bond: bridge: T4534: error out if member interface is assigned to a VRF instance

It makes no sense to enslave an interface to a bond or a bridge device if it is
bound to a given VRF. If VRFs should be used - the encapuslating/master
interface should be part of the VRF.

Error out if the member interface is part of a VRF.

(cherry picked from commit 87d2dff241d9ab4de9f3a2c7fbf9852934557aef)

3 files changed, 34 insertions, 0 deletions

diff --git a/python/vyos/validate.py b/python/vyos/validate.py
index 23e88b5ac..9aa23d3dc 100644
--- a/python/vyos/validate.py
+++ b/python/vyos/validate.py
@@ -260,3 +260,22 @@ def has_address_configured(conf, intf):
 
     conf.set_level(old_level)
     return ret
+
+def has_vrf_configured(conf, intf):
+    """
+    Checks if interface has a VRF configured.
+
+    Returns True if interface has VRF configured, False if it doesn't.
+    """
+    from vyos.ifconfig import Section
+    ret = False
+
+    old_level = conf.get_level()
+    conf.set_level([])
+
+    tmp = ['interfaces', Section.get_config_path(intf), 'vrf']
+    if conf.exists(tmp):
+        ret = True
+
+    conf.set_level(old_level)
+    return ret
diff --git a/src/conf_mode/interfaces-bonding.py b/src/conf_mode/interfaces-bonding.py
index 55ffb184d..06e6f059a 100755
--- a/src/conf_mode/interfaces-bonding.py
+++ b/src/conf_mode/interfaces-bonding.py
@@ -35,6 +35,7 @@ from vyos.ifconfig import BondIf
 from vyos.ifconfig import Section
 from vyos.util import dict_search
 from vyos.validate import has_address_configured
+from vyos.validate import has_vrf_configured
 from vyos import ConfigError
 from vyos import airbag
 airbag.enable()
@@ -125,6 +126,10 @@ def get_config(config=None):
             tmp = has_address_configured(conf, interface)
             if tmp: bond['member']['interface'][interface].update({'has_address' : {}})
 
+            # bond members must not have a VRF attached
+            tmp = has_vrf_configured(conf, interface)
+            if tmp: bond['member']['interface'][interface].update({'has_vrf' : {}})
+
     return bond
 
 
@@ -181,6 +186,8 @@ def verify(bond):
             if 'has_address' in interface_config:
                 raise ConfigError(error_msg + 'it has an address assigned!')
 
+            if 'has_vrf' in interface_config:
+                raise ConfigError(error_msg + 'it has a VRF assigned!')
 
     if 'primary' in bond:
         if bond['primary'] not in bond['member']['interface']:
diff --git a/src/conf_mode/interfaces-bridge.py b/src/conf_mode/interfaces-bridge.py
index a0cfca0af..9ad39e080 100755
--- a/src/conf_mode/interfaces-bridge.py
+++ b/src/conf_mode/interfaces-bridge.py
@@ -30,6 +30,7 @@ from vyos.configverify import verify_dhcpv6
 from vyos.configverify import verify_vrf
 from vyos.ifconfig import BridgeIf
 from vyos.validate import has_address_configured
+from vyos.validate import has_vrf_configured
 from vyos.xml import defaults
 
 from vyos.util import cmd
@@ -92,6 +93,10 @@ def get_config(config=None):
             tmp = has_address_configured(conf, interface)
             if tmp: bridge['member']['interface'][interface].update({'has_address' : ''})
 
+            # Bridge members must not have a VRF attached
+            tmp = has_vrf_configured(conf, interface)
+            if tmp: bridge['member']['interface'][interface].update({'has_vrf' : ''})
+
             # VLAN-aware bridge members must not have VLAN interface configuration
             tmp = has_vlan_subinterface_configured(conf,interface)
             if 'enable_vlan' in bridge and tmp:
@@ -130,6 +135,9 @@ def verify(bridge):
             if 'has_address' in interface_config:
                 raise ConfigError(error_msg + 'it has an address assigned!')
 
+            if 'has_vrf' in interface_config:
+                raise ConfigError(error_msg + 'it has a VRF assigned!')
+
             if 'enable_vlan' in bridge:
                 if 'has_vlan' in interface_config:
                     raise ConfigError(error_msg + 'it has VLAN subinterface(s) assigned!')