It is available since Kernel 4.19 and has two parameters:
1. XFRM ID to map to an SA/SAs
2. Underlying Interface if you want to take advantage of IPSec Hardware Offload
Otherwise it is treated as a normal interface and not like a tunnel (VTI).
I added two attributes to the interface to configure it and otherwise use it as a normal interface.
One example is:

auto ipsec1
iface ipsec1 inet
    xfrm-physdev lo
    xfrmid 1

Add a new attribute for B.A.T.M.A.N. advanced interfaces to control the
B.A.T.M.A.N. advanced routing algorithm to be used when setting up new
interfaces. As the routing algorithm must be set before an interface is
created, it needs special handling and can't be implemented as a common
attribute. D'oh.
Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Tested-by: Annika Wickert <aw@awlnx.space>
On ifreload (down ops) we need to purge the cache entry of the bridge and its upper devices
to avoid stale values in our cache.
ifup this config, then remove bridge-vids 20, ifreload: since the bridge is removed because
of ifreload_down_changed=1, we need to recreate the vlan bridge.10 and its configuration, the
cache is stale. We need to clear it to remove the ip 10.10.10.10/32.

auto bridge
iface bridge
    bridge-ports swp1 swp2
    bridge-vids 10 20
    bridge-vlan-aware yes

auto swp1
iface swp1
    link-speed 10000

auto swp2
iface swp2

auto bridge.10
iface bridge.10
    address 10.10.10.10/32

Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
New VRRP macvlan devices should be set into protodown when first
created, to prevent ND traffic and other automatically generated kernel
traffic from being transmitted on the interface and causing downstream
MAC moves.
Reviewed-by: Julien Fortin <julien@cumulusnetworks.com>
Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
Now we support the following config:
auto swp1
iface swp1
    vrrp 3 50.0.1.1/24
    vrrp 3 2001:50:0:1::1/64
    vrrp 3 2001:50:0:42::1/64

Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
For each VRRP configuration we create 2 macvlans (ip4 and ip6), if the ip4
is removed from the config we need to remove the associated macvlan (same
for ip6).
Testing Done: remove all ip4 (or ip6) from vrr attribute line
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
If igmp snooping is enabled on a vxlan bridge and if the
vxlan_bridge_igmp_snooping_enable_port_mcrouter is turned on, ifupdown2
will automatically enable multicast router on the vxlan brport unless
this attribute was provided by the user. The policy is enabled by default.
The policy can be disabled as follows:

{
    "bridge": {
        "module_globals": {
            "vxlan_bridge_igmp_snooping_enable_port_mcrouter": "no"
        }
    }
}

auto br0
iface br0
    bridge-ports vx42
    bridge-mcsnoop yes

auto vx42
iface vx42
    vxlan-id 42

$ ifreload -ad
will show that the config is applied
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
Add a vrrp config under swp intf - ifup, then remove the vrrp config - ifreload
the macvlans are not removed without this patch
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
New vxlan-ttl attribute: specifies the TTL value to use in outgoing
packets. Valid values: range 1..255 or auto (0)
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
The new code base supports installation via pypi so we need to update the
import statements.
It's also good practice to use the existing IO APIs to read/write and execute
sub-commands, those APIs will do error handling and logging.
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
batman wasn't in master-next so it got removed during the last merge
this commit adds it back to master.
See PR #12
From Maximilian Wilhelm:
This commit adds support for configuring B.A.T.M.A.N. advanced interfaces
with ifupdown2. B.A.T.M.A.N. advanced is a protocol to build Layer2 based
mesh networks with. It's supported in the Linux kernel and thus available
in many Linux environments.
A configuration could look like this

auto bat0
iface bat0
    batman-ifaces eth1 eth2.23
    batman-ifaces-ignore-regex .*_nodes
    batman-hop-penalty 23
    #
    address 192.0.2.42/24

where »bat0« would be the local connection to the mesh network.
The interfaces »eth1« and »eth2.23« would be used by the B.A.T.M.A.N. adv.
protocol to communicate to other members of the mesh network.
Any interfaces matching the »ifaces-ignore-regex« will be gently ignored
by ifquery and ifreload as there might be some tunnels or interfaces
added to the mesh network by other means which should not be removed by
any subsequent ifreload run.
The »hop-penalty« parameter sets the penalty of this node within the mesh
network.
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Author: Maximilian Wilhelm <max@rfc2324.org>
During the recent merge between master and master-next the changes introduced
by PR #80 were lost. This commit adds them back with some refactoring to use
the new netlink cache.
Co-authored-by: Maximilian Wilhelm <max@sdn.clinic>
Co-authored-by: Julien Fortin <julien@cumulusnetworks.com>
Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
Because of a typo (use of the wrong object) we weren't looking at the correct
ifaceobj for LINK_DOWN lookup. In some cases we didn't honor link-down yes
on VRF slaves.
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
On --show-fec, ethtool seems to return fec in uppercase while
we only advertise lowercase validvals. We should only deal with
and compare lowercase values for running, config and default.
root@host:/home/cumulus# /sbin/ethtool --show-fec swp29
FEC parameters for swp29:
FEC encodings : RS
root@host:/home/cumulus#
testing:
set: link-fec rs
ifup/ifreloads
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
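
The case mismatch described in the commit message above, as an added example that is not ifupdown2's own code: it parses `ethtool --show-fec` output in the format quoted above and compares it with the configured link-fec value in lowercase only. The function names and the VALID_FEC set are assumptions made for this illustration.

```python
# Added illustration, not ifupdown2 code. VALID_FEC is an assumed set of
# lowercase values accepted for link-fec; it is not taken from the page.
VALID_FEC = {"rs", "baser", "auto", "off"}

# Output in the format quoted in the commit message above.
SAMPLE = "FEC parameters for swp29:\nFEC encodings : RS\n"
# Constructed sample with several mixed-case encodings on one line.
SAMPLE_MULTI = "FEC parameters for swp1:\nFEC encodings : BaseR RS\n"


def parse_show_fec(output):
    """Return the set of FEC encodings in `output`, normalised to lowercase."""
    encodings = set()
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        # Skip the "FEC parameters for <dev>:" header and unrelated lines.
        if not sep or "fec encoding" not in key.lower():
            continue
        encodings.update(token.lower() for token in value.split())
    return encodings


def naive_in_sync(configured, output):
    """Case-sensitive comparison: reports a mismatch for 'rs' vs 'RS'."""
    raw = output.splitlines()[-1].partition(":")[2].split()
    return configured in raw


def fec_in_sync(configured, output):
    """Compare the configured value with the running one, both lowercased."""
    wanted = configured.strip().lower()
    if wanted not in VALID_FEC:
        raise ValueError("invalid link-fec value: %r" % configured)
    return wanted in parse_show_fec(output)


if __name__ == "__main__":
    print("naive:", naive_in_sync("rs", SAMPLE))
    print("normalised:", fec_in_sync("rs", SAMPLE))
```

With the naive comparison the running state never matches the config, so every ifreload would see link-fec as changed.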
As shown in the following example, ifupdown1 sets the default route with the
onlink attribute. This patch will add this capability to ifupdown2 controlled
by a policy variable in the address module: "l3_intf_default_gateway_set_onlink"
(defaults to on).
[19:16:07] root:~ # cat /etc/network/interfaces
auto lo
iface lo inet loopback

auto enp0s3
iface enp0s3 inet static
    address 78.46.193.234/32
    gateway 172.31.1.1
[19:16:19] root:~ # ifup -a -v
ifup: configuring interface enp0s3=enp0s3 (inet)
...
/bin/ip addr add 78.46.193.234/255.255.255.255 broadcast 78.46.193.234 dev enp0s3 label enp0s3
/bin/ip link set dev enp0s3 up
/bin/ip route add default via 172.31.1.1 dev enp0s3 onlink
...
[19:16:21] root:~ # ip route show
default via 172.31.1.1 dev enp0s3 onlink
10.0.2.0/24 dev enp0s3 proto kernel scope link src 10.0.2.15
169.254.0.0/16 dev enp0s3 scope link metric 1000
[19:16:21] root:~ #
$ cat /etc/network/ifupdown2/policy.d/address.json
{
    "address": {
        "module_globals": {
            "l3_intf_default_gateway_set_onlink": "yes"
        }
    }
}
$ ifquery swp1
auto swp1
iface swp1 inet static
    address 78.46.193.234/32
    gateway 172.31.1.1
$ ifreload -av |& grep "route add default"
info: executing /bin/ip route add default via 172.31.1.1 proto kernel dev swp1 onlink
$
$
$ emacs -nw /etc/network/ifupdown2/policy.d/address.json
$ cat /etc/network/ifupdown2/policy.d/address.json
{
    "address": {
        "module_globals": {
            "l3_intf_default_gateway_set_onlink": "no"
        }
    }
}
$ ifdown -a -X eth0
$ ifreload -av |& grep "route add default"
info: executing /bin/ip route add default via 172.31.1.1 proto kernel dev swp1
$
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
-n sets DRYRUN flags, when DRYRUN is set many functions return True
(like link_exists), in this case vxlanattrs is set to False because
not cached. But since link_exists=True we still try to access it like
a dictionary.
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
The issue here lies with how we query the cache to get the IP addresses
configured on the macvlan. A few months ago we added support for link scope
addresses in the cache, since the kernel may add its own link address to
some interfaces we need to filter them out when querying the cache (because
we just want to get the list of IPs managed by ifupdown2). To perform this
filtering we need to look at the current user configuration (/e/n/i) but we
also need to look at past configuration. To perform this filtering we need
to provide the API LinkUtils:get_running_addrs a special parameter for
address-virtual (we need an ifaceobj).
$ ifquery -a
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto vlan1000
iface vlan1000
    address 192.168.10.2/24
    address fc00:10::2/64
    address-virtual 00:00:5e:00:01:01 192.168.10.1/24 fc00:10::1/64 fe80::1/64
    address-virtual-ipv6-addrgen off
    vlan-id 1000
    vlan-raw-device bridge
    vrf blue

auto bridge
iface bridge
    bridge-ports swp1

auto blue
iface blue
    vrf-table auto

$ ifreload -a
$ echo $?
0
$ ifquery -a -c
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp [pass]

auto vlan1000
iface vlan1000 [pass]
    vlan-raw-device bridge [pass]
    vlan-id 1000 [pass]
    vrf blue [pass]
    address 192.168.10.2/24 [pass]
    address fc00:10::2/64 [pass]
    address-virtual 00:00:5e:00:01:01 192.168.10.1/24 fc00:10::1/64 fe80::1/64 [pass]
    address-virtual-ipv6-addrgen off [pass]

auto bridge
iface bridge [pass]
    bridge-ports swp1 [pass]

auto blue
iface blue [pass]
    vrf-table 1001 [pass]

$ ifquery -r vlan1000
auto vlan1000
iface vlan1000
    vlan-id 1000
    vlan-protocol 802.1Q
    vlan-raw-device bridge
    address 192.168.10.2/24
    address fc00:10::2/64
    address-virtual 00:00:5e:00:01:01 192.168.10.1/24 fe80::1/64 fc00:10::1/64
    address-virtual-ipv6-addrgen off
$
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>