This commit adds support for configuring GRE/IPIP/SIT tunnel interfaces as know
from previous versions of ifupdown. Currently only configuration checks for GRE
and SIT tunnels are implemented.
A tunnel interface configuration could look like this:
auto gre42
iface gre42 inet tunnel
mode gre
local 198.51.100.1
endpoint 203.0.113.2
#
# optional tunnel attributes
ttl 64
mtu 1400
tunnel-physdev eth0
#
address 192.0.2.42/31
address 2001:db8:d0c:23::42/64
auto he-ipv6
iface he-ipv6 inet tunnel
mode sit
endpoint 203.0.113.6
local 198.51.100.66
#
# optional tunnel attributes
ttl 255
mtu 1466
tunnel-physdev vrf_external
#
address 2001:db8:666::2/64
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
closes#58
In linux its possible to assign a vlan-aware bridge an ip address
For some use cases is it useful to restrict users from configuring
ips on bridges VA. This patch will let admins and distributions
decide if it is necessary to warn the user in such case.
The patch introduces a new 'address' policy:
vlan_aware_bridge_address_support: yes|no|on|off|0|1 (default to yes)
[16:46:09] root:~ # cat /var/lib/ifupdown2/policy.d/address.json
{
"address": {
"module_globals": {
"enable_l3_iface_forwarding_checks": "yes"
},
"defaults": {
"mtu": "1500",
"ip-forward": "on",
"ip6-forward": "on"
}
}
}
[16:46:16] root:~ # ifquery -a
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto bridge
iface bridge
bridge-ports swp1
bridge-vlan-aware yes
address 10.10.10.10/32
[16:46:20] root:~ # ifup -a --syntax-check
[16:46:22] root:~ # echo $?
0
[16:46:33] root:~ # nano /var/lib/ifupdown2/policy.d/address.json
[16:46:47] root:~ # cat /var/lib/ifupdown2/policy.d/address.json
{
"address": {
"module_globals": {
"enable_l3_iface_forwarding_checks": "yes",
"vlan_aware_bridge_address_support": "no"
},
"defaults": {
"mtu": "1500",
"ip-forward": "on",
"ip6-forward": "on"
}
}
}
[16:46:48] root:~ # ifup -a --syntax-check
warning: bridge: ignoring ip address. Assigning an IP address is not allowed on bridge vlan aware interfaces
[16:46:51] root:~ # echo $?
1
[16:46:52] root:~ #
Reviewed-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
$ ifquery -a
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
vrf mgmt
link-down yes
auto mgmt
iface mgmt
vrf-table auto
$ ifup -a -d
...
...
debug: mgmt: pre-up : running module vrf
info: executing /usr/lib/vrf/vrf-helper create mgmt 1001
debug: mgmt: eth0: slave configured with link-down yes
info: mgmt: netlink: ip link set dev mgmt up
...
$ ip link show eth0
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master mgmt state DOWN mode DEFAULT group default qlen 1000
link/ether 08:00:27:80:e2:97 brd ff:ff:ff:ff:ff:ff
Reviewed-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
In linux its possible to assign an ip address to a vlan-aware bridge
For some use cases is it useful to restrict users from configuring ips on
bridges VA. This patch will let admins and distributions decide if it is
necessary to warn the user in such case.
The patch introduces a new configuration variable in:
/etc/network/ifudpown2/ifupdown2.conf
vlan_aware_bridge_address_support: yes|no|on|off|0|1 (default to yes)
[8:30:41] root:~ # cat /etc/network/ifupdown2/ifupdown2.conf | grep "vlan_aware_bridge_address_support"
[8:30:43] root:~ # ifquery bridge
auto bridge
iface bridge
bridge-ports swp1
bridge-vlan-aware yes
address 10.10.10.10
[8:30:46] root:~ # ifup bridge --syntax-check
[8:30:52] root:~ # echo $?
0
[8:30:54] root:~ # echo "vlan_aware_bridge_address_support=no" >> /etc/network/ifupdown2/ifupdown2.conf
[8:31:11] root:~ # ifup bridge --syntax-check
warning: bridge: ignoring ip address. Assigning an IP address is not allowed on bridge vlan aware interfaces
[8:31:14] root:~ # echo $?
1
[8:31:17] root:~ #
[8:31:20] root:~ # ifup -a
[8:31:22] root:~ # echo $?
0
[8:31:25] root:~ # ifquery bridge -c
auto bridge
iface bridge [fail]
bridge-vlan-aware yes [pass]
bridge-ports swp1 [pass]
address 10.10.10.10 [fail]
[8:31:29] root:~ # ifdown bridge && ifup bridge -v |& grep "bridge vlan aware interfaces"
info: bridge: ignoring ip address. Assigning an IP address is not allowed on bridge vlan aware interfaces
[8:31:57] root:~ #
Reviewed-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
Now that some system support ip addr METRIC sets we dont have to do this
"fix_connected_route" hack. The hack was previously introduced to make
sure the primary address was the first in the routing table. Some events
could cause some issues like having the macvlan address first in the
routing table. In that case the macvlan needs to be flapped. This shouldn't
happen when we are able to set the address metric
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
[14:53:46] root:~ # ifquery -a
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto vlan1903
iface vlan1903
alias LAB-CUST-VMS
vlan-id 1903
vlan-raw-device bridge
address 2a06:c01:1:1903::3/64
address 185.98.123.3/24
address-virtual 00:00:5e:00:01:a3 2a06:c01:1:1903::1/64 fe80::1/64 185.98.123.1/24
vrf public
auto public
iface public
vrf-table auto
auto bridge
iface bridge
bridge-ports swp1
[14:53:47] root:~ # ifup -a
[14:53:50] root:~ # ip addr show vlan1903-v0
46: vlan1903-v0@vlan1903: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master public state UP group default
link/ether 00:00:5e:00:01:a3 brd ff:ff:ff:ff:ff:ff
inet 185.98.123.1/24 scope global vlan1903-v0
valid_lft forever preferred_lft forever
inet6 2a06:c01:1:1903::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::200:5eff:fe00:1a3/64 scope link
valid_lft forever preferred_lft forever
inet6 fe80::1/64 scope link
valid_lft forever preferred_lft forever
[14:53:52] root:~ #
[14:53:54] root:~ #
[14:53:54] root:~ # nano /etc/network/interfaces
[14:53:57] root:~ # ifquery vlan1903
auto vlan1903
iface vlan1903
alias LAB-CUST-VMS
vlan-id 1903
vlan-raw-device bridge
address 2a06:c01:1:1903::3/64
address 185.98.123.3/24
address-virtual 00:00:5e:00:01:a3 2a06:c01:1:1903::1/64 fe80::1/64 185.98.123.1/24
address-virtual-ipv6-addrgen off
vrf public
[14:54:05] root:~ # ifdown -a -X eth0
[14:54:08] root:~ # ifup -a -v
...
...
info: executing /bin/ip -force -batch - [link set dev vlan1903-v0 master public
link set dev vlan1903-v0 addrgenmode none
link set dev vlan1903-v0 down
link set dev vlan1903-v0 address 00:00:5e:00:01:a3
link set dev vlan1903-v0 up
addr add 2a06:c01:1:1903::1/64 dev vlan1903-v0
addr add fe80::1/64 dev vlan1903-v0
addr add 185.98.123.1/24 dev vlan1903-v0
route del 2a06:c01:1:1903::/64 table 1001 dev vlan1903-v0
route del fe80::/64 table 1001 dev vlan1903-v0
route add 2a06:c01:1:1903::/64 table 1001 dev vlan1903-v0 proto kernel metric 9999
route add fe80::/64 table 1001 dev vlan1903-v0 proto kernel metric 9999
]
...
...
[14:54:14] root:~ # ip addr show vlan1903-v0
50: vlan1903-v0@vlan1903: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master public state UP group default
link/ether 00:00:5e:00:01:a3 brd ff:ff:ff:ff:ff:ff
inet 185.98.123.1/24 scope global vlan1903-v0
valid_lft forever preferred_lft forever
inet6 2a06:c01:1:1903::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::1/64 scope link
valid_lft forever preferred_lft forever
[14:54:16] root:~ #
Reviewed-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
backporting the following commit to master-next:
commit eb92e5efff776602081b8bbd2cc74462293c4b79
Author: Maximilian Wilhelm <max@rfc2324.org>
Date: Thu Oct 6 19:22:06 2016 +0200
Add support for setting phys-dev for VXLAN interfaces.
Add interface configuration option »vxlan-physdev« to set »dev« attribute
of VXLAN interfaces and a check for the running configuration.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
This backport also:
- adds support for ifquery --running
- uses the netlink cache
- includes some pep8 fixes
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Co-authored-by: Julien Fortin <julien@cumulusnetworks.com>
Co-authored-by: Maximilian Wilhelm <max@rfc2324.org>
this has been upstreamed recently in linux kernel, with
IFLA_BRPORT_NEIGH_SUPPRESS, with 32 as netlink value.
https://www.spinics.net/lists/linux-ethernet-bridging/msg06910.html
Cumulus is using a temp 152 number in his own kernel.
This is needed for bgp evpn and anycast gateway.
auto vmbr3
iface vmbr3
bridge_ports vxlan3
bridge_stp off
bridge_fd 0
auto vxlan3
iface vxlan3 inet manual
vxlan-id 3
vxlan-local-tunnelip 10.59.100.231
bridge-learning off
bridge-arp-nd-suppress on
info: reading '/sys/class/net/vmbr3/bridge/stp_state'
debug: vmbr3: evaluating port expr '['vxlan3']'
debug: _cache_get(['vxlan3', 'hwaddress']) : ['hwaddress']
debug: reading '/sys/class/net/vxlan3/address'
info: writing '1' to file /proc/sys/net/ipv6/conf/vxlan3/disable_ipv6
info: executing /bin/ip -force -batch - [link set dev vxlan3 master vmbr3
addr flush dev vxlan3
]
info: vmbr3: applying bridge port configuration: ['vxlan3']
info: vmbr3: vxlan3: set bridge-learning off
debug: (cache None)
info: vmbr3: vxlan3: set bridge-arp-nd-suppress on
debug: (cache None)
info: vmbr3: vxlan3: vxlan learning and bridge learning out of sync: set False
info: vxlan3: netlink: ip link set dev vxlan3: bridge slave attributes
debug: vxlan3: ifla_info_data {7: False}
debug: vxlan3: ifla_info_slave_data {8: False, 152: True}
This is a major update coming all at once from master-next branch
master-next branch was started with --orphan option which is basically a new
branch without history.
The major changes are:
- repackaging
- cleanup the directory tree
- rewritte setup.py to allow install from deb file or pypi (pip install)
- add a Makefile to make things (like building a deb) easier
- review all debian files
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
Latest additions added a bunch of new tunnel modes but didn't add support
to read in these modes which breaks 'ifquery' as it falsely marks the mode
as 'fail'.
Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Create all tunnels - except gretap - with 'ip tunnel', as this supports
most tunnel modes; create gretap tunnels with 'ip link'.
Rework the whole concept of tunnel updates and make sure a tunnel only is
changed - recreated - IFF the configuration has changed. In previos code
'tunnel change' was called on every _up() call. The 'tunnel change' part
was removed completely as it doesn't work on many occations. So IFF the
tunnel related interface configuration has changed, the tunnel is removed
and recreated.
fixes#78
Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
$ cat /etc/network/interfaces
auto v0
iface v0
link-type veth
vrf blue
auto blue
iface blue
vrf-table auto
$ ifreload -a
$ echo $?
0
$ ifquery -a -c
auto v0
iface v0 [pass]
link-type veth [pass]
vrf blue [pass]
auto blue
iface blue [pass]
vrf-table 1001 [pass]
$ echo $?
0
Reported-by: Maximilian Wilhelm <max@rfc2324.org>
Signed-off-by: Julien Fortin <julien@cumulusnetworks.com>
This simple patch allows the creation of bridges which should be set up
without any ports, like a bridge for virtual machines on a hosting box.
With this patch ifupdown2 get's a step closer to feature parity and
compatiblity with ifupdown1.
Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
This commit adds support to configure and check gretap tunnels. An example
configuration could look like this:
iface tap0 inet tunnel
mode gretap
local 10.132.255.3
endpoint 10.132.255.1
ttl 64
mtu 1400
tunnel-physdev eth0
#
address 10.10.0.1/2
ifup will happily configure the interface (which it does even without this
patch) and ifquery now can successfully validate the configure interface:
cr03.in.ffho.net:~# ifquery -c tap0
iface tap0 inet tunnel [[ OK ]]
tunnel-physdev eth0 [[ OK ]]
endpoint 10.132.255.1 [[ OK ]]
local 10.132.255.3 [[ OK ]]
mode gretap [[ OK ]]
ttl 64 [[ OK ]]
mtu 1400 [[ OK ]]
address 10.10.0.1/24 [[ OK ]]
Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
* addons: batman_adv: Rework B.A.T.M.A.N. adv. attribute handling.
This commit reworks the internal handling of B.A.T.M.A.N. adv. attributes
within the plugin. The new approach on setting and checking attributes is
more generic and allows adding more B.A.T.M.A.N. adv. which should be set
as attributes of an B.A.T.M.A.N. adv. interface in a simple way.
This commit does not introduce any changes visibile to the user.
Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
* addons: batman_adv: Add support for more B.A.T.M.A.N. adv. attributes.
This commit adds supports for setting the following optional attributes:
* gw-mode (one of { off, client, server })
* multicast-mode (can be 'enabled' or 'disabled')
* distributed-arp-table (cat be 'enabled' or 'disabled')
Example config:
pandora:~# ifquery -c bat-foo
iface bat-foo [pass]
batman-ifaces dummy-bat [pass]
batman-ifaces-ignore-regex [pass]
batman-hop-penalty 7 [pass]
batman-multicast-mode enabled [pass]
batman-distributed-arp-table enabled [pass]
batman-gw-mode client [pass]
Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Due to a simple logic bug the 'pointopoint' attribute was ignored when
specifying and address as <ip/mask> and only considered when IP and mask
where given seperately. This commit fixes this behaviour.
When configured in ptp mode »ip addr« will show the IP address without a
netmask which will make »ifquery -c« mark the IP as failed. The check has
been fixed, too.
Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
