def configure_ipv6_ra(namespace, dev_name, value):
    """Set how one interface handles IPv6 Router Advertisements.

    Writes ``net.ipv6.conf.<dev_name>.accept_ra=<value>`` through
    ``ip_lib.sysctl``.  See common/constants.py for possible values.

    :param namespace: namespace handed to ``ip_lib.sysctl``.
    :param dev_name: interface name substituted into the sysctl key.
    :param value: value assigned to ``accept_ra``.
    """
    # NOTE(review): dev_name and value are substituted into the sysctl
    # key/value unchanged; presumably callers only pass agent-generated
    # device names and constants -- confirm against the callers.
    substitutions = {'dev': dev_name, 'value': value}
    setting = 'net.ipv6.conf.%(dev)s.accept_ra=%(value)s' % substitutions
    # The result of ip_lib.sysctl() is not inspected here.
    ip_lib.sysctl([setting], namespace=namespace)
def configure_ipv6_forwarding(namespace, dev_name, enabled):
    """Turn IPv6 forwarding on or off for one interface.

    Writes ``net.ipv6.conf.<dev_name>.forwarding=<0|1>`` through
    ``ip_lib.sysctl``.

    :param namespace: namespace handed to ``ip_lib.sysctl``.
    :param dev_name: interface name substituted into the sysctl key.
    :param enabled: converted with ``int()`` before being written, so
        ``True``/``False`` become ``1``/``0``.
    """
    substitutions = {
        'dev': dev_name,
        'enabled': int(enabled)
    }
    setting = (
        'net.ipv6.conf.%(dev)s.forwarding=%(enabled)s' % substitutions
    )
    # The result of ip_lib.sysctl() is not inspected here.
    ip_lib.sysctl([setting], namespace=namespace)
def create(self):
    """Create the SNAT namespace, then apply its kernel settings.

    After the parent class has created the namespace, two settings are
    applied to it: the ip_nonlocal_bind helper from ``ip_lib`` and
    ``net.netfilter.nf_conntrack_tcp_loose=0``.
    """
    super(SnatNamespace, self).create()

    # This might be an HA router namespaces and it should not have
    # ip_nonlocal_bind enabled
    ip_lib.set_ip_nonlocal_bind_for_namespace(self.name)

    # Set nf_conntrack_tcp_loose to 0 to ensure mid-stream
    # TCP conversations aren't taken over by SNAT
    # NOTE(review): the sysctl result is not checked, so a failure here
    # leaves loose TCP tracking at whatever the namespace already had.
    strict_tcp_tracking = ['net.netfilter.nf_conntrack_tcp_loose=0']
    ip_lib.sysctl(strict_tcp_tracking, namespace=self.name)
def external_gateway_added(self, ex_gw_port, interface_name):
    """Handle a newly added external gateway port.

    Disables sending of ICMP redirects for all interfaces in the router
    namespace, enables the SNAT redirect rules for ``ex_gw_port`` and
    adds an ARP entry for every fixed IP of every SNAT interface.

    ``interface_name`` is accepted but not used in this method body.
    """
    # TODO(Carl) Refactor external_gateway_added/updated/removed to use
    # super class implementation where possible.  Looks like preserve_ips,
    # and ns_name are the key differences.
    no_redirects = ['net.ipv4.conf.all.send_redirects=0']
    ip_lib.sysctl(no_redirects, namespace=self.ns_name)

    self.enable_snat_redirect_rules(ex_gw_port)

    for snat_port in self.get_snat_interfaces():
        for fixed_ip in snat_port['fixed_ips']:
            self._update_arp_entry(
                fixed_ip['ip_address'],
                snat_port['mac_address'],
                fixed_ip['subnet_id'],
                'add',
            )
def _snat_redirect_modify(self, gateway, sn_port, sn_int, is_add):
    """Adds or removes rules and routes for SNAT redirection.

    For every fixed IP on ``sn_port`` and every gateway fixed IP of the
    same IP version, a gateway route and an ip rule are either added to
    or removed from the table returned by ``_get_snat_idx``.  On add,
    ``send_redirects`` is also set to 0 on ``sn_int``.

    Any exception is logged and swallowed, so the caller gets no signal
    when only part of the rule set was applied or removed.
    """
    no_redirects = ['net.ipv4.conf.%s.send_redirects=0' % sn_int]
    try:
        device = ip_lib.IPDevice(sn_int, namespace=self.ns_name)
        for port_ip in sn_port['fixed_ips']:
            port_addr = port_ip['ip_address']
            port_version = netaddr.IPAddress(port_addr).version
            for gw_ip in gateway['fixed_ips']:
                gw_addr = gw_ip['ip_address']
                # Only pair addresses of the same IP version.
                if netaddr.IPAddress(gw_addr).version != port_version:
                    continue

                cidr = common_utils.ip_to_cidr(port_addr,
                                               port_ip['prefixlen'])
                # The same index serves as routing table and priority.
                table = self._get_snat_idx(cidr)

                if not is_add:
                    self._delete_gateway_device_if_exists(device,
                                                          gw_addr,
                                                          table)
                    ip_lib.delete_ip_rule(self.ns_name, ip=cidr,
                                          table=table, priority=table)
                    continue

                device.route.add_gateway(gw_addr, table=table)
                ip_lib.add_ip_rule(namespace=self.ns_name, ip=cidr,
                                   table=table, priority=table)
                ip_lib.sysctl(no_redirects, namespace=self.ns_name)
    except Exception:
        failure = ('DVR: error adding redirection logic' if is_add else
                   ('DVR: snat remove failed to clear the rule '
                    'and device'))
        LOG.exception(failure)
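def _setup_system(self):
    """Apply the host-wide kernel settings the agent needs, or exit.

    Each setting is written with ``ip_lib.sysctl`` (no namespace is
    passed).  If a call returns 1 the failure is logged and the process
    exits with status 1, so later settings are not attempted.  Settings
    are applied in a fixed order; ``cfg.CONF.sr.srv6_interfaces`` is read
    only after the global ones have succeeded.
    """
    def _require(setting):
        # A return value of 1 from ip_lib.sysctl() is treated as failure.
        if ip_lib.sysctl([setting]) == 1:
            LOG.error("Failed to enable %s.", setting)
            sys.exit(1)

    global_settings = (
        # Make sure to allow ip forward
        'net.ipv4.ip_forward=1',
        # Make sure to allow tcp/udp packets to pass through the default
        # vrf.  With l3mdev_accept on, sockets listening in the default
        # VRF also accept traffic arriving in a VRF, so host services
        # need to be bound or filtered with that in mind.
        'net.ipv4.tcp_l3mdev_accept=1',
        'net.ipv4.udp_l3mdev_accept=1',
        # Accept SRv6 packets and forward IPv6.
        'net.ipv6.conf.all.seg6_enabled=1',
        'net.ipv6.conf.all.forwarding=1',
        # rp_filter=0 turns off reverse-path source validation.  The
        # kernel uses the higher of conf.all and the per-interface value,
        # which is why both are written.  Source-address spoofing is no
        # longer filtered by the kernel on these interfaces, so it has to
        # be handled elsewhere (security groups / upstream filtering).
        'net.ipv4.conf.all.rp_filter=0',
    )
    for setting in global_settings:
        _require(setting)

    for interface in cfg.CONF.sr.srv6_interfaces:
        _require('net.ipv4.conf.%s.rp_filter=0' % interface)

    # Make sure to allow bridge to call iptables
    # NOTE(review): this key presumably only exists once the bridge
    # netfilter module is loaded; if it is missing the agent exits here.
    _require('net.bridge.bridge-nf-call-iptables=1')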
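def configure_tap(self, tap_device_name, vm_mac, related_ips, ports, vrf,
                  vrf_ip, vrf_cidr):
    """Configure tap device

    The traffic for vm's ip goes to tap device vm connected to.
    NB: 1 port could have multiple ip address. that's why
    related_ips is list including ip informations

    Args:
        tap_device_name(String): tap device name
        vm_mac(String): mac address VM use (not used in this method body)
        related_ips(list<dict>): [{'gw_ip': <gateway_ip>,
                                   'cidr': <cidr of subnet>,
                                   'vm_ip': <vm ip address>}]
        ports: passed unchanged to ``_set_srv6_rules``
        vrf: vrf passed to ``_ensure_vrf``, ``_add_avr_to_vrf`` and
            ``_set_srv6_rules``
        vrf_ip: passed to ``_ensure_vrf`` and ``_set_srv6_rules``
        vrf_cidr: passed to ``_ensure_vrf``
    Return:
        None
    Raises:
        SysctlCommandError: if ``ip_lib.sysctl`` returns 1 for one of the
            proxy-ARP settings
    """
    tap_dev = ip_lib.IPDevice(tap_device_name)
    tap_dev.addr = IpAddrCommandAcceptArgs(tap_dev)
    # NOTE(review): [3:] presumably strips a 'tap' prefix from the
    # device name -- confirm against the caller.
    dev_suffix = tap_device_name[3:]
    for related_ip in related_ips:
        # Ensure veth
        qvb, qvr = self._get_veth_pair_names(dev_suffix)
        qvr_dev = self._add_veth(qvb, qvr)
        # Create bridge
        br_name = "qbr%s" % dev_suffix
        self._ensure_bridge(br_name, [qvb, tap_dev.name])
        cidr = '/' + related_ip['cidr']
        # assign virtual gateway ip to qvr
        qvr_address = related_ip['gw_ip'] + cidr
        # Pass the values as logging arguments so the message is only
        # formatted when debug logging is enabled.
        LOG.debug("Ensure %s having %s", qvr_dev.name, qvr_address)
        self._ensure_dev_having_ip(qvr_dev, qvr_address)
        # Ensure vrf exist
        vrf_table = self._ensure_vrf(vrf, vrf_ip, vrf_cidr)
        # assign qvr to vrf
        self._add_avr_to_vrf(vrf, qvr)
        # Configure SRv6
        self._set_srv6_rules(vrf, vrf_ip, ports)
        # add static route /32 to tap
        # NOTE(review): a /32 host route assumes vm_ip is IPv4 -- confirm.
        vm_ip_for_route = related_ip['vm_ip'] + '/32'
        LOG.debug("Ensure root namespace having route %s via %s",
                  vm_ip_for_route, qvr_dev.name)
        self._ensure_vm_route(qvr_dev, vm_ip_for_route, vrf_table)
        # proxy_arp=1 makes the host answer ARP requests on qvr on behalf
        # of other addresses; proxy_delay=0 removes the delay before
        # those proxied replies are sent.
        # NOTE(review): the listing this was taken from had lost its
        # indentation, so whether this loop belongs inside or after the
        # related_ips loop could not be determined.  It is kept inside,
        # where qvr is always defined; the settings are the same on every
        # pass because qvr depends only on tap_device_name.  Confirm
        # against the original file.
        for kernel_opts in ("net.ipv4.conf.%s.proxy_arp=1",
                            "net.ipv4.neigh.%s.proxy_delay=0"):
            cmd = [kernel_opts % qvr]
            result = ip_lib.sysctl(cmd)
            if result == 1:
                raise SysctlCommandError(cmd=cmd)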
def configure_ipv6_ra(namespace, dev_name):
    """Configure acceptance of IPv6 route advertisements on an intf.

    Writes ``net.ipv6.conf.<dev_name>.accept_ra=2`` through
    ``ip_lib.sysctl``.  The value 2 makes the kernel accept Router
    Advertisements even when forwarding is enabled on the interface.

    :param namespace: namespace handed to ``ip_lib.sysctl``.
    :param dev_name: interface name substituted into the sysctl key.
    """
    # Learn the default router's IP address via RAs
    # Router Advertisements carry no authentication, so the interface
    # takes its default route from whatever sends RAs on the attached
    # link; that link should be one where only the intended router can
    # send them.
    accept_ra_setting = 'net.ipv6.conf.%s.accept_ra=2' % dev_name
    # The result of ip_lib.sysctl() is not inspected here.
    ip_lib.sysctl([accept_ra_setting], namespace=namespace)
def configure_ipv6_forwarding(namespace, dev_name, enabled):
    """Configure IPv6 forwarding on an interface.

    The key written is ``net.ipv6.conf.<dev_name>.forwarding`` and the
    value is ``int(enabled)``.

    :param namespace: namespace handed to ``ip_lib.sysctl``.
    :param dev_name: interface name substituted into the sysctl key.
    :param enabled: truthy to enable forwarding, falsy to disable it;
        written as the result of ``int(enabled)``.
    """
    key_values = {'dev': dev_name, 'enabled': int(enabled)}
    forwarding_setting = (
        'net.ipv6.conf.%(dev)s.forwarding=%(enabled)s' % key_values)
    # The result of ip_lib.sysctl() is not inspected here.
    ip_lib.sysctl([forwarding_setting], namespace=namespace)