b9436cda DM |
1 | package PVE::Network; |
2 | ||
3 | use strict; | |
c36f332e | 4 | use warnings; |
74d1b045 | 5 | use PVE::Tools qw(run_command); |
b9436cda DM |
6 | use PVE::ProcFSTools; |
7 | use PVE::INotify; | |
8 | use File::Basename; | |
9 | ||
10 | # host network related utility functions | |
11 | ||
# Dotted-quad netmask for an IPv4 prefix length: $ipv4_reverse_mask->[N]
# for N = 0..32, e.g. [24] is '255.255.255.0'. Derived from the prefix
# length instead of being spelled out; the 33 resulting strings are the
# same as the literal table this replaces.
our $ipv4_reverse_mask = [
    map {
        my $prefix_len = $_;
        # a /0 mask has no bits set; avoid shifting by a full 32 bits
        my $bits = $prefix_len ? (0xffffffff << (32 - $prefix_len)) & 0xffffffff : 0;
        join('.', unpack('C4', pack('N', $bits)));
    } 0 .. 32
];

# Reverse lookup, netmask -> prefix length, but only for /16 .. /30 (the
# sizes treated as a "local" network here); other masks are absent.
our $ipv4_mask_hash_localnet = {
    map { ($ipv4_reverse_mask->[$_] => $_) } 16 .. 30
};
65 | ||
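# Install (or, with a false $rate, merely remove) a traffic rate limit on
# $iface: an ingress policer on the estimated average rate plus a single
# htb class shaping egress. $rate is in bytes/s and $burst in bytes (tc
# 'bps'/'b' units). With $debug set the resulting tc config is printed.
sub setup_tc_rate_limit {
    my ($iface, $rate, $burst, $debug) = @_;

    # Every argument ends up on a tc command line. tc is invoked without a
    # shell below, and the name is restricted to plain interface-name
    # characters so a stray value can never turn into extra arguments.
    die "invalid interface name '$iface'\n"
        if !defined($iface) || $iface !~ m/^[a-zA-Z0-9_\-][a-zA-Z0-9_.\-]*\z/;

    # Tear down any previous configuration. Failures are expected here
    # (nothing may be configured yet) and are ignored, with all output
    # suppressed - the same effect as the former '>/dev/null 2>&1'.
    my $tc_del = sub {
        eval { run_command(['/sbin/tc', @_], outfunc => sub {}, errfunc => sub {}) };
    };
    $tc_del->('class', 'del', 'dev', $iface, 'parent', '1:', 'classid', '1:1');
    $tc_del->('filter', 'del', 'dev', $iface, 'parent', 'ffff:', 'protocol', 'ip',
              'prio', '50', 'estimator', '1sec', '8sec');
    $tc_del->('qdisc', 'del', 'dev', $iface, 'ingress');
    $tc_del->('qdisc', 'del', 'dev', $iface, 'root');

    return if !$rate;

    # both values are interpolated into tc arguments: plain integers only
    die "invalid rate '$rate'\n" if $rate !~ m/^\d+\z/;
    die "invalid burst '$burst'\n" if !defined($burst) || $burst !~ m/^\d+\z/;

    run_command(['/sbin/tc', 'qdisc', 'add', 'dev', $iface, 'handle', 'ffff:', 'ingress']);

    # Ingress: a plain 'police rate ... burst ...' does not work with virtio
    # for unknown reasons (setting "mtu 64kb" does not help either), so the
    # policer acts on the average rate reported by an estimator instead.
    run_command(['/sbin/tc', 'filter', 'add', 'dev', $iface, 'parent', 'ffff:',
                 'protocol', 'ip', 'prio', '50', 'estimator', '1sec', '8sec',
                 'u32', 'match', 'ip', 'src', '0.0.0.0/0',
                 'police', 'avrate', "${rate}bps", 'drop', 'flowid', ':1']);

    # Egress: tbf did not work for unknown reasons, so shape with htb using
    # one class that all traffic defaults into.
    run_command(['/sbin/tc', 'qdisc', 'add', 'dev', $iface, 'root', 'handle', '1:',
                 'htb', 'default', '1']);
    run_command(['/sbin/tc', 'class', 'add', 'dev', $iface, 'parent', '1:', 'classid', '1:1',
                 'htb', 'rate', "${rate}bps", 'burst', "${burst}b"]);

    if ($debug) {
        print "DEBUG tc settings\n";
        system('/sbin/tc', 'qdisc', 'ls', 'dev', $iface);
        system('/sbin/tc', 'class', 'ls', 'dev', $iface);
        system('/sbin/tc', 'filter', 'ls', 'dev', $iface, 'parent', 'ffff:');
    }
}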
99 | ||
# Rate-limit the tap device $iface to $rate megabytes per second (fractions
# allowed); a false/zero $rate only clears an existing limit. The burst
# size is fixed at 1 MiB and tc debug output is off.
sub tap_rate_limit {
    my ($iface, $rate) = @_;

    my $bytes_per_sec = int($rate * 1024 * 1024);   # MB/s -> bytes/s as tc expects
    my $burst_bytes = 1024 * 1024;                  # 1 MiB
    my $print_debug = 0;

    setup_tc_rate_limit($iface, $bytes_per_sec, $burst_bytes, $print_debug);
}
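# Return the MTU of $bridge as read from sysfs. Dies if the name is not a
# plain interface name, the bridge does not exist, or the value read is
# not an integer.
my $read_bridge_mtu = sub {
    my ($bridge) = @_;

    # $bridge is interpolated into a sysfs path: only accept a plain
    # interface name so nothing like '../' can leave /sys/class/net
    die "invalid bridge name '$bridge'\n"
        if !defined($bridge) || $bridge !~ m/^[a-zA-Z0-9_\-][a-zA-Z0-9_.\-]*\z/;

    my $mtu = PVE::Tools::file_read_firstline("/sys/class/net/$bridge/mtu");
    die "bridge '$bridge' does not exist\n" if !$mtu;
    # re-capture the value: untaints it and rejects anything non-numeric
    die "unable to parse mtu value '$mtu'\n" if $mtu !~ m/^(\d+)$/;
    $mtu = int($1);

    return $mtu;
};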
121 | ||
# Split a guest interface name into (vmid, devid). Accepted forms are
# 'tap<vmid>i<devid>' (qemu taps) and 'veth<vmid>.<devid>' (container
# veths). Any other name dies, or yields undef when $noerr is true.
my $parse_tap_devive_name = sub {
    my ($iface, $noerr) = @_;

    my ($vmid, $devid) = $iface =~ m/^tap(\d+)i(\d+)$/;
    ($vmid, $devid) = $iface =~ m/^veth(\d+)\.(\d+)$/ if !defined($vmid);

    if (!defined($vmid)) {
        return undef if $noerr;
        die "can't create firewall bridge for random interface name '$iface'\n";
    }

    return ($vmid, $devid);
};
140 | ||
# Derive the per-interface firewall device names for (vmid, devid) and
# return them as (firewall bridge, veth leg on that bridge, the veth's
# peer on the real bridge, OVS internal port for the OVS variant).
my $compute_fwbr_names = sub {
    my ($vmid, $devid) = @_;

    my $id = "${vmid}i${devid}";
    # Note: the firewall uses 'fwln+' to filter traffic to VMs, so the
    # guest-facing devices must keep that prefix.
    return (
        "fwbr$id",                # firewall bridge
        "fwln$id",                # veth leg plugged into fwbr
        "fwpr${vmid}p${devid}",   # veth peer plugged into the real bridge
        "fwln${vmid}o${devid}",   # ovs internal port
    );
};
152 | ||
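# Create the linux bridge $bridge with brctl unless it already exists.
# Dies if brctl fails.
my $cond_create_bridge = sub {
    my ($bridge) = @_;

    return if -d "/sys/class/net/$bridge";

    # list form: the name is handed to brctl directly, never via a shell
    system('/sbin/brctl', 'addbr', $bridge) == 0 ||
        die "can't add bridge '$bridge'\n";
};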
161 | ||
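# Enslave $iface to the linux bridge $bridge with brctl. Dies on failure.
my $bridge_add_interface = sub {
    my ($bridge, $iface) = @_;

    # list form: both names reach brctl as single arguments, no shell
    system('/sbin/brctl', 'addif', $bridge, $iface) == 0 ||
        die "can't add interface '$iface' to bridge '$bridge'\n";
};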
168 | ||
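# Add $iface as a port of the Open vSwitch bridge $bridge, optionally with
# an access VLAN $tag and, if $internal is true, as an OVS internal port
# (created in the same ovs-vsctl transaction). Dies on failure.
my $ovs_bridge_add_port = sub {
    my ($bridge, $iface, $tag, $internal) = @_;

    # built as an argument list so no value is ever parsed by a shell
    my @cmd = ('/usr/bin/ovs-vsctl', 'add-port', $bridge, $iface);
    push @cmd, "tag=$tag" if $tag;
    push @cmd, '--', 'set', 'Interface', $iface, 'type=internal' if $internal;

    system(@cmd) == 0 ||
        die "can't add ovs port '$iface'\n";
};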
178 | ||
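# Bring the network interface $iface up. Dies if 'ip link set' fails.
my $activate_interface = sub {
    my ($iface) = @_;

    # list form: no shell between us and ip(8)
    system('/sbin/ip', 'link', 'set', $iface, 'up') == 0 ||
        die "can't activate interface '$iface'\n";
};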
185 | ||
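# Bring the tap device $iface up, unaddressed and in promiscuous mode,
# with the same MTU as $bridge. Dies if no bridge is given, the bridge's
# MTU cannot be read, or ifconfig fails.
sub tap_create {
    my ($iface, $bridge) = @_;

    die "unable to get bridge setting\n" if !$bridge;

    my $bridgemtu = $read_bridge_mtu->($bridge);

    eval {
        # array form: executed directly, $iface is never shell-interpolated
        PVE::Tools::run_command(['/sbin/ifconfig', $iface, '0.0.0.0', 'promisc', 'up', 'mtu', $bridgemtu]);
    };
    die "interface activation failed\n" if $@;
}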
198 | ||
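# Create the veth pair $veth/$vethpeer (unless $veth already exists) with
# the MTU of $bridge and optionally the MAC $mac, then bring both ends up.
# Dies if no bridge is given, its MTU cannot be read, or a command fails.
sub veth_create {
    my ($veth, $vethpeer, $bridge, $mac) = @_;

    die "unable to get bridge setting\n" if !$bridge;

    my $bridgemtu = $read_bridge_mtu->($bridge);

    # create veth pair
    if (! -d "/sys/class/net/$veth") {
        # argument list instead of a command string: no shell involved
        my @cmd = ('/sbin/ip', 'link', 'add', 'name', $veth, 'type', 'veth',
                   'peer', 'name', $vethpeer, 'mtu', $bridgemtu);
        push @cmd, 'addr', $mac if $mac;
        system(@cmd) == 0 || die "can't create interface $veth\n";
    }

    # up vethpair
    $activate_interface->($veth);
    $activate_interface->($vethpeer);
}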
217 | ||
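# Delete the network device $veth if it exists (deleting one end of a veth
# pair removes both). Command output is suppressed; a failing 'ip link
# delete' still dies via run_command.
sub veth_delete {
    my ($veth) = @_;

    if (-d "/sys/class/net/$veth") {
        run_command(['/sbin/ip', 'link', 'delete', 'dev', $veth],
                    outfunc => sub {}, errfunc => sub {});
    }
}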
# Put a firewall bridge in front of the guest interface $iface on a linux
# bridge: create fwbr<vmid>i<devid>, copy $bridge's settings to it and
# connect the two bridges with a veth pair (fwln on fwbr, fwpr on $bridge).
# Returns the firewall bridge name, which is what $iface must be plugged
# into. Dies if $iface has no recognised vmid/devid form.
my $create_firewall_bridge_linux = sub {
    my ($iface, $bridge) = @_;

    my ($vmid, $devid) = $parse_tap_devive_name->($iface);
    my ($fwbr, $vethfw, $vethfwpeer) = $compute_fwbr_names->($vmid, $devid);

    $cond_create_bridge->($fwbr);
    $activate_interface->($fwbr);
    copy_bridge_config($bridge, $fwbr);

    # link fwbr and the real bridge through the veth pair
    veth_create($vethfw, $vethfwpeer, $bridge);
    $bridge_add_interface->($fwbr, $vethfw);
    $bridge_add_interface->($bridge, $vethfwpeer);

    return $fwbr;
};
244 | ||
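# Put a firewall bridge in front of the guest interface $iface on an Open
# vSwitch bridge: $iface is enslaved to a linux bridge fwbr<vmid>i<devid>,
# which is connected to $bridge through an OVS internal port (optionally
# on VLAN $tag) carrying $bridge's MTU. Dies if $iface has no recognised
# vmid/devid form or any step fails.
my $create_firewall_bridge_ovs = sub {
    my ($iface, $bridge, $tag) = @_;

    my ($vmid, $devid) = $parse_tap_devive_name->($iface);
    my ($fwbr, undef, undef, $ovsintport) = $compute_fwbr_names->($vmid, $devid);

    my $bridgemtu = $read_bridge_mtu->($bridge);

    $cond_create_bridge->($fwbr);
    $activate_interface->($fwbr);

    $bridge_add_interface->($fwbr, $iface);

    $ovs_bridge_add_port->($bridge, $ovsintport, $tag, 1);
    $activate_interface->($ovsintport);

    # set the same mtu for ovs int port (array form: no shell)
    PVE::Tools::run_command(['/sbin/ifconfig', $ovsintport, 'mtu', $bridgemtu]);

    $bridge_add_interface->($fwbr, $ovsintport);
};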
266 | ||
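# Remove the firewall devices belonging to guest interface $iface: the OVS
# internal port, the fwln/fwpr veth pair and the fwbr bridge. A name that
# has no vmid/devid form is silently ignored; devices that do not exist are
# skipped. Command output is suppressed, but a failing command still dies
# via run_command.
my $cleanup_firewall_bridge = sub {
    my ($iface) = @_;

    my ($vmid, $devid) = $parse_tap_devive_name->($iface, 1);
    return if !defined($vmid);
    my ($fwbr, $vethfw, $vethfwpeer, $ovsintport) = $compute_fwbr_names->($vmid, $devid);

    my %quiet = (outfunc => sub {}, errfunc => sub {});

    # cleanup old port config from any openvswitch bridge
    if (-d "/sys/class/net/$ovsintport") {
        run_command(['/usr/bin/ovs-vsctl', 'del-port', $ovsintport], %quiet);
    }

    # delete old vethfw interface (takes its peer with it)
    veth_delete($vethfw);

    # cleanup fwbr bridge
    if (-d "/sys/class/net/$fwbr") {
        run_command(['/sbin/ip', 'link', 'set', 'dev', $fwbr, 'down'], %quiet);
        run_command(['/sbin/brctl', 'delbr', $fwbr], %quiet);
    }
};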
288 | ||
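# Attach the guest interface $iface to $bridge, optionally on VLAN $tag and
# optionally behind a per-interface firewall bridge. A bridge with a
# 'bridge' directory in sysfs is a linux bridge, anything else is treated
# as Open vSwitch. Stale firewall devices from an earlier plug are removed
# first.
sub tap_plug {
    my ($iface, $bridge, $tag, $firewall) = @_;

    # cleanup old port config from any openvswitch bridge; this may fail
    # (the port need not exist there) and the failure is ignored
    eval {
        run_command(['/usr/bin/ovs-vsctl', 'del-port', $iface],
                    outfunc => sub {}, errfunc => sub {});
    };

    if (-d "/sys/class/net/$bridge/bridge") {
        $cleanup_firewall_bridge->($iface); # remove stale devices

        my $newbridge = activate_bridge_vlan($bridge, $tag);
        copy_bridge_config($bridge, $newbridge) if $bridge ne $newbridge;

        $newbridge = $create_firewall_bridge_linux->($iface, $newbridge) if $firewall;

        $bridge_add_interface->($newbridge, $iface);
    } else {
        $cleanup_firewall_bridge->($iface); # remove stale devices

        if ($firewall) {
            $create_firewall_bridge_ovs->($iface, $bridge, $tag);
        } else {
            $ovs_bridge_add_port->($bridge, $iface, $tag);
        }
    }
}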
314 | ||
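# Detach the guest interface $iface from the linux bridge it is currently
# a port of (looked up via sysfs; nothing to do if it is not enslaved) and
# remove its firewall devices. Dies if brctl fails.
sub tap_unplug {
    my ($iface) = @_;

    my $path = "/sys/class/net/$iface/brport/bridge";
    if (-l $path) {
        my $bridge = basename(readlink($path));
        # re-capture to untaint the value read from the symlink
        ($bridge) = $bridge =~ /(\S+)/;

        # list form: names are passed to brctl as arguments, not via a shell
        system('/sbin/brctl', 'delif', $bridge, $iface) == 0 ||
            die "can't del interface '$iface' from bridge '$bridge'\n";
    }

    $cleanup_firewall_bridge->($iface);
}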
331 | ||
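# Copy the tunable bridge parameters of $br0 to $br1 through sysfs, so a
# derived bridge (vlan or firewall bridge) behaves like the one it stands
# in for. Each parameter is handled on its own: a failure is reported with
# warn and the remaining parameters are still processed.
sub copy_bridge_config {
    my ($br0, $br1) = @_;

    return if $br0 eq $br1;

    my @br_configs = qw(ageing_time stp_state priority forward_delay
                        hello_time max_age multicast_snooping multicast_querier);

    foreach my $sysname (@br_configs) {
        eval {
            my $v0 = PVE::Tools::file_read_firstline("/sys/class/net/$br0/bridge/$sysname");
            my $v1 = PVE::Tools::file_read_firstline("/sys/class/net/$br1/bridge/$sysname");
            if (defined($v0) && defined($v1)) {
                PVE::ProcFSTools::write_proc_entry("/sys/class/net/$br1/bridge/$sysname", $v0)
                    if $v0 ne $v1;
            } elsif (defined($v0) || defined($v1)) {
                # readable on one side only: say so instead of comparing
                # against undef and writing an empty value
                my $missing = defined($v0) ? $br1 : $br0;
                die "unable to read bridge parameter '$sysname' of '$missing'\n";
            }
            # else: the parameter is not offered by this kernel on either
            # bridge, so there is nothing to copy
        };
        warn $@ if $@;
    }
}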
351 | ||
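# Enslave the tagged sub-interface '<iface>.<tag>' of the physical port
# $iface to the vlan bridge $bridgevlan, creating the vlan device with
# vconfig if needed and bringing it up. Dies if the sub-interface already
# belongs to a different bridge; does nothing if it is already a port of
# $bridgevlan.
sub activate_bridge_vlan_slave {
    my ($bridgevlan, $iface, $tag) = @_;
    my $ifacevlan = "${iface}.$tag";

    # create vlan on $iface if it does not already exist
    if (! -d "/sys/class/net/$ifacevlan") {
        # list form: arguments reach vconfig unchanged, no shell
        system('/sbin/vconfig', 'add', $iface, $tag) == 0 ||
            die "can't add vlan tag $tag to interface $iface\n";
    }

    # be sure to have the $ifacevlan up
    $activate_interface->($ifacevlan);

    # test if $ifacevlan is already enslaved in another bridge
    my $path = "/sys/class/net/$ifacevlan/brport/bridge";
    if (-l $path) {
        my $tbridge = basename(readlink($path));
        die "interface $ifacevlan already exist in bridge $tbridge\n"
            if $tbridge ne $bridgevlan;
        # Port already attached to bridge: do nothing.
        return;
    }

    # add $ifacevlan to the bridge
    $bridge_add_interface->($bridgevlan, $ifacevlan);
}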
380 | ||
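# Ensure a VLAN-specific bridge '<bridge>v<tag>' exists for $bridge, with
# a tagged sub-interface of every physical (eth*/bond*) port of $bridge
# enslaved to it, and return its name. Without a tag the plain bridge
# name is returned. Dies if the bridge name is not a plain interface name,
# the bridge is missing, $tag_param is not a valid VLAN id (1..4094), or
# the bridge has no physical port to tag.
sub activate_bridge_vlan {
    my ($bridge, $tag_param) = @_;

    # the name goes into sysfs paths and onto a brctl command line
    die "invalid bridge name '$bridge'\n"
        if !defined($bridge) || $bridge !~ m/^[a-zA-Z0-9_\-][a-zA-Z0-9_.\-]*\z/;
    die "bridge '$bridge' is not active\n" if ! -d "/sys/class/net/$bridge";

    return $bridge if !defined($tag_param); # no vlan, simply return

    # int() alone would silently accept e.g. '100abc' as 100: require a
    # plain integer before the range check
    die "got strange vlan tag '$tag_param'\n" if $tag_param !~ m/^\d+\z/;
    my $tag = int($tag_param);
    die "got strange vlan tag '$tag_param'\n" if $tag < 1 || $tag > 4094;

    my $bridgevlan = "${bridge}v$tag";

    # collect the eth*/bond* ports currently enslaved to $bridge
    my @ifaces = ();
    my $dir = "/sys/class/net/$bridge/brif";
    PVE::Tools::dir_glob_foreach($dir, '((eth|bond)\d+)', sub {
        push @ifaces, $_[0];
    });

    die "no physical interface on bridge '$bridge'\n" if scalar(@ifaces) == 0;

    # add bridgevlan if it doesn't already exist
    if (! -d "/sys/class/net/$bridgevlan") {
        # list form: no shell involved
        system('/sbin/brctl', 'addbr', $bridgevlan) == 0 ||
            die "can't add bridge $bridgevlan\n";
    }

    # bind a tagged sub-interface of each physical port to the vlan bridge
    foreach my $iface (@ifaces) {
        activate_bridge_vlan_slave($bridgevlan, $iface, $tag);
    }

    #fixme: set other bridge flags

    # be sure to have the bridge up
    system('/sbin/ip', 'link', 'set', $bridgevlan, 'up') == 0 ||
        die "can't up bridge $bridgevlan\n";

    return $bridgevlan;
}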
421 | ||
422 | 1; |