[pve-devel] [PATCH pve-network 1/4] controllers: evpn: add ipv6 prefix-list support
Signed-off-by: Alexandre Derumier
--- src/PVE/Network/SDN/Controllers/EvpnPlugin.pm | 4 1 file changed, 4 insertions(+)
diff --git a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
index f320139..e536226 100644
--- a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
+++ b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
@@ -484,6 +484,7 @@ sub generate_controller_rawconfig {
 generate_frr_recurse($final_config, $config->{frr}, undef, 0);
 generate_frr_list($final_config, $config->{frr_access_list}, "access-list");
 generate_frr_list($final_config, $config->{frr_prefix_list}, "ip prefix-list");
+generate_frr_list($final_config, $config->{frr_prefix_list_v6}, "ipv6 prefix-list");
 generate_frr_routemap($final_config, $config->{frr_routemap});
 generate_frr_ip_protocol($final_config, $config->{frr_ip_protocol});
@@ -535,6 +536,9 @@ sub parse_merge_frr_local_config {
 } elsif ($line =~ m/^ip prefix-list (.+) seq (\d+) (.*)$/) {
 $config->{'frr_prefix_list'}->{$1}->{$2} = $3;
 next;
+ } elsif ($line =~ m/^ipv6 prefix-list (.+) seq (\d+) (.*)$/) {
+ $config->{'frr_prefix_list_v6'}->{$1}->{$2} = $3;
+ next;
 } elsif($line =~ m/^exit-address-family$/) {
 next;
 } elsif($line =~ m/^exit$/) {
-- 2.39.2
___ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
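Review bot: The list-name capture in the new `ipv6 prefix-list` branch of parse_merge_frr_local_config is the greedy `(.+)`, which also accepts a name containing ` seq ` and then relies on backtracking to find the real sequence number; FRR prefix-list names are single tokens, so `(\S+)` states the intent and cannot misparse: `} elsif ($line =~ m/^ipv6 prefix-list (\S+) seq (\d+) (.*)$/) {`. It mirrors the existing `ip prefix-list` line just above it, so both should change together or neither. Both generate_controller_rawconfig and parse_merge_frr_local_config start and end outside their hunks.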
[pve-devel] [PATCH pve-network 4/4] controllers: evpn: fix null routes order && ipv6
- don't duplicate ip - ipv6 use "ipv6 route" - order correctly Signed-off-by: Alexandre Derumier
--- src/PVE/Network/SDN/Controllers/EvpnPlugin.pm | 16 - .../expected_controller_config| 7 .../exitnodenullroute/expected_sdn_interfaces | 8 + .../zones/evpn/exitnodenullroute/sdn_config | 35 +++ 4 files changed, 65 insertions(+), 1 deletion(-)
diff --git a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
index 648f341..c2fdf88 100644
--- a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
+++ b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
@@ -162,11 +162,25 @@ sub generate_controller_zone_config {
 #null routes subnets of other zones
 if ($is_gateway) {
 my $subnets = PVE::Network::SDN::Vnets::get_subnets();
+ my $cidrs = {};
 foreach my $subnetid (sort keys %{$subnets}) {
 my $subnet = $subnets->{$subnetid};
 my $cidr = $subnet->{cidr};
 my $zone = $subnet->{zone};
- push @controller_config, "ip route $cidr null0" if $zone ne $id;
+ my ($ip, $mask) = split(/\//, $cidr);
+ $cidrs->{$ip} = $mask if $zone ne $id;
+
+ }
+
+ my @sorted_ip =
+ map { $_->[0] }
+ sort { $a->[1] <=> $b->[1] }
+ map { [ $_, eval { Net::IP->new( $_ )->intip } ] }
+ keys %{$cidrs} if $cidrs;
+
+ foreach my $ip (@sorted_ip) {
+ my $ipversion = Net::IP::ip_is_ipv4($ip) ? 'ip' : 'ipv6';
+ push @controller_config, "$ipversion route $ip/$cidrs->{$ip} null0";
 }
 }
diff --git a/src/test/zones/evpn/exitnodenullroute/expected_controller_config b/src/test/zones/evpn/exitnodenullroute/expected_controller_config
index e05fc77..a6403c0 100644
--- a/src/test/zones/evpn/exitnodenullroute/expected_controller_config
+++ b/src/test/zones/evpn/exitnodenullroute/expected_controller_config
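Review bot: `my @sorted_ip = ... keys %{$cidrs} if $cidrs;` puts a statement modifier on a `my` declaration, which perlsyn documents as undefined behaviour, and the guard is always true because `$cidrs` is a hashref even when it is empty; the `if $cidrs` should simply go. The dedup hash is also keyed by the bare network address, so two other-zone subnets that share an address but differ in prefix length (say `10.0.0.0/24` and `10.0.0.0/16`) collapse to whichever mask is seen last and one null route is silently dropped; keying by the full cidr still removes exact duplicates without losing distinct prefixes. Sorting on `intip` orders every IPv4 entry before every IPv6 one, which matches the fixture, but `eval { ... }` turns an unparseable cidr into undef so it sorts as 0 with a warning instead of failing loudly — worth confirming that is the intended behaviour. The enclosing generate_controller_zone_config starts before and continues after the hunk.
```perl
my $subnets = PVE::Network::SDN::Vnets::get_subnets();
my $cidrs = {};
foreach my $subnetid (sort keys %{$subnets}) {
    my $subnet = $subnets->{$subnetid};
    # key on the full cidr: the same address with different prefix lengths are distinct routes
    $cidrs->{$subnet->{cidr}} = 1 if $subnet->{zone} ne $id;
}

# no statement modifier on a 'my' declaration; Net::IP->new accepts cidr notation
my @sorted_cidrs =
    map { $_->[0] }
    sort { $a->[1] <=> $b->[1] }
    map { [ $_, eval { Net::IP->new($_)->intip } ] }
    keys %{$cidrs};

foreach my $cidr (@sorted_cidrs) {
    my ($ip) = split(/\//, $cidr);
    my $ipversion = Net::IP::ip_is_ipv4($ip) ? 'ip' : 'ipv6';
    push @controller_config, "$ipversion route $cidr null0";
}
```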
@@ -7,13 +7,20 @@ service integrated-vtysh-config ! vrf vrf_myzone vni 1000 + ip route 10.0.0.0/24 null0 ip route 172.16.0.0/24 null0 ip route 172.16.1.0/24 null0 + ip route 172.16.3.0/24 null0 exit-vrf ! vrf vrf_myzone2 vni 1001 ip route 10.0.0.0/24 null0 + ip route 192.168.0.1/24 null0 + ip route 192.168.10.1/24 null0 + ipv6 route 2b0f:1480::/64 null0 + ipv6 route 2b0f:1480:4000:6000::/64 null0 + ipv6 route 2b0f:1480:4000:8000::/64 null0 exit-vrf ! router bgp 65000 diff --git a/src/test/zones/evpn/exitnodenullroute/expected_sdn_interfaces b/src/test/zones/evpn/exitnodenullroute/expected_sdn_interfaces index b6d9c13..4bf5ccf 100644 --- a/src/test/zones/evpn/exitnodenullroute/expected_sdn_interfaces +++ b/src/test/zones/evpn/exitnodenullroute/expected_sdn_interfaces @@ -3,17 +3,25 @@ auto myvnet iface myvnet address 10.0.0.1/24 + address 192.168.0.1/24 + address 192.168.10.1/24 + address 2b0f:1480:4000:6000::1/64 + address 2b0f:1480:4000:8000::1/64 + address 2b0f:1480::1/64 bridge_ports vxlan_myvnet bridge_stp off bridge_fd 0 mtu 1450 ip-forward on + ip6-forward on arp-accept on vrf vrf_myzone auto myvnet2 iface myvnet2 + address 10.0.0.1/24 address 172.16.0.1/24 + address 172.16.3.1/24 bridge_ports vxlan_myvnet2 bridge_stp off bridge_fd 0 diff --git a/src/test/zones/evpn/exitnodenullroute/sdn_config b/src/test/zones/evpn/exitnodenullroute/sdn_config index 1060f83..5064ec4 100644 --- a/src/test/zones/evpn/exitnodenullroute/sdn_config +++ b/src/test/zones/evpn/exitnodenullroute/sdn_config 
@@ -19,16 +19,51 @@ subnets => { ids => { + 'myzone-192.168.10.1-24' => { + 'type' => 'subnet', + 'vnet' => 'myvnet', + 'gateway' => '192.168.10.1', + }, + 'myzone-192.168.0.1-24' => { + 'type' => 'subnet', + 'vnet' => 'myvnet', + 'gateway' => '192.168.0.1', + }, 'myzone-10.0.0.0-24' => { 'type' => 'subnet', 'vnet' => 'myvnet', 'gateway' => '10.0.0.1', }, + 'myzone2-10.0.0.0-24' => { + 'type' => 'subnet', + 'vnet' => 'myvnet2', + 'gateway' => '10.0.0.1', + }, + 'myzone-2b0f:1480:4000:8000::-64' => { + 'type' => 'subnet', + 'vnet' => 'myvnet', + 'gateway' => '2b0f:1480:4000:8000::1', + }, + 'myzone-2b0f:1480::-64' => { + 'type' => 'subnet', +
[pve-devel] [PATCH pve-network 3/4] controllers: evpn: frr config cleanup
Some values have been reordered in last version - bump version to 8.5.2 - move no bgp graceful-restart notification - move neighbor VTEP activate Signed-off-by: Alexandre Derumier --- src/PVE/Network/SDN/Controllers/EvpnPlugin.pm | 6 +++--- .../zones/evpn/advertise_subnets/expected_controller_config | 6 +++--- .../disable_arp_nd_suppression/expected_controller_config | 6 +++--- src/test/zones/evpn/ebgp/expected_controller_config | 6 +++--- .../zones/evpn/ebgp_loopback/expected_controller_config | 6 +++--- src/test/zones/evpn/exitnode/expected_controller_config | 6 +++--- .../evpn/exitnode_local_routing/expected_controller_config | 6 +++--- .../zones/evpn/exitnode_primary/expected_controller_config | 6 +++--- .../zones/evpn/exitnode_snat/expected_controller_config | 6 +++--- .../zones/evpn/exitnodenullroute/expected_controller_config | 6 +++--- src/test/zones/evpn/ipv4/expected_controller_config | 6 +++--- src/test/zones/evpn/ipv4ipv6/expected_controller_config | 6 +++--- .../zones/evpn/ipv4ipv6nogateway/expected_controller_config | 6 +++--- src/test/zones/evpn/ipv6/expected_controller_config | 6 +++--- src/test/zones/evpn/isis/expected_controller_config | 6 +++--- .../zones/evpn/isis_loopback/expected_controller_config | 6 +++--- .../zones/evpn/multipath_relax/expected_controller_config | 6 +++--- .../zones/evpn/multiplezones/expected_controller_config | 6 +++--- src/test/zones/evpn/rt_import/expected_controller_config| 6 +++--- src/test/zones/evpn/vxlanport/expected_controller_config| 6 +++--- 20 files changed, 60 insertions(+), 60 deletions(-) diff --git a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm index f1605a3..648f341 100644 --- a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm +++ b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm 
@@ -77,9 +77,9 @@ sub generate_controller_config { my @controller_config = ( "bgp router-id $ifaceip", "no bgp hard-administrative-reset", - "no bgp graceful-restart notification", "no bgp default ipv4-unicast", "coalesce-time 1000", + "no bgp graceful-restart notification", ); push(@{$bgp->{""}}, @controller_config) if keys %{$bgp} == 0; @@ -104,9 +104,9 @@ sub generate_controller_config { # address-family l2vpn @controller_config = (); +push @controller_config, "neighbor VTEP activate"; push @controller_config, "neighbor VTEP route-map MAP_VTEP_IN in"; push @controller_config, "neighbor VTEP route-map MAP_VTEP_OUT out"; -push @controller_config, "neighbor VTEP activate"; push @controller_config, "advertise-all-vni"; push @controller_config, "autort as $autortas" if $autortas; push(@{$bgp->{"address-family"}->{"l2vpn evpn"}}, @controller_config); @@ -479,7 +479,7 @@ sub generate_controller_rawconfig { my $nodename = PVE::INotify::nodename(); my $final_config = []; -push @{$final_config}, "frr version 8.5.1"; +push @{$final_config}, "frr version 8.5.2"; push @{$final_config}, "frr defaults datacenter"; push @{$final_config}, "hostname $nodename"; push @{$final_config}, "log syslog informational"; diff --git a/src/test/zones/evpn/advertise_subnets/expected_controller_config b/src/test/zones/evpn/advertise_subnets/expected_controller_config index 15f4581..473a470 100644 --- a/src/test/zones/evpn/advertise_subnets/expected_controller_config +++ b/src/test/zones/evpn/advertise_subnets/expected_controller_config @@ -1,4 +1,4 @@ -frr version 8.5.1 +frr version 8.5.2 frr defaults datacenter hostname localhost log syslog informational @@ -12,9 +12,9 @@ exit-vrf router bgp 65000 bgp router-id 192.168.0.1 no bgp hard-administrative-reset - no bgp graceful-restart notification no bgp default ipv4-unicast coalesce-time 1000 + no bgp graceful-restart notification neighbor VTEP peer-group neighbor VTEP remote-as 65000 neighbor VTEP bfd 
@@ -22,9 +22,9 @@ router bgp 65000 neighbor 192.168.0.3 peer-group VTEP ! address-family l2vpn evpn + neighbor VTEP activate neighbor VTEP route-map MAP_VTEP_IN in neighbor VTEP route-map MAP_VTEP_OUT out - neighbor VTEP activate advertise-all-vni exit-address-family exit diff --git a/src/test/zones/evpn/disable_arp_nd_suppression/expected_controller_config b/src/test/zones/evpn/disable_arp_nd_suppression/expected_controller_config index d5d310d..9d8ec60 100644 --- a/src/test/zones/evpn/disable_arp_nd_suppression/expected_controller_config +++ b/src/test/zones/evpn/disable_arp_nd_suppression/expected_controller_config @@ -1,4 +1,4 @@ -frr version 8.5.1 +frr version 8.5.2 frr defaults datacenter hostname localhost log syslog informational @@ -12,9 +12,9 @@ exit-vrf router bgp 65000 bgp router-id 192.168.0.1 no bgp hard-administrative-reset - no bgp graceful-restart notification no bgp default ipv4-unicast coalesce
[pve-devel] [PATCH pve-network 0/4] evpn controller fix && cleanup
This patch series fixes 1 critical bug with multiple exit-nodes and other minor ipv6 bugs with prefix-list && null routes. It also cleans up the ordering of some values in frr.conf to match the output of the frr running config. Alexandre Derumier (4): controllers: evpn: add ipv6 prefix-list support controllers: evpn: bugfix: use prefix-list in route-map instead evpn match controllers: evpn: frr config cleanup controllers: evpn: fix null routes order && ipv6 src/PVE/Network/SDN/Controllers/EvpnPlugin.pm | 52 +++ .../expected_controller_config| 6 +-- .../expected_controller_config| 6 +-- .../evpn/ebgp/expected_controller_config | 6 +-- .../ebgp_loopback/expected_controller_config | 6 +-- .../evpn/exitnode/expected_controller_config | 19 --- .../expected_controller_config| 19 --- .../expected_controller_config| 18 +-- .../exitnode_snat/expected_controller_config | 19 --- .../expected_controller_config| 33 +--- .../exitnodenullroute/expected_sdn_interfaces | 8 +++ .../zones/evpn/exitnodenullroute/sdn_config | 35 + .../evpn/ipv4/expected_controller_config | 6 +-- .../evpn/ipv4ipv6/expected_controller_config | 6 +-- .../expected_controller_config| 6 +-- .../evpn/ipv6/expected_controller_config | 6 +-- .../evpn/isis/expected_controller_config | 6 +-- .../isis_loopback/expected_controller_config | 6 +-- .../expected_controller_config| 6 +-- .../multiplezones/expected_controller_config | 6 +-- .../evpn/rt_import/expected_controller_config | 6 +-- .../evpn/vxlanport/expected_controller_config | 6 +-- 22 files changed, 203 insertions(+), 84 deletions(-) -- 2.39.2 ___ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
[pve-devel] [PATCH pve-network 2/4] controllers: evpn: bugfix: use prefix-list in route-map instead evpn match
"match evpn" in route-map is broken since 8.5.0 https://github.com/FRRouting/frr/issues/14419 the patch https://github.com/FRRouting/frr/commit/272c6d5db128ff7450fe9fcd16c046160594deb3 is converting type-2 && type-5 evpn routes to prefix-prefix. (fixing prefix-list not working previously, but breaking "match evpn") So, simply use prefix-list now, as "match epvn" was a workaround anyway. reported on the forum, where user have routing loop between the 2 exit-nodes: https://forum.proxmox.com/threads/sdn-with-evpn-controller-routing-loop-when-using-multiple-exit-nodes.137362/ Signed-off-by: Alexandre Derumier --- src/PVE/Network/SDN/Controllers/EvpnPlugin.pm | 26 ++- .../evpn/exitnode/expected_controller_config | 13 +++--- .../expected_controller_config| 13 +++--- .../expected_controller_config| 12 +++-- .../exitnode_snat/expected_controller_config | 13 +++--- .../expected_controller_config| 20 ++ 6 files changed, 74 insertions(+), 23 deletions(-) diff --git a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm index e536226..f1605a3 100644 --- a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm +++ b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm 
@@ -188,22 +188,34 @@ sub generate_controller_zone_config {
 if ($is_gateway) {
+ $config->{frr_prefix_list}->{'only_default'}->{1} = "permit 0.0.0.0/0";
+ $config->{frr_prefix_list_v6}->{'only_default_v6'}->{1} = "permit ::/0";
+
 if (!$exitnodes_primary || $exitnodes_primary eq $local_node) {
- #filter default type5 route coming from other exit nodes on primary node or both nodes if no primary is defined.
+ #filter default route coming from other exit nodes on primary node or both nodes if no primary is defined.
+ my $routemap_config_v6 = ();
+ push @{$routemap_config_v6}, "match ip address prefix-list only_default_v6";
+ my $routemap_v6 = { rule => $routemap_config_v6, action => "deny" };
+ unshift(@{$config->{frr_routemap}->{'MAP_VTEP_IN'}}, $routemap_v6);
+
 my $routemap_config = ();
- push @{$routemap_config}, "match evpn vni $vrfvxlan";
- push @{$routemap_config}, "match evpn route-type prefix";
+ push @{$routemap_config}, "match ip address prefix-list only_default";
 my $routemap = { rule => $routemap_config, action => "deny" };
 unshift(@{$config->{frr_routemap}->{'MAP_VTEP_IN'}}, $routemap);
+ } elsif ($exitnodes_primary ne $local_node) {
+ my $routemap_config_v6 = ();
+ push @{$routemap_config_v6}, "match ipv6 address prefix-list only_default_v6";
+ push @{$routemap_config_v6}, "set metric 200";
+ my $routemap_v6 = { rule => $routemap_config_v6, action => "permit" };
+ unshift(@{$config->{frr_routemap}->{'MAP_VTEP_OUT'}}, $routemap_v6);
+
 my $routemap_config = ();
- push @{$routemap_config}, "match evpn vni $vrfvxlan";
- push @{$routemap_config}, "match evpn route-type prefix";
+ push @{$routemap_config}, "match ip address prefix-list only_default";
 push @{$routemap_config}, "set metric 200";
 my $routemap = { rule => $routemap_config, action => "permit" };
 unshift(@{$config->{frr_routemap}->{'MAP_VTEP_OUT'}}, $routemap);
-}
-
+ }
 if (!$exitnodes_local_routing) {
 @controller_config = ();
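Review bot: In the MAP_VTEP_IN deny branch the new IPv6 rule is `match ip address prefix-list only_default_v6`, while `only_default_v6` is created two lines above as an `ipv6 prefix-list`; the MAP_VTEP_OUT branch uses `match ipv6 address prefix-list only_default_v6`, and the IN rule should read the same: `push @{$routemap_config_v6}, "match ipv6 address prefix-list only_default_v6";`. As I read FRR, an `ip` match that names a list existing only in the IPv6 namespace never matches, so the IPv6 default route learned from the other exit node would pass MAP_VTEP_IN unfiltered on the primary — the IPv6 half of the loop this patch sets out to fix. The expected_controller_config fixtures in the following hunks encode the same `match ip address prefix-list only_default_v6` line and would need the matching update. The `elsif ($exitnodes_primary ne $local_node)` test is always true once the first branch's condition fails, so a plain `else` would state the intent more directly. generate_controller_zone_config starts before and continues after the hunk.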
diff --git a/src/test/zones/evpn/exitnode/expected_controller_config b/src/test/zones/evpn/exitnode/expected_controller_config index 598233f..f327e34 100644 --- a/src/test/zones/evpn/exitnode/expected_controller_config +++ b/src/test/zones/evpn/exitnode/expected_controller_config @@ -56,12 +56,19 @@ router bgp 65000 vrf vrf_myzone exit-address-family exit ! +ip prefix-list only_default seq 1 permit 0.0.0.0/0 +! +ipv6 prefix-list only_default_v6 seq 1 permit ::/0 +! route-map MAP_VTEP_IN deny 1 - match evpn vni 1000 - match evpn route-type prefix + match ip address prefix-list only_default +exit +! +route-map MAP_VTEP_IN deny 2 + match ip address prefix-list only_default_v6 exit ! -route-map MAP_VTEP_IN permit 2 +route-map MAP_VTEP_IN permit 3 exit ! route-map MAP_VTEP_OUT permit 1 diff --git a/src/test/zones/evpn/exitnode_local_routing/expected_controller_config b/src/test/zones/evpn/exitnode_local_routing/expected_controller_config index 8c8e485..5b96cd8 100644 --- a/src/test/zones/evpn/exitnode_local_routing/expected_controller_config +++ b/src/test/zones/evpn/exitnode_local_routing/expected_controller_config @@ -40,12 +40,19 @@ router bgp 65000 vrf vrf_myzone exit-address-family exit ! +ip prefix-list only_default seq 1 permit 0.0.0.0/0 +! +ipv6 prefix-list only_default_v6 seq 1 permit ::/0 +! route-map MAP_VTEP_IN deny 1 - match evpn vni 1000 - match evpn route-type prefix + match ip add