From 665d1c5bdb24aa0aef79405dc2f2962b930fb9b3 Mon Sep 17 00:00:00 2001 From: Thomas Mangin Date: Tue, 3 Mar 2020 20:01:56 +0100 Subject: vrf: T31: initial support for a VRF backend in XML/Python This is a work in progress to complete T31 whoever thought it was less than 1 hour of work was ..... optimistic. Only VRF vreation and show is supported right now. No interface can be bound to any one VRF. --- interface-definitions/vrf.xml.in | 58 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 interface-definitions/vrf.xml.in (limited to 'interface-definitions/vrf.xml.in') diff --git a/interface-definitions/vrf.xml.in b/interface-definitions/vrf.xml.in new file mode 100644 index 000000000..e270e8b90 --- /dev/null +++ b/interface-definitions/vrf.xml.in @@ -0,0 +1,58 @@ + + + + + VRF configuration + + 210 + + + + + Disable services running on the default VRF from other VRF (ssh, bgp, ...) + + + + + + Enable binding across all VRF domains for IPv4 + + + + + + + Virtual Routing and Forwarding + + + + VRF name not allowed or to long + + name + the vrf name must not contain '/' and be 16 characters or less + + + + + + The routing table to associate to this VRF + + + + Invalid kernel table number + + number + the VRF must be a number between 1 and 2^31-1 + + + + + + Description of the VRF role + + + + + + + \ No newline at end of file -- cgit v1.2.3 From 45904fcd80beaed93e3737d0f78b7f081234fc07 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Wed, 4 Mar 2020 19:10:23 +0100 Subject: vrf: T31: use embedded regex on 'vrf name' instead of python script --- interface-definitions/vrf.xml.in | 8 ++++---- src/validators/interface-name | 29 ----------------------------- 2 files changed, 4 insertions(+), 33 deletions(-) delete mode 100755 src/validators/interface-name (limited to 'interface-definitions/vrf.xml.in') diff --git a/interface-definitions/vrf.xml.in b/interface-definitions/vrf.xml.in index e270e8b90..1fb878f44 100644 
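Review bot: The `table` leaf accepts any routing table number from 1 to 2^31-1 according to its help text, and that range includes the kernel's reserved tables 253 (default), 254 (main) and 255 (local); a VRF created with `table 254` would attach its l3mdev FIB rule to the main table and quietly merge default-VRF routing with the new instance instead of isolating it. The validator element itself is not readable in this rendering (the XML markup was stripped), so this is inferred from the help strings, but unless the range check already excludes those values, the reserved IDs should be rejected either in the validator or in verify(), with help text such as `Routing table ID (1-2147483647; 253-255 are reserved by the kernel)`. The `name` leaf here delegates to the interface-name script that the next commit replaces with an embedded regex, so I raise the name-length point on that hunk instead.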
--- a/interface-definitions/vrf.xml.in +++ b/interface-definitions/vrf.xml.in @@ -22,14 +22,14 @@ - Virtual Routing and Forwarding + VRF instance name - + [^/\s]{1,16}$ - VRF name not allowed or to long + VRF instance name must be 16 characters or less name - the vrf name must not contain '/' and be 16 characters or less + Instance name diff --git a/src/validators/interface-name b/src/validators/interface-name deleted file mode 100755 index 49a833f39..000000000 --- a/src/validators/interface-name +++ /dev/null @@ -1,29 +0,0 @@ -#!/usr/bin/env python3 -# -# Copyright (C) 2018 VyOS maintainers and contributors -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License version 2 or later as -# published by the Free Software Foundation. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . -# -# - -import sys -import re - -if len(sys.argv) == 2: - # https://unix.stackexchange.com/questions/451368/allowed-chars-in-linux-network-interface-names - pattern = "^([^/\s]{1,16}$)$" - if re.match(pattern, sys.argv[1]): - sys.exit(0) - else: - sys.exit(1) - -- cgit v1.2.3 From c3bba9873dd6412d14b073d06c04278de25fed67 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Wed, 4 Mar 2020 19:10:30 +0100 Subject: vrf: T31: reuse interface-description.xml.i for instance description --- interface-definitions/vrf.xml.in | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'interface-definitions/vrf.xml.in') diff --git a/interface-definitions/vrf.xml.in b/interface-definitions/vrf.xml.in index 1fb878f44..717a283aa 100644 --- a/interface-definitions/vrf.xml.in 
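Review bot: `[^/\s]{1,16}$` accepts 16-character names, but Linux interface names are limited to IFNAMSIZ-1 = 15 characters (the sixteenth byte of the buffer is the NUL terminator), so a 16-character VRF name passes validation and only fails later when apply() creates the link; the regex and the help text should both say 15: `[^/\s]{1,15}$` and `VRF instance name must be 15 characters or less`. The pattern is also only `$`-anchored, which is fine if the validator wraps it in a full match but otherwise needs a leading `^`. Note that the class still admits shell metacharacters such as `;`, `$` and backticks; that only matters if `_cmd` in vrf.py builds a shell string containing the name (its implementation is not visible here), but a conservative `^[A-Za-z0-9_.-]{1,15}$` would remove the question entirely.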
+++ b/interface-definitions/vrf.xml.in @@ -46,11 +46,7 @@ - - - Description of the VRF role - - + #include -- cgit v1.2.3 From 8fa0754f3aa8e4df18b0448e970abc01f348366f Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Wed, 4 Mar 2020 19:10:32 +0100 Subject: vrf: T31: improve help for routing table --- interface-definitions/vrf.xml.in | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'interface-definitions/vrf.xml.in') diff --git a/interface-definitions/vrf.xml.in b/interface-definitions/vrf.xml.in index 717a283aa..a6c67e9dd 100644 --- a/interface-definitions/vrf.xml.in +++ b/interface-definitions/vrf.xml.in @@ -2,7 +2,7 @@ - VRF configuration + Virtual Routing and Forwarding 210 @@ -35,14 +35,14 @@ - The routing table to associate to this VRF + Routing table associated with this instance Invalid kernel table number - number - the VRF must be a number between 1 and 2^31-1 + 1-2147483647 + Routing table ID -- cgit v1.2.3 From 93f7ae7f1ed1e218ef64d2582d11ac0ed769a438 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Wed, 4 Mar 2020 19:53:58 +0100 Subject: vrf: T31: rename 'vrf disable-bind-to-all ipv4' to 'vrf bind-to-all' By default the scope of the port bindings for unbound sockets is limited to the default VRF. That is, it will not be matched by packets arriving on interfaces enslaved to an l3mdev and processes may bind to the same port if they bind to an l3mdev. TCP & UDP services running in the default VRF context (ie., not bound to any VRF device) can work across all VRF domains by enabling the 'vrf bind-to-all' option. --- interface-definitions/vrf.xml.in | 15 ++++----------- src/conf_mode/vrf.py | 15 +++++++++------ 2 files changed, 13 insertions(+), 17 deletions(-) (limited to 'interface-definitions/vrf.xml.in') diff --git a/interface-definitions/vrf.xml.in b/interface-definitions/vrf.xml.in index a6c67e9dd..f1895598e 100644 --- a/interface-definitions/vrf.xml.in +++ b/interface-definitions/vrf.xml.in 
@@ -7,19 +7,12 @@ 210 - + - Disable services running on the default VRF from other VRF (ssh, bgp, ...) + Enable binding services to all VRFs + - - - - - Enable binding across all VRF domains for IPv4 - - - - + VRF instance name diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py index ad2b72a5b..e31285dde 100755 --- a/src/conf_mode/vrf.py +++ b/src/conf_mode/vrf.py @@ -24,6 +24,7 @@ from vyos.configdict import list_diff from vyos import ConfigError default_config_data = { + 'bind_to_all': 0, 'deleted': False, 'vrf_add': [], 'vrf_existing': [], @@ -40,7 +41,6 @@ def _cmd(command): pass raise ConfigError(f'Error operationg on VRF: {e}') - def interfaces_with_vrf(match): matched = [] config = Config() @@ -55,7 +55,6 @@ def interfaces_with_vrf(match): matched.append(name) return matched - def get_config(): conf = Config() vrf_config = deepcopy(default_config_data) @@ -65,6 +64,11 @@ def get_config(): # get all currently effetive VRFs and mark them for deletion vrf_config['vrf_remove'] = conf.list_effective_nodes(cfg_base + ['name']) else: + + # Should services be allowed to bind to all VRFs? + if conf.exists(['bind-to-all']): + vrf_config['bind_to_all'] = 1 + # Determine vrf interfaces (currently effective) - to determine which # vrf interface is no longer present and needs to be removed eff_vrf = conf.list_effective_nodes(cfg_base + ['name']) @@ -121,7 +125,6 @@ def get_config(): vrf_config['vrf_remove'] = tmp return vrf_config - def verify(vrf_config): # ensure VRF is not assigned to any interface for vrf in vrf_config['vrf_remove']: @@ -137,7 +140,6 @@ def verify(vrf_config): return None - def generate(vrf_config): return None 
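Review bot: In get_config the new check `if conf.exists(['bind-to-all']):` uses a bare relative path, while the surrounding calls in the same function prefix the base, e.g. `conf.list_effective_nodes(cfg_base + ['name'])`; unless `conf.set_level(cfg_base)` is called above the hunk (not visible here), this looks for a top-level `bind-to-all` node, never matches, and `bind_to_all` silently stays 0 so the sysctls written in apply() never change. Suggest `if conf.exists(cfg_base + ['bind-to-all']):` to match the rest of the function. A comment on the default-dict entry, `# 0 keeps default-VRF listeners isolated from other VRFs (kernel default)`, would make the fail-safe default explicit. get_config starts and continues outside this hunk.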
@@ -145,8 +147,9 @@ def apply(vrf_config): # https://github.com/torvalds/linux/blob/master/Documentation/networking/vrf.txt # set the default VRF global behaviour - #sysctl('net.ipv4.tcp_l3mdev_accept', command['bind']['ipv4']) - #sysctl('net.ipv4.udp_l3mdev_accept', command['bind']['ipv4']) + bind_all = vrf_config['bind_to_all'] + _cmd(f'sysctl -wq net.ipv4.tcp_l3mdev_accept={bind_all}') + _cmd(f'sysctl -wq net.ipv4.udp_l3mdev_accept={bind_all}') for vrf_name in vrf_config['vrf_remove']: if os.path.isdir(f'/sys/class/net/{vrf_name}'): -- cgit v1.2.3
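Review bot: Writing 1 into `net.ipv4.tcp_l3mdev_accept` and `net.ipv4.udp_l3mdev_accept` makes every socket listening in the default VRF (ssh, bgp, ...) reachable from all VRFs, which is exactly the isolation a management VRF is usually created for; the help string in vrf.xml.in only says `Enable binding services to all VRFs`, so a comment here and a warning in the help text stating that trade-off would help operators, e.g. `# 1 = default-VRF listeners accept connections from every VRF; weakens VRF isolation`. The interpolated value is the 0/1 from the config dict, so the f-string into `_cmd` is safe for this call, but since `_cmd` raises ConfigError on failure, a kernel without l3mdev support (missing sysctl key) will fail the whole commit here rather than in verify(); if that is intended it deserves a comment. apply() continues past the end of this hunk.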