From: Alexandre Derumier
To: pve-devel@lists.proxmox.com
Date: Fri, 5 Nov 2021 09:06:44 +0100
Message-Id: <20211105080645.3145996-5-aderumier@odiso.com>
In-Reply-To: <20211105080645.3145996-1-aderumier@odiso.com>
Subject: [pve-devel] [PATCH pve-network 4/5] zones: evpn: add disable-arp-nd-suppression option

arp-nd-suppression can break ip mobility, when an ip from a vm is moved to another vm, with different mac. For example, with a keepalived vip, the garp is filtered.

--- PVE/Network/SDN/Zones/EvpnPlugin.pm | 10 ++++- .../expected_controller_config | 31 ++++++++++++++ .../expected_sdn_interfaces | 40 +++++++++++++++++++ .../disable_arp_nd_suppression/interfaces | 7 ++++ .../disable_arp_nd_suppression/sdn_config | 26 ++++++++++++ 5 files changed, 112 insertions(+), 2 deletions(-) create mode 100644 test/zones/evpn/disable_arp_nd_suppression/expected_controller_config create mode 100644 test/zones/evpn/disable_arp_nd_suppression/expected_sdn_interfaces create mode 100644 test/zones/evpn/disable_arp_nd_suppression/interfaces create mode 100644 test/zones/evpn/disable_arp_nd_suppression/sdn_config diff --git a/PVE/Network/SDN/Zones/EvpnPlugin.pm b/PVE/Network/SDN/Zones/EvpnPlugin.pm index 648f7c7..50ea619 100644 --- a/PVE/Network/SDN/Zones/EvpnPlugin.pm +++ b/PVE/Network/SDN/Zones/EvpnPlugin.pm
@@ -44,6 +44,11 @@ sub properties { type => 'boolean', description => "Advertise evpn subnets if you have silent hosts", optional => 1 + }, + 'disable-arp-nd-suppression' => { + type => 'boolean', + description => "Disable ipv4 arp && ipv6 neighbour discovery suppression", + optional => 1 } }; } @@ -56,6 +61,7 @@ sub options { exitnodes => { optional => 1 }, 'exitnodes-local-routing' => { optional => 1 }, 'advertise-subnets' => { optional => 1 }, + 'disable-arp-nd-suppression' => { optional => 1 }, mtu => { optional => 1 }, mac => { optional => 1 }, dns => { optional => 1 }, @@ -99,7 +105,7 @@ sub generate_sdn_config { push @iface_config, "vxlan-id $tag"; push @iface_config, "vxlan-local-tunnelip $ifaceip" if $ifaceip; push @iface_config, "bridge-learning off"; - push @iface_config, "bridge-arp-nd-suppress on"; + push @iface_config, "bridge-arp-nd-suppress on" if !$plugin_config->{'disable-arp-nd-suppression'}; push @iface_config, "mtu $mtu" if $mtu; push(@{$config->{$vxlan_iface}}, @iface_config) if !$config->{$vxlan_iface}; @@ -186,7 +192,7 @@ sub generate_sdn_config { push @iface_config, "vxlan-id $vrfvxlan"; push @iface_config, "vxlan-local-tunnelip $ifaceip" if $ifaceip; push @iface_config, "bridge-learning off"; - push @iface_config, "bridge-arp-nd-suppress on"; + push @iface_config, "bridge-arp-nd-suppress on" if !$plugin_config->{'disable-arp-nd-suppression'}; push @iface_config, "mtu $mtu" if $mtu; push(@{$config->{$iface_vrf_vxlan}}, @iface_config) if !$config->{$iface_vrf_vxlan}; diff --git a/test/zones/evpn/disable_arp_nd_suppression/expected_controller_config b/test/zones/evpn/disable_arp_nd_suppression/expected_controller_config new file mode 100644 index 0000000..c0ca898 --- /dev/null +++ b/test/zones/evpn/disable_arp_nd_suppression/expected_controller_config 
@@ -0,0 +1,31 @@ +log syslog informational +ip forwarding +ipv6 forwarding +frr defaults datacenter +service integrated-vtysh-config +hostname localhost +! +! +vrf vrf_myzone + vni 1000 +exit-vrf +! +router bgp 65000 + bgp router-id 192.168.0.1 + no bgp default ipv4-unicast + coalesce-time 1000 + neighbor VTEP peer-group + neighbor VTEP remote-as 65000 + neighbor VTEP bfd + neighbor 192.168.0.2 peer-group VTEP + neighbor 192.168.0.3 peer-group VTEP + ! + address-family l2vpn evpn + neighbor VTEP activate + advertise-all-vni + exit-address-family +! +router bgp 65000 vrf vrf_myzone +! +line vty +! \ No newline at end of file diff --git a/test/zones/evpn/disable_arp_nd_suppression/expected_sdn_interfaces b/test/zones/evpn/disable_arp_nd_suppression/expected_sdn_interfaces new file mode 100644 index 0000000..bbde906 --- /dev/null +++ b/test/zones/evpn/disable_arp_nd_suppression/expected_sdn_interfaces @@ -0,0 +1,40 @@ +#version:1 + +auto myvnet +iface myvnet + address 10.0.0.1/24 + hwaddress A2:1D:CB:1A:C0:8B + bridge_ports vxlan_myvnet + bridge_stp off + bridge_fd 0 + mtu 1450 + ip-forward on + arp-accept on + vrf vrf_myzone + +auto vrf_myzone +iface vrf_myzone + vrf-table auto + post-up ip route add vrf vrf_myzone unreachable default metric 4278198272 + +auto vrfbr_myzone +iface vrfbr_myzone + bridge-ports vrfvx_myzone + bridge_stp off + bridge_fd 0 + mtu 1450 + vrf vrf_myzone + +auto vrfvx_myzone +iface vrfvx_myzone + vxlan-id 1000 + vxlan-local-tunnelip 192.168.0.1 + bridge-learning off + mtu 1450 + +auto vxlan_myvnet +iface vxlan_myvnet + vxlan-id 100 + vxlan-local-tunnelip 192.168.0.1 + bridge-learning off + mtu 1450 diff --git a/test/zones/evpn/disable_arp_nd_suppression/interfaces b/test/zones/evpn/disable_arp_nd_suppression/interfaces new file mode 100644 index 0000000..66bb826 --- /dev/null +++ b/test/zones/evpn/disable_arp_nd_suppression/interfaces 
@@ -0,0 +1,7 @@ +auto vmbr0 +iface vmbr0 inet static + address 192.168.0.1/24 + gateway 192.168.0.254 + bridge-ports eth0 + bridge-stp off + bridge-fd 0 diff --git a/test/zones/evpn/disable_arp_nd_suppression/sdn_config b/test/zones/evpn/disable_arp_nd_suppression/sdn_config new file mode 100644 index 0000000..199596b --- /dev/null +++ b/test/zones/evpn/disable_arp_nd_suppression/sdn_config @@ -0,0 +1,26 @@ +{ + version => 1, + vnets => { + ids => { + myvnet => { tag => "100", type => "vnet", zone => "myzone" }, + }, + }, + + zones => { + ids => { myzone => { ipam => "pve", type => "evpn", controller => "evpnctl", 'vrf-vxlan' => 1000, 'mac' => 'A2:1D:CB:1A:C0:8B', 'disable-arp-nd-suppression' => 1 } }, + }, + controllers => { + ids => { evpnctl => { type => "evpn", 'peers' => '192.168.0.1,192.168.0.2,192.168.0.3', asn => "65000" } }, + }, + + subnets => { + ids => { 'myzone-10.0.0.0-24' => { + 'type' => 'subnet', + 'vnet' => 'myvnet', + 'gateway' => '10.0.0.1', + } + } + } +} + + -- 2.30.2
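Review bot: the user-facing description added in the `sub properties` hunk, `"Disable ipv4 arp && ipv6 neighbour discovery suppression"`, uses the Perl operator `&&` where plain English is expected, and says nothing about when the option is needed or what it costs. Suggest `"Disable IPv4 ARP and IPv6 neighbour discovery suppression (needed when an IP moves between VMs with different MACs, e.g. a keepalived VIP)"`, so the administrator setting it knows the trade-off: with suppression off, ARP/ND requests are no longer answered locally from the EVPN MAC/IP routes and are flooded to every VTEP in the zone instead.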
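Review bot: the two `generate_sdn_config` hunks add the identical guard `if !$plugin_config->{'disable-arp-nd-suppression'}` to both the vnet VXLAN interface and the VRF VXLAN interface; reading the option once into a local (for instance `my $arp_nd_suppress = !$plugin_config->{'disable-arp-nd-suppression'};`) would keep the two call sites from drifting if a third VXLAN interface is ever added. The option is declared as a boolean, so an unset or `0` value keeps emitting `bridge-arp-nd-suppress on`, which is the right fail-safe default.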
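Review bot: the new `test/zones/evpn/disable_arp_nd_suppression` directory exercises only the option-set case. `expected_sdn_interfaces` correctly shows no `bridge-arp-nd-suppress` line under either `vrfvx_myzone` or `vxlan_myvnet`, but `expected_controller_config` carries no ARP/ND-related statement at all, so the FRR side of this test does not depend on the option; a short comment in `sdn_config` saying the option only affects the ifupdown2 output would make that intent clear, and a matching assertion that the line is still emitted when the option is unset belongs somewhere in the suite if it is not already covered.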