[pve-devel] [PATCH v2 pve-network 4/5] zones: evpn: fix arp-accept && ip-forward + ipv6 snat

Alexandre Derumier aderumier at odiso.com
Wed Apr 21 22:55:48 CEST 2021


These settings (arp-accept, ip-forward/ip6-forward and the SNAT rules, now including IPv6) were lost during the subnet rework; this restores them.

Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 PVE/Network/SDN/Zones/EvpnPlugin.pm           | 29 +++++++++---
 test/zones/evpn/ebgp/expected_sdn_interfaces  |  2 +
 .../ebgp_loopback/expected_sdn_interfaces     |  2 +
 .../evpn/exitnode/expected_sdn_interfaces     |  2 +
 .../exitnode_snat/expected_sdn_interfaces     | 25 +++++++++++
 test/zones/evpn/exitnode_snat/sdn_config      | 12 ++++-
 test/zones/evpn/ipv4/expected_sdn_interfaces  |  2 +
 .../evpn/ipv4ipv6/expected_controller_config  | 31 +++++++++++++
 .../evpn/ipv4ipv6/expected_sdn_interfaces     | 44 +++++++++++++++++++
 test/zones/evpn/ipv4ipv6/interfaces           |  7 +++
 test/zones/evpn/ipv4ipv6/sdn_config           | 32 ++++++++++++++
 .../evpn/ipv6/expected_controller_config      | 31 +++++++++++++
 test/zones/evpn/ipv6/expected_sdn_interfaces  | 42 ++++++++++++++++++
 test/zones/evpn/ipv6/interfaces               |  7 +++
 test/zones/evpn/ipv6/sdn_config               | 27 ++++++++++++
 15 files changed, 286 insertions(+), 9 deletions(-)
 create mode 100644 test/zones/evpn/ipv4ipv6/expected_controller_config
 create mode 100644 test/zones/evpn/ipv4ipv6/expected_sdn_interfaces
 create mode 100644 test/zones/evpn/ipv4ipv6/interfaces
 create mode 100644 test/zones/evpn/ipv4ipv6/sdn_config
 create mode 100644 test/zones/evpn/ipv6/expected_controller_config
 create mode 100644 test/zones/evpn/ipv6/expected_sdn_interfaces
 create mode 100644 test/zones/evpn/ipv6/interfaces
 create mode 100644 test/zones/evpn/ipv6/sdn_config

diff --git a/PVE/Network/SDN/Zones/EvpnPlugin.pm b/PVE/Network/SDN/Zones/EvpnPlugin.pm
index d68d3ee..8d5250c 100644
--- a/PVE/Network/SDN/Zones/EvpnPlugin.pm
+++ b/PVE/Network/SDN/Zones/EvpnPlugin.pm
@@ -9,6 +9,7 @@ use PVE::Tools qw($IPV4RE);
 use PVE::INotify;
 use PVE::Cluster;
 use PVE::Tools;
+use Net::IP;
 
 use PVE::Network::SDN::Controllers::EvpnPlugin;
 
@@ -59,8 +60,6 @@ sub generate_sdn_config {
 
     my $tag = $vnet->{tag};
     my $alias = $vnet->{alias};
-    my $ipv4 = $vnet->{ipv4};
-    my $ipv6 = $vnet->{ipv6};
     my $mac = $plugin_config->{'mac'};
 
     my $vrf_iface = "vrf_$zoneid";
@@ -95,6 +94,8 @@ sub generate_sdn_config {
     @iface_config = ();
 
     my $address = {};
+    my $ipv4 = undef;
+    my $ipv6 = undef;
     my $subnets = PVE::Network::SDN::Vnets::get_subnets($vnetid, 1);
     foreach my $subnetid (sort keys %{$subnets}) {
 	my $subnet = $subnets->{$subnetid};
@@ -107,19 +108,33 @@ sub generate_sdn_config {
 	    $address->{$gateway} = 1;
 	}
 
+        my $iptables = undef;
+        my $checkrouteip = undef;
+        my $ipversion = Net::IP::ip_is_ipv6($gateway) ? 6 : 4;
+
+	if ($ipversion == 6) {
+	    $ipv6 = 1;
+	    $iptables = "ip6tables";
+	    $checkrouteip = '2001:4860:4860::8888';
+	} else {
+	    $ipv4 = 1;
+	    $iptables = "iptables";
+	    $checkrouteip = '8.8.8.8';
+	}
+
 	if ($subnet->{snat}) {
 
 	    my $is_evpn_gateway = $plugin_config->{'exitnodes'}->{$local_node};
 
             #find outgoing interface
-            my ($outip, $outiface) = PVE::Network::SDN::Zones::Plugin::get_local_route_ip('8.8.8.8');
+            my ($outip, $outiface) = PVE::Network::SDN::Zones::Plugin::get_local_route_ip($checkrouteip);
             if ($outip && $outiface && $is_evpn_gateway) {
                 #use snat, faster than masquerade
-                push @iface_config, "post-up iptables -t nat -A POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip";
-                push @iface_config, "post-down iptables -t nat -D POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip";
+                push @iface_config, "post-up $iptables -t nat -A POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip";
+                push @iface_config, "post-down $iptables -t nat -D POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip";
                 #add conntrack zone once on outgoing interface
-                push @iface_config, "post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1";
-                push @iface_config, "post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1";
+                push @iface_config, "post-up $iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1";
+                push @iface_config, "post-down $iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1";
             }
         }
     }
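Review bot: The `$iptables -t nat` SNAT push can pair an ip6tables command with an IPv4 `--to-source`: `$outip` is whatever `get_local_route_ip($checkrouteip)` returns and nothing checks that its family matches `$ipversion` (the exitnode_snat fixture in this same patch expects `ip6tables ... --to-source 192.168.0.1`, which ip6tables rejects at load time), so guard the push with `if ($outip && $outiface && $is_evpn_gateway && (Net::IP::ip_is_ipv6($outip) ? 6 : 4) == $ipversion) {`. Separately, `$ipversion` is derived from `$gateway`, which the guarded assignment above suggests may be absent; an IPv6 subnet without a gateway would then be classified as IPv4 (with an uninitialized-value warning), whereas `my ($net) = split('/', $cidr); my $ipversion = Net::IP::ip_is_ipv6($net) ? 6 : 4;` classifies by the subnet itself, assuming `$cidr` is set earlier in the loop as its use in the SNAT rule implies. The hard-coded `8.8.8.8`/`2001:4860:4860::8888` probes also mean a gateway node with no IPv6 default route silently gets no IPv6 SNAT rule rather than an error. generate_sdn_config continues past this hunk.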
diff --git a/test/zones/evpn/ebgp/expected_sdn_interfaces b/test/zones/evpn/ebgp/expected_sdn_interfaces
index 6d2d3b6..4cf13e0 100644
--- a/test/zones/evpn/ebgp/expected_sdn_interfaces
+++ b/test/zones/evpn/ebgp/expected_sdn_interfaces
@@ -7,6 +7,8 @@ iface myvnet
 	bridge_stp off
 	bridge_fd 0
 	mtu 1450
+	ip-forward on
+	arp-accept on
 	vrf vrf_myzone
 
 auto vrf_myzone
diff --git a/test/zones/evpn/ebgp_loopback/expected_sdn_interfaces b/test/zones/evpn/ebgp_loopback/expected_sdn_interfaces
index 6d2d3b6..4cf13e0 100644
--- a/test/zones/evpn/ebgp_loopback/expected_sdn_interfaces
+++ b/test/zones/evpn/ebgp_loopback/expected_sdn_interfaces
@@ -7,6 +7,8 @@ iface myvnet
 	bridge_stp off
 	bridge_fd 0
 	mtu 1450
+	ip-forward on
+	arp-accept on
 	vrf vrf_myzone
 
 auto vrf_myzone
diff --git a/test/zones/evpn/exitnode/expected_sdn_interfaces b/test/zones/evpn/exitnode/expected_sdn_interfaces
index 6d2d3b6..4cf13e0 100644
--- a/test/zones/evpn/exitnode/expected_sdn_interfaces
+++ b/test/zones/evpn/exitnode/expected_sdn_interfaces
@@ -7,6 +7,8 @@ iface myvnet
 	bridge_stp off
 	bridge_fd 0
 	mtu 1450
+	ip-forward on
+	arp-accept on
 	vrf vrf_myzone
 
 auto vrf_myzone
diff --git a/test/zones/evpn/exitnode_snat/expected_sdn_interfaces b/test/zones/evpn/exitnode_snat/expected_sdn_interfaces
index e8093a2..a2a183e 100644
--- a/test/zones/evpn/exitnode_snat/expected_sdn_interfaces
+++ b/test/zones/evpn/exitnode_snat/expected_sdn_interfaces
@@ -11,6 +11,23 @@ iface myvnet
 	bridge_stp off
 	bridge_fd 0
 	mtu 1450
+	ip-forward on
+	arp-accept on
+	vrf vrf_myzone
+
+auto myvnet2
+iface myvnet2
+	address 2a08:2142:302:3::1/64
+	post-up ip6tables -t nat -A POSTROUTING -s '2a08:2142:302:3::/64' -o vmbr0 -j SNAT --to-source 192.168.0.1
+	post-down ip6tables -t nat -D POSTROUTING -s '2a08:2142:302:3::/64' -o vmbr0 -j SNAT --to-source 192.168.0.1
+	post-up ip6tables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
+	post-down ip6tables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
+	bridge_ports vxlan_myvnet2
+	bridge_stp off
+	bridge_fd 0
+	mtu 1450
+	ip6-forward on
+	arp-accept on
 	vrf vrf_myzone
 
 auto vrf_myzone
@@ -41,3 +58,11 @@ iface vxlan_myvnet
 	bridge-learning off
 	bridge-arp-nd-suppress on
 	mtu 1450
+
+auto vxlan_myvnet2
+iface vxlan_myvnet2
+	vxlan-id 200
+	vxlan-local-tunnelip 192.168.0.1
+	bridge-learning off
+	bridge-arp-nd-suppress on
+	mtu 1450
diff --git a/test/zones/evpn/exitnode_snat/sdn_config b/test/zones/evpn/exitnode_snat/sdn_config
index f40e8bd..35cdf5d 100644
--- a/test/zones/evpn/exitnode_snat/sdn_config
+++ b/test/zones/evpn/exitnode_snat/sdn_config
@@ -3,6 +3,7 @@
   vnets   => {
                ids => {
                         myvnet => { tag => "100", type => "vnet", zone => "myzone" },
+                        myvnet2 => { tag => "200", type => "vnet", zone => "myzone" },
                       },
              },
 
@@ -14,12 +15,19 @@
              },
 
   subnets => {
-              ids => { 'myzone-10.0.0.0-24' => {
+              ids => { 
+			'myzone-10.0.0.0-24' => {
 							'type' => 'subnet',
 							'vnet' => 'myvnet',
 							'gateway' => '10.0.0.1',
 							'snat' => 1
-						  }
+						  },
+                        'myzone-2a08:2142:302:3::-64' => {
+                                                        'type' => 'subnet',
+                                                        'vnet' => 'myvnet2',
+                                                        'gateway' => '2a08:2142:302:3::1',
+							'snat' => 1
+                                                  }
 		     }
 	     }
 }
diff --git a/test/zones/evpn/ipv4/expected_sdn_interfaces b/test/zones/evpn/ipv4/expected_sdn_interfaces
index e2d5a75..9d1c64c 100644
--- a/test/zones/evpn/ipv4/expected_sdn_interfaces
+++ b/test/zones/evpn/ipv4/expected_sdn_interfaces
@@ -8,6 +8,8 @@ iface myvnet
 	bridge_stp off
 	bridge_fd 0
 	mtu 1450
+	ip-forward on
+	arp-accept on
 	vrf vrf_myzone
 
 auto vrf_myzone
diff --git a/test/zones/evpn/ipv4ipv6/expected_controller_config b/test/zones/evpn/ipv4ipv6/expected_controller_config
new file mode 100644
index 0000000..c0ca898
--- /dev/null
+++ b/test/zones/evpn/ipv4ipv6/expected_controller_config
@@ -0,0 +1,31 @@
+log syslog informational
+ip forwarding
+ipv6 forwarding
+frr defaults datacenter
+service integrated-vtysh-config
+hostname localhost
+!
+!
+vrf vrf_myzone
+ vni 1000
+exit-vrf
+!
+router bgp 65000
+ bgp router-id 192.168.0.1
+ no bgp default ipv4-unicast
+ coalesce-time 1000
+ neighbor VTEP peer-group
+ neighbor VTEP remote-as 65000
+ neighbor VTEP bfd
+ neighbor 192.168.0.2 peer-group VTEP
+ neighbor 192.168.0.3 peer-group VTEP
+ !
+ address-family l2vpn evpn
+  neighbor VTEP activate
+  advertise-all-vni
+ exit-address-family
+!
+router bgp 65000 vrf vrf_myzone
+!
+line vty
+!
\ No newline at end of file
diff --git a/test/zones/evpn/ipv4ipv6/expected_sdn_interfaces b/test/zones/evpn/ipv4ipv6/expected_sdn_interfaces
new file mode 100644
index 0000000..7a5d741
--- /dev/null
+++ b/test/zones/evpn/ipv4ipv6/expected_sdn_interfaces
@@ -0,0 +1,44 @@
+#version:1
+
+auto myvnet
+iface myvnet
+	address 10.0.0.1/24
+	address 2a08:2142:302:3::1/64
+	hwaddress A2:1D:CB:1A:C0:8B
+	bridge_ports vxlan_myvnet
+	bridge_stp off
+	bridge_fd 0
+	mtu 1450
+	ip-forward on
+	ip6-forward on
+	arp-accept on
+	vrf vrf_myzone
+
+auto vrf_myzone
+iface vrf_myzone
+	vrf-table auto
+	post-up ip route add vrf vrf_myzone unreachable default metric 4278198272
+
+auto vrfbr_myzone
+iface vrfbr_myzone
+	bridge-ports vrfvx_myzone
+	bridge_stp off
+	bridge_fd 0
+	mtu 1450
+	vrf vrf_myzone
+
+auto vrfvx_myzone
+iface vrfvx_myzone
+	vxlan-id 1000
+	vxlan-local-tunnelip 192.168.0.1
+	bridge-learning off
+	bridge-arp-nd-suppress on
+	mtu 1450
+
+auto vxlan_myvnet
+iface vxlan_myvnet
+	vxlan-id 100
+	vxlan-local-tunnelip 192.168.0.1
+	bridge-learning off
+	bridge-arp-nd-suppress on
+	mtu 1450
diff --git a/test/zones/evpn/ipv4ipv6/interfaces b/test/zones/evpn/ipv4ipv6/interfaces
new file mode 100644
index 0000000..66bb826
--- /dev/null
+++ b/test/zones/evpn/ipv4ipv6/interfaces
@@ -0,0 +1,7 @@
+auto vmbr0
+iface vmbr0 inet static
+	address 192.168.0.1/24
+	gateway 192.168.0.254
+        bridge-ports eth0
+        bridge-stp off
+        bridge-fd 0
diff --git a/test/zones/evpn/ipv4ipv6/sdn_config b/test/zones/evpn/ipv4ipv6/sdn_config
new file mode 100644
index 0000000..4583818
--- /dev/null
+++ b/test/zones/evpn/ipv4ipv6/sdn_config
@@ -0,0 +1,32 @@
+{
+  version => 1,
+  vnets   => {
+               ids => {
+                        myvnet => { tag => "100", type => "vnet", zone => "myzone" },
+                      },
+             },
+
+  zones   => {
+               ids => { myzone => { ipam => "pve", type => "evpn", controller => "evpnctl", 'vrf-vxlan' => 1000, 'mac' => 'A2:1D:CB:1A:C0:8B' } },
+             },
+  controllers  => {
+               ids => { evpnctl => { type => "evpn", 'peers' => '192.168.0.1,192.168.0.2,192.168.0.3', asn => "65000" } },
+             },
+
+  subnets => {
+              ids => { 
+			'myzone-10.0.0.0-24' => {
+							'type' => 'subnet',
+							'vnet' => 'myvnet',
+							'gateway' => '10.0.0.1',
+						  },
+		        'myzone-2a08:2142:302:3::-64' => {
+							'type' => 'subnet',
+							'vnet' => 'myvnet',
+							'gateway' => '2a08:2142:302:3::1',
+						  }
+		     }
+	     }
+}
+
+
diff --git a/test/zones/evpn/ipv6/expected_controller_config b/test/zones/evpn/ipv6/expected_controller_config
new file mode 100644
index 0000000..c0ca898
--- /dev/null
+++ b/test/zones/evpn/ipv6/expected_controller_config
@@ -0,0 +1,31 @@
+log syslog informational
+ip forwarding
+ipv6 forwarding
+frr defaults datacenter
+service integrated-vtysh-config
+hostname localhost
+!
+!
+vrf vrf_myzone
+ vni 1000
+exit-vrf
+!
+router bgp 65000
+ bgp router-id 192.168.0.1
+ no bgp default ipv4-unicast
+ coalesce-time 1000
+ neighbor VTEP peer-group
+ neighbor VTEP remote-as 65000
+ neighbor VTEP bfd
+ neighbor 192.168.0.2 peer-group VTEP
+ neighbor 192.168.0.3 peer-group VTEP
+ !
+ address-family l2vpn evpn
+  neighbor VTEP activate
+  advertise-all-vni
+ exit-address-family
+!
+router bgp 65000 vrf vrf_myzone
+!
+line vty
+!
\ No newline at end of file
diff --git a/test/zones/evpn/ipv6/expected_sdn_interfaces b/test/zones/evpn/ipv6/expected_sdn_interfaces
new file mode 100644
index 0000000..b2bdbfe
--- /dev/null
+++ b/test/zones/evpn/ipv6/expected_sdn_interfaces
@@ -0,0 +1,42 @@
+#version:1
+
+auto myvnet
+iface myvnet
+	address 2a08:2142:302:3::1/64
+	hwaddress A2:1D:CB:1A:C0:8B
+	bridge_ports vxlan_myvnet
+	bridge_stp off
+	bridge_fd 0
+	mtu 1450
+	ip6-forward on
+	arp-accept on
+	vrf vrf_myzone
+
+auto vrf_myzone
+iface vrf_myzone
+	vrf-table auto
+	post-up ip route add vrf vrf_myzone unreachable default metric 4278198272
+
+auto vrfbr_myzone
+iface vrfbr_myzone
+	bridge-ports vrfvx_myzone
+	bridge_stp off
+	bridge_fd 0
+	mtu 1450
+	vrf vrf_myzone
+
+auto vrfvx_myzone
+iface vrfvx_myzone
+	vxlan-id 1000
+	vxlan-local-tunnelip 192.168.0.1
+	bridge-learning off
+	bridge-arp-nd-suppress on
+	mtu 1450
+
+auto vxlan_myvnet
+iface vxlan_myvnet
+	vxlan-id 100
+	vxlan-local-tunnelip 192.168.0.1
+	bridge-learning off
+	bridge-arp-nd-suppress on
+	mtu 1450
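Review bot: The VRF in this IPv6-only fixture gets only an IPv4 catch-all, `post-up ip route add vrf vrf_myzone unreachable default metric 4278198272`, and no IPv6 counterpart. Unless ifupdown2's vrf module installs the IPv6 unreachable default itself for `vrf-table auto` (worth verifying for the shipped version), an IPv6 destination with no route in vrf_myzone falls through to the main routing table instead of being dropped, which defeats the isolation the IPv4 rule exists to enforce. If the generator does not already do so, emit `post-up ip -6 route add vrf vrf_myzone unreachable default metric 4278198272` whenever an IPv6 subnet is present and expect it here and in the ipv4ipv6 fixture.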
diff --git a/test/zones/evpn/ipv6/interfaces b/test/zones/evpn/ipv6/interfaces
new file mode 100644
index 0000000..66bb826
--- /dev/null
+++ b/test/zones/evpn/ipv6/interfaces
@@ -0,0 +1,7 @@
+auto vmbr0
+iface vmbr0 inet static
+	address 192.168.0.1/24
+	gateway 192.168.0.254
+        bridge-ports eth0
+        bridge-stp off
+        bridge-fd 0
diff --git a/test/zones/evpn/ipv6/sdn_config b/test/zones/evpn/ipv6/sdn_config
new file mode 100644
index 0000000..949e886
--- /dev/null
+++ b/test/zones/evpn/ipv6/sdn_config
@@ -0,0 +1,27 @@
+{
+  version => 1,
+  vnets   => {
+               ids => {
+                        myvnet => { tag => "100", type => "vnet", zone => "myzone" },
+                      },
+             },
+
+  zones   => {
+               ids => { myzone => { ipam => "pve", type => "evpn", controller => "evpnctl", 'vrf-vxlan' => 1000, 'mac' => 'A2:1D:CB:1A:C0:8B' } },
+             },
+  controllers  => {
+               ids => { evpnctl => { type => "evpn", 'peers' => '192.168.0.1,192.168.0.2,192.168.0.3', asn => "65000" } },
+             },
+
+  subnets => {
+              ids => { 
+		        'myzone-2a08:2142:302:3::-64' => {
+							'type' => 'subnet',
+							'vnet' => 'myvnet',
+							'gateway' => '2a08:2142:302:3::1',
+						  }
+		     }
+	     }
+}
+
+
-- 
2.20.1




