-
Notifications
You must be signed in to change notification settings - Fork 1.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
mgmt_vrf_namespace: management vrf using namespace solution
- Loading branch information
Showing
11 changed files
with
504 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
#!/bin//bash | ||
|
||
set -e | ||
|
||
VRFNAME="mgmt" | ||
|
||
ip netns exec $VRFNAME iptables -t nat -A PREROUTING -i eth0 -j $IF_MGMT_VRF_CHAIN | ||
|
||
ip netns exec $VRFNAME iptables -t nat -A POSTROUTING -p tcp -o $IF_PEER_IFACE -j SNAT --to-source $IF_IF1_IP:62000-65000 | ||
ip netns exec $VRFNAME iptables -t nat -A POSTROUTING -p udp -o $IF_PEER_IFACE -j SNAT --to-source $IF_IF1_IP:62000-65000 | ||
|
||
ip netns exec $VRFNAME iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE | ||
|
||
ip netns exec $VRFNAME iptables -t nat -A $IF_MGMT_VRF_CHAIN -p tcp --dport 22 -j DNAT --to-destination $IF_IF2_IP | ||
|
||
ip netns exec $VRFNAME iptables -t nat -A $IF_MGMT_VRF_CHAIN -p tcp --dport 20 -j DNAT --to-destination $IF_IF2_IP | ||
|
||
ip netns exec $VRFNAME iptables -t nat -A $IF_MGMT_VRF_CHAIN -p tcp --dport 21 -j DNAT --to-destination $IF_IF2_IP | ||
|
||
ip netns exec $VRFNAME iptables -t nat -A $IF_MGMT_VRF_CHAIN -p udp --dport 161 -j DNAT --to-destination $IF_IF2_IP | ||
|
||
ip netns exec $VRFNAME iptables -t nat -A $IF_MGMT_VRF_CHAIN -p udp --dport 69 -j DNAT --to-destination ${IF_IF2_IP} | ||
|
||
ip netns exec $VRFNAME iptables -t nat -A $IF_MGMT_VRF_CHAIN -p tcp --dport 80 -j DNAT --to-destination $IF_IF2_IP | ||
|
||
ip netns exec $VRFNAME iptables -t nat -A $IF_MGMT_VRF_CHAIN -p tcp --dport 443 -j DNAT --to-destination $IF_IF2_IP | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,32 @@ | ||
#!/bin//bash | ||
|
||
set -e | ||
|
||
VRFNAME="mgmt" | ||
|
||
ip netns exec $VRFNAME iptables -t nat -D PREROUTING -i eth0 -j $IF_MGMT_VRF_CHAIN | ||
|
||
ip netns exec $VRFNAME iptables -t nat -D POSTROUTING -p tcp -o ${IF_PEER_IFACE} -j SNAT --to-source ${IF_IF1_IP}:62000-65000 | ||
ip netns exec $VRFNAME iptables -t nat -D POSTROUTING -p udp -o ${IF_PEER_IFACE} -j SNAT --to-source ${IF_IF1_IP}:62000-65000 | ||
|
||
ip netns exec $VRFNAME iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE | ||
|
||
ip netns exec $VRFNAME iptables -t nat -D $IF_MGMT_VRF_CHAIN -p tcp --dport 22 -j DNAT --to-destination ${IF_IF2_IP} | ||
|
||
ip netns exec $VRFNAME iptables -t nat -D $IF_MGMT_VRF_CHAIN -p tcp --dport 20 -j DNAT --to-destination ${IF_IF2_IP} | ||
|
||
ip netns exec $VRFNAME iptables -t nat -D $IF_MGMT_VRF_CHAIN -p tcp --dport 21 -j DNAT --to-destination ${IF_IF2_IP} | ||
|
||
ip netns exec $VRFNAME iptables -t nat -D $IF_MGMT_VRF_CHAIN -p udp --dport 161 -j DNAT --to-destination ${IF_IF2_IP} | ||
|
||
ip netns exec $VRFNAME iptables -t nat -D $IF_MGMT_VRF_CHAIN -p udp --dport 69 -j DNAT --to-destination ${IF_IF2_IP} | ||
|
||
ip netns exec $VRFNAME iptables -t nat -D $IF_MGMT_VRF_CHAIN -p tcp --dport 80 -j DNAT --to-destination ${IF_IF2_IP} | ||
|
||
ip netns exec $VRFNAME iptables -t nat -D $IF_MGMT_VRF_CHAIN -p tcp --dport 443 -j DNAT --to-destination ${IF_IF2_IP} | ||
|
||
ip netns exec $VRFNAME sysctl -w net.ipv4.conf.eth0.route_localnet=0 | ||
|
||
ip netns exec $VRFNAME sysctl -w net.ipv4.conf.${IF_PEER_IFACE}.route_localnet=0 | ||
|
||
sysctl -w net.ipv4.conf.${IFACE}.route_localnet=0 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
#!/bin/sh | ||
|
||
set -e | ||
|
||
if [ -n "${IF_PEER_NETNS}" -a -n "${IF_PEER_IFACE}" ] | ||
then | ||
if OUTPUT=$(ip netns list | grep -w ${IF_PEER_NETNS}) | ||
then | ||
# Take down the remote end of the veth | ||
ip netns exec ${IF_PEER_NETNS} ip link set ${IF_PEER_IFACE} down | ||
|
||
case "${IF_CONFIGURE_INTERFACES}" in | ||
true|yes|on) | ||
# Ifdown the interfaces inside the netns and inside | ||
# a mount namespace with /run/network.nsname mounted | ||
# on /run/network | ||
unshare -m /bin/sh <<-EOF | ||
mount --make-rprivate / | ||
mount --bind /run/network.${IF_PEER_NETNS} /run/network | ||
/usr/bin/delete-mgmt-vrf-iptables.sh | ||
logger "if_down_netns: Doing ifdown for the interfaces present in management namespace." | ||
ip netns exec ${IF_PEER_NETNS} ifdown -i /etc/network/interfaces.${IF_PEER_NETNS} -a | ||
EOF | ||
;; | ||
esac | ||
fi | ||
fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
#!/bin/sh | ||
# filename: | ||
|
||
set -e | ||
|
||
if [ -n "${IF_PEER_NETNS}" -a -n "${IF_PEER_IFACE}" ] | ||
then | ||
logger "if_pre_up_netns: User is enabling management VRF. interfaces.j2 has set the required variables. Create the management namespace if not already present." | ||
# Create netns if it doesn't already exist, and bring up the loopback | ||
if ! OUTPUT=$(ip netns list | grep -w ${IF_PEER_NETNS}) | ||
then | ||
logger "if_pre_up_netns: management vrf does not exist. Create it now." | ||
mkdir -p /run/network.${IF_PEER_NETNS} | ||
rm -rf /run/network.${IF_PEER_NETNS}/* | ||
ip netns add ${IF_PEER_NETNS} | ||
ip netns exec ${IF_PEER_NETNS} ip link set lo up | ||
else | ||
logger "if_pre_up_netns: management vrf already exists. No need to create it." | ||
fi | ||
|
||
if OUTPUT=$(ifconfig eth0) | ||
then | ||
logger "if_pre_up_netns: eth0 is in default VRF. Move it to management VRF" | ||
# Move the management interface eth0 from default namespace to management namespace | ||
ip link set dev eth0 netns ${IF_PEER_NETNS} | ||
else | ||
logger "if_pre_up_netns: eth0 is NOT in default VRF. No need to move it." | ||
fi | ||
|
||
# if veth pair is already existing, there will be a link by name if1@if2 | ||
if ! OUTPUT=$(ethtool -S if2) | ||
then | ||
logger "if_pre_up_netns: if1 & if2 are NOT in eth pair. Connect them via eth pair now" | ||
# Add the veth pair for if2 with peer as if1 | ||
ip link add name ${IFACE} type veth peer name ${IF_PEER_IFACE} | ||
else | ||
logger "if_pre_up_netns: if1 & if2 are already in eth pair. NO need to connect them via eth pair now" | ||
fi | ||
|
||
# if if1 is already part of management namespace, nothing to do. Else move it to the management namespace | ||
if ! OUTPUT=$(ip netns exec ${IF_PEER_NETNS} ifconfig if1) | ||
then | ||
logger "if_pre_up_netns: if1 is not in management VRF. Move it now" | ||
# Put the remote end interface if1 into the netns | ||
ip link set dev ${IF_PEER_IFACE} netns ${IF_PEER_NETNS} | ||
else | ||
logger "if_pre_up_netns: if1 is alerady in management VRF. no need to move it" | ||
fi | ||
|
||
# Set if2 as UP | ||
logger "if_pre_up_netns: Bringing up the if2" | ||
ip link set ${IFACE} up | ||
|
||
fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,76 @@ | ||
#!/bin/sh | ||
# filename: | ||
|
||
set -e | ||
|
||
|
||
if [ -n "${IF_PEER_NETNS}" -a -n "${IF_PEER_IFACE}" ] | ||
then | ||
logger "if_up_netns: User is enabling management VRF. interfaces.j2 has set the required variables. management namespace was already created and eth0 is already moved to management namespace in if_pre_up_netns." | ||
|
||
# Bring up the remote end of the veth | ||
ip netns exec ${IF_PEER_NETNS} ip link set ${IF_PEER_IFACE} up | ||
|
||
case "${IF_CONFIGURE_INTERFACES}" in | ||
true|yes|on) | ||
logger "if_up_netns: Configuring the veth pair and internal IP addresses for the internal interfaces." | ||
ip netns exec ${IF_PEER_NETNS} ifconfig ${IF_PEER_IFACE} ${IF_IF1_IP}/${IF_IF1_PREFIXLEN} | ||
ifconfig ${IFACE} ${IF_IF2_IP}/${IF_IF2_PREFIXLEN} | ||
|
||
# Ifup the interfaces in the netns and inside | ||
# a mount namespace with /run/network.nsname mounted | ||
# on /run/network | ||
unshare -m /bin/sh <<-EOF | ||
mount --make-rprivate / | ||
mount --bind /run/network.${IF_PEER_NETNS} /run/network | ||
logger "if_up_netns: Doing ifup for the interfaces present in management namespace." | ||
ip netns exec ${IF_PEER_NETNS} ifup -i /etc/network/interfaces.${IF_PEER_NETNS} -a | ||
EOF | ||
;; | ||
esac | ||
|
||
logger "if_up_netns: flushing rules from MgmtVrfChain" | ||
ip netns exec ${IF_PEER_NETNS} iptables -t nat -F ${IF_MGMT_VRF_CHAIN} >/dev/null 2>&1 || true | ||
# In case if the MgmtVrfChain exists, creating it again will result in the script failing & exiting. Delete is before creating. | ||
logger "if_up_netns: Deleting MgmtVrfChain before creating it" | ||
ip netns exec ${IF_PEER_NETNS} iptables -t nat -X ${IF_MGMT_VRF_CHAIN} >/dev/null 2>&1 || true | ||
logger "if_up_netns: Creating MgmtVrfChain in management VRF." | ||
ip netns exec ${IF_PEER_NETNS} iptables -t nat -N ${IF_MGMT_VRF_CHAIN} | ||
logger "if_up_netns: Creating iptables rules in management VRF into MgmtVrfChain" | ||
/usr/bin/create-mgmt-vrf-iptables.sh | ||
|
||
# When 127 NW is used, default NS does not reply for the ARP request sent from management NS when default NS | ||
# loopback interface netmask is 255.0.0.0. Change it to 255.255.255.0 in both namespaces. | ||
|
||
ifconfig lo 127.0.0.1 netmask 255.255.255.0 | ||
ip netns exec ${IF_PEER_NETNS} ifconfig lo 127.0.0.1 netmask 255.255.255.0 | ||
|
||
# route_localnet should be set to 1 to force the linux to route packets for IP addresses 127.100.100.x | ||
logger "if_up_netns: Setting route_localnet for if2 in default VRF." | ||
sysctl -w net.ipv4.conf.$IFACE.route_localnet=1 | ||
|
||
logger "if_up_netns: Setting route_localnet for all interfaces in management VRF." | ||
ip netns exec ${IF_PEER_NETNS} sysctl -w net.ipv4.conf.all.route_localnet=1 | ||
fi | ||
|
||
if [ $IFACE = "lo" ]; | ||
then | ||
logger "if_up_netns: ifup for lo is executed." | ||
EXIST=`ip address show lo | grep "127.0.0.1/8" | wc -l` | ||
if [ $EXIST -eq 1 ] | ||
then | ||
logger "if_up_netns: 8 bit 127 address is there." | ||
EXIST2=`ip address show lo | grep "127.0.0.1/24" | wc -l` | ||
if [ $EXIST2 -eq 1 ] | ||
then | ||
logger "if_up_netns: 24 bit 127 address is also there." | ||
logger "if_up_netns: ifup for lo is executed. Deleting the 8 bit address which is conflicting with 24 bit mask" | ||
ip address del 127.0.0.1/8 dev lo | ||
else | ||
logger "if_up_netns: 24 bit 127 address is NOT there." | ||
fi | ||
else | ||
logger "if_up_netns: ifup for lo is executed. 8 bit address doe not exist and hence nothing to delete" | ||
fi | ||
fi | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
# | ||
{% block banner %} | ||
# =============== Managed by SONiC Config Engine DO NOT EDIT! =============== | ||
# generated from /usr/share/sonic/templates/interfaces_mgmt.j2 using sonic-cfggen | ||
# file: /etc/network/interfaces.management | ||
# | ||
{% endblock banner %} | ||
|
||
{% block loopback %} | ||
# The loopback network interface | ||
auto lo | ||
iface lo inet loopback | ||
{% endblock loopback %} | ||
|
||
{% block mgmt_interface %} | ||
|
||
{% if MGMT_VRF_CONFIG['vrf_global']['mgmtVrfEnabled'] == "true" %} | ||
# The management network interface | ||
auto eth0 | ||
{% if MGMT_INTERFACE %} | ||
{% for (name, prefix) in MGMT_INTERFACE %} | ||
iface eth0 {{ 'inet' if prefix | ipv4 else 'inet6' }} static | ||
address {{ prefix | ip }} | ||
netmask {{ prefix | netmask if prefix | ipv4 else prefix | prefixlen }} | ||
########## management network policy routing rules | ||
# management port up rules | ||
up ip {{ '-4' if prefix | ipv4 else '-6' }} route add default via {{ MGMT_INTERFACE[(name, prefix)]['gwaddr'] }} dev eth0 table default | ||
#up ip {{ '-4' if prefix | ipv4 else '-6' }} route add default via {{ MGMT_INTERFACE[(name, prefix)]['gwaddr'] }} | ||
up ip {{ '-4' if prefix | ipv4 else '-6' }} route add {{ prefix | network }}/{{ prefix | prefixlen }} dev eth0 table default | ||
up ip {{ '-4' if prefix | ipv4 else '-6' }} rule add from {{ prefix | ip }}/{{ '32' if prefix | ipv4 else '128' }} table default | ||
{% for route in MGMT_INTERFACE[(name, prefix)]['forced_mgmt_routes'] %} | ||
up ip rule add to {{ route }} table default | ||
{% endfor %} | ||
# management port down rules | ||
down ip {{ '-4' if prefix | ipv4 else '-6' }} route delete default via {{ MGMT_INTERFACE[(name, prefix)]['gwaddr'] }} dev eth0 table default | ||
down ip {{ '-4' if prefix | ipv4 else '-6' }} route delete {{ prefix | network }}/{{ prefix | prefixlen }} dev eth0 table default | ||
down ip {{ '-4' if prefix | ipv4 else '-6' }} rule delete from {{ prefix | ip }}/{{ '32' if prefix | ipv4 else '128' }} table default | ||
{% for route in MGMT_INTERFACE[(name, prefix)]['forced_mgmt_routes'] %} | ||
down ip rule delete to {{ route }} table default | ||
{% endfor %} | ||
{# TODO: COPP policy type rules #} | ||
{% endfor %} | ||
{% else %} | ||
iface eth0 inet dhcp | ||
{% endif %} | ||
{% endif %} | ||
# | ||
{% endblock mgmt_interface %} |
Oops, something went wrong.