From: Andrew via pve-devel
To: "DERUMIER, Alexandre"
Cc: Andrew, "pve-devel@lists.proxmox.com"
Date: Wed, 09 Oct 2024 16:55:50 +0000
Subject: Re: [pve-devel] [PATCH ifupdown2 1/1] Correctly handle IPv6 addresses in vxlan
Message-ID: <17214981-4406-4100-AFF6-9F70E12E421B@apalrd.net>
In-Reply-To: <9045eca45de7aa50fd817fb9221cfa04c524ff19.camel@groupe-cyllene.com>
References: <20241008040109.322473-1-andrew@apalrd.net> <20241008040109.322473-2-andrew@apalrd.net> <9045eca45de7aa50fd817fb9221cfa04c524ff19.camel@groupe-cyllene.com>
List-Id: Proxmox VE development discussion

Yes, I read all of the PRs and discussion on ifupdown2 GitHub before implementing this.
Ultimately I disagreed with the solution to use a separate parameter for IPv6, for the following reasons:

- We can only have one local tunnel IP, so having two parameters means we need to check if the other one has been set (since setting both would be invalid)
- There are already other cases in ifupdown2 which do ip.version == 6 including common parameters like address and gateway, and most parameters do take both IPv4 and IPv6 addresses (such as the remoteip field in vxlan), so having one parameter for both families would be consistent with other parameters in the interfaces file which take both families (regardless of the kernel implementation having two fields instead of one in this case)
- ifupdown-ng already solved this problem using a single parameter instead of two, so doing something else would diverge ifupdown2 vs ifupdown-ng syntax which should be the same

I could add additional error checking to ensure that remoteip[] and localip are the same address family if you’d like. Currently that results in a Netlink exception which gets passed back as an error message. The kernel only allows one address family for a vxlan interface.

Thanks,
Andrew

> On Oct 9, 2024, at 11:37, DERUMIER, Alexandre wrote:
>
> Try to look at ifupdown2 github, there are 2 old pull requests about
> this (never merged/ never completed)
>
> https://github.com/CumulusNetworks/ifupdown2/pull/172
>
> "
> For this we would need a new attribute vxlan-local-tunnelip6, we don't
> want to reuse the same attribute for ipv6.
> We are using netlink to configure vxlans, so it's important to use a
> different attribute to set the proper netlink attribute (I don't want
> to have things like if IPAddress(value).version == 6: set
> Link.IFLA_VXLAN_LOCAL
> "
>
> https://github.com/CumulusNetworks/ifupdown2/pull/182
>
> so, at minimum, this needs to use a different "vxlan-local-tunnelip6"
> attribute for ipv6
>
> -------- Original message --------
> From: apalrd
> To: pve-devel@lists.proxmox.com
> Cc: apalrd
> Subject: [PATCH ifupdown2 1/1] Correctly handle IPv6 addresses in vxlan
> Date: 08/10/2024 06:01:09
>
> --- > ifupdown2/addons/vxlan.py | 26 ++++++++++++++++---------- > 1 file changed, 16 insertions(+), 10 deletions(-) >=20 > diff --git a/ifupdown2/addons/vxlan.py b/ifupdown2/addons/vxlan.py > index 084aec9..4aa8e50 100644 > --- a/ifupdown2/addons/vxlan.py > +++ b/ifupdown2/addons/vxlan.py > @@ -51,7 +51,7 @@ class vxlan(Vxlan, moduleBase): > }, > "vxlan-local-tunnelip": { > "help": "vxlan local tunnel ip", > - "validvals": [""], > + "validvals": [","], > "example": ["vxlan-local-tunnelip 172.16.20.103"] > }, > "vxlan-svcnodeip": { > @@ -66,7 +66,7 @@ class vxlan(Vxlan, moduleBase): > }, > "vxlan-remoteip": { > "help": "vxlan remote ip", > - "validvals": [""], > + "validvals": [","], > "example": ["vxlan-remoteip 172.16.22.127"], > "multiline": True > }, > @@ -521,7 +521,7 @@ class vxlan(Vxlan, moduleBase): > local =3D self._vxlan_local_tunnelip > =20 > if link_exists: > - cached_ifla_vxlan_local =3D > cached_vxlan_ifla_info_data.get(Link.IFLA_VXLAN_LOCAL) > + cached_ifla_vxlan_local =3D > cached_vxlan_ifla_info_data.get(Link.IFLA_VXLAN_LOCAL) or > cached_vxlan_ifla_info_data.get(Link.IFLA_VXLAN_LOCAL6) > =20 > # on ifreload do not overwrite anycast_ip to individual ip > # if clagd has modified 
> @@ -547,7 +547,7 @@ class vxlan(Vxlan, moduleBase): > =20 > if local: > try: > - local =3D ipnetwork.IPv4Address(local) > + local =3D ipnetwork.IPAddress(local) > =20 > if local.initialized_with_prefixlen: > self.logger.warning("%s: vxlan-local-tunnelip %s: > netmask ignored" % (ifname, local)) > @@ -559,13 +559,19 @@ class vxlan(Vxlan, moduleBase): > if local: > if local !=3D cached_ifla_vxlan_local: > self.logger.info("%s: set vxlan-local-tunnelip %s" % > (ifname, local)) > - user_request_vxlan_info_data[Link.IFLA_VXLAN_LOCAL] =3D > local > + if local.version =3D=3D 6: > + =20 > user_request_vxlan_info_data[Link.IFLA_VXLAN_LOCAL6] =3D local > + else: > + =20 > user_request_vxlan_info_data[Link.IFLA_VXLAN_LOCAL] =3D local > =20 > # if both local-ip and anycast-ip are identical the > function prints a warning > self.syntax_check_localip_anycastip_equal(ifname, > local, self._clagd_vxlan_anycast_ip) > elif cached_ifla_vxlan_local: > self.logger.info("%s: removing vxlan-local-tunnelip (cache > %s)" % (ifname, cached_ifla_vxlan_local)) > - user_request_vxlan_info_data[Link.IFLA_VXLAN_LOCAL] =3D None > + if cached_ifla_vxlan_local.version =3D=3D 6: > + user_request_vxlan_info_data[Link.IFLA_VXLAN_LOCAL6] =3D > None > + else: > + user_request_vxlan_info_data[Link.IFLA_VXLAN_LOCAL] =3D > None > =20 > return local > =20 > @@ -1236,7 +1242,7 @@ class vxlan(Vxlan, moduleBase): > if remoteips: > try: > for remoteip in remoteips: > - ipnetwork.IPv4Address(remoteip) > + ipnetwork.IPAddress(remoteip) > except Exception as e: > self.log_error('%s: vxlan-remoteip: %s' % > (ifaceobj.name, str(e))) > =20 
> @@ -1244,7 +1250,7 @@ class vxlan(Vxlan, moduleBase): > # purge any removed remote ip > old_remoteips =3D self.get_old_remote_ips(ifaceobj.name) > =20 > - if vxlan_purge_remotes or remoteips or (remoteips !=3D > old_remoteips): > + if vxlan_purge_remotes or (isinstance(remoteips,list) and > remoteips !=3D old_remoteips): > # figure out the diff for remotes and do the bridge fdb > updates > # only if provisioned by user and not by an vxlan external > # controller. > @@ -1281,8 +1287,8 @@ class vxlan(Vxlan, moduleBase): > "00:00:00:00:00:00", > None, True, addr > ) > - except Exception: > - pass > + except Exception as e: > + self.log_error('%s: vxlan-remoteip: %s' % > (ifaceobj.name, str(e))) > =20 > self.vxlan_remote_ip_map(ifaceobj, vxlan_mcast_grp_map) > =20 >=20
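
Review bot: in the two validvals hunks (@@ -51,7 and @@ -66,7), the "example" entries still show only IPv4 addresses (172.16.20.103 and 172.16.22.127) and the "help" strings are unchanged, so nothing in the attribute documentation tells a user that IPv6 is now accepted. Suggest adding an IPv6 example to each list and naming both families in the help text.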
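
Review bot: in the @@ -559,13 hunk, the "if local != cached_ifla_vxlan_local" branch writes only the attribute for the new address's family, so when the cached address is IPv6 and the configured one is IPv4 (or the reverse) the other family's attribute is left untouched. Since a vxlan interface carries a single address family, as stated in the thread, this case should either be rejected with a clear message or clear the other attribute explicitly. The removal branch also relies on cached_ifla_vxlan_local having a .version attribute; worth confirming that the cache returns an address object for both IFLA_VXLAN_LOCAL and IFLA_VXLAN_LOCAL6.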
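
Review bot: in the @@ -1236,7 hunk, the loop only checks that each remoteip parses and never compares its family with vxlan-local-tunnelip, so a mixed IPv4/IPv6 configuration is caught only later as a Netlink exception, as described in the reply above. Suggest comparing the .version of each parsed remoteip with that of the local address at this point and reporting a mismatch through log_error with both addresses named.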
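
Review bot: in the @@ -1244,7 hunk, the rewritten condition drops the bare "remoteips" test and adds isinstance(remoteips,list), which changes when the fdb diff runs for IPv4 configurations as well: a non-empty remoteips equal to old_remoteips no longer enters the block, and a remoteips that is not a list no longer enters it unless vxlan_purge_remotes is set. This is independent of IPv6 handling and is not explained anywhere in the patch; please split it into its own patch or describe the intent, and add the space after the comma in isinstance(remoteips, list).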
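
Review bot: in the @@ -1281,8 hunk, the new log_error call reuses the '%s: vxlan-remoteip: %s' format of the validation error in the @@ -1236,7 hunk, so a failed fdb operation cannot be told apart in the log from an unparsable address. Suggest including addr in the message and wording it after the operation that failed. Errors previously swallowed by "except Exception: pass" now surface, which deserves a line in the commit message.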
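
The address-family check offered in the reply above (remoteip[] and localip must share one family, with the netlink attribute chosen from the local address), as an added example that is not part of the thread or of ifupdown2. It uses Python's standard ipaddress module rather than ifupdown2's ipnetwork wrapper; the function name and the returned attribute strings are illustrative assumptions.

```python
import ipaddress

# Attribute names as they appear in the patch, returned here as plain strings
# (assumption: real code would use the Link.IFLA_VXLAN_LOCAL* constants).
ATTR_BY_FAMILY = {4: "IFLA_VXLAN_LOCAL", 6: "IFLA_VXLAN_LOCAL6"}


def _parse(value):
    """Parse an address; an optional /prefixlen is accepted and dropped."""
    return ipaddress.ip_interface(value.strip()).ip


def check_vxlan_endpoints(ifname, local, remotes):
    """Hypothetical helper: validate local tunnel ip and remote ips together.

    Returns (attribute_name, local_address, remote_addresses) and raises
    ValueError with a config-level message when an address does not parse
    or a remote address is not in the local address family.
    """
    try:
        local_ip = _parse(local)
    except ValueError as e:
        raise ValueError("%s: vxlan-local-tunnelip: %s" % (ifname, e))

    remote_ips = []
    for remote in remotes or []:
        try:
            remote_ip = _parse(remote)
        except ValueError as e:
            raise ValueError("%s: vxlan-remoteip: %s" % (ifname, e))
        if remote_ip.version != local_ip.version:
            # Report the mismatch before anything is sent over netlink.
            raise ValueError(
                "%s: vxlan-remoteip %s is IPv%d but vxlan-local-tunnelip %s is IPv%d"
                % (ifname, remote_ip, remote_ip.version, local_ip, local_ip.version)
            )
        remote_ips.append(remote_ip)

    return ATTR_BY_FAMILY[local_ip.version], local_ip, remote_ips
```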