1 | package PVE::Network; | |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | use PVE::Tools qw(run_command); | |
6 | use PVE::ProcFSTools; | |
7 | use PVE::INotify; | |
8 | use File::Basename; | |
9 | use IO::Socket::IP; | |
10 | use POSIX qw(ECONNREFUSED); | |
11 | ||
12 | use Net::IP; | |
13 | ||
14 | # host network related utility functions | |
15 | ||
# Dotted-quad IPv4 netmask for every prefix length: index N holds the /N mask
# (index 0 is 0.0.0.0, index 32 is 255.255.255.255).
our $ipv4_reverse_mask = [ qw(
    0.0.0.0
    128.0.0.0
    192.0.0.0
    224.0.0.0
    240.0.0.0
    248.0.0.0
    252.0.0.0
    254.0.0.0
    255.0.0.0
    255.128.0.0
    255.192.0.0
    255.224.0.0
    255.240.0.0
    255.248.0.0
    255.252.0.0
    255.254.0.0
    255.255.0.0
    255.255.128.0
    255.255.192.0
    255.255.224.0
    255.255.240.0
    255.255.248.0
    255.255.252.0
    255.255.254.0
    255.255.255.0
    255.255.255.128
    255.255.255.192
    255.255.255.224
    255.255.255.240
    255.255.255.248
    255.255.255.252
    255.255.255.254
    255.255.255.255
) ];

# Netmasks of "local" networks (/16 through /30) mapped back to their prefix
# length; these are exactly entries 16..30 of $ipv4_reverse_mask.
our $ipv4_mask_hash_localnet = {
    map { ($ipv4_reverse_mask->[$_] => $_) } 16 .. 30
};
69 | ||
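# Install (or remove) an egress and ingress rate limit on a device via tc.
#
# $iface - network device name
# $rate  - rate value handed to tc with its "bps" suffix (tc reads that as
#          bytes per second); a false value only removes an existing limit
# $burst - burst size handed to tc with its "b" suffix
# $debug - when true, print the resulting qdisc/class/filter configuration
#
# Any previous tc configuration on the device is removed first; those
# removals are best-effort so a device without a limit causes no error.
# All commands are passed as argument lists, so the device name is never
# interpreted by a shell.
sub setup_tc_rate_limit {
    my ($iface, $rate, $burst, $debug) = @_;

    # best-effort removal: output discarded, failures ignored
    my $quiet = sub {
        my ($cmd) = @_;
        eval { run_command($cmd, outfunc => sub {}, errfunc => sub {}) };
    };
    $quiet->(['/sbin/tc', 'class', 'del', 'dev', $iface, 'parent', '1:', 'classid', '1:1']);
    $quiet->(['/sbin/tc', 'filter', 'del', 'dev', $iface, 'parent', 'ffff:',
              'protocol', 'all', 'pref', '50', 'u32']);
    $quiet->(['/sbin/tc', 'qdisc', 'del', 'dev', $iface, 'ingress']);
    $quiet->(['/sbin/tc', 'qdisc', 'del', 'dev', $iface, 'root']);

    return if !$rate;

    # tbf does not work for unknown reason
    #$TC qdisc add dev $DEV root tbf rate $RATE latency 100ms burst $BURST
    # so we use htb instead
    run_command(['/sbin/tc', 'qdisc', 'add', 'dev', $iface, 'root', 'handle', '1:',
                 'htb', 'default', '1']);
    run_command(['/sbin/tc', 'class', 'add', 'dev', $iface, 'parent', '1:', 'classid', '1:1',
                 'htb', 'rate', "${rate}bps", 'burst', "${burst}b"]);

    # ingress side: police everything arriving on the device to the same rate
    run_command(['/sbin/tc', 'qdisc', 'add', 'dev', $iface, 'handle', 'ffff:', 'ingress']);
    run_command(['/sbin/tc', 'filter', 'add', 'dev', $iface, 'parent', 'ffff:',
                 'protocol', 'all', 'prio', '50', 'u32', 'match', 'u32', '0', '0',
                 'police', 'rate', "${rate}bps", 'burst', "${burst}b", 'mtu', '64kb',
                 'drop', 'flowid', ':1']);

    if ($debug) {
        print "DEBUG tc settings\n";
        system('/sbin/tc', 'qdisc', 'ls', 'dev', $iface);
        system('/sbin/tc', 'class', 'ls', 'dev', $iface);
        system('/sbin/tc', 'filter', 'ls', 'dev', $iface, 'parent', 'ffff:');
    }
}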
100 | ||
# Apply a rate limit to a tap device with a fixed burst size.
#
# $iface - tap device name
# $rate  - limit value; it is scaled by 1024*1024 before being passed on, so
#          a value in mebibytes per second is presumably expected (the scaled
#          value is what setup_tc_rate_limit hands to tc)
sub tap_rate_limit {
    my ($iface, $rate) = @_;

    my $scaled_rate = int($rate * 1024 * 1024);
    my $burst_size  = 1024 * 1024;

    setup_tc_rate_limit($iface, $scaled_rate, $burst_size, 0);
}
110 | ||
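# Read the MTU of a bridge from sysfs.
#
# $bridge - bridge device name
#
# Returns the MTU as an integer. Dies if the bridge has no sysfs entry or the
# value is not a plain decimal number. The match also untaints the value.
my $read_bridge_mtu = sub {
    my ($bridge) = @_;

    my $mtu = PVE::Tools::file_read_firstline("/sys/class/net/$bridge/mtu");
    die "bridge '$bridge' does not exist\n" if !$mtu;

    # avoid insecure dependency: accept only a whole-string number. \z instead
    # of $ also rejects a trailing newline (file_read_firstline is expected to
    # return the line already chomped, as the vlan_filtering checks in this
    # file rely on as well).
    die "unable to parse mtu value of bridge '$bridge'\n" if $mtu !~ /\A(\d+)\z/;

    return int($1);
};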
122 | ||
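# Split a device name of the form tap<vmid>i<devid> or veth<vmid>i<devid>
# into its VMID and device index.
#
# $iface - device name
# $noerr - when true, return an empty list (undef in scalar context) for a
#          name that does not match instead of dying
#
# Returns ($vmid, $devid); dies on any other name unless $noerr is set.
my $parse_tap_device_name = sub {
    my ($iface, $noerr) = @_;

    # tap and veth names share the <vmid>i<devid> layout, so one pattern
    # covers both; \A and \z anchor the whole string, so a trailing newline
    # does not slip through as it would with $.
    if ($iface =~ m/\A(?:tap|veth)(\d+)i(\d+)\z/) {
        return ($1, $2);
    }

    return if $noerr;
    die "can't create firewall bridge for random interface name '$iface'\n";
};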
141 | ||
# Derive the device names that make up a VM's firewall bridge from its VMID
# and device index.
#
# Returns, in order: the firewall bridge, the veth end attached to it, the
# veth peer attached to the outer bridge, and the OVS internal port name.
my $compute_fwbr_names = sub {
    my ($vmid, $devid) = @_;

    my $suffix = "${vmid}i${devid}";    # shared "<vmid>i<devid>" part

    return (
        "fwbr$suffix",             # firewall bridge
        "fwln$suffix",             # Note: the firewall use 'fwln+' to filter traffic to VMs
        "fwpr${vmid}p${devid}",    # veth peer on the outer bridge
        "fwln${vmid}o${devid}",    # ovs internal port
    );
};
153 | ||
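# Create a Linux bridge unless a device of that name already exists.
#
# $bridge - bridge device name
#
# Dies if brctl fails. List-form system() keeps the name out of the shell.
my $cond_create_bridge = sub {
    my ($bridge) = @_;

    return if -d "/sys/class/net/$bridge";

    system('/sbin/brctl', 'addbr', $bridge) == 0
        or die "can't add bridge '$bridge'\n";
};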
162 | ||
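# Attach an interface to a Linux bridge and, if the bridge is VLAN-aware,
# configure the port's VLAN membership.
#
# $bridge - bridge device name
# $iface  - interface to attach
# $tag    - optional VLAN id: with a tag the port becomes an untagged access
#           port (pvid) for that VLAN, without one it may carry VLANs 2-4094
#
# Dies if brctl or bridge fail. Commands are run as argument lists so the
# names are not interpreted by a shell.
my $bridge_add_interface = sub {
    my ($bridge, $iface, $tag) = @_;

    system('/sbin/brctl', 'addif', $bridge, $iface) == 0
        or die "can't add interface '$iface' to bridge '$bridge'\n";

    my $vlan_aware = PVE::Tools::file_read_firstline("/sys/class/net/$bridge/bridge/vlan_filtering");
    return if !$vlan_aware;

    if ($tag) {
        system('/sbin/bridge', 'vlan', 'add', 'dev', $iface, 'vid', $tag, 'pvid', 'untagged') == 0
            or die "unable to add vlan $tag to interface $iface\n";
    } else {
        # no tag given: allow the whole usable VLAN range on this port
        system('/sbin/bridge', 'vlan', 'add', 'dev', $iface, 'vid', '2-4094') == 0
            or die "unable to add vlan range 2-4094 to interface $iface\n";
    }
};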
181 | ||
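# Add a port to an Open vSwitch bridge.
#
# $bridge   - OVS bridge name
# $iface    - port/interface name
# $tag      - optional VLAN tag for the port
# $internal - when true, also set the interface type to "internal"
#
# Dies if ovs-vsctl fails. The command is built as an argument list, so the
# names and the tag never pass through a shell.
my $ovs_bridge_add_port = sub {
    my ($bridge, $iface, $tag, $internal) = @_;

    my @cmd = ('/usr/bin/ovs-vsctl', 'add-port', $bridge, $iface);
    push @cmd, "tag=$tag" if $tag;
    push @cmd, '--', 'set', 'Interface', $iface, 'type=internal' if $internal;

    system(@cmd) == 0
        or die "can't add ovs port '$iface'\n";
};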
191 | ||
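# Bring a network interface up.
#
# $iface - interface name
#
# Dies if `ip link set ... up` fails. List-form system() avoids the shell.
my $activate_interface = sub {
    my ($iface) = @_;

    system('/sbin/ip', 'link', 'set', $iface, 'up') == 0
        or die "can't activate interface '$iface'\n";
};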
198 | ||
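# Bring a tap device up in promiscuous mode with the MTU of its bridge.
#
# $iface  - tap device name
# $bridge - bridge whose MTU the tap should use (required)
#
# Dies if no bridge is given, the bridge does not exist, or ifconfig fails;
# the underlying error is kept in the message so the failing step is visible.
sub tap_create {
    my ($iface, $bridge) = @_;

    die "unable to get bridge setting\n" if !$bridge;

    my $bridgemtu = $read_bridge_mtu->($bridge);

    # array form: the device name is passed as an argument, not via a shell
    eval {
        PVE::Tools::run_command(['/sbin/ifconfig', $iface, '0.0.0.0', 'promisc', 'up', 'mtu', $bridgemtu]);
    };
    if (my $err = $@) {
        die "interface activation failed: $err";
    }
}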
211 | ||
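# Create a veth pair (unless $veth already exists) with the MTU of the given
# bridge, then bring both ends up.
#
# $veth     - name of the first end
# $vethpeer - name of the peer end
# $bridge   - bridge whose MTU is used (required)
# $mac      - optional MAC address appended to the `ip link add` call
#
# Dies if no bridge is given, the bridge does not exist, or a command fails.
sub veth_create {
    my ($veth, $vethpeer, $bridge, $mac) = @_;

    die "unable to get bridge setting\n" if !$bridge;

    my $bridgemtu = $read_bridge_mtu->($bridge);

    # create veth pair; argument-list form so $mac and the names never reach a shell
    if (! -d "/sys/class/net/$veth") {
        my @cmd = ('/sbin/ip', 'link', 'add', 'name', $veth, 'type', 'veth',
                   'peer', 'name', $vethpeer, 'mtu', $bridgemtu);
        push @cmd, 'addr', $mac if $mac;
        system(@cmd) == 0 or die "can't create interface $veth\n";
    }

    # up vethpair
    $activate_interface->($veth);
    $activate_interface->($vethpeer);
}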
230 | ||
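# Delete a veth device if it exists.
#
# $veth - device name
#
# The command's output is discarded; run_command still dies if `ip` fails.
sub veth_delete {
    my ($veth) = @_;

    return if ! -d "/sys/class/net/$veth";

    # array form keeps the device name out of the shell
    run_command(['/sbin/ip', 'link', 'delete', 'dev', $veth], outfunc => sub {}, errfunc => sub {});
}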
239 | ||
# Put a VM device behind a dedicated firewall bridge (Linux bridge variant):
# fwbr<vmid>i<devid> holds the device and one end of a veth pair, the other
# end of the pair is a port of the real bridge (optionally VLAN tagged).
#
# $iface  - device name, tap<vmid>i<devid> or veth<vmid>i<devid>
# $bridge - the outer bridge
# $tag    - optional VLAN tag for the outer bridge port
my $create_firewall_bridge_linux = sub {
    my ($iface, $bridge, $tag) = @_;

    my ($vmid, $devid) = $parse_tap_device_name->($iface);
    my ($fwbr, $fw_inner, $fw_outer) = $compute_fwbr_names->($vmid, $devid);

    $cond_create_bridge->($fwbr);
    $activate_interface->($fwbr);

    copy_bridge_config($bridge, $fwbr);
    veth_create($fw_inner, $fw_outer, $bridge);

    $bridge_add_interface->($fwbr, $fw_inner);
    $bridge_add_interface->($bridge, $fw_outer, $tag);

    $bridge_add_interface->($fwbr, $iface);
};
257 | ||
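# Put a VM device behind a dedicated firewall bridge (Open vSwitch variant):
# fwbr<vmid>i<devid> holds the device and an OVS internal port that is added
# to the real OVS bridge (optionally VLAN tagged).
#
# $iface  - device name, tap<vmid>i<devid> or veth<vmid>i<devid>
# $bridge - the outer OVS bridge
# $tag    - optional VLAN tag for the OVS port
my $create_firewall_bridge_ovs = sub {
    my ($iface, $bridge, $tag) = @_;

    my ($vmid, $devid) = $parse_tap_device_name->($iface);
    my ($fwbr, undef, undef, $ovsintport) = $compute_fwbr_names->($vmid, $devid);

    my $bridgemtu = $read_bridge_mtu->($bridge);

    $cond_create_bridge->($fwbr);
    $activate_interface->($fwbr);

    $bridge_add_interface->($fwbr, $iface);

    $ovs_bridge_add_port->($bridge, $ovsintport, $tag, 1);
    $activate_interface->($ovsintport);

    # set the same mtu for ovs int port (array form: no shell involved)
    PVE::Tools::run_command(['/sbin/ifconfig', $ovsintport, 'mtu', $bridgemtu]);

    $bridge_add_interface->($fwbr, $ovsintport);
};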
279 | ||
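# Remove the firewall bridge devices belonging to a VM device, if present.
#
# $iface - device name; names that are not tap<vmid>i<devid> /
#          veth<vmid>i<devid> are silently ignored
#
# Output of the cleanup commands is discarded; run_command still dies on a
# failing command.
my $cleanup_firewall_bridge = sub {
    my ($iface) = @_;

    my ($vmid, $devid) = $parse_tap_device_name->($iface, 1);
    return if !defined($vmid);   # not one of our device names
    my ($fwbr, $vethfw, $vethfwpeer, $ovsintport) = $compute_fwbr_names->($vmid, $devid);

    my %quiet = (outfunc => sub {}, errfunc => sub {});

    # cleanup old port config from any openvswitch bridge
    if (-d "/sys/class/net/$ovsintport") {
        run_command(['/usr/bin/ovs-vsctl', 'del-port', $ovsintport], %quiet);
    }

    # delete old vethfw interface
    veth_delete($vethfw);

    # cleanup fwbr bridge
    if (-d "/sys/class/net/$fwbr") {
        run_command(['/sbin/ip', 'link', 'set', 'dev', $fwbr, 'down'], %quiet);
        run_command(['/sbin/brctl', 'delbr', $fwbr], %quiet);
    }
};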
301 | ||
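# Plug a VM device into a bridge, directly or behind a per-VM firewall bridge.
#
# $iface    - device name
# $bridge   - target bridge; treated as a Linux bridge when
#             /sys/class/net/<bridge>/bridge exists, as an OVS bridge otherwise
# $tag      - optional VLAN tag
# $firewall - when true, insert the firewall bridge (fwbr...) in between
#
# On a Linux bridge without VLAN filtering a tag is realised by a separate
# bridge "<bridge>v<tag>" (see activate_bridge_vlan); the device is then
# plugged into that bridge and the tag is not applied again.
sub tap_plug {
    my ($iface, $bridge, $tag, $firewall) = @_;

    # cleanup old port config from any openvswitch bridge (best-effort,
    # array form so the device name is not interpreted by a shell)
    eval { run_command(['/usr/bin/ovs-vsctl', 'del-port', $iface], outfunc => sub {}, errfunc => sub {}) };

    if (-d "/sys/class/net/$bridge/bridge") {
        $cleanup_firewall_bridge->($iface); # remove stale devices

        my $vlan_aware = PVE::Tools::file_read_firstline("/sys/class/net/$bridge/bridge/vlan_filtering");

        if (!$vlan_aware) {
            my $newbridge = activate_bridge_vlan($bridge, $tag);
            copy_bridge_config($bridge, $newbridge) if $bridge ne $newbridge;
            $bridge = $newbridge;
            $tag = undef;   # the VLAN is provided by $newbridge itself now
        }

        if ($firewall) {
            $create_firewall_bridge_linux->($iface, $bridge, $tag);
        } else {
            $bridge_add_interface->($bridge, $iface, $tag);
        }
    } else {
        $cleanup_firewall_bridge->($iface); # remove stale devices

        if ($firewall) {
            $create_firewall_bridge_ovs->($iface, $bridge, $tag);
        } else {
            $ovs_bridge_add_port->($bridge, $iface, $tag);
        }
    }
}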
336 | ||
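# Detach a VM device from the bridge it is a port of and remove its firewall
# bridge devices.
#
# $iface - device name
#
# Dies if brctl fails to remove the port.
sub tap_unplug {
    my ($iface) = @_;

    my $path = "/sys/class/net/$iface/brport/bridge";
    if (-l $path) {
        my $bridge = basename(readlink($path));
        # avoid insecure dependency: untaint the name read from sysfs
        ($bridge) = $bridge =~ /(\S+)/;

        # list form: neither name is interpreted by a shell
        system('/sbin/brctl', 'delif', $bridge, $iface) == 0
            or die "can't del interface '$iface' from bridge '$bridge'\n";
    }

    $cleanup_firewall_bridge->($iface);
}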
353 | ||
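# Copy a fixed set of bridge parameters from bridge $br0 to bridge $br1 via
# sysfs so that a derived bridge behaves like its parent.
#
# Only values that differ are written. A failure for one parameter is
# reported with warn and does not stop the remaining ones.
sub copy_bridge_config {
    my ($br0, $br1) = @_;

    return if $br0 eq $br1;

    my @br_configs = qw(ageing_time stp_state priority forward_delay
                        hello_time max_age multicast_snooping multicast_querier);

    for my $sysname (@br_configs) {
        eval {
            my $v0 = PVE::Tools::file_read_firstline("/sys/class/net/$br0/bridge/$sysname");
            my $v1 = PVE::Tools::file_read_firstline("/sys/class/net/$br1/bridge/$sysname");
            # a parameter the source bridge does not expose is skipped rather
            # than written as an undefined value
            if (defined($v0) && (!defined($v1) || $v0 ne $v1)) {
                PVE::ProcFSTools::write_proc_entry("/sys/class/net/$br1/bridge/$sysname", $v0);
            }
        };
        warn $@ if $@;
    }
}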
373 | ||
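# Make sure the VLAN sub-interface "<iface>.<tag>" exists, is up and is a
# port of bridge $bridgevlan.
#
# $bridgevlan - the VLAN bridge
# $iface      - physical interface
# $tag        - VLAN id
#
# Dies if the VLAN device cannot be created or is already a port of another
# bridge; returns early if it is already a port of $bridgevlan.
sub activate_bridge_vlan_slave {
    my ($bridgevlan, $iface, $tag) = @_;
    my $ifacevlan = "${iface}.$tag";

    # create the vlan device on $iface if it does not exist yet
    # (argument list: no shell interpretation of the names)
    if (! -d "/sys/class/net/$ifacevlan") {
        system('/sbin/ip', 'link', 'add', 'link', $iface, 'name', $ifacevlan, 'type', 'vlan', 'id', $tag) == 0
            or die "can't add vlan tag $tag to interface $iface\n";
    }

    # be sure to have the $ifacevlan up
    $activate_interface->($ifacevlan);

    # test if $ifacevlan is already enslaved in another bridge
    my $path = "/sys/class/net/$ifacevlan/brport/bridge";
    if (-l $path) {
        my $tbridge = basename(readlink($path));
        die "interface $ifacevlan already exist in bridge $tbridge\n" if $tbridge ne $bridgevlan;
        # Port already attached to bridge: do nothing.
        return;
    }

    # add $ifacevlan to the bridge
    $bridge_add_interface->($bridgevlan, $ifacevlan);
}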
402 | ||
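# Provide a bridge carrying VLAN $tag_param on top of $bridge's physical
# ports and return its name.
#
# $bridge    - existing (active) bridge
# $tag_param - VLAN id, or undef for "no VLAN"
#
# Returns $bridge itself when no tag is given, otherwise "<bridge>v<tag>",
# created if needed and with a "<port>.<tag>" VLAN device of every physical
# port (eth*/bond*) of $bridge enslaved. Dies if $bridge is not active, the
# tag is out of range, $bridge has no physical port, or a command fails.
sub activate_bridge_vlan {
    my ($bridge, $tag_param) = @_;

    die "bridge '$bridge' is not active\n" if ! -d "/sys/class/net/$bridge";

    return $bridge if !defined($tag_param); # no vlan, simply return

    # non-numeric input becomes 0 here and is rejected by the range check
    my $tag = int($tag_param);

    die "got strange vlan tag '$tag_param'\n" if $tag < 1 || $tag > 4094;

    my $bridgevlan = "${bridge}v$tag";

    # collect the physical ports of $bridge (eth/bond, possibly VLAN tagged)
    my @ifaces = ();
    my $dir = "/sys/class/net/$bridge/brif";
    PVE::Tools::dir_glob_foreach($dir, '((eth|bond)\d+(\.\d+)?)', sub {
        push @ifaces, $_[0];
    });

    die "no physical interface on bridge '$bridge'\n" if scalar(@ifaces) == 0;

    # add bridgevlan if it doesn't already exist (list form avoids the shell)
    if (! -d "/sys/class/net/$bridgevlan") {
        system('/sbin/brctl', 'addbr', $bridgevlan) == 0
            or die "can't add bridge $bridgevlan\n";
    }

    # for each physical interface (eth or bond) bind them to bridge vlan
    for my $iface (@ifaces) {
        activate_bridge_vlan_slave($bridgevlan, $iface, $tag);
    }

    #fixme: set other bridge flags

    # be sure to have the bridge up
    system('/sbin/ip', 'link', 'set', $bridgevlan, 'up') == 0
        or die "can't up bridge $bridgevlan\n";

    return $bridgevlan;
}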
443 | ||
# Check whether a TCP port on a host accepts connections.
#
# $host    - host name or address
# $port    - TCP port; defaults to 7 (echo) when false/omitted
# $timeout - seconds to wait, default 3
#
# Returns 1 when a connection could be established. When no port was given,
# a refused connection also yields 1 (host is up, mirroring Net::Ping's
# default); with an explicit port it yields 0. On timeout the eval error is
# discarded and whatever run_with_timeout left in $result is returned
# (presumably false/undef).
sub tcp_ping {
    my ($host, $port, $timeout) = @_;

    my $refused = 1;   # value reported for a refused connection

    $timeout = 3 if !$timeout; # sane default
    if (!$port) {
        # Net::Ping defaults to the echo port
        $port = 7;
    } else {
        # Net::Ping's port_number() implies service_check(1)
        $refused = 0;
    }

    my ($sock, $result);
    eval {
        # NOTE(review): $result is set both inside the callback and from the
        # return value of run_with_timeout (the callback's last expression);
        # the successful case is fixed up below once $sock is known.
        $result = PVE::Tools::run_with_timeout($timeout, sub {
            # SOCK_STREAM is assumed to be exported through IO::Socket::IP - confirm
            $sock = IO::Socket::IP->new(PeerHost => $host, PeerPort => $port, Type => SOCK_STREAM);
            $result = $refused if $! == ECONNREFUSED;
        });
    };
    if ($sock) {
        $sock->close();
        $result = 1;
    }
    return $result;
}
471 | ||
# Build a Net::IP object for the network part of a CIDR string, i.e. the
# address with its host bits cleared.
#
# $cidr    - "<address>/<prefix>"
# $version - optional IP version hint handed to Net::IP
#
# Returns the Net::IP object, or nothing (undef in scalar context) when the
# string is not of the expected form or the address or prefix is invalid.
sub IP_from_cidr {
    my ($cidr, $version) = @_;

    my ($addr, $prefix) = ($cidr =~ m!^(\S+?)/(\S+)$!)
        or return;

    my $addr_obj = Net::IP->new($addr, $version)
        or return;

    # use the version Net::IP actually detected for the address
    $version = $addr_obj->version();

    my $binmask = Net::IP::ip_get_mask($prefix, $version)
        or return;

    # clear the host bits by masking the binary address
    my $network = Net::IP::ip_bintoip($addr_obj->binip() & $binmask, $version);

    return Net::IP->new("$network/$prefix");
}
490 | ||
# Test whether an IP address lies inside a CIDR network.
#
# $ip      - address to test
# $cidr    - "<address>/<prefix>"
# $version - optional IP version hint handed to Net::IP
#
# Returns true/false, or undef when either the CIDR or the address cannot
# be parsed.
sub is_ip_in_cidr {
    my ($ip, $cidr, $version) = @_;

    my $net = IP_from_cidr($cidr, $version)
        or return undef;

    my $addr = Net::IP->new($ip, $version)
        or return undef;

    # overlaps() classifies how the two ranges relate; "B in A" means the
    # address range is contained in the network
    return $net->overlaps($addr) == $Net::IP::IP_B_IN_A_OVERLAP;
}
502 | ||
503 | 1; |