1 | package PVE::Network; | |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use PVE::INotify; | |
7 | use PVE::ProcFSTools; | |
8 | use PVE::Tools qw(run_command lock_file); | |
9 | ||
10 | use File::Basename; | |
11 | use IO::Socket::IP; | |
12 | use Net::IP; | |
13 | use POSIX qw(ECONNREFUSED); | |
14 | use Socket qw(NI_NUMERICHOST NI_NUMERICSERV); | |
15 | ||
16 | # host network related utility functions | |
17 | ||
# Interface names treated as physical NICs: classic ethN, predictable en*
# names (anything containing ':' or '.' is excluded) and InfiniBand ibN.
our $PHYSICAL_NIC_RE = qr/(?: eth\d+ | en[^:.]+ | ib\d+ )/x;
19 | ||
# Dotted-quad netmask indexed by IPv4 prefix length (0..32),
# e.g. $ipv4_reverse_mask->[24] eq '255.255.255.0'.
our $ipv4_reverse_mask = [
    map {
        # prefix 0 has no set bits; special-cased to avoid shifting by 32
        my $bits = $_ ? (0xFFFFFFFF << (32 - $_)) & 0xFFFFFFFF : 0;
        join('.', unpack('C4', pack('N', $bits)));
    } 0 .. 32
];
55 | ||
# Reverse lookup: dotted-quad netmask => prefix length, for the
# "local network" range of prefixes 8..32 only.
our $ipv4_mask_hash_localnet = +{
    map {
        my $bits = (0xFFFFFFFF << (32 - $_)) & 0xFFFFFFFF;
        (join('.', unpack('C4', pack('N', $bits))) => $_);
    } 8 .. 32
};
83 | ||
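# Replace any existing tc rate limit on $iface with an egress (htb class)
# and ingress (police filter) limit of $rate, in tc 'bps' units (bytes per
# second), with a burst of $burst bytes.  A false $rate only removes the
# old limits.  Every tc call uses the list form of run_command, so $iface
# is never interpolated into a shell command line.
sub setup_tc_rate_limit {
    my ($iface, $rate, $burst) = @_;

    # discard all output of the cleanup calls (the former '>/dev/null 2>&1')
    my @quiet = (outfunc => sub {}, errfunc => sub {});

    # these are allowed / expected to fail, e.g. when there is no previous rate limit to remove
    eval { run_command(['/sbin/tc', 'class', 'del', 'dev', $iface, 'parent', '1:', 'classid', '1:1'], @quiet); };
    eval { run_command(['/sbin/tc', 'filter', 'del', 'dev', $iface, 'parent', 'ffff:', 'protocol', 'all', 'pref', '50', 'u32'], @quiet); };
    eval { run_command(['/sbin/tc', 'qdisc', 'del', 'dev', $iface, 'ingress'], @quiet); };
    eval { run_command(['/sbin/tc', 'qdisc', 'del', 'dev', $iface, 'root'], @quiet); };

    return if !$rate;

    # tbf does not work for unknown reason
    #$TC qdisc add dev $DEV root tbf rate $RATE latency 100ms burst $BURST
    # so we use htb instead
    run_command(['/sbin/tc', 'qdisc', 'add', 'dev', $iface, 'root', 'handle', '1:', 'htb', 'default', '1']);
    run_command(['/sbin/tc', 'class', 'add', 'dev', $iface, 'parent', '1:', 'classid', '1:1',
        'htb', 'rate', "${rate}bps", 'burst', "${burst}b"]);

    # ingress has no classes; police the traffic on a catch-all filter instead
    run_command(['/sbin/tc', 'qdisc', 'add', 'dev', $iface, 'handle', 'ffff:', 'ingress']);
    run_command(['/sbin/tc', 'filter', 'add', 'dev', $iface, 'parent', 'ffff:',
        'prio', '50', 'basic',
        'police', 'rate', "${rate}bps", 'burst', "${burst}b", 'mtu', '64kb',
        'drop']);
}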
108 | ||
# Apply a rate limit given in MiB/s to a guest NIC (it is multiplied out
# to bytes per second for tc); a false $rate just clears any limit.
sub tap_rate_limit {
    my ($iface, $rate) = @_;

    my $bytes_per_sec = $rate ? int($rate * 1024 * 1024) : $rate;
    my $burst_bytes = 1024 * 1024;    # fixed 1 MiB burst

    setup_tc_rate_limit($iface, $bytes_per_sec, $burst_bytes);
}
117 | ||
# Read the MTU of an existing bridge from sysfs and return it as an integer.
# Dies when the bridge does not exist or the value is not a plain number
# (the anchored match also untaints it).
sub read_bridge_mtu {
    my ($bridge) = @_;

    my $raw = PVE::Tools::file_read_firstline("/sys/class/net/$bridge/mtu");
    die "bridge '$bridge' does not exist\n" unless $raw;

    # avoid insecure dependency;
    my ($digits) = ($raw =~ /^(\d+)$/)
        or die "unable to parse mtu value";

    return int($digits);
}
129 | ||
# Split a guest NIC name of the form tap<vmid>i<devid> or veth<vmid>i<devid>
# into ($vmid, $devid).  Any other name dies, or yields undef when $noerr
# is set.
my $parse_tap_device_name = sub {
    my ($iface, $noerr) = @_;

    if (my ($vmid, $devid) = $iface =~ m/^(?:tap|veth)(\d+)i(\d+)$/) {
        return ($vmid, $devid);
    }

    return undef if $noerr;
    die "can't create firewall bridge for random interface name '$iface'\n";
};
148 | ||
# Derive the firewall helper device names for a guest NIC from its
# ($vmid, $devid): the fwbr bridge, the veth leg plus its peer (Linux
# bridges) and the internal port (OVS bridges).
my $compute_fwbr_names = sub {
    my ($vmid, $devid) = @_;

    my $fwbr = sprintf('fwbr%si%s', $vmid, $devid);
    # Note: the firewall use 'fwln+' to filter traffic to VMs
    my $vethfw = sprintf('fwln%si%s', $vmid, $devid);
    my $vethfwpeer = sprintf('fwpr%sp%s', $vmid, $devid);
    my $ovsintport = sprintf('fwln%so%s', $vmid, $devid);

    return ($fwbr, $vethfw, $vethfwpeer, $ovsintport);
};
160 | ||
# Delete a network interface with 'ip link delete'; dies on failure.
sub iface_delete($) {
    my ($iface) = @_;
    my $rc = run_command(['/sbin/ip', 'link', 'delete', 'dev', $iface], noerr => 1);
    die "failed to delete interface '$iface'\n" if $rc != 0;
}
166 | ||
# Create an interface of the given link type ('ip link add'), passing
# any extra @args through to ip; dies on failure.
sub iface_create($$@) {
    my ($iface, $type, @args) = @_;
    my $cmd = ['/sbin/ip', 'link', 'add', $iface, 'type', $type, @args];
    die "failed to create interface '$iface'\n" if run_command($cmd, noerr => 1) != 0;
}
172 | ||
# Apply 'ip link set' options to an interface; dies with the options
# listed on failure.
sub iface_set($@) {
    my ($iface, @opts) = @_;
    my $rc = run_command(['/sbin/ip', 'link', 'set', $iface, @opts], noerr => 1);
    if ($rc != 0) {
        my $optstr = join(' ', @opts);
        die "failed to set interface options for '$iface' ($optstr)\n";
    }
}
178 | ||
# Enslave $iface to $master, or release it from its master when $master is
# undef.  Wraps iface_set only to produce a nicer error message.
sub iface_set_master($$) {
    my ($iface, $master) = @_;

    my @opts = defined($master) ? ('master', $master) : ('nomaster');
    my $failure = defined($master)
        ? "can't enslave '$iface' to '$master'"
        : "can't unenslave '$iface'";

    eval { iface_set($iface, @opts) };
    die "$failure\n" if $@;
}
190 | ||
# Create a Linux bridge (with IPv6 disabled) unless it already exists.
my $cond_create_bridge = sub {
    my ($bridge) = @_;

    return if -d "/sys/class/net/$bridge";    # already present

    iface_create($bridge, 'bridge');
    disable_ipv6($bridge);
};
199 | ||
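# Write 1 to the per-interface disable_ipv6 sysctl so the device gets no
# (link-local) IPv6 address.  A no-op when IPv6 is not available at all.
# Dies if the sysctl cannot be opened or written.
sub disable_ipv6 {
    my ($iface) = @_;
    return if !-d '/proc/sys/net/ipv6'; # ipv6 might be completely disabled
    my $file = "/proc/sys/net/ipv6/conf/$iface/disable_ipv6";
    open(my $fh, '>', $file) or die "failed to open $file for writing: $!\n";
    print {$fh} "1\n" or die "failed to disable link-local ipv6 for $iface\n";
    # the handle is buffered, so a kernel error (e.g. the interface vanished
    # in between) only surfaces when the data is flushed on close
    close($fh) or die "failed to disable link-local ipv6 for $iface: $!\n";
}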
208 | ||
# Enslave $iface to $bridge and, when the bridge is VLAN aware, program
# its VLAN membership: either the ';'-separated $trunks ranges or, without
# a $tag, all of 2-4094; $tag (default 1) becomes the untagged PVID.
my $bridge_add_interface = sub {
    my ($bridge, $iface, $tag, $trunks) = @_;

    # drop link local address (it can't be used when on a bridge anyway)
    disable_ipv6($iface);
    iface_set_master($iface, $bridge);

    my $vlan_filtering = PVE::Tools::file_read_firstline("/sys/class/net/$bridge/bridge/vlan_filtering");
    return if !$vlan_filtering;

    my $bridge_vlan = sub {
        my ($action, $errmsg, @args) = @_;
        eval { run_command(['/sbin/bridge', 'vlan', $action, 'dev', $iface, @args]) };
        die "$errmsg - $@\n" if $@;
    };

    # start from a clean slate: the kernel adds vid 1 by default
    $bridge_vlan->('del', "failed to remove default vlan tags of $iface", 'vid', '1-4094');

    if ($trunks) {
        for my $trunk (split /;/, $trunks) {
            $bridge_vlan->('add', "unable to add vlan $trunk to interface $iface", 'vid', $trunk);
        }
    } elsif (!$tag) {
        $bridge_vlan->('add', "unable to add default vlan tags to interface $iface", 'vid', '2-4094');
    }

    $tag ||= 1;
    $bridge_vlan->('add', "unable to add vlan $tag to interface $iface", 'vid', $tag, 'pvid', 'untagged');
};
239 | ||
# Add $iface as a port of the OVS bridge $bridge, optionally with an access
# $tag and/or ';'-separated $trunks (both given: native-untagged mode), and
# mark it as an internal interface when $internal is set.
my $ovs_bridge_add_port = sub {
    my ($bridge, $iface, $tag, $internal, $trunks) = @_;

    # ovs-vsctl wants a comma separated trunk list
    $trunks =~ s/;/,/g if $trunks;

    my @port_opts;
    push @port_opts, "tag=$tag" if $tag;
    push @port_opts, "trunks=$trunks" if $trunks;
    push @port_opts, 'vlan_mode=native-untagged' if $tag && $trunks;

    # first command
    my @cmd = ('/usr/bin/ovs-vsctl', '--', 'add-port', $bridge, $iface, @port_opts);
    # second command, same ovs-vsctl transaction
    push @cmd, '--', 'set', 'Interface', $iface, 'type=internal' if $internal;

    eval { run_command(\@cmd) };
    die "can't add ovs port '$iface' - $@\n" if $@;

    disable_ipv6($iface);
};
262 | ||
# Bring an interface up ('ip link set ... up'); dies on failure.
my $activate_interface = sub {
    my ($iface) = @_;

    my $ok = eval { run_command(['/sbin/ip', 'link', 'set', $iface, 'up']); 1 };
    die "can't activate interface '$iface' - $@\n" unless $ok;
};
269 | ||
# Bring a tap device up in promiscuous mode with the MTU of $bridge and
# without IPv6.  Dies if $bridge is missing or activation fails.
sub tap_create {
    my ($iface, $bridge) = @_;

    die "unable to get bridge setting\n" unless $bridge;

    my $mtu = read_bridge_mtu($bridge);

    my $ok = eval {
        disable_ipv6($iface);
        run_command(['/sbin/ip', 'link', 'set', $iface, 'up', 'promisc', 'on', 'mtu', $mtu]);
        1;
    };
    die "interface activation failed\n" unless $ok;
}
283 | ||
# Create the veth pair $veth/$vethpeer with the MTU of $bridge (and an
# optional MAC on the peer) unless it exists, then disable IPv6 on both
# ends and bring them up.
sub veth_create {
    my ($veth, $vethpeer, $bridge, $mac) = @_;

    die "unable to get bridge setting\n" unless $bridge;

    my $mtu = read_bridge_mtu($bridge);

    # create veth pair (only when it is not already there)
    unless (-d "/sys/class/net/$veth") {
        my @cmd = (
            '/sbin/ip', 'link', 'add',
            'name', $veth, 'mtu', $mtu,               # veth device + MTU
            'type', 'veth',
            'peer', 'name', $vethpeer, 'mtu', $mtu,   # peer device + MTU
        );
        push @cmd, 'addr', $mac if $mac;

        eval { run_command(\@cmd) };
        die "can't create interface $veth - $@\n" if $@;
    }

    # up vethpair
    for my $dev ($veth, $vethpeer) {
        disable_ipv6($dev);
    }
    for my $dev ($veth, $vethpeer) {
        $activate_interface->($dev);
    }
}
313 | ||
# Delete a veth device if present and, best effort, any firewall bridge or
# OVS port configuration still referring to it.
sub veth_delete {
    my ($veth) = @_;

    iface_delete($veth) if -d "/sys/class/net/$veth";
    eval { tap_unplug($veth) };
}
322 | ||
# Insert the firewall bridge between a guest NIC and a Linux bridge:
# guest NIC -> fwbr -> veth pair -> $bridge (with $tag/$trunks on the
# $bridge side).
my $create_firewall_bridge_linux = sub {
    my ($iface, $bridge, $tag, $trunks) = @_;

    my ($fwbr, $vethfw, $vethfwpeer) = $compute_fwbr_names->($parse_tap_device_name->($iface));

    $cond_create_bridge->($fwbr);
    $activate_interface->($fwbr);

    copy_bridge_config($bridge, $fwbr);
    veth_create($vethfw, $vethfwpeer, $bridge);

    $bridge_add_interface->($fwbr, $vethfw);
    $bridge_add_interface->($bridge, $vethfwpeer, $tag, $trunks);

    $bridge_add_interface->($fwbr, $iface);
};
340 | ||
# Insert the firewall bridge between a guest NIC and an OVS bridge:
# guest NIC -> fwbr -> OVS internal port (with $tag/$trunks) on $bridge.
my $create_firewall_bridge_ovs = sub {
    my ($iface, $bridge, $tag, $trunks) = @_;

    my ($fwbr, undef, undef, $ovsintport) = $compute_fwbr_names->($parse_tap_device_name->($iface));

    my $mtu = read_bridge_mtu($bridge);

    $cond_create_bridge->($fwbr);
    $activate_interface->($fwbr);

    $bridge_add_interface->($fwbr, $iface);

    $ovs_bridge_add_port->($bridge, $ovsintport, $tag, 1, $trunks);
    $activate_interface->($ovsintport);

    # set the same mtu for ovs int port
    run_command(['/sbin/ip', 'link', 'set', $ovsintport, 'mtu', $mtu]);

    $bridge_add_interface->($fwbr, $ovsintport);
};
362 | ||
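# Remove the firewall helper devices (OVS internal port, veth pair, fwbr
# bridge) belonging to a tap/veth guest NIC; does nothing for interface
# names that do not follow the tap<vmid>i<devid>/veth<vmid>i<devid> scheme.
my $cleanup_firewall_bridge = sub {
    my ($iface) = @_;

    my ($vmid, $devid) = $parse_tap_device_name->($iface, 1);
    return if !defined($vmid);
    my ($fwbr, $vethfw, $vethfwpeer, $ovsintport) = $compute_fwbr_names->($vmid, $devid);

    # cleanup old port config from any openvswitch bridge
    # (list form, as for the ip/bridge calls: no shell is involved)
    if (-d "/sys/class/net/$ovsintport") {
        run_command(['/usr/bin/ovs-vsctl', 'del-port', $ovsintport], outfunc => sub {}, errfunc => sub {});
    }

    # delete old vethfw interface
    veth_delete($vethfw);

    # cleanup fwbr bridge
    iface_delete($fwbr) if -d "/sys/class/net/$fwbr";
};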
383 | ||
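# Attach a guest NIC $iface to $bridge - a Linux bridge if it has a
# sysfs 'bridge' directory, otherwise assumed to be an OVS bridge - with an
# optional VLAN $tag, ';'-separated $trunks, the firewall helper bridge
# ($firewall) and a rate limit in MiB/s ($rate).
sub tap_plug {
    my ($iface, $bridge, $tag, $firewall, $trunks, $rate) = @_;

    #cleanup old port config from any openvswitch bridge
    # (best effort; list form so $iface never reaches a shell)
    eval { run_command(['/usr/bin/ovs-vsctl', 'del-port', $iface], outfunc => sub {}, errfunc => sub {}) };

    if (-d "/sys/class/net/$bridge/bridge") {
        $cleanup_firewall_bridge->($iface); # remove stale devices

        my $vlan_aware = PVE::Tools::file_read_firstline("/sys/class/net/$bridge/bridge/vlan_filtering");

        if (!$vlan_aware) {
            die "vlan aware feature need to be enabled to use trunks" if $trunks;
            # legacy VLAN setup: a dedicated per-tag bridge carries the tag,
            # so the port itself is added untagged
            my $newbridge = activate_bridge_vlan($bridge, $tag);
            copy_bridge_config($bridge, $newbridge) if $bridge ne $newbridge;
            $bridge = $newbridge;
            $tag = undef;
        }

        if ($firewall) {
            $create_firewall_bridge_linux->($iface, $bridge, $tag, $trunks);
        } else {
            $bridge_add_interface->($bridge, $iface, $tag, $trunks);
        }

    } else {
        $cleanup_firewall_bridge->($iface); # remove stale devices

        if ($firewall) {
            $create_firewall_bridge_ovs->($iface, $bridge, $tag, $trunks);
        } else {
            $ovs_bridge_add_port->($bridge, $iface, $tag, undef, $trunks);
        }
    }

    tap_rate_limit($iface, $rate);
}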
421 | ||
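# Detach a guest NIC from whatever it is plugged into: release it from a
# Linux bridge if enslaved, tear down its firewall helper devices and
# remove it from any OVS bridge (best effort).
sub tap_unplug {
    my ($iface) = @_;

    # only a bridge port has this symlink; the target bridge name is not needed
    if (-l "/sys/class/net/$iface/brport/bridge") {
        iface_set_master($iface, undef);
    }

    $cleanup_firewall_bridge->($iface);
    #cleanup old port config from any openvswitch bridge
    # (list form so $iface never reaches a shell)
    eval { run_command(['/usr/bin/ovs-vsctl', 'del-port', $iface], outfunc => sub {}, errfunc => sub {}) };
}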
438 | ||
# Copy a fixed set of bridge sysfs settings from $br0 to $br1 where they
# differ.  Failures for individual settings are only warned about.
sub copy_bridge_config {
    my ($br0, $br1) = @_;

    return if $br0 eq $br1;

    my @settings = qw(ageing_time stp_state priority forward_delay
        hello_time max_age multicast_snooping multicast_querier);

    for my $sysname (@settings) {
        my $src = "/sys/class/net/$br0/bridge/$sysname";
        my $dst = "/sys/class/net/$br1/bridge/$sysname";
        eval {
            my $from = PVE::Tools::file_read_firstline($src);
            my $to = PVE::Tools::file_read_firstline($dst);
            PVE::ProcFSTools::write_proc_entry($dst, $from) if $from ne $to;
        };
        warn $@ if $@;
    }
}
458 | ||
# Make sure the VLAN sub-interface "$iface.$tag" exists, is up and is a
# port of $bridgevlan.  Dies if it is already a port of a different bridge.
sub activate_bridge_vlan_slave {
    my ($bridgevlan, $iface, $tag) = @_;
    my $ifacevlan = "${iface}.$tag";

    # create vlan on $iface is not already exist
    unless (-d "/sys/class/net/$ifacevlan") {
        my @cmd = ('/sbin/ip', 'link', 'add', 'link', $iface, 'name', $ifacevlan, 'type', 'vlan', 'id', $tag);
        my $ok = eval { run_command(\@cmd); 1 };
        die "can't add vlan tag $tag to interface $iface - $@\n" unless $ok;

        # remove ipv6 link-local address before activation
        disable_ipv6($ifacevlan);
    }

    # be sure to have the $ifacevlan up
    $activate_interface->($ifacevlan);

    # test if $vlaniface is already enslaved in another bridge
    my $brlink = "/sys/class/net/$ifacevlan/brport/bridge";
    if (-l $brlink) {
        my $current = basename(readlink($brlink));
        die "interface $ifacevlan already exist in bridge $current\n" if $current ne $bridgevlan;
        # Port already attached to bridge: do nothing.
        return;
    }

    # add $ifacevlan to the bridge
    $bridge_add_interface->($bridgevlan, $ifacevlan);
}
496 | ||
# Legacy (non VLAN-aware) VLAN support: return $bridge itself when no tag
# is given, otherwise create/activate the per-tag bridge "${bridge}v$tag"
# backed by VLAN sub-interfaces of every physical port of $bridge, and
# return its name.  Dies for a missing bridge, a tag outside 1..4094 or a
# bridge without physical ports.
sub activate_bridge_vlan {
    my ($bridge, $tag_param) = @_;

    die "bridge '$bridge' is not active\n" unless -d "/sys/class/net/$bridge";

    return $bridge unless defined($tag_param); # no vlan, simply return

    my $tag = int($tag_param);
    die "got strange vlan tag '$tag_param'\n" unless $tag >= 1 && $tag <= 4094;

    my $bridgevlan = "${bridge}v$tag";

    # physical or bonded ports of $bridge, possibly already vlan-tagged
    my @ifaces;
    PVE::Tools::dir_glob_foreach("/sys/class/net/$bridge/brif", '(((eth|bond)\d+|en[^.]+)(\.\d+)?)', sub {
        push @ifaces, shift;
    });

    die "no physical interface on bridge '$bridge'\n" unless @ifaces;

    lock_network(sub {
        # add bridgevlan if it doesn't already exist
        iface_create($bridgevlan, 'bridge') unless -d "/sys/class/net/$bridgevlan";

        # for each physical interface (eth or bridge) bind them to bridge vlan
        for my $iface (@ifaces) {
            activate_bridge_vlan_slave($bridgevlan, $iface, $tag);
        }

        #fixme: set other bridge flags

        # remove ipv6 link-local address before activation
        disable_ipv6($bridgevlan);
        # be sure to have the bridge up
        $activate_interface->($bridgevlan);
    });

    return $bridgevlan;
}
538 | ||
# TCP connect probe of $host:$port with a timeout (default 3 seconds).
# Returns true when a connection was established.  Without $port the echo
# port (7) is probed and, mirroring Net::Ping, a refused connection also
# counts as success ($refused = 1); with an explicit $port a refused
# connection means the service is down ($refused = 0).
sub tcp_ping {
    my ($host, $port, $timeout) = @_;

    my $refused = 1;

    $timeout = 3 if !$timeout; # sane default
    if (!$port) {
        # Net::Ping defaults to the echo port
        $port = 7;
    } else {
        # Net::Ping's port_number() implies service_check(1)
        $refused = 0;
    }

    my ($sock, $result);
    eval {
        $result = PVE::Tools::run_with_timeout($timeout, sub {
            $sock = IO::Socket::IP->new(PeerHost => $host, PeerPort => $port, Type => SOCK_STREAM);
            # NOTE(review): this statement is also the closure's return value,
            # which the outer assignment copies back into $result, so $result
            # ends up false unless the connection was refused
            $result = $refused if $! == ECONNREFUSED;
        });
    };
    # a timeout (or any other die) leaves $sock undef and $result as it was
    if ($sock) {
        $sock->close();
        $result = 1;
    }
    return $result;
}
566 | ||
# Parse "address/prefix" into a Net::IP object for the network address
# (host bits cleared), optionally forcing an IP $version.  Returns an
# empty list for anything that does not parse.
sub IP_from_cidr {
    my ($cidr, $version) = @_;

    my ($ip, $prefix) = $cidr =~ m!^(\S+?)/(\S+)$!
        or return;

    my $ipobj = Net::IP->new($ip, $version) or return;
    $version = $ipobj->version();

    my $binmask = Net::IP::ip_get_mask($prefix, $version) or return;

    # zero the host bits so the returned object is the network itself
    my $network = Net::IP::ip_bintoip($ipobj->binip() & $binmask, $version);
    return Net::IP->new("$network/$prefix");
}
585 | ||
# True when $ip lies inside the network given by $cidr; undef when either
# argument does not parse.
sub is_ip_in_cidr {
    my ($ip, $cidr, $version) = @_;

    my $net = IP_from_cidr($cidr, $version) or return undef;
    my $addr = Net::IP->new($ip, $version) or return undef;

    return $net->overlaps($addr) == $Net::IP::IP_B_IN_A_OVERLAP;
}
597 | ||
598 | ||
# Return an array ref of the local addresses (on interfaces that are up)
# falling into $cidr, as reported by 'ip address show to'.
sub get_local_ip_from_cidr {
    my ($cidr) = @_;

    my @ips;
    my $collect = sub {
        my ($line) = @_;
        push @ips, $1 if $line =~ m!^\s*inet(?:6)?\s+($PVE::Tools::IPRE)(?:/\d+|\s+peer\s+)!;
    };
    run_command(['/sbin/ip', 'address', 'show', 'to', $cidr, 'up'], outfunc => $collect);

    return \@ips;
}
611 | ||
# Convert a packed socket address into its numeric host string (and the
# port as well in list context); dies if getnameinfo fails.
sub addr_to_ip {
    my ($addr) = @_;
    my ($err, $host, $port) = Socket::getnameinfo($addr, NI_NUMERICHOST | NI_NUMERICSERV);
    die "failed to get numerical host address: $err\n" if $err;
    return wantarray ? ($host, $port) : $host;
}
619 | ||
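# Resolve $hostname to its first non-loopback address.  Returns the address
# (and the address family in list context); dies on failure, or returns
# undef when $noerr is set.  The error for a name that only resolves to
# loopback reports that loopback address (previously it interpolated the
# still-undefined result, giving an empty string plus a warning).
sub get_ip_from_hostname {
    my ($hostname, $noerr) = @_;

    my @res = eval { PVE::Tools::getaddrinfo_all($hostname) };
    if ($@) {
        die "hostname lookup '$hostname' failed - $@" if !$noerr;
        return undef;
    }

    my ($ip, $family, $local_ip);
    for my $ai (@res) {
        my $tmpip = addr_to_ip($ai->{addr});
        if ($tmpip =~ m/^127\.|^::1$/) {
            $local_ip = $tmpip; # remembered only for the error message
            next;
        }
        ($ip, $family) = ($tmpip, $ai->{family});
        last;
    }
    if (!defined($ip)) {
        my $reason = defined($local_ip)
            ? "got local IP address '$local_ip'"
            : "no address found";
        die "hostname lookup '$hostname' failed - $reason\n" if !$noerr;
        return undef;
    }

    return wantarray ? ($ip, $family) : $ip;
}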
645 | ||
# Run $code (with @param) under the host-wide network lock, waiting up to
# 10 seconds for it; rethrows any error from $code and returns its result.
sub lock_network {
    my ($code, @param) = @_;
    my $result = lock_file('/var/lock/pve-network.lck', 10, $code, @param);
    die $@ if $@;
    return $result;
}
652 | ||
653 | 1; |