summaryrefslogtreecommitdiff
path: root/src/conf_mode/vrf.py
AgeCommit message (Collapse)Author
2024-07-26vrf: T6603: improve code runtime when retrieving info from nftables vrf zoneChristian Breunig
2024-07-26vrf: T6603: conntrack ct_iface_map must only contain one entry for ↵Christian Breunig
iifname/oifname When any of the following features NAT, NAT66 or Firewall is enabled, for every VRF on the CLI we install one rule into nftables for conntrack: chain vrf_zones_ct_in { type filter hook prerouting priority raw; policy accept; counter packets 3113 bytes 32227 ct original zone set iifname map @ct_iface_map counter packets 8550 bytes 80739 ct original zone set iifname map @ct_iface_map counter packets 5644 bytes 67697 ct original zone set iifname map @ct_iface_map } This is superfluous.
2024-07-21vrf: T6592: remove unused import get_interface_configChristian Breunig
Remove unused import (left over) from commit 36f3791e0 ("utils: migrate to new get_vrf_tableid() helper")
2024-07-20utils: migrate to new get_vrf_tableid() helperChristian Breunig
Commit 452068ce7 ("interfaces: T6592: moving an interface between VRF instances failed") introduced a new helper to retrieve the VRF table ID from the Kernel. This commit migrates the old code path where the individual fields got queried to the new helper vyos.utils.network.get_vrf_tableid().
2024-05-01vrf: T6189: render FRR L3VNI configuration when creating VRF instanceChristian Breunig
When adding and removing VRF instances on the fly it was noticed that the vni statement under the VRF instance in FRR vanishes. This was caused by a race condition which was previously designed to fix another bug. The wierd design of a Python helper below the VRF tree to only generate the VNI configuration nodes is now gone and all is rendered in the proper place.
2024-04-18T6221: Return default ip rule values after deleting VRFViacheslav Hletenko
Fix for restoring default ip rule values after deleting VRF Defult values: ``` $ ip rule 0: from all lookup local 32766: from all lookup main 32767: from all lookup default ``` After adding and deleting a VRF we get unexpected values: ``` $ ip rule 1000: from all lookup [l3mdev-table] 2000: from all lookup [l3mdev-table] unreachable 32765: from all lookup local 32766: from all lookup main 32767: from all lookup default ```
2024-04-01vrf: T3655: always use full nft command name (e.g. --check over -c)Christian Breunig
2024-02-27vrf: conntrack: T6073: Populate VRF zoning chains only while conntrack is ↵sarthurdev
required
2024-02-07vrf: T5973: module is now statically compiled into the kernelChristian Breunig
Always enable VRF strict_mode
2024-01-22vrf: T5973: fix has_rule() to check for l3mdev ruleChristian Breunig
A code path was missing to check if only priority is available in the result of "ip --json -4 rule show", in the case of l3mdev it's a dedicated key!
2024-01-22vrf: T5973: move initial conntrack firewall table to startupChristian Breunig
There is no need to add and remove this table during runtime - it can lurk in the standard firewall init code.
2024-01-22vrf: T5973: ensure Kernel module is loadedChristian Breunig
This prevents the following error when configuring the first VRF: sysctl: cannot stat /proc/sys/net/vrf/strict_mode: No such file or directory
2023-12-20vrf: T591: define sysctl setting for net.vrf.strict_modeChristian Breunig
Enable/Disable VRF strict mode, when net.vrf.strict_mode=0 (default) it is possible to associate multiple VRF devices to the same table. Conversely, when net.vrf.strict_mode=1 a table can be associated to a single VRF device. A VRF table can be used by the VyOS CLI only once (ensured by verify()), this simply adds an additional Kernel safety net, but a requirement for IPv6 segment routing headers.
2023-08-23vrf: T5428: stop DHCP processes on VRf removalChristian Breunig
This is a workaround for the priority inversion from T5492 ("CLI node priority is not inversed on node deletion"). As this is a corner case bug that's only triggered if an interface is removed from a VRF and also the VRF is removed in one commit, priorities are not honored. Thus we implement this workaround which stop the DHCP(v6) client processes on the VRF associated interfaces to get out the DHCP RELEASE message before interfaces are shut down.
2023-08-23vrf: T5428: move helpers to common vyos.utils.network moduleChristian Breunig
Helper functions can and will be re-use din different code places.
2023-07-14T5195: vyos.util -> vyos.utils package refactoring (#2093)Christian Breunig
* T5195: move run, cmd, call, rc_cmd helper to vyos.utils.process * T5195: use read_file and write_file implementation from vyos.utils.file Changed code automatically using: find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import read_file$/from vyos.utils.file import read_file/g' {} + find . -type f -not -path '*/\.*' -exec sed -i 's/^from vyos.util import write_file$/from vyos.utils.file import write_file/g' {} + * T5195: move chmod* helpers to vyos.utils.permission * T5195: use colon_separated_to_dict from vyos.utils.dict * T5195: move is_systemd_service_* to vyos.utils.process * T5195: fix boot issues with missing imports * T5195: move dict_search_* helpers to vyos.utils.dict * T5195: move network helpers to vyos.utils.network * T5195: move commit_* helpers to vyos.utils.commit * T5195: move user I/O helpers to vyos.utils.io
2023-07-12T5195: drop sysctl_* implementation from vyos.util - prefer vyos.utils.systemChristian Breunig
2023-04-26vrf: T5174: ensure no duplicate VNIs can be definedChristian Breunig
2023-04-13T5150: initial VRF support for Kernel/Zebra route-map filteringChristian Breunig
2023-01-06static: T4883: fix KeyError: 'table'Christian Poessinger
Commit dafb0da2 ("static: T4883: add a description field for routing tables") added an iproute2 description table but lacked checking if the key exists. This has been fixed and also converted to Jinja2 to keep the "common" style inside the routing protocols. It might feel overengineered indeed.
2022-07-12vrf: T4527: Prevent to create VRF with reserved namesViacheslav Hletenko
VRF names: "add, all, broadcast, default, delete, dev, get, inet, mtu, link, type, vrf" are reserved and cannot be used for vrf name
2022-05-07vrf: T4419: support to disable IP forwarding within a given VRFChristian Poessinger
2022-05-01vrf: T4353: fix Jinja2 linting errorsChristian Poessinger
2022-04-07ipv6: T4346: delete (migrate) CLI command to disable IPv6 address familyChristian Poessinger
2022-03-30vrf: T4319: do not add IPv6 localhost address if IPv6 is disabledChristian Poessinger
2022-03-25vyos.util: T4319: rename sysctl() -> sysctl_write()Christian Poessinger
2022-02-13vrf: T4191: bugfix for "ip rule" when VRFs are createdChristian Poessinger
We always mangled and worked on the "ip rule" singleton even when nothing needed to be changed. This resulted in a VRF hickup when the same VRF was added and removed multiple times. set interfaces ethernet eth1 vrf foo set vrf name foo table '1000' commit delete interfaces ethernet eth1 vrf delete vrf commit set interfaces ethernet eth1 vrf foo set vrf name foo table '1000' commit broke reachability on eth1 - a reboot was required. This change will now only alter the ip rule tables once when VRF instances are created for the first time and will not touch the Kernel "ip rule" representation afterwards.
2021-11-15vrf: T3655: remove superfluous import of NamedTemporaryFileChristian Poessinger
2021-08-13vrf: T3734: T3728: vni must be configured with a higher priority then bgpdChristian Poessinger
When removing bgp (vrf) instances the assigned VRF vni must be deleted from FRR prior the removal of the bgp settings (T3734). This is now done by moving the CLI command "set vrf name red vni 1000" to a dedicated Python script with a priority higher then bgp.
2021-08-06frr: T3694: temporary disable VRF VNI assignmentChristian Poessinger
Somehow we hit a priority inversion here as we need to remove the VRF assigned VNI before we can remove a BGP bound VRF instance. Maybe move this to an individual helper script that set's up the VNI for the given VRF after any routing protocol (in our case this was triggered by running "make testc" when building an ISO image by the bgp-rpki config).
2021-08-06frr: T2175: remove no longer required loop when removing VRF VNIChristian Poessinger
This is a completing commit to a55585a833 ("frr: T2175: remove no longer required loop when removing routing protocols") that was missed out previously.
2021-07-19vrf: T3655: fix potential error when removing VRF connection tracking tableChristian Poessinger
This extends commit 22791e26 ("VRF: T3655: proper connection tracking for VRFs") so that when the netfilter table is removed, we first check if it exists at all, and if it does not exist we do not remove it. This fixes the smoketest error: PermissionError: [Errno 1] failed to run command: nft delete table inet vrf_zones
2021-07-17VRF: T3655: proper connection tracking for VRFszsdc
Currently, all VRFs share the same connection tracking table, which can lead to problems: - traffic leaks to a wrong VRF - improper NAT rules handling when multiple VRFs contain the same IP networks - stateful firewall rules issues The commit implements connection tracking zones support. Each VRF utilizes its own zone, so connections will never mix up. It also adds some restrictions to VRF names and assigned table numbers, because of nftables and conntrack requirements: - VRF name should always start from a letter (interfaces that start from numbers are not supported in nftables rules) - table number must be in the 100-65535 range because conntrack supports only 65535 zones
2021-06-20vrf: T3637: bind-to-all didn't work properlyDate Huang
because of typo change from `bind_to_all` to `bind-to-all` refer: interface-definitions/vrf.xml.in
2021-04-07vrf: T3344: re-add virtual network identifierChristian Poessinger
Commit 548d9057e3e (vrf: T3344: move dynamic routing protocols under "vrf name <name> protocols") temporary removed the possibility to specify the VNI for a given VRF to to changing of the CLI configuration nodes. As VNI is set inside zebra, we can re-use the now widely deployed frr python library to configure and change the configuration without any interference to other FRR daemons.
2021-03-17vrf: T31: ignore iproute2 errorsChristian Poessinger
Re-issuing the same iproute2 commands can lead to errors, simply ignore them and not raise a Python exception.
2021-01-16vrf: T31: add support for - and _ in VRF namesChristian Poessinger
2021-01-16vrf: T31: migrate to get_config_dict()Christian Poessinger
2021-01-02vrf: T2321: assign loopback IP addresses to individual VRF interfacesChristian Poessinger
47: bar: <NOARP,MASTER,UP,LOWER_UP> mtu 65536 qdisc noqueue state UP group default qlen 1000 link/ether 76:7d:c0:53:6d:89 brd ff:ff:ff:ff:ff:ff inet 127.0.0.1/8 scope host bar valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever
2020-08-31configd: T2582: add scripts to include list for daemonJohn Estabrook
2020-07-04cleanup: no need to call sudo for configuration mode scriptsChristian Poessinger
2020-07-01config: T2667: adapt for refinements to get_config_dictJohn Estabrook
2020-05-29airbag: T2088: explicit enabling of the featureThomas Mangin
airbag must now be explicitly installed. the patch also allow to fully disables the installation of the logging code at setup (and not just installing and doing nothing)
2020-04-12template: T2230: use render to generate templatesThomas Mangin
convert all call to jinja to use template.render
2020-04-08vrf: add additional documentation linkChristian Poessinger
2020-04-06util: T2206: rewrite vrf to cmdThomas Mangin
2020-04-05vrf: T2230: move inlined templates to dedicated filesChristian Poessinger
2020-04-04vrf: T2221: when deleting vrf also delete unreachable routeChristian Poessinger
If the unreachable routes for IPv4 and IPv6 are not deleted, there will be an error when creating the same VRF again after removal. Error changing VRF: Command '['sudo', 'ip', '-4', 'route', 'del', 'vrf', 'Blue', 'unreachable', 'default', 'metric', '4278198272']' returned non-zero exit status 2.
2020-04-04vrf: T2221: only set l3mdev when changedChristian Poessinger
2020-03-29vrf: T31: bugfix after converting remove list to dictChristian Poessinger
The list of VRFs to remove has been converted to a dict. The deletion of a VRF was no longer triggered as the logic still thought it is a list.