interfaces: T6592: moving an interface between VRF instances failed

To reproduce: set vrf name mgmt table '150' set vrf name no-mgmt table '151' set interfaces ethernet eth2 vrf 'mgmt' commit set interfaces ethernet eth2 vrf no-mgmt commit This resulted in an error while interacting with nftables: [Errno 1] failed to run command: nft add element inet vrf_zones ct_iface_map { "eth2" : 151 } The reason is that the old mapping entry still exists and was not removed. This commit adds a new utility function get_vrf_tableid() and compares the current and new VRF table IDs assigned to an interface. If the IDs do not match, the nftables ct_iface_map entry is removed before the new entry is added. (cherry picked from commit 452068ce78581bb6fba2df4dba197e95b9aeb33d) # Conflicts: # python/vyos/ifconfig/interface.py # python/vyos/utils/network.py
author: Christian Breunig <christian@breunig.cc> 2024-07-20 10:35:44 +0200
committer: Christian Breunig <christian@breunig.cc> 2024-07-20 20:21:07 +0200
commit: 031eebc1ee473196cffe9e4b7b0164444cf88905 (patch)
tree: 8829805685e492b8cc6f3ddd2390adfd39ea8393 /python
parent: 5ae173c05defa1e230552271018133816ca00467 (diff)
download: vyos-1x-031eebc1ee473196cffe9e4b7b0164444cf88905.tar.gz
vyos-1x-031eebc1ee473196cffe9e4b7b0164444cf88905.zip
2 files changed, 34 insertions, 9 deletions
diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py
index fa79395ff..fd4f5b269 100644
--- a/python/vyos/ifconfig/interface.py
+++ b/python/vyos/ifconfig/interface.py
@@ -36,6 +36,7 @@ from vyos.template import render
 from vyos.utils.network import mac2eui64
 from vyos.utils.dict import dict_search
 from vyos.utils.network import get_interface_config
+from vyos.utils.network import get_vrf_tableid
 from vyos.utils.process import is_systemd_service_active
 from vyos.template import is_ipv4
 from vyos.template import is_ipv6
@@ -387,25 +388,33 @@ class Interface(Control):
         cmd = 'ip link del dev {ifname}'.format(**self.config)
         return self._cmd(cmd)
 
-    def _set_vrf_ct_zone(self, vrf):
+    def _set_vrf_ct_zone(self, vrf, old_vrf_tableid=None):
         """
         Add/Remove rules in nftables to associate traffic in VRF to an
         individual conntack zone
         """
+
+        def nft_check_and_run(nft_command):
+            # Check if deleting is possible first to avoid raising errors
+            _, err = self._popen(f'nft --check {nft_command}')
+            if not err:
+                # Remove map element
+                self._cmd(f'nft {nft_command}')
+
         if vrf:
             # Get routing table ID for VRF
-            vrf_table_id = get_interface_config(vrf).get('linkinfo', {}).get(
-                'info_data', {}).get('table')
+            vrf_table_id = get_vrf_tableid(vrf)
             # Add map element with interface and zone ID
             if vrf_table_id:
+                # delete old table ID from nftables if it has changed, e.g. interface moved to a different VRF
+                if old_vrf_tableid and old_vrf_tableid != int(vrf_table_id):
+                    nft_del_element = f'delete element inet vrf_zones ct_iface_map {{ "{self.ifname}" }}'
+                    nft_check_and_run(nft_del_element)
+
                 self._cmd(f'nft add element inet vrf_zones ct_iface_map {{ "{self.ifname}" : {vrf_table_id} }}')
         else:
             nft_del_element = f'delete element inet vrf_zones ct_iface_map {{ "{self.ifname}" }}'
-            # Check if deleting is possible first to avoid raising errors
-            _, err = self._popen(f'nft --check {nft_del_element}')
-            if not err:
-                # Remove map element
-                self._cmd(f'nft {nft_del_element}')
+            nft_check_and_run(nft_del_element)
 
     def get_min_mtu(self):
         """
@@ -559,8 +568,11 @@ class Interface(Control):
         if tmp == vrf:
             return None
 
+        # Get current VRF table ID
+        old_vrf_tableid = get_vrf_tableid(self.ifname)
         self.set_interface('vrf', vrf)
-        self._set_vrf_ct_zone(vrf)
+        self._set_vrf_ct_zone(vrf, old_vrf_tableid)
+        return True
 
     def set_arp_cache_tmo(self, tmo):
         """
diff --git a/python/vyos/utils/network.py b/python/vyos/utils/network.py
index a3bd5c58f..8befe370f 100644
--- a/python/vyos/utils/network.py
+++ b/python/vyos/utils/network.py
@@ -70,6 +70,19 @@ def get_interface_vrf(interface):
         return tmp['master']
     return 'default'
 
+def get_vrf_tableid(interface: str):
+    """ Return VRF table ID for given interface name or None """
+    from vyos.utils.dict import dict_search
+    table = None
+    tmp = get_interface_config(interface)
+    # Check if we are "the" VRF interface
+    if dict_search('linkinfo.info_kind', tmp) == 'vrf':
+        table = tmp['linkinfo']['info_data']['table']
+    # or an interface bound to a VRF
+    elif dict_search('linkinfo.info_slave_kind', tmp) == 'vrf':
+        table = tmp['linkinfo']['info_slave_data']['table']
+    return table
+
 def get_interface_config(interface):
     """ Returns the used encapsulation protocol for given interface.
         If interface does not exist, None is returned.
author	Christian Breunig <christian@breunig.cc>	2024-07-20 10:35:44 +0200
committer	Christian Breunig <christian@breunig.cc>	2024-07-20 20:21:07 +0200
commit	031eebc1ee473196cffe9e4b7b0164444cf88905 (patch)
tree	8829805685e492b8cc6f3ddd2390adfd39ea8393 /python
parent	5ae173c05defa1e230552271018133816ca00467 (diff)
download	vyos-1x-031eebc1ee473196cffe9e4b7b0164444cf88905.tar.gz vyos-1x-031eebc1ee473196cffe9e4b7b0164444cf88905.zip