add gateway ip to vnet and force /32 for ipv4 to avoid arp problem, and disable forwarding by security
Signed-off-by: Alexandre Derumier <aderum...@odiso.com> --- src/PVE/Network/SDN/Zones/VlanPlugin.pm | 33 +++++++++++++++++++ .../zones/vlan/dhcp/expected_sdn_interfaces | 27 +++++++++++++++ src/test/zones/vlan/dhcp/interfaces | 5 +++ src/test/zones/vlan/dhcp/sdn_config | 27 +++++++++++++++ .../zones/vlan/nodhcp/expected_sdn_interfaces | 23 +++++++++++++ src/test/zones/vlan/nodhcp/interfaces | 5 +++ src/test/zones/vlan/nodhcp/sdn_config | 27 +++++++++++++++ 7 files changed, 147 insertions(+) create mode 100644 src/test/zones/vlan/dhcp/expected_sdn_interfaces create mode 100644 src/test/zones/vlan/dhcp/interfaces create mode 100644 src/test/zones/vlan/dhcp/sdn_config create mode 100644 src/test/zones/vlan/nodhcp/expected_sdn_interfaces create mode 100644 src/test/zones/vlan/nodhcp/interfaces create mode 100644 src/test/zones/vlan/nodhcp/sdn_config diff --git a/src/PVE/Network/SDN/Zones/VlanPlugin.pm b/src/PVE/Network/SDN/Zones/VlanPlugin.pm index 6a68e8d..2fa0480 100644 --- a/src/PVE/Network/SDN/Zones/VlanPlugin.pm +++ b/src/PVE/Network/SDN/Zones/VlanPlugin.pm @@ -43,6 +43,7 @@ sub options { reversedns => { optional => 1 }, dnszone => { optional => 1 }, ipam => { optional => 1 }, + dhcp => { optional => 1 }, }; } @@ -51,6 +52,8 @@ sub generate_sdn_config { my ($class, $plugin_config, $zoneid, $vnetid, $vnet, $controller, $controller_cfg, $subnet_cfg, $interfaces_config, $config) = @_; my $bridge = $plugin_config->{bridge}; + my $dhcp = $plugin_config->{dhcp}; + PVE::Network::SDN::Zones::Plugin::find_bridge($bridge); my $vlan_aware = PVE::Network::SDN::Zones::Plugin::is_vlanaware($bridge); 
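Review bot: `dhcp => { optional => 1 }` in `options()` carries no constraint in this hunk, and the only use of the value in this series (`my $dhcp = $plugin_config->{dhcp};` in the second hunk, tested later with a bare `if ($dhcp)`) is a truthiness check, so any non-empty string, not just the `dnsmasq` value the new test fixture uses, would switch on the gateway-address and forwarding changes. If the `dhcp` property is not already declared with an enum of supported backends in the plugin's `properties()` (outside this view), it should be, or `generate_sdn_config` should reject values it does not know. The `options` sub closes inside this hunk, but `generate_sdn_config` only starts here and continues past it.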
@@ -120,8 +123,36 @@ sub generate_sdn_config { push(@{$config->{$bridgevlan}}, @iface_config) if !$config->{$bridgevlan}; } + #vnet bridge @iface_config = (); + + my $disable_forward_v4 = undef; + my $disable_forward_v6 = undef; + + if ($dhcp) { + my $address = {}; + my $subnets = PVE::Network::SDN::Vnets::get_subnets($vnetid, 1); + + foreach my $subnetid (sort keys %{$subnets}) { + my $subnet = $subnets->{$subnetid}; + my $gateway = $subnet->{gateway}; + if ($gateway) { + + my $mask = $subnet->{mask}; + if (Net::IP::ip_is_ipv6($gateway)) { + $disable_forward_v6 = 1; + } else { + $mask = '32'; + $disable_forward_v4 = 1; + } + + push @iface_config, "address $gateway/$mask" if !defined($address->{$gateway}); + $address->{$gateway} = 1; + } + } + } + push @iface_config, "bridge_ports $vnet_uplink"; push @iface_config, "bridge_stp off"; push @iface_config, "bridge_fd 0"; @@ -131,6 +162,8 @@ sub generate_sdn_config { } push @iface_config, "mtu $mtu" if $mtu; push @iface_config, "alias $alias" if $alias; + push @iface_config, "ip-forward off" if $disable_forward_v4; + push @iface_config, "ip6-forward off" if $disable_forward_v6; push(@{$config->{$vnetid}}, @iface_config) if !$config->{$vnetid}; return $config; diff --git a/src/test/zones/vlan/dhcp/expected_sdn_interfaces b/src/test/zones/vlan/dhcp/expected_sdn_interfaces new file mode 100644 index 0000000..89e0d4a --- /dev/null +++ b/src/test/zones/vlan/dhcp/expected_sdn_interfaces @@ -0,0 +1,27 @@ +#version:1 + +auto ln_myvnet +iface ln_myvnet + link-type veth + veth-peer-name pr_myvnet + +auto myvnet +iface myvnet + address 192.168.0.1/32 + address 2a08:2142:302:3::1/64 + bridge_ports ln_myvnet + bridge_stp off + bridge_fd 0 + ip-forward off + ip6-forward off + +auto pr_myvnet +iface pr_myvnet + link-type veth + veth-peer-name ln_myvnet + +auto vmbr0v100 +iface vmbr0v100 + bridge_ports eth0.100 pr_myvnet + bridge_stp off + bridge_fd 0 
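Review bot: The `/32` override for IPv4 gateways and the `$address` de-duplication are the whole point of this block, yet the code explains neither, so a reader of `generate_sdn_config` only learns the reason from the commit message; add a why-comment above `$mask = '32';` such as `# IPv4 gateway is deliberately added as /32 (avoids the ARP problem described in the commit message); IPv6 keeps its subnet mask` and `# one 'address' line per distinct gateway, even when several subnets share it` above the `push`. `Net::IP::ip_is_ipv6` is called fully qualified; make sure `use Net::IP;` is present at the top of VlanPlugin.pm rather than relying on another module having loaded it, since the file header is outside the hunk. When two subnets share a gateway but differ in mask, the first one in sorted subnet-id order silently wins; that may be acceptable, but the comment should say so. The enclosing `generate_sdn_config` body begins before and continues after this hunk.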
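Review bot: `ip-forward off` / `ip6-forward off` on the vnet bridge only stop the kernel from routing packets that arrive on that bridge towards other interfaces; packets a guest sends to any other address the host itself holds (for example its management IP) are local deliveries, not forwarding, and are still accepted. If the commit's security goal is to keep guests from reaching the host through the new gateway address, a firewall rule on the vnet bridge is needed in addition, and the limitation should be recorded next to the two new lines, e.g. `# per-interface forwarding off: does not block traffic addressed to the host's own IPs`. The flags are also only set when a subnet actually has a gateway, so a DHCP zone whose subnets lack one keeps the default forwarding setting; presumably intended, but worth a comment. For IPv6 the per-interface forwarding flag also selects host-versus-router behaviour for that interface (router advertisement handling), so confirm that is wanted on a bridge carrying the gateway address. `generate_sdn_config` closes after this hunk.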
diff --git a/src/test/zones/vlan/dhcp/interfaces b/src/test/zones/vlan/dhcp/interfaces new file mode 100644 index 0000000..9eaf6ff --- /dev/null +++ b/src/test/zones/vlan/dhcp/interfaces @@ -0,0 +1,5 @@ +auto vmbr0 +iface vmbr0 inet manual + bridge-ports eth0 + bridge-stp off + bridge-fd 0 \ No newline at end of file diff --git a/src/test/zones/vlan/dhcp/sdn_config b/src/test/zones/vlan/dhcp/sdn_config new file mode 100644 index 0000000..024ffa9 --- /dev/null +++ b/src/test/zones/vlan/dhcp/sdn_config @@ -0,0 +1,27 @@ +{ + version => 1, + vnets => { + ids => { + myvnet => { type => "vnet", zone => "myzone", tag => 100 }, + }, + }, + zones => { + ids => { myzone => { bridge => "vmbr0", ipam => "pve", type => "vlan", dhcp => "dnsmasq" } }, + }, + subnets => { + ids => { + 'myzone-192.168.0.0-24' => { + 'type' => 'subnet', + 'vnet' => 'myvnet', + 'gateway' => '192.168.0.1', + }, + 'myzone-2a08:2142:302:3::-64' => { + 'type' => 'subnet', + 'vnet' => 'myvnet', + 'gateway' => '2a08:2142:302:3::1', + } + } + } +} + + diff --git a/src/test/zones/vlan/nodhcp/expected_sdn_interfaces b/src/test/zones/vlan/nodhcp/expected_sdn_interfaces new file mode 100644 index 0000000..f9e96d1 --- /dev/null +++ b/src/test/zones/vlan/nodhcp/expected_sdn_interfaces @@ -0,0 +1,23 @@ +#version:1 + +auto ln_myvnet +iface ln_myvnet + link-type veth + veth-peer-name pr_myvnet + +auto myvnet +iface myvnet + bridge_ports ln_myvnet + bridge_stp off + bridge_fd 0 + +auto pr_myvnet +iface pr_myvnet + link-type veth + veth-peer-name ln_myvnet + +auto vmbr0v100 +iface vmbr0v100 + bridge_ports eth0.100 pr_myvnet + bridge_stp off + bridge_fd 0 diff --git a/src/test/zones/vlan/nodhcp/interfaces b/src/test/zones/vlan/nodhcp/interfaces new file mode 100644 index 0000000..9eaf6ff --- /dev/null +++ b/src/test/zones/vlan/nodhcp/interfaces @@ -0,0 +1,5 @@ +auto vmbr0 +iface vmbr0 inet manual + bridge-ports eth0 + bridge-stp off + bridge-fd 0 \ No newline at end of file 
diff --git a/src/test/zones/vlan/nodhcp/sdn_config b/src/test/zones/vlan/nodhcp/sdn_config new file mode 100644 index 0000000..e47eac8 --- /dev/null +++ b/src/test/zones/vlan/nodhcp/sdn_config @@ -0,0 +1,27 @@ +{ + version => 1, + vnets => { + ids => { + myvnet => { type => "vnet", zone => "myzone", tag => 100 }, + }, + }, + zones => { + ids => { myzone => { bridge => "vmbr0", ipam => "pve", type => "vlan" } }, + }, + subnets => { + ids => { + 'myzone-192.168.0.0-24' => { + 'type' => 'subnet', + 'vnet' => 'myvnet', + 'gateway' => '192.168.0.1', + }, + 'myzone-2a08:2142:302:3::-64' => { + 'type' => 'subnet', + 'vnet' => 'myvnet', + 'gateway' => '2a08:2142:302:3::1', + } + } + } +} + + -- 2.39.2 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel