From 4e4c645b47e81ec54c8b02d2f4377664e5689a86 Mon Sep 17 00:00:00 2001
From: Christian Breunig
Date: Wed, 7 Feb 2024 17:40:11 +0100
Subject: vrf: T5973: module is now statically compiled into the kernel
Always enable VRF strict_mode
(cherry picked from commit 117fbcd6237b59f54f2c1c66986a8ce073808c84)
---
 smoketest/scripts/cli/test_vrf.py | 7 +++++--
 src/conf_mode/vrf.py | 14 --------------
 src/etc/sysctl.d/30-vyos-router.conf | 2 ++
 3 files changed, 7 insertions(+), 16 deletions(-)
diff --git a/smoketest/scripts/cli/test_vrf.py b/smoketest/scripts/cli/test_vrf.py
index 6207a1b41..a3090ee41 100755
--- a/smoketest/scripts/cli/test_vrf.py
+++ b/smoketest/scripts/cli/test_vrf.py
@@ -53,14 +53,17 @@ class VRFTest(VyOSUnitTestSHIM.TestCase): # call base-classes classmethod super(VRFTest, cls).setUpClass() + def setUp(self): # VRF strict_most ist always enabled + tmp = read_file('/proc/sys/net/vrf/strict_mode') + self.assertEqual(tmp, '1') + def tearDown(self): # delete all VRFs self.cli_delete(base_path) self.cli_commit() for vrf in vrfs: self.assertNotIn(vrf, interfaces()) - # If there is no VRF defined, strict_mode should be off - self.assertEqual(sysctl_read('net.vrf.strict_mode'), '0') def test_vrf_vni_and_table_id(self): base_table = '1000'
diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py
index f2c544aa6..a2f4956be 100755
--- a/src/conf_mode/vrf.py
+++ b/src/conf_mode/vrf.py
@@ -27,7 +27,6 @@ from vyos.ifconfig import Interface from vyos.template import render from vyos.template import render_to_string from vyos.utils.dict import dict_search -from vyos.utils.kernel import check_kmod from vyos.utils.network import get_interface_config from vyos.utils.network import get_vrf_members from vyos.utils.network import interface_exists
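Review bot: The added setUp assertion only proves strict_mode is 1 before a test starts, while the assertion this commit removes from tearDown was the one placed after the delete-and-commit path that used to rewrite the sysctl; now that vrf.py no longer manages the value, the regression worth guarding against is a VRF removal flipping it back to 0, so I would keep a check after the final `self.cli_commit()` in tearDown as well, e.g. `self.assertEqual(read_file('/proc/sys/net/vrf/strict_mode'), '1')`. The comment on the added line reads `# VRF strict_most ist always enabled` and should be `# VRF strict_mode is always enabled`. The new code reads `/proc/sys/net/vrf/strict_mode` through read_file whereas the removed line used `sysctl_read('net.vrf.strict_mode')`; if that was the only remaining caller of sysctl_read its import (outside this hunk) is now dead, and the comparison against the bare string '1' presumably relies on read_file stripping the trailing newline, which is worth confirming against the helper. setUpClass begins before the hunk and test_vrf_vni_and_table_id continues past its last line.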
@@ -223,18 +222,6 @@ def apply(vrf): # Delete the VRF Kernel interface call(f'ip link delete dev {tmp}') - # Enable/Disable VRF strict mode - # When net.vrf.strict_mode=0 (default) it is possible to associate multiple - # VRF devices to the same table. Conversely, when net.vrf.strict_mode=1 a - # table can be associated to a single VRF device. - # - # A VRF table can be used by the VyOS CLI only once (ensured by verify()), - # this simply adds an additional Kernel safety net - strict_mode = '0' - # Set to 1 if any VRF is defined - if 'name' in vrf: strict_mode = '1' - sysctl_write('net.vrf.strict_mode', strict_mode) - if 'name' in vrf: # Linux routing uses rules to find tables - routing targets are then # looked up in those tables. If the lookup got a matching route, the
@@ -323,7 +310,6 @@ def apply(vrf): if __name__ == '__main__': try: - check_kmod(k_mod) c = get_config() verify(c) generate(c)
diff --git a/src/etc/sysctl.d/30-vyos-router.conf b/src/etc/sysctl.d/30-vyos-router.conf
index 6291be5f0..c9b8ef8fe 100644
--- a/src/etc/sysctl.d/30-vyos-router.conf
+++ b/src/etc/sysctl.d/30-vyos-router.conf
@@ -108,3 +108,5 @@ net.ipv4.tcp_congestion_control=bbr # Disable IPv6 Segment Routing packets by default net.ipv6.conf.all.seg6_enabled = 0 net.ipv6.conf.default.seg6_enabled = 0 + +net.vrf.strict_mode = 1
-- 
cgit v1.2.3
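Review bot: The added `net.vrf.strict_mode = 1` is the only setting in the visible part of this file without an explanatory comment, unlike the neighbouring `# Disable IPv6 Segment Routing packets by default` entry, and nothing near it records why the value may now live in sysctl.d instead of in vrf.py's apply() (per the subject, the vrf code is built into the kernel, so the key presumably exists before sysctl.d is applied at boot). I would add above it `# VRF strict mode: a routing table can be bound to at most one VRF device` and `# (vrf is built into the kernel, so this key is available at boot)`. With the runtime toggle removed in this commit, this line is the sole place the kernel-side guard is enforced, backing the one-table-per-VRF check that the deleted vrf.py comment attributes to verify(); a short pointer to that in the comment would stop a later sysctl.d reordering or override from silently dropping the safety net.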