author | Christian Poessinger <christian@poessinger.com> | 2020-03-04 19:53:58 +0100 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2020-03-04 21:45:41 +0100 |
commit | 93f7ae7f1ed1e218ef64d2582d11ac0ed769a438 (patch) | |
tree | 9ec8c29b220496481e90a23265221f8632e48a92 | |
parent | 5bf9dfd17096af6e7cf06e8e20eb16e8e55b9177 (diff) | |
vrf: T31: rename 'vrf disable-bind-to-all ipv4' to 'vrf bind-to-all'
By default the scope of the port bindings for unbound sockets is limited to the
default VRF. That is, it will not be matched by packets arriving on interfaces
enslaved to an l3mdev and processes may bind to the same port if they bind to
an l3mdev.
TCP & UDP services running in the default VRF context (i.e., not bound to any
VRF device) can work across all VRF domains by enabling the 'vrf bind-to-all'
option.
-rw-r--r-- | interface-definitions/vrf.xml.in | 15 | ||||
-rwxr-xr-x | src/conf_mode/vrf.py | 15 |
2 files changed, 13 insertions, 17 deletions
diff --git a/interface-definitions/vrf.xml.in b/interface-definitions/vrf.xml.in
index a6c67e9dd..f1895598e 100644
--- a/interface-definitions/vrf.xml.in
+++ b/interface-definitions/vrf.xml.in
@@ -7,19 +7,12 @@
 <priority>210</priority>
 </properties>
 <children>
- <node name="disable-bind-to-all">
+ <leafNode name="bind-to-all">
 <properties>
- <help>Disable services running on the default VRF from other VRF (ssh, bgp, ...)</help>
+ <help>Enable binding services to all VRFs</help>
+ <valueless/>
 </properties>
- <children>
- <leafNode name="ipv4">
- <properties>
- <valueless/>
- <help>Enable binding across all VRF domains for IPv4</help>
- </properties>
- </leafNode>
- </children>
- </node>
+ </leafNode>
 <tagNode name="name">
 <properties>
 <help>VRF instance name</help>
diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py
index ad2b72a5b..e31285dde 100755
--- a/src/conf_mode/vrf.py
+++ b/src/conf_mode/vrf.py
@@ -24,6 +24,7 @@ from vyos.configdict import list_diff
 from vyos import ConfigError
 default_config_data = {
+ 'bind_to_all': 0,
 'deleted': False,
 'vrf_add': [],
 'vrf_existing': [],
@@ -40,7 +41,6 @@ def _cmd(command):
 pass
 raise ConfigError(f'Error operationg on VRF: {e}')
-
 def interfaces_with_vrf(match):
 matched = []
 config = Config()
@@ -55,7 +55,6 @@ def interfaces_with_vrf(match):
 matched.append(name)
 return matched
-
 def get_config():
 conf = Config()
 vrf_config = deepcopy(default_config_data)
@@ -65,6 +64,11 @@ def get_config():
 # get all currently effetive VRFs and mark them for deletion
 vrf_config['vrf_remove'] = conf.list_effective_nodes(cfg_base + ['name'])
 else:
+
+ # Should services be allowed to bind to all VRFs?
+ if conf.exists(['bind-to-all']):
+ vrf_config['bind_to_all'] = 1
+
 # Determine vrf interfaces (currently effective) - to determine which
 # vrf interface is no longer present and needs to be removed
 eff_vrf = conf.list_effective_nodes(cfg_base + ['name'])
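Review bot: The configuration path changes from `vrf disable-bind-to-all ipv4` to `vrf bind-to-all`, yet the diffstat lists only the two files, so a saved configuration that still contains the old path would presumably fail to load after an upgrade unless a migration script exists outside this commit; worth confirming. If the old option never had an effect (the sysctl calls it fed are commented out in the removed lines of src/conf_mode/vrf.py), a sentence in the commit message saying so would explain why no migration is needed. The help text could also state the consequence rather than only the mechanism, e.g. `<help>Allow services in the default VRF to accept connections from all VRFs</help>`, since enabling it widens which VRFs can reach default-VRF listeners.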
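Review bot: `if conf.exists(['bind-to-all']):` looks the node up relative to the configuration root, while the neighbouring calls in the same hunk address the subtree as `cfg_base + ['name']`; unless `conf.set_level(cfg_base)` is called earlier in get_config (not visible here), the check should read `if conf.exists(cfg_base + ['bind-to-all']):`, otherwise `bind_to_all` can never become 1 and apply() always writes the sysctls as 0. get_config() starts before and continues after this hunk.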
@@ -121,7 +125,6 @@ def get_config():
 vrf_config['vrf_remove'] = tmp
 return vrf_config
-
 def verify(vrf_config):
 # ensure VRF is not assigned to any interface
 for vrf in vrf_config['vrf_remove']:
@@ -137,7 +140,6 @@ def verify(vrf_config):
 return None
-
 def generate(vrf_config):
 return None
@@ -145,8 +147,9 @@ def apply(vrf_config):
 # https://github.com/torvalds/linux/blob/master/Documentation/networking/vrf.txt
 # set the default VRF global behaviour
- #sysctl('net.ipv4.tcp_l3mdev_accept', command['bind']['ipv4'])
- #sysctl('net.ipv4.udp_l3mdev_accept', command['bind']['ipv4'])
+ bind_all = vrf_config['bind_to_all']
+ _cmd(f'sysctl -wq net.ipv4.tcp_l3mdev_accept={bind_all}')
+ _cmd(f'sysctl -wq net.ipv4.udp_l3mdev_accept={bind_all}')
 for vrf_name in vrf_config['vrf_remove']:
 if os.path.isdir(f'/sys/class/net/{vrf_name}'): |
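Review bot: Setting `net.ipv4.tcp_l3mdev_accept` and `net.ipv4.udp_l3mdev_accept` to 1 lets every listener in the default VRF accept traffic that arrives through any VRF, which removes the separation a dedicated management VRF is usually configured for; the code should say so next to the assignment, e.g. `# 1 = default-VRF listeners (ssh, bgp, ...) also accept connections from every other VRF; weakens VRF isolation`. Writing both sysctls unconditionally is the right call, since it resets the kernel to 0 when the option is removed from the configuration. `bind_all` only ever holds the 0 from default_config_data or the 1 set in get_config, so the interpolated command string is not shaped by user input. apply() continues outside the hunk.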