[pve-devel] [PATCH v2 pve-network 5/5] zones: simple: fix ip-forward && ipv6 snat

Alexandre Derumier aderumier at odiso.com
Wed Apr 21 22:55:49 CEST 2021


Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 PVE/Network/SDN/Zones/SimplePlugin.pm         | 34 ++++++++++++++-----
 .../simple/hetzner/expected_sdn_interfaces    | 19 +++++++++++
 test/zones/simple/hetzner/interfaces          |  6 ++++
 test/zones/simple/hetzner/sdn_config          | 34 +++++++++++++++++++
 .../zones/simple/ipv4/expected_sdn_interfaces |  1 +
 .../simple/ipv4snat/expected_sdn_interfaces   |  1 +
 .../simple/ipv4v6/expected_sdn_interfaces     | 11 ++++++
 test/zones/simple/ipv4v6/interfaces           |  5 +++
 test/zones/simple/ipv4v6/sdn_config           | 27 +++++++++++++++
 .../simple/ipv6snat/expected_sdn_interfaces   | 13 +++++++
 test/zones/simple/ipv6snat/interfaces         |  7 ++++
 test/zones/simple/ipv6snat/sdn_config         | 24 +++++++++++++
 12 files changed, 174 insertions(+), 8 deletions(-)
 create mode 100644 test/zones/simple/hetzner/expected_sdn_interfaces
 create mode 100644 test/zones/simple/hetzner/interfaces
 create mode 100644 test/zones/simple/hetzner/sdn_config
 create mode 100644 test/zones/simple/ipv4v6/expected_sdn_interfaces
 create mode 100644 test/zones/simple/ipv4v6/interfaces
 create mode 100644 test/zones/simple/ipv4v6/sdn_config
 create mode 100644 test/zones/simple/ipv6snat/expected_sdn_interfaces
 create mode 100644 test/zones/simple/ipv6snat/interfaces
 create mode 100644 test/zones/simple/ipv6snat/sdn_config

diff --git a/PVE/Network/SDN/Zones/SimplePlugin.pm b/PVE/Network/SDN/Zones/SimplePlugin.pm
index 9f74f3e..caea5a8 100644
--- a/PVE/Network/SDN/Zones/SimplePlugin.pm
+++ b/PVE/Network/SDN/Zones/SimplePlugin.pm
@@ -47,8 +47,6 @@ sub generate_sdn_config {
 
     return $config if$config->{$vnetid}; # nothing to do
 
-    my $ipv4 = $vnet->{ipv4};
-    my $ipv6 = $vnet->{ipv6};
     my $mac = $vnet->{mac};
     my $alias = $vnet->{alias};
     my $mtu = $plugin_config->{mtu} if $plugin_config->{mtu};
@@ -59,6 +57,9 @@ sub generate_sdn_config {
     my $address = {};
     my $subnets = PVE::Network::SDN::Vnets::get_subnets($vnetid, 1);
 
+    my $ipv4 = undef;
+    my $ipv6 = undef;
+
     foreach my $subnetid (sort keys %{$subnets}) {
 	my $subnet = $subnets->{$subnetid};
 	my $cidr = $subnet->{cidr};
@@ -69,18 +70,33 @@ sub generate_sdn_config {
 	    push @iface_config, "address $gateway/$mask" if !defined($address->{$gateway});
 	    $address->{$gateway} = 1;
 	}
+
+	my $iptables = undef;
+	my $checkrouteip = undef;
+	my $ipversion = Net::IP::ip_is_ipv6($gateway) ? 6 : 4;
+
+	if ( $ipversion == 6) {
+	    $ipv6 = 1;
+	    $iptables = "ip6tables";
+	    $checkrouteip = '2001:4860:4860::8888';
+	} else {
+	    $ipv4 = 1;
+	    $iptables = "iptables";
+	    $checkrouteip = '8.8.8.8';
+	}
+
 	#add route for /32 pointtopoint
-	push @iface_config, "up ip route add $cidr dev $vnetid" if $mask == 32;
+	push @iface_config, "up ip route add $cidr dev $vnetid" if $mask == 32 && $ipversion == 4;
 	if ($subnet->{snat}) {
 	    #find outgoing interface
-	    my ($outip, $outiface) = PVE::Network::SDN::Zones::Plugin::get_local_route_ip('8.8.8.8');
+	    my ($outip, $outiface) = PVE::Network::SDN::Zones::Plugin::get_local_route_ip($checkrouteip);
 	    if ($outip && $outiface) {
 		#use snat, faster than masquerade
-		push @iface_config, "post-up iptables -t nat -A POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip";
-		push @iface_config, "post-down iptables -t nat -D POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip";
+		push @iface_config, "post-up $iptables -t nat -A POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip";
+		push @iface_config, "post-down $iptables -t nat -D POSTROUTING -s '$cidr' -o $outiface -j SNAT --to-source $outip";
 		#add conntrack zone once on outgoing interface
-		push @iface_config, "post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1";
-		push @iface_config, "post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1";
+		push @iface_config, "post-up $iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1";
+		push @iface_config, "post-down $iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1";
 	    }
 	}
     }
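Review bot: `$ipversion` is taken from `$gateway`, yet the guarded `address` push just above this hunk suggests `$gateway` can be undefined for a subnet without one; `Net::IP::ip_is_ipv6` is not true for undef, so such a subnet is silently classed as IPv4, sets `$ipv4`, and later emits `ip-forward on` (hunk at old line 95) even for an IPv6-only vnet. Derive the family from the subnet prefix instead, which is always present: `my ($net_addr) = split(m{/}, $cidr);` followed by `my $ipversion = Net::IP::ip_is_ipv6($net_addr) ? 6 : 4;`. Separately, the SNAT rules are emitted without checking that `$outip` belongs to the same family as the subnet; the ipv6snat fixture in this series expects `ip6tables ... --to-source 192.168.0.1`, an IPv4 source in an ip6tables rule that ip6tables will not accept, so guard with `if ($outip && $outiface && (Net::IP::ip_is_ipv6($outip) ? 6 : 4) == $ipversion)` and skip (or warn) otherwise. generate_sdn_config starts and ends outside this hunk.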
@@ -95,6 +111,8 @@ sub generate_sdn_config {
     }
     push @iface_config, "mtu $mtu" if $mtu;
     push @iface_config, "alias $alias" if $alias;
+    push @iface_config, "ip-forward on" if $ipv4;
+    push @iface_config, "ip6-forward on" if $ipv6;
 
     push @{$config->{$vnetid}}, @iface_config;
 
diff --git a/test/zones/simple/hetzner/expected_sdn_interfaces b/test/zones/simple/hetzner/expected_sdn_interfaces
new file mode 100644
index 0000000..f47ac53
--- /dev/null
+++ b/test/zones/simple/hetzner/expected_sdn_interfaces
@@ -0,0 +1,19 @@
+#version:1
+
+auto myvnet
+iface myvnet
+	address 144.76.100.65/29
+	bridge_ports none
+	bridge_stp off
+	bridge_fd 0
+	ip-forward on
+
+auto myvnet2
+iface myvnet2
+	address 144.76.0.1/32
+	up ip route add 144.76.200.65/32 dev myvnet2
+	up ip route add 144.76.200.66/32 dev myvnet2
+	bridge_ports none
+	bridge_stp off
+	bridge_fd 0
+	ip-forward on
diff --git a/test/zones/simple/hetzner/interfaces b/test/zones/simple/hetzner/interfaces
new file mode 100644
index 0000000..5ab9635
--- /dev/null
+++ b/test/zones/simple/hetzner/interfaces
@@ -0,0 +1,6 @@
+auto eth0
+iface eth0 inet static
+  address 144.76.0.1
+  netmask 255.255.255.255
+  pointopoint 172.31.1.1
+  gateway 172.31.1.1
\ No newline at end of file
diff --git a/test/zones/simple/hetzner/sdn_config b/test/zones/simple/hetzner/sdn_config
new file mode 100644
index 0000000..30773ca
--- /dev/null
+++ b/test/zones/simple/hetzner/sdn_config
@@ -0,0 +1,34 @@
+{
+  version => 1,
+  vnets   => {
+               ids => {
+                        myvnet => { type => "vnet", zone => "myzone" },
+                        myvnet2 => { type => "vnet", zone => "myzone" },
+                      },
+             },
+  zones   => {
+               ids => { myzone => { ipam => "pve", type => "simple" } },
+             },
+
+  subnets => {
+                ids => {
+                        'myzone-144.76.100.64-29' => {
+                                                        'type' => 'subnet',
+                                                        'vnet' => 'myvnet',
+                                                        'gateway' => '144.76.100.65',
+                                                },
+                        'myzone-144.76.200.65-32' => {
+                                                        'type' => 'subnet',
+                                                        'vnet' => 'myvnet2',
+                                                        'gateway' => '144.76.0.1',
+                                                },
+                        'myzone-144.76.200.66-32' => {
+                                                        'type' => 'subnet',
+                                                        'vnet' => 'myvnet2',
+                                                        'gateway' => '144.76.0.1',
+                                                },
+                }
+             }
+}
+
+
diff --git a/test/zones/simple/ipv4/expected_sdn_interfaces b/test/zones/simple/ipv4/expected_sdn_interfaces
index d84075d..06e43ad 100644
--- a/test/zones/simple/ipv4/expected_sdn_interfaces
+++ b/test/zones/simple/ipv4/expected_sdn_interfaces
@@ -6,3 +6,4 @@ iface myvnet
 	bridge_ports none
 	bridge_stp off
 	bridge_fd 0
+	ip-forward on
diff --git a/test/zones/simple/ipv4snat/expected_sdn_interfaces b/test/zones/simple/ipv4snat/expected_sdn_interfaces
index c822af1..69d7986 100644
--- a/test/zones/simple/ipv4snat/expected_sdn_interfaces
+++ b/test/zones/simple/ipv4snat/expected_sdn_interfaces
@@ -10,3 +10,4 @@ iface myvnet
 	bridge_ports none
 	bridge_stp off
 	bridge_fd 0
+	ip-forward on
diff --git a/test/zones/simple/ipv4v6/expected_sdn_interfaces b/test/zones/simple/ipv4v6/expected_sdn_interfaces
new file mode 100644
index 0000000..34ed5db
--- /dev/null
+++ b/test/zones/simple/ipv4v6/expected_sdn_interfaces
@@ -0,0 +1,11 @@
+#version:1
+
+auto myvnet
+iface myvnet
+	address 192.168.0.1/24
+	address 2a08:2142:302:3::1/64
+	bridge_ports none
+	bridge_stp off
+	bridge_fd 0
+	ip-forward on
+	ip6-forward on
diff --git a/test/zones/simple/ipv4v6/interfaces b/test/zones/simple/ipv4v6/interfaces
new file mode 100644
index 0000000..68b6a88
--- /dev/null
+++ b/test/zones/simple/ipv4v6/interfaces
@@ -0,0 +1,5 @@
+auto vmbr0
+iface vmbr0 inet manual
+        bridge-ports eth0
+        bridge-stp off
+        bridge-fd 0
diff --git a/test/zones/simple/ipv4v6/sdn_config b/test/zones/simple/ipv4v6/sdn_config
new file mode 100644
index 0000000..b8ed848
--- /dev/null
+++ b/test/zones/simple/ipv4v6/sdn_config
@@ -0,0 +1,27 @@
+{
+  version => 1,
+  vnets   => {
+               ids => {
+                        myvnet => { type => "vnet", zone => "myzone" },
+                      },
+             },
+  zones   => {
+               ids => { myzone => { ipam => "pve", type => "simple" } },
+             },
+  subnets => {
+		ids => {
+			'myzone-192.168.0.0-24' => {
+							'type' => 'subnet',
+							'vnet' => 'myvnet',
+							'gateway' => '192.168.0.1',
+						},
+			'myzone-2a08:2142:302:3::-64' => {
+							'type' => 'subnet',
+							'vnet' => 'myvnet',
+							'gateway' => '2a08:2142:302:3::1',
+							}
+		}
+             }
+}
+
+
diff --git a/test/zones/simple/ipv6snat/expected_sdn_interfaces b/test/zones/simple/ipv6snat/expected_sdn_interfaces
new file mode 100644
index 0000000..d3adc24
--- /dev/null
+++ b/test/zones/simple/ipv6snat/expected_sdn_interfaces
@@ -0,0 +1,13 @@
+#version:1
+
+auto myvnet
+iface myvnet
+	address 2a08:2142:302:3::1/64
+	post-up ip6tables -t nat -A POSTROUTING -s '2a08:2142:302:3::/64' -o vmbr0 -j SNAT --to-source 192.168.0.1
+	post-down ip6tables -t nat -D POSTROUTING -s '2a08:2142:302:3::/64' -o vmbr0 -j SNAT --to-source 192.168.0.1
+	post-up ip6tables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
+	post-down ip6tables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1
+	bridge_ports none
+	bridge_stp off
+	bridge_fd 0
+	ip6-forward on
diff --git a/test/zones/simple/ipv6snat/interfaces b/test/zones/simple/ipv6snat/interfaces
new file mode 100644
index 0000000..66bb826
--- /dev/null
+++ b/test/zones/simple/ipv6snat/interfaces
@@ -0,0 +1,7 @@
+auto vmbr0
+iface vmbr0 inet static
+	address 192.168.0.1/24
+	gateway 192.168.0.254
+        bridge-ports eth0
+        bridge-stp off
+        bridge-fd 0
diff --git a/test/zones/simple/ipv6snat/sdn_config b/test/zones/simple/ipv6snat/sdn_config
new file mode 100644
index 0000000..bc38527
--- /dev/null
+++ b/test/zones/simple/ipv6snat/sdn_config
@@ -0,0 +1,24 @@
+{
+  version => 1,
+  vnets   => {
+               ids => {
+                        myvnet => { type => "vnet", zone => "myzone" },
+                      },
+             },
+  zones   => {
+               ids => { myzone => { ipam => "pve", type => "simple" } },
+             },
+
+  subnets => {
+                ids => {
+                        'myzone-2a08:2142:302:3::-64' => {
+                                                        'type' => 'subnet',
+                                                        'vnet' => 'myvnet',
+                                                        'gateway' => '2a08:2142:302:3::1',
+							'snat'	=> 1
+                                                        }
+                }
+             }
+}
+
+
-- 
2.20.1




