := range []uint32{0, 1, 42, 0xfffffe, 0xffffff, 0xfffffffe, 0xffffffff} {
+		f.Add(seed)
+	}
+	f.Fuzz(func(t *testing.T, vni uint32) {
+		_ = vniMatchBPF(vni)
+	})
+}
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go
+index 20843516..513de71e 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go
+++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go
+@@ -1,3 +1,6 @@
+//go:build linux
+// +build linux
+
+ package overlay
+ 
+ import (
+@@ -12,9 +15,11 @@ import (
+ 
+ 	"strconv"
+ 
+	"github.com/docker/libnetwork/drivers/overlay/overlayutils"
+ 	"github.com/docker/libnetwork/iptables"
+ 	"github.com/docker/libnetwork/ns"
+ 	"github.com/docker/libnetwork/types"
+	"github.com/hashicorp/go-multierror"
+ 	"github.com/sirupsen/logrus"
+ 	"github.com/vishvananda/netlink"
+ )
+@@ -226,7 +231,31 @@ func removeEncryption(localIP, remoteIP net.IP, em *encrMap) error {
+ 	return nil
+ }
+ 
+-func programMangle(vni uint32, add bool) (err error) {
+type matchVXLANFunc func(port, vni uint32) []string
+
+// programVXLANRuleFunc returns a function which tries calling programWithMatch
+// with the u32 match, falling back to the BPF match if installing u32 variant
+// of the rules fails.
+func programVXLANRuleFunc(programWithMatch func(matchVXLAN matchVXLANFunc, vni uint32, add bool) error) func(vni uint32, add bool) error {
+	return func(vni uint32, add bool) error {
+		if add {
+			if err := programWithMatch(matchVXLANWithU32, vni, add); err != nil {
+				// That didn't work. Maybe the xt_u32 module isn't available? Try again with xt_bpf.
+				err2 := programWithMatch(matchVXLANWithBPF, vni, add)
+				if err2 != nil {
+					return multierror.Append(err, err2)
+				}
+			}
+			return nil
+		} else {
+			// Delete both flavours.
+			err := programWithMatch(matchVXLANWithU32, vni, add)
+			return multierror.Append(err, programWithMatch(matchVXLANWithBPF, vni, add)).ErrorOrNil()
+		}
+	}
+}
+
+var programMangle = programVXLANRuleFunc(func(matchVXLAN matchVXLANFunc, vni uint32, add bool) (err error) {
+ 	var (
+ 		m      = strconv.FormatUint(mark, 10)
+ 		chain  = "OUTPUT"
+@@ -249,9 +278,9 @@ func programMangle(vni uint32, add bool) (err error) {
+ 	}
+ 
+ 	return
+-}
+})
+ 
+-func programInput(vni uint32, add bool) (err error) {
+var programInput = programVXLANRuleFunc(func(matchVXLAN matchVXLANFunc, vni uint32, add bool) (err error) {
+ 	var (
+ 		plainVxlan = matchVXLAN(overlayutils.VXLANUDPPort(), vni)
+ 		ipsecVxlan = append([]string{"-m", "policy", "--dir", "in", "--pol", "ipsec"}, plainVxlan...)
+@@ -278,7 +307,7 @@ func programInput(vni uint32, add bool) (err error) {
+ 	}
+ 
+ 	return
+-}
+})
+ 
+ func programSA(localIP, remoteIP net.IP, spi *spi, k *key, dir int, add bool) (fSA *netlink.XfrmState, rSA *netlink.XfrmState, err error) {
+ 	var (
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_bpf.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_bpf.go
+new file mode 100644
+index 00000000..de57c217
+--- /dev/null
+++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_bpf.go
+@@ -0,0 +1,17 @@
+package overlay
+
+import (
+	"strconv"
+)
+
+// matchVXLANWithBPF returns an iptables rule fragment which matches VXLAN
+// datagrams with the given destination port and VXLAN Network ID utilizing the
+// xt_bpf netfilter kernel module. The returned slice's backing array is
+// guaranteed not to alias any other slice's.
+func matchVXLANWithBPF(port, vni uint32) []string {
+	dport := strconv.FormatUint(uint64(port), 10)
+	vniMatch := marshalXTBPF(vniMatchBPF(vni))
+
+	// https://ipset.netfilter.org/iptables-extensions.man.html#lbAH
+	return []string{"-p", "udp", "--dport", dport, "-m", "bpf", "--bytecode", vniMatch}
+}
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_u32.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_u32.go
+index c93f7c96..94a74031 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_u32.go
+++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/encryption_u32.go
+@@ -5,11 +5,11 @@ import (
+ 	"strconv"
+ )
+ 
+-// matchVXLAN returns an iptables rule fragment which matches VXLAN datagrams
+-// with the given destination port and VXLAN Network ID utilizing the xt_u32
+-// netfilter kernel module. The returned slice's backing array is guaranteed not
+-// to alias any other slice's.
+-func matchVXLAN(port, vni uint32) []string {
+// matchVXLANWithU32 returns an iptables rule fragment which matches VXLAN
+// datagrams with the given destination port and VXLAN Network ID utilizing the
+// xt_u32 netfilter kernel module. The returned slice's backing array is
+// guaranteed not to alias any other slice's.
+func matchVXLANWithU32(port, vni uint32) []string {
+ 	dport := strconv.FormatUint(uint64(port), 10)
+ 
+ 	// The u32 expression language is documented in iptables-extensions(8).
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/overlayutils/utils.go b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/overlayutils/utils.go
+new file mode 100644
+index 00000000..73136e8e
+--- /dev/null
+++ b/components/engine/vendor/github.com/docker/libnetwork/drivers/overlay/overlayutils/utils.go
+@@ -0,0 +1,46 @@
+// Package overlayutils provides utility functions for overlay networks
+package overlayutils
+
+import (
+	"fmt"
+	"sync"
+)
+
+var (
+	mutex        sync.RWMutex
+	vxlanUDPPort uint32
+)
+
+const defaultVXLANUDPPort = 4789
+
+func init() {
+	vxlanUDPPort = defaultVXLANUDPPort
+}
+
+// ConfigVXLANUDPPort configures the VXLAN UDP port (data path port) number.
+// If no port is set, the default (4789) is returned. Valid port numbers are
+// between 1024 and 49151.
+func ConfigVXLANUDPPort(vxlanPort uint32) error {
+	if vxlanPort == 0 {
+		vxlanPort = defaultVXLANUDPPort
+	}
+	// IANA procedures for each range in detail
+	// The Well Known Ports, aka the System Ports, from 0-1023
+	// The Registered Ports, aka the User Ports, from 1024-49151
+	// The Dynamic Ports, aka the Private Ports, from 49152-65535
+	// So we can allow range between 1024 to 49151
+	if vxlanPort < 1024 || vxlanPort > 49151 {
+		return fmt.Errorf("VXLAN UDP port number is not in valid range (1024-49151): %d", vxlanPort)
+	}
+	mutex.Lock()
+	vxlanUDPPort = vxlanPort
+	mutex.Unlock()
+	return nil
+}
+
+// VXLANUDPPort returns Vxlan UDP port number
+func VXLANUDPPort() uint32 {
+	mutex.RLock()
+	defer mutex.RUnlock()
+	return vxlanUDPPort
+}
+-- 
+2.33.0
+
--- a/series.conf
+++ b/series.conf
@ -252,4 +252,7 @@ patch/0251-docker-daemon-containerStart-fix-unhandled-error-for-saveAp.patch
 patch/0252-docker-Prevent-panic-on-network-attach.patch
 patch/0253-docker-build-fix-panic-when-exporting-to-tar.patch
 patch/0254-docker-bugfix-fetch-the-right-device-number-which-great-tha.patch
+patch/0255-docker-libnet-d-overlay-extract-VNI-match-rule-builder.patch
+patch/0256-docker-libnet-d-overlay-document-some-encryption-code.patch
+patch/0257-docker-libnet-d-overlay-add-BPF-powered-VNI-matcher.patch
 #end