1 package PVE
::API2
::Network
;
7 use PVE
::Tools
qw(extract_param dir_glob_regex);
10 use PVE
::Exception
qw(raise_param_exc);
12 use PVE
::RPCEnvironment
;
13 use PVE
::JSONSchema
qw(get_standard_option);
14 use PVE
::AccessControl
;
17 use base
qw(PVE::RESTHandler);
21 require PVE
::Network
::SDN
;
25 my $iflockfn = "/etc/network/.pve-interfaces.lock";
27 my $bond_mode_enum = [
29 'active-backup', # OVS and Linux
36 'lacp-balance-slb', # OVS
37 'lacp-balance-tcp', # OVS
40 my $network_type_enum = ['bridge', 'bond', 'eth', 'alias', 'vlan',
41 'OVSBridge', 'OVSBond', 'OVSPort', 'OVSIntPort'];
45 description
=> "Network interface type",
47 enum
=> [@$network_type_enum, 'unknown'],
50 description
=> "Comments",
55 description
=> "Comments",
60 description
=> "Automatically start interface on boot.",
64 bridge_vlan_aware
=> {
65 description
=> "Enable bridge vlan support.",
70 description
=> "Specify the interfaces you want to add to your bridge.",
72 type
=> 'string', format
=> 'pve-iface-list',
75 description
=> "Specify the interfaces you want to add to your bridge.",
77 type
=> 'string', format
=> 'pve-iface-list',
80 description
=> "Specify a VLan tag (used by OVSPort, OVSIntPort, OVSBond)",
87 description
=> "OVS interface options.",
93 description
=> "The OVS bridge associated with a OVS port. This is required when you create an OVS port.",
95 type
=> 'string', format
=> 'pve-iface',
98 description
=> "Specify the interfaces used by the bonding device.",
100 type
=> 'string', format
=> 'pve-iface-list',
103 description
=> "Specify the interfaces used by the bonding device.",
105 type
=> 'string', format
=> 'pve-iface-list',
108 description
=> "Bonding mode.",
110 type
=> 'string', enum
=> $bond_mode_enum,
113 description
=> "Specify the primary interface for active-backup bond.",
115 type
=> 'string', format
=> 'pve-iface',
117 bond_xmit_hash_policy
=> {
118 description
=> "Selects the transmit hash policy to use for slave selection in balance-xor and 802.3ad modes.",
121 enum
=> ['layer2', 'layer2+3', 'layer3+4' ],
123 'vlan-raw-device' => {
124 description
=> "Specify the raw interface for the vlan interface.",
126 type
=> 'string', format
=> 'pve-iface',
129 description
=> "vlan-id for a custom named vlan interface (ifupdown2 only).",
136 description
=> 'Default gateway address.',
137 type
=> 'string', format
=> 'ipv4',
141 description
=> 'Network mask.',
142 type
=> 'string', format
=> 'ipv4mask',
144 requires
=> 'address',
147 description
=> 'IP address.',
148 type
=> 'string', format
=> 'ipv4',
150 requires
=> 'netmask',
153 description
=> 'IPv4 CIDR.',
154 type
=> 'string', format
=> 'CIDRv4',
158 description
=> 'MTU.',
165 description
=> 'Default ipv6 gateway address.',
166 type
=> 'string', format
=> 'ipv6',
170 description
=> 'Network mask.',
171 type
=> 'integer', minimum
=> 0, maximum
=> 128,
173 requires
=> 'address6',
176 description
=> 'IP address.',
177 type
=> 'string', format
=> 'ipv6',
179 requires
=> 'netmask6',
182 description
=> 'IPv6 CIDR.',
183 type
=> 'string', format
=> 'CIDRv6',
188 sub json_config_properties
{
191 foreach my $opt (keys %$confdesc) {
192 $prop->{$opt} = $confdesc->{$opt};
198 __PACKAGE__-
>register_method({
202 permissions
=> { user
=> 'all' },
203 description
=> "List available networks",
206 additionalProperties
=> 0,
208 node
=> get_standard_option
('pve-node'),
210 description
=> "Only list specific interface types.",
212 enum
=> [ @$network_type_enum, 'any_bridge', 'any_local_bridge' ],
223 links
=> [ { rel
=> 'child', href
=> "{iface}" } ],
228 my $rpcenv = PVE
::RPCEnvironment
::get
();
229 my $authuser = $rpcenv->get_user();
231 my $tmp = PVE
::INotify
::read_file
('interfaces', 1);
232 my $config = $tmp->{data
};
233 my $changes = $tmp->{changes
};
235 $rpcenv->set_result_attrib('changes', $changes) if $changes;
237 my $ifaces = $config->{ifaces
};
239 delete $ifaces->{lo
}; # do not list the loopback device
241 if (my $tfilter = $param->{type
}) {
244 if ($have_sdn && $tfilter eq 'any_bridge') {
245 $vnets = PVE
::Network
::SDN
::get_local_vnets
(); # returns already access-filtered
248 for my $k (sort keys $ifaces->%*) {
249 my $type = $ifaces->{$k}->{type
};
250 my $match = ($tfilter eq $type) || (
251 ($tfilter =~ /^any(_local)?_bridge$/) &&
252 ($type eq 'bridge' || $type eq 'OVSBridge'));
253 delete $ifaces->{$k} if !$match;
256 if (defined($vnets)) {
257 $ifaces->{$_} = $vnets->{$_} for keys $vnets->%*
261 #always check bridge access
262 my $can_access_vnet = sub {
263 return 1 if $authuser eq 'root@pam';
264 return 1 if $rpcenv->check_sdn_bridge($authuser, "localnetwork", $_[0], ['SDN.Audit', 'SDN.Use'], 1);
266 for my $k (sort keys $ifaces->%*) {
267 my $type = $ifaces->{$k}->{type
};
268 delete $ifaces->{$k} if ($type eq 'bridge' || $type eq 'OVSBridge') && !$can_access_vnet->($k);
271 return PVE
::RESTHandler
::hash_to_array
($ifaces, 'iface');
274 __PACKAGE__-
>register_method({
275 name
=> 'revert_network_changes',
279 check
=> ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
282 description
=> "Revert network configuration changes.",
285 additionalProperties
=> 0,
287 node
=> get_standard_option
('pve-node'),
290 returns
=> { type
=> "null" },
294 unlink "/etc/network/interfaces.new";
299 my $check_duplicate = sub {
300 my ($config, $newiface, $key, $name) = @_;
302 foreach my $iface (keys %$config) {
303 raise_param_exc
({ $key => "$name already exists on interface '$iface'." })
304 if ($newiface ne $iface) && $config->{$iface}->{$key};
308 my $check_duplicate_gateway = sub {
309 my ($config, $newiface) = @_;
310 return &$check_duplicate($config, $newiface, 'gateway', 'Default gateway');
313 my $check_duplicate_gateway6 = sub {
314 my ($config, $newiface) = @_;
315 return &$check_duplicate($config, $newiface, 'gateway6', 'Default ipv6 gateway');
318 my $check_duplicate_ports = sub {
319 my ($config, $newiface, $newparam) = @_;
322 my $get_portlist = sub {
325 for my $k (qw(bridge_ports ovs_ports slaves ovs_bonds)) {
327 $ports .= " $param->{$k}";
331 return PVE
::Tools
::split_list
($ports);
335 for my $p ($get_portlist->($newparam)) {
336 $new_ports->{$p} = 1;
338 return if !(keys %$new_ports);
340 for my $iface (keys %$config) {
341 next if $iface eq $newiface;
343 my $d = $config->{$iface};
344 for my $p ($get_portlist->($d)) {
345 raise_param_exc
({ $param_name => "$p is already used on interface '$iface'." })
352 return Net
::IP
::ip_iptobin
(Net
::IP
::ip_expand_address
(shift, 6), 6);
355 my $check_ipv6_settings = sub {
356 my ($address, $netmask) = @_;
358 raise_param_exc
({ netmask
=> "$netmask is not a valid subnet length for ipv6" })
359 if $netmask < 0 || $netmask > 128;
361 raise_param_exc
({ address
=> "$address is not a valid host IPv6 address." })
362 if !Net
::IP
::ip_is_ipv6
($address);
364 my $binip = ipv6_tobin
($address);
365 my $binmask = Net
::IP
::ip_get_mask
($netmask, 6);
367 my $type = ($binip eq $binmask) ?
'ANYCAST' : Net
::IP
::ip_iptypev6
($binip);
369 if (defined($type) && $type !~ /^(?:(?:GLOBAL|(?:UNIQUE|LINK)-LOCAL)-UNICAST)$/) {
370 raise_param_exc
({ address
=> "$address with type '$type', cannot be used as host IPv6 address." });
374 my $map_cidr_to_address_netmask = sub {
377 if ($param->{cidr
}) {
378 raise_param_exc
({ address
=> "address conflicts with cidr" })
379 if $param->{address
};
380 raise_param_exc
({ netmask
=> "netmask conflicts with cidr" })
381 if $param->{netmask
};
383 my ($address, $netmask) = $param->{cidr
} =~ m!^(.*)/(\d+)$!;
384 $param->{address
} = $address;
385 $param->{netmask
} = $netmask;
386 delete $param->{cidr
};
389 if ($param->{cidr6
}) {
390 raise_param_exc
({ address6
=> "address6 conflicts with cidr6" })
391 if $param->{address6
};
392 raise_param_exc
({ netmask6
=> "netmask6 conflicts with cidr6" })
393 if $param->{netmask6
};
395 my ($address, $netmask) = $param->{cidr6
} =~ m!^(.*)/(\d+)$!;
396 $param->{address6
} = $address;
397 $param->{netmask6
} = $netmask;
398 delete $param->{cidr6
};
402 __PACKAGE__-
>register_method({
403 name
=> 'create_network',
407 check
=> ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
409 description
=> "Create network device configuration",
413 additionalProperties
=> 0,
414 properties
=> json_config_properties
({
415 node
=> get_standard_option
('pve-node'),
416 iface
=> get_standard_option
('pve-iface')}),
418 returns
=> { type
=> 'null' },
422 my $node = extract_param
($param, 'node');
423 my $iface = extract_param
($param, 'iface');
426 my $config = PVE
::INotify
::read_file
('interfaces');
427 my $ifaces = $config->{ifaces
};
429 raise_param_exc
({ iface
=> "interface already exists" })
430 if $ifaces->{$iface};
432 &$check_duplicate_gateway($ifaces, $iface)
433 if $param->{gateway
};
434 &$check_duplicate_gateway6($ifaces, $iface)
435 if $param->{gateway6
};
437 $check_duplicate_ports->($ifaces, $iface, $param);
439 $map_cidr_to_address_netmask->($param);
441 &$check_ipv6_settings($param->{address6
}, int($param->{netmask6
}))
442 if $param->{address6
};
444 my $families = $param->{families
} = [];
445 push @$families, 'inet'
446 if $param->{address
} && !grep(/^inet$/, @$families);
447 push @$families, 'inet6'
448 if $param->{address6
} && !grep(/^inet6$/, @$families);
449 @$families = ('inet') if !scalar(@$families);
451 $param->{method} = $param->{address
} ?
'static' : 'manual';
452 $param->{method6
} = $param->{address6
} ?
'static' : 'manual';
454 if ($param->{type
} =~ m/^OVS/) {
455 -x
'/usr/bin/ovs-vsctl' ||
456 die "Open VSwitch is not installed (need package 'openvswitch-switch')\n";
459 if ($param->{type
} eq 'OVSIntPort' || $param->{type
} eq 'OVSBond') {
460 my $brname = $param->{ovs_bridge
};
461 raise_param_exc
({ ovs_bridge
=> "parameter is required" }) if !$brname;
462 my $br = $ifaces->{$brname};
463 raise_param_exc
({ ovs_bridge
=> "bridge '$brname' does not exist" }) if !$br;
464 raise_param_exc
({ ovs_bridge
=> "interface '$brname' is no OVS bridge" })
465 if $br->{type
} ne 'OVSBridge';
467 my @ports = split (/\s+/, $br->{ovs_ports
} || '');
468 $br->{ovs_ports
} = join(' ', @ports, $iface)
469 if ! grep { $_ eq $iface } @ports;
472 $ifaces->{$iface} = $param;
474 PVE
::INotify
::write_file
('interfaces', $config);
477 PVE
::Tools
::lock_file
($iflockfn, 10, $code);
483 __PACKAGE__-
>register_method({
484 name
=> 'update_network',
488 check
=> ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
490 description
=> "Update network device configuration",
494 additionalProperties
=> 0,
495 properties
=> json_config_properties
({
496 node
=> get_standard_option
('pve-node'),
497 iface
=> get_standard_option
('pve-iface'),
499 type
=> 'string', format
=> 'pve-configid-list',
500 description
=> "A list of settings you want to delete.",
504 returns
=> { type
=> 'null' },
508 my $node = extract_param
($param, 'node');
509 my $iface = extract_param
($param, 'iface');
510 my $delete = extract_param
($param, 'delete');
513 my $config = PVE
::INotify
::read_file
('interfaces');
514 my $ifaces = $config->{ifaces
};
516 raise_param_exc
({ iface
=> "interface does not exist" })
517 if !$ifaces->{$iface};
519 my $families = ($param->{families
} ||= []);
520 foreach my $k (PVE
::Tools
::split_list
($delete)) {
521 delete $ifaces->{$iface}->{$k};
522 @$families = grep(!/^inet$/, @$families) if $k eq 'address';
523 @$families = grep(!/^inet6$/, @$families) if $k eq 'address6';
525 delete $ifaces->{$iface}->{netmask
};
526 delete $ifaces->{$iface}->{address
};
527 } elsif ($k eq 'cidr6') {
528 delete $ifaces->{$iface}->{netmask6
};
529 delete $ifaces->{$iface}->{address6
};
533 $map_cidr_to_address_netmask->($param);
535 &$check_duplicate_gateway($ifaces, $iface)
536 if $param->{gateway
};
537 &$check_duplicate_gateway6($ifaces, $iface)
538 if $param->{gateway6
};
540 $check_duplicate_ports->($ifaces, $iface, $param);
542 if ($param->{address
}) {
543 push @$families, 'inet' if !grep(/^inet$/, @$families);
545 @$families = grep(!/^inet$/, @$families);
547 if ($param->{address6
}) {
548 &$check_ipv6_settings($param->{address6
}, int($param->{netmask6
}));
549 push @$families, 'inet6' if !grep(/^inet6$/, @$families);
551 @$families = grep(!/^inet6$/, @$families);
553 @$families = ('inet') if !scalar(@$families);
555 $param->{method} = $param->{address
} ?
'static' : 'manual';
556 $param->{method6
} = $param->{address6
} ?
'static' : 'manual';
558 foreach my $k (keys %$param) {
559 $ifaces->{$iface}->{$k} = $param->{$k};
562 PVE
::INotify
::write_file
('interfaces', $config);
565 PVE
::Tools
::lock_file
($iflockfn, 10, $code);
571 __PACKAGE__-
>register_method({
572 name
=> 'network_config',
576 check
=> ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
578 description
=> "Read network device configuration",
581 additionalProperties
=> 0,
583 node
=> get_standard_option
('pve-node'),
584 iface
=> get_standard_option
('pve-iface'),
601 my $config = PVE
::INotify
::read_file
('interfaces');
602 my $ifaces = $config->{ifaces
};
604 raise_param_exc
({ iface
=> "interface does not exist" })
605 if !$ifaces->{$param->{iface
}};
607 return $ifaces->{$param->{iface
}};
610 sub ifupdown2_version
{
612 PVE
::Tools
::run_command
(['ifreload', '-V'], outfunc
=> sub { $v //= shift });
613 return if !defined($v) || $v !~ /^\s*ifupdown2:(\S+)\s*$/;
615 my ($major, $minor, $extra, $pve) = split(/\.|-/, $v);
616 my $is_pve = defined($pve) && $pve =~ /(pve|pmx|proxmox)/;
618 return ($major * 100000 + $minor * 1000 + $extra * 10, $is_pve, $v);
620 sub assert_ifupdown2_installed
{
621 die "you need ifupdown2 to reload network configuration\n" if ! -e
'/usr/share/ifupdown2';
622 my ($v, $pve, $v_str) = ifupdown2_version
();
623 die "incompatible 'ifupdown2' package version '$v_str'! Did you installed from Proxmox repositories?\n"
624 if $v < (1*100000 + 2*1000 + 8*10) || !$pve;
627 __PACKAGE__-
>register_method({
628 name
=> 'reload_network_config',
632 check
=> ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
634 description
=> "Reload network configuration",
638 additionalProperties
=> 0,
640 node
=> get_standard_option
('pve-node'),
643 returns
=> { type
=> 'string' },
648 my $rpcenv = PVE
::RPCEnvironment
::get
();
650 my $authuser = $rpcenv->get_user();
652 my $current_config_file = "/etc/network/interfaces";
653 my $new_config_file = "/etc/network/interfaces.new";
655 assert_ifupdown2_installed
();
659 rename($new_config_file, $current_config_file) if -e
$new_config_file;
662 PVE
::Network
::SDN
::generate_zone_config
();
667 if ($line =~ /(warning|error): (\S+):/) {
668 print "$2 : $line \n";
671 PVE
::Tools
::run_command
(['ifreload', '-a'], errfunc
=> $err);
674 PVE
::Network
::SDN
::generate_controller_config
(1);
677 return $rpcenv->fork_worker('srvreload', 'networking', $authuser, $worker);
680 __PACKAGE__-
>register_method({
681 name
=> 'delete_network',
685 check
=> ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
687 description
=> "Delete network device configuration",
691 additionalProperties
=> 0,
693 node
=> get_standard_option
('pve-node'),
694 iface
=> get_standard_option
('pve-iface'),
697 returns
=> { type
=> 'null' },
702 my $config = PVE
::INotify
::read_file
('interfaces');
703 my $ifaces = $config->{ifaces
};
705 raise_param_exc
({ iface
=> "interface does not exist" })
706 if !$ifaces->{$param->{iface
}};
708 my $d = $ifaces->{$param->{iface
}};
709 if ($d->{type
} eq 'OVSIntPort' || $d->{type
} eq 'OVSBond') {
710 if (my $brname = $d->{ovs_bridge
}) {
711 if (my $br = $ifaces->{$brname}) {
712 if ($br->{ovs_ports
}) {
713 my @ports = split (/\s+/, $br->{ovs_ports
});
714 my @new = grep { $_ ne $param->{iface
} } @ports;
715 $br->{ovs_ports
} = join(' ', @new);
721 delete $ifaces->{$param->{iface
}};
723 PVE
::INotify
::write_file
('interfaces', $config);
726 PVE
::Tools
::lock_file
($iflockfn, 10, $code);