b9436cda DM |
1 | package PVE::Network; |
2 | ||
3 | use strict; | |
c36f332e | 4 | use warnings; |
f27d5e6b | 5 | |
b9436cda | 6 | use PVE::INotify; |
f27d5e6b TL |
7 | use PVE::ProcFSTools; |
8 | use PVE::Tools qw(run_command lock_file); | |
9 | ||
b9436cda | 10 | use File::Basename; |
b6bff92e | 11 | use IO::Socket::IP; |
d7cafe51 | 12 | use JSON; |
bf52d27b | 13 | use Net::IP; |
8286ef53 | 14 | use NetAddr::IP qw(:lower); |
f27d5e6b TL |
15 | use POSIX qw(ECONNREFUSED); |
16 | use Socket qw(NI_NUMERICHOST NI_NUMERICSERV); | |
bf52d27b | 17 | |
b9436cda DM |
18 | # host network related utility functions |
19 | ||
# Unanchored pattern for interface names treated as physical NICs: legacy ethN, en* names and
# ib* names; for the latter two the remainder must not contain ':' or '.' (alias / vlan suffix).
our $PHYSICAL_NIC_RE = qr/(?:eth\d+|en[^:.]+|ib[^:.]+)/;

# Netmask for an IPv4 prefix length: element N is the dotted quad for /N, N = 0 .. 32.
our $ipv4_reverse_mask = [
    '0.0.0.0',
    '128.0.0.0',
    '192.0.0.0',
    '224.0.0.0',
    '240.0.0.0',
    '248.0.0.0',
    '252.0.0.0',
    '254.0.0.0',
    '255.0.0.0',
    '255.128.0.0',
    '255.192.0.0',
    '255.224.0.0',
    '255.240.0.0',
    '255.248.0.0',
    '255.252.0.0',
    '255.254.0.0',
    '255.255.0.0',
    '255.255.128.0',
    '255.255.192.0',
    '255.255.224.0',
    '255.255.240.0',
    '255.255.248.0',
    '255.255.252.0',
    '255.255.254.0',
    '255.255.255.0',
    '255.255.255.128',
    '255.255.255.192',
    '255.255.255.224',
    '255.255.255.240',
    '255.255.255.248',
    '255.255.255.252',
    '255.255.255.254',
    '255.255.255.255',
];

# Reverse lookup, netmask => prefix length, derived from the table above for /8 .. /32 only.
our $ipv4_mask_hash_localnet = {
    map { $ipv4_reverse_mask->[$_] => $_ } 8 .. 32
};
85 | ||
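# Replace any existing tc rate limit on $iface with a new one.
# $rate is passed to tc with the 'bps' unit and $burst with the 'b' unit (see the commands below);
# a false $rate only removes the existing limit. All commands are given to run_command in list
# form, so $iface and the numbers are exec arguments and never go through a shell.
sub setup_tc_rate_limit {
    my ($iface, $rate, $burst) = @_;

    # these are allowed / expected to fail, e.g. when there is no previous rate limit to remove;
    # output and errors are discarded (previously done via a shell '>/dev/null 2>&1' redirect)
    my @cleanup_cmds = (
        ['/sbin/tc', 'class', 'del', 'dev', $iface, 'parent', '1:', 'classid', '1:1'],
        ['/sbin/tc', 'filter', 'del', 'dev', $iface, 'parent', 'ffff:', 'protocol', 'all', 'pref', '50', 'u32'],
        ['/sbin/tc', 'qdisc', 'del', 'dev', $iface, 'ingress'],
        ['/sbin/tc', 'qdisc', 'del', 'dev', $iface, 'root'],
    );
    for my $cmd (@cleanup_cmds) {
        eval { run_command($cmd, outfunc => sub {}, errfunc => sub {}) };
    }

    return if !$rate;

    # tbf does not work for unknown reason
    #$TC qdisc add dev $DEV root tbf rate $RATE latency 100ms burst $BURST
    # so we use htb instead
    run_command(['/sbin/tc', 'qdisc', 'add', 'dev', $iface, 'root', 'handle', '1:', 'htb', 'default', '1']);
    run_command([
        '/sbin/tc', 'class', 'add', 'dev', $iface, 'parent', '1:', 'classid', '1:1',
        'htb', 'rate', "${rate}bps", 'burst', "${burst}b",
    ]);

    # ingress policing: drop what exceeds the rate
    run_command(['/sbin/tc', 'qdisc', 'add', 'dev', $iface, 'handle', 'ffff:', 'ingress']);
    run_command([
        '/sbin/tc', 'filter', 'add', 'dev', $iface, 'parent', 'ffff:', 'prio', '50', 'basic',
        'police', 'rate', "${rate}bps", 'burst', "${burst}b", 'mtu', '64kb', 'drop',
    ]);

    return;
}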
110 | ||
ec9ada18 AD |
# Apply a rate limit to a tap/veth device; $rate is multiplied by 1024*1024 before being handed
# to setup_tc_rate_limit (presumably MB/s in, bytes/s out), a false $rate removes the limit.
sub tap_rate_limit {
    my ($iface, $rate) = @_;

    my $rate_bytes = $rate ? int($rate * 1024 * 1024) : $rate;
    my $burst_bytes = 1024 * 1024;

    setup_tc_rate_limit($iface, $rate_bytes, $burst_bytes);

    return;
}
74d1b045 | 121 | |
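# Read the MTU of $bridge from sysfs and return it as an integer.
# Dies when the device does not exist or the value is not a plain decimal number.
sub read_bridge_mtu {
    my ($bridge) = @_;

    my $mtu = PVE::Tools::file_read_firstline("/sys/class/net/$bridge/mtu");
    die "bridge '$bridge' does not exist\n" if !$mtu;

    # only accept a plain decimal value; this also untaints it (avoids an insecure dependency
    # under taint mode when the value is used in a command later)
    if ($mtu =~ /^(\d+)$/) {
        $mtu = int($1);
    } else {
        die "unexpected error: unable to parse mtu value '$mtu' as integer\n";
    }

    return $mtu;
}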
605bb891 | 136 | |
# Split a tap<vmid>i<devid> or veth<vmid>i<devid> interface name into ($vmid, $devid).
# Any other name dies, or returns nothing when $noerr is set.
my $parse_tap_device_name = sub {
    my ($iface, $noerr) = @_;

    if ($iface =~ m/^(?:tap|veth)(\d+)i(\d+)$/) {
        return ($1, $2);
    }

    return if $noerr;
    die "can't create firewall bridge for random interface name '$iface'\n";
};
155 | ||
# Derive the names of the per-VM firewall devices for ($vmid, $devid), returned in the order
# (firewall bridge, firewall-side veth, bridge-side veth peer, OVS internal port).
my $compute_fwbr_names = sub {
    my ($vmid, $devid) = @_;

    my $id_suffix = "${vmid}i${devid}";
    # Note: the firewall use 'fwln+' to filter traffic to VMs
    my %name_of = (
        fwbr => "fwbr$id_suffix",
        vethfw => "fwln$id_suffix",
        vethfwpeer => "fwpr${vmid}p${devid}",
        ovsintport => "fwln${vmid}o${devid}",
    );

    return @name_of{qw(fwbr vethfw vethfwpeer ovsintport)};
};
167 | ||
# Delete the network device $iface; dies when `ip link delete` exits non-zero.
sub iface_delete :prototype($) {
    my ($iface) = @_;
    my $rc = run_command(['/sbin/ip', 'link', 'delete', 'dev', $iface], noerr => 1);
    die "failed to delete interface '$iface'\n" if $rc != 0;
    return;
}
174 | ||
# Create network device $iface of the given `ip link` $type, passing @args through to ip;
# dies when the command exits non-zero.
sub iface_create :prototype($$@) {
    my ($iface, $type, @args) = @_;
    my $rc = run_command(['/sbin/ip', 'link', 'add', $iface, 'type', $type, @args], noerr => 1);
    die "failed to create interface '$iface'\n" if $rc != 0;
    return;
}
181 | ||
# Run `ip link set $iface @opts`; dies (naming the options) when it exits non-zero.
sub iface_set :prototype($@) {
    my ($iface, @opts) = @_;
    my $rc = run_command(['/sbin/ip', 'link', 'set', $iface, @opts], noerr => 1);
    if ($rc != 0) {
        my $opts_str = join(' ', @opts);
        die "failed to set interface options for '$iface' ($opts_str)\n";
    }
    return;
}
188 | ||
# helper for nicer error messages: enslave $iface to $master, or release it when $master is undef
sub iface_set_master :prototype($$) {
    my ($iface, $master) = @_;

    my $enslave = defined($master);
    my @link_opts = $enslave ? ('master', $master) : ('nomaster');
    my $errmsg = $enslave ? "can't enslave '$iface' to '$master'\n" : "can't unenslave '$iface'\n";

    eval { iface_set($iface, @link_opts) };
    die $errmsg if $@;
    return;
}
201 | ||
605bb891 DM |
# Create linux bridge $bridge (with IPv6 disabled on it) unless the device already exists.
my $cond_create_bridge = sub {
    my ($bridge) = @_;

    return if -d "/sys/class/net/$bridge";

    iface_create($bridge, 'bridge');
    disable_ipv6($bridge);
};
210 | ||
f3ccd9b4 WB |
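# Disable IPv6 on $iface by writing 1 to its disable_ipv6 sysctl.
# A missing sysctl file is not an error (ipv6 may be disabled for the whole host); any other
# failure to open, write or flush the value dies.
sub disable_ipv6 {
    my ($iface) = @_;
    my $file = "/proc/sys/net/ipv6/conf/$iface/disable_ipv6";
    return if !-e $file; # ipv6 might be completely disabled
    open(my $fh, '>', $file) or die "failed to open $file for writing: $!\n";
    print {$fh} "1\n" or die "failed to disable link-local ipv6 for $iface\n";
    # the handle is buffered, so a value the kernel rejects only shows up as a close() error
    close($fh) or die "failed to disable link-local ipv6 for $iface: $!\n";
    return;
}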
220 | ||
354ec8de AD |
# Turn off unknown-unicast flooding and MAC learning on the bridge port $iface.
my $bridge_disable_interface_learning = sub {
    my ($iface) = @_;

    for my $knob (qw(unicast_flood learning)) {
        PVE::ProcFSTools::write_proc_entry("/sys/class/net/$iface/brport/$knob", "0");
    }
};
228 | ||
# Enslave $iface to linux bridge $bridge, copying the bridge MTU onto it. On a vlan-aware bridge
# the port's vlan membership is set up from $tag (pvid, defaults to 1) and $trunks (';' separated
# vid list); without trunks and tag the port gets all vids 2-4094 plus pvid 1.
my $bridge_add_interface = sub {
    my ($bridge, $iface, $tag, $trunks) = @_;

    my $bridgemtu = read_bridge_mtu($bridge);
    eval { run_command(['/sbin/ip', 'link', 'set', $iface, 'mtu', $bridgemtu]) };

    # drop link local address (it can't be used when on a bridge anyway)
    disable_ipv6($iface);
    iface_set_master($iface, $bridge);

    my $vlan_aware = PVE::Tools::file_read_firstline("/sys/class/net/$bridge/bridge/vlan_filtering");
    return if !$vlan_aware;

    # run `bridge vlan $op dev $iface @args`, dying with "$errmsg - <error>" on failure
    my $bridge_vlan = sub {
        my ($op, $errmsg, @args) = @_;
        eval { run_command(['/sbin/bridge', 'vlan', $op, 'dev', $iface, @args]) };
        die "$errmsg - $@\n" if $@;
    };

    $bridge_vlan->('del', "failed to remove default vlan tags of $iface", 'vid', '1-4094');

    if ($trunks) {
        for my $trunk (split /;/, $trunks) {
            $bridge_vlan->('add', "unable to add vlan $trunk to interface $iface", 'vid', $trunk);
        }
    } elsif (!$tag) {
        $bridge_vlan->('add', "unable to add default vlan tags to interface $iface", 'vid', '2-4094');
    }

    $tag ||= 1;
    $bridge_vlan->('add', "unable to add vlan $tag to interface $iface", 'vid', $tag, 'pvid', 'untagged');
};
262 | ||
# Add $iface as a port of OVS bridge $bridge in a single ovs-vsctl transaction: port with
# vlan settings ($tag, $trunks as ';' separated list), MTU request matching the bridge and,
# when $internal is set, the internal port type. IPv6 is disabled on the port afterwards.
my $ovs_bridge_add_port = sub {
    my ($bridge, $iface, $tag, $internal, $trunks) = @_;

    # ovs-vsctl wants a comma separated trunk list
    my $trunk_list = $trunks ? ($trunks =~ s/;/,/gr) : $trunks;

    my $bridgemtu = read_bridge_mtu($bridge);

    my @cmd = ('/usr/bin/ovs-vsctl');
    # first command: the port itself
    push @cmd, '--', 'add-port', $bridge, $iface;
    push @cmd, "tag=$tag" if $tag;
    push @cmd, "trunks=$trunk_list" if $trunk_list;
    push @cmd, 'vlan_mode=native-untagged' if $tag && $trunk_list;
    # second command: MTU
    push @cmd, '--', 'set', 'Interface', $iface, "mtu_request=$bridgemtu";
    # third command (optional): internal port type
    push @cmd, '--', 'set', 'Interface', $iface, 'type=internal' if $internal;

    eval { run_command(\@cmd) };
    die "can't add ovs port '$iface' - $@\n" if $@;

    disable_ipv6($iface);
};
288 | ||
# Bring $iface up, setting its MTU to $mtu when one is given; dies on failure.
my $activate_interface = sub {
    my ($iface, $mtu) = @_;

    my @cmd = ('/sbin/ip', 'link', 'set', $iface, 'up');
    push @cmd, 'mtu', $mtu if $mtu;

    eval { run_command(\@cmd) };
    die "can't activate interface '$iface' - $@\n" if $@;
};
298 | ||
354ec8de AD |
# Add a static fdb entry for $mac on bridge port $iface (and on its firewall veth peer, if that
# exists). Only done when MAC learning is off on the port and $iface is a tap/veth name.
sub add_bridge_fdb {
    my ($iface, $mac) = @_;

    my $learning = PVE::Tools::file_read_firstline("/sys/class/net/$iface/brport/learning");
    return if !defined($learning) || $learning == 1;

    my ($vmid, $devid) = $parse_tap_device_name->($iface, 1);
    return if !defined($vmid);

    my $fdb_append = sub {
        my ($dev) = @_;
        run_command(['/sbin/bridge', 'fdb', 'append', $mac, 'dev', $dev, 'master', 'static']);
    };

    $fdb_append->($iface);

    my (undef, undef, $vethfwpeer) = $compute_fwbr_names->($vmid, $devid);
    $fdb_append->($vethfwpeer) if -d "/sys/class/net/$vethfwpeer";

    return;
}
318 | ||
# Remove the static fdb entry for $mac from bridge port $iface (and from its firewall veth
# peer, if that exists). Skipped when MAC learning is on or $iface is not a tap/veth name.
sub del_bridge_fdb {
    my ($iface, $mac) = @_;

    my $learning = PVE::Tools::file_read_firstline("/sys/class/net/$iface/brport/learning");
    return if !defined($learning) || $learning == 1;

    my ($vmid, $devid) = $parse_tap_device_name->($iface, 1);
    return if !defined($vmid);

    my $fdb_del = sub {
        my ($dev) = @_;
        run_command(['/sbin/bridge', 'fdb', 'del', $mac, 'dev', $dev, 'master', 'static']);
    };

    $fdb_del->($iface);

    my (undef, undef, $vethfwpeer) = $compute_fwbr_names->($vmid, $devid);
    $fdb_del->($vethfwpeer) if -d "/sys/class/net/$vethfwpeer";

    return;
}
338 | ||
3aa99c70 AD |
# Bring tap device $iface up in promiscuous mode with the MTU of $bridge and IPv6 disabled.
sub tap_create {
    my ($iface, $bridge) = @_;

    die "unable to get bridge setting\n" if !$bridge;

    my $bridgemtu = read_bridge_mtu($bridge);

    my $activated = eval {
        disable_ipv6($iface);
        run_command(['/sbin/ip', 'link', 'set', $iface, 'up', 'promisc', 'on', 'mtu', $bridgemtu]);
        1;
    };
    die "interface activation failed\n" if !$activated;
    return;
}
353 | ||
35efc4eb AD |
# Create the veth pair $veth/$vethpeer (optionally with MAC $mac on $veth) using the MTU of
# $bridge, unless $veth already exists; then disable IPv6 on and bring up both ends.
sub veth_create {
    my ($veth, $vethpeer, $bridge, $mac) = @_;

    die "unable to get bridge setting\n" if !$bridge;

    my $bridgemtu = read_bridge_mtu($bridge);

    # create veth pair
    if (! -d "/sys/class/net/$veth") {
        my @cmd = (
            '/sbin/ip', 'link', 'add',
            'name', $veth, 'mtu', $bridgemtu,               # veth device + MTU
            'type', 'veth',
            'peer', 'name', $vethpeer, 'mtu', $bridgemtu,   # peer device + MTU
        );
        push @cmd, 'addr', $mac if $mac;

        eval { run_command(\@cmd) };
        die "can't create interface $veth - $@\n" if $@;
    }

    # up vethpair
    my @ends = ($veth, $vethpeer);
    disable_ipv6($_) for @ends;
    $activate_interface->($_, $bridgemtu) for @ends;

    return;
}
385 | ||
f3f0bc3a AD |
# Delete veth device $veth if present and (best effort) unplug it from any bridge config.
sub veth_delete {
    my ($veth) = @_;

    iface_delete($veth) if -d "/sys/class/net/$veth";
    eval { tap_unplug($veth) };
    return;
}
35efc4eb | 395 | |
# Plug $iface into linux bridge $bridge through a per-VM firewall bridge: fwbr<vmid>i<devid> is
# created and linked to $bridge with a veth pair, the vlan config ($tag, $trunks) goes on the
# $bridge side of that pair, and $iface is attached to the firewall bridge.
my $create_firewall_bridge_linux = sub {
    my ($iface, $bridge, $tag, $trunks, $no_learning) = @_;

    my ($vmid, $devid) = $parse_tap_device_name->($iface);
    my ($fwbr, $vethfw, $vethfwpeer) = $compute_fwbr_names->($vmid, $devid);

    my $bridgemtu = read_bridge_mtu($bridge);

    $cond_create_bridge->($fwbr);
    $activate_interface->($fwbr, $bridgemtu);

    copy_bridge_config($bridge, $fwbr);
    veth_create($vethfw, $vethfwpeer, $bridge);

    $bridge_add_interface->($bridge, $vethfwpeer, $tag, $trunks);
    $bridge_disable_interface_learning->($vethfwpeer) if $no_learning;
    $bridge_add_interface->($fwbr, $vethfw);

    $bridge_add_interface->($fwbr, $iface);
};
416 | ||
# Plug $iface into OVS bridge $bridge through a per-VM firewall bridge: fwbr<vmid>i<devid> is
# created, $iface attached to it, and an OVS internal port (carrying $tag/$trunks) connects
# the firewall bridge to $bridge.
my $create_firewall_bridge_ovs = sub {
    my ($iface, $bridge, $tag, $trunks, $no_learning) = @_;

    my ($vmid, $devid) = $parse_tap_device_name->($iface);
    my ($fwbr, undef, undef, $ovsintport) = $compute_fwbr_names->($vmid, $devid);

    my $bridgemtu = read_bridge_mtu($bridge);

    $cond_create_bridge->($fwbr);
    $activate_interface->($fwbr, $bridgemtu);

    $bridge_add_interface->($fwbr, $iface);

    $ovs_bridge_add_port->($bridge, $ovsintport, $tag, 1, $trunks);
    $activate_interface->($ovsintport, $bridgemtu);

    $bridge_add_interface->($fwbr, $ovsintport);
    $bridge_disable_interface_learning->($ovsintport) if $no_learning;
};
436 | ||
# Remove the firewall devices belonging to tap/veth $iface: the OVS internal port, the veth
# pair and the firewall bridge, each only if it currently exists. Non tap/veth names are ignored.
my $cleanup_firewall_bridge = sub {
    my ($iface) = @_;

    my ($vmid, $devid) = $parse_tap_device_name->($iface, 1);
    return if !defined($vmid);
    my ($fwbr, $vethfw, undef, $ovsintport) = $compute_fwbr_names->($vmid, $devid);

    # cleanup old port config from any openvswitch bridge
    run_command("/usr/bin/ovs-vsctl del-port $ovsintport", outfunc => sub {}, errfunc => sub {})
        if -d "/sys/class/net/$ovsintport";

    # delete old vethfw interface
    veth_delete($vethfw);

    # cleanup fwbr bridge
    iface_delete($fwbr) if -d "/sys/class/net/$fwbr";
};
457 | ||
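# Plug $iface into $bridge. When /sys/class/net/$bridge/bridge exists the bridge is a linux
# bridge and the port is added directly or, with $firewall set, through a per-VM firewall
# bridge; otherwise $bridge is treated as an OVS bridge. $tag and $trunks carry the vlan
# config, $rate is handed to tap_rate_limit. $opts is a hash ref with:
#   learning - MAC learning on the port; auto-detected from the interfaces config when undef
#   mac      - with learning off, a static fdb entry is added for this MAC
sub tap_plug {
    my ($iface, $bridge, $tag, $firewall, $trunks, $rate, $opts) = @_;

    $opts = {} if !defined($opts);
    $opts = { learning => $opts } if !ref($opts); # FIXME: backward compat, drop with PVE 8.0

    if (!defined($opts->{learning})) { # auto-detect, default learning to on
        my $interfaces_config = PVE::INotify::read_file('interfaces');
        # keep the config entry under its own name instead of shadowing $bridge
        my $bridge_cfg = $interfaces_config->{ifaces}->{$bridge};
        $opts->{learning} = !($bridge_cfg && $bridge_cfg->{'bridge-disable-mac-learning'});
    }
    my $no_learning = !$opts->{learning};

    # cleanup old port config from any openvswitch bridge; list form keeps $iface out of a shell
    # command line, failures (e.g. no such port) are ignored
    eval {
        run_command(['/usr/bin/ovs-vsctl', 'del-port', $iface], outfunc => sub {}, errfunc => sub {});
    };

    if (-d "/sys/class/net/$bridge/bridge") {
        $cleanup_firewall_bridge->($iface); # remove stale devices

        my $vlan_aware = PVE::Tools::file_read_firstline("/sys/class/net/$bridge/bridge/vlan_filtering");

        if (!$vlan_aware) {
            die "vlan aware feature need to be enabled to use trunks" if $trunks;
            # non vlan-aware bridge: use a separate <bridge>v<tag> bridge and add the port untagged
            my $newbridge = activate_bridge_vlan($bridge, $tag);
            copy_bridge_config($bridge, $newbridge) if $bridge ne $newbridge;
            $bridge = $newbridge;
            $tag = undef;
        }

        if ($firewall) {
            $create_firewall_bridge_linux->($iface, $bridge, $tag, $trunks, $no_learning);
        } else {
            $bridge_add_interface->($bridge, $iface, $tag, $trunks);
        }
        if ($no_learning) {
            $bridge_disable_interface_learning->($iface);
            add_bridge_fdb($iface, $opts->{mac}) if defined($opts->{mac});
        }

    } else {
        $cleanup_firewall_bridge->($iface); # remove stale devices

        if ($firewall) {
            $create_firewall_bridge_ovs->($iface, $bridge, $tag, $trunks, $no_learning);
        } else {
            $ovs_bridge_add_port->($bridge, $iface, $tag, undef, $trunks);
        }
    }

    tap_rate_limit($iface, $rate);

    return;
}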
514 | ||
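# Detach $iface from its bridge: release it from a linux bridge if it is enslaved to one,
# remove its firewall devices and drop any OVS port config for it.
sub tap_unplug {
    my ($iface) = @_;

    # the brport/bridge symlink only exists while the port is enslaved; its target (the bridge
    # name) is not needed for `ip link set nomaster`, so it is no longer read here
    my $brport_link = "/sys/class/net/$iface/brport/bridge";
    iface_set_master($iface, undef) if -l $brport_link;

    $cleanup_firewall_bridge->($iface);
    # cleanup old port config from any openvswitch bridge; list form keeps $iface out of a shell
    # command line, failures (e.g. no such port) are ignored
    eval { run_command(['/usr/bin/ovs-vsctl', 'del-port', $iface], outfunc => sub {}, errfunc => sub {}) };

    return;
}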
533 | ||
b9436cda DM |
# Copy a fixed set of bridge sysfs settings from bridge $br0 to bridge $br1 where they differ.
# Problems with a single setting are only warned about, the remaining ones are still copied.
sub copy_bridge_config {
    my ($br0, $br1) = @_;

    return if $br0 eq $br1;

    my @settings = qw(
        ageing_time stp_state priority forward_delay
        hello_time max_age multicast_snooping multicast_querier
    );

    for my $sysname (@settings) {
        my $src = "/sys/class/net/$br0/bridge/$sysname";
        my $dst = "/sys/class/net/$br1/bridge/$sysname";
        eval {
            my $src_val = PVE::Tools::file_read_firstline($src);
            my $dst_val = PVE::Tools::file_read_firstline($dst);
            PVE::ProcFSTools::write_proc_entry($dst, $src_val) if $src_val ne $dst_val;
        };
        warn $@ if $@;
    }
    return;
}
556 | ||
70d89745 PRG |
# Make sure the vlan sub-interface $iface.$tag exists, is up and is a port of bridge
# $bridgevlan. Dies if the sub-interface is already enslaved to a different bridge.
sub activate_bridge_vlan_slave {
    my ($bridgevlan, $iface, $tag) = @_;
    my $ifacevlan = "${iface}.$tag";

    # create the vlan sub-interface on $iface if it does not exist yet
    if (! -d "/sys/class/net/$ifacevlan") {
        my @cmd = ('/sbin/ip', 'link', 'add', 'link', $iface, 'name', $ifacevlan, 'type', 'vlan', 'id', $tag);
        eval { run_command(\@cmd) };
        die "can't add vlan tag $tag to interface $iface - $@\n" if $@;

        # remove ipv6 link-local address before activation
        disable_ipv6($ifacevlan);
    }

    # be sure to have the $ifacevlan up
    $activate_interface->($ifacevlan);

    # test if $ifacevlan is already enslaved in another bridge
    my $brport_link = "/sys/class/net/$ifacevlan/brport/bridge";
    if (-l $brport_link) {
        my $current_bridge = basename(readlink($brport_link));
        die "interface $ifacevlan already exist in bridge $current_bridge\n" if $current_bridge ne $bridgevlan;
        # Port already attached to bridge: do nothing.
        return;
    }

    # add $ifacevlan to the bridge
    $bridge_add_interface->($bridgevlan, $ifacevlan);
    return;
}
595 | ||
# For a non vlan-aware bridge: return $bridge itself when no tag is given, otherwise make sure
# bridge <bridge>v<tag> exists, has every physical (eth*/bond*/en*) port of $bridge attached via
# a vlan sub-interface, and is up; returns the name of that vlan bridge.
sub activate_bridge_vlan {
    my ($bridge, $tag_param) = @_;

    die "bridge '$bridge' is not active\n" if ! -d "/sys/class/net/$bridge";

    return $bridge if !defined($tag_param); # no vlan, simply return

    my $tag = int($tag_param);
    die "got strange vlan tag '$tag_param'\n" if $tag < 1 || $tag > 4094;

    my $bridgevlan = "${bridge}v$tag";

    # collect the physical ports of $bridge (possibly already vlan sub-interfaces themselves)
    my @phys_ifaces;
    my $brif_dir = "/sys/class/net/$bridge/brif";
    PVE::Tools::dir_glob_foreach($brif_dir, '(((eth|bond)\d+|en[^.]+)(\.\d+)?)', sub {
        my ($name) = @_;
        push @phys_ifaces, $name;
    });

    die "no physical interface on bridge '$bridge'\n" if !@phys_ifaces;

    lock_network(sub {
        # add bridgevlan if it doesn't already exist
        iface_create($bridgevlan, 'bridge') if ! -d "/sys/class/net/$bridgevlan";

        my $bridgemtu = read_bridge_mtu($bridge);
        eval { run_command(['/sbin/ip', 'link', 'set', $bridgevlan, 'mtu', $bridgemtu]) };

        # for each physical interface (eth or bridge) bind them to bridge vlan
        for my $phys_iface (@phys_ifaces) {
            activate_bridge_vlan_slave($bridgevlan, $phys_iface, $tag);
        }

        #fixme: set other bridge flags

        # remove ipv6 link-local address before activation
        disable_ipv6($bridgevlan);
        # be sure to have the bridge up
        $activate_interface->($bridgevlan);
    });
    return $bridgevlan;
}
640 | ||
b6bff92e WB |
# TCP reachability probe of $host (default timeout 3s). Mirrors Net::Ping: without $port the
# echo port (7) is probed and "connection refused" still counts as alive; with an explicit
# $port a refused connection counts as down. Returns true when alive, false otherwise.
sub tcp_ping {
    my ($host, $port, $timeout) = @_;

    $timeout ||= 3; # sane default

    # Net::Ping defaults to the echo port; its port_number() implies service_check(1)
    my ($refused_result, $probe_port) = $port ? (0, $port) : (1, 7);

    my ($sock, $result);
    eval {
        $result = PVE::Tools::run_with_timeout($timeout, sub {
            $sock = IO::Socket::IP->new(PeerHost => $host, PeerPort => $probe_port, Type => SOCK_STREAM);
            $result = $refused_result if $! == ECONNREFUSED;
        });
    };
    if ($sock) {
        $sock->close();
        $result = 1;
    }
    return $result;
}
668 | ||
bf52d27b WB |
# Net::IP object for the network part of $cidr ("addr/prefix"), i.e. with the host bits cleared.
# Returns nothing if $cidr does not parse or $prefix is no valid mask for the address family.
sub IP_from_cidr {
    my ($cidr, $version) = @_;

    return if $cidr !~ m{^(?<ip>\S+?)/(?<prefix>\S+)$};
    my ($ip, $prefix) = ($+{ip}, $+{prefix});

    my $ipobj = Net::IP->new($ip, $version);
    return if !$ipobj;

    $version = $ipobj->version();

    my $binmask = Net::IP::ip_get_mask($prefix, $version);
    return if !$binmask;

    my $network_bin = $ipobj->binip() & $binmask;
    my $network_ip = Net::IP::ip_bintoip($network_bin, $version);
    return Net::IP->new("$network_ip/$prefix");
}
686 | ||
# True if $ip lies inside $cidr (or equals it); nothing if either does not parse or the
# overlap check itself fails.
sub is_ip_in_cidr {
    my ($ip, $cidr, $version) = @_;

    my $network = IP_from_cidr($cidr, $version) or return;
    my $addr = Net::IP->new($ip, $version) or return;

    my $overlap = $network->overlaps($addr);
    return if !defined($overlap);

    my $inside = $overlap == $Net::IP::IP_B_IN_A_OVERLAP || $overlap == $Net::IP::IP_IDENTICAL;
    return $inside;
}
701 | ||
d7cafe51 TL |
# All currently configured addresses with global scope, i.e. reachable from outside the host
# (neither loopback nor link-local), read from `ip -j addr show up scope global`.
# Returns an array ref of { addr => "IP", cidr => "IP/PREFIXLEN", family => "inet|inet6" },
# sorted by family and then address.
sub get_reachable_networks {
    my $raw = '';
    run_command([qw(ip -j addr show up scope global)], outfunc => sub { $raw .= shift });
    my $links = decode_json($raw);

    # flatten to one record per address first so the result can be sorted as a single list
    my @addr_infos;
    for my $link (@$links) {
        next if !$link->{addr_info};
        next if grep { $_ eq 'LOOPBACK' } $link->{flags}->@*;
        push @addr_infos, grep { scalar(keys $_->%*) } $link->{addr_info}->@*;
    }

    my @sorted = sort { $a->{family} cmp $b->{family} || $a->{local} cmp $b->{local} } @addr_infos;
    my $res = [
        map {
            +{
                addr => $_->{local},
                cidr => "$_->{local}/$_->{prefixlen}",
                family => $_->{family},
            }
        } @sorted
    ];

    return $res;
}
beb9820f | 726 | |
ac487a88 TL |
# One or all local, non-loopback IPs. Candidates, in order of preference:
# - the address the hostname resolves to (follows gai.conf, so admin controlled)
# - all addresses configured in the interfaces configuration
# - all addresses currently known to the kernel in the current (root) namespace
# Without parameters the first candidate found is returned as a single address; with
# `all => 1` an array ref with the resolved address first, then all v4, then all v6 ones.
sub get_local_ip {
    my (%param) = @_;
    my $want_all = $param{all};

    my $nodename = PVE::INotify::nodename();
    my $resolved_host = eval { get_ip_from_hostname($nodename) };

    return $resolved_host if defined($resolved_host) && !$want_all;

    my $found = { v4 => {}, v6 => {} }; # hash to avoid duplicates and group by type

    my $ifaces_cfg = PVE::INotify::read_file('interfaces', 1) || {};
    for my $iface_cfg (values $ifaces_cfg->{data}->{ifaces}->%*) {
        next if $iface_cfg->{type} eq 'loopback';
        my ($v4, $v6) = @{$iface_cfg}{qw(address address6)};
        next if !defined($v4) && !defined($v6);

        return ($v4 // $v6) if !$want_all; # prefer v4, admin can override $resolved_host via hosts/gai.conf

        $found->{v4}->{$v4} = 1 if defined($v4);
        $found->{v6}->{$v6} = 1 if defined($v6);
    }

    my $live = eval { get_reachable_networks() } // [];
    for my $info ($live->@*) {
        my $addr = $info->{addr};

        return $addr if !$want_all;

        my $family = $info->{family} eq 'inet' ? 'v4' : 'v6';
        $found->{$family}->{$addr} = 1;
    }

    return if !$want_all; # getting here means no early return above triggered -> no IPs

    my $res = []; # order gai.conf controlled first, then group v4 and v6, simply lexically sorted
    if ($resolved_host) {
        push $res->@*, $resolved_host;
        delete $found->{v4}->{$resolved_host};
        delete $found->{v6}->{$resolved_host};
    }
    push $res->@*, sort { $a cmp $b } keys $found->{v4}->%*;
    push $res->@*, sort { $a cmp $b } keys $found->{v6}->%*;

    return $res;
}
780 | ||
beb9820f TL |
# Array ref of the local, up addresses inside $cidr, in the order `ip address show` lists them
# (duplicates dropped).
sub get_local_ip_from_cidr {
    my ($cidr) = @_;

    my %position_of; # address => position of its first occurrence in the output
    my $next_position = 1;
    run_command(['/sbin/ip', 'address', 'show', 'to', $cidr, 'up'], outfunc => sub {
        my ($line) = @_;
        return if $line !~ m!^\s*inet(?:6)?\s+($PVE::Tools::IPRE)(?:/\d+|\s+peer\s+)!;
        $position_of{$1} //= $next_position++;
    });

    return [ sort { $position_of{$a} <=> $position_of{$b} } keys %position_of ];
}
794 | ||
87aa00de TL |
# Numeric host address of a packed socket address $addr (no name resolution); in list context
# the numeric port is returned as well. Dies if getnameinfo fails.
sub addr_to_ip {
    my ($addr) = @_;
    my ($err, $host, $port) = Socket::getnameinfo($addr, NI_NUMERICHOST | NI_NUMERICSERV);
    die "failed to get numerical host address: $err\n" if $err;
    return wantarray ? ($host, $port) : $host;
}
802 | ||
# First non-loopback address $hostname resolves to (in list context also its address family).
# Dies when the lookup fails or yields only loopback addresses; with $noerr set it returns
# nothing instead.
sub get_ip_from_hostname {
    my ($hostname, $noerr) = @_;

    my @addrinfos = eval { PVE::Tools::getaddrinfo_all($hostname) };
    if (my $lookup_err = $@) {
        die "hostname lookup '$hostname' failed - $lookup_err" if !$noerr;
        return;
    }

    for my $ai (@addrinfos) {
        my $ip = addr_to_ip($ai->{addr});
        next if $ip =~ m/^127\.|^::1$/; # skip loopback addresses
        return wantarray ? ($ip, $ai->{family}) : $ip;
    }
    # NOTE: we only get here if no WAN/LAN IP was found, so this is now the error path!
    die "address lookup for '$hostname' did not find any IP address\n" if !$noerr;
    return;
}
822 | ||
a712bf6e WB |
# Run $code (with @param) under the host-wide network lock, waiting up to 10 seconds for it;
# dies if lock_file reported an error, otherwise returns what $code returned.
sub lock_network {
    my ($code, @param) = @_;
    my $lockfile = '/var/lock/pve-network.lck';
    my $wait_seconds = 10;
    my $res = lock_file($lockfile, $wait_seconds, $code, @param);
    die $@ if $@;
    return $res;
}
829 | ||
8286ef53 FE |
# The canonical form of the given IP, i.e. dotted quad for IPv4 and RFC 5952 for IPv6;
# dies if $ip does not parse.
sub canonical_ip {
    my ($ip) = @_;

    my $parsed = NetAddr::IP->new($ip);
    die "invalid IP string '$ip'\n" if !$parsed;

    return $parsed->canon();
}
838 | ||
8f75194c FE |
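# List of unique, canonical IPs in the provided list.
# Keeps the original order, filtering later duplicates. Returns a new array ref and leaves the
# caller's list untouched: a foreach variable aliases the array elements, so assigning the
# canonical form to it (as this used to do) rewrote the caller's entries in place.
# Dies via canonical_ip on an invalid IP string.
sub unique_ips {
    my ($ips) = @_;

    my $res = [];
    my $seen = {};

    for my $raw_ip (@{$ips}) {
        my $ip = canonical_ip($raw_ip);

        next if $seen->{$ip};

        $seen->{$ip} = 1;
        push @{$res}, $ip;
    }

    return $res;
}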
858 | ||
b9436cda | 859 | 1; |