From 665d1c5bdb24aa0aef79405dc2f2962b930fb9b3 Mon Sep 17 00:00:00 2001 From: Thomas Mangin Date: Tue, 3 Mar 2020 20:01:56 +0100 Subject: vrf: T31: initial support for a VRF backend in XML/Python This is a work in progress to complete T31 whoever thought it was less than 1 hour of work was ..... optimistic. Only VRF vreation and show is supported right now. No interface can be bound to any one VRF. --- interface-definitions/include/interface-vrf.xml.i | 12 ++ interface-definitions/vrf.xml.in | 58 +++++++ op-mode-definitions/show-vrf.xml | 24 +++ python/vyos/vrf.py | 23 +++ src/completion/list_vrf.py | 27 ++++ src/conf_mode/vrf.py | 186 ++++++++++++++++++++++ src/validators/interface-name | 29 ++++ 7 files changed, 359 insertions(+) create mode 100644 interface-definitions/include/interface-vrf.xml.i create mode 100644 interface-definitions/vrf.xml.in create mode 100644 op-mode-definitions/show-vrf.xml create mode 100644 python/vyos/vrf.py create mode 100755 src/completion/list_vrf.py create mode 100755 src/conf_mode/vrf.py create mode 100755 src/validators/interface-name diff --git a/interface-definitions/include/interface-vrf.xml.i b/interface-definitions/include/interface-vrf.xml.i new file mode 100644 index 000000000..7e880e6ee --- /dev/null +++ b/interface-definitions/include/interface-vrf.xml.i @@ -0,0 +1,12 @@ + + + VRF instance name + + vrf name + + + + + VRF name not allowed or to long + + diff --git a/interface-definitions/vrf.xml.in b/interface-definitions/vrf.xml.in new file mode 100644 index 000000000..e270e8b90 --- /dev/null +++ b/interface-definitions/vrf.xml.in @@ -0,0 +1,58 @@ + + + + + VRF configuration + + 210 + + + + + Disable services running on the default VRF from other VRF (ssh, bgp, ...) + + + + + + Enable binding across all VRF domains for IPv4 + + + + + + + Virtual Routing and Forwarding + + + + VRF name not allowed or to long + + name + the vrf name must not contain '/' and be 16 characters or less + + + + + + The routing table to associate to this VRF + + + + Invalid kernel table number + + number + the VRF must be a number between 1 and 2^31-1 + + + + + + Description of the VRF role + + + + + + + \ No newline at end of file diff --git a/op-mode-definitions/show-vrf.xml b/op-mode-definitions/show-vrf.xml new file mode 100644 index 000000000..fb2fddd49 --- /dev/null +++ b/op-mode-definitions/show-vrf.xml @@ -0,0 +1,24 @@ + + + + + + + Show VRF information + + ${vyos_completion_dir}/list_vrf.py -e + + + + Show VRF information for an interface + + + + + ${vyos_completion_dir}/list_vrf.py -e "$4" + + + + + + diff --git a/python/vyos/vrf.py b/python/vyos/vrf.py new file mode 100644 index 000000000..99e4cb7d1 --- /dev/null +++ b/python/vyos/vrf.py @@ -0,0 +1,23 @@ +# Copyright 2020 VyOS maintainers and contributors +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see . + +import json +import subprocess + + +def list_vrfs(): + command = 'ip -j -br link show type vrf' + answer = json.loads(subprocess.check_output(command.split()).decode()) + return [_ for _ in answer if _] diff --git a/src/completion/list_vrf.py b/src/completion/list_vrf.py new file mode 100755 index 000000000..210b3c9a4 --- /dev/null +++ b/src/completion/list_vrf.py @@ -0,0 +1,27 @@ +#!/usr/bin/env python3 + +import argparse +import vyos.vrf + +parser = argparse.ArgumentParser() +group = parser.add_mutually_exclusive_group() +group.add_argument("-e", "--extensive", action="store_true", + help="provide detailed vrf informatio") +parser.add_argument('interface', metavar='I', type=str, nargs='?', + help='interface to display') + +args = parser.parse_args() + +if args.extensive: + print('{:16} {:7} {:17} {}'.format('interface', 'state', 'mac', 'flags')) + print('{:16} {:7} {:17} {}'.format('---------', '-----', '---', '-----')) + for vrf in vyos.vrf.list_vrfs(): + name = vrf['ifname'] + if args.interface and name != args.interface: + continue + state = vrf['operstate'].lower() + mac = vrf['address'].lower() + info = ','.join([_.lower() for _ in vrf['flags']]) + print(f'{name:16} {state:7} {mac:17} {info}') +else: + print(" ".join([vrf['ifname'] for vrf in vyos.vrf.list_vrfs()])) diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py new file mode 100755 index 000000000..9896c7c85 --- /dev/null +++ b/src/conf_mode/vrf.py @@ -0,0 +1,186 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import os + +from sys import exit +from copy import deepcopy +from vyos.config import Config +from vyos import ConfigError +from vyos import vrf + + +# https://github.com/torvalds/linux/blob/master/Documentation/networking/vrf.txt + + +def sysctl(name, value): + os.system('sysctl -wq {}={}'.format(name, value)) + +def interfaces_with_vrf (match, effective): + matched = [] + config = Config() + section = config.get_config_dict('interfaces', effective) + for type in section: + interfaces = section[type] + for name in interfaces: + interface = interfaces[name] + if 'vrf' in interface: + v = interface.get('vrf', '') + if v == match: + matched.append(name) + return matched + +def get_config(): + command = { + 'bind':{}, + 'vrf':[], + 'int': {}, # per vrf name list of interfaces which will have it + } + + config = Config() + + old = {} + new = {} + + if config.exists_effective('vrf'): + old = deepcopy(config.get_config_dict('vrf', True)) + + if config.exists('vrf'): + new = deepcopy(config.get_config_dict('vrf', False)) + + integer = lambda _: '1' if _ else '0' + command['bind']['ipv4'] = integer('ipv4' not in new.get('disable-bind-to-all', {})) + command['bind']['ipv6'] = integer('ipv6' not in new.get('disable-bind-to-all', {})) + + old_names = old.get('name', []) + new_names = new.get('name', []) + all_names = list(set(old_names) | set(new_names)) + del_names = list(set(old_names).difference(new_names)) + mod_names = list(set(old_names).intersection(new_names)) + add_names = list(set(new_names).difference(old_names)) + + for name in all_names: + v = { + 'name': name, + 'action': 'miss', + 'table': -1, + 'check': -1, + } + + if name in new_names: + v['table'] = new.get('name', {}).get(name, {}).get('table', -1) + v['check'] = old.get('name', {}).get(name, {}).get('table', -1) + + if name in add_names: + v['action'] = 'add' + elif name in del_names: + v['action'] = 'delete' + elif name in mod_names: + if v['table'] != -1: + if v['check'] == -1: + v['action'] = 'add' + else: + v['action'] = 'modify' + + command['vrf'].append(v) + + for v in vrf.list_vrfs(): + name = v['ifname'] + command['int'][name] = interfaces_with_vrf(name,False) + + return command + + +def verify(command): + for v in command['vrf']: + action = v['action'] + name = v['name'] + if action == 'modify' and v['table'] != v['check']: + raise ConfigError(f'set vrf name {name}: modification of vrf table is not supported yet') + if action == 'delete' and name in command['int']: + interface = ', '.join(command['int'][name]) + if interface: + raise ConfigError(f'delete vrf name {name}: can not delete vrf as it is used on {interface}') + + return command + + +def generate(command): + return command + + +def apply(command): + # set the default VRF global behaviour + sysctl('net.ipv4.tcp_l3mdev_accept', command['bind']['ipv4']) + sysctl('net.ipv4.udp_l3mdev_accept', command['bind']['ipv4']) + + errors = [] + for v in command['vrf']: + name = v['name'] + action = v['action'] + table = v['table'] + + errors.append(f'could not {action} vrf {name}') + + if action == 'miss': + continue + + if action == 'delete': + if os.system(f'sudo ip link delete dev {name}'): + continue + errors.pop() + continue + + if action == 'modify': + # > uname -a + # Linux vyos 4.19.101-amd64-vyos #1 SMP Sun Feb 2 10:18:07 UTC 2020 x86_64 GNU/Linux + # > ip link add my-vrf type vrf table 100 + # > ip link set my-vrf type vrf table 200 + # RTNETLINK answers: Operation not supported + # so require to remove vrf and change all existing the interfaces + + if os.system(f'sudo ip link delete dev {name}'): + continue + action = 'add' + + if action == 'add': + commands = [ + f'sudo ip link add {name} type vrf table {table}', + f'sudo ip link set dev {name} up', + f'sudo ip -4 rule add oif {name} lookup {table}', + f'sudo ip -4 rule add iif {name} lookup {table}', + f'sudo ip -6 rule add oif {name} lookup {table}', + f'sudo ip -6 rule add iif {name} lookup {table}', + ] + + for command in commands: + if os.system(command): + errors[-1] += ' ('+command+')' + continue + errors.pop() + + if errors: + raise ConfigError(', '.join(errors)) + +if __name__ == '__main__': + try: + c = get_config() + verify(c) + generate(c) + apply(c) + except ConfigError as e: + print(e) + exit(1) diff --git a/src/validators/interface-name b/src/validators/interface-name new file mode 100755 index 000000000..49a833f39 --- /dev/null +++ b/src/validators/interface-name @@ -0,0 +1,29 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2018 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# +# + +import sys +import re + +if len(sys.argv) == 2: + # https://unix.stackexchange.com/questions/451368/allowed-chars-in-linux-network-interface-names + pattern = "^([^/\s]{1,16}$)$" + if re.match(pattern, sys.argv[1]): + sys.exit(0) + else: + sys.exit(1) + -- cgit v1.2.3