示例#1
 def configure_ipv6_ra(namespace, dev_name, value):
     """Set ``accept_ra`` for one interface inside a network namespace.

     Builds ``net.ipv6.conf.<dev_name>.accept_ra=<value>`` and passes it to
     ``ip_lib.sysctl`` for ``namespace``. See common/constants.py for
     possible values.
     """
     # NOTE(review): dev_name goes into the sysctl key unmodified. sysctl
     # treats '.' as a path separator, so a device name containing '.'
     # would address a different key -- confirm callers only pass
     # generated device names.
     params = {'dev': dev_name, 'value': value}
     setting = 'net.ipv6.conf.%(dev)s.accept_ra=%(value)s' % params
     # NOTE(review): whatever ip_lib.sysctl returns is not inspected, so
     # if it reports failure through its return value this function will
     # not notice -- confirm that is acceptable for RA handling.
     ip_lib.sysctl([setting], namespace=namespace)
示例#2
 def configure_ipv6_ra(namespace, dev_name, value):
     """Control how one interface handles IPv6 Router Advertisements.

     Writes ``net.ipv6.conf.<dev_name>.accept_ra=<value>`` through
     ``ip_lib.sysctl`` in ``namespace``. See common/constants.py for
     possible values.
     """
     # NOTE(review): the key is built from dev_name as given; a '.' in the
     # name would be read by sysctl as a path separator -- confirm the
     # names passed in are generated ones.
     substitutions = {'dev': dev_name, 'value': value}
     accept_ra = 'net.ipv6.conf.%(dev)s.accept_ra=%(value)s' % substitutions
     # NOTE(review): the result of the call is dropped, so a failed write
     # is not surfaced to the caller -- confirm this is intended.
     ip_lib.sysctl([accept_ra], namespace=namespace)
示例#3
 def configure_ipv6_forwarding(namespace, dev_name, enabled):
     """Switch IPv6 forwarding on or off for one interface in a namespace.

     ``enabled`` is passed through ``int()``, so True/False are written as
     1/0 in ``net.ipv6.conf.<dev_name>.forwarding``.
     """
     # NOTE(review): dev_name is placed in the key as-is; a name containing
     # '.' would be split by sysctl into extra path components -- confirm
     # callers only pass generated device names.
     substitutions = {'dev': dev_name, 'enabled': int(enabled)}
     setting = 'net.ipv6.conf.%(dev)s.forwarding=%(enabled)s' % substitutions
     # NOTE(review): the return value of ip_lib.sysctl is ignored, so a
     # failed write leaves forwarding in its previous state without any
     # signal to the caller -- confirm this is intended.
     ip_lib.sysctl([setting], namespace=namespace)
示例#4
 def create(self):
     """Create the namespace, then apply SNAT-specific kernel settings.

     After the parent ``create()`` this calls
     ``ip_lib.set_ip_nonlocal_bind_for_namespace`` and sets
     ``net.netfilter.nf_conntrack_tcp_loose=0`` inside ``self.name``.
     """
     super(SnatNamespace, self).create()
     # The namespace may belong to an HA router, which should not run with
     # ip_nonlocal_bind enabled. The value written is chosen inside the
     # helper and is not visible here.
     ip_lib.set_ip_nonlocal_bind_for_namespace(self.name)
     # With nf_conntrack_tcp_loose at 0, conntrack does not pick up TCP
     # connections that are already established, so mid-stream
     # conversations aren't taken over by SNAT.
     # NOTE(review): the result of the sysctl call is not checked; if the
     # write fails the loose default stays in effect -- confirm this is
     # acceptable.
     ip_lib.sysctl(['net.netfilter.nf_conntrack_tcp_loose=0'],
                   namespace=self.name)
示例#5
 def create(self):
     """Build the SNAT namespace and harden its conntrack behaviour.

     Runs the parent ``create()``, calls
     ``ip_lib.set_ip_nonlocal_bind_for_namespace`` for ``self.name`` and
     then writes ``net.netfilter.nf_conntrack_tcp_loose=0`` in that
     namespace.
     """
     super(SnatNamespace, self).create()
     # This might be an HA router namespace, and those should not have
     # ip_nonlocal_bind enabled; the helper decides the value it writes.
     ip_lib.set_ip_nonlocal_bind_for_namespace(self.name)
     # Setting nf_conntrack_tcp_loose to 0 stops conntrack from adopting
     # already-established TCP connections, so SNAT does not take over
     # conversations mid-stream.
     # NOTE(review): the sysctl result is discarded -- confirm a failed
     # write here does not need to abort namespace creation.
     tcp_strict = ['net.netfilter.nf_conntrack_tcp_loose=0']
     ip_lib.sysctl(tcp_strict, namespace=self.name)
示例#6
    def external_gateway_added(self, ex_gw_port, interface_name):
        """Prepare the router namespace after an external gateway is added.

        Turns off ICMP redirect sending for all interfaces in
        ``self.ns_name``, enables the SNAT redirect rules for
        ``ex_gw_port`` and adds an ARP entry for every fixed IP of every
        SNAT interface. ``interface_name`` is not used in this body.
        """
        # TODO(Carl) Refactor external_gateway_added/updated/removed to use
        # super class implementation where possible.  Looks like preserve_ips,
        # and ns_name are the key differences.
        # NOTE(review): the sysctl result is not checked; if the write fails
        # the namespace keeps sending ICMP redirects -- confirm whether that
        # should be surfaced.
        ip_lib.sysctl(['net.ipv4.conf.all.send_redirects=0'],
                      namespace=self.ns_name)

        self.enable_snat_redirect_rules(ex_gw_port)
        for snat_port in self.get_snat_interfaces():
            for fixed_ip in snat_port['fixed_ips']:
                address = fixed_ip['ip_address']
                mac = snat_port['mac_address']
                subnet = fixed_ip['subnet_id']
                self._update_arp_entry(address, mac, subnet, 'add')
示例#7
    def external_gateway_added(self, ex_gw_port, interface_name):
        """Configure redirects, SNAT rules and ARP entries for a new gateway.

        Writes ``net.ipv4.conf.all.send_redirects=0`` in ``self.ns_name``,
        calls ``enable_snat_redirect_rules`` with ``ex_gw_port`` and then
        registers an ARP entry per fixed IP on each SNAT interface.
        ``interface_name`` is accepted but not read here.
        """
        # TODO(Carl) Refactor external_gateway_added/updated/removed to use
        # super class implementation where possible.  Looks like preserve_ips,
        # and ns_name are the key differences.
        # NOTE(review): the return value of ip_lib.sysctl is dropped, so a
        # failed write would leave ICMP redirects enabled without notice --
        # confirm this is intended.
        no_redirects = ['net.ipv4.conf.all.send_redirects=0']
        ip_lib.sysctl(no_redirects, namespace=self.ns_name)

        self.enable_snat_redirect_rules(ex_gw_port)
        for snat_port in self.get_snat_interfaces():
            for fixed_ip in snat_port['fixed_ips']:
                entry = (fixed_ip['ip_address'],
                         snat_port['mac_address'],
                         fixed_ip['subnet_id'])
                self._update_arp_entry(entry[0], entry[1], entry[2], 'add')
示例#8
 def _snat_redirect_modify(self, gateway, sn_port, sn_int, is_add):
     """Add or remove the rules and routes used for SNAT redirection.

     For each fixed IP on ``sn_port``, every gateway fixed IP of the same
     IP version is paired with it. When ``is_add`` is true a gateway route
     and an ip rule are added for the port's CIDR, in the table returned
     by ``_get_snat_idx``, and ICMP redirect sending is switched off on
     ``sn_int``; otherwise the gateway route and the rule are deleted.

     Any exception raised along the way is logged and not re-raised, so
     the caller cannot tell from the return value whether it succeeded.
     """
     redirect_off = ['net.ipv4.conf.%s.send_redirects=0' % sn_int]
     try:
         device = ip_lib.IPDevice(sn_int, namespace=self.ns_name)
         for port_ip in sn_port['fixed_ips']:
             port_addr = port_ip['ip_address']
             port_version = netaddr.IPAddress(port_addr).version
             for gw_ip in gateway['fixed_ips']:
                 gw_addr = gw_ip['ip_address']
                 # Only pair addresses of the same IP version.
                 if netaddr.IPAddress(gw_addr).version != port_version:
                     continue
                 cidr = common_utils.ip_to_cidr(port_addr,
                                                port_ip['prefixlen'])
                 table_id = self._get_snat_idx(cidr)
                 if not is_add:
                     self._delete_gateway_device_if_exists(device,
                                                           gw_addr,
                                                           table_id)
                     ip_lib.delete_ip_rule(self.ns_name,
                                           ip=cidr,
                                           table=table_id,
                                           priority=table_id)
                     continue
                 device.route.add_gateway(gw_addr, table=table_id)
                 ip_lib.add_ip_rule(namespace=self.ns_name,
                                    ip=cidr,
                                    table=table_id,
                                    priority=table_id)
                 # NOTE(review): the sysctl result is not checked; a
                 # failed write leaves redirects enabled on sn_int.
                 ip_lib.sysctl(redirect_off, namespace=self.ns_name)
     except Exception:
         # Best effort: a failure part-way through can leave some routes
         # and rules applied and others not; only the log records it.
         if is_add:
             message = 'DVR: error adding redirection logic'
         else:
             message = 'DVR: snat remove failed to clear the rule and device'
         LOG.exception(message)
示例#9
 def _snat_redirect_modify(self, gateway, sn_port, sn_int, is_add):
     """Install or tear down SNAT redirection for one SNAT port.

     Walks the fixed IPs of ``sn_port`` and, for each gateway fixed IP
     with the same IP version, either adds a gateway route plus an ip rule
     for the port CIDR and disables ICMP redirects on ``sn_int``
     (``is_add`` true), or deletes that route and rule (``is_add`` false).
     Table and priority both come from ``_get_snat_idx``.

     Exceptions are caught, logged with ``LOG.exception`` and swallowed.
     """
     redirect_off = ['net.ipv4.conf.%s.send_redirects=0' % sn_int]
     try:
         device = ip_lib.IPDevice(sn_int, namespace=self.ns_name)
         for port_ip in sn_port['fixed_ips']:
             port_addr = port_ip['ip_address']
             port_version = netaddr.IPAddress(port_addr).version
             for gw_ip in gateway['fixed_ips']:
                 gw_addr = gw_ip['ip_address']
                 # Skip gateway addresses of the other IP version.
                 if netaddr.IPAddress(gw_addr).version != port_version:
                     continue
                 cidr = common_utils.ip_to_cidr(port_addr,
                                                port_ip['prefixlen'])
                 table_id = self._get_snat_idx(cidr)
                 if not is_add:
                     self._delete_gateway_device_if_exists(device,
                                                           gw_addr,
                                                           table_id)
                     ip_lib.delete_ip_rule(self.ns_name,
                                           ip=cidr,
                                           table=table_id,
                                           priority=table_id)
                     continue
                 device.route.add_gateway(gw_addr, table=table_id)
                 ip_lib.add_ip_rule(namespace=self.ns_name,
                                    ip=cidr,
                                    table=table_id,
                                    priority=table_id)
                 # NOTE(review): the result of this write is ignored, so
                 # redirects may stay enabled on sn_int if it fails.
                 ip_lib.sysctl(redirect_off, namespace=self.ns_name)
     except Exception:
         # The broad catch keeps the agent running, but the namespace can
         # be left with only part of the routes and rules in place.
         if is_add:
             message = 'DVR: error adding redirection logic'
         else:
             message = 'DVR: snat remove failed to clear the rule and device'
         LOG.exception(message)
示例#10
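 def _setup_system(self):
     """Apply the kernel settings this agent relies on, exiting on failure.

     Each setting is written with ``ip_lib.sysctl``; when that call
     returns 1 the failure is logged and the process exits with status 1.
     The settings are applied in the original order. No namespace is
     passed, so they presumably land in the namespace the agent itself
     runs in -- TODO confirm.

     NOTE(review): several settings relax kernel defaults (IPv4/IPv6
     forwarding on, ``rp_filter`` off). With reverse-path filtering
     disabled the kernel no longer drops packets whose source address
     fails the reverse-path check, so source-address validation has to be
     enforced elsewhere (for example by firewall rules) -- confirm that
     it is before deploying on a host with untrusted neighbours.
     """
     def _set_or_exit(setting):
         # One shared failure path instead of a copy per setting: log the
         # setting that could not be applied, then stop the process.
         result = ip_lib.sysctl([setting])
         if result == 1:
             LOG.error("Failed to enable %s.", setting)
             sys.exit(1)

     global_settings = (
         # Make sure to allow ip forward
         'net.ipv4.ip_forward=1',
         # Make sure to allow tcp packet to pass though default vrf
         'net.ipv4.tcp_l3mdev_accept=1',
         # Make sure to allow udp packet to pass though default vrf
         'net.ipv4.udp_l3mdev_accept=1',
         'net.ipv6.conf.all.seg6_enabled=1',
         'net.ipv6.conf.all.forwarding=1',
         'net.ipv4.conf.all.rp_filter=0',
     )
     for setting in global_settings:
         _set_or_exit(setting)

     # The kernel uses the higher of conf.all and conf.<interface> for
     # rp_filter, so it has to be cleared per interface as well.
     for interface in cfg.CONF.sr.srv6_interfaces:
         _set_or_exit('net.ipv4.conf.%s.rp_filter=0' % interface)

     # Make sure to allow bridge to call iptables
     _set_or_exit('net.bridge.bridge-nf-call-iptables=1')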
示例#11
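    def configure_tap(self, tap_device_name, vm_mac, related_ips, ports, vrf,
                      vrf_ip, vrf_cidr):
        """Configure tap device

        The traffic for vm's ip goes to tap device vm connected to.
        NB: 1 port could have multiple ip address. that's why
        related_ips is list including ip informations

        Args:
            tap_device_name(String): tap device name; the first three
                characters are stripped to derive the veth and bridge
                names (presumably a "tap" prefix -- TODO confirm)
            vm_mac(String): mac address VM use (not read in this body)
            related_ips(list<dict>): [{'gw_ip': <gateway_ip>,
                                       'cidr': <cidr of subnet>,
                                       'vm_ip': <vm ip address>}]
            ports: passed unchanged to ``_set_srv6_rules``
            vrf: VRF passed to ``_ensure_vrf``, ``_add_avr_to_vrf`` and
                ``_set_srv6_rules``
            vrf_ip: passed to ``_ensure_vrf`` and ``_set_srv6_rules``
            vrf_cidr: passed to ``_ensure_vrf``
        Return:
            None
        Raises:
            SysctlCommandError: when ``ip_lib.sysctl`` returns 1 for one of
                the proxy ARP settings
        """
        tap_dev = ip_lib.IPDevice(tap_device_name)
        tap_dev.addr = IpAddrCommandAcceptArgs(tap_dev)
        # The names depend only on the tap device, so they are resolved once
        # up front. This also keeps ``qvr`` defined for the sysctl step when
        # related_ips is empty, which used to fail with an unbound local.
        device_suffix = tap_device_name[3:]
        qvb, qvr = self._get_veth_pair_names(device_suffix)
        br_name = "qbr%s" % device_suffix
        for related_ip in related_ips:
            # Ensure veth
            qvr_dev = self._add_veth(qvb, qvr)
            # Create bridge
            self._ensure_bridge(br_name, [qvb, tap_dev.name])
            cidr = '/' + related_ip['cidr']
            # assign virtual gateway ip to qvr
            qvr_address = related_ip['gw_ip'] + cidr
            LOG.debug("Ensure %s having %s", qvr_dev.name, qvr_address)
            self._ensure_dev_having_ip(qvr_dev, qvr_address)
            # Ensure vrf exist
            vrf_table = self._ensure_vrf(vrf, vrf_ip, vrf_cidr)
            # assign qvr to vrf
            self._add_avr_to_vrf(vrf, qvr)
            # Configure SRv6
            self._set_srv6_rules(vrf, vrf_ip, ports)
            # add static route /32 to tap
            vm_ip_for_route = related_ip['vm_ip'] + '/' + '32'
            LOG.debug("Ensure root namespace having route %s via %s",
                      vm_ip_for_route, qvr_dev.name)
            self._ensure_vm_route(qvr_dev, vm_ip_for_route, vrf_table)

        # Proxy ARP makes qvr answer ARP requests for addresses it can
        # route, so it is enabled only on this one veth end.
        for kernel_opts in ("net.ipv4.conf.%s.proxy_arp=1",
                            "net.ipv4.neigh.%s.proxy_delay=0"):
            cmd = [kernel_opts % qvr]
            result = ip_lib.sysctl(cmd)
            if result == 1:
                raise SysctlCommandError(cmd=cmd)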
示例#12
 def configure_ipv6_ra(namespace, dev_name):
     """Make one interface accept IPv6 router advertisements.

     Writes ``net.ipv6.conf.<dev_name>.accept_ra=2`` in ``namespace`` so
     the default router's IP address is learned via RAs. The value 2 tells
     the kernel to accept RAs even when forwarding is enabled.
     """
     # NOTE(review): RAs are unauthenticated, so any sender on the attached
     # link can influence the default route -- confirm that link is trusted
     # or filtered. The sysctl result is also not checked here.
     accept_ra = 'net.ipv6.conf.%s.accept_ra=2' % dev_name
     ip_lib.sysctl([accept_ra], namespace=namespace)
示例#13
 def configure_ipv6_forwarding(namespace, dev_name, enabled):
     """Enable or disable IPv6 forwarding on one interface in a namespace.

     ``enabled`` is converted with ``int()`` before it is written to
     ``net.ipv6.conf.<dev_name>.forwarding``.
     """
     # NOTE(review): dev_name is used in the key unmodified, and sysctl
     # reads '.' as a path separator -- confirm the names passed in never
     # contain one.
     substitutions = {'dev': dev_name, 'enabled': int(enabled)}
     forwarding = ('net.ipv6.conf.%(dev)s.forwarding=%(enabled)s' %
                   substitutions)
     # NOTE(review): the sysctl result is dropped, so a failed write is not
     # reported to the caller -- confirm this is intended.
     ip_lib.sysctl([forwarding], namespace=namespace)