diff --git a/interface-definitions/interfaces_vxlan.xml.in b/interface-definitions/interfaces_vxlan.xml.in index 504c08e7e..937acb123 100644 --- a/interface-definitions/interfaces_vxlan.xml.in +++ b/interface-definitions/interfaces_vxlan.xml.in @@ -1,133 +1,153 @@ <?xml version="1.0"?> <interfaceDefinition> <node name="interfaces"> <children> <tagNode name="vxlan" owner="${vyos_conf_scripts_dir}/interfaces_vxlan.py"> <properties> <help>Virtual Extensible LAN (VXLAN) Interface</help> <priority>460</priority> <constraint> <regex>vxlan[0-9]+</regex> </constraint> <constraintErrorMessage>VXLAN interface must be named vxlanN</constraintErrorMessage> <valueHelp> <format>vxlanN</format> <description>VXLAN interface name</description> </valueHelp> </properties> <children> #include <include/interface/address-ipv4-ipv6.xml.i> #include <include/generic-description.xml.i> #include <include/interface/disable.xml.i> <leafNode name="gpe"> <properties> <help>Enable Generic Protocol extension (VXLAN-GPE)</help> <valueless/> </properties> </leafNode> <leafNode name="group"> <properties> <help>Multicast group address for VXLAN interface</help> <valueHelp> <format>ipv4</format> <description>Multicast IPv4 group address</description> </valueHelp> <valueHelp> <format>ipv6</format> <description>Multicast IPv6 group address</description> </valueHelp> <constraint> <validator name="ipv4-multicast"/> <validator name="ipv6-multicast"/> </constraint> <constraintErrorMessage>Multicast IPv4/IPv6 address required</constraintErrorMessage> </properties> </leafNode> #include <include/interface/ipv4-options.xml.i> #include <include/interface/ipv6-options.xml.i> #include <include/interface/mac.xml.i> #include <include/interface/mtu-1200-16000.xml.i> #include <include/interface/mirror.xml.i> <node name="parameters"> <properties> <help>VXLAN tunnel parameters</help> </properties> <children> <node name="ip"> <properties> <help>IPv4 specific tunnel parameters</help> </properties> <children> #include <include/interface/parameters-df.xml.i> #include <include/interface/parameters-tos.xml.i> #include <include/interface/parameters-ttl.xml.i> <leafNode name="ttl"> <defaultValue>16</defaultValue> </leafNode> </children> </node> <node name="ipv6"> <properties> <help>IPv6 specific tunnel parameters</help> </properties> <children> #include <include/interface/parameters-flowlabel.xml.i> </children> </node> <leafNode name="external"> <properties> <help>Use external control plane</help> <valueless/> </properties> </leafNode> <leafNode name="nolearning"> <properties> <help>Do not add unknown addresses into forwarding database</help> <valueless/> </properties> </leafNode> <leafNode name="neighbor-suppress"> <properties> <help>Enable neighbor discovery (ARP and ND) suppression</help> <valueless/> </properties> </leafNode> <leafNode name="vni-filter"> <properties> <help>Enable VNI filter support</help> <valueless/> </properties> </leafNode> </children> </node> #include <include/port-number.xml.i> <leafNode name="port"> <defaultValue>4789</defaultValue> </leafNode> #include <include/source-address-ipv4-ipv6.xml.i> #include <include/source-interface.xml.i> #include <include/interface/tunnel-remote-multi.xml.i> #include <include/interface/redirect.xml.i> #include <include/interface/vrf.xml.i> #include <include/vni.xml.i> <tagNode name="vlan-to-vni"> <properties> <help>Configuring VLAN-to-VNI mappings for EVPN-VXLAN</help> <valueHelp> <format>u32:0-4094</format> <description>Virtual Local Area Network (VLAN) ID</description> </valueHelp> + <valueHelp> + <format><start-end></format> + <description>VLAN IDs range (use '-' as delimiter)</description> + </valueHelp> <constraint> - <validator name="numeric" argument="--range 0-4094"/> + <validator name="numeric" argument="--allow-range --range 0-4094"/> </constraint> - <constraintErrorMessage>VLAN ID must be between 0 and 4094</constraintErrorMessage> + <constraintErrorMessage>Not a valid VLAN ID or range, VLAN ID must be between 0 and 4094</constraintErrorMessage> </properties> <children> - #include <include/vni.xml.i> + <leafNode name="vni"> + <properties> + <help>Virtual Network Identifier</help> + <valueHelp> + <format>u32:0-16777214</format> + <description>VXLAN virtual network identifier</description> + </valueHelp> + <valueHelp> + <format><start-end></format> + <description>VXLAN virtual network IDs range (use '-' as delimiter)</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--allow-range --range 0-16777214"/> + </constraint> + <constraintErrorMessage>Not a valid VXLAN virtual network ID or range</constraintErrorMessage> + </properties> + </leafNode> </children> - </tagNode> + </tagNode> </children> </tagNode> </children> </node> </interfaceDefinition> diff --git a/python/vyos/ifconfig/vxlan.py b/python/vyos/ifconfig/vxlan.py index 918aea202..1023c58d1 100644 --- a/python/vyos/ifconfig/vxlan.py +++ b/python/vyos/ifconfig/vxlan.py @@ -1,197 +1,211 @@ # Copyright 2019-2024 VyOS maintainers and contributors <maintainers@vyos.io> # # This library is free software; you can redistribute it and/or # modify it under the terms of the GNU Lesser General Public # License as published by the Free Software Foundation; either # version 2.1 of the License, or (at your option) any later version. # # This library is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public # License along with this library. If not, see <http://www.gnu.org/licenses/>. from vyos.configdict import list_diff from vyos.ifconfig import Interface from vyos.utils.assertion import assert_list from vyos.utils.dict import dict_search from vyos.utils.network import get_interface_config from vyos.utils.network import get_vxlan_vlan_tunnels from vyos.utils.network import get_vxlan_vni_filter @Interface.register class VXLANIf(Interface): """ The VXLAN protocol is a tunnelling protocol designed to solve the problem of limited VLAN IDs (4096) in IEEE 802.1q. With VXLAN the size of the identifier is expanded to 24 bits (16777216). VXLAN is described by IETF RFC 7348, and has been implemented by a number of vendors. The protocol runs over UDP using a single destination port. This document describes the Linux kernel tunnel device, there is also a separate implementation of VXLAN for Openvswitch. Unlike most tunnels, a VXLAN is a 1 to N network, not just point to point. A VXLAN device can learn the IP address of the other endpoint either dynamically in a manner similar to a learning bridge, or make use of statically-configured forwarding entries. For more information please refer to: https://www.kernel.org/doc/Documentation/networking/vxlan.txt """ iftype = 'vxlan' definition = { **Interface.definition, **{ 'section': 'vxlan', 'prefixes': ['vxlan', ], 'bridgeable': True, } } _command_set = {**Interface._command_set, **{ 'neigh_suppress': { 'validate': lambda v: assert_list(v, ['on', 'off']), 'shellcmd': 'bridge link set dev {ifname} neigh_suppress {value} learning off', }, 'vlan_tunnel': { 'validate': lambda v: assert_list(v, ['on', 'off']), 'shellcmd': 'bridge link set dev {ifname} vlan_tunnel {value}', }, }} def _create(self): # This table represents a mapping from VyOS internal config dict to # arguments used by iproute2. For more information please refer to: # - https://man7.org/linux/man-pages/man8/ip-link.8.html mapping = { 'group' : 'group', 'gpe' : 'gpe', 'parameters.external' : 'external', 'parameters.ip.df' : 'df', 'parameters.ip.tos' : 'tos', 'parameters.ip.ttl' : 'ttl', 'parameters.ipv6.flowlabel' : 'flowlabel', 'parameters.nolearning' : 'nolearning', 'parameters.vni_filter' : 'vnifilter', 'remote' : 'remote', 'source_address' : 'local', 'source_interface' : 'dev', 'vni' : 'id', } # IPv6 flowlabels can only be used on IPv6 tunnels, thus we need to # ensure that at least the first remote IP address is passed to the # tunnel creation command. Subsequent tunnel remote addresses can later # be added to the FDB remote_list = None if 'remote' in self.config: # skip first element as this is already configured as remote remote_list = self.config['remote'][1:] self.config['remote'] = self.config['remote'][0] cmd = 'ip link add {ifname} type {type} dstport {port}' for vyos_key, iproute2_key in mapping.items(): # dict_search will return an empty dict "{}" for valueless nodes like # "parameters.nolearning" - thus we need to test the nodes existence # by using isinstance() tmp = dict_search(vyos_key, self.config) if isinstance(tmp, dict): cmd += f' {iproute2_key}' elif tmp != None: cmd += f' {iproute2_key} {tmp}' self._cmd(cmd.format(**self.config)) # interface is always A/D down. It needs to be enabled explicitly self.set_admin_state('down') # VXLAN tunnel is always recreated on any change - see interfaces_vxlan.py if remote_list: for remote in remote_list: cmd = f'bridge fdb append to 00:00:00:00:00:00 dst {remote} ' \ 'port {port} dev {ifname}' self._cmd(cmd.format(**self.config)) def set_neigh_suppress(self, state): """ Controls whether neigh discovery (arp and nd) proxy and suppression is enabled on the port. By default this flag is off. """ # Determine current OS Kernel neigh_suppress setting - only adjust when needed tmp = get_interface_config(self.ifname) cur_state = 'on' if dict_search(f'linkinfo.info_slave_data.neigh_suppress', tmp) == True else 'off' new_state = 'on' if state else 'off' if cur_state != new_state: self.set_interface('neigh_suppress', state) def set_vlan_vni_mapping(self, state): """ Controls whether vlan to tunnel mapping is enabled on the port. By default this flag is off. """ + def range_to_dict(vlan_to_vni): + """ Converts dict of ranges to dict """ + result_dict = {} + for vlan, vlan_conf in vlan_to_vni.items(): + vni = vlan_conf['vni'] + vlan_range, vni_range = vlan.split('-'), vni.split('-') + if len(vlan_range) > 1: + vlan_range = range(int(vlan_range[0]), int(vlan_range[1]) + 1) + vni_range = range(int(vni_range[0]), int(vni_range[1]) + 1) + dict_to_add = {str(k): {'vni': str(v)} for k, v in zip(vlan_range, vni_range)} + result_dict.update(dict_to_add) + return result_dict + if not isinstance(state, bool): raise ValueError('Value out of range') if 'vlan_to_vni_removed' in self.config: cur_vni_filter = None if dict_search('parameters.vni_filter', self.config) != None: cur_vni_filter = get_vxlan_vni_filter(self.ifname) - for vlan, vlan_config in self.config['vlan_to_vni_removed'].items(): + for vlan, vlan_config in range_to_dict(self.config['vlan_to_vni_removed']).items(): # If VNI filtering is enabled, remove matching VNI filter if cur_vni_filter != None: vni = vlan_config['vni'] if vni in cur_vni_filter: self._cmd(f'bridge vni delete dev {self.ifname} vni {vni}') self._cmd(f'bridge vlan del dev {self.ifname} vid {vlan}') # Determine current OS Kernel vlan_tunnel setting - only adjust when needed tmp = get_interface_config(self.ifname) cur_state = 'on' if dict_search(f'linkinfo.info_slave_data.vlan_tunnel', tmp) == True else 'off' new_state = 'on' if state else 'off' if cur_state != new_state: self.set_interface('vlan_tunnel', new_state) if 'vlan_to_vni' in self.config: # Determine current OS Kernel configured VLANs + vlan_vni_mapping = range_to_dict(self.config['vlan_to_vni']) os_configured_vlan_ids = get_vxlan_vlan_tunnels(self.ifname) - add_vlan = list_diff(list(self.config['vlan_to_vni'].keys()), os_configured_vlan_ids) + add_vlan = list_diff(list(vlan_vni_mapping.keys()), os_configured_vlan_ids) - for vlan, vlan_config in self.config['vlan_to_vni'].items(): + for vlan, vlan_config in vlan_vni_mapping.items(): # VLAN mapping already exists - skip if vlan not in add_vlan: continue vni = vlan_config['vni'] # The following commands must be run one after another, # they can not be combined with linux 6.1 and iproute2 6.1 self._cmd(f'bridge vlan add dev {self.ifname} vid {vlan}') self._cmd(f'bridge vlan add dev {self.ifname} vid {vlan} tunnel_info id {vni}') # If VNI filtering is enabled, install matching VNI filter if dict_search('parameters.vni_filter', self.config) != None: self._cmd(f'bridge vni add dev {self.ifname} vni {vni}') def update(self, config): """ General helper function which works on a dictionary retrived by get_config_dict(). It's main intention is to consolidate the scattered interface setup code and provide a single point of entry when workin on any interface. """ # call base class last super().update(config) # Enable/Disable VLAN tunnel mapping # This is only possible after the interface was assigned to the bridge self.set_vlan_vni_mapping(dict_search('vlan_to_vni', config) != None) # Enable/Disable neighbor suppression and learning, there is no need to # explicitly "disable" it, as VXLAN interface will be recreated if anything # under "parameters" changes. if dict_search('parameters.neighbor_suppress', config) != None: self.set_neigh_suppress('on') diff --git a/smoketest/scripts/cli/test_interfaces_vxlan.py b/smoketest/scripts/cli/test_interfaces_vxlan.py index 18676491b..b2076b43b 100755 --- a/smoketest/scripts/cli/test_interfaces_vxlan.py +++ b/smoketest/scripts/cli/test_interfaces_vxlan.py @@ -1,319 +1,366 @@ #!/usr/bin/env python3 # # Copyright (C) 2020-2023 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import unittest from vyos.configsession import ConfigSessionError from vyos.ifconfig import Interface from vyos.ifconfig import Section from vyos.utils.network import get_bridge_fdb from vyos.utils.network import get_interface_config from vyos.utils.network import interface_exists from vyos.utils.network import get_vxlan_vlan_tunnels from vyos.utils.network import get_vxlan_vni_filter from vyos.template import is_ipv6 from base_interfaces_test import BasicInterfaceTest +def convert_to_list(ranges_to_convert): + result_list = [] + for r in ranges_to_convert: + ranges = r.split('-') + result_list.extend([str(i) for i in range(int(ranges[0]), int(ranges[1]) + 1)]) + return result_list + class VXLANInterfaceTest(BasicInterfaceTest.TestCase): @classmethod def setUpClass(cls): cls._base_path = ['interfaces', 'vxlan'] cls._options = { 'vxlan10': ['vni 10', 'remote 127.0.0.2'], 'vxlan20': ['vni 20', 'group 239.1.1.1', 'source-interface eth0', 'mtu 1450'], 'vxlan30': ['vni 30', 'remote 2001:db8:2000::1', 'source-address 2001:db8:1000::1', 'parameters ipv6 flowlabel 0x1000'], 'vxlan40': ['vni 40', 'remote 127.0.0.2', 'remote 127.0.0.3'], 'vxlan50': ['vni 50', 'remote 2001:db8:2000::1', 'remote 2001:db8:2000::2', 'parameters ipv6 flowlabel 0x1000'], } cls._interfaces = list(cls._options) cls._mtu = '1450' # call base-classes classmethod super(VXLANInterfaceTest, cls).setUpClass() def test_vxlan_parameters(self): tos = '40' ttl = 20 for intf in self._interfaces: for option in self._options.get(intf, []): self.cli_set(self._base_path + [intf] + option.split()) self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'df', 'set']) self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'tos', tos]) self.cli_set(self._base_path + [intf, 'parameters', 'ip', 'ttl', str(ttl)]) ttl += 10 self.cli_commit() ttl = 20 for interface in self._interfaces: options = get_interface_config(interface) bridge = get_bridge_fdb(interface) vni = options['linkinfo']['info_data']['id'] self.assertIn(f'vni {vni}', self._options[interface]) if any('source-interface' in s for s in self._options[interface]): link = options['linkinfo']['info_data']['link'] self.assertIn(f'source-interface {link}', self._options[interface]) # Verify source-address setting was properly configured on the Kernel if any('source-address' in s for s in self._options[interface]): for s in self._options[interface]: if 'source-address' in s: address = s.split()[-1] if is_ipv6(address): tmp = options['linkinfo']['info_data']['local6'] else: tmp = options['linkinfo']['info_data']['local'] self.assertIn(f'source-address {tmp}', self._options[interface]) # Verify remote setting was properly configured on the Kernel if any('remote' in s for s in self._options[interface]): for s in self._options[interface]: if 'remote' in s: for fdb in bridge: if 'mac' in fdb and fdb['mac'] == '00:00:00:00:00:00': remote = fdb['dst'] self.assertIn(f'remote {remote}', self._options[interface]) if any('group' in s for s in self._options[interface]): group = options['linkinfo']['info_data']['group'] self.assertIn(f'group {group}', self._options[interface]) if any('flowlabel' in s for s in self._options[interface]): label = options['linkinfo']['info_data']['label'] self.assertIn(f'parameters ipv6 flowlabel {label}', self._options[interface]) if any('external' in s for s in self._options[interface]): self.assertTrue(options['linkinfo']['info_data']['external']) self.assertEqual('vxlan', options['linkinfo']['info_kind']) self.assertEqual('set', options['linkinfo']['info_data']['df']) self.assertEqual(f'0x{tos}', options['linkinfo']['info_data']['tos']) self.assertEqual(ttl, options['linkinfo']['info_data']['ttl']) self.assertEqual(Interface(interface).get_admin_state(), 'up') ttl += 10 def test_vxlan_external(self): interface = 'vxlan0' source_address = '192.0.2.1' self.cli_set(self._base_path + [interface, 'parameters', 'external']) self.cli_set(self._base_path + [interface, 'source-address', source_address]) # Both 'VNI' and 'external' can not be specified at the same time. self.cli_set(self._base_path + [interface, 'vni', '111']) with self.assertRaises(ConfigSessionError): self.cli_commit() self.cli_delete(self._base_path + [interface, 'vni']) # Now add some more interfaces - this must fail and a CLI error needs # to be generated as Linux can only handle one VXLAN tunnel when using # external mode. for intf in self._interfaces: for option in self._options.get(intf, []): self.cli_set(self._base_path + [intf] + option.split()) with self.assertRaises(ConfigSessionError): self.cli_commit() # Remove those test interfaces again for intf in self._interfaces: self.cli_delete(self._base_path + [intf]) self.cli_commit() options = get_interface_config(interface) self.assertTrue(options['linkinfo']['info_data']['external']) self.assertEqual('vxlan', options['linkinfo']['info_kind']) def test_vxlan_vlan_vni_mapping(self): bridge = 'br0' interface = 'vxlan0' source_address = '192.0.2.99' vlan_to_vni = { '10': '10010', '11': '10011', '12': '10012', '13': '10013', '20': '10020', '30': '10030', '31': '10031', } + vlan_to_vni_ranges = { + '40-43': '10040-10043', + '45-47': '10045-10047' + } + self.cli_set(self._base_path + [interface, 'parameters', 'external']) self.cli_set(self._base_path + [interface, 'source-address', source_address]) for vlan, vni in vlan_to_vni.items(): self.cli_set(self._base_path + [interface, 'vlan-to-vni', vlan, 'vni', vni]) # This must fail as this VXLAN interface is not associated with any bridge with self.assertRaises(ConfigSessionError): self.cli_commit() self.cli_set(['interfaces', 'bridge', bridge, 'member', 'interface', interface]) # It is not allowed to use duplicate VNIs self.cli_set(self._base_path + [interface, 'vlan-to-vni', '11', 'vni', vlan_to_vni['10']]) with self.assertRaises(ConfigSessionError): self.cli_commit() # restore VLAN - VNI mappings for vlan, vni in vlan_to_vni.items(): self.cli_set(self._base_path + [interface, 'vlan-to-vni', vlan, 'vni', vni]) # commit configuration self.cli_commit() self.assertTrue(interface_exists(bridge)) self.assertTrue(interface_exists(interface)) tmp = get_interface_config(interface) self.assertEqual(tmp['master'], bridge) self.assertFalse(tmp['linkinfo']['info_slave_data']['neigh_suppress']) tmp = get_vxlan_vlan_tunnels('vxlan0') self.assertEqual(tmp, list(vlan_to_vni)) + # add ranged VLAN - VNI mapping + for vlan, vni in vlan_to_vni_ranges.items(): + self.cli_set(self._base_path + [interface, 'vlan-to-vni', vlan, 'vni', vni]) + self.cli_commit() + + tmp = get_vxlan_vlan_tunnels('vxlan0') + vlans_list = convert_to_list(vlan_to_vni_ranges.keys()) + self.assertEqual(tmp, list(vlan_to_vni) + vlans_list) + + # check validate() - cannot map VNI range to a single VLAN id + self.cli_set(self._base_path + [interface, 'vlan-to-vni', '100', 'vni', '100-102']) + with self.assertRaises(ConfigSessionError): + self.cli_commit() + self.cli_delete(self._base_path + [interface, 'vlan-to-vni', '100']) + + # check validate() - cannot map VLAN to VNI with different ranges + self.cli_set(self._base_path + [interface, 'vlan-to-vni', '100-102', 'vni', '100-105']) + with self.assertRaises(ConfigSessionError): + self.cli_commit() + self.cli_delete(['interfaces', 'bridge', bridge]) def test_vxlan_neighbor_suppress(self): bridge = 'br555' interface = 'vxlan555' source_interface = 'dum0' self.cli_set(['interfaces', Section.section(source_interface), source_interface, 'mtu', '9000']) self.cli_set(self._base_path + [interface, 'parameters', 'external']) self.cli_set(self._base_path + [interface, 'source-interface', source_interface]) self.cli_set(self._base_path + [interface, 'parameters', 'neighbor-suppress']) # This must fail as this VXLAN interface is not associated with any bridge with self.assertRaises(ConfigSessionError): self.cli_commit() self.cli_set(['interfaces', 'bridge', bridge, 'member', 'interface', interface]) # commit configuration self.cli_commit() self.assertTrue(interface_exists(bridge)) self.assertTrue(interface_exists(interface)) tmp = get_interface_config(interface) self.assertEqual(tmp['master'], bridge) self.assertTrue(tmp['linkinfo']['info_slave_data']['neigh_suppress']) self.assertFalse(tmp['linkinfo']['info_slave_data']['learning']) # Remove neighbor suppress configuration and re-test self.cli_delete(self._base_path + [interface, 'parameters', 'neighbor-suppress']) # commit configuration self.cli_commit() tmp = get_interface_config(interface) self.assertEqual(tmp['master'], bridge) self.assertFalse(tmp['linkinfo']['info_slave_data']['neigh_suppress']) self.assertTrue(tmp['linkinfo']['info_slave_data']['learning']) self.cli_delete(['interfaces', 'bridge', bridge]) self.cli_delete(['interfaces', Section.section(source_interface), source_interface]) def test_vxlan_vni_filter(self): interfaces = ['vxlan987', 'vxlan986', 'vxlan985'] source_address = '192.0.2.77' for interface in interfaces: self.cli_set(self._base_path + [interface, 'parameters', 'external']) self.cli_set(self._base_path + [interface, 'source-address', source_address]) # This must fail as there can only be one "external" VXLAN device unless "vni-filter" is defined with self.assertRaises(ConfigSessionError): self.cli_commit() # Enable "vni-filter" on the first VXLAN interface self.cli_set(self._base_path + [interfaces[0], 'parameters', 'vni-filter']) # This must fail as if it's enabled on one VXLAN interface, it must be enabled on all # VXLAN interfaces with self.assertRaises(ConfigSessionError): self.cli_commit() for interface in interfaces: self.cli_set(self._base_path + [interface, 'parameters', 'vni-filter']) # commit configuration self.cli_commit() for interface in interfaces: self.assertTrue(interface_exists(interface)) tmp = get_interface_config(interface) self.assertTrue(tmp['linkinfo']['info_data']['vnifilter']) def test_vxlan_vni_filter_add_remove(self): interface = 'vxlan987' source_address = '192.0.2.66' bridge = 'br0' self.cli_set(self._base_path + [interface, 'parameters', 'external']) self.cli_set(self._base_path + [interface, 'source-address', source_address]) self.cli_set(self._base_path + [interface, 'parameters', 'vni-filter']) # commit configuration self.cli_commit() # Check if VXLAN interface got created self.assertTrue(interface_exists(interface)) # VNI filter configured? tmp = get_interface_config(interface) self.assertTrue(tmp['linkinfo']['info_data']['vnifilter']) # Now create some VLAN mappings and VNI filter vlan_to_vni = { '50': '10050', '51': '10051', '52': '10052', '53': '10053', '54': '10054', '60': '10060', '69': '10069', } + + vlan_to_vni_ranges = { + '70-73': '10070-10073', + '75-77': '10075-10077' + } + for vlan, vni in vlan_to_vni.items(): self.cli_set(self._base_path + [interface, 'vlan-to-vni', vlan, 'vni', vni]) # we need a bridge ... self.cli_set(['interfaces', 'bridge', bridge, 'member', 'interface', interface]) # commit configuration self.cli_commit() # All VNIs configured? tmp = get_vxlan_vni_filter(interface) self.assertListEqual(list(vlan_to_vni.values()), tmp) # # Delete a VLAN mappings and check if all VNIs are properly set up # vlan_to_vni.popitem() self.cli_delete(self._base_path + [interface, 'vlan-to-vni']) for vlan, vni in vlan_to_vni.items(): self.cli_set(self._base_path + [interface, 'vlan-to-vni', vlan, 'vni', vni]) # commit configuration self.cli_commit() # All VNIs configured? tmp = get_vxlan_vni_filter(interface) self.assertListEqual(list(vlan_to_vni.values()), tmp) + # add ranged VLAN - VNI mapping + for vlan, vni in vlan_to_vni_ranges.items(): + self.cli_set(self._base_path + [interface, 'vlan-to-vni', vlan, 'vni', vni]) + self.cli_commit() + + tmp = get_vxlan_vni_filter(interface) + vnis_list = convert_to_list(vlan_to_vni_ranges.values()) + self.assertListEqual(list(vlan_to_vni.values()) + vnis_list, tmp) + self.cli_delete(['interfaces', 'bridge', bridge]) if __name__ == '__main__': unittest.main(verbosity=2) diff --git a/src/conf_mode/interfaces_vxlan.py b/src/conf_mode/interfaces_vxlan.py index bc4918a52..68646e8ff 100755 --- a/src/conf_mode/interfaces_vxlan.py +++ b/src/conf_mode/interfaces_vxlan.py @@ -1,236 +1,259 @@ #!/usr/bin/env python3 # # Copyright (C) 2019-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. from sys import exit from vyos.base import Warning from vyos.config import Config from vyos.configdict import get_interface_dict from vyos.configdict import leaf_node_changed from vyos.configdict import is_node_changed from vyos.configdict import node_changed from vyos.configverify import verify_address from vyos.configverify import verify_bridge_delete from vyos.configverify import verify_mtu_ipv6 from vyos.configverify import verify_mirror_redirect from vyos.configverify import verify_source_interface from vyos.configverify import verify_bond_bridge_member from vyos.configverify import verify_vrf from vyos.ifconfig import Interface from vyos.ifconfig import VXLANIf from vyos.template import is_ipv6 from vyos.utils.dict import dict_search from vyos.utils.network import interface_exists from vyos import ConfigError from vyos import airbag airbag.enable() def get_config(config=None): """ Retrive CLI config as dictionary. Dictionary can never be empty, as at least the interface name will be added or a deleted flag """ if config: conf = config else: conf = Config() base = ['interfaces', 'vxlan'] ifname, vxlan = get_interface_dict(conf, base) # VXLAN interfaces are picky and require recreation if certain parameters # change. But a VXLAN interface should - of course - not be re-created if # it's description or IP address is adjusted. Feels somehow logic doesn't it? for cli_option in ['parameters', 'gpe', 'group', 'port', 'remote', 'source-address', 'source-interface', 'vni']: if is_node_changed(conf, base + [ifname, cli_option]): vxlan.update({'rebuild_required': {}}) break # When dealing with VNI filtering we need to know what VNI was actually removed, # so build up a dict matching the vlan_to_vni structure but with removed values. tmp = node_changed(conf, base + [ifname, 'vlan-to-vni'], recursive=True) if tmp: vxlan.update({'vlan_to_vni_removed': {}}) for vlan in tmp: vni = leaf_node_changed(conf, base + [ifname, 'vlan-to-vni', vlan, 'vni']) vxlan['vlan_to_vni_removed'].update({vlan : {'vni' : vni[0]}}) # We need to verify that no other VXLAN tunnel is configured when external # mode is in use - Linux Kernel limitation conf.set_level(base) vxlan['other_tunnels'] = conf.get_config_dict([], key_mangling=('-', '_'), get_first_key=True, no_tag_node_value_mangle=True) # This if-clause is just to be sure - it will always evaluate to true ifname = vxlan['ifname'] if ifname in vxlan['other_tunnels']: del vxlan['other_tunnels'][ifname] if len(vxlan['other_tunnels']) == 0: del vxlan['other_tunnels'] return vxlan def verify(vxlan): if 'deleted' in vxlan: verify_bridge_delete(vxlan) return None if int(vxlan['mtu']) < 1500: Warning('RFC7348 recommends VXLAN tunnels preserve a 1500 byte MTU') if 'group' in vxlan: if 'source_interface' not in vxlan: raise ConfigError('Multicast VXLAN requires an underlaying interface') verify_source_interface(vxlan) if not any(tmp in ['group', 'remote', 'source_address', 'source_interface'] for tmp in vxlan): raise ConfigError('Group, remote, source-address or source-interface must be configured') if 'vni' not in vxlan and dict_search('parameters.external', vxlan) == None: raise ConfigError('Must either configure VXLAN "vni" or use "external" CLI option!') if dict_search('parameters.external', vxlan) != None: if 'vni' in vxlan: raise ConfigError('Can not specify both "external" and "VNI"!') if 'other_tunnels' in vxlan: # When multiple VXLAN interfaces are defined and "external" is used, # all VXLAN interfaces need to have vni-filter enabled! # See Linux Kernel commit f9c4bb0b245cee35ef66f75bf409c9573d934cf9 other_vni_filter = False for tunnel, tunnel_config in vxlan['other_tunnels'].items(): if dict_search('parameters.vni_filter', tunnel_config) != None: other_vni_filter = True break # eqivalent of the C foo ? 'a' : 'b' statement vni_filter = True and (dict_search('parameters.vni_filter', vxlan) != None) or False # If either one is enabled, so must be the other. Both can be off and both can be on if (vni_filter and not other_vni_filter) or (not vni_filter and other_vni_filter): raise ConfigError(f'Using multiple VXLAN interfaces with "external" '\ 'requires all VXLAN interfaces to have "vni-filter" configured!') if not vni_filter and not other_vni_filter: other_tunnels = ', '.join(vxlan['other_tunnels']) raise ConfigError(f'Only one VXLAN tunnel is supported when "external" '\ f'CLI option is used and "vni-filter" is unset. '\ f'Additional tunnels: {other_tunnels}') if 'gpe' in vxlan and 'external' not in vxlan: raise ConfigError(f'VXLAN-GPE is only supported when "external" '\ f'CLI option is used.') if 'source_interface' in vxlan: # VXLAN adds at least an overhead of 50 byte - we need to check the # underlaying device if our VXLAN package is not going to be fragmented! vxlan_overhead = 50 if 'source_address' in vxlan and is_ipv6(vxlan['source_address']): # IPv6 adds an extra 20 bytes overhead because the IPv6 header is 20 # bytes larger than the IPv4 header - assuming no extra options are # in use. vxlan_overhead += 20 # If source_address is not used - check IPv6 'remote' list elif 'remote' in vxlan: if any(is_ipv6(a) for a in vxlan['remote']): vxlan_overhead += 20 lower_mtu = Interface(vxlan['source_interface']).get_mtu() if lower_mtu < (int(vxlan['mtu']) + vxlan_overhead): raise ConfigError(f'Underlaying device MTU is to small ({lower_mtu} '\ f'bytes) for VXLAN overhead ({vxlan_overhead} bytes!)') # Check for mixed IPv4 and IPv6 addresses protocol = None if 'source_address' in vxlan: if is_ipv6(vxlan['source_address']): protocol = 'ipv6' else: protocol = 'ipv4' if 'remote' in vxlan: error_msg = 'Can not mix both IPv4 and IPv6 for VXLAN underlay' for remote in vxlan['remote']: if is_ipv6(remote): if protocol == 'ipv4': raise ConfigError(error_msg) protocol = 'ipv6' else: if protocol == 'ipv6': raise ConfigError(error_msg) protocol = 'ipv4' if 'vlan_to_vni' in vxlan: if 'is_bridge_member' not in vxlan: raise ConfigError('VLAN to VNI mapping requires that VXLAN interface '\ 'is member of a bridge interface!') vnis_used = [] + vlans_used = [] for vif, vif_config in vxlan['vlan_to_vni'].items(): if 'vni' not in vif_config: raise ConfigError(f'Must define VNI for VLAN "{vif}"!') vni = vif_config['vni'] - if vni in vnis_used: - raise ConfigError(f'VNI "{vni}" is already assigned to a different VLAN!') - vnis_used.append(vni) + + err_msg = f'VLAN range "{vif}" does not match VNI range "{vni}"!' + vif_range, vni_range = list(map(int, vif.split('-'))), list(map(int, vni.split('-'))) + + if len(vif_range) != len(vni_range): + raise ConfigError(err_msg) + + if len(vif_range) > 1: + if vni_range[0] > vni_range[-1] or vif_range[0] > vif_range[-1]: + raise ConfigError('The upper bound of the range must be greater than the lower bound!') + vni_range = range(vni_range[0], vni_range[1] + 1) + vif_range = range(vif_range[0], vif_range[1] + 1) + + if len(vif_range) != len(vni_range): + raise ConfigError(err_msg) + + for vni_id in vni_range: + if vni_id in vnis_used: + raise ConfigError(f'VNI "{vni_id}" is already assigned to a different VLAN!') + vnis_used.append(vni_id) + + for vif_id in vif_range: + if vif_id in vlans_used: + raise ConfigError(f'VLAN "{vif_id}" is already in use!') + vlans_used.append(vif_id) if dict_search('parameters.neighbor_suppress', vxlan) != None: if 'is_bridge_member' not in vxlan: raise ConfigError('Neighbor suppression requires that VXLAN interface '\ 'is member of a bridge interface!') verify_mtu_ipv6(vxlan) verify_address(vxlan) verify_vrf(vxlan) verify_bond_bridge_member(vxlan) verify_mirror_redirect(vxlan) # We use a defaultValue for port, thus it's always safe to use if vxlan['port'] == '8472': Warning('Starting from VyOS 1.4, the default port for VXLAN '\ 'has been changed to 4789. This matches the IANA assigned '\ 'standard port number!') return None def generate(vxlan): return None def apply(vxlan): # Check if the VXLAN interface already exists if 'rebuild_required' in vxlan or 'delete' in vxlan: if interface_exists(vxlan['ifname']): v = VXLANIf(**vxlan) # VXLAN is super picky and the tunnel always needs to be recreated, # thus we can simply always delete it first. v.remove() if 'deleted' not in vxlan: # Finally create the new interface v = VXLANIf(**vxlan) v.update(vxlan) return None if __name__ == '__main__': try: c = get_config() verify(c) generate(c) apply(c) except ConfigError as e: print(e) exit(1)