ifconfig: T2653: bond: bridge: ensure member interface is not a source-interface

As we already check that a bond/bridge member interface is not a member of any
other bridge or bond, the check must be extended. We also need to ensure that
the bond member interface is not used as a source-interface to pppoe, macsec,
tunnel, pseudo-ethernet, vxlan interfaces.

4 files changed, 76 insertions, 2 deletions

diff --git a/python/vyos/configdict.py b/python/vyos/configdict.py
index 4a4a767f3..58ecd3f17 100644
--- a/python/vyos/configdict.py
+++ b/python/vyos/configdict.py
@@ -228,6 +228,41 @@ def is_member(conf, interface, intftype=None):
     old_level = conf.set_level(old_level)
     return ret_val
 
+def is_source_interface(conf, interface, intftype=None):
+    """
+    Checks if passed interface is configured as source-interface of other
+    interfaces of specified type. intftype is optional, if not passed it will
+    search all known types (currently pppoe, macsec, pseudo-ethernet, tunnel
+    and vxlan)
+
+    Returns:
+    None -> Interface is not a member
+    interface name -> Interface is a member of this interface
+    False -> interface type cannot have members
+    """
+    ret_val = None
+    intftypes = ['macsec', 'pppoe', 'pseudo-ethernet', 'tunnel', 'vxlan']
+    if intftype not in intftypes + [None]:
+        raise ValueError(f'unknown interface type "{intftype}" or it can not '
+            'have a source-interface')
+
+    intftype = intftypes if intftype == None else [intftype]
+
+    # set config level to root
+    old_level = conf.get_level()
+    conf.set_level([])
+
+    for it in intftype:
+        base = ['interfaces', it]
+        for intf in conf.list_nodes(base):
+            lower_intf = base + [intf, 'source-interface']
+            if conf.exists(lower_intf) and interface in conf.return_values(lower_intf):
+                ret_val = intf
+                break
+
+    old_level = conf.set_level(old_level)
+    return ret_val
+
 def get_interface_dict(config, base, ifname=''):
     """
     Common utility function to retrieve and mandgle the interfaces available
@@ -284,6 +319,17 @@ def get_interface_dict(config, base, ifname=''):
     bond = is_member(config, ifname, 'bonding')
     if bond: dict.update({'is_bond_member' : bond})
 
+    # Some interfaces come with a source_interface which must also not be part
+    # of any other bond or bridge interface as it is exclusivly assigned as the
+    # Kernels "lower" interface to this new "virtual/upper" interface.
+    if 'source_interface' in dict:
+        # Check if source interface is member of another bridge
+        tmp = is_member(config, dict['source_interface'], 'bridge')
+        if tmp: dict.update({'source_interface_is_bridge_member' : tmp})
+
+        # Check if source interface is member of another bridge
+        tmp = is_member(config, dict['source_interface'], 'bonding')
+        if tmp: dict.update({'source_interface_is_bond_member' : tmp})
 
     mac = leaf_node_changed(config, ['mac'])
     if mac: dict.update({'mac_old' : mac})
diff --git a/python/vyos/configverify.py b/python/vyos/configverify.py
index 7e1930878..bf4e26fa7 100644
--- a/python/vyos/configverify.py
+++ b/python/vyos/configverify.py
@@ -82,9 +82,20 @@ def verify_source_interface(config):
     if 'source_interface' not in config:
         raise ConfigError('Physical source-interface required for '
                           'interface "{ifname}"'.format(**config))
+
     if config['source_interface'] not in interfaces():
-        raise ConfigError('Source interface {source_interface} does not '
-                          'exist'.format(**config))
+        raise ConfigError('Specified source-interface {source_interface} does '
+                          'not exist'.format(**config))
+
+    if 'source_interface_is_bridge_member' in config:
+        raise ConfigError('Invalid source-interface {source_interface}. Interface '
+                          'is already a member of bridge '
+                          '{source_interface_is_bridge_member}'.format(**config))
+
+    if 'source_interface_is_bond_member' in config:
+        raise ConfigError('Invalid source-interface {source_interface}. Interface '
+                          'is already a member of bond '
+                          '{source_interface_is_bond_member}'.format(**config))
 
 def verify_dhcpv6(config):
     """
diff --git a/src/conf_mode/interfaces-bonding.py b/src/conf_mode/interfaces-bonding.py
index 5ac4feb77..aece2a04b 100755
--- a/src/conf_mode/interfaces-bonding.py
+++ b/src/conf_mode/interfaces-bonding.py
@@ -23,6 +23,7 @@ from vyos.config import Config
 from vyos.configdict import get_interface_dict
 from vyos.configdict import leaf_node_changed
 from vyos.configdict import is_member
+from vyos.configdict import is_source_interface
 from vyos.configverify import verify_address
 from vyos.configverify import verify_bridge_delete
 from vyos.configverify import verify_dhcpv6
@@ -110,6 +111,10 @@ def get_config(config=None):
             if tmp and tmp != bond['ifname']:
                 interface_config.update({'is_bond_member' : tmp})
 
+            # Check if member interface is used as source-interface on another interface
+            tmp = is_source_interface(conf, interface)
+            if tmp: interface_config.update({'is_source_interface' : tmp})
+
             # bond members must not have an assigned address
             tmp = has_address_configured(conf, interface)
             if tmp: interface_config.update({'has_address' : ''})
@@ -162,6 +167,10 @@ def verify(bond):
                 tmp = interface_config['is_bond_member']
                 raise ConfigError(error_msg + f'it is already a member of bond "{tmp}"!')
 
+            if 'is_source_interface' in interface_config:
+                tmp = interface_config['is_source_interface']
+                raise ConfigError(error_msg + f'it is the source-interface of "{tmp}"!')
+
             if 'has_address' in interface_config:
                 raise ConfigError(error_msg + 'it has an address assigned!')
 
diff --git a/src/conf_mode/interfaces-bridge.py b/src/conf_mode/interfaces-bridge.py
index 3bddac023..485decb17 100755
--- a/src/conf_mode/interfaces-bridge.py
+++ b/src/conf_mode/interfaces-bridge.py
@@ -23,6 +23,7 @@ from vyos.config import Config
 from vyos.configdict import get_interface_dict
 from vyos.configdict import node_changed
 from vyos.configdict import is_member
+from vyos.configdict import is_source_interface
 from vyos.configverify import verify_dhcpv6
 from vyos.configverify import verify_vrf
 from vyos.ifconfig import BridgeIf
@@ -80,6 +81,9 @@ def get_config(config=None):
             tmp = is_member(conf, interface, 'bonding')
             if tmp: interface_config.update({'is_bond_member' : tmp})
 
+            # Check if member interface is used as source-interface on another interface
+            tmp = is_source_interface(conf, interface)
+            if tmp: interface_config.update({'is_source_interface' : tmp})
 
             # Bridge members must not have an assigned address
             tmp = has_address_configured(conf, interface)
@@ -112,6 +116,10 @@ def verify(bridge):
                 tmp = interface_config['is_bond_member']
                 raise ConfigError(error_msg + f'it is already a member of bond "{tmp}"!')
 
+            if 'is_source_interface' in interface_config:
+                tmp = interface_config['is_source_interface']
+                raise ConfigError(error_msg + f'it is the source-interface of "{tmp}"!')
+
             if 'has_address' in interface_config:
                 raise ConfigError(error_msg + 'it has an address assigned!')