[pve-manager.git] / PVE / API2 / Network.pm

package PVE::API2::Network;

use strict;
use warnings;

use Net::IP qw(:PROC);
use PVE::Tools qw(extract_param dir_glob_regex);
use PVE::SafeSyslog;
use PVE::INotify;
use PVE::Exception qw(raise_param_exc);
use PVE::RESTHandler;
use PVE::RPCEnvironment;
use PVE::JSONSchema qw(get_standard_option);
use PVE::AccessControl;
use IO::File;

use base qw(PVE::RESTHandler);

my $have_sdn;
eval {
    require PVE::Network::SDN::Zones;
    require PVE::Network::SDN::Controllers;
    $have_sdn = 1;
};

my $iflockfn = "/etc/network/.pve-interfaces.lock";

my $bond_mode_enum = [
    'balance-rr',
    'active-backup', # OVS and Linux
    'balance-xor',
    'broadcast',
    '802.3ad',
    'balance-tlb',
    'balance-alb',
    'balance-slb', # OVS 
    'lacp-balance-slb', # OVS
    'lacp-balance-tcp', # OVS
    ];

my $network_type_enum = ['bridge', 'bond', 'eth', 'alias', 'vlan',
			 'OVSBridge', 'OVSBond', 'OVSPort', 'OVSIntPort'];

my $confdesc = {
    type => {
	description => "Network interface type",
	type => 'string',
	enum => [@$network_type_enum, 'unknown'],
    },
    comments => {
	description => "Comments",
	type => 'string',
	optional => 1,
    },
    comments6 => {
	description => "Comments",
	type => 'string',
	optional => 1,
    },
    autostart => {
	description => "Automatically start interface on boot.",
	type => 'boolean',
	optional => 1,
    },
    bridge_vlan_aware => {
	description => "Enable bridge vlan support.",
	type => 'boolean',
	optional => 1,
    },
    bridge_ports => {
	description => "Specify the interfaces you want to add to your bridge.",
	optional => 1,
	type => 'string', format => 'pve-iface-list',
    },
    ovs_ports => {
	description => "Specify the interfaces you want to add to your bridge.",
	optional => 1,
	type => 'string', format => 'pve-iface-list',
    },
    ovs_tag => {
	description => "Specify a VLan tag (used by OVSPort, OVSIntPort, OVSBond)",
	optional => 1,
	type => 'integer',
	minimum => 1,
	maximum => 4094,
    },
    ovs_options => {
	description => "OVS interface options.",
	optional => 1,
	type => 'string',
	maxLength => 1024,
    },
    ovs_bridge => {
	description => "The OVS bridge associated with a OVS port. This is required when you create an OVS port.",
	optional => 1,
	type => 'string', format => 'pve-iface',
    },
    slaves => {
	description => "Specify the interfaces used by the bonding device.",
	optional => 1,
	type => 'string', format => 'pve-iface-list',
    },
    ovs_bonds => {
	description => "Specify the interfaces used by the bonding device.",
	optional => 1,
	type => 'string', format => 'pve-iface-list',
    },
    bond_mode => {
	description => "Bonding mode.",
	optional => 1,
	type => 'string', enum => $bond_mode_enum,
    },
    'bond-primary' => {
	description => "Specify the primary interface for active-backup bond.",
	optional => 1,
	type => 'string', format => 'pve-iface',
    },
    bond_xmit_hash_policy => {
	description => "Selects the transmit hash policy to use for slave selection in balance-xor and 802.3ad modes.",
	optional => 1,
	type => 'string', 
	enum => ['layer2', 'layer2+3', 'layer3+4' ],
    },
    'vlan-raw-device' => {
	description => "Specify the raw interface for the vlan interface.",
	optional => 1,
	type => 'string', format => 'pve-iface',
    },
    'vlan-id' => {
	description => "vlan-id for a custom named vlan interface (ifupdown2 only).",
	optional => 1,
	type => 'integer',
	minimum => 1,
	maximum => 4094,
    },
    gateway => {
	description => 'Default gateway address.',
	type => 'string', format => 'ipv4',
	optional => 1,
    },
    netmask => {
	description => 'Network mask.',
	type => 'string', format => 'ipv4mask',
	optional => 1,
	requires => 'address',
    },
    address => {
	description => 'IP address.',
	type => 'string', format => 'ipv4',
	optional => 1,
	requires => 'netmask',
    },
    cidr => {
	description => 'IPv4 CIDR.',
	type => 'string', format => 'CIDRv4',
	optional => 1,
    },
    mtu => {
	description => 'MTU.',
	optional => 1,
	type => 'integer',
	minimum => 1280,
	maximum => 65520,
    },
    gateway6 => {
	description => 'Default ipv6 gateway address.',
	type => 'string', format => 'ipv6',
	optional => 1,
    },
    netmask6 => {
	description => 'Network mask.',
	type => 'integer', minimum => 0, maximum => 128,
	optional => 1,
	requires => 'address6',
    },
    address6 => {
	description => 'IP address.',
	type => 'string', format => 'ipv6',
	optional => 1,
	requires => 'netmask6',
    },
    cidr6 => {
	description => 'IPv6 CIDR.',
	type => 'string', format => 'CIDRv6',
	optional => 1,
    },
};

sub json_config_properties {
    my $prop = shift;

    foreach my $opt (keys %$confdesc) {
	$prop->{$opt} = $confdesc->{$opt};
    }

    return $prop;
}

__PACKAGE__->register_method({
    name => 'index', 
    path => '', 
    method => 'GET',
    permissions => { user => 'all' },
    description => "List available networks",
    proxyto => 'node',
    parameters => {
    	additionalProperties => 0,
	properties => {
	    node => get_standard_option('pve-node'),
	    type => {
		description => "Only list specific interface types.",
		type => 'string',
		enum => [ @$network_type_enum, 'any_bridge' ],
		optional => 1,
	    },
	},
    },
    returns => {
	type => "array",
	items => {
	    type => "object",
	    properties => {},
	},
	links => [ { rel => 'child', href => "{iface}" } ],
    },
    code => sub {
	my ($param) = @_;

	my $rpcenv = PVE::RPCEnvironment::get();

	my $tmp = PVE::INotify::read_file('interfaces', 1);
	my $config = $tmp->{data};
	my $changes = $tmp->{changes};

	$rpcenv->set_result_attrib('changes', $changes) if $changes;

	my $ifaces = $config->{ifaces};

	delete $ifaces->{lo}; # do not list the loopback device

	if ($param->{type}) {
	    foreach my $k (keys %$ifaces) {
		my $type = $ifaces->{$k}->{type};
		my $match =  ($param->{type} eq $type) || (
		    ($param->{type} eq 'any_bridge') && 
		    ($type eq 'bridge' || $type eq 'OVSBridge'));
		delete $ifaces->{$k} if !$match;
	    }
	}

	return PVE::RESTHandler::hash_to_array($ifaces, 'iface');
   }});

__PACKAGE__->register_method({
    name => 'revert_network_changes', 
    path => '', 
    method => 'DELETE',
    permissions => {
	check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
    },
    protected => 1,
    description => "Revert network configuration changes.",
    proxyto => 'node',
    parameters => {
    	additionalProperties => 0,
	properties => {
	    node => get_standard_option('pve-node'),
	},
    },
    returns => { type => "null" },
    code => sub {
	my ($param) = @_;

	unlink "/etc/network/interfaces.new";

	return undef;
    }});

my $check_duplicate = sub {
    my ($config, $newiface, $key, $name) = @_;

    foreach my $iface (keys %$config) {
	raise_param_exc({ $key => "$name already exists on interface '$iface'." })
	    if ($newiface ne $iface) && $config->{$iface}->{$key};
    }
};

my $check_duplicate_gateway = sub {
    my ($config, $newiface) = @_;
    return &$check_duplicate($config, $newiface, 'gateway', 'Default gateway');
};

my $check_duplicate_gateway6 = sub {
    my ($config, $newiface) = @_;
    return &$check_duplicate($config, $newiface, 'gateway6', 'Default ipv6 gateway');
};

sub ipv6_tobin {
    return Net::IP::ip_iptobin(Net::IP::ip_expand_address(shift, 6), 6);
}

my $check_ipv6_settings = sub {
    my ($address, $netmask) = @_;

    raise_param_exc({ netmask => "$netmask is not a valid subnet length for ipv6" })
	if $netmask < 0 || $netmask > 128;

    raise_param_exc({ address => "$address is not a valid host IPv6 address." })
	if !Net::IP::ip_is_ipv6($address);

    my $binip = ipv6_tobin($address);
    my $binmask = Net::IP::ip_get_mask($netmask, 6);

    my $type = ($binip eq $binmask) ? 'ANYCAST' : Net::IP::ip_iptypev6($binip);

    if (defined($type) && $type !~ /^(?:(?:GLOBAL|(?:UNIQUE|LINK)-LOCAL)-UNICAST)$/) {
	raise_param_exc({ address => "$address with type '$type', cannot be used as host IPv6 address." });
    }
};

my $map_cidr_to_address_netmask = sub {
    my ($param) = @_;

    if ($param->{cidr}) {
	raise_param_exc({ address => "address conflicts with cidr" })
	    if $param->{address};
	raise_param_exc({ netmask => "netmask conflicts with cidr" })
	    if $param->{netmask};

	my ($address, $netmask) = $param->{cidr} =~ m!^(.*)/(\d+)$!;
	$param->{address} = $address;
	$param->{netmask} = $netmask;
	delete $param->{cidr};
    }

    if ($param->{cidr6}) {
	raise_param_exc({ address6 => "address6 conflicts with cidr6" })
	    if $param->{address6};
	raise_param_exc({ netmask6 => "netmask6 conflicts with cidr6" })
	    if $param->{netmask6};

	my ($address, $netmask) = $param->{cidr6} =~ m!^(.*)/(\d+)$!;
	$param->{address6} = $address;
	$param->{netmask6} = $netmask;
	delete $param->{cidr6};
    }
};

__PACKAGE__->register_method({
    name => 'create_network', 
    path => '', 
    method => 'POST',
    permissions => {
	check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
    },
    description => "Create network device configuration",
    protected => 1,
    proxyto => 'node',
    parameters => {
    	additionalProperties => 0,
	properties => json_config_properties({
	    node => get_standard_option('pve-node'),
	    iface => get_standard_option('pve-iface')}),
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	my $node = extract_param($param, 'node');
	my $iface = extract_param($param, 'iface');

	my $code = sub {
	    my $config = PVE::INotify::read_file('interfaces');
	    my $ifaces = $config->{ifaces};

	    raise_param_exc({ iface => "interface already exists" })
		if $ifaces->{$iface};

	    &$check_duplicate_gateway($ifaces, $iface)
		if $param->{gateway};
	    &$check_duplicate_gateway6($ifaces, $iface)
		if $param->{gateway6};

	    $map_cidr_to_address_netmask->($param);

	    &$check_ipv6_settings($param->{address6}, int($param->{netmask6}))
		if $param->{address6};

	    my $families = $param->{families} = [];
	    push @$families, 'inet'
		if $param->{address} && !grep(/^inet$/, @$families);
	    push @$families, 'inet6'
		if $param->{address6} && !grep(/^inet6$/, @$families);
	    @$families = ('inet') if !scalar(@$families);

	    $param->{method} = $param->{address} ? 'static' : 'manual'; 
	    $param->{method6} = $param->{address6} ? 'static' : 'manual'; 

	    if ($param->{type} =~ m/^OVS/) {
		-x '/usr/bin/ovs-vsctl' ||
		    die "Open VSwitch is not installed (need package 'openvswitch-switch')\n";
	    }

	    if ($param->{type} eq 'OVSIntPort' || $param->{type} eq 'OVSBond') {
		my $brname = $param->{ovs_bridge};
		raise_param_exc({ ovs_bridge => "parameter is required" }) if !$brname;
		my $br = $ifaces->{$brname};
		raise_param_exc({ ovs_bridge => "bridge '$brname' does not exist" }) if !$br;
		raise_param_exc({ ovs_bridge => "interface '$brname' is no OVS bridge" }) 
		    if $br->{type} ne 'OVSBridge';

		my @ports = split (/\s+/, $br->{ovs_ports} || '');
		$br->{ovs_ports} = join(' ', @ports, $iface)
		    if ! grep { $_ eq $iface } @ports;
	    }

	    $ifaces->{$iface} = $param;

	    PVE::INotify::write_file('interfaces', $config);
	};

	PVE::Tools::lock_file($iflockfn, 10, $code);
	die $@ if $@;

	return undef;
    }});

__PACKAGE__->register_method({
    name => 'update_network', 
    path => '{iface}', 
    method => 'PUT',
    permissions => {
	check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
    },
    description => "Update network device configuration",
    protected => 1,
    proxyto => 'node',
    parameters => {
    	additionalProperties => 0,
	properties => json_config_properties({
	    node => get_standard_option('pve-node'),
	    iface => get_standard_option('pve-iface'),
	    delete => {
		type => 'string', format => 'pve-configid-list',
		description => "A list of settings you want to delete.",
		optional => 1,
	    }}),
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	my $node = extract_param($param, 'node');
	my $iface = extract_param($param, 'iface');
	my $delete = extract_param($param, 'delete');

	my $code = sub {
	    my $config = PVE::INotify::read_file('interfaces');
	    my $ifaces = $config->{ifaces};

	    raise_param_exc({ iface => "interface does not exist" })
		if !$ifaces->{$iface};

	    my $families = ($param->{families} ||= []);
	    foreach my $k (PVE::Tools::split_list($delete)) {
		delete $ifaces->{$iface}->{$k};
		@$families = grep(!/^inet$/, @$families) if $k eq 'address';
		@$families = grep(!/^inet6$/, @$families) if $k eq 'address6';
		if ($k eq 'cidr') {
		    delete $ifaces->{$iface}->{netmask};
		    delete $ifaces->{$iface}->{address};
		} elsif ($k eq 'cidr6') {
		    delete $ifaces->{$iface}->{netmask6};
		    delete $ifaces->{$iface}->{address6};
		}
	    }

	    $map_cidr_to_address_netmask->($param);

	    &$check_duplicate_gateway($ifaces, $iface)
		if $param->{gateway};
	    &$check_duplicate_gateway6($ifaces, $iface)
		if $param->{gateway6};

	    if ($param->{address}) {
		push @$families, 'inet' if !grep(/^inet$/, @$families);
	    } else {
		@$families = grep(!/^inet$/, @$families);
	    }
	    if ($param->{address6}) {
		&$check_ipv6_settings($param->{address6}, int($param->{netmask6}));
		push @$families, 'inet6' if !grep(/^inet6$/, @$families);
	    } else {
		@$families = grep(!/^inet6$/, @$families);
	    }
	    @$families = ('inet') if !scalar(@$families);

	    $param->{method} = $param->{address} ? 'static' : 'manual'; 
	    $param->{method6} = $param->{address6} ? 'static' : 'manual'; 

	    foreach my $k (keys %$param) {
		$ifaces->{$iface}->{$k} = $param->{$k};
	    }
	    
	    PVE::INotify::write_file('interfaces', $config);
	};

	PVE::Tools::lock_file($iflockfn, 10, $code);
	die $@ if $@;

	return undef;
    }});

__PACKAGE__->register_method({
    name => 'network_config', 
    path => '{iface}', 
    method => 'GET',
    permissions => {
	check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
    },
    description => "Read network device configuration",
    proxyto => 'node',
    parameters => {
    	additionalProperties => 0,
	properties => {
	    node => get_standard_option('pve-node'),
	    iface => get_standard_option('pve-iface'),
	},
    },
    returns => {
	type => "object",
	properties => {
	    type => { 
		type => 'string', 
	    },
	    method => {
		type => 'string', 
	    },
	},
    },
    code => sub {
	my ($param) = @_;

	my $config = PVE::INotify::read_file('interfaces');
	my $ifaces = $config->{ifaces};

	raise_param_exc({ iface => "interface does not exist" })
	    if !$ifaces->{$param->{iface}};

	return $ifaces->{$param->{iface}};
   }});

sub ifupdown2_version {
    my $v;
    PVE::Tools::run_command(['ifreload', '-V'], outfunc => sub { $v //= shift });
    return if !defined($v) || $v !~ /^\s*ifupdown2:(\S+)\s*$/;
    $v = $1;
    my ($major, $minor, $extra, $pve) = split(/\.|-/, $v);
    my $is_pve = defined($pve) && $pve =~ /pve/;

    return ($major * 100000 + $minor * 1000 + $extra * 10, $is_pve, $v);
}
sub assert_ifupdown2_installed {
    die "you need ifupdown2 to reload network configuration\n" if ! -e '/usr/share/ifupdown2';
    my ($v, $pve, $v_str) = ifupdown2_version();
    die "incompatible 'ifupdown2' package version '$v_str'! Did you installed from Proxmox repositories?\n"
        if $v < (1*100000 + 2*1000 + 8*10) || !$pve;
}

__PACKAGE__->register_method({
    name => 'reload_network_config',
    path => '',
    method => 'PUT',
    permissions => {
	check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
    },
    description => "Reload network configuration",
    protected => 1,
    proxyto => 'node',
    parameters => {
	additionalProperties => 0,
	properties => {
	    node => get_standard_option('pve-node'),
	},
    },
    returns => { type => 'string' },
    code => sub {

	my ($param) = @_;

        my $rpcenv = PVE::RPCEnvironment::get();

        my $authuser = $rpcenv->get_user();

	my $current_config_file = "/etc/network/interfaces";
	my $new_config_file = "/etc/network/interfaces.new";

	assert_ifupdown2_installed();

	my $worker = sub {

	    rename($new_config_file, $current_config_file) if -e $new_config_file;

	    if ($have_sdn) {
		my $network_sdn_config = PVE::Network::SDN::Zones::generate_etc_network_config();
		PVE::Network::SDN::Zones::write_etc_network_config($network_sdn_config);
	    }

	    my $err = sub {
		my $line = shift;
		if ($line =~ /(warning|error): (\S+):/) {
		    print "$2 : $line \n";
		}
	    };
	    PVE::Tools::run_command(['ifreload', '-a'], errfunc => $err);

	    if ($have_sdn) {
		my $controller_config = PVE::Network::SDN::Controllers::generate_controller_config();
		PVE::Network::SDN::Controllers::write_controller_config($controller_config) if ($controller_config);
		PVE::Network::SDN::Controllers::reload_controller();
	    }
	};
	return $rpcenv->fork_worker('srvreload', 'networking', $authuser, $worker);
   }});

__PACKAGE__->register_method({
    name => 'delete_network', 
    path => '{iface}', 
    method => 'DELETE',
    permissions => {
	check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
    },
    description => "Delete network device configuration",
    protected => 1,
    proxyto => 'node',
    parameters => {
    	additionalProperties => 0,
	properties => {
	    node => get_standard_option('pve-node'),
	    iface => get_standard_option('pve-iface'),
	},
    },
    returns => { type => 'null' },
    code => sub {
	my ($param) = @_;

	my $code = sub {
	    my $config = PVE::INotify::read_file('interfaces');
	    my $ifaces = $config->{ifaces};

	    raise_param_exc({ iface => "interface does not exist" })
		if !$ifaces->{$param->{iface}};

	    my $d = $ifaces->{$param->{iface}};
	    if ($d->{type} eq 'OVSIntPort' || $d->{type} eq 'OVSBond') {
		if (my $brname = $d->{ovs_bridge}) {
		    if (my $br = $ifaces->{$brname}) {
			if ($br->{ovs_ports}) {
			    my @ports = split (/\s+/, $br->{ovs_ports});
			    my @new = grep { $_ ne $param->{iface} } @ports;
			    $br->{ovs_ports} = join(' ', @new);
			}
		    }
		}
	    }

	    delete $ifaces->{$param->{iface}};

	    PVE::INotify::write_file('interfaces', $config);
	};

	PVE::Tools::lock_file($iflockfn, 10, $code);
	die $@ if $@;

	return undef;
    }});
Commit	Line	Data
aff192e6 DM	1	package PVE::API2::Network;
	2
	3	use strict;
	4	use warnings;
	5
d09f6f7d	6	use Net::IP qw(:PROC);
cacd7547	7	use PVE::Tools qw(extract_param dir_glob_regex);
aff192e6 DM	8	use PVE::SafeSyslog;
	9	use PVE::INotify;
	10	use PVE::Exception qw(raise_param_exc);
	11	use PVE::RESTHandler;
	12	use PVE::RPCEnvironment;
	13	use PVE::JSONSchema qw(get_standard_option);
	14	use PVE::AccessControl;
	15	use IO::File;
	16
	17	use base qw(PVE::RESTHandler);
	18
2bca9b77 AD	19	my $have_sdn;
2bca9b77 AD	20	eval {
20dc8bbe AD	21	require PVE::Network::SDN::Zones;
20dc8bbe AD	22	require PVE::Network::SDN::Controllers;
2bca9b77 AD	23	$have_sdn = 1;
	24	};
	25
aff192e6 DM	26	my $iflockfn = "/etc/network/.pve-interfaces.lock";
	27
	28	my $bond_mode_enum = [
	29	'balance-rr',
10a9563e	30	'active-backup', # OVS and Linux
aff192e6 DM	31	'balance-xor',
	32	'broadcast',
	33	'802.3ad',
	34	'balance-tlb',
d11733f8	35	'balance-alb',
10a9563e DM	36	'balance-slb', # OVS
	37	'lacp-balance-slb', # OVS
	38	'lacp-balance-tcp', # OVS
aff192e6 DM	39	];
aff192e6 DM	40
3f0d1a4b	41	my $network_type_enum = ['bridge', 'bond', 'eth', 'alias', 'vlan',
d11733f8 DM	42	'OVSBridge', 'OVSBond', 'OVSPort', 'OVSIntPort'];
d11733f8 DM	43
aff192e6	44	my $confdesc = {
d11733f8 DM	45	type => {
	46	description => "Network interface type",
	47	type => 'string',
	48	enum => [@$network_type_enum, 'unknown'],
	49	},
44d353a7 DM	50	comments => {
	51	description => "Comments",
	52	type => 'string',
b5eda023	53	optional => 1,
44d353a7	54	},
3ed15e6c WB	55	comments6 => {
	56	description => "Comments",
	57	type => 'string',
	58	optional => 1,
	59	},
aff192e6 DM	60	autostart => {
	61	description => "Automatically start interface on boot.",
	62	type => 'boolean',
	63	optional => 1,
	64	},
a1604d70 AD	65	bridge_vlan_aware => {
	66	description => "Enable bridge vlan support.",
	67	type => 'boolean',
	68	optional => 1,
	69	},
aff192e6	70	bridge_ports => {
76189130	71	description => "Specify the interfaces you want to add to your bridge.",
aff192e6 DM	72	optional => 1,
	73	type => 'string', format => 'pve-iface-list',
	74	},
d11733f8	75	ovs_ports => {
76189130	76	description => "Specify the interfaces you want to add to your bridge.",
d11733f8 DM	77	optional => 1,
	78	type => 'string', format => 'pve-iface-list',
	79	},
4c917e97 DM	80	ovs_tag => {
	81	description => "Specify a VLan tag (used by OVSPort, OVSIntPort, OVSBond)",
	82	optional => 1,
	83	type => 'integer',
	84	minimum => 1,
	85	maximum => 4094,
	86	},
d11733f8 DM	87	ovs_options => {
	88	description => "OVS interface options.",
	89	optional => 1,
	90	type => 'string',
	91	maxLength => 1024,
	92	},
	93	ovs_bridge => {
	94	description => "The OVS bridge associated with a OVS port. This is required when you create an OVS port.",
	95	optional => 1,
	96	type => 'string', format => 'pve-iface',
	97	},
aff192e6 DM	98	slaves => {
	99	description => "Specify the interfaces used by the bonding device.",
	100	optional => 1,
	101	type => 'string', format => 'pve-iface-list',
	102	},
d11733f8 DM	103	ovs_bonds => {
	104	description => "Specify the interfaces used by the bonding device.",
	105	optional => 1,
	106	type => 'string', format => 'pve-iface-list',
	107	},
aff192e6 DM	108	bond_mode => {
	109	description => "Bonding mode.",
	110	optional => 1,
	111	type => 'string', enum => $bond_mode_enum,
	112	},
7942a7bb AD	113	'bond-primary' => {
	114	description => "Specify the primary interface for active-backup bond.",
	115	optional => 1,
	116	type => 'string', format => 'pve-iface',
	117	},
ffffb625 DM	118	bond_xmit_hash_policy => {
	119	description => "Selects the transmit hash policy to use for slave selection in balance-xor and 802.3ad modes.",
	120	optional => 1,
	121	type => 'string',
	122	enum => ['layer2', 'layer2+3', 'layer3+4' ],
	123	},
9d2e1c8b AD	124	'vlan-raw-device' => {
	125	description => "Specify the raw interface for the vlan interface.",
	126	optional => 1,
	127	type => 'string', format => 'pve-iface',
	128	},
	129	'vlan-id' => {
	130	description => "vlan-id for a custom named vlan interface (ifupdown2 only).",
	131	optional => 1,
	132	type => 'integer',
	133	minimum => 1,
	134	maximum => 4094,
	135	},
aff192e6 DM	136	gateway => {
	137	description => 'Default gateway address.',
	138	type => 'string', format => 'ipv4',
	139	optional => 1,
	140	},
	141	netmask => {
	142	description => 'Network mask.',
	143	type => 'string', format => 'ipv4mask',
	144	optional => 1,
1904114e	145	requires => 'address',
aff192e6 DM	146	},
	147	address => {
	148	description => 'IP address.',
	149	type => 'string', format => 'ipv4',
	150	optional => 1,
	151	requires => 'netmask',
3ed15e6c	152	},
69106e5c DC	153	cidr => {
69106e5c DC	154	description => 'IPv4 CIDR.',
e9af22b0	155	type => 'string', format => 'CIDRv4',
69106e5c DC	156	optional => 1,
69106e5c DC	157	},
94011309 AD	158	mtu => {
	159	description => 'MTU.',
	160	optional => 1,
	161	type => 'integer',
	162	minimum => 1280,
	163	maximum => 65520,
	164	},
3ed15e6c WB	165	gateway6 => {
	166	description => 'Default ipv6 gateway address.',
	167	type => 'string', format => 'ipv6',
	168	optional => 1,
	169	},
	170	netmask6 => {
	171	description => 'Network mask.',
	172	type => 'integer', minimum => 0, maximum => 128,
	173	optional => 1,
	174	requires => 'address6',
	175	},
	176	address6 => {
	177	description => 'IP address.',
	178	type => 'string', format => 'ipv6',
	179	optional => 1,
	180	requires => 'netmask6',
69106e5c DC	181	},
	182	cidr6 => {
	183	description => 'IPv6 CIDR.',
e9af22b0	184	type => 'string', format => 'CIDRv6',
69106e5c DC	185	optional => 1,
69106e5c DC	186	},
aff192e6 DM	187	};
	188
	189	sub json_config_properties {
	190	my $prop = shift;
	191
	192	foreach my $opt (keys %$confdesc) {
	193	$prop->{$opt} = $confdesc->{$opt};
	194	}
	195
	196	return $prop;
	197	}
	198
	199	__PACKAGE__->register_method({
	200	name => 'index',
	201	path => '',
	202	method => 'GET',
	203	permissions => { user => 'all' },
	204	description => "List available networks",
	205	proxyto => 'node',
	206	parameters => {
	207	additionalProperties => 0,
	208	properties => {
	209	node => get_standard_option('pve-node'),
	210	type => {
	211	description => "Only list specific interface types.",
	212	type => 'string',
4c917e97	213	enum => [ @$network_type_enum, 'any_bridge' ],
aff192e6 DM	214	optional => 1,
	215	},
	216	},
	217	},
	218	returns => {
	219	type => "array",
	220	items => {
	221	type => "object",
	222	properties => {},
	223	},
	224	links => [ { rel => 'child', href => "{iface}" } ],
	225	},
	226	code => sub {
	227	my ($param) = @_;
	228
e4d5bf72 DM	229	my $rpcenv = PVE::RPCEnvironment::get();
	230
	231	my $tmp = PVE::INotify::read_file('interfaces', 1);
	232	my $config = $tmp->{data};
	233	my $changes = $tmp->{changes};
	234
	235	$rpcenv->set_result_attrib('changes', $changes) if $changes;
aff192e6	236
3ed15e6c WB	237	my $ifaces = $config->{ifaces};
	238
	239	delete $ifaces->{lo}; # do not list the loopback device
aff192e6 DM	240
aff192e6 DM	241	if ($param->{type}) {
3ed15e6c WB	242	foreach my $k (keys %$ifaces) {
3ed15e6c WB	243	my $type = $ifaces->{$k}->{type};
4c917e97 DM	244	my $match = ($param->{type} eq $type) \|\| (
	245	($param->{type} eq 'any_bridge') &&
	246	($type eq 'bridge' \|\| $type eq 'OVSBridge'));
3ed15e6c	247	delete $ifaces->{$k} if !$match;
aff192e6 DM	248	}
	249	}
	250
3ed15e6c	251	return PVE::RESTHandler::hash_to_array($ifaces, 'iface');
aff192e6 DM	252	}});
aff192e6 DM	253
e4d5bf72 DM	254	__PACKAGE__->register_method({
	255	name => 'revert_network_changes',
	256	path => '',
	257	method => 'DELETE',
	258	permissions => {
	259	check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
	260	},
	261	protected => 1,
	262	description => "Revert network configuration changes.",
	263	proxyto => 'node',
	264	parameters => {
	265	additionalProperties => 0,
	266	properties => {
	267	node => get_standard_option('pve-node'),
	268	},
	269	},
	270	returns => { type => "null" },
	271	code => sub {
	272	my ($param) = @_;
	273
	274	unlink "/etc/network/interfaces.new";
	275
	276	return undef;
	277	}});
aff192e6	278
3ed15e6c WB	279	my $check_duplicate = sub {
3ed15e6c WB	280	my ($config, $newiface, $key, $name) = @_;
aff192e6 DM	281
aff192e6 DM	282	foreach my $iface (keys %$config) {
3ed15e6c WB	283	raise_param_exc({ $key => "$name already exists on interface '$iface'." })
3ed15e6c WB	284	if ($newiface ne $iface) && $config->{$iface}->{$key};
aff192e6 DM	285	}
	286	};
	287
3ed15e6c WB	288	my $check_duplicate_gateway = sub {
	289	my ($config, $newiface) = @_;
	290	return &$check_duplicate($config, $newiface, 'gateway', 'Default gateway');
	291	};
	292
	293	my $check_duplicate_gateway6 = sub {
	294	my ($config, $newiface) = @_;
	295	return &$check_duplicate($config, $newiface, 'gateway6', 'Default ipv6 gateway');
	296	};
	297
3ed15e6c WB	298	sub ipv6_tobin {
	299	return Net::IP::ip_iptobin(Net::IP::ip_expand_address(shift, 6), 6);
	300	}
	301
	302	my $check_ipv6_settings = sub {
	303	my ($address, $netmask) = @_;
	304
	305	raise_param_exc({ netmask => "$netmask is not a valid subnet length for ipv6" })
	306	if $netmask < 0 \|\| $netmask > 128;
	307
0f6e6f6b	308	raise_param_exc({ address => "$address is not a valid host IPv6 address." })
3ed15e6c WB	309	if !Net::IP::ip_is_ipv6($address);
	310
	311	my $binip = ipv6_tobin($address);
	312	my $binmask = Net::IP::ip_get_mask($netmask, 6);
	313
0f6e6f6b	314	my $type = ($binip eq $binmask) ? 'ANYCAST' : Net::IP::ip_iptypev6($binip);
3ed15e6c	315
0f6e6f6b	316	if (defined($type) && $type !~ /^(?:(?:GLOBAL\|(?:UNIQUE\|LINK)-LOCAL)-UNICAST)$/) {
68f371d4	317	raise_param_exc({ address => "$address with type '$type', cannot be used as host IPv6 address." });
0f6e6f6b	318	}
3ed15e6c WB	319	};
3ed15e6c WB	320
69106e5c DC	321	my $map_cidr_to_address_netmask = sub {
	322	my ($param) = @_;
	323
	324	if ($param->{cidr}) {
	325	raise_param_exc({ address => "address conflicts with cidr" })
	326	if $param->{address};
	327	raise_param_exc({ netmask => "netmask conflicts with cidr" })
	328	if $param->{netmask};
	329
e9af22b0 TL	330	my ($address, $netmask) = $param->{cidr} =~ m!^(.*)/(\d+)$!;
	331	$param->{address} = $address;
	332	$param->{netmask} = $netmask;
69106e5c DC	333	delete $param->{cidr};
	334	}
	335
	336	if ($param->{cidr6}) {
	337	raise_param_exc({ address6 => "address6 conflicts with cidr6" })
	338	if $param->{address6};
	339	raise_param_exc({ netmask6 => "netmask6 conflicts with cidr6" })
	340	if $param->{netmask6};
	341
e9af22b0 TL	342	my ($address, $netmask) = $param->{cidr6} =~ m!^(.*)/(\d+)$!;
	343	$param->{address6} = $address;
	344	$param->{netmask6} = $netmask;
69106e5c DC	345	delete $param->{cidr6};
	346	}
	347	};
	348
aff192e6 DM	349	__PACKAGE__->register_method({
	350	name => 'create_network',
	351	path => '',
	352	method => 'POST',
	353	permissions => {
7d020b42	354	check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
aff192e6 DM	355	},
	356	description => "Create network device configuration",
	357	protected => 1,
	358	proxyto => 'node',
	359	parameters => {
	360	additionalProperties => 0,
	361	properties => json_config_properties({
	362	node => get_standard_option('pve-node'),
	363	iface => get_standard_option('pve-iface')}),
	364	},
	365	returns => { type => 'null' },
	366	code => sub {
	367	my ($param) = @_;
	368
	369	my $node = extract_param($param, 'node');
	370	my $iface = extract_param($param, 'iface');
	371
	372	my $code = sub {
	373	my $config = PVE::INotify::read_file('interfaces');
3ed15e6c	374	my $ifaces = $config->{ifaces};
aff192e6 DM	375
aff192e6 DM	376	raise_param_exc({ iface => "interface already exists" })
3ed15e6c	377	if $ifaces->{$iface};
aff192e6	378
3ed15e6c	379	&$check_duplicate_gateway($ifaces, $iface)
aff192e6	380	if $param->{gateway};
3ed15e6c WB	381	&$check_duplicate_gateway6($ifaces, $iface)
3ed15e6c WB	382	if $param->{gateway6};
aff192e6	383
69106e5c DC	384	$map_cidr_to_address_netmask->($param);
69106e5c DC	385
3ed15e6c WB	386	&$check_ipv6_settings($param->{address6}, int($param->{netmask6}))
	387	if $param->{address6};
	388
	389	my $families = $param->{families} = [];
	390	push @$families, 'inet'
	391	if $param->{address} && !grep(/^inet$/, @$families);
	392	push @$families, 'inet6'
	393	if $param->{address6} && !grep(/^inet6$/, @$families);
	394	@$families = ('inet') if !scalar(@$families);
e16a27be	395
aff192e6	396	$param->{method} = $param->{address} ? 'static' : 'manual';
3ed15e6c	397	$param->{method6} = $param->{address6} ? 'static' : 'manual';
aff192e6	398
bdfa2498 DM	399	if ($param->{type} =~ m/^OVS/) {
	400	-x '/usr/bin/ovs-vsctl' \|\|
	401	die "Open VSwitch is not installed (need package 'openvswitch-switch')\n";
	402	}
	403
d11733f8 DM	404	if ($param->{type} eq 'OVSIntPort' \|\| $param->{type} eq 'OVSBond') {
	405	my $brname = $param->{ovs_bridge};
	406	raise_param_exc({ ovs_bridge => "parameter is required" }) if !$brname;
3ed15e6c	407	my $br = $ifaces->{$brname};
d11733f8 DM	408	raise_param_exc({ ovs_bridge => "bridge '$brname' does not exist" }) if !$br;
	409	raise_param_exc({ ovs_bridge => "interface '$brname' is no OVS bridge" })
	410	if $br->{type} ne 'OVSBridge';
	411
	412	my @ports = split (/\s+/, $br->{ovs_ports} \|\| '');
	413	$br->{ovs_ports} = join(' ', @ports, $iface)
	414	if ! grep { $_ eq $iface } @ports;
	415	}
	416
3ed15e6c	417	$ifaces->{$iface} = $param;
aff192e6 DM	418
	419	PVE::INotify::write_file('interfaces', $config);
	420	};
	421
	422	PVE::Tools::lock_file($iflockfn, 10, $code);
	423	die $@ if $@;
	424
	425	return undef;
	426	}});
	427
	428	__PACKAGE__->register_method({
	429	name => 'update_network',
	430	path => '{iface}',
	431	method => 'PUT',
	432	permissions => {
7d020b42	433	check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
aff192e6 DM	434	},
	435	description => "Update network device configuration",
	436	protected => 1,
	437	proxyto => 'node',
	438	parameters => {
	439	additionalProperties => 0,
	440	properties => json_config_properties({
	441	node => get_standard_option('pve-node'),
	442	iface => get_standard_option('pve-iface'),
	443	delete => {
	444	type => 'string', format => 'pve-configid-list',
	445	description => "A list of settings you want to delete.",
	446	optional => 1,
	447	}}),
	448	},
	449	returns => { type => 'null' },
	450	code => sub {
	451	my ($param) = @_;
	452
	453	my $node = extract_param($param, 'node');
	454	my $iface = extract_param($param, 'iface');
	455	my $delete = extract_param($param, 'delete');
	456
	457	my $code = sub {
	458	my $config = PVE::INotify::read_file('interfaces');
3ed15e6c	459	my $ifaces = $config->{ifaces};
aff192e6 DM	460
aff192e6 DM	461	raise_param_exc({ iface => "interface does not exist" })
3ed15e6c	462	if !$ifaces->{$iface};
aff192e6	463
3ed15e6c	464	my $families = ($param->{families} \|\|= []);
aff192e6	465	foreach my $k (PVE::Tools::split_list($delete)) {
3ed15e6c WB	466	delete $ifaces->{$iface}->{$k};
	467	@$families = grep(!/^inet$/, @$families) if $k eq 'address';
	468	@$families = grep(!/^inet6$/, @$families) if $k eq 'address6';
47d13c02 DC	469	if ($k eq 'cidr') {
	470	delete $ifaces->{$iface}->{netmask};
	471	delete $ifaces->{$iface}->{address};
	472	} elsif ($k eq 'cidr6') {
	473	delete $ifaces->{$iface}->{netmask6};
	474	delete $ifaces->{$iface}->{address6};
	475	}
aff192e6 DM	476	}
aff192e6 DM	477
69106e5c DC	478	$map_cidr_to_address_netmask->($param);
69106e5c DC	479
3ed15e6c	480	&$check_duplicate_gateway($ifaces, $iface)
aff192e6	481	if $param->{gateway};
3ed15e6c WB	482	&$check_duplicate_gateway6($ifaces, $iface)
	483	if $param->{gateway6};
	484
	485	if ($param->{address}) {
3ed15e6c WB	486	push @$families, 'inet' if !grep(/^inet$/, @$families);
	487	} else {
	488	@$families = grep(!/^inet$/, @$families);
	489	}
	490	if ($param->{address6}) {
	491	&$check_ipv6_settings($param->{address6}, int($param->{netmask6}));
	492	push @$families, 'inet6' if !grep(/^inet6$/, @$families);
	493	} else {
	494	@$families = grep(!/^inet6$/, @$families);
	495	}
	496	@$families = ('inet') if !scalar(@$families);
e16a27be	497
aff192e6	498	$param->{method} = $param->{address} ? 'static' : 'manual';
3ed15e6c	499	$param->{method6} = $param->{address6} ? 'static' : 'manual';
aff192e6 DM	500
aff192e6 DM	501	foreach my $k (keys %$param) {
3ed15e6c	502	$ifaces->{$iface}->{$k} = $param->{$k};
aff192e6 DM	503	}
	504
	505	PVE::INotify::write_file('interfaces', $config);
	506	};
	507
	508	PVE::Tools::lock_file($iflockfn, 10, $code);
	509	die $@ if $@;
	510
	511	return undef;
	512	}});
	513
	514	__PACKAGE__->register_method({
	515	name => 'network_config',
	516	path => '{iface}',
	517	method => 'GET',
	518	permissions => {
7d020b42	519	check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
aff192e6 DM	520	},
	521	description => "Read network device configuration",
	522	proxyto => 'node',
	523	parameters => {
	524	additionalProperties => 0,
	525	properties => {
	526	node => get_standard_option('pve-node'),
	527	iface => get_standard_option('pve-iface'),
	528	},
	529	},
	530	returns => {
	531	type => "object",
	532	properties => {
	533	type => {
	534	type => 'string',
	535	},
	536	method => {
	537	type => 'string',
	538	},
	539	},
	540	},
	541	code => sub {
	542	my ($param) = @_;
	543
	544	my $config = PVE::INotify::read_file('interfaces');
3ed15e6c	545	my $ifaces = $config->{ifaces};
aff192e6 DM	546
aff192e6 DM	547	raise_param_exc({ iface => "interface does not exist" })
3ed15e6c	548	if !$ifaces->{$param->{iface}};
aff192e6	549
3ed15e6c	550	return $ifaces->{$param->{iface}};
aff192e6 DM	551	}});
aff192e6 DM	552
a6ed0aa6 TL	553	sub ifupdown2_version {
	554	my $v;
	555	PVE::Tools::run_command(['ifreload', '-V'], outfunc => sub { $v //= shift });
	556	return if !defined($v) \|\| $v !~ /^\sifupdown2:(\S+)\s$/;
	557	$v = $1;
	558	my ($major, $minor, $extra, $pve) = split(/\.\|-/, $v);
	559	my $is_pve = defined($pve) && $pve =~ /pve/;
	560
	561	return ($major * 100000 + $minor * 1000 + $extra * 10, $is_pve, $v);
	562	}
	563	sub assert_ifupdown2_installed {
	564	die "you need ifupdown2 to reload network configuration\n" if ! -e '/usr/share/ifupdown2';
	565	my ($v, $pve, $v_str) = ifupdown2_version();
	566	die "incompatible 'ifupdown2' package version '$v_str'! Did you installed from Proxmox repositories?\n"
	567	if $v < (1100000 + 21000 + 8*10) \|\| !$pve;
	568	}
	569
cacd7547 AD	570	__PACKAGE__->register_method({
	571	name => 'reload_network_config',
	572	path => '',
	573	method => 'PUT',
	574	permissions => {
	575	check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
	576	},
	577	description => "Reload network configuration",
	578	protected => 1,
	579	proxyto => 'node',
	580	parameters => {
	581	additionalProperties => 0,
	582	properties => {
	583	node => get_standard_option('pve-node'),
	584	},
	585	},
	586	returns => { type => 'string' },
	587	code => sub {
	588
	589	my ($param) = @_;
	590
	591	my $rpcenv = PVE::RPCEnvironment::get();
	592
	593	my $authuser = $rpcenv->get_user();
	594
	595	my $current_config_file = "/etc/network/interfaces";
	596	my $new_config_file = "/etc/network/interfaces.new";
	597
a6ed0aa6	598	assert_ifupdown2_installed();
6159470e	599
cacd7547 AD	600	my $worker = sub {
cacd7547 AD	601
e46bf624	602	rename($new_config_file, $current_config_file) if -e $new_config_file;
cacd7547	603
2bca9b77	604	if ($have_sdn) {
20dc8bbe AD	605	my $network_sdn_config = PVE::Network::SDN::Zones::generate_etc_network_config();
20dc8bbe AD	606	PVE::Network::SDN::Zones::write_etc_network_config($network_sdn_config);
2bca9b77 AD	607	}
2bca9b77 AD	608
cacd7547 AD	609	my $err = sub {
	610	my $line = shift;
	611	if ($line =~ /(warning\|error): (\S+):/) {
e46bf624	612	print "$2 : $line \n";
cacd7547 AD	613	}
cacd7547 AD	614	};
084e6030	615	PVE::Tools::run_command(['ifreload', '-a'], errfunc => $err);
cacd7547	616
20dc8bbe AD	617	if ($have_sdn) {
	618	my $controller_config = PVE::Network::SDN::Controllers::generate_controller_config();
	619	PVE::Network::SDN::Controllers::write_controller_config($controller_config) if ($controller_config);
	620	PVE::Network::SDN::Controllers::reload_controller();
084e6030	621	}
cacd7547 AD	622	};
	623	return $rpcenv->fork_worker('srvreload', 'networking', $authuser, $worker);
	624	}});
	625
aff192e6 DM	626	__PACKAGE__->register_method({
	627	name => 'delete_network',
	628	path => '{iface}',
	629	method => 'DELETE',
	630	permissions => {
7d020b42	631	check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
aff192e6 DM	632	},
	633	description => "Delete network device configuration",
	634	protected => 1,
	635	proxyto => 'node',
	636	parameters => {
	637	additionalProperties => 0,
	638	properties => {
	639	node => get_standard_option('pve-node'),
	640	iface => get_standard_option('pve-iface'),
	641	},
	642	},
	643	returns => { type => 'null' },
	644	code => sub {
	645	my ($param) = @_;
	646
	647	my $code = sub {
	648	my $config = PVE::INotify::read_file('interfaces');
3ed15e6c	649	my $ifaces = $config->{ifaces};
aff192e6 DM	650
aff192e6 DM	651	raise_param_exc({ iface => "interface does not exist" })
3ed15e6c	652	if !$ifaces->{$param->{iface}};
aff192e6	653
3ed15e6c	654	my $d = $ifaces->{$param->{iface}};
d11733f8 DM	655	if ($d->{type} eq 'OVSIntPort' \|\| $d->{type} eq 'OVSBond') {
d11733f8 DM	656	if (my $brname = $d->{ovs_bridge}) {
3ed15e6c	657	if (my $br = $ifaces->{$brname}) {
d11733f8 DM	658	if ($br->{ovs_ports}) {
	659	my @ports = split (/\s+/, $br->{ovs_ports});
	660	my @new = grep { $_ ne $param->{iface} } @ports;
	661	$br->{ovs_ports} = join(' ', @new);
	662	}
	663	}
	664	}
	665	}
	666
3ed15e6c	667	delete $ifaces->{$param->{iface}};
aff192e6 DM	668
	669	PVE::INotify::write_file('interfaces', $config);
	670	};
	671
	672	PVE::Tools::lock_file($iflockfn, 10, $code);
	673	die $@ if $@;
	674
	675	return undef;
	676	}});