summaryrefslogtreecommitdiff
path: root/python/vyos/ifconfig/interface.py
AgeCommit message (Collapse)Author
2021-07-17VRF: T3655: proper connection tracking for VRFszsdc
Currently, all VRFs share the same connection tracking table, which can lead to problems: - traffic leaks to a wrong VRF - improper NAT rules handling when multiple VRFs contain the same IP networks - stateful firewall rules issues The commit implements connection tracking zones support. Each VRF utilizes its own zone, so connections will never mix up. It also adds some restrictions to VRF names and assigned table numbers, because of nftables and conntrack requirements: - VRF name should always start from a letter (interfaces that start from numbers are not supported in nftables rules) - table number must be in the 100-65535 range because conntrack supports only 65535 zones
2021-06-21Python: T3641: adjust to changes in latest vesion of netifaces libraryChristian Poessinger
2021-05-21vlan: T3551: support runtime changing of ingress and egress QoS settingsJACK
2021-05-15vyos.ifconfig: T3532: re-create Q-in-Q interface on protocol changeChristian Poessinger
It is not possible to change the VLAN encapsulation protocol "on-the-fly". For this "quirk" we need to actively delete and re-create the VIF-S interface.
2021-05-14vyos.ifconfig: T3535: add helper to get only IPv4 or IPv6 interface addressesChristian Poessinger
2021-03-30xdp: T3448: bail out early on platforms not supporting xdp (e.g. RaspberryPi)Christian Poessinger
2021-03-27vrf: vlan: T3438: do not automatically delete upper interfaceChristian Poessinger
Removing a VLAN (VIF) interface from the CLI always deleted all interfaces the kernel listed as "upper" in the /sys/class/net folder. This had the drawback that when deleting a VIF, also the VRF interface was simply deleted - killing all VRF related services.
2021-03-19bridge: T3415: add port isolation / private-vlan optionChristian Poessinger
Private VLAN, also known as port isolation, is a technique in computer networking where a VLAN contains switch ports that are restricted such that they can only communicate with a given "uplink". The restricted ports are called "private ports". Each private VLAN typically contains many private ports, and a single uplink. The uplink will typically be a port (or link aggregation group) connected to a router, firewall, server, provider network, or similar central resource. Q: https://en.wikipedia.org/wiki/Private_VLAN
2021-03-04Merge pull request #729 from bstepler/T3300Christian Poessinger
dhcp: T3300: add DHCP default route distance
2021-02-28vif: T3349: use fixed ordering when enabling parent and child interfaceChristian Poessinger
When a VIF/VLAN interface is placed in admin down state but the lower interface, serving the vlan, is moved from admin down -> admin up, all its vlan interfaces will be placed in admin up state, too. This is bad as a VLAN interface will become admin up even if its specified as admin down after a reboot. To reproduce: set interfaces ethernet eth1 vif 20 disable set interfaces ethernet eth1 disable commit delete interfaces ethernet eth1 disable commit Now check the interface state and it returns UP,LOWER_UP 7: eth1.20@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether 00:50:56:b3:09:07 brd ff:ff:ff:ff:ff:ff inet6 fe80::250:56ff:feb3:907/64 scope link valid_lft forever preferred_lft forever
2021-02-28vyos.ifconfig: T1579: remove calls to vyos.ifconfig.Interface.get_config()Christian Poessinger
Interface.get_config() was always a pure helper which exposed a "per interface type" dictionary which was then fed by the caller to create interfaces by iproute2 which required additional options during creation time. Such interfaces had been: * tunnel * vxlan * geneve * macsec * wifi * macvlan / pseudo-ethernet The code was always duplicated to convert from the VyOS CLI based get_config_dict() to a dict which can be used to feed iproute2. This path has been removed and we now always feed in the entire dictionary retrieved by get_config_dict() or in the interfaces case, it's high-level wrapper get_interface_dict() to the interface we wan't to create. This also adds the - personally long awaited - possibility to get rid of the derived tunnel classes for e.g. GRE, IPIP, IPIP6 and so on.
2021-02-22vyos.ifconfig: extend debug option to print input dictChristian Poessinger
2021-02-15dhcp: T3300: add DHCP default route distanceBrandon Stepler
2021-02-11mirror: T3297: redirect stderr to /dev/nullJACK
2021-01-27dhcpv6: T3262: don't run DHCPv6 client when only dhcpv6-options is configuredBrandon Stepler
If dhcpv6-options is configured without requesting a DHCPv6 address or PD, the dhcpv6pd variable is assigned an empty dict.
2021-01-16bridge: T3137: Support disable native VLANjack9603301
2021-01-15bridge: T3137: Delete blank linesjack9603301
2021-01-15bridge: T3137: Better implementation of VLAN aware Bridgejack9603301
2021-01-15bridge: T3137: Let VLAN aware bridge approach the behavior of professional ↵jack9603301
equipment According to the consensus, the specific behavior of a VLAN aware bridge should conform to the behavior of professional equipment. This commit makes a significant change to the behavior of VLAN aware bridge, and has the following behaviors: 1. Disable `vif 1` configuration 2. When the VLAN aware bridge is enabled, the parent interface is always VLAN 1 3. When `native-vlan` is not configured, the default behavior of the device is `native-vlan 1` 4. The VLAN ids forwarded by the bridge are determined by `vif` 5. It has an `enable-vlan` node to enable VLAN awareness 6. VLAN configuration is allowed only when VLAN aware bridge is activated
2021-01-13ifconfig: T2653: return empty string when there is no interface descriptionChristian Poessinger
After switching to iproute2 in commit 92f36735 ("ifconfig: T2653: use iproute2 commands for alias, mac and mtu set()/get()" it is necessary to return an empty string as iproute2 returns None.
2021-01-12ifconfig: T2653: use iproute2 commands for alias, mac and mtu set()/get()Christian Poessinger
2021-01-06ifconfig.interface: use Python3 f-ormat stringChristian Poessinger
2021-01-04mirror: T3089: bugfix is_mirror_intf code pathChristian Poessinger
2021-01-03mirror: T3089: remove redundant code pathsChristian Poessinger
- remove redundant code paths apply_mirror() / apply_mirror_of_monitor() - have single source available
2020-12-26mirror: T3150: When configuring QOS, the setting procedure of port mirroring ↵jack9603301
is wrong In e8957b5, we used json to parse the `tc qdisc` filter to determine whether it needs to be deleted (reduction of exception mechanism), but now we find that the json output by this command will output unparsed json in some cases, so We have to go back to the processing of the exception mechanism
2020-12-23xdp: T2666: move CLI node to "interfaces ethernet <eth> xdp"Christian Poessinger
2020-12-20Revert "dhcpv6: T3134: add missing duid support"Christian Poessinger
This reverts commit 9541355433e202fade4692851bffa33ba9d48f44.
2020-12-20dhcpv6: T3134: add missing duid supportChristian Poessinger
2020-12-14interface: mirror: T3089: Improve logic to reduce unnecessary lines of codejack9603301
2020-12-13interfaces: mirror: T3089: Fix the dependency problem between interfacesjack9603301
Since the dependency problem has not been solved before, if the monitoring interface does not exist when the mirror rule is created, the execution will be abnormal
2020-12-13interfaces: T3114: Modify the logic of the second addition to complete the ↵jack9603301
setting and streamline the code
2020-12-13interfaces: T3114: Improve VLAN ID setting logic in `bridge`jack9603301
2020-12-13interfaces: T3114: When the VLAN aware option is not detected, the setting ↵jack9603301
of `bridge` should not be overwritten
2020-12-13interfaces: T3114: Improve the processing of enabling logic for ↵jack9603301
`vlan_filter` to avoid redundant paths
2020-12-13interfaces: T3114: Remove some redundant codejack9603301
2020-12-13interfaces: T3114: Fix VLAN-aware bridge setting failurejack9603301
2020-12-08Merge pull request #633 from jack9603301/T3089Christian Poessinger
mirror: T3089: support two-way traffic mirroring
2020-12-08mirror: T3089: support two-way traffic mirroringjack9603301
2020-12-07vyos.ifconfig: T1579: keep IPv6 link-local address on reconfiguration #2Christian Poessinger
This is the second attempt after commit d247736f ("vyos.ifconfig: T1579: do not remove IPv6 link-local address on reconfiguration"). We only clean out link-local IPv6 addresses left over after an interface MAC change.
2020-12-06Revert "vyos.ifconfig: T1579: do not remove IPv6 link-local address on ↵Christian Poessinger
reconfiguration" This reverts commit d247736f67cc056062b75a4215a031bebcfee2ee. We need to clean link-local IPv6 addresses on link reconfiguration to also drop no longer existing link-local addresse son MAC address change.
2020-12-06vyos.ifconfig: T1579: do not remove IPv6 link-local address on reconfigurationChristian Poessinger
2020-12-04vyos.ifconfig: T1579: migrate "ip source-validation" option from ↵Christian Poessinger
vyatta-cfg-quagga
2020-12-03interface: T3089: Migrate port mirroring to vyos-1xjack9603301
2020-11-27vyos.template: T2720: always enable Jinja2 trim_blocks featureChristian Poessinger
2020-11-19ifconfig: T1405: ensure MAC address is configured firstChristian Poessinger
The MAC address is changed after we have set an IP address on the interface or started dhclient. This will cause some users to receive the wrong IP address on device startup. Change to order of how parameters are set in the system. The interface MAC address is now configured first.
2020-11-13vyos.template: provide general is_ip(v4|v6) helpersChristian Poessinger
We had two places were the is_ip, is_ipv4 and is_ipv6 helpers had been defined. All places now have been converged into vyos.template as they are used both in the Jinja2 templates and also in our scripts.
2020-10-28vyos.util: T2995: rename vyos_dict_search() -> dict_search()Christian Poessinger
Renamed using snippet below: ---------------------------- for file in $(find . -name "*.py") do sed -i "s/vyos_dict_search/dict_search/" $file done
2020-10-18ifconfig: T2985: remove no longer available vyos.ifconfig.stp includeChristian Poessinger
almost every interface can be part of a bridge thus the code for changing STP cost is best part of the Interface() base class itself. Commit b5ef10cf ("ifconfig: T2985: support on demand bridge creation") implemented this change but the STP file was not removed on the test devices causing tests to pass.
2020-10-17ifconfig: T2985: support on demand bridge creationChristian Poessinger
The current implementation for bridge based interfaces has an issue which is caused by priority inheritance. We always assumed that the bridge interface will be created last, but this may not be true in all cases, where some interfaces will be created "on demand" - e.g. OpenVPN or late (VXLAN, GENEVE). As we already have a bunch of verify steps in place we should not see a bridge interface leak to the underlaying infrastructure code. This means, whenever an interface will be member of a bridge, and the bridge does yet not exist, we will create it in advance in the interface context, as the bridge code will be run in the same commit but maybe sooner or later. This will also be the solution for T2924.
2020-10-17sysctl-forwarding: T752: Add disable forwarding for ipv4sever-sever