From: Julien Fortin Date: Mon, 18 Jun 2018 16:44:32 +0000 (+0200) Subject: ifupdown2.conf: vlan_aware_bridge_address_support: allow ip on vlan-aware bridge... X-Git-Tag: 1.2.2-1~103 X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=ffdf73e14adecc430438d7bca8bc790d6556a9c4;p=mirror_ifupdown2.git ifupdown2.conf: vlan_aware_bridge_address_support: allow ip on vlan-aware bridge (closes #58) In linux its possible to assign an ip address to a vlan-aware bridge For some use cases is it useful to restrict users from configuring ips on bridges VA. This patch will let admins and distributions decide if it is necessary to warn the user in such case. The patch introduces a new configuration variable in: /etc/network/ifudpown2/ifupdown2.conf vlan_aware_bridge_address_support: yes|no|on|off|0|1 (default to yes) [8:30:41] root:~ # cat /etc/network/ifupdown2/ifupdown2.conf | grep "vlan_aware_bridge_address_support" [8:30:43] root:~ # ifquery bridge auto bridge iface bridge bridge-ports swp1 bridge-vlan-aware yes address 10.10.10.10 [8:30:46] root:~ # ifup bridge --syntax-check [8:30:52] root:~ # echo $? 0 [8:30:54] root:~ # echo "vlan_aware_bridge_address_support=no" >> /etc/network/ifupdown2/ifupdown2.conf [8:31:11] root:~ # ifup bridge --syntax-check warning: bridge: ignoring ip address. Assigning an IP address is not allowed on bridge vlan aware interfaces [8:31:14] root:~ # echo $? 1 [8:31:17] root:~ # [8:31:20] root:~ # ifup -a [8:31:22] root:~ # echo $? 0 [8:31:25] root:~ # ifquery bridge -c auto bridge iface bridge [fail] bridge-vlan-aware yes [pass] bridge-ports swp1 [pass] address 10.10.10.10 [fail] [8:31:29] root:~ # ifdown bridge && ifup bridge -v |& grep "bridge vlan aware interfaces" info: bridge: ignoring ip address. Assigning an IP address is not allowed on bridge vlan aware interfaces [8:31:57] root:~ # Reviewed-by: Roopa Prabhu Signed-off-by: Julien Fortin
---
diff --git a/debian/changelog b/debian/changelog
index ae75682..83b3b52 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ ifupdown2 (1.2.0) UNRELEASED; urgency=medium
 * Package architecture refactoring and cleanups
 * Package can be build/install as debian, pip or rpm package
 * Makefile to easily perform tasks (i.e.: install, build, test, upload..)
+ * Closes #58: ifupdown2.conf: vlan_aware_bridge_address_support on/off
 * New. Enabled: traditional bridge support for mstpctl attributes (portautoedge, portrestrrole)
 * Closes: CM-16493: Configuration for IPv6 link-local auto-generate mode
diff --git a/etc/network/ifupdown2/ifupdown2.conf b/etc/network/ifupdown2/ifupdown2.conf
index 906fdea..996aa7d 100644
--- a/etc/network/ifupdown2/ifupdown2.conf
+++ b/etc/network/ifupdown2/ifupdown2.conf
@@ -80,3 +80,10 @@ ifaceobj_squash=0
 # based on the physical interface they are running on top of.
 # set this flag to 0 to disable this behaviour
 adjust_logical_dev_mtu=1
+
+# By default ifupdown2 will let you configure ip addresses on a vlan-aware
+# bridge. For some use cases it is useful to restrict such configuration.
+# This is a boolean variable:
+# yes, on, 1: to allow L3 configuration on vlan-aware bridge (default)
+# no, off, 0: to disable L3 config on vlan-aware bridge and warn user
+vlan_aware_bridge_address_support=yes
diff --git a/ifupdown2/ifupdown/utils.py b/ifupdown2/ifupdown/utils.py
index f7a89a7..57a44c1 100644
--- a/ifupdown2/ifupdown/utils.py
+++ b/ifupdown2/ifupdown/utils.py
@@ -22,10 +22,12 @@ try:
 from ifupdown2.ifupdown.iface import *
 import ifupdown2.ifupdown.ifupdownflags as ifupdownflags
+ import ifupdown2.ifupdown.ifupdownconfig as ifupdownconfig
 except ImportError:
 from ifupdown.iface import *
 import ifupdown.ifupdownflags as ifupdownflags
+ import ifupdown.ifupdownconfig as ifupdownconfig
 def signal_handler_f(ps, sig, frame):
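Review bot: The comment added above `vlan_aware_bridge_address_support=yes` in ifupdown2.conf says the `no` setting will "warn user", but the transcript in the commit message shows a warning only under `--syntax-check`; a plain `ifup` logs the skipped address at info level and exits 0. An operator who turns this off as a restriction should be told that the address is dropped rather than merely flagged, so I would reword the last option line to `# no, off, 0: ignore addresses on a vlan-aware bridge (warning with --syntax-check, info-level log otherwise)`. The comment could also say how an unrecognised value is treated; the parser's fallback is not visible in this diff.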
@@ -37,6 +39,7 @@ def signal_handler_f(ps, sig, frame):
 class utils():
 logger = logging.getLogger('ifupdown')
 DEVNULL = open(os.devnull, 'w')
+ vlan_aware_bridge_address_support = None
 _string_values = {
 "on": True,
@@ -331,6 +334,10 @@ class utils():
 @classmethod
 def is_addr_ip_allowed_on(cls, ifaceobj, syntax_check=False):
+ if cls.vlan_aware_bridge_address_support is None:
+ cls.vlan_aware_bridge_address_support = utils.get_boolean_from_string(
+ ifupdownconfig.config.get('vlan_aware_bridge_address_support', 'yes')
+ )
 msg = ('%s: ignoring ip address. Assigning an IP '
 'address is not allowed on' % ifaceobj.name)
 if (ifaceobj.role & ifaceRole.SLAVE
@@ -347,8 +354,10 @@ class utils():
 cls.logger.info(msg)
 return False
 elif (ifaceobj.link_kind & ifaceLinkKind.BRIDGE
- and ifaceobj.link_privflags & ifaceLinkPrivFlags.BRIDGE_VLAN_AWARE):
- msg = '%s bridge vlan aware interfaces'
+ and ifaceobj.link_privflags & ifaceLinkPrivFlags.BRIDGE_VLAN_AWARE
+ and not cls.vlan_aware_bridge_address_support
+ ):
+ msg = '%s bridge vlan aware interfaces' % msg
 if syntax_check:
 cls.logger.warning(msg)
 else:
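Review bot: The new class attribute `vlan_aware_bridge_address_support = None` in the `@@ -37,6 +39,7 @@` hunk has no comment saying that `None` means "not read yet" rather than a third policy state. A one-line comment would do: `# cached ifupdown2.conf value; None until is_addr_ip_allowed_on() first reads it`. Because the `is None` check in the following hunk fills it only once, an edit to ifupdown2.conf is picked up only by a new process, which is worth stating if anything long-running uses this class. The class body continues outside the hunk.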
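Review bot: In the `@@ -331,6 +334,10 @@` hunk the configured string goes straight into `utils.get_boolean_from_string(...)` with no check that it is one of the documented values, so what a mistyped setting (for example `vlan_aware_bridge_address_support=ye`) does depends on that helper, whose body is not in this diff. If it falls back to false, the restriction switches on and vlan-aware bridges lose their address with only an info-level message on a normal `ifup`; if it falls back to true, a mistyped `no` silently leaves the restriction off. I would log a warning when the raw value is not a key of `cls._string_values` and name the fallback explicitly. Minor: inside a classmethod, `cls.get_boolean_from_string` reads better than hard-coding `utils.`. The body of is_addr_ip_allowed_on continues past this hunk into the `@@ -347,8 +354,10 @@` hunk, where the cached flag is consumed.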