X-Git-Url: https://git.proxmox.com/?p=pve-common.git;a=blobdiff_plain;f=src%2FPVE%2FNetwork.pm;h=71af2b889bbbd6da5ce6651581c6197bf531935d;hp=024b9b4917afc62318d54ca75da86f27b71da208;hb=5d662b31b74ac171cb03378df4acc57a71d1c8e2;hpb=bf52d27bb383f394ca1e4d66a9e351622c09898f diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm index 024b9b4..71af2b8 100644 --- a/src/PVE/Network.pm +++ b/src/PVE/Network.pm @@ -11,6 +11,12 @@ use POSIX qw(ECONNREFUSED); use Net::IP; +use Socket qw(IPPROTO_IP); + +use constant IFF_UP => 1; +use constant IFNAMSIZ => 16; +use constant SIOCGIFFLAGS => 0x8913; + # host network related utility functions our $ipv4_reverse_mask = [ @@ -70,10 +76,11 @@ our $ipv4_mask_hash_localnet = { sub setup_tc_rate_limit { my ($iface, $rate, $burst, $debug) = @_; - system("/sbin/tc class del dev $iface parent 1: classid 1:1 >/dev/null 2>&1"); - system("/sbin/tc filter del dev $iface parent ffff: protocol all pref 50 u32 >/dev/null 2>&1"); - system("/sbin/tc qdisc del dev $iface ingress >/dev/null 2>&1"); - system("/sbin/tc qdisc del dev $iface root >/dev/null 2>&1"); + # these are allowed / expected to fail, e.g. when there is no previous rate limit to remove + eval { run_command("/sbin/tc class del dev $iface parent 1: classid 1:1 >/dev/null 2>&1"); }; + eval { run_command("/sbin/tc filter del dev $iface parent ffff: protocol all pref 50 u32 >/dev/null 2>&1"); }; + eval { run_command("/sbin/tc qdisc del dev $iface ingress >/dev/null 2>&1"); }; + eval { run_command("/sbin/tc qdisc del dev $iface root >/dev/null 2>&1"); }; return if !$rate; @@ -86,7 +93,7 @@ sub setup_tc_rate_limit { run_command("/sbin/tc qdisc add dev $iface handle ffff: ingress"); run_command("/sbin/tc filter add dev $iface parent ffff: " . - "protocol all prio 50 u32 match u32 0 0 " . + "prio 50 basic " . "police rate ${rate}bps burst ${burst}b mtu 64kb " . "drop flowid :1"); @@ -102,7 +109,7 @@ sub tap_rate_limit { my ($iface, $rate) = @_; my $debug = 0; - $rate = int($rate*1024*1024); + $rate = int($rate*1024*1024) if $rate; my $burst = 1024*1024; setup_tc_rate_limit($iface, $rate, $burst, $debug); @@ -161,7 +168,7 @@ my $cond_create_bridge = sub { }; my $bridge_add_interface = sub { - my ($bridge, $iface, $tag) = @_; + my ($bridge, $iface, $tag, $trunks) = @_; system("/sbin/brctl addif $bridge $iface") == 0 || die "can't add interface 'iface' to bridge '$bridge'\n"; @@ -172,18 +179,33 @@ my $bridge_add_interface = sub { if ($tag) { system("/sbin/bridge vlan add dev $iface vid $tag pvid untagged") == 0 || die "unable to add vlan $tag to interface $iface\n"; + + warn "Caution: Setting VLAN ID 1 on a VLAN aware bridge may be dangerous\n" if $tag == 1; } else { system("/sbin/bridge vlan add dev $iface vid 2-4094") == 0 || - die "unable to add vlan $tag to interface $iface\n"; + die "unable to add default vlan tags to interface $iface\n" if !$trunks; } + + if ($trunks) { + my @trunks_array = split /;/, $trunks; + foreach my $trunk (@trunks_array) { + system("/sbin/bridge vlan add dev $iface vid $trunk") == 0 || + die "unable to add vlan $trunk to interface $iface\n"; + } + } } }; my $ovs_bridge_add_port = sub { - my ($bridge, $iface, $tag, $internal) = @_; + my ($bridge, $iface, $tag, $internal, $trunks) = @_; + + $trunks =~ s/;/,/g if $trunks; my $cmd = "/usr/bin/ovs-vsctl add-port $bridge $iface"; $cmd .= " tag=$tag" if $tag; + $cmd .= " trunks=". join(',', $trunks) if $trunks; + $cmd .= " vlan_mode=native-untagged" if $tag && $trunks; + $cmd .= " -- set Interface $iface type=internal" if $internal; system($cmd) == 0 || die "can't add ovs port '$iface'\n"; @@ -238,7 +260,7 @@ sub veth_delete { } my $create_firewall_bridge_linux = sub { - my ($iface, $bridge, $tag) = @_; + my ($iface, $bridge, $tag, $trunks) = @_; my ($vmid, $devid) = &$parse_tap_device_name($iface); my ($fwbr, $vethfw, $vethfwpeer) = &$compute_fwbr_names($vmid, $devid); @@ -250,13 +272,13 @@ my $create_firewall_bridge_linux = sub { veth_create($vethfw, $vethfwpeer, $bridge); &$bridge_add_interface($fwbr, $vethfw); - &$bridge_add_interface($bridge, $vethfwpeer, $tag); + &$bridge_add_interface($bridge, $vethfwpeer, $tag, $trunks); &$bridge_add_interface($fwbr, $iface); }; my $create_firewall_bridge_ovs = sub { - my ($iface, $bridge, $tag) = @_; + my ($iface, $bridge, $tag, $trunks) = @_; my ($vmid, $devid) = &$parse_tap_device_name($iface); my ($fwbr, undef, undef, $ovsintport) = &$compute_fwbr_names($vmid, $devid); @@ -268,7 +290,7 @@ my $create_firewall_bridge_ovs = sub { &$bridge_add_interface($fwbr, $iface); - &$ovs_bridge_add_port($bridge, $ovsintport, $tag, 1); + &$ovs_bridge_add_port($bridge, $ovsintport, $tag, 1, $trunks); &$activate_interface($ovsintport); # set the same mtu for ovs int port @@ -300,7 +322,7 @@ my $cleanup_firewall_bridge = sub { }; sub tap_plug { - my ($iface, $bridge, $tag, $firewall) = @_; + my ($iface, $bridge, $tag, $firewall, $trunks, $rate) = @_; #cleanup old port config from any openvswitch bridge eval {run_command("/usr/bin/ovs-vsctl del-port $iface", outfunc => sub {}, errfunc => sub {}) }; @@ -311,6 +333,7 @@ sub tap_plug { my $vlan_aware = PVE::Tools::file_read_firstline("/sys/class/net/$bridge/bridge/vlan_filtering"); if (!$vlan_aware) { + die "vlan aware feature need to be enabled to use trunks" if $trunks; my $newbridge = activate_bridge_vlan($bridge, $tag); copy_bridge_config($bridge, $newbridge) if $bridge ne $newbridge; $bridge = $newbridge; @@ -318,20 +341,22 @@ sub tap_plug { } if ($firewall) { - &$create_firewall_bridge_linux($iface, $bridge, $tag); + &$create_firewall_bridge_linux($iface, $bridge, $tag, $trunks); } else { - &$bridge_add_interface($bridge, $iface, $tag); + &$bridge_add_interface($bridge, $iface, $tag, $trunks); } } else { &$cleanup_firewall_bridge($iface); # remove stale devices if ($firewall) { - &$create_firewall_bridge_ovs($iface, $bridge, $tag); + &$create_firewall_bridge_ovs($iface, $bridge, $tag, $trunks); } else { - &$ovs_bridge_add_port($bridge, $iface, $tag); + &$ovs_bridge_add_port($bridge, $iface, $tag, undef, $trunks); } } + + tap_rate_limit($iface, $rate); } sub tap_unplug { @@ -349,6 +374,8 @@ sub tap_unplug { } &$cleanup_firewall_bridge($iface); + #cleanup old port config from any openvswitch bridge + eval {run_command("/usr/bin/ovs-vsctl del-port $iface", outfunc => sub {}, errfunc => sub {}) }; } sub copy_bridge_config { @@ -415,7 +442,7 @@ sub activate_bridge_vlan { my @ifaces = (); my $dir = "/sys/class/net/$bridge/brif"; - PVE::Tools::dir_glob_foreach($dir, '((eth|bond)\d+(\.\d+)?)', sub { + PVE::Tools::dir_glob_foreach($dir, '(((eth|bond)\d+|en[^.]+)(\.\d+)?)', sub { push @ifaces, $_[0]; }); @@ -500,4 +527,36 @@ sub is_ip_in_cidr { return $cidr_obj->overlaps($ip_obj) == $Net::IP::IP_B_IN_A_OVERLAP; } +# struct ifreq { // FOR SIOCGIFFLAGS: +# char ifrn_name[IFNAMSIZ] +# short ifru_flags +# }; +my $STRUCT_IFREQ_SIOCGIFFLAGS = 'Z' . IFNAMSIZ . 's1'; +sub get_active_interfaces { + # Use the interface name list from /proc/net/dev + open my $fh, '<', '/proc/net/dev' + or die "failed to open /proc/net/dev: $!\n"; + # And filter by IFF_UP flag fetched via a PF_INET6 socket ioctl: + my $sock; + socket($sock, PF_INET6, SOCK_DGRAM, &IPPROTO_IP) + or socket($sock, PF_INET, SOCK_DGRAM, &IPPROTO_IP) + or return []; + + my $ifaces = []; + while(defined(my $line = <$fh>)) { + next if $line !~ /^\s*([^:\s]+):/; + my $ifname = $1; + my $ifreq = pack($STRUCT_IFREQ_SIOCGIFFLAGS, $ifname, 0); + if (!defined(ioctl($sock, SIOCGIFFLAGS, $ifreq))) { + warn "failed to get interface flags for: $ifname\n"; + next; + } + my ($name, $flags) = unpack($STRUCT_IFREQ_SIOCGIFFLAGS, $ifreq); + push @$ifaces, $ifname if ($flags & IFF_UP); + } + close $fh; + close $sock; + return $ifaces; +} + 1;