[pve-network.git] / PVE / Network / SDN / Controllers / EvpnPlugin.pm

package PVE::Network::SDN::Controllers::EvpnPlugin;

use strict;
use warnings;

use PVE::INotify;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Tools qw(run_command file_set_contents file_get_contents);

use PVE::Network::SDN::Controllers::Plugin;
use PVE::Network::SDN::Zones::Plugin;
use Net::IP;

use base('PVE::Network::SDN::Controllers::Plugin');

sub type {
    return 'evpn';
}

sub properties {
    return {
	asn => {
	    type => 'integer',
	    description => "autonomous system number",
	    minimum => 0,
	    maximum => 4294967296
	},
	peers => {
	    description => "peers address list.",
	    type => 'string', format => 'ip-list'
	},
    };
}

sub options {
    return {
	'asn' => { optional => 0 },
	'peers' => { optional => 0 },
    };
}

# Plugin implementation
sub generate_controller_config {
    my ($class, $plugin_config, $controller_cfg, $id, $uplinks, $config) = @_;

    my @peers;
    @peers = PVE::Tools::split_list($plugin_config->{'peers'}) if $plugin_config->{'peers'};

    my $local_node = PVE::INotify::nodename();

    my $asn = $plugin_config->{asn};
    my $ebgp = undef;
    my $loopback = undef;
    my $autortas = undef;
    my $bgprouter = find_bgp_controller($local_node, $controller_cfg);
    if ($bgprouter) {
	$ebgp = 1 if $plugin_config->{'asn'} ne $bgprouter->{asn};
	$loopback = $bgprouter->{loopback} if $bgprouter->{loopback};
	$asn = $bgprouter->{asn} if $bgprouter->{asn};
	$autortas = $plugin_config->{'asn'} if $ebgp;
    }

    return if !$asn;

    my $bgp = $config->{frr}->{router}->{"bgp $asn"} //= {};

    my ($ifaceip, $interface) = PVE::Network::SDN::Zones::Plugin::find_local_ip_interface_peers(\@peers, $loopback);

    my $remoteas = $ebgp ? "external" : $asn;

    #global options
    my @controller_config = (
	"bgp router-id $ifaceip",
	"no bgp default ipv4-unicast",
	"coalesce-time 1000",
    );

    push(@{$bgp->{""}}, @controller_config) if keys %{$bgp} == 0;

    @controller_config = ();

    #VTEP neighbors
    push @controller_config, "neighbor VTEP peer-group";
    push @controller_config, "neighbor VTEP remote-as $remoteas";
    push @controller_config, "neighbor VTEP bfd";

    if($ebgp && $loopback) {
	push @controller_config, "neighbor VTEP ebgp-multihop 10";
	push @controller_config, "neighbor VTEP update-source $loopback";
    }

    # VTEP peers
    foreach my $address (@peers) {
	next if $address eq $ifaceip;
	push @controller_config, "neighbor $address peer-group VTEP";
    }

    push(@{$bgp->{""}}, @controller_config);

    # address-family l2vpn
    @controller_config = ();
    push @controller_config, "neighbor VTEP route-map MAP_VTEP_IN in";
    push @controller_config, "neighbor VTEP route-map MAP_VTEP_OUT out";
    push @controller_config, "neighbor VTEP activate";
    push @controller_config, "advertise-all-vni";
    push @controller_config, "autort as $autortas" if $autortas;
    push(@{$bgp->{"address-family"}->{"l2vpn evpn"}}, @controller_config);

    my $routemap = { rule => undef, action => "permit" };
    push(@{$config->{frr_routemap}->{'MAP_VTEP_IN'}}, $routemap );
    push(@{$config->{frr_routemap}->{'MAP_VTEP_OUT'}}, $routemap );

    return $config;
}

sub generate_controller_zone_config {
    my ($class, $plugin_config, $controller, $controller_cfg, $id, $uplinks, $config) = @_;

    my $local_node = PVE::INotify::nodename();

    my $vrf = "vrf_$id";
    my $vrfvxlan = $plugin_config->{'vrf-vxlan'};
    my $exitnodes = $plugin_config->{'exitnodes'};
    my $exitnodes_primary = $plugin_config->{'exitnodes-primary'};
    my $advertisesubnets = $plugin_config->{'advertise-subnets'};
    my $exitnodes_local_routing = $plugin_config->{'exitnodes-local-routing'};
    my $rt_import;
    $rt_import = [PVE::Tools::split_list($plugin_config->{'rt-import'})] if $plugin_config->{'rt-import'};

    my $asn = $controller->{asn};
    my @peers;
    @peers = PVE::Tools::split_list($controller->{'peers'}) if $controller->{'peers'};
    my $ebgp = undef;
    my $loopback = undef;
    my $autortas = undef;
    my $bgprouter = find_bgp_controller($local_node, $controller_cfg);
    if($bgprouter) {
        $ebgp = 1 if $controller->{'asn'} ne $bgprouter->{asn};
	$loopback = $bgprouter->{loopback} if $bgprouter->{loopback};
	$asn = $bgprouter->{asn} if $bgprouter->{asn};
	$autortas = $controller->{'asn'} if $ebgp;
    }

    return if !$vrf || !$vrfvxlan || !$asn;

    my ($ifaceip, $interface) = PVE::Network::SDN::Zones::Plugin::find_local_ip_interface_peers(\@peers, $loopback);

    # vrf
    my @controller_config = ();
    push @controller_config, "vni $vrfvxlan";
    push(@{$config->{frr}->{vrf}->{"$vrf"}}, @controller_config);

    #main vrf router
    @controller_config = ();
    push @controller_config, "bgp router-id $ifaceip";
#    push @controller_config, "!";
    push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{""}}, @controller_config);

    if ($autortas) {
	push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{"address-family"}->{"l2vpn evpn"}}, "route-target import $autortas:$vrfvxlan");
	push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{"address-family"}->{"l2vpn evpn"}}, "route-target export $autortas:$vrfvxlan");
    }

    my $is_gateway = $exitnodes->{$local_node};

    if ($is_gateway) {

	if (!$exitnodes_primary || $exitnodes_primary eq $local_node) {
	    #filter default type5 route coming from other exit nodes on primary node or both nodes if no primary is defined.
	    my $routemap_config = ();
	    push @{$routemap_config}, "match evpn route-type prefix";
	    my $routemap = { rule => $routemap_config, action => "deny" };
	    unshift(@{$config->{frr_routemap}->{'MAP_VTEP_IN'}}, $routemap);
	} elsif ($exitnodes_primary ne $local_node) {
	    my $routemap_config = ();
	    push @{$routemap_config}, "match evpn vni $vrfvxlan";
	    push @{$routemap_config}, "match evpn route-type prefix";
	    push @{$routemap_config}, "set metric 200";
	    my $routemap = { rule => $routemap_config, action => "permit" };
	    unshift(@{$config->{frr_routemap}->{'MAP_VTEP_OUT'}}, $routemap);
        }


	if (!$exitnodes_local_routing) {
	    @controller_config = ();
	    #import /32 routes of evpn network from vrf1 to default vrf (for packet return)
	    push @controller_config, "import vrf $vrf";
	    push(@{$config->{frr}->{router}->{"bgp $asn"}->{"address-family"}->{"ipv4 unicast"}}, @controller_config);
	    push(@{$config->{frr}->{router}->{"bgp $asn"}->{"address-family"}->{"ipv6 unicast"}}, @controller_config);

	    @controller_config = ();
	    #redistribute connected to be able to route to local vms on the gateway
	    push @controller_config, "redistribute connected";
	    push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{"address-family"}->{"ipv4 unicast"}}, @controller_config);
	    push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{"address-family"}->{"ipv6 unicast"}}, @controller_config);
	}

	@controller_config = ();
	#add default originate to announce 0.0.0.0/0 type5 route in evpn
	push @controller_config, "default-originate ipv4";
	push @controller_config, "default-originate ipv6";
	push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{"address-family"}->{"l2vpn evpn"}}, @controller_config);
    } elsif ($advertisesubnets) {

	@controller_config = ();
	#redistribute connected networks
	push @controller_config, "redistribute connected";
	push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{"address-family"}->{"ipv4 unicast"}}, @controller_config);
	push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{"address-family"}->{"ipv6 unicast"}}, @controller_config);

	@controller_config = ();
	#advertise connected networks type5 route in evpn
	push @controller_config, "advertise ipv4 unicast";
	push @controller_config, "advertise ipv6 unicast";
	push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{"address-family"}->{"l2vpn evpn"}}, @controller_config);
    }

    if ($rt_import) {
	@controller_config = ();
	foreach my $rt (sort @{$rt_import}) {
	    push @controller_config, "route-target import $rt";
	}
	push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{"address-family"}->{"l2vpn evpn"}}, @controller_config);
    }

    return $config;
}

sub generate_controller_vnet_config {
    my ($class, $plugin_config, $controller, $zone, $zoneid, $vnetid, $config) = @_;

    my $exitnodes = $zone->{'exitnodes'};
    my $exitnodes_local_routing = $zone->{'exitnodes-local-routing'};

    return if !$exitnodes_local_routing;

    my $local_node = PVE::INotify::nodename();
    my $is_gateway = $exitnodes->{$local_node};

    return if !$is_gateway;

    my $subnets = PVE::Network::SDN::Vnets::get_subnets($vnetid, 1);
    my @controller_config = ();
    foreach my $subnetid (sort keys %{$subnets}) {
        my $subnet = $subnets->{$subnetid};
	my $cidr = $subnet->{cidr};
	push @controller_config, "ip route $cidr 10.255.255.2 xvrf_$zoneid";
    }
    push(@{$config->{frr}->{''}}, @controller_config);
}

sub on_delete_hook {
    my ($class, $controllerid, $zone_cfg) = @_;

    # verify that zone is associated to this controller
    foreach my $id (keys %{$zone_cfg->{ids}}) {
	my $zone = $zone_cfg->{ids}->{$id};
	die "controller $controllerid is used by $id"
	    if (defined($zone->{controller}) && $zone->{controller} eq $controllerid);
    }
}

sub on_update_hook {
    my ($class, $controllerid, $controller_cfg) = @_;

    # we can only have 1 evpn controller / 1 asn by server

    my $controllernb = 0;
    foreach my $id (keys %{$controller_cfg->{ids}}) {
	next if $id eq $controllerid;
	my $controller = $controller_cfg->{ids}->{$id};
	next if $controller->{type} ne "evpn";
	$controllernb++;
	die "only 1 global evpn controller can be defined" if $controllernb > 1;
    }
}

sub find_bgp_controller {
    my ($nodename, $controller_cfg) = @_;

    my $controller = undef;
    foreach my $id  (keys %{$controller_cfg->{ids}}) {
        $controller = $controller_cfg->{ids}->{$id};
        next if $controller->{type} ne 'bgp';
        next if $controller->{node} ne $nodename;
	last;
    }

    return $controller;
}


sub sort_frr_config {
    my $order = {};
    $order->{''} = 0;
    $order->{'vrf'} = 1;
    $order->{'ipv4 unicast'} = 1;
    $order->{'ipv6 unicast'} = 2;
    $order->{'l2vpn evpn'} = 3;

    my $a_val = 100;
    my $b_val = 100;

    $a_val = $order->{$a} if defined($order->{$a});
    $b_val = $order->{$b} if defined($order->{$b});

    if ($a =~ /bgp (\d+)$/) {
	$a_val = 2;
    }

    if ($b =~ /bgp (\d+)$/) {
	$b_val = 2;
    }

    return $a_val <=> $b_val;
}

sub generate_frr_recurse{
   my ($final_config, $content, $parentkey, $level) = @_;

   my $keylist = {};
   $keylist->{vrf} = 1;
   $keylist->{'address-family'} = 1;
   $keylist->{router} = 1;

   my $exitkeylist = {};
   $exitkeylist->{vrf} = 1;
   $exitkeylist->{'address-family'} = 1;

   my $simple_exitkeylist = {};
   $simple_exitkeylist->{router} = 1;

   # FIXME: make this generic
   my $paddinglevel = undef;
   if ($level == 1 || $level == 2) {
	$paddinglevel = $level - 1;
   } elsif ($level == 3 || $level ==  4) {
	$paddinglevel = $level - 2;
   }

   my $padding = "";
   $padding = ' ' x ($paddinglevel) if $paddinglevel;

   if (ref $content eq  'HASH') {
	foreach my $key (sort sort_frr_config keys %$content) {
	    if ($parentkey && defined($keylist->{$parentkey})) {
		push @{$final_config}, $padding."!";
		push @{$final_config}, $padding."$parentkey $key";
	    } elsif ($key ne '' && !defined($keylist->{$key})) {
		push @{$final_config}, $padding."$key";
	    }

	    my $option = $content->{$key};
	    generate_frr_recurse($final_config, $option, $key, $level+1);

	    push @{$final_config}, $padding."exit-$parentkey" if $parentkey && defined($exitkeylist->{$parentkey});
	    push @{$final_config}, $padding."exit" if $parentkey && defined($simple_exitkeylist->{$parentkey});
	}
    }

    if (ref $content eq 'ARRAY') {
	push @{$final_config}, map { $padding . "$_" } @$content;
    }
}

sub generate_frr_routemap {
   my ($final_config, $routemaps) = @_;

   foreach my $id (sort keys %$routemaps) {

	my $routemap = $routemaps->{$id};
	my $order = 0;
	foreach my $seq (@$routemap) {
		$order++;
		next if !defined($seq->{action});
		my @config = ();
		push @config, "!";
		push @config, "route-map $id $seq->{action} $order";
		my $rule = $seq->{rule};
		push @config, map { " $_" } @$rule;
		push @{$final_config}, @config;
		push @{$final_config}, "exit";
	}
   }
}

sub generate_frr_accesslist {
    my ($final_config, $accesslists) = @_;

    my $config = [];

    for my $id (sort keys %$accesslists) {
	my $accesslist = $accesslists->{$id};

	for my $seq (sort keys %$accesslist) {
	    my $rule = $accesslist->{$seq};
	    push @$config, "access-list $id seq $seq $rule";
	}
    }

    if (@$config > 0) {
	push @{$final_config}, "!", @$config;
    }
}

sub generate_controller_rawconfig {
    my ($class, $plugin_config, $config) = @_;

    my $nodename = PVE::INotify::nodename();

    my $final_config = [];
    push @{$final_config}, "frr version 8.2.2";
    push @{$final_config}, "frr defaults datacenter";
    push @{$final_config}, "hostname $nodename";
    push @{$final_config}, "log syslog informational";
    push @{$final_config}, "service integrated-vtysh-config";
    push @{$final_config}, "!";

    if (-e "/etc/frr/frr.conf.local") {
	my $local_conf = file_get_contents("/etc/frr/frr.conf.local");
	parse_merge_frr_local_config($config, $local_conf);
    }

    generate_frr_recurse($final_config, $config->{frr}, undef, 0);
    generate_frr_accesslist($final_config, $config->{frr_access_list});
    generate_frr_routemap($final_config, $config->{frr_routemap});

    push @{$final_config}, "!";
    push @{$final_config}, "line vty";
    push @{$final_config}, "!";

    my $rawconfig = join("\n", @{$final_config});

    return if !$rawconfig;
    return $rawconfig;
}

sub parse_merge_frr_local_config {
    my ($config, $local_conf) = @_;

    my $section = \$config->{""};
    my $router = undef;
    my $routemap = undef;
    my $routemap_config = ();
    my $routemap_action = undef;

    while ($local_conf =~ /^\s*(.+?)\s*$/gm) {
        my $line = $1;
	$line =~ s/^\s+|\s+$//g;

	if ($line =~ m/^router (.+)$/) {
	    $router = $1;
	    $section = \$config->{'frr'}->{'router'}->{$router}->{""};
	    next;
	} elsif ($line =~ m/^vrf (.+)$/) {
	    $section = \$config->{'frr'}->{'vrf'}->{$1};
	    next;
	} elsif ($line =~ m/address-family (.+)$/) {
	    $section = \$config->{'frr'}->{'router'}->{$router}->{'address-family'}->{$1};
	    next;
	} elsif ($line =~ m/^route-map (.+) (permit|deny) (\d+)/) {
	    $routemap = $1;
	    $routemap_config = ();
	    $routemap_action = $2;
	    $section = \$config->{'frr_routemap'}->{$routemap};
	    next;
	} elsif ($line =~ m/^access-list (.+) seq (\d+) (.+)$/) {
	    $config->{'frr_access_list'}->{$1}->{$2} = $3;
	    next;
	} elsif($line =~ m/^exit-address-family$/) {
	    next;
	} elsif($line =~ m/^exit$/) {
	    if($router) {
		$section = \$config->{''};
		$router = undef;
	    } elsif($routemap) {
		push(@{$$section}, { rule => $routemap_config, action => $routemap_action });
		$section = \$config->{''};
		$routemap = undef;
		$routemap_action = undef;
		$routemap_config = ();
	    }
	    next;
	} elsif($line =~ m/!/) {
	    next;
	}

	next if !$section;
	if($routemap) {
	    push(@{$routemap_config}, $line);
	} else {
	    push(@{$$section}, $line);
	}
    }
}

sub write_controller_config {
    my ($class, $plugin_config, $config) = @_;

    my $rawconfig = $class->generate_controller_rawconfig($plugin_config, $config);
    return if !$rawconfig;
    return if !-d "/etc/frr";

    file_set_contents("/etc/frr/frr.conf", $rawconfig);
}

sub reload_controller {
    my ($class) = @_;

    my $conf_file = "/etc/frr/frr.conf";
    my $bin_path = "/usr/lib/frr/frr-reload.py";

    if (!-e $bin_path) {
	warn "missing $bin_path. Please install frr-pythontools package";
	return;
    }

    my $err = sub {
	my $line = shift;
	if ($line =~ /ERROR:/) {
	    warn "$line \n";
	}
    };

    if (-e $conf_file && -e $bin_path) {
	eval {
	    run_command([$bin_path, '--stdout', '--reload', $conf_file], outfunc => {}, errfunc => $err);
	};
	if ($@) {
	    warn "frr reload command fail. Restarting frr.";
	    eval { run_command(['systemctl', 'restart', 'frr']); };
	}
    }
}

1;
Commit	Line	Data
fa253735	1	package PVE::Network::SDN::Controllers::EvpnPlugin;
32602a38 AD	2
	3	use strict;
	4	use warnings;
cdf2c819	5
074d270b AD	6	use PVE::INotify;
074d270b AD	7	use PVE::JSONSchema qw(get_standard_option);
cdf2c819 TL	8	use PVE::Tools qw(run_command file_set_contents file_get_contents);
	9
	10	use PVE::Network::SDN::Controllers::Plugin;
1f543c5f	11	use PVE::Network::SDN::Zones::Plugin;
f23633dc	12	use Net::IP;
cdf2c819	13
f5eabba0	14	use base('PVE::Network::SDN::Controllers::Plugin');
32602a38 AD	15
32602a38 AD	16	sub type {
fa253735	17	return 'evpn';
8fb1ee7f AD	18	}
8fb1ee7f AD	19
32602a38 AD	20	sub properties {
32602a38 AD	21	return {
92526f0e TL	22	asn => {
	23	type => 'integer',
	24	description => "autonomous system number",
9e6b99fd AD	25	minimum => 0,
9e6b99fd AD	26	maximum => 4294967296
92526f0e TL	27	},
	28	peers => {
	29	description => "peers address list.",
	30	type => 'string', format => 'ip-list'
	31	},
32602a38 AD	32	};
	33	}
	34
	35	sub options {
32602a38	36	return {
92526f0e TL	37	'asn' => { optional => 0 },
92526f0e TL	38	'peers' => { optional => 0 },
32602a38 AD	39	};
	40	}
	41
	42	# Plugin implementation
8fb1ee7f	43	sub generate_controller_config {
f23633dc	44	my ($class, $plugin_config, $controller_cfg, $id, $uplinks, $config) = @_;
32602a38	45
3caa7687 FG	46	my @peers;
3caa7687 FG	47	@peers = PVE::Tools::split_list($plugin_config->{'peers'}) if $plugin_config->{'peers'};
32602a38	48
f23633dc AD	49	my $local_node = PVE::INotify::nodename();
f23633dc AD	50
074d270b	51	my $asn = $plugin_config->{asn};
f23633dc AD	52	my $ebgp = undef;
	53	my $loopback = undef;
	54	my $autortas = undef;
	55	my $bgprouter = find_bgp_controller($local_node, $controller_cfg);
359796b0	56	if ($bgprouter) {
f23633dc AD	57	$ebgp = 1 if $plugin_config->{'asn'} ne $bgprouter->{asn};
	58	$loopback = $bgprouter->{loopback} if $bgprouter->{loopback};
	59	$asn = $bgprouter->{asn} if $bgprouter->{asn};
	60	$autortas = $plugin_config->{'asn'} if $ebgp;
	61	}
074d270b AD	62
074d270b AD	63	return if !$asn;
32602a38	64
92526f0e TL	65	my $bgp = $config->{frr}->{router}->{"bgp $asn"} //= {};
92526f0e TL	66
f23633dc	67	my ($ifaceip, $interface) = PVE::Network::SDN::Zones::Plugin::find_local_ip_interface_peers(\@peers, $loopback);
32602a38	68
f23633dc	69	my $remoteas = $ebgp ? "external" : $asn;
17854295	70
f23633dc	71	#global options
92526f0e TL	72	my @controller_config = (
	73	"bgp router-id $ifaceip",
	74	"no bgp default ipv4-unicast",
	75	"coalesce-time 1000",
	76	);
32602a38	77
f23633dc AD	78	push(@{$bgp->{""}}, @controller_config) if keys %{$bgp} == 0;
	79
	80	@controller_config = ();
359796b0	81
f23633dc AD	82	#VTEP neighbors
	83	push @controller_config, "neighbor VTEP peer-group";
	84	push @controller_config, "neighbor VTEP remote-as $remoteas";
	85	push @controller_config, "neighbor VTEP bfd";
	86
	87	if($ebgp && $loopback) {
	88	push @controller_config, "neighbor VTEP ebgp-multihop 10";
	89	push @controller_config, "neighbor VTEP update-source $loopback";
	90	}
	91
	92	# VTEP peers
32602a38 AD	93	foreach my $address (@peers) {
32602a38 AD	94	next if $address eq $ifaceip;
f23633dc	95	push @controller_config, "neighbor $address peer-group VTEP";
7d35eaf5	96	}
074d270b	97
92526f0e	98	push(@{$bgp->{""}}, @controller_config);
074d270b	99
f23633dc	100	# address-family l2vpn
56cdcac9	101	@controller_config = ();
916488cc	102	push @controller_config, "neighbor VTEP route-map MAP_VTEP_IN in";
847f5144	103	push @controller_config, "neighbor VTEP route-map MAP_VTEP_OUT out";
f23633dc	104	push @controller_config, "neighbor VTEP activate";
56cdcac9	105	push @controller_config, "advertise-all-vni";
f23633dc	106	push @controller_config, "autort as $autortas" if $autortas;
92526f0e	107	push(@{$bgp->{"address-family"}->{"l2vpn evpn"}}, @controller_config);
32602a38	108
916488cc AD	109	my $routemap = { rule => undef, action => "permit" };
	110	push(@{$config->{frr_routemap}->{'MAP_VTEP_IN'}}, $routemap );
	111	push(@{$config->{frr_routemap}->{'MAP_VTEP_OUT'}}, $routemap );
847f5144	112
32602a38 AD	113	return $config;
	114	}
	115
56cdcac9	116	sub generate_controller_zone_config {
f23633dc AD	117	my ($class, $plugin_config, $controller, $controller_cfg, $id, $uplinks, $config) = @_;
	118
	119	my $local_node = PVE::INotify::nodename();
0589eb09	120
1de0abc0	121	my $vrf = "vrf_$id";
0589eb09	122	my $vrfvxlan = $plugin_config->{'vrf-vxlan'};
f23633dc	123	my $exitnodes = $plugin_config->{'exitnodes'};
847f5144	124	my $exitnodes_primary = $plugin_config->{'exitnodes-primary'};
92d8effb	125	my $advertisesubnets = $plugin_config->{'advertise-subnets'};
3d135423	126	my $exitnodes_local_routing = $plugin_config->{'exitnodes-local-routing'};
be39cee9 TL	127	my $rt_import;
be39cee9 TL	128	$rt_import = [PVE::Tools::split_list($plugin_config->{'rt-import'})] if $plugin_config->{'rt-import'};
f23633dc	129
56cdcac9	130	my $asn = $controller->{asn};
be39cee9 TL	131	my @peers;
be39cee9 TL	132	@peers = PVE::Tools::split_list($controller->{'peers'}) if $controller->{'peers'};
f23633dc AD	133	my $ebgp = undef;
	134	my $loopback = undef;
	135	my $autortas = undef;
	136	my $bgprouter = find_bgp_controller($local_node, $controller_cfg);
	137	if($bgprouter) {
	138	$ebgp = 1 if $controller->{'asn'} ne $bgprouter->{asn};
	139	$loopback = $bgprouter->{loopback} if $bgprouter->{loopback};
	140	$asn = $bgprouter->{asn} if $bgprouter->{asn};
	141	$autortas = $controller->{'asn'} if $ebgp;
	142	}
0589eb09 AD	143
	144	return if !$vrf \|\| !$vrfvxlan \|\| !$asn;
	145
f34a898e AD	146	my ($ifaceip, $interface) = PVE::Network::SDN::Zones::Plugin::find_local_ip_interface_peers(\@peers, $loopback);
f34a898e AD	147
92526f0e	148	# vrf
56cdcac9 AD	149	my @controller_config = ();
	150	push @controller_config, "vni $vrfvxlan";
	151	push(@{$config->{frr}->{vrf}->{"$vrf"}}, @controller_config);
0589eb09	152
f23633dc AD	153	#main vrf router
f23633dc AD	154	@controller_config = ();
f34a898e	155	push @controller_config, "bgp router-id $ifaceip";
f23633dc AD	156	# push @controller_config, "!";
f23633dc AD	157	push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{""}}, @controller_config);
659c27c2	158
f23633dc AD	159	if ($autortas) {
	160	push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{"address-family"}->{"l2vpn evpn"}}, "route-target import $autortas:$vrfvxlan");
	161	push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{"address-family"}->{"l2vpn evpn"}}, "route-target export $autortas:$vrfvxlan");
	162	}
0589eb09	163
b634e577 AD	164	my $is_gateway = $exitnodes->{$local_node};
b634e577 AD	165
0589eb09 AD	166	if ($is_gateway) {
0589eb09 AD	167
359796b0	168	if (!$exitnodes_primary \|\| $exitnodes_primary eq $local_node) {
916488cc AD	169	#filter default type5 route coming from other exit nodes on primary node or both nodes if no primary is defined.
	170	my $routemap_config = ();
	171	push @{$routemap_config}, "match evpn route-type prefix";
	172	my $routemap = { rule => $routemap_config, action => "deny" };
	173	unshift(@{$config->{frr_routemap}->{'MAP_VTEP_IN'}}, $routemap);
	174	} elsif ($exitnodes_primary ne $local_node) {
847f5144 AD	175	my $routemap_config = ();
	176	push @{$routemap_config}, "match evpn vni $vrfvxlan";
	177	push @{$routemap_config}, "match evpn route-type prefix";
	178	push @{$routemap_config}, "set metric 200";
916488cc AD	179	my $routemap = { rule => $routemap_config, action => "permit" };
916488cc AD	180	unshift(@{$config->{frr_routemap}->{'MAP_VTEP_OUT'}}, $routemap);
847f5144 AD	181	}
847f5144 AD	182
916488cc	183
3d135423 AD	184	if (!$exitnodes_local_routing) {
	185	@controller_config = ();
	186	#import /32 routes of evpn network from vrf1 to default vrf (for packet return)
	187	push @controller_config, "import vrf $vrf";
	188	push(@{$config->{frr}->{router}->{"bgp $asn"}->{"address-family"}->{"ipv4 unicast"}}, @controller_config);
	189	push(@{$config->{frr}->{router}->{"bgp $asn"}->{"address-family"}->{"ipv6 unicast"}}, @controller_config);
0589eb09	190
3d135423 AD	191	@controller_config = ();
	192	#redistribute connected to be able to route to local vms on the gateway
	193	push @controller_config, "redistribute connected";
	194	push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{"address-family"}->{"ipv4 unicast"}}, @controller_config);
	195	push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{"address-family"}->{"ipv6 unicast"}}, @controller_config);
	196	}
0589eb09	197
56cdcac9	198	@controller_config = ();
0589eb09	199	#add default originate to announce 0.0.0.0/0 type5 route in evpn
56cdcac9 AD	200	push @controller_config, "default-originate ipv4";
	201	push @controller_config, "default-originate ipv6";
	202	push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{"address-family"}->{"l2vpn evpn"}}, @controller_config);
92d8effb AD	203	} elsif ($advertisesubnets) {
	204
	205	@controller_config = ();
	206	#redistribute connected networks
	207	push @controller_config, "redistribute connected";
	208	push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{"address-family"}->{"ipv4 unicast"}}, @controller_config);
	209	push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{"address-family"}->{"ipv6 unicast"}}, @controller_config);
	210
	211	@controller_config = ();
	212	#advertise connected networks type5 route in evpn
	213	push @controller_config, "advertise ipv4 unicast";
	214	push @controller_config, "advertise ipv6 unicast";
	215	push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{"address-family"}->{"l2vpn evpn"}}, @controller_config);
0589eb09 AD	216	}
0589eb09 AD	217
359796b0	218	if ($rt_import) {
96794fd6 AD	219	@controller_config = ();
	220	foreach my $rt (sort @{$rt_import}) {
	221	push @controller_config, "route-target import $rt";
	222	}
	223	push(@{$config->{frr}->{router}->{"bgp $asn vrf $vrf"}->{"address-family"}->{"l2vpn evpn"}}, @controller_config);
	224	}
	225
0589eb09 AD	226	return $config;
	227	}
	228
3d135423 AD	229	sub generate_controller_vnet_config {
	230	my ($class, $plugin_config, $controller, $zone, $zoneid, $vnetid, $config) = @_;
	231
	232	my $exitnodes = $zone->{'exitnodes'};
	233	my $exitnodes_local_routing = $zone->{'exitnodes-local-routing'};
	234
	235	return if !$exitnodes_local_routing;
	236
	237	my $local_node = PVE::INotify::nodename();
	238	my $is_gateway = $exitnodes->{$local_node};
359796b0	239
3d135423 AD	240	return if !$is_gateway;
	241
	242	my $subnets = PVE::Network::SDN::Vnets::get_subnets($vnetid, 1);
	243	my @controller_config = ();
	244	foreach my $subnetid (sort keys %{$subnets}) {
	245	my $subnet = $subnets->{$subnetid};
	246	my $cidr = $subnet->{cidr};
	247	push @controller_config, "ip route $cidr 10.255.255.2 xvrf_$zoneid";
	248	}
	249	push(@{$config->{frr}->{''}}, @controller_config);
	250	}
	251
32602a38	252	sub on_delete_hook {
56cdcac9	253	my ($class, $controllerid, $zone_cfg) = @_;
32602a38	254
56cdcac9 AD	255	# verify that zone is associated to this controller
56cdcac9 AD	256	foreach my $id (keys %{$zone_cfg->{ids}}) {
92526f0e TL	257	my $zone = $zone_cfg->{ids}->{$id};
	258	die "controller $controllerid is used by $id"
	259	if (defined($zone->{controller}) && $zone->{controller} eq $controllerid);
5bda8607	260	}
32602a38 AD	261	}
	262
	263	sub on_update_hook {
56cdcac9	264	my ($class, $controllerid, $controller_cfg) = @_;
5bda8607	265
c7bb4ac5 AD	266	# we can only have 1 evpn controller / 1 asn by server
c7bb4ac5 AD	267
f23633dc	268	my $controllernb = 0;
56cdcac9 AD	269	foreach my $id (keys %{$controller_cfg->{ids}}) {
56cdcac9 AD	270	next if $id eq $controllerid;
92526f0e	271	my $controller = $controller_cfg->{ids}->{$id};
f23633dc AD	272	next if $controller->{type} ne "evpn";
	273	$controllernb++;
	274	die "only 1 global evpn controller can be defined" if $controllernb > 1;
	275	}
	276	}
	277
	278	sub find_bgp_controller {
	279	my ($nodename, $controller_cfg) = @_;
	280
	281	my $controller = undef;
	282	foreach my $id (keys %{$controller_cfg->{ids}}) {
	283	$controller = $controller_cfg->{ids}->{$id};
	284	next if $controller->{type} ne 'bgp';
	285	next if $controller->{node} ne $nodename;
	286	last;
5bda8607	287	}
f23633dc AD	288
f23633dc AD	289	return $controller;
32602a38 AD	290	}
32602a38 AD	291
f23633dc	292
8fb1ee7f AD	293	sub sort_frr_config {
	294	my $order = {};
	295	$order->{''} = 0;
	296	$order->{'vrf'} = 1;
	297	$order->{'ipv4 unicast'} = 1;
	298	$order->{'ipv6 unicast'} = 2;
	299	$order->{'l2vpn evpn'} = 3;
	300
	301	my $a_val = 100;
	302	my $b_val = 100;
	303
	304	$a_val = $order->{$a} if defined($order->{$a});
	305	$b_val = $order->{$b} if defined($order->{$b});
	306
92526f0e	307	if ($a =~ /bgp (\d+)$/) {
8fb1ee7f AD	308	$a_val = 2;
	309	}
	310
92526f0e	311	if ($b =~ /bgp (\d+)$/) {
8fb1ee7f AD	312	$b_val = 2;
	313	}
	314
	315	return $a_val <=> $b_val;
	316	}
	317
	318	sub generate_frr_recurse{
	319	my ($final_config, $content, $parentkey, $level) = @_;
	320
	321	my $keylist = {};
	322	$keylist->{vrf} = 1;
	323	$keylist->{'address-family'} = 1;
	324	$keylist->{router} = 1;
	325
	326	my $exitkeylist = {};
	327	$exitkeylist->{vrf} = 1;
	328	$exitkeylist->{'address-family'} = 1;
	329
32870bdc AD	330	my $simple_exitkeylist = {};
	331	$simple_exitkeylist->{router} = 1;
	332
92526f0e	333	# FIXME: make this generic
8fb1ee7f	334	my $paddinglevel = undef;
92526f0e TL	335	if ($level == 1 \|\| $level == 2) {
92526f0e TL	336	$paddinglevel = $level - 1;
8fb1ee7f	337	} elsif ($level == 3 \|\| $level == 4) {
92526f0e	338	$paddinglevel = $level - 2;
8fb1ee7f AD	339	}
	340
	341	my $padding = "";
	342	$padding = ' ' x ($paddinglevel) if $paddinglevel;
	343
92526f0e	344	if (ref $content eq 'HASH') {
8fb1ee7f AD	345	foreach my $key (sort sort_frr_config keys %$content) {
8fb1ee7f AD	346	if ($parentkey && defined($keylist->{$parentkey})) {
92526f0e TL	347	push @{$final_config}, $padding."!";
	348	push @{$final_config}, $padding."$parentkey $key";
	349	} elsif ($key ne '' && !defined($keylist->{$key})) {
	350	push @{$final_config}, $padding."$key";
8fb1ee7f AD	351	}
	352
	353	my $option = $content->{$key};
	354	generate_frr_recurse($final_config, $option, $key, $level+1);
	355
	356	push @{$final_config}, $padding."exit-$parentkey" if $parentkey && defined($exitkeylist->{$parentkey});
32870bdc	357	push @{$final_config}, $padding."exit" if $parentkey && defined($simple_exitkeylist->{$parentkey});
8fb1ee7f AD	358	}
8fb1ee7f AD	359	}
32602a38	360
8fb1ee7f	361	if (ref $content eq 'ARRAY') {
92526f0e	362	push @{$final_config}, map { $padding . "$_" } @$content;
8fb1ee7f AD	363	}
	364	}
	365
847f5144 AD	366	sub generate_frr_routemap {
	367	my ($final_config, $routemaps) = @_;
	368
	369	foreach my $id (sort keys %$routemaps) {
	370
	371	my $routemap = $routemaps->{$id};
	372	my $order = 0;
	373	foreach my $seq (@$routemap) {
	374	$order++;
916488cc	375	next if !defined($seq->{action});
847f5144 AD	376	my @config = ();
847f5144 AD	377	push @config, "!";
916488cc AD	378	push @config, "route-map $id $seq->{action} $order";
	379	my $rule = $seq->{rule};
	380	push @config, map { " $_" } @$rule;
847f5144	381	push @{$final_config}, @config;
32870bdc	382	push @{$final_config}, "exit";
847f5144 AD	383	}
	384	}
	385	}
78f249bc AD	386
	387	sub generate_frr_accesslist {
	388	my ($final_config, $accesslists) = @_;
	389
359796b0	390	my $config = [];
78f249bc AD	391
78f249bc AD	392	for my $id (sort keys %$accesslists) {
78f249bc AD	393	my $accesslist = $accesslists->{$id};
	394
	395	for my $seq (sort keys %$accesslist) {
	396	my $rule = $accesslist->{$seq};
359796b0	397	push @$config, "access-list $id seq $seq $rule";
78f249bc AD	398	}
	399	}
	400
359796b0 TL	401	if (@$config > 0) {
359796b0 TL	402	push @{$final_config}, "!", @$config;
78f249bc AD	403	}
	404	}
	405
9cef13e9	406	sub generate_controller_rawconfig {
8fb1ee7f AD	407	my ($class, $plugin_config, $config) = @_;
8fb1ee7f AD	408
659c27c2 AD	409	my $nodename = PVE::INotify::nodename();
659c27c2 AD	410
8fb1ee7f	411	my $final_config = [];
4bd3d7bf	412	push @{$final_config}, "frr version 8.2.2";
67a0f815	413	push @{$final_config}, "frr defaults datacenter";
659c27c2	414	push @{$final_config}, "hostname $nodename";
9c7dded6 AD	415	push @{$final_config}, "log syslog informational";
9c7dded6 AD	416	push @{$final_config}, "service integrated-vtysh-config";
8fb1ee7f AD	417	push @{$final_config}, "!";
8fb1ee7f AD	418
0d1ab7dc	419	if (-e "/etc/frr/frr.conf.local") {
cdf2c819	420	my $local_conf = file_get_contents("/etc/frr/frr.conf.local");
78f249bc	421	parse_merge_frr_local_config($config, $local_conf);
0d1ab7dc	422	}
8fb1ee7f	423
78f249bc AD	424	generate_frr_recurse($final_config, $config->{frr}, undef, 0);
	425	generate_frr_accesslist($final_config, $config->{frr_access_list});
	426	generate_frr_routemap($final_config, $config->{frr_routemap});
	427
8fb1ee7f AD	428	push @{$final_config}, "!";
	429	push @{$final_config}, "line vty";
	430	push @{$final_config}, "!";
	431
	432	my $rawconfig = join("\n", @{$final_config});
	433
9cef13e9 AD	434	return if !$rawconfig;
	435	return $rawconfig;
	436	}
	437
78f249bc AD	438	sub parse_merge_frr_local_config {
	439	my ($config, $local_conf) = @_;
	440
	441	my $section = \$config->{""};
	442	my $router = undef;
	443	my $routemap = undef;
	444	my $routemap_config = ();
	445	my $routemap_action = undef;
	446
	447	while ($local_conf =~ /^\s(.+?)\s$/gm) {
	448	my $line = $1;
	449	$line =~ s/^\s+\|\s+$//g;
	450
	451	if ($line =~ m/^router (.+)$/) {
	452	$router = $1;
	453	$section = \$config->{'frr'}->{'router'}->{$router}->{""};
	454	next;
	455	} elsif ($line =~ m/^vrf (.+)$/) {
	456	$section = \$config->{'frr'}->{'vrf'}->{$1};
	457	next;
	458	} elsif ($line =~ m/address-family (.+)$/) {
	459	$section = \$config->{'frr'}->{'router'}->{$router}->{'address-family'}->{$1};
	460	next;
	461	} elsif ($line =~ m/^route-map (.+) (permit\|deny) (\d+)/) {
	462	$routemap = $1;
	463	$routemap_config = ();
	464	$routemap_action = $2;
	465	$section = \$config->{'frr_routemap'}->{$routemap};
	466	next;
	467	} elsif ($line =~ m/^access-list (.+) seq (\d+) (.+)$/) {
	468	$config->{'frr_access_list'}->{$1}->{$2} = $3;
	469	next;
	470	} elsif($line =~ m/^exit-address-family$/) {
	471	next;
	472	} elsif($line =~ m/^exit$/) {
	473	if($router) {
	474	$section = \$config->{''};
	475	$router = undef;
	476	} elsif($routemap) {
	477	push(@{$$section}, { rule => $routemap_config, action => $routemap_action });
	478	$section = \$config->{''};
	479	$routemap = undef;
	480	$routemap_action = undef;
	481	$routemap_config = ();
	482	}
	483	next;
	484	} elsif($line =~ m/!/) {
	485	next;
	486	}
	487
	488	next if !$section;
	489	if($routemap) {
	490	push(@{$routemap_config}, $line);
	491	} else {
	492	push(@{$$section}, $line);
	493	}
	494	}
	495	}
	496
9cef13e9 AD	497	sub write_controller_config {
	498	my ($class, $plugin_config, $config) = @_;
	499
	500	my $rawconfig = $class->generate_controller_rawconfig($plugin_config, $config);
8fb1ee7f AD	501	return if !$rawconfig;
	502	return if !-d "/etc/frr";
	503
cdf2c819	504	file_set_contents("/etc/frr/frr.conf", $rawconfig);
8fb1ee7f AD	505	}
8fb1ee7f AD	506
fa609bdd AD	507	sub reload_controller {
	508	my ($class) = @_;
	509
	510	my $conf_file = "/etc/frr/frr.conf";
659c27c2 AD	511	my $bin_path = "/usr/lib/frr/frr-reload.py";
	512
	513	if (!-e $bin_path) {
	514	warn "missing $bin_path. Please install frr-pythontools package";
	515	return;
	516	}
fa609bdd AD	517
	518	my $err = sub {
	519	my $line = shift;
659c27c2 AD	520	if ($line =~ /ERROR:/) {
659c27c2 AD	521	warn "$line \n";
fa609bdd AD	522	}
	523	};
	524
	525	if (-e $conf_file && -e $bin_path) {
9c24bcc5 AD	526	eval {
	527	run_command([$bin_path, '--stdout', '--reload', $conf_file], outfunc => {}, errfunc => $err);
	528	};
	529	if ($@) {
	530	warn "frr reload command fail. Restarting frr.";
	531	eval { run_command(['systemctl', 'restart', 'frr']); };
	532	}
fa609bdd AD	533	}
	534	}
	535
8fb1ee7f	536	1;
32602a38	537
0589eb09	538