From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 81ACC756CC for ; Wed, 21 Apr 2021 23:50:01 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 7667914431 for ; Wed, 21 Apr 2021 23:49:31 +0200 (CEST) Received: from kvmformation3.odiso.net (globalOdiso.M6Lille.odiso.net [89.248.211.242]) by firstgate.proxmox.com (Proxmox) with ESMTP id 8C610140FC for ; Wed, 21 Apr 2021 23:49:27 +0200 (CEST) Received: by kvmformation3.odiso.net (Postfix, from userid 0) id 606D78D62B; Wed, 21 Apr 2021 23:49:27 +0200 (CEST) From: Alexandre Derumier To: pve-devel@lists.proxmox.com Date: Wed, 21 Apr 2021 23:49:24 +0200 Message-Id: <20210421214926.1789330-5-aderumier@odiso.com> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20210421214926.1789330-1-aderumier@odiso.com> References: <20210421214926.1789330-1-aderumier@odiso.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 1 AWL -0.168 Adjusted score from AWL reputation of 
From: address HEADER_FROM_DIFFERENT_DOMAINS 0.25 From and EnvelopeFrom 2nd level mail domains are different KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment KAM_LAZY_DOMAIN_SECURITY 1 Sending domain does not have any anti-forgery methods KHOP_HELO_FCRDNS 0.399 Relay HELO differs from its IP's reverse DNS NO_DNS_FOR_FROM 0.379 Envelope sender has no MX or A DNS records SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_NONE 0.001 SPF: sender does not publish an SPF Record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [evpnplugin.pm] Subject: [pve-devel] [PATCH v3 pve-network 4/6] zones: evpn: fix arp-accept && ip-forward + ipv6 snat X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 21 Apr 2021 21:50:01 -0000 they were lost during subnet work 
Signed-off-by: Alexandre Derumier
---
PVE/Network/SDN/Zones/EvpnPlugin.pm | 29 +++++++++--- test/zones/evpn/ebgp/expected_sdn_interfaces | 2 + .../ebgp_loopback/expected_sdn_interfaces | 2 + .../evpn/exitnode/expected_sdn_interfaces | 2 + .../exitnode_snat/expected_sdn_interfaces | 25 +++++++++++ test/zones/evpn/exitnode_snat/sdn_config | 12 ++++- test/zones/evpn/ipv4/expected_sdn_interfaces | 2 + .../evpn/ipv4ipv6/expected_controller_config | 31 +++++++++++++ .../evpn/ipv4ipv6/expected_sdn_interfaces | 44 +++++++++++++++++++ test/zones/evpn/ipv4ipv6/interfaces | 7 +++ test/zones/evpn/ipv4ipv6/sdn_config | 32 ++++++++++++++ .../evpn/ipv6/expected_controller_config | 31 +++++++++++++ test/zones/evpn/ipv6/expected_sdn_interfaces | 42 ++++++++++++++++++ test/zones/evpn/ipv6/interfaces | 7 +++ test/zones/evpn/ipv6/sdn_config | 27 ++++++++++++ 15 files changed, 286 insertions(+), 9 deletions(-) create mode 100644 test/zones/evpn/ipv4ipv6/expected_controller_config create mode 100644 test/zones/evpn/ipv4ipv6/expected_sdn_interfaces create mode 100644 test/zones/evpn/ipv4ipv6/interfaces create mode 100644 test/zones/evpn/ipv4ipv6/sdn_config create mode 100644 test/zones/evpn/ipv6/expected_controller_config create mode 100644 test/zones/evpn/ipv6/expected_sdn_interfaces create mode 100644 test/zones/evpn/ipv6/interfaces create mode 100644 test/zones/evpn/ipv6/sdn_config
diff --git a/PVE/Network/SDN/Zones/EvpnPlugin.pm b/PVE/Network/SDN/Zones/EvpnPlugin.pm
index d68d3ee..8d5250c 100644
--- a/PVE/Network/SDN/Zones/EvpnPlugin.pm
+++ b/PVE/Network/SDN/Zones/EvpnPlugin.pm
@@ -9,6 +9,7 @@ use PVE::Tools qw($IPV4RE);
 use PVE::INotify;
 use PVE::Cluster;
 use PVE::Tools;
+use Net::IP;
 use PVE::Network::SDN::Controllers::EvpnPlugin;
@@ -59,8 +60,6 @@ sub generate_sdn_config {
     my $tag = $vnet->{tag};
     my $alias = $vnet->{alias};
-    my $ipv4 = $vnet->{ipv4};
-    my $ipv6 = $vnet->{ipv6};
     my $mac = $plugin_config->{'mac'};
     my $vrf_iface = "vrf_$zoneid";
@@ -95,6 +94,8 @@ sub generate_sdn_config {
     @iface_config = ();
     my $address = {};
+    my $ipv4 = undef;
+    my $ipv6 = undef;
     my $subnets = PVE::Network::SDN::Vnets::get_subnets($vnetid, 1);
     foreach my $subnetid (sort keys %{$subnets}) {
         my $subnet = $subnets->{$subnetid};
@@ -107,19 +108,33 @@ sub generate_sdn_config {
             $address->{$gateway} = 1;
         }
+        my $iptables = undef;
+        my $checkrouteip = undef;
+        my $ipversion = Net::IP::ip_is_ipv6($gateway) ? 6 : 4;
+
+        if ($ipversion == 6) {
+            $ipv6 = 1;
+            $iptables = "ip6tables";
+            $checkrouteip = '2001:4860:4860::8888';
+        } else {
+            $ipv4 = 1;
+            $iptables = "iptables";
+            $checkrouteip = '8.8.8.8';
+        }
+
         if ($subnet->{snat}) {
             my $is_evpn_gateway = $plugin_config->{'exitnodes'}->{$local_node};
             #find outgoing interface
-            my ($outip, $outiface) = PVE::Network::SDN::Zones::Plugin::get_local_route_ip('8.8.8.8');
+            my ($outip, $outiface) = PVE::Network::SDN::Zones::Plugin::get_local_route_ip($checkrouteip);
             if ($outip && $outiface && $is_evpn_gateway) {
                 #use snat, faster than masquerade
-                push @iface_config, "post-up iptables -t nat -A POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip";
-                push @iface_config, "post-down iptables -t nat -D POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip";
+                push @iface_config, "post-up $iptables -t nat -A POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip";
+                push @iface_config, "post-down $iptables -t nat -D POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip";
                 #add conntrack zone once on outgoing interface
-                push @iface_config, "post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1";
-                push @iface_config, "post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1";
+                push @iface_config, "post-up $iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1";
+                push @iface_config, "post-down $iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1";
             }
         }
     }
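Review bot: `Net::IP::ip_is_ipv6($gateway)` runs after the block that guards on the gateway has closed, so if a subnet may be defined without a gateway (the `$address->{$gateway} = 1;` block just above looks like such a guard) the lookup sees undef, returns false and the subnet is classified as IPv4, setting `$ipv4` instead of `$ipv6`; deriving the family from the network part of `$cidr`, which the SNAT rules below already rely on, avoids that: `my ($net) = split m{/}, $cidr;` followed by `my $ipversion = Net::IP::ip_is_ipv6($net) ? 6 : 4;`. Nothing checks that the `$outip` returned by `get_local_route_ip($checkrouteip)` belongs to the same family as the subnet, and test/zones/evpn/exitnode_snat/expected_sdn_interfaces now pins `post-up ip6tables -t nat -A POSTROUTING ... -j SNAT --to-source 192.168.0.1`, a rule ip6tables rejects, so on a real host that vnet's post-up would fail; extending the guard to `if ($outip && $outiface && $is_evpn_gateway && (Net::IP::ip_is_ipv6($outip) ? 6 : 4) == $ipversion) {` skips the rule rather than emitting a broken one, and the fixture should then carry an IPv6 source or no rule. As a point of style, `$ipversion` is consulted exactly once, so the two `= undef` declarations plus the if/else could collapse into one `my $is_ipv6 = ...` with conditional assignments for `$iptables` and `$checkrouteip`. generate_sdn_config starts and ends outside the hunk.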
diff --git a/test/zones/evpn/ebgp/expected_sdn_interfaces b/test/zones/evpn/ebgp/expected_sdn_interfaces
index 6d2d3b6..4cf13e0 100644
--- a/test/zones/evpn/ebgp/expected_sdn_interfaces
+++ b/test/zones/evpn/ebgp/expected_sdn_interfaces
@@ -7,6 +7,8 @@ iface myvnet
 	bridge_stp off
 	bridge_fd 0
 	mtu 1450
+	ip-forward on
+	arp-accept on
 	vrf vrf_myzone
 auto vrf_myzone
diff --git a/test/zones/evpn/ebgp_loopback/expected_sdn_interfaces b/test/zones/evpn/ebgp_loopback/expected_sdn_interfaces
index 6d2d3b6..4cf13e0 100644
--- a/test/zones/evpn/ebgp_loopback/expected_sdn_interfaces
+++ b/test/zones/evpn/ebgp_loopback/expected_sdn_interfaces
@@ -7,6 +7,8 @@ iface myvnet
 	bridge_stp off
 	bridge_fd 0
 	mtu 1450
+	ip-forward on
+	arp-accept on
 	vrf vrf_myzone
 auto vrf_myzone
diff --git a/test/zones/evpn/exitnode/expected_sdn_interfaces b/test/zones/evpn/exitnode/expected_sdn_interfaces
index 6d2d3b6..4cf13e0 100644
--- a/test/zones/evpn/exitnode/expected_sdn_interfaces
+++ b/test/zones/evpn/exitnode/expected_sdn_interfaces
@@ -7,6 +7,8 @@ iface myvnet
 	bridge_stp off
 	bridge_fd 0
 	mtu 1450
+	ip-forward on
+	arp-accept on
 	vrf vrf_myzone
 auto vrf_myzone
diff --git a/test/zones/evpn/exitnode_snat/expected_sdn_interfaces b/test/zones/evpn/exitnode_snat/expected_sdn_interfaces
index e8093a2..a2a183e 100644
--- a/test/zones/evpn/exitnode_snat/expected_sdn_interfaces
+++ b/test/zones/evpn/exitnode_snat/expected_sdn_interfaces
@@ -11,6 +11,23 @@ iface myvnet
 	bridge_stp off
 	bridge_fd 0
 	mtu 1450
+	ip-forward on
+	arp-accept on
+	vrf vrf_myzone
+
+auto myvnet2
+iface myvnet2
+	address 2a08:2142:302:3::1/64
+	post-up ip6tables -t nat -A POSTROUTING -s '2a08:2142:302:3::/64' -o vmbr0 -j SNAT --to-source 192.168.0.1
+	post-down ip6tables -t nat -D POSTROUTING -s '2a08:2142:302:3::/64' -o vmbr0 -j SNAT --to-source 192.168.0.1
+	post-up ip6tables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
+	post-down ip6tables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
+	bridge_ports vxlan_myvnet2
+	bridge_stp off
+	bridge_fd 0
+	mtu 1450
+	ip6-forward on
+	arp-accept on
 	vrf vrf_myzone
 auto vrf_myzone
@@ -41,3 +58,11 @@ iface vxlan_myvnet
 	bridge-learning off
 	bridge-arp-nd-suppress on
 	mtu 1450
+
+auto vxlan_myvnet2
+iface vxlan_myvnet2
+	vxlan-id 200
+	vxlan-local-tunnelip 192.168.0.1
+	bridge-learning off
+	bridge-arp-nd-suppress on
+	mtu 1450
diff --git a/test/zones/evpn/exitnode_snat/sdn_config b/test/zones/evpn/exitnode_snat/sdn_config
index f40e8bd..35cdf5d 100644
--- a/test/zones/evpn/exitnode_snat/sdn_config
+++ b/test/zones/evpn/exitnode_snat/sdn_config
@@ -3,6 +3,7 @@
     vnets => {
         ids => {
             myvnet => { tag => "100", type => "vnet", zone => "myzone" },
+            myvnet2 => { tag => "200", type => "vnet", zone => "myzone" },
         },
     },
@@ -14,12 +15,19 @@
     },
     subnets => {
-        ids => { 'myzone-10.0.0.0-24' => {
+        ids => {
+            'myzone-10.0.0.0-24' => {
                 'type' => 'subnet',
                 'vnet' => 'myvnet',
                 'gateway' => '10.0.0.1',
                 'snat' => 1
-            }
+            },
+            'myzone-2a08:2142:302:3::-64' => {
+                'type' => 'subnet',
+                'vnet' => 'myvnet2',
+                'gateway' => '2a08:2142:302:3::1',
+                'snat' => 1
+            }
         }
     }
 }
diff --git a/test/zones/evpn/ipv4/expected_sdn_interfaces b/test/zones/evpn/ipv4/expected_sdn_interfaces
index e2d5a75..9d1c64c 100644
--- a/test/zones/evpn/ipv4/expected_sdn_interfaces
+++ b/test/zones/evpn/ipv4/expected_sdn_interfaces
@@ -8,6 +8,8 @@ iface myvnet
 	bridge_stp off
 	bridge_fd 0
 	mtu 1450
+	ip-forward on
+	arp-accept on
 	vrf vrf_myzone
 auto vrf_myzone
diff --git a/test/zones/evpn/ipv4ipv6/expected_controller_config b/test/zones/evpn/ipv4ipv6/expected_controller_config
new file mode 100644
index 0000000..c0ca898
--- /dev/null
+++ b/test/zones/evpn/ipv4ipv6/expected_controller_config
@@ -0,0 +1,31 @@
+log syslog informational
+ip forwarding
+ipv6 forwarding
+frr defaults datacenter
+service integrated-vtysh-config
+hostname localhost
+!
+!
+vrf vrf_myzone
+ vni 1000
+exit-vrf
+!
+router bgp 65000
+ bgp router-id 192.168.0.1
+ no bgp default ipv4-unicast
+ coalesce-time 1000
+ neighbor VTEP peer-group
+ neighbor VTEP remote-as 65000
+ neighbor VTEP bfd
+ neighbor 192.168.0.2 peer-group VTEP
+ neighbor 192.168.0.3 peer-group VTEP
+ !
+ address-family l2vpn evpn
+  neighbor VTEP activate
+  advertise-all-vni
+ exit-address-family
+!
+router bgp 65000 vrf vrf_myzone
+!
+line vty
+!
\ No newline at end of file
diff --git a/test/zones/evpn/ipv4ipv6/expected_sdn_interfaces b/test/zones/evpn/ipv4ipv6/expected_sdn_interfaces
new file mode 100644
index 0000000..7a5d741
--- /dev/null
+++ b/test/zones/evpn/ipv4ipv6/expected_sdn_interfaces
@@ -0,0 +1,44 @@
+#version:1
+
+auto myvnet
+iface myvnet
+	address 10.0.0.1/24
+	address 2a08:2142:302:3::1/64
+	hwaddress A2:1D:CB:1A:C0:8B
+	bridge_ports vxlan_myvnet
+	bridge_stp off
+	bridge_fd 0
+	mtu 1450
+	ip-forward on
+	ip6-forward on
+	arp-accept on
+	vrf vrf_myzone
+
+auto vrf_myzone
+iface vrf_myzone
+	vrf-table auto
+	post-up ip route add vrf vrf_myzone unreachable default metric 4278198272
+
+auto vrfbr_myzone
+iface vrfbr_myzone
+	bridge-ports vrfvx_myzone
+	bridge_stp off
+	bridge_fd 0
+	mtu 1450
+	vrf vrf_myzone
+
+auto vrfvx_myzone
+iface vrfvx_myzone
+	vxlan-id 1000
+	vxlan-local-tunnelip 192.168.0.1
+	bridge-learning off
+	bridge-arp-nd-suppress on
+	mtu 1450
+
+auto vxlan_myvnet
+iface vxlan_myvnet
+	vxlan-id 100
+	vxlan-local-tunnelip 192.168.0.1
+	bridge-learning off
+	bridge-arp-nd-suppress on
+	mtu 1450
diff --git a/test/zones/evpn/ipv4ipv6/interfaces b/test/zones/evpn/ipv4ipv6/interfaces
new file mode 100644
index 0000000..66bb826
--- /dev/null
+++ b/test/zones/evpn/ipv4ipv6/interfaces
@@ -0,0 +1,7 @@
+auto vmbr0
+iface vmbr0 inet static
+	address 192.168.0.1/24
+	gateway 192.168.0.254
+	bridge-ports eth0
+	bridge-stp off
+	bridge-fd 0
diff --git a/test/zones/evpn/ipv4ipv6/sdn_config b/test/zones/evpn/ipv4ipv6/sdn_config
new file mode 100644
index 0000000..4583818
--- /dev/null
+++ b/test/zones/evpn/ipv4ipv6/sdn_config
@@ -0,0 +1,32 @@
+{
+    version => 1,
+    vnets => {
+        ids => {
+            myvnet => { tag => "100", type => "vnet", zone => "myzone" },
+        },
+    },
+
+    zones => {
+        ids => { myzone => { ipam => "pve", type => "evpn", controller => "evpnctl", 'vrf-vxlan' => 1000, 'mac' => 'A2:1D:CB:1A:C0:8B' } },
+    },
+    controllers => {
+        ids => { evpnctl => { type => "evpn", 'peers' => '192.168.0.1,192.168.0.2,192.168.0.3', asn => "65000" } },
+    },
+
+    subnets => {
+        ids => {
+            'myzone-10.0.0.0-24' => {
+                'type' => 'subnet',
+                'vnet' => 'myvnet',
+                'gateway' => '10.0.0.1',
+            },
+            'myzone-2a08:2142:302:3::-64' => {
+                'type' => 'subnet',
+                'vnet' => 'myvnet',
+                'gateway' => '2a08:2142:302:3::1',
+            }
+        }
+    }
+}
+
+
diff --git a/test/zones/evpn/ipv6/expected_controller_config b/test/zones/evpn/ipv6/expected_controller_config
new file mode 100644
index 0000000..c0ca898
--- /dev/null
+++ b/test/zones/evpn/ipv6/expected_controller_config
@@ -0,0 +1,31 @@
+log syslog informational
+ip forwarding
+ipv6 forwarding
+frr defaults datacenter
+service integrated-vtysh-config
+hostname localhost
+!
+!
+vrf vrf_myzone
+ vni 1000
+exit-vrf
+!
+router bgp 65000
+ bgp router-id 192.168.0.1
+ no bgp default ipv4-unicast
+ coalesce-time 1000
+ neighbor VTEP peer-group
+ neighbor VTEP remote-as 65000
+ neighbor VTEP bfd
+ neighbor 192.168.0.2 peer-group VTEP
+ neighbor 192.168.0.3 peer-group VTEP
+ !
+ address-family l2vpn evpn
+  neighbor VTEP activate
+  advertise-all-vni
+ exit-address-family
+!
+router bgp 65000 vrf vrf_myzone
+!
+line vty
+!
\ No newline at end of file
diff --git a/test/zones/evpn/ipv6/expected_sdn_interfaces b/test/zones/evpn/ipv6/expected_sdn_interfaces
new file mode 100644
index 0000000..b2bdbfe
--- /dev/null
+++ b/test/zones/evpn/ipv6/expected_sdn_interfaces
@@ -0,0 +1,42 @@
+#version:1
+
+auto myvnet
+iface myvnet
+	address 2a08:2142:302:3::1/64
+	hwaddress A2:1D:CB:1A:C0:8B
+	bridge_ports vxlan_myvnet
+	bridge_stp off
+	bridge_fd 0
+	mtu 1450
+	ip6-forward on
+	arp-accept on
+	vrf vrf_myzone
+
+auto vrf_myzone
+iface vrf_myzone
+	vrf-table auto
+	post-up ip route add vrf vrf_myzone unreachable default metric 4278198272
+
+auto vrfbr_myzone
+iface vrfbr_myzone
+	bridge-ports vrfvx_myzone
+	bridge_stp off
+	bridge_fd 0
+	mtu 1450
+	vrf vrf_myzone
+
+auto vrfvx_myzone
+iface vrfvx_myzone
+	vxlan-id 1000
+	vxlan-local-tunnelip 192.168.0.1
+	bridge-learning off
+	bridge-arp-nd-suppress on
+	mtu 1450
+
+auto vxlan_myvnet
+iface vxlan_myvnet
+	vxlan-id 100
+	vxlan-local-tunnelip 192.168.0.1
+	bridge-learning off
+	bridge-arp-nd-suppress on
+	mtu 1450
diff --git a/test/zones/evpn/ipv6/interfaces b/test/zones/evpn/ipv6/interfaces
new file mode 100644
index 0000000..66bb826
--- /dev/null
+++ b/test/zones/evpn/ipv6/interfaces
@@ -0,0 +1,7 @@
+auto vmbr0
+iface vmbr0 inet static
+	address 192.168.0.1/24
+	gateway 192.168.0.254
+	bridge-ports eth0
+	bridge-stp off
+	bridge-fd 0
diff --git a/test/zones/evpn/ipv6/sdn_config b/test/zones/evpn/ipv6/sdn_config
new file mode 100644
index 0000000..949e886
--- /dev/null
+++ b/test/zones/evpn/ipv6/sdn_config
@@ -0,0 +1,27 @@
+{
+    version => 1,
+    vnets => {
+        ids => {
+            myvnet => { tag => "100", type => "vnet", zone => "myzone" },
+        },
+    },
+
+    zones => {
+        ids => { myzone => { ipam => "pve", type => "evpn", controller => "evpnctl", 'vrf-vxlan' => 1000, 'mac' => 'A2:1D:CB:1A:C0:8B' } },
+    },
+    controllers => {
+        ids => { evpnctl => { type => "evpn", 'peers' => '192.168.0.1,192.168.0.2,192.168.0.3', asn => "65000" } },
+    },
+
+    subnets => {
+        ids => {
+            'myzone-2a08:2142:302:3::-64' => {
+                'type' => 'subnet',
+                'vnet' => 'myvnet',
+                'gateway' => '2a08:2142:302:3::1',
+            }
+        }
+    }
+}
+
+
-- 2.20.1