use strict;
use warnings;
-use PVE::Tools qw(extract_param);
+use Net::IP qw(:PROC);
+use PVE::Tools qw(extract_param dir_glob_regex);
use PVE::SafeSyslog;
use PVE::INotify;
use PVE::Exception qw(raise_param_exc);
use base qw(PVE::RESTHandler);
+my $have_sdn;
+eval {
+ require PVE::Network::SDN;
+ $have_sdn = 1;
+};
+
my $iflockfn = "/etc/network/.pve-interfaces.lock";
my $bond_mode_enum = [
'balance-rr',
- 'active-backup',
+ 'active-backup', # OVS and Linux
'balance-xor',
'broadcast',
'802.3ad',
'balance-tlb',
- 'balance-alb'
+ 'balance-alb',
+ 'balance-slb', # OVS
+ 'lacp-balance-slb', # OVS
+ 'lacp-balance-tcp', # OVS
];
+my $network_type_enum = ['bridge', 'bond', 'eth', 'alias', 'vlan',
+ 'OVSBridge', 'OVSBond', 'OVSPort', 'OVSIntPort'];
+
my $confdesc = {
+ type => {
+ description => "Network interface type",
+ type => 'string',
+ enum => [@$network_type_enum, 'unknown'],
+ },
+ comments => {
+ description => "Comments",
+ type => 'string',
+ optional => 1,
+ },
+ comments6 => {
+ description => "Comments",
+ type => 'string',
+ optional => 1,
+ },
autostart => {
description => "Automatically start interface on boot.",
type => 'boolean',
optional => 1,
},
+ bridge_vlan_aware => {
+ description => "Enable bridge vlan support.",
+ type => 'boolean',
+ optional => 1,
+ },
bridge_ports => {
- description => "Specify the iterfaces you want to add to your bridge.",
+ description => "Specify the interfaces you want to add to your bridge.",
+ optional => 1,
+ type => 'string', format => 'pve-iface-list',
+ },
+ ovs_ports => {
+ description => "Specify the interfaces you want to add to your bridge.",
optional => 1,
type => 'string', format => 'pve-iface-list',
},
+ ovs_tag => {
+ description => "Specify a VLan tag (used by OVSPort, OVSIntPort, OVSBond)",
+ optional => 1,
+ type => 'integer',
+ minimum => 1,
+ maximum => 4094,
+ },
+ ovs_options => {
+ description => "OVS interface options.",
+ optional => 1,
+ type => 'string',
+ maxLength => 1024,
+ },
+ ovs_bridge => {
+ description => "The OVS bridge associated with a OVS port. This is required when you create an OVS port.",
+ optional => 1,
+ type => 'string', format => 'pve-iface',
+ },
slaves => {
description => "Specify the interfaces used by the bonding device.",
optional => 1,
type => 'string', format => 'pve-iface-list',
},
+ ovs_bonds => {
+ description => "Specify the interfaces used by the bonding device.",
+ optional => 1,
+ type => 'string', format => 'pve-iface-list',
+ },
bond_mode => {
description => "Bonding mode.",
optional => 1,
type => 'string', enum => $bond_mode_enum,
},
+ 'bond-primary' => {
+ description => "Specify the primary interface for active-backup bond.",
+ optional => 1,
+ type => 'string', format => 'pve-iface',
+ },
+ bond_xmit_hash_policy => {
+ description => "Selects the transmit hash policy to use for slave selection in balance-xor and 802.3ad modes.",
+ optional => 1,
+ type => 'string',
+ enum => ['layer2', 'layer2+3', 'layer3+4' ],
+ },
+ 'vlan-raw-device' => {
+ description => "Specify the raw interface for the vlan interface.",
+ optional => 1,
+ type => 'string', format => 'pve-iface',
+ },
+ 'vlan-id' => {
+ description => "vlan-id for a custom named vlan interface (ifupdown2 only).",
+ optional => 1,
+ type => 'integer',
+ minimum => 1,
+ maximum => 4094,
+ },
gateway => {
description => 'Default gateway address.',
type => 'string', format => 'ipv4',
description => 'Network mask.',
type => 'string', format => 'ipv4mask',
optional => 1,
+ requires => 'address',
},
address => {
description => 'IP address.',
type => 'string', format => 'ipv4',
optional => 1,
requires => 'netmask',
- }
+ },
+ cidr => {
+ description => 'IPv4 CIDR.',
+ type => 'string', format => 'CIDRv4',
+ optional => 1,
+ },
+ mtu => {
+ description => 'MTU.',
+ optional => 1,
+ type => 'integer',
+ minimum => 1280,
+ maximum => 65520,
+ },
+ gateway6 => {
+ description => 'Default ipv6 gateway address.',
+ type => 'string', format => 'ipv6',
+ optional => 1,
+ },
+ netmask6 => {
+ description => 'Network mask.',
+ type => 'integer', minimum => 0, maximum => 128,
+ optional => 1,
+ requires => 'address6',
+ },
+ address6 => {
+ description => 'IP address.',
+ type => 'string', format => 'ipv6',
+ optional => 1,
+ requires => 'netmask6',
+ },
+ cidr6 => {
+ description => 'IPv6 CIDR.',
+ type => 'string', format => 'CIDRv6',
+ optional => 1,
+ },
};
sub json_config_properties {
type => {
description => "Only list specific interface types.",
type => 'string',
- enum => ['bond', 'bridge', 'alias', 'eth'],
+ enum => [ @$network_type_enum, 'any_bridge', 'any_local_bridge' ],
optional => 1,
},
},
my ($param) = @_;
my $rpcenv = PVE::RPCEnvironment::get();
+ my $authuser = $rpcenv->get_user();
my $tmp = PVE::INotify::read_file('interfaces', 1);
my $config = $tmp->{data};
$rpcenv->set_result_attrib('changes', $changes) if $changes;
- delete $config->{lo}; # do not list the loopback device
+ my $ifaces = $config->{ifaces};
+
+ delete $ifaces->{lo}; # do not list the loopback device
- if ($param->{type}) {
- foreach my $k (keys %$config) {
- delete $config->{$k} if $param->{type} ne $config->{$k}->{type};
+ if (my $tfilter = $param->{type}) {
+ my $vnets;
+
+ if ($have_sdn && $tfilter eq 'any_bridge') {
+ $vnets = PVE::Network::SDN::get_local_vnets(); # returns already access-filtered
+ }
+
+ for my $k (sort keys $ifaces->%*) {
+ my $type = $ifaces->{$k}->{type};
+ my $is_bridge = $type eq 'bridge' || $type eq 'OVSBridge';
+ my $bridge_match = $is_bridge && $tfilter =~ /^any(_local)?_bridge$/;
+ my $match = $tfilter eq $type || $bridge_match;
+ delete $ifaces->{$k} if !$match;
+ }
+
+ if (defined($vnets)) {
+ $ifaces->{$_} = $vnets->{$_} for keys $vnets->%*
}
}
- return PVE::RESTHandler::hash_to_array($config, 'iface');
+ #always check bridge access
+ my $can_access_vnet = sub {
+ return 1 if $authuser eq 'root@pam';
+ return 1 if $rpcenv->check_sdn_bridge($authuser, "localnetwork", $_[0], ['SDN.Audit', 'SDN.Use'], 1);
+ };
+ for my $k (sort keys $ifaces->%*) {
+ my $type = $ifaces->{$k}->{type};
+ delete $ifaces->{$k} if ($type eq 'bridge' || $type eq 'OVSBridge') && !$can_access_vnet->($k);
+ }
+
+ return PVE::RESTHandler::hash_to_array($ifaces, 'iface');
}});
__PACKAGE__->register_method({
return undef;
}});
+my $check_duplicate = sub {
+ my ($config, $newiface, $key, $name) = @_;
+
+ foreach my $iface (keys %$config) {
+ raise_param_exc({ $key => "$name already exists on interface '$iface'." })
+ if ($newiface ne $iface) && $config->{$iface}->{$key};
+ }
+};
+
my $check_duplicate_gateway = sub {
my ($config, $newiface) = @_;
+ return &$check_duplicate($config, $newiface, 'gateway', 'Default gateway');
+};
- foreach my $iface (keys %$config) {
- raise_param_exc({ gateway => "Default gateway already exists on interface '$iface'." })
- if ($newiface ne $iface) && $config->{$iface}->{gateway};
+my $check_duplicate_gateway6 = sub {
+ my ($config, $newiface) = @_;
+ return &$check_duplicate($config, $newiface, 'gateway6', 'Default ipv6 gateway');
+};
+
+my $check_duplicate_ports = sub {
+ my ($config, $newiface, $newparam) = @_;
+
+ my $param_name;
+ my $get_portlist = sub {
+ my ($param) = @_;
+ my $ports = '';
+ for my $k (qw(bridge_ports ovs_ports slaves ovs_bonds)) {
+ if ($param->{$k}) {
+ $ports .= " $param->{$k}";
+ $param_name //= $k;
+ }
+ }
+ return PVE::Tools::split_list($ports);
+ };
+
+ my $new_ports = {};
+ for my $p ($get_portlist->($newparam)) {
+ $new_ports->{$p} = 1;
+ }
+ return if !(keys %$new_ports);
+
+ for my $iface (keys %$config) {
+ next if $iface eq $newiface;
+
+ my $d = $config->{$iface};
+ for my $p ($get_portlist->($d)) {
+ raise_param_exc({ $param_name => "$p is already used on interface '$iface'." })
+ if $new_ports->{$p};
+ }
+ }
+};
+
+sub ipv6_tobin {
+ return Net::IP::ip_iptobin(Net::IP::ip_expand_address(shift, 6), 6);
+}
+
+my $check_ipv6_settings = sub {
+ my ($address, $netmask) = @_;
+
+ raise_param_exc({ netmask => "$netmask is not a valid subnet length for ipv6" })
+ if $netmask < 0 || $netmask > 128;
+
+ raise_param_exc({ address => "$address is not a valid host IPv6 address." })
+ if !Net::IP::ip_is_ipv6($address);
+
+ my $binip = ipv6_tobin($address);
+ my $binmask = Net::IP::ip_get_mask($netmask, 6);
+
+ my $type = ($binip eq $binmask) ? 'ANYCAST' : Net::IP::ip_iptypev6($binip);
+
+ if (defined($type) && $type !~ /^(?:(?:GLOBAL|(?:UNIQUE|LINK)-LOCAL)-UNICAST)$/) {
+ raise_param_exc({ address => "$address with type '$type', cannot be used as host IPv6 address." });
}
};
+my $map_cidr_to_address_netmask = sub {
+ my ($param) = @_;
+
+ if ($param->{cidr}) {
+ raise_param_exc({ address => "address conflicts with cidr" })
+ if $param->{address};
+ raise_param_exc({ netmask => "netmask conflicts with cidr" })
+ if $param->{netmask};
+
+ my ($address, $netmask) = $param->{cidr} =~ m!^(.*)/(\d+)$!;
+ $param->{address} = $address;
+ $param->{netmask} = $netmask;
+ delete $param->{cidr};
+ }
+
+ if ($param->{cidr6}) {
+ raise_param_exc({ address6 => "address6 conflicts with cidr6" })
+ if $param->{address6};
+ raise_param_exc({ netmask6 => "netmask6 conflicts with cidr6" })
+ if $param->{netmask6};
+
+ my ($address, $netmask) = $param->{cidr6} =~ m!^(.*)/(\d+)$!;
+ $param->{address6} = $address;
+ $param->{netmask6} = $netmask;
+ delete $param->{cidr6};
+ }
+};
__PACKAGE__->register_method({
name => 'create_network',
my $code = sub {
my $config = PVE::INotify::read_file('interfaces');
+ my $ifaces = $config->{ifaces};
raise_param_exc({ iface => "interface already exists" })
- if $config->{$iface};
+ if $ifaces->{$iface};
- &$check_duplicate_gateway($config, $iface)
+ &$check_duplicate_gateway($ifaces, $iface)
if $param->{gateway};
+ &$check_duplicate_gateway6($ifaces, $iface)
+ if $param->{gateway6};
+
+ $check_duplicate_ports->($ifaces, $iface, $param);
+
+ $map_cidr_to_address_netmask->($param);
+
+ &$check_ipv6_settings($param->{address6}, int($param->{netmask6}))
+ if $param->{address6};
+
+ my $families = $param->{families} = [];
+ push @$families, 'inet'
+ if $param->{address} && !grep(/^inet$/, @$families);
+ push @$families, 'inet6'
+ if $param->{address6} && !grep(/^inet6$/, @$families);
+ @$families = ('inet') if !scalar(@$families);
$param->{method} = $param->{address} ? 'static' : 'manual';
+ $param->{method6} = $param->{address6} ? 'static' : 'manual';
- $config->{$iface} = $param;
+ if ($param->{type} =~ m/^OVS/) {
+ -x '/usr/bin/ovs-vsctl' ||
+ die "Open VSwitch is not installed (need package 'openvswitch-switch')\n";
+ }
+
+ if ($param->{type} eq 'OVSIntPort' || $param->{type} eq 'OVSBond') {
+ my $brname = $param->{ovs_bridge};
+ raise_param_exc({ ovs_bridge => "parameter is required" }) if !$brname;
+ my $br = $ifaces->{$brname};
+ raise_param_exc({ ovs_bridge => "bridge '$brname' does not exist" }) if !$br;
+ raise_param_exc({ ovs_bridge => "interface '$brname' is no OVS bridge" })
+ if $br->{type} ne 'OVSBridge';
+
+ my @ports = split (/\s+/, $br->{ovs_ports} || '');
+ $br->{ovs_ports} = join(' ', @ports, $iface)
+ if ! grep { $_ eq $iface } @ports;
+ }
+
+ $ifaces->{$iface} = $param;
PVE::INotify::write_file('interfaces', $config);
};
my $code = sub {
my $config = PVE::INotify::read_file('interfaces');
+ my $ifaces = $config->{ifaces};
raise_param_exc({ iface => "interface does not exist" })
- if !$config->{$iface};
+ if !$ifaces->{$iface};
+ my $families = ($param->{families} ||= []);
foreach my $k (PVE::Tools::split_list($delete)) {
- delete $config->{$iface}->{$k};
+ delete $ifaces->{$iface}->{$k};
+ @$families = grep(!/^inet$/, @$families) if $k eq 'address';
+ @$families = grep(!/^inet6$/, @$families) if $k eq 'address6';
+ if ($k eq 'cidr') {
+ delete $ifaces->{$iface}->{netmask};
+ delete $ifaces->{$iface}->{address};
+ } elsif ($k eq 'cidr6') {
+ delete $ifaces->{$iface}->{netmask6};
+ delete $ifaces->{$iface}->{address6};
+ }
}
- &$check_duplicate_gateway($config, $iface)
+ $map_cidr_to_address_netmask->($param);
+
+ &$check_duplicate_gateway($ifaces, $iface)
if $param->{gateway};
+ &$check_duplicate_gateway6($ifaces, $iface)
+ if $param->{gateway6};
+
+ $check_duplicate_ports->($ifaces, $iface, $param);
+
+ if ($param->{address}) {
+ push @$families, 'inet' if !grep(/^inet$/, @$families);
+ } else {
+ @$families = grep(!/^inet$/, @$families);
+ }
+ if ($param->{address6}) {
+ &$check_ipv6_settings($param->{address6}, int($param->{netmask6}));
+ push @$families, 'inet6' if !grep(/^inet6$/, @$families);
+ } else {
+ @$families = grep(!/^inet6$/, @$families);
+ }
+ @$families = ('inet') if !scalar(@$families);
$param->{method} = $param->{address} ? 'static' : 'manual';
+ $param->{method6} = $param->{address6} ? 'static' : 'manual';
foreach my $k (keys %$param) {
- $config->{$iface}->{$k} = $param->{$k};
+ $ifaces->{$iface}->{$k} = $param->{$k};
}
PVE::INotify::write_file('interfaces', $config);
my ($param) = @_;
my $config = PVE::INotify::read_file('interfaces');
+ my $ifaces = $config->{ifaces};
raise_param_exc({ iface => "interface does not exist" })
- if !$config->{$param->{iface}};
+ if !$ifaces->{$param->{iface}};
- return $config->{$param->{iface}};
+ return $ifaces->{$param->{iface}};
+ }});
+
+sub ifupdown2_version {
+ my $v;
+ PVE::Tools::run_command(['ifreload', '-V'], outfunc => sub { $v //= shift });
+ return if !defined($v) || $v !~ /^\s*ifupdown2:(\S+)\s*$/;
+ $v = $1;
+ my ($major, $minor, $extra, $pve) = split(/\.|-/, $v);
+ my $is_pve = defined($pve) && $pve =~ /(pve|pmx|proxmox)/;
+
+ return ($major * 100000 + $minor * 1000 + $extra * 10, $is_pve, $v);
+}
+sub assert_ifupdown2_installed {
+ die "you need ifupdown2 to reload network configuration\n" if ! -e '/usr/share/ifupdown2';
+ my ($v, $pve, $v_str) = ifupdown2_version();
+ die "incompatible 'ifupdown2' package version '$v_str'! Did you installed from Proxmox repositories?\n"
+ if $v < (1*100000 + 2*1000 + 8*10) || !$pve;
+}
+
+__PACKAGE__->register_method({
+ name => 'reload_network_config',
+ path => '',
+ method => 'PUT',
+ permissions => {
+ check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+ },
+ description => "Reload network configuration",
+ protected => 1,
+ proxyto => 'node',
+ parameters => {
+ additionalProperties => 0,
+ properties => {
+ node => get_standard_option('pve-node'),
+ },
+ },
+ returns => { type => 'string' },
+ code => sub {
+
+ my ($param) = @_;
+
+ my $rpcenv = PVE::RPCEnvironment::get();
+
+ my $authuser = $rpcenv->get_user();
+
+ my $current_config_file = "/etc/network/interfaces";
+ my $new_config_file = "/etc/network/interfaces.new";
+
+ assert_ifupdown2_installed();
+
+ my $worker = sub {
+
+ rename($new_config_file, $current_config_file) if -e $new_config_file;
+
+ if ($have_sdn) {
+ PVE::Network::SDN::generate_zone_config();
+ }
+
+ my $err = sub {
+ my $line = shift;
+ if ($line =~ /(warning|error): (\S+):/) {
+ print "$2 : $line \n";
+ }
+ };
+ PVE::Tools::run_command(['ifreload', '-a'], errfunc => $err);
+
+ if ($have_sdn) {
+ PVE::Network::SDN::generate_controller_config(1);
+ }
+ };
+ return $rpcenv->fork_worker('srvreload', 'networking', $authuser, $worker);
}});
__PACKAGE__->register_method({
my $code = sub {
my $config = PVE::INotify::read_file('interfaces');
+ my $ifaces = $config->{ifaces};
raise_param_exc({ iface => "interface does not exist" })
- if !$config->{$param->{iface}};
+ if !$ifaces->{$param->{iface}};
+
+ my $d = $ifaces->{$param->{iface}};
+ if ($d->{type} eq 'OVSIntPort' || $d->{type} eq 'OVSBond') {
+ if (my $brname = $d->{ovs_bridge}) {
+ if (my $br = $ifaces->{$brname}) {
+ if ($br->{ovs_ports}) {
+ my @ports = split (/\s+/, $br->{ovs_ports});
+ my @new = grep { $_ ne $param->{iface} } @ports;
+ $br->{ovs_ports} = join(' ', @new);
+ }
+ }
+ }
+ }
- delete $config->{$param->{iface}};
+ delete $ifaces->{$param->{iface}};
PVE::INotify::write_file('interfaces', $config);
};
projects / pve-manager.git / blobdiff