* [pve-devel] [PATCH pve-network] zones: simple|evpn : only enable ip-forward if gateway is defined on the subnet
@ 2021-05-10 6:40 Alexandre Derumier
2021-05-10 7:36 ` Thomas Lamprecht
2021-05-10 7:38 ` [pve-devel] applied: " Thomas Lamprecht
0 siblings, 2 replies; 3+ messages in thread
From: Alexandre Derumier @ 2021-05-10 6:40 UTC (permalink / raw)
To: pve-devel
or ifquery reports an error
---
PVE/Network/SDN/Zones/EvpnPlugin.pm | 8 +++-
PVE/Network/SDN/Zones/SimplePlugin.pm | 8 +++-
.../expected_controller_config | 31 ++++++++++++++
.../ipv4ipv6nogateway/expected_sdn_interfaces | 40 +++++++++++++++++++
test/zones/evpn/ipv4ipv6nogateway/interfaces | 7 ++++
test/zones/evpn/ipv4ipv6nogateway/sdn_config | 30 ++++++++++++++
.../ipv4v6nogateway/expected_sdn_interfaces | 7 ++++
test/zones/simple/ipv4v6nogateway/interfaces | 5 +++
test/zones/simple/ipv4v6nogateway/sdn_config | 25 ++++++++++++
9 files changed, 157 insertions(+), 4 deletions(-)
create mode 100644 test/zones/evpn/ipv4ipv6nogateway/expected_controller_config
create mode 100644 test/zones/evpn/ipv4ipv6nogateway/expected_sdn_interfaces
create mode 100644 test/zones/evpn/ipv4ipv6nogateway/interfaces
create mode 100644 test/zones/evpn/ipv4ipv6nogateway/sdn_config
create mode 100644 test/zones/simple/ipv4v6nogateway/expected_sdn_interfaces
create mode 100644 test/zones/simple/ipv4v6nogateway/interfaces
create mode 100644 test/zones/simple/ipv4v6nogateway/sdn_config
diff --git a/PVE/Network/SDN/Zones/EvpnPlugin.pm b/PVE/Network/SDN/Zones/EvpnPlugin.pm
index 4e1dc48..4fa46f7 100644
--- a/PVE/Network/SDN/Zones/EvpnPlugin.pm
+++ b/PVE/Network/SDN/Zones/EvpnPlugin.pm
@@ -95,6 +95,8 @@ sub generate_sdn_config {
my $address = {};
my $ipv4 = undef;
my $ipv6 = undef;
+ my $enable_forward_v4 = undef;
+ my $enable_forward_v6 = undef;
my $subnets = PVE::Network::SDN::Vnets::get_subnets($vnetid, 1);
foreach my $subnetid (sort keys %{$subnets}) {
my $subnet = $subnets->{$subnetid};
@@ -115,10 +117,12 @@ sub generate_sdn_config {
$ipv6 = 1;
$iptables = "ip6tables";
$checkrouteip = '2001:4860:4860::8888';
+ $enable_forward_v6 = 1 if $gateway;
} else {
$ipv4 = 1;
$iptables = "iptables";
$checkrouteip = '8.8.8.8';
+ $enable_forward_v4 = 1 if $gateway;
}
if ($subnet->{snat}) {
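Review bot: The `if ($subnet->{snat})` block that opens on the last line of this hunk is not tied to the new gateway condition. A subnet with `snat` set and no gateway would presumably still get its NAT rules while `$enable_forward_v4`/`$enable_forward_v6` stay unset and the vnet gets no `ip-forward on`. Unless that combination is already rejected when the subnet is validated (not visible in this patch), the guard could read `if ($subnet->{snat} && $gateway) {`, or the case could be reported to the admin. The snat block's body and the assignment of `$gateway` are outside the hunk, so this needs checking against the full function. The matching SimplePlugin hunk (`@@ -79,10 +81,12`) sets the flags the same way.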
@@ -144,8 +148,8 @@ sub generate_sdn_config {
push @iface_config, "bridge_fd 0";
push @iface_config, "mtu $mtu" if $mtu;
push @iface_config, "alias $alias" if $alias;
- push @iface_config, "ip-forward on" if $ipv4;
- push @iface_config, "ip6-forward on" if $ipv6;
+ push @iface_config, "ip-forward on" if $enable_forward_v4;
+ push @iface_config, "ip6-forward on" if $enable_forward_v6;
push @iface_config, "arp-accept on" if $ipv4||$ipv6;
push @iface_config, "vrf $vrf_iface" if $vrf_iface;
push(@{$config->{$vnetid}}, @iface_config) if !$config->{$vnetid};
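Review bot: The reason forwarding now depends on `$enable_forward_v4`/`$enable_forward_v6` rather than `$ipv4`/`$ipv6` is recorded only in the commit message, while `arp-accept on` on the next line keeps the old address-family condition. A reader of the function cannot tell that the difference is deliberate. A comment above the two pushes would cover it, e.g. `# only enable forwarding if a subnet of this vnet has a gateway, otherwise ifquery reports an error`. The same comment fits the two pushes in SimplePlugin.pm (`@@ -111,8 +115,8`). generate_sdn_config starts and ends outside the hunk.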
diff --git a/PVE/Network/SDN/Zones/SimplePlugin.pm b/PVE/Network/SDN/Zones/SimplePlugin.pm
index 103585c..7757747 100644
--- a/PVE/Network/SDN/Zones/SimplePlugin.pm
+++ b/PVE/Network/SDN/Zones/SimplePlugin.pm
@@ -59,6 +59,8 @@ sub generate_sdn_config {
my $ipv4 = undef;
my $ipv6 = undef;
+ my $enable_forward_v4 = undef;
+ my $enable_forward_v6 = undef;
foreach my $subnetid (sort keys %{$subnets}) {
my $subnet = $subnets->{$subnetid};
@@ -79,10 +81,12 @@ sub generate_sdn_config {
$ipv6 = 1;
$iptables = "ip6tables";
$checkrouteip = '2001:4860:4860::8888';
+ $enable_forward_v6 = 1 if $gateway;
} else {
$ipv4 = 1;
$iptables = "iptables";
$checkrouteip = '8.8.8.8';
+ $enable_forward_v4 = 1 if $gateway;
}
#add route for /32 pointtopoint
@@ -111,8 +115,8 @@ sub generate_sdn_config {
}
push @iface_config, "mtu $mtu" if $mtu;
push @iface_config, "alias $alias" if $alias;
- push @iface_config, "ip-forward on" if $ipv4;
- push @iface_config, "ip6-forward on" if $ipv6;
+ push @iface_config, "ip-forward on" if $enable_forward_v4;
+ push @iface_config, "ip6-forward on" if $enable_forward_v6;
push @{$config->{$vnetid}}, @iface_config;
diff --git a/test/zones/evpn/ipv4ipv6nogateway/expected_controller_config b/test/zones/evpn/ipv4ipv6nogateway/expected_controller_config
new file mode 100644
index 0000000..c0ca898
--- /dev/null
+++ b/test/zones/evpn/ipv4ipv6nogateway/expected_controller_config
@@ -0,0 +1,31 @@
+log syslog informational
+ip forwarding
+ipv6 forwarding
+frr defaults datacenter
+service integrated-vtysh-config
+hostname localhost
+!
+!
+vrf vrf_myzone
+ vni 1000
+exit-vrf
+!
+router bgp 65000
+ bgp router-id 192.168.0.1
+ no bgp default ipv4-unicast
+ coalesce-time 1000
+ neighbor VTEP peer-group
+ neighbor VTEP remote-as 65000
+ neighbor VTEP bfd
+ neighbor 192.168.0.2 peer-group VTEP
+ neighbor 192.168.0.3 peer-group VTEP
+ !
+ address-family l2vpn evpn
+ neighbor VTEP activate
+ advertise-all-vni
+ exit-address-family
+!
+router bgp 65000 vrf vrf_myzone
+!
+line vty
+!
\ No newline at end of file
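Review bot: This expected output for a zone whose subnets have no gateway still begins with the global `ip forwarding` and `ipv6 forwarding` statements, while the vnet interface in the companion `expected_sdn_interfaces` no longer carries `ip-forward on`. If the intent is that a gateway-less EVPN zone does no routing on the node, it is worth confirming whether the controller-side generator should follow the same condition, or whether the global statements are needed for other zones. That code is not part of this patch. The fixture also ends without a trailing newline.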
diff --git a/test/zones/evpn/ipv4ipv6nogateway/expected_sdn_interfaces b/test/zones/evpn/ipv4ipv6nogateway/expected_sdn_interfaces
new file mode 100644
index 0000000..378fa77
--- /dev/null
+++ b/test/zones/evpn/ipv4ipv6nogateway/expected_sdn_interfaces
@@ -0,0 +1,40 @@
+#version:1
+
+auto myvnet
+iface myvnet
+ hwaddress A2:1D:CB:1A:C0:8B
+ bridge_ports vxlan_myvnet
+ bridge_stp off
+ bridge_fd 0
+ mtu 1450
+ arp-accept on
+ vrf vrf_myzone
+
+auto vrf_myzone
+iface vrf_myzone
+ vrf-table auto
+ post-up ip route add vrf vrf_myzone unreachable default metric 4278198272
+
+auto vrfbr_myzone
+iface vrfbr_myzone
+ bridge-ports vrfvx_myzone
+ bridge_stp off
+ bridge_fd 0
+ mtu 1450
+ vrf vrf_myzone
+
+auto vrfvx_myzone
+iface vrfvx_myzone
+ vxlan-id 1000
+ vxlan-local-tunnelip 192.168.0.1
+ bridge-learning off
+ bridge-arp-nd-suppress on
+ mtu 1450
+
+auto vxlan_myvnet
+iface vxlan_myvnet
+ vxlan-id 100
+ vxlan-local-tunnelip 192.168.0.1
+ bridge-learning off
+ bridge-arp-nd-suppress on
+ mtu 1450
diff --git a/test/zones/evpn/ipv4ipv6nogateway/interfaces b/test/zones/evpn/ipv4ipv6nogateway/interfaces
new file mode 100644
index 0000000..66bb826
--- /dev/null
+++ b/test/zones/evpn/ipv4ipv6nogateway/interfaces
@@ -0,0 +1,7 @@
+auto vmbr0
+iface vmbr0 inet static
+ address 192.168.0.1/24
+ gateway 192.168.0.254
+ bridge-ports eth0
+ bridge-stp off
+ bridge-fd 0
diff --git a/test/zones/evpn/ipv4ipv6nogateway/sdn_config b/test/zones/evpn/ipv4ipv6nogateway/sdn_config
new file mode 100644
index 0000000..ab2273f
--- /dev/null
+++ b/test/zones/evpn/ipv4ipv6nogateway/sdn_config
@@ -0,0 +1,30 @@
+{
+ version => 1,
+ vnets => {
+ ids => {
+ myvnet => { tag => "100", type => "vnet", zone => "myzone" },
+ },
+ },
+
+ zones => {
+ ids => { myzone => { ipam => "pve", type => "evpn", controller => "evpnctl", 'vrf-vxlan' => 1000, 'mac' => 'A2:1D:CB:1A:C0:8B' } },
+ },
+ controllers => {
+ ids => { evpnctl => { type => "evpn", 'peers' => '192.168.0.1,192.168.0.2,192.168.0.3', asn => "65000" } },
+ },
+
+ subnets => {
+ ids => {
+ 'myzone-10.0.0.0-24' => {
+ 'type' => 'subnet',
+ 'vnet' => 'myvnet',
+ },
+ 'myzone-2a08:2142:302:3::-64' => {
+ 'type' => 'subnet',
+ 'vnet' => 'myvnet',
+ }
+ }
+ }
+}
+
+
diff --git a/test/zones/simple/ipv4v6nogateway/expected_sdn_interfaces b/test/zones/simple/ipv4v6nogateway/expected_sdn_interfaces
new file mode 100644
index 0000000..1e0c2c7
--- /dev/null
+++ b/test/zones/simple/ipv4v6nogateway/expected_sdn_interfaces
@@ -0,0 +1,7 @@
+#version:1
+
+auto myvnet
+iface myvnet
+ bridge_ports none
+ bridge_stp off
+ bridge_fd 0
diff --git a/test/zones/simple/ipv4v6nogateway/interfaces b/test/zones/simple/ipv4v6nogateway/interfaces
new file mode 100644
index 0000000..68b6a88
--- /dev/null
+++ b/test/zones/simple/ipv4v6nogateway/interfaces
@@ -0,0 +1,5 @@
+auto vmbr0
+iface vmbr0 inet manual
+ bridge-ports eth0
+ bridge-stp off
+ bridge-fd 0
diff --git a/test/zones/simple/ipv4v6nogateway/sdn_config b/test/zones/simple/ipv4v6nogateway/sdn_config
new file mode 100644
index 0000000..dbd75c9
--- /dev/null
+++ b/test/zones/simple/ipv4v6nogateway/sdn_config
@@ -0,0 +1,25 @@
+{
+ version => 1,
+ vnets => {
+ ids => {
+ myvnet => { type => "vnet", zone => "myzone" },
+ },
+ },
+ zones => {
+ ids => { myzone => { ipam => "pve", type => "simple" } },
+ },
+ subnets => {
+ ids => {
+ 'myzone-192.168.0.0-24' => {
+ 'type' => 'subnet',
+ 'vnet' => 'myvnet',
+ },
+ 'myzone-2a08:2142:302:3::-64' => {
+ 'type' => 'subnet',
+ 'vnet' => 'myvnet',
+ }
+ }
+ }
+}
+
+
--
2.20.1
* Re: [pve-devel] [PATCH pve-network] zones: simple|evpn : only enable ip-forward if gateway is defined on the subnet
2021-05-10 6:40 [pve-devel] [PATCH pve-network] zones: simple|evpn : only enable ip-forward if gateway is defined on the subnet Alexandre Derumier
@ 2021-05-10 7:36 ` Thomas Lamprecht
2021-05-10 7:38 ` [pve-devel] applied: " Thomas Lamprecht
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Lamprecht @ 2021-05-10 7:36 UTC (permalink / raw)
To: Proxmox VE development discussion, Alexandre Derumier
On 10.05.21 08:40, Alexandre Derumier wrote:
> diff --git a/test/zones/simple/ipv4v6nogateway/sdn_config b/test/zones/simple/ipv4v6nogateway/sdn_config
> new file mode 100644
> index 0000000..dbd75c9
> --- /dev/null
> +++ b/test/zones/simple/ipv4v6nogateway/sdn_config
> @@ -0,0 +1,25 @@
> +{
> + version => 1,
> + vnets => {
> + ids => {
> + myvnet => { type => "vnet", zone => "myzone" },
> + },
> + },
> + zones => {
> + ids => { myzone => { ipam => "pve", type => "simple" } },
> + },
> + subnets => {
> + ids => {
> + 'myzone-192.168.0.0-24' => {
> + 'type' => 'subnet',
> + 'vnet' => 'myvnet',
> + },
> + 'myzone-2a08:2142:302:3::-64' => {
> + 'type' => 'subnet',
> + 'vnet' => 'myvnet',
> + }
> + }
> + }
> +}
In general:
can we please format this "pretty" human-readable?
Also, anything against switching that to JSON? I do not really like the eval on
file content in the test framework and the original running config is also in JSON...
I could just do that with a simple perl script like
perl -MJSON -e 'my $d=""; while(<>) {$d .= $_;} print to_json(eval $d, {pretty=>1,canonical=>1});' FILEs...
put in a bash loop.
* [pve-devel] applied: [PATCH pve-network] zones: simple|evpn : only enable ip-forward if gateway is defined on the subnet
2021-05-10 6:40 [pve-devel] [PATCH pve-network] zones: simple|evpn : only enable ip-forward if gateway is defined on the subnet Alexandre Derumier
2021-05-10 7:36 ` Thomas Lamprecht
@ 2021-05-10 7:38 ` Thomas Lamprecht
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Lamprecht @ 2021-05-10 7:38 UTC (permalink / raw)
To: Proxmox VE development discussion, Alexandre Derumier
On 10.05.21 08:40, Alexandre Derumier wrote:
> or ifquery report an error
> ---
> PVE/Network/SDN/Zones/EvpnPlugin.pm | 8 +++-
> PVE/Network/SDN/Zones/SimplePlugin.pm | 8 +++-
> .../expected_controller_config | 31 ++++++++++++++
> .../ipv4ipv6nogateway/expected_sdn_interfaces | 40 +++++++++++++++++++
> test/zones/evpn/ipv4ipv6nogateway/interfaces | 7 ++++
> test/zones/evpn/ipv4ipv6nogateway/sdn_config | 30 ++++++++++++++
> .../ipv4v6nogateway/expected_sdn_interfaces | 7 ++++
> test/zones/simple/ipv4v6nogateway/interfaces | 5 +++
> test/zones/simple/ipv4v6nogateway/sdn_config | 25 ++++++++++++
> 9 files changed, 157 insertions(+), 4 deletions(-)
> create mode 100644 test/zones/evpn/ipv4ipv6nogateway/expected_controller_config
> create mode 100644 test/zones/evpn/ipv4ipv6nogateway/expected_sdn_interfaces
> create mode 100644 test/zones/evpn/ipv4ipv6nogateway/interfaces
> create mode 100644 test/zones/evpn/ipv4ipv6nogateway/sdn_config
> create mode 100644 test/zones/simple/ipv4v6nogateway/expected_sdn_interfaces
> create mode 100644 test/zones/simple/ipv4v6nogateway/interfaces
> create mode 100644 test/zones/simple/ipv4v6nogateway/sdn_config
>
>
applied, thanks!