#!/usr/bin/env python3
#
# Copyright (C) 2019-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from sys import exit
from vyos.base import Warning
from vyos.config import Config
from vyos.configdict import get_interface_dict
from vyos.configdict import leaf_node_changed
from vyos.configdict import is_node_changed
from vyos.configdict import node_changed
from vyos.configverify import verify_address
from vyos.configverify import verify_bridge_delete
from vyos.configverify import verify_mtu_ipv6
from vyos.configverify import verify_mirror_redirect
from vyos.configverify import verify_source_interface
from vyos.configverify import verify_bond_bridge_member
from vyos.ifconfig import Interface
from vyos.ifconfig import VXLANIf
from vyos.template import is_ipv6
from vyos.utils.dict import dict_search
from vyos.utils.network import interface_exists
from vyos import ConfigError
from vyos import airbag
# Enable vyos.airbag's unhandled-exception reporting before any real work starts
airbag.enable()
def get_config(config=None):
    """
    Retrieve the VXLAN interface CLI configuration as a dictionary.

    The returned dictionary is never empty: it always carries at least the
    interface name, or a ``deleted`` flag when the interface is being removed.

    Keys added on top of the generic interface dictionary:

    * ``rebuild_required`` - present when an option that can not be changed on
      a live kernel device was modified, so the tunnel has to be recreated.
    * ``vlan_to_vni_removed`` - VLAN IDs whose VNI mapping was removed, in the
      same shape as ``vlan_to_vni`` but holding the previous VNI values.
    * ``other_tunnels`` - configuration of every other VXLAN interface (only
      present when there is at least one), needed by verify() to enforce the
      kernel's "external" mode restrictions.

    Args:
        config: an existing Config session to reuse; a new one is opened when
            omitted.
    """
    conf = config if config else Config()
    base = ['interfaces', 'vxlan']
    ifname, vxlan = get_interface_dict(conf, base)

    # Only these options force the kernel device to be recreated; changes to
    # e.g. description or addresses are applied in place.
    rebuild_options = ('parameters', 'gpe', 'group', 'port', 'remote',
                       'source-address', 'source-interface', 'vni')
    if any(is_node_changed(conf, base + [ifname, option])
           for option in rebuild_options):
        vxlan['rebuild_required'] = {}

    # VNI filtering needs to know which VNIs were actually removed, so build a
    # dict mirroring vlan_to_vni but populated from the previous values.
    removed_vlans = node_changed(conf, base + [ifname, 'vlan-to-vni'],
                                 recursive=True)
    if removed_vlans:
        vxlan['vlan_to_vni_removed'] = {
            vlan: {'vni': leaf_node_changed(
                conf, base + [ifname, 'vlan-to-vni', vlan, 'vni'])[0]}
            for vlan in removed_vlans
        }

    # The kernel limits how many VXLAN devices may use "external" mode, so
    # verify() must be able to see every other configured tunnel.
    conf.set_level(base)
    other_tunnels = conf.get_config_dict([], key_mangling=('-', '_'),
                                         get_first_key=True,
                                         no_tag_node_value_mangle=True)
    # Only siblings are of interest - drop this interface's own entry
    other_tunnels.pop(vxlan['ifname'], None)
    if other_tunnels:
        vxlan['other_tunnels'] = other_tunnels
    return vxlan
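def verify(vxlan):
    """
    Validate the VXLAN interface configuration built by get_config().

    Args:
        vxlan: interface configuration dictionary as returned by get_config().

    Returns:
        None. Non-fatal findings are reported through Warning().

    Raises:
        ConfigError: when the configuration can not be applied.
    """
    if 'deleted' in vxlan:
        verify_bridge_delete(vxlan)
        return None

    if int(vxlan['mtu']) < 1500:
        Warning('RFC7348 recommends VXLAN tunnels preserve a 1500 byte MTU')

    if 'group' in vxlan:
        if 'source_interface' not in vxlan:
            raise ConfigError('Multicast VXLAN requires an underlaying interface')
        verify_source_interface(vxlan)

    if not any(key in vxlan for key in
               ('group', 'remote', 'source_address', 'source_interface')):
        raise ConfigError('Group, remote, source-address or source-interface must be configured')

    # "external" is a child of the "parameters" node, never a top-level key
    external = dict_search('parameters.external', vxlan) is not None

    if 'vni' not in vxlan and not external:
        raise ConfigError('Must either configure VXLAN "vni" or use "external" CLI option!')

    if external:
        if 'vni' in vxlan:
            raise ConfigError('Can not specify both "external" and "VNI"!')

        if 'other_tunnels' in vxlan:
            # When multiple VXLAN interfaces are defined and "external" is used,
            # all VXLAN interfaces need to have vni-filter enabled!
            # See Linux Kernel commit f9c4bb0b245cee35ef66f75bf409c9573d934cf9
            other_vni_filter = any(
                dict_search('parameters.vni_filter', tunnel_config) is not None
                for tunnel_config in vxlan['other_tunnels'].values())
            vni_filter = dict_search('parameters.vni_filter', vxlan) is not None

            # If either one is enabled, so must be the other. Both can be off
            # and both can be on.
            if vni_filter != other_vni_filter:
                raise ConfigError('Using multiple VXLAN interfaces with "external" '
                                  'requires all VXLAN interfaces to have "vni-filter" configured!')

            if not vni_filter and not other_vni_filter:
                other_tunnels = ', '.join(vxlan['other_tunnels'])
                raise ConfigError('Only one VXLAN tunnel is supported when "external" '
                                  'CLI option is used and "vni-filter" is unset. '
                                  f'Additional tunnels: {other_tunnels}')

    # GPE needs "external" mode. The flag lives under "parameters" (see the
    # checks above); testing for a top-level 'external' key would always fail
    # and reject every GPE configuration.
    if 'gpe' in vxlan and not external:
        raise ConfigError('VXLAN-GPE is only supported when "external" '
                          'CLI option is used.')

    if 'source_interface' in vxlan:
        # VXLAN adds at least an overhead of 50 byte - we need to check the
        # underlaying device if our VXLAN package is not going to be fragmented!
        vxlan_overhead = 50
        if 'source_address' in vxlan and is_ipv6(vxlan['source_address']):
            # IPv6 adds an extra 20 bytes overhead because the IPv6 header is 20
            # bytes larger than the IPv4 header - assuming no extra options are
            # in use.
            vxlan_overhead += 20
        # If source_address is not used - check IPv6 'remote' list
        elif 'remote' in vxlan:
            if any(is_ipv6(a) for a in vxlan['remote']):
                vxlan_overhead += 20

        lower_mtu = Interface(vxlan['source_interface']).get_mtu()
        if lower_mtu < (int(vxlan['mtu']) + vxlan_overhead):
            raise ConfigError(f'Underlaying device MTU is to small ({lower_mtu} '
                              f'bytes) for VXLAN overhead ({vxlan_overhead} bytes!)')

    # The underlay must be either all IPv4 or all IPv6 (source address and
    # every remote)
    protocol = None
    if 'source_address' in vxlan:
        protocol = 'ipv6' if is_ipv6(vxlan['source_address']) else 'ipv4'
    for remote in vxlan.get('remote', []):
        remote_protocol = 'ipv6' if is_ipv6(remote) else 'ipv4'
        if protocol is not None and protocol != remote_protocol:
            raise ConfigError('Can not mix both IPv4 and IPv6 for VXLAN underlay')
        protocol = remote_protocol

    if 'vlan_to_vni' in vxlan:
        if 'is_bridge_member' not in vxlan:
            raise ConfigError('VLAN to VNI mapping requires that VXLAN interface '
                              'is member of a bridge interface!')

        # Every VNI may be mapped to at most one VLAN
        vnis_used = set()
        for vif, vif_config in vxlan['vlan_to_vni'].items():
            if 'vni' not in vif_config:
                raise ConfigError(f'Must define VNI for VLAN "{vif}"!')
            vni = vif_config['vni']
            if vni in vnis_used:
                raise ConfigError(f'VNI "{vni}" is already assigned to a different VLAN!')
            vnis_used.add(vni)

    if dict_search('parameters.neighbor_suppress', vxlan) is not None:
        if 'is_bridge_member' not in vxlan:
            raise ConfigError('Neighbor suppression requires that VXLAN interface '
                              'is member of a bridge interface!')

    verify_mtu_ipv6(vxlan)
    verify_address(vxlan)
    verify_bond_bridge_member(vxlan)
    verify_mirror_redirect(vxlan)

    # We use a defaultValue for port, thus it's always safe to use
    if vxlan['port'] == '8472':
        Warning('Starting from VyOS 1.4, the default port for VXLAN '
                'has been changed to 4789. This matches the IANA assigned '
                'standard port number!')

    return None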
def generate(vxlan):
    """
    No-op generate stage.

    Nothing is generated for VXLAN interfaces; the function exists so the
    script keeps the usual get_config/verify/generate/apply layout.

    Args:
        vxlan: interface configuration dictionary (unused).

    Returns:
        None.
    """
    return None
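def apply(vxlan):
    """
    Apply the verified configuration to the kernel VXLAN device.

    Most VXLAN attributes can not be changed on a live device, so whenever
    get_config() flagged ``rebuild_required`` - or the interface is being
    deleted - an existing device is removed first. Unless the interface was
    deleted it is then (re)created and configured from *vxlan*.

    Args:
        vxlan: interface configuration dictionary as returned by get_config().

    Returns:
        None.
    """
    # A removed interface is marked with the key 'deleted' (the same key
    # verify() and the creation guard below test). The previous 'delete' key
    # is never set, so the removal branch was only reached when
    # 'rebuild_required' happened to be present as well.
    if 'rebuild_required' in vxlan or 'deleted' in vxlan:
        if interface_exists(vxlan['ifname']):
            # VXLAN is super picky and the tunnel always needs to be recreated,
            # thus we can simply always delete it first.
            VXLANIf(**vxlan).remove()

    if 'deleted' not in vxlan:
        # Finally create the new interface
        v = VXLANIf(**vxlan)
        v.update(vxlan)
    return None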
if __name__ == '__main__':
    # Standard conf-mode flow: any ConfigError aborts the commit with exit code 1
    try:
        cfg = get_config()
        verify(cfg)
        generate(cfg)
        apply(cfg)
    except ConfigError as err:
        print(err)
        exit(1)