[pve-common.git] / src / PVE / Network.pm

package PVE::Network;

use strict;
use warnings;
use PVE::Tools qw(run_command);
use PVE::ProcFSTools;
use PVE::INotify;
use File::Basename;

# host network related utility functions

our $ipv4_reverse_mask = [
    '0.0.0.0',
    '128.0.0.0',
    '192.0.0.0',
    '224.0.0.0',
    '240.0.0.0',
    '248.0.0.0',
    '252.0.0.0',
    '254.0.0.0',
    '255.0.0.0',
    '255.128.0.0',
    '255.192.0.0',
    '255.224.0.0',
    '255.240.0.0',
    '255.248.0.0',
    '255.252.0.0',
    '255.254.0.0',
    '255.255.0.0',
    '255.255.128.0',
    '255.255.192.0',
    '255.255.224.0',
    '255.255.240.0',
    '255.255.248.0',
    '255.255.252.0',
    '255.255.254.0',
    '255.255.255.0',
    '255.255.255.128',
    '255.255.255.192',
    '255.255.255.224',
    '255.255.255.240',
    '255.255.255.248',
    '255.255.255.252',
    '255.255.255.254',
    '255.255.255.255',
];

our $ipv4_mask_hash_localnet = {
    '255.255.0.0' => 16,
    '255.255.128.0' => 17,
    '255.255.192.0' => 18,
    '255.255.224.0' => 19,
    '255.255.240.0' => 20,
    '255.255.248.0' => 21,
    '255.255.252.0' => 22,
    '255.255.254.0' => 23,
    '255.255.255.0' => 24,
    '255.255.255.128' => 25,
    '255.255.255.192' => 26,
    '255.255.255.224' => 27,
    '255.255.255.240' => 28,
    '255.255.255.248' => 29,
    '255.255.255.252' => 30,
};

sub setup_tc_rate_limit {
    my ($iface, $rate, $burst, $debug) = @_;

    system("/sbin/tc class del dev $iface parent 1: classid 1:1 >/dev/null 2>&1");
    system("/sbin/tc filter del dev $iface parent ffff: protocol ip prio 50 estimator 1sec 8sec >/dev/null 2>&1");
    system("/sbin/tc qdisc del dev $iface ingress >/dev/null 2>&1");
    system("/sbin/tc qdisc del dev $iface root >/dev/null 2>&1");

    return if !$rate;

    run_command("/sbin/tc qdisc add dev $iface handle ffff: ingress");

    # this does not work wit virtio - don't know why (setting "mtu 64kb" does not help)
    #run_command("/sbin/tc filter add dev $iface parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${rate}bps burst ${burst}b drop flowid :1");
    # so we use avrate instead
    run_command("/sbin/tc filter add dev $iface parent ffff: " .
		"protocol ip prio 50 estimator 1sec 8sec " .
		"u32 match ip src 0.0.0.0/0 police avrate ${rate}bps drop flowid :1");

    # tbf does not work for unknown reason
    #$TC qdisc add dev $DEV root tbf rate $RATE latency 100ms burst $BURST
    # so we use htb instead
    run_command("/sbin/tc qdisc add dev $iface root handle 1: htb default 1");
    run_command("/sbin/tc class add dev $iface parent 1: classid 1:1 " .
		"htb rate ${rate}bps burst ${burst}b");

    if ($debug) {
	print "DEBUG tc settings\n";
	system("/sbin/tc qdisc ls dev $iface");
	system("/sbin/tc class ls dev $iface");
	system("/sbin/tc filter ls dev $iface parent ffff:");
    }
}

sub tap_rate_limit {
    my ($iface, $rate) = @_;

    my $debug = 0;
    $rate = int($rate*1024*1024);
    my $burst = 1024*1024;

    setup_tc_rate_limit($iface, $rate, $burst, $debug);
}

my $read_bridge_mtu = sub {
    my ($bridge) = @_;

    my $mtu = PVE::Tools::file_read_firstline("/sys/class/net/$bridge/mtu");
    die "bridge '$bridge' does not exist\n" if !$mtu;
    # avoid insecure dependency;
    die "unable to parse mtu value" if $mtu !~ /^(\d+)$/;
    $mtu = int($1);

    return $mtu;
};

my $parse_tap_devive_name = sub {
    my ($iface, $noerr) = @_;

    my ($vmid, $devid);

    if ($iface =~ m/^tap(\d+)i(\d+)$/) {
	$vmid = $1;
	$devid = $2;
    } elsif ($iface =~ m/^veth(\d+)\.(\d+)$/) {
	$vmid = $1;
	$devid = $2;
    } else {
	return undef if $noerr;
	die "can't create firewall bridge for random interface name '$iface'\n";
    }

    return ($vmid, $devid);
};

my $compute_fwbr_names = sub {
    my ($vmid, $devid) = @_;

    my $fwbr = "fwbr${vmid}i${devid}";
    # Note: the firewall use 'fwln+' to filter traffic to VMs
    my $vethfw = "fwln${vmid}i${devid}";
    my $vethfwpeer = "fwpr${vmid}p${devid}";
    my $ovsintport = "fwln${vmid}o${devid}";

    return ($fwbr, $vethfw, $vethfwpeer, $ovsintport);
};

my $cond_create_bridge = sub {
    my ($bridge) = @_;

    if (! -d "/sys/class/net/$bridge") {
        system("/sbin/brctl addbr $bridge") == 0 ||
            die "can't add bridge '$bridge'\n";
    }
};

my $bridge_add_interface = sub {
    my ($bridge, $iface) = @_;

    system("/sbin/brctl addif $bridge $iface") == 0 ||
	die "can't add interface 'iface' to bridge '$bridge'\n";
};

my $ovs_bridge_add_port = sub {
    my ($bridge, $iface, $tag, $internal) = @_;

    my $cmd = "/usr/bin/ovs-vsctl add-port $bridge $iface";
    $cmd .= " tag=$tag" if $tag;
    $cmd .= " -- set Interface $iface type=internal" if $internal;
    system($cmd) == 0 ||
	die "can't add ovs port '$iface'\n";
};

my $activate_interface = sub {
    my ($iface) = @_;

    system("/sbin/ip link set $iface up") == 0 ||
	die "can't activate interface '$iface'\n";
};

sub tap_create {
    my ($iface, $bridge) = @_;

    die "unable to get bridge setting\n" if !$bridge;

    my $bridgemtu = &$read_bridge_mtu($bridge);

    eval { 
	PVE::Tools::run_command("/sbin/ifconfig $iface 0.0.0.0 promisc up mtu $bridgemtu");
    };
    die "interface activation failed\n" if $@;
}

sub veth_create {
    my ($veth, $vethpeer, $bridge, $mac) = @_;

    die "unable to get bridge setting\n" if !$bridge;

    my $bridgemtu = &$read_bridge_mtu($bridge);

    # create veth pair
    if (! -d "/sys/class/net/$veth") {
	my $cmd = "/sbin/ip link add name $veth type veth peer name $vethpeer mtu $bridgemtu";
	$cmd .= " addr $mac" if $mac;
	system($cmd) == 0 || die "can't create interface $veth\n";
    }

    # up vethpair
    &$activate_interface($veth);
    &$activate_interface($vethpeer);
}

sub veth_delete {
    my ($veth) = @_;

    if (-d "/sys/class/net/$veth") {
	run_command("/sbin/ip link delete dev $veth", outfunc => sub {}, errfunc => sub {});
    }

}

my $create_firewall_bridge_linux = sub {
    my ($iface, $bridge) = @_;

    my ($vmid, $devid) = &$parse_tap_devive_name($iface);
    my ($fwbr, $vethfw, $vethfwpeer) = &$compute_fwbr_names($vmid, $devid);

    &$cond_create_bridge($fwbr);
    &$activate_interface($fwbr);

    copy_bridge_config($bridge, $fwbr);
    veth_create($vethfw, $vethfwpeer, $bridge);

    &$bridge_add_interface($fwbr, $vethfw);
    &$bridge_add_interface($bridge, $vethfwpeer);

    return $fwbr;
};

my $create_firewall_bridge_ovs = sub {
    my ($iface, $bridge, $tag) = @_;

    my ($vmid, $devid) = &$parse_tap_devive_name($iface);
    my ($fwbr, undef, undef, $ovsintport) = &$compute_fwbr_names($vmid, $devid);

    my $bridgemtu = &$read_bridge_mtu($bridge);

    &$cond_create_bridge($fwbr);
    &$activate_interface($fwbr);

    &$bridge_add_interface($fwbr, $iface);

    &$ovs_bridge_add_port($bridge, $ovsintport, $tag, 1);
    &$activate_interface($ovsintport);

    # set the same mtu for ovs int port
    PVE::Tools::run_command("/sbin/ifconfig $ovsintport mtu $bridgemtu");
    
    &$bridge_add_interface($fwbr, $ovsintport);
};

my $cleanup_firewall_bridge = sub {
    my ($iface) = @_;

    my ($vmid, $devid) = &$parse_tap_devive_name($iface, 1);
    return if !defined($vmid);  
    my ($fwbr, $vethfw, $vethfwpeer, $ovsintport) = &$compute_fwbr_names($vmid, $devid);

    # cleanup old port config from any openvswitch bridge
    if (-d "/sys/class/net/$ovsintport") {
	run_command("/usr/bin/ovs-vsctl del-port $ovsintport", outfunc => sub {}, errfunc => sub {});
    }

    # delete old vethfw interface
    veth_delete($vethfw);

    # cleanup fwbr bridge
    if (-d "/sys/class/net/$fwbr") {
	run_command("/sbin/ip link set dev $fwbr down", outfunc => sub {}, errfunc => sub {});
	run_command("/sbin/brctl delbr $fwbr", outfunc => sub {}, errfunc => sub {});
    }
};

sub tap_plug {
    my ($iface, $bridge, $tag, $firewall) = @_;

    #cleanup old port config from any openvswitch bridge
    eval {run_command("/usr/bin/ovs-vsctl del-port $iface", outfunc => sub {}, errfunc => sub {}) };

    if (-d "/sys/class/net/$bridge/bridge") {
	&$cleanup_firewall_bridge($iface); # remove stale devices

	my $newbridge = activate_bridge_vlan($bridge, $tag);
	copy_bridge_config($bridge, $newbridge) if $bridge ne $newbridge;

	$newbridge = &$create_firewall_bridge_linux($iface, $newbridge) if $firewall;

	&$bridge_add_interface($newbridge, $iface);
    } else {
	&$cleanup_firewall_bridge($iface); # remove stale devices

	if ($firewall) {
	    &$create_firewall_bridge_ovs($iface, $bridge, $tag);
	} else {
	    &$ovs_bridge_add_port($bridge, $iface, $tag);
	}
    }
}

sub tap_unplug {
    my ($iface) = @_;

    my $path= "/sys/class/net/$iface/brport/bridge";
    if (-l $path) {
	my $bridge = basename(readlink($path));
	#avoid insecure dependency;
	($bridge) = $bridge =~ /(\S+)/;

	system("/sbin/brctl delif $bridge $iface") == 0 ||
	    die "can't del interface '$iface' from bridge '$bridge'\n";

    }
    
    &$cleanup_firewall_bridge($iface);
}

sub copy_bridge_config {
    my ($br0, $br1) = @_;

    return if $br0 eq $br1;

    my $br_configs = [ 'ageing_time', 'stp_state', 'priority', 'forward_delay', 
		       'hello_time', 'max_age', 'multicast_snooping', 'multicast_querier'];

    foreach my $sysname (@$br_configs) {
	eval {
	    my $v0 = PVE::Tools::file_read_firstline("/sys/class/net/$br0/bridge/$sysname");
	    my $v1 = PVE::Tools::file_read_firstline("/sys/class/net/$br1/bridge/$sysname");
	    if ($v0 ne $v1) {
		 PVE::ProcFSTools::write_proc_entry("/sys/class/net/$br1/bridge/$sysname", $v0);
	    }
	};
	warn $@ if $@;
    }
}

sub activate_bridge_vlan_slave {
    my ($bridgevlan, $iface, $tag) = @_;
    my $ifacevlan = "${iface}.$tag";
	
    # create vlan on $iface is not already exist
    if (! -d "/sys/class/net/$ifacevlan") {
	system("/sbin/vconfig add $iface $tag") == 0 ||
	    die "can't add vlan tag $tag to interface $iface\n";
    }

    # be sure to have the $ifacevlan up
    &$activate_interface($ifacevlan);

    # test if $vlaniface is already enslaved in another bridge
    my $path= "/sys/class/net/$ifacevlan/brport/bridge";
    if (-l $path) {
        my $tbridge = basename(readlink($path));
	if ($tbridge ne $bridgevlan) {
	    die "interface $ifacevlan already exist in bridge $tbridge\n";
	} else {
            # Port already attached to bridge: do nothing.
            return;
	}
    }

    # add $ifacevlan to the bridge
    &$bridge_add_interface($bridgevlan, $ifacevlan);
}

sub activate_bridge_vlan {
    my ($bridge, $tag_param) = @_;

    die "bridge '$bridge' is not active\n" if ! -d "/sys/class/net/$bridge";

    return $bridge if !defined($tag_param); # no vlan, simply return

    my $tag = int($tag_param);

    die "got strange vlan tag '$tag_param'\n" if $tag < 1 || $tag > 4094;

    my $bridgevlan = "${bridge}v$tag";

    my @ifaces = ();
    my $dir = "/sys/class/net/$bridge/brif";
    PVE::Tools::dir_glob_foreach($dir, '((eth|bond)\d+)', sub {
        push @ifaces, $_[0];
    });

    die "no physical interface on bridge '$bridge'\n" if scalar(@ifaces) == 0;

    # add bridgevlan if it doesn't already exist
    if (! -d "/sys/class/net/$bridgevlan") {
        system("/sbin/brctl addbr $bridgevlan") == 0 ||
            die "can't add bridge $bridgevlan\n";
    }

    # for each physical interface (eth or bridge) bind them to bridge vlan
    foreach my $iface (@ifaces) {
        activate_bridge_vlan_slave($bridgevlan, $iface, $tag);
    }

    #fixme: set other bridge flags

    # be sure to have the bridge up
    system("/sbin/ip link set $bridgevlan up") == 0 ||
        die "can't up bridge $bridgevlan\n";
   
    return $bridgevlan;
}

1;
Commit	Line	Data
b9436cda DM	1	package PVE::Network;
	2
	3	use strict;
c36f332e	4	use warnings;
74d1b045	5	use PVE::Tools qw(run_command);
b9436cda DM	6	use PVE::ProcFSTools;
	7	use PVE::INotify;
	8	use File::Basename;
	9
	10	# host network related utility functions
	11
61aa94e4 WB	12	our $ipv4_reverse_mask = [
	13	'0.0.0.0',
	14	'128.0.0.0',
	15	'192.0.0.0',
	16	'224.0.0.0',
	17	'240.0.0.0',
	18	'248.0.0.0',
	19	'252.0.0.0',
	20	'254.0.0.0',
	21	'255.0.0.0',
	22	'255.128.0.0',
	23	'255.192.0.0',
	24	'255.224.0.0',
	25	'255.240.0.0',
	26	'255.248.0.0',
	27	'255.252.0.0',
	28	'255.254.0.0',
	29	'255.255.0.0',
	30	'255.255.128.0',
	31	'255.255.192.0',
	32	'255.255.224.0',
	33	'255.255.240.0',
	34	'255.255.248.0',
	35	'255.255.252.0',
	36	'255.255.254.0',
	37	'255.255.255.0',
	38	'255.255.255.128',
	39	'255.255.255.192',
	40	'255.255.255.224',
	41	'255.255.255.240',
	42	'255.255.255.248',
	43	'255.255.255.252',
	44	'255.255.255.254',
	45	'255.255.255.255',
	46	];
	47
	48	our $ipv4_mask_hash_localnet = {
	49	'255.255.0.0' => 16,
	50	'255.255.128.0' => 17,
	51	'255.255.192.0' => 18,
	52	'255.255.224.0' => 19,
	53	'255.255.240.0' => 20,
	54	'255.255.248.0' => 21,
	55	'255.255.252.0' => 22,
	56	'255.255.254.0' => 23,
	57	'255.255.255.0' => 24,
	58	'255.255.255.128' => 25,
	59	'255.255.255.192' => 26,
	60	'255.255.255.224' => 27,
	61	'255.255.255.240' => 28,
	62	'255.255.255.248' => 29,
	63	'255.255.255.252' => 30,
	64	};
	65
74d1b045 DM	66	sub setup_tc_rate_limit {
	67	my ($iface, $rate, $burst, $debug) = @_;
	68
957753df AD	69	system("/sbin/tc class del dev $iface parent 1: classid 1:1 >/dev/null 2>&1");
957753df AD	70	system("/sbin/tc filter del dev $iface parent ffff: protocol ip prio 50 estimator 1sec 8sec >/dev/null 2>&1");
edde1d46	71	system("/sbin/tc qdisc del dev $iface ingress >/dev/null 2>&1");
74d1b045 DM	72	system("/sbin/tc qdisc del dev $iface root >/dev/null 2>&1");
74d1b045 DM	73
d6f2623b	74	return if !$rate;
957753df	75
74d1b045 DM	76	run_command("/sbin/tc qdisc add dev $iface handle ffff: ingress");
74d1b045 DM	77
0aaf0ca4 DM	78	# this does not work wit virtio - don't know why (setting "mtu 64kb" does not help)
	79	#run_command("/sbin/tc filter add dev $iface parent ffff: protocol ip prio 50 u32 match ip src 0.0.0.0/0 police rate ${rate}bps burst ${burst}b drop flowid :1");
	80	# so we use avrate instead
ca402c95	81	run_command("/sbin/tc filter add dev $iface parent ffff: " .
0aaf0ca4 DM	82	"protocol ip prio 50 estimator 1sec 8sec " .
0aaf0ca4 DM	83	"u32 match ip src 0.0.0.0/0 police avrate ${rate}bps drop flowid :1");
74d1b045 DM	84
	85	# tbf does not work for unknown reason
	86	#$TC qdisc add dev $DEV root tbf rate $RATE latency 100ms burst $BURST
	87	# so we use htb instead
	88	run_command("/sbin/tc qdisc add dev $iface root handle 1: htb default 1");
	89	run_command("/sbin/tc class add dev $iface parent 1: classid 1:1 " .
	90	"htb rate ${rate}bps burst ${burst}b");
	91
	92	if ($debug) {
	93	print "DEBUG tc settings\n";
	94	system("/sbin/tc qdisc ls dev $iface");
	95	system("/sbin/tc class ls dev $iface");
	96	system("/sbin/tc filter ls dev $iface parent ffff:");
	97	}
	98	}
	99
ec9ada18 AD	100	sub tap_rate_limit {
	101	my ($iface, $rate) = @_;
	102
	103	my $debug = 0;
	104	$rate = int($rate10241024);
	105	my $burst = 1024*1024;
	106
	107	setup_tc_rate_limit($iface, $rate, $burst, $debug);
	108	}
74d1b045	109
605bb891 DM	110	my $read_bridge_mtu = sub {
	111	my ($bridge) = @_;
	112
	113	my $mtu = PVE::Tools::file_read_firstline("/sys/class/net/$bridge/mtu");
	114	die "bridge '$bridge' does not exist\n" if !$mtu;
	115	# avoid insecure dependency;
	116	die "unable to parse mtu value" if $mtu !~ /^(\d+)$/;
	117	$mtu = int($1);
	118
	119	return $mtu;
	120	};
	121
	122	my $parse_tap_devive_name = sub {
6c80e6d6	123	my ($iface, $noerr) = @_;
605bb891 DM	124
	125	my ($vmid, $devid);
	126
	127	if ($iface =~ m/^tap(\d+)i(\d+)$/) {
	128	$vmid = $1;
	129	$devid = $2;
	130	} elsif ($iface =~ m/^veth(\d+)\.(\d+)$/) {
	131	$vmid = $1;
	132	$devid = $2;
	133	} else {
6c80e6d6 DM	134	return undef if $noerr;
6c80e6d6 DM	135	die "can't create firewall bridge for random interface name '$iface'\n";
605bb891 DM	136	}
	137
	138	return ($vmid, $devid);
	139	};
	140
70ab4434	141	my $compute_fwbr_names = sub {
605bb891 DM	142	my ($vmid, $devid) = @_;
	143
	144	my $fwbr = "fwbr${vmid}i${devid}";
f193aa74	145	# Note: the firewall use 'fwln+' to filter traffic to VMs
7d78a966 AD	146	my $vethfw = "fwln${vmid}i${devid}";
	147	my $vethfwpeer = "fwpr${vmid}p${devid}";
	148	my $ovsintport = "fwln${vmid}o${devid}";
605bb891	149
70ab4434	150	return ($fwbr, $vethfw, $vethfwpeer, $ovsintport);
605bb891 DM	151	};
	152
	153	my $cond_create_bridge = sub {
	154	my ($bridge) = @_;
	155
	156	if (! -d "/sys/class/net/$bridge") {
	157	system("/sbin/brctl addbr $bridge") == 0 \|\|
	158	die "can't add bridge '$bridge'\n";
	159	}
	160	};
	161
	162	my $bridge_add_interface = sub {
	163	my ($bridge, $iface) = @_;
	164
	165	system("/sbin/brctl addif $bridge $iface") == 0 \|\|
	166	die "can't add interface 'iface' to bridge '$bridge'\n";
	167	};
	168
70ab4434 DM	169	my $ovs_bridge_add_port = sub {
	170	my ($bridge, $iface, $tag, $internal) = @_;
	171
	172	my $cmd = "/usr/bin/ovs-vsctl add-port $bridge $iface";
	173	$cmd .= " tag=$tag" if $tag;
	174	$cmd .= " -- set Interface $iface type=internal" if $internal;
	175	system($cmd) == 0 \|\|
	176	die "can't add ovs port '$iface'\n";
	177	};
	178
605bb891 DM	179	my $activate_interface = sub {
	180	my ($iface) = @_;
	181
	182	system("/sbin/ip link set $iface up") == 0 \|\|
	183	die "can't activate interface '$iface'\n";
	184	};
	185
3aa99c70 AD	186	sub tap_create {
	187	my ($iface, $bridge) = @_;
	188
	189	die "unable to get bridge setting\n" if !$bridge;
	190
605bb891	191	my $bridgemtu = &$read_bridge_mtu($bridge);
3aa99c70	192
098795e0 DM	193	eval {
	194	PVE::Tools::run_command("/sbin/ifconfig $iface 0.0.0.0 promisc up mtu $bridgemtu");
	195	};
	196	die "interface activation failed\n" if $@;
3aa99c70 AD	197	}
3aa99c70 AD	198
35efc4eb AD	199	sub veth_create {
	200	my ($veth, $vethpeer, $bridge, $mac) = @_;
	201
	202	die "unable to get bridge setting\n" if !$bridge;
	203
	204	my $bridgemtu = &$read_bridge_mtu($bridge);
	205
	206	# create veth pair
	207	if (! -d "/sys/class/net/$veth") {
	208	my $cmd = "/sbin/ip link add name $veth type veth peer name $vethpeer mtu $bridgemtu";
	209	$cmd .= " addr $mac" if $mac;
	210	system($cmd) == 0 \|\| die "can't create interface $veth\n";
	211	}
	212
	213	# up vethpair
	214	&$activate_interface($veth);
	215	&$activate_interface($vethpeer);
	216	}
	217
f3f0bc3a AD	218	sub veth_delete {
	219	my ($veth) = @_;
	220
	221	if (-d "/sys/class/net/$veth") {
	222	run_command("/sbin/ip link delete dev $veth", outfunc => sub {}, errfunc => sub {});
	223	}
	224
	225	}
35efc4eb	226
605bb891 DM	227	my $create_firewall_bridge_linux = sub {
	228	my ($iface, $bridge) = @_;
	229
	230	my ($vmid, $devid) = &$parse_tap_devive_name($iface);
70ab4434	231	my ($fwbr, $vethfw, $vethfwpeer) = &$compute_fwbr_names($vmid, $devid);
605bb891	232
605bb891 DM	233	&$cond_create_bridge($fwbr);
	234	&$activate_interface($fwbr);
	235
	236	copy_bridge_config($bridge, $fwbr);
35efc4eb	237	veth_create($vethfw, $vethfwpeer, $bridge);
605bb891	238
7d78a966 AD	239	&$bridge_add_interface($fwbr, $vethfw);
7d78a966 AD	240	&$bridge_add_interface($bridge, $vethfwpeer);
605bb891 DM	241
	242	return $fwbr;
	243	};
	244
70ab4434 DM	245	my $create_firewall_bridge_ovs = sub {
	246	my ($iface, $bridge, $tag) = @_;
	247
	248	my ($vmid, $devid) = &$parse_tap_devive_name($iface);
	249	my ($fwbr, undef, undef, $ovsintport) = &$compute_fwbr_names($vmid, $devid);
	250
	251	my $bridgemtu = &$read_bridge_mtu($bridge);
	252
	253	&$cond_create_bridge($fwbr);
	254	&$activate_interface($fwbr);
	255
	256	&$bridge_add_interface($fwbr, $iface);
	257
	258	&$ovs_bridge_add_port($bridge, $ovsintport, $tag, 1);
ac3a04b8	259	&$activate_interface($ovsintport);
70ab4434 DM	260
	261	# set the same mtu for ovs int port
	262	PVE::Tools::run_command("/sbin/ifconfig $ovsintport mtu $bridgemtu");
	263
	264	&$bridge_add_interface($fwbr, $ovsintport);
	265	};
	266
	267	my $cleanup_firewall_bridge = sub {
605bb891 DM	268	my ($iface) = @_;
605bb891 DM	269
6c80e6d6 DM	270	my ($vmid, $devid) = &$parse_tap_devive_name($iface, 1);
6c80e6d6 DM	271	return if !defined($vmid);
70ab4434 DM	272	my ($fwbr, $vethfw, $vethfwpeer, $ovsintport) = &$compute_fwbr_names($vmid, $devid);
	273
	274	# cleanup old port config from any openvswitch bridge
	275	if (-d "/sys/class/net/$ovsintport") {
	276	run_command("/usr/bin/ovs-vsctl del-port $ovsintport", outfunc => sub {}, errfunc => sub {});
	277	}
605bb891 DM	278
605bb891 DM	279	# delete old vethfw interface
f3f0bc3a	280	veth_delete($vethfw);
605bb891 DM	281
	282	# cleanup fwbr bridge
	283	if (-d "/sys/class/net/$fwbr") {
	284	run_command("/sbin/ip link set dev $fwbr down", outfunc => sub {}, errfunc => sub {});
	285	run_command("/sbin/brctl delbr $fwbr", outfunc => sub {}, errfunc => sub {});
	286	}
	287	};
	288
f0c190ee	289	sub tap_plug {
605bb891	290	my ($iface, $bridge, $tag, $firewall) = @_;
f0c190ee	291
4cbabd40 AD	292	#cleanup old port config from any openvswitch bridge
	293	eval {run_command("/usr/bin/ovs-vsctl del-port $iface", outfunc => sub {}, errfunc => sub {}) };
	294
098795e0	295	if (-d "/sys/class/net/$bridge/bridge") {
70ab4434	296	&$cleanup_firewall_bridge($iface); # remove stale devices
605bb891	297
098795e0 DM	298	my $newbridge = activate_bridge_vlan($bridge, $tag);
	299	copy_bridge_config($bridge, $newbridge) if $bridge ne $newbridge;
	300
605bb891 DM	301	$newbridge = &$create_firewall_bridge_linux($iface, $newbridge) if $firewall;
	302
	303	&$bridge_add_interface($newbridge, $iface);
098795e0	304	} else {
70ab4434 DM	305	&$cleanup_firewall_bridge($iface); # remove stale devices
	306
	307	if ($firewall) {
	308	&$create_firewall_bridge_ovs($iface, $bridge, $tag);
	309	} else {
	310	&$ovs_bridge_add_port($bridge, $iface, $tag);
	311	}
4cbabd40	312	}
f0c190ee AD	313	}
f0c190ee AD	314
a84b65c0	315	sub tap_unplug {
2db1cc0d	316	my ($iface) = @_;
a84b65c0	317
2db1cc0d DM	318	my $path= "/sys/class/net/$iface/brport/bridge";
	319	if (-l $path) {
	320	my $bridge = basename(readlink($path));
	321	#avoid insecure dependency;
	322	($bridge) = $bridge =~ /(\S+)/;
4cbabd40	323
098795e0	324	system("/sbin/brctl delif $bridge $iface") == 0 \|\|
2db1cc0d	325	die "can't del interface '$iface' from bridge '$bridge'\n";
605bb891	326
4cbabd40	327	}
70ab4434 DM	328
70ab4434 DM	329	&$cleanup_firewall_bridge($iface);
a84b65c0 AD	330	}
a84b65c0 AD	331
b9436cda DM	332	sub copy_bridge_config {
	333	my ($br0, $br1) = @_;
	334
	335	return if $br0 eq $br1;
	336
	337	my $br_configs = [ 'ageing_time', 'stp_state', 'priority', 'forward_delay',
ba4af65b	338	'hello_time', 'max_age', 'multicast_snooping', 'multicast_querier'];
b9436cda DM	339
	340	foreach my $sysname (@$br_configs) {
	341	eval {
	342	my $v0 = PVE::Tools::file_read_firstline("/sys/class/net/$br0/bridge/$sysname");
	343	my $v1 = PVE::Tools::file_read_firstline("/sys/class/net/$br1/bridge/$sysname");
	344	if ($v0 ne $v1) {
aec04803	345	PVE::ProcFSTools::write_proc_entry("/sys/class/net/$br1/bridge/$sysname", $v0);
b9436cda DM	346	}
	347	};
	348	warn $@ if $@;
	349	}
	350	}
	351
70d89745 PRG	352	sub activate_bridge_vlan_slave {
70d89745 PRG	353	my ($bridgevlan, $iface, $tag) = @_;
b9436cda	354	my $ifacevlan = "${iface}.$tag";
70d89745	355
b9436cda DM	356	# create vlan on $iface is not already exist
b9436cda DM	357	if (! -d "/sys/class/net/$ifacevlan") {
02c9a6b4 DM	358	system("/sbin/vconfig add $iface $tag") == 0 \|\|
02c9a6b4 DM	359	die "can't add vlan tag $tag to interface $iface\n";
b9436cda DM	360	}
	361
	362	# be sure to have the $ifacevlan up
605bb891	363	&$activate_interface($ifacevlan);
b9436cda DM	364
	365	# test if $vlaniface is already enslaved in another bridge
	366	my $path= "/sys/class/net/$ifacevlan/brport/bridge";
	367	if (-l $path) {
	368	my $tbridge = basename(readlink($path));
70d89745	369	if ($tbridge ne $bridgevlan) {
b9436cda	370	die "interface $ifacevlan already exist in bridge $tbridge\n";
eee4b32a PRG	371	} else {
	372	# Port already attached to bridge: do nothing.
	373	return;
b9436cda DM	374	}
	375	}
	376
70d89745	377	# add $ifacevlan to the bridge
605bb891	378	&$bridge_add_interface($bridgevlan, $ifacevlan);
70d89745 PRG	379	}
	380
	381	sub activate_bridge_vlan {
	382	my ($bridge, $tag_param) = @_;
	383
	384	die "bridge '$bridge' is not active\n" if ! -d "/sys/class/net/$bridge";
	385
	386	return $bridge if !defined($tag_param); # no vlan, simply return
	387
	388	my $tag = int($tag_param);
	389
	390	die "got strange vlan tag '$tag_param'\n" if $tag < 1 \|\| $tag > 4094;
	391
	392	my $bridgevlan = "${bridge}v$tag";
	393
c9030d97 PRG	394	my @ifaces = ();
	395	my $dir = "/sys/class/net/$bridge/brif";
	396	PVE::Tools::dir_glob_foreach($dir, '((eth\|bond)\d+)', sub {
5ffa7628	397	push @ifaces, $_[0];
c9030d97 PRG	398	});
c9030d97 PRG	399
5ffa7628	400	die "no physical interface on bridge '$bridge'\n" if scalar(@ifaces) == 0;
c9030d97	401
b9436cda DM	402	# add bridgevlan if it doesn't already exist
b9436cda DM	403	if (! -d "/sys/class/net/$bridgevlan") {
9e14b1b7	404	system("/sbin/brctl addbr $bridgevlan") == 0 \|\|
b9436cda DM	405	die "can't add bridge $bridgevlan\n";
	406	}
	407
70d89745	408	# for each physical interface (eth or bridge) bind them to bridge vlan
c9030d97 PRG	409	foreach my $iface (@ifaces) {
	410	activate_bridge_vlan_slave($bridgevlan, $iface, $tag);
	411	}
70d89745	412
b9436cda DM	413	#fixme: set other bridge flags
	414
	415	# be sure to have the bridge up
	416	system("/sbin/ip link set $bridgevlan up") == 0 \|\|
	417	die "can't up bridge $bridgevlan\n";
70d89745	418
b9436cda DM	419	return $bridgevlan;
	420	}
	421
	422	1;