From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 2F48A755E7 for ; Wed, 21 Apr 2021 22:56:02 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 294A4133F5 for ; Wed, 21 Apr 2021 22:56:02 +0200 (CEST) Received: from kvmformation3.odiso.net (globalOdiso.M6Lille.odiso.net [89.248.211.242]) by firstgate.proxmox.com (Proxmox) with ESMTP id 9129C133C8 for ; Wed, 21 Apr 2021 22:55:56 +0200 (CEST) Received: by kvmformation3.odiso.net (Postfix, from userid 0) id 331808309D; Wed, 21 Apr 2021 22:55:50 +0200 (CEST) From: Alexandre Derumier To: pve-devel@lists.proxmox.com Date: Wed, 21 Apr 2021 22:55:49 +0200 Message-Id: <20210421205549.1604429-6-aderumier@odiso.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20210421205549.1604429-1-aderumier@odiso.com> References: <20210421205549.1604429-1-aderumier@odiso.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 1 AWL -0.169 Adjusted score from AWL reputation of 
From: address HEADER_FROM_DIFFERENT_DOMAINS 0.25 From and EnvelopeFrom 2nd level mail domains are different KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods KHOP_HELO_FCRDNS 0.399 Relay HELO differs from its IP's reverse DNS NO_DNS_FOR_FROM 0.379 Envelope sender has no MX or A DNS records SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [simpleplugin.pm] Subject: [pve-devel] [PATCH v2 pve-network 5/5] zones: simple: fix ip-forward && ipv6 snat X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Apr 2021 20:56:02 -0000 
Signed-off-by: Alexandre Derumier --- PVE/Network/SDN/Zones/SimplePlugin.pm | 34 ++++++++++++++----- .../simple/hetzner/expected_sdn_interfaces | 19 +++++++++++ test/zones/simple/hetzner/interfaces | 6 ++++ test/zones/simple/hetzner/sdn_config | 34 +++++++++++++++++++ .../zones/simple/ipv4/expected_sdn_interfaces | 1 + .../simple/ipv4snat/expected_sdn_interfaces | 1 + .../simple/ipv4v6/expected_sdn_interfaces | 11 ++++++ test/zones/simple/ipv4v6/interfaces | 5 +++ test/zones/simple/ipv4v6/sdn_config | 27 +++++++++++++++ .../simple/ipv6snat/expected_sdn_interfaces | 13 +++++++ test/zones/simple/ipv6snat/interfaces | 7 ++++ test/zones/simple/ipv6snat/sdn_config | 24 +++++++++++++ 12 files changed, 174 insertions(+), 8 deletions(-) create mode 100644 test/zones/simple/hetzner/expected_sdn_interfaces create mode 100644 test/zones/simple/hetzner/interfaces create mode 100644 test/zones/simple/hetzner/sdn_config create mode 100644 test/zones/simple/ipv4v6/expected_sdn_interfaces create mode 100644 test/zones/simple/ipv4v6/interfaces create mode 100644 test/zones/simple/ipv4v6/sdn_config create mode 100644 test/zones/simple/ipv6snat/expected_sdn_interfaces create mode 100644 test/zones/simple/ipv6snat/interfaces create mode 100644 test/zones/simple/ipv6snat/sdn_config diff --git a/PVE/Network/SDN/Zones/SimplePlugin.pm b/PVE/Network/SDN/Zones/SimplePlugin.pm index 9f74f3e..caea5a8 100644 --- a/PVE/Network/SDN/Zones/SimplePlugin.pm +++ b/PVE/Network/SDN/Zones/SimplePlugin.pm @@ -47,8 +47,6 @@ sub generate_sdn_config { return $config if$config->{$vnetid}; # nothing to do - my $ipv4 = $vnet->{ipv4}; - my $ipv6 = $vnet->{ipv6}; my $mac = $vnet->{mac}; my $alias = $vnet->{alias}; my $mtu = $plugin_config->{mtu} if $plugin_config->{mtu}; 
@@ -59,6 +57,9 @@ sub generate_sdn_config { my $address = {}; my $subnets = PVE::Network::SDN::Vnets::get_subnets($vnetid, 1); + my $ipv4 = undef; + my $ipv6 = undef; + foreach my $subnetid (sort keys %{$subnets}) { my $subnet = $subnets->{$subnetid}; my $cidr = $subnet->{cidr}; 
@@ -69,18 +70,33 @@ sub generate_sdn_config { push @iface_config, "address $gateway/$mask" if !defined($address->{$gateway}); $address->{$gateway} = 1; } + + my $iptables = undef; + my $checkrouteip = undef; + my $ipversion = Net::IP::ip_is_ipv6($gateway) ? 6 : 4; + + if ( $ipversion == 6) { + $ipv6 = 1; + $iptables = "ip6tables"; + $checkrouteip = '2001:4860:4860::8888'; + } else { + $ipv4 = 1; + $iptables = "iptables"; + $checkrouteip = '8.8.8.8'; + } + #add route for /32 pointtopoint - push @iface_config, "up ip route add $cidr dev $vnetid" if $mask == 32; + push @iface_config, "up ip route add $cidr dev $vnetid" if $mask == 32 && $ipversion == 4; if ($subnet->{snat}) { #find outgoing interface - my ($outip, $outiface) = PVE::Network::SDN::Zones::Plugin::get_local_route_ip('8.8.8.8'); + my ($outip, $outiface) = PVE::Network::SDN::Zones::Plugin::get_local_route_ip($checkrouteip); if ($outip && $outiface) { #use snat, faster than masquerade - push @iface_config, "post-up iptables -t nat -A POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip"; - push @iface_config, "post-down iptables -t nat -D POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip"; + push @iface_config, "post-up $iptables -t nat -A POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip"; + push @iface_config, "post-down $iptables -t nat -D POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip"; #add conntrack zone once on outgoing interface - push @iface_config, "post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1"; - push @iface_config, "post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1"; + push @iface_config, "post-up $iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1"; + push @iface_config, "post-down $iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1"; } } } 
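Review bot: `$ipversion` is computed from `$gateway` right after the closing `}` of what looks like a gateway-guarded block (its opening is outside the hunk), so a subnet configured without a gateway reaches `Net::IP::ip_is_ipv6($gateway)` with undef, which under warnings emits an uninitialized-value warning and most likely returns false — an IPv6 subnet without a gateway would then get `iptables` SNAT rules and `ip-forward on` instead of `ip6tables` and `ip6-forward on`. Since `$cidr` is what the route and SNAT rules actually act on and the loop already reads it for every subnet, derive the family from it instead, e.g. `my $ipversion = Net::IP->new($cidr)->version;`, guarding for `Net::IP->new` returning undef on a malformed cidr if that is not validated upstream. Please also confirm `Net::IP` is loaded in this file: the hunk calls it fully qualified but adds no `use Net::IP;`. The two probe addresses would read better as named constants, since they only serve to pick the outgoing interface for SNAT. generate_sdn_config starts and ends outside this hunk.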
@@ -95,6 +111,8 @@ sub generate_sdn_config { } push @iface_config, "mtu $mtu" if $mtu; push @iface_config, "alias $alias" if $alias; + push @iface_config, "ip-forward on" if $ipv4; + push @iface_config, "ip6-forward on" if $ipv6; push @{$config->{$vnetid}}, @iface_config; diff --git a/test/zones/simple/hetzner/expected_sdn_interfaces b/test/zones/simple/hetzner/expected_sdn_interfaces new file mode 100644 index 0000000..f47ac53 --- /dev/null +++ b/test/zones/simple/hetzner/expected_sdn_interfaces @@ -0,0 +1,19 @@ +#version:1 + +auto myvnet +iface myvnet + address 144.76.100.65/29 + bridge_ports none + bridge_stp off + bridge_fd 0 + ip-forward on + +auto myvnet2 +iface myvnet2 + address 144.76.0.1/32 + up ip route add 144.76.200.65/32 dev myvnet2 + up ip route add 144.76.200.66/32 dev myvnet2 + bridge_ports none + bridge_stp off + bridge_fd 0 + ip-forward on diff --git a/test/zones/simple/hetzner/interfaces b/test/zones/simple/hetzner/interfaces new file mode 100644 index 0000000..5ab9635 --- /dev/null +++ b/test/zones/simple/hetzner/interfaces @@ -0,0 +1,6 @@ +auto eth0 +iface eth0 inet static + address 144.76.0.1 + netmask 255.255.255.255 + pointopoint 172.31.1.1 + gateway 172.31.1.1 \ No newline at end of file diff --git a/test/zones/simple/hetzner/sdn_config b/test/zones/simple/hetzner/sdn_config new file mode 100644 index 0000000..30773ca --- /dev/null +++ b/test/zones/simple/hetzner/sdn_config 
@@ -0,0 +1,34 @@ +{ + version => 1, + vnets => { + ids => { + myvnet => { type => "vnet", zone => "myzone" }, + myvnet2 => { type => "vnet", zone => "myzone" }, + }, + }, + zones => { + ids => { myzone => { ipam => "pve", type => "simple" } }, + }, + + subnets => { + ids => { + 'myzone-144.76.100.64-29' => { + 'type' => 'subnet', + 'vnet' => 'myvnet', + 'gateway' => '144.76.100.65', + }, + 'myzone-144.76.200.65-32' => { + 'type' => 'subnet', + 'vnet' => 'myvnet2', + 'gateway' => '144.76.0.1', + }, + 'myzone-144.76.200.66-32' => { + 'type' => 'subnet', + 'vnet' => 'myvnet2', + 'gateway' => '144.76.0.1', + }, + } + } +} + + diff --git a/test/zones/simple/ipv4/expected_sdn_interfaces b/test/zones/simple/ipv4/expected_sdn_interfaces index d84075d..06e43ad 100644 --- a/test/zones/simple/ipv4/expected_sdn_interfaces +++ b/test/zones/simple/ipv4/expected_sdn_interfaces @@ -6,3 +6,4 @@ iface myvnet bridge_ports none bridge_stp off bridge_fd 0 + ip-forward on diff --git a/test/zones/simple/ipv4snat/expected_sdn_interfaces b/test/zones/simple/ipv4snat/expected_sdn_interfaces index c822af1..69d7986 100644 --- a/test/zones/simple/ipv4snat/expected_sdn_interfaces +++ b/test/zones/simple/ipv4snat/expected_sdn_interfaces @@ -10,3 +10,4 @@ iface myvnet bridge_ports none bridge_stp off bridge_fd 0 + ip-forward on diff --git a/test/zones/simple/ipv4v6/expected_sdn_interfaces b/test/zones/simple/ipv4v6/expected_sdn_interfaces new file mode 100644 index 0000000..34ed5db --- /dev/null +++ b/test/zones/simple/ipv4v6/expected_sdn_interfaces @@ -0,0 +1,11 @@ +#version:1 + +auto myvnet +iface myvnet + address 192.168.0.1/24 + address 2a08:2142:302:3::1/64 + bridge_ports none + bridge_stp off + bridge_fd 0 + ip-forward on + ip6-forward on diff --git a/test/zones/simple/ipv4v6/interfaces b/test/zones/simple/ipv4v6/interfaces new file mode 100644 index 0000000..68b6a88 --- /dev/null +++ b/test/zones/simple/ipv4v6/interfaces 
@@ -0,0 +1,5 @@
+auto vmbr0
+iface vmbr0 inet manual
+ bridge-ports eth0
+ bridge-stp off
+ bridge-fd 0
diff --git a/test/zones/simple/ipv4v6/sdn_config b/test/zones/simple/ipv4v6/sdn_config
new file mode 100644
index 0000000..b8ed848
--- /dev/null
+++ b/test/zones/simple/ipv4v6/sdn_config
@@ -0,0 +1,27 @@
+{
+ version => 1,
+ vnets => {
+ ids => {
+ myvnet => { type => "vnet", zone => "myzone" },
+ },
+ },
+ zones => {
+ ids => { myzone => { ipam => "pve", type => "simple" } },
+ },
+ subnets => {
+ ids => {
+ 'myzone-192.168.0.0-24' => {
+ 'type' => 'subnet',
+ 'vnet' => 'myvnet',
+ 'gateway' => '192.168.0.1',
+ },
+ 'myzone-2a08:2142:302:3::-64' => {
+ 'type' => 'subnet',
+ 'vnet' => 'myvnet',
+ 'gateway' => '2a08:2142:302:3::1',
+ }
+ }
+ }
+}
+
+
diff --git a/test/zones/simple/ipv6snat/expected_sdn_interfaces b/test/zones/simple/ipv6snat/expected_sdn_interfaces
new file mode 100644
index 0000000..d3adc24
--- /dev/null
+++ b/test/zones/simple/ipv6snat/expected_sdn_interfaces
@@ -0,0 +1,13 @@
+#version:1
+
+auto myvnet
+iface myvnet
+ address 2a08:2142:302:3::1/64
+ post-up ip6tables -t nat -A POSTROUTING -s '2a08:2142:302:3::/64' -o vmbr0 -j SNAT --to-source 192.168.0.1
+ post-down ip6tables -t nat -D POSTROUTING -s '2a08:2142:302:3::/64' -o vmbr0 -j SNAT --to-source 192.168.0.1
+ post-up ip6tables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
+ post-down ip6tables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
+ bridge_ports none
+ bridge_stp off
+ bridge_fd 0
+ ip6-forward on
diff --git a/test/zones/simple/ipv6snat/interfaces b/test/zones/simple/ipv6snat/interfaces
new file mode 100644
index 0000000..66bb826
--- /dev/null
+++ b/test/zones/simple/ipv6snat/interfaces
@@ -0,0 +1,7 @@
+auto vmbr0
+iface vmbr0 inet static
+ address 192.168.0.1/24
+ gateway 192.168.0.254
+ bridge-ports eth0
+ bridge-stp off
+ bridge-fd 0
diff --git a/test/zones/simple/ipv6snat/sdn_config b/test/zones/simple/ipv6snat/sdn_config
new file mode 100644
index 0000000..bc38527
--- /dev/null
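Review bot: The expected output for the ipv6snat case pairs `ip6tables -t nat ... -j SNAT` with `--to-source 192.168.0.1`, an IPv4 address, which an IPv6 nat rule cannot carry, so the fixture pins a rule that would not load on a real host. This presumably means the test's stand-in for `get_local_route_ip` returns the same source regardless of the family of the address it is probed with (the stand-in is outside this patch). Consider having it return a family-matched source — e.g. a constructed `2001:db8::1` for the IPv6 probe — and updating the two expected `post-up`/`post-down` lines accordingly, so the test also shows that the IPv6 probe address really selects an IPv6 source.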
+++ b/test/zones/simple/ipv6snat/sdn_config
@@ -0,0 +1,24 @@
+{
+ version => 1,
+ vnets => {
+ ids => {
+ myvnet => { type => "vnet", zone => "myzone" },
+ },
+ },
+ zones => {
+ ids => { myzone => { ipam => "pve", type => "simple" } },
+ },
+
+ subnets => {
+ ids => {
+ 'myzone-2a08:2142:302:3::-64' => {
+ 'type' => 'subnet',
+ 'vnet' => 'myvnet',
+ 'gateway' => '2a08:2142:302:3::1',
+ 'snat' => 1
+ }
+ }
+ }
+}
+
+
--
2.20.1