conlink 2.0.3 → 2.1.0

package/.github/workflows/push.yml

@@ -13,5 +13,12 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
 
-      - name: stub step
-        run: "echo stub stub"
+      - name: npm install
+        run: npm install
+
+      - name: compose build of conlink
+        run: docker compose -f examples/test1-compose.yaml build
+
+      - name: "./run-tests.sh"
+        timeout-minutes: 5
+        run: time ./run-tests.sh

package/Dockerfile

@@ -24,11 +24,11 @@ FROM node:16-slim as run
 RUN apt-get -y update
 # Runtime deps and utilities
 RUN apt-get -y install libpcap-dev tcpdump iproute2 iputils-ping curl \
-                       iptables bridge-utils \
+                       iptables bridge-utils ethtool \
                        openvswitch-switch openvswitch-testcontroller
 
 COPY --from=build /app/ /app/
-ADD link-add.sh link-del.sh /app/
+ADD link-add.sh link-del.sh link-mirred.sh /app/
 ADD schema.yaml /app/build/
 
 ENV PATH /app:$PATH

package/README.md

@@ -13,6 +13,8 @@ General:
 Other:
 * For Open vSwtich (OVS) bridging, the `openvswitch` kernel module
   must loaded on the host system (where docker engine is running).
+* For patch connections (`bridge: patch`), the kernel must support
+  tc qdisc mirred filtering via the `act_mirred` kernel module.
 * For podman usage (e.g. second part of `test3`), podman is required.
 * For remote connections/links (e.g. `test5`), the `geneve` (and/or
   `vxlan`) kernel module must be loaded on the host system (where
@@ -44,17 +46,28 @@ will also be required for the conlink container. In particular, if the
 container uses systemd, then it will likely use `SYS_NICE` and
 `NET_BROADCAST` and conlink will likewise need those capabilities.
 
-### Bridging: Open vSwtich/OVS or Linux bridge
-
-Conlink creates bridges/switches and connects veth container links to
-those bridges (specified by `bridge:` in the link specification).
-By default, conlink will attempt to create Open vSwitch/OVS bridges
-for these connections, however, if the kernel does not provide support
-(`openvswitch` kernel module loaded), then conlink will fallback to
-using standard Linux bridges. The fallback behavior can be changed by
-setting the `--bridge-mode` option to either "ovs" or "linux". If the
-bridge mode is set to "ovs" then conlink will fail to start if the
-`openvswitch` kernel module is not detected.
+### Bridging: Open vSwtich/OVS, Linux bridge, and patch
+
+Conlink connects container veth links together via a bridge or via a
+direct patch. All veth type links must have a `bridge` property that
+defines which links will be connected together (i.e. the same
+broadcast domain). The default bridge mode is defined by the
+`--default-bridge-mode` parameter and defaults to "auto". If a bridge
+is set to mode "auto" then conlink will check if the kernel has the
+`openvswitch` kernel module loaded and if so it will create an Open
+vSwitch/OVS bridge/switch for that bridge, otherwise it will create a
+regular Linux bridge (e.g. brctl). If any bridges are explicitly
+defined with an "ovs" mode and the kernel does not have support then
+conlink will stop/error on startup.
+
+The "patch" mode will connect two links together using tc qdisc
+ingress filters. This type connection is equivalent to a patch panel
+("bump-in-the-wire") connection and all traffic will be passed between
+the two links unchanged unlike Linux and OVS bridges which typically
+block certain bridge control broadcast traffic). The primary downside
+of "patch" connections is that they limited to two links whereas "ovs"
+and "linux" bridge modes can support many links connected into the
+same bridge (broadcast domain).
 
 ## Network Configuration Syntax
 
@@ -122,6 +135,21 @@ than the MTU of the parent (outer-dev) device.
 For the `netem` property, refer to the `netem` man page. The `OPTIONS`
 grammar defines the valid strings for the `netem` property.
 
+### Bridges
+
+The bridge settings currently only support the "mode" setting. If
+the mode is not specified in this section or the section is omitted
+entirely, then bridges specified in the links configuration will
+default to the value of the `--default-bridge-mode` parameter (which
+itself defaults to "auto").
+
+The following table describes the bridge properties:
+
+| property  | format  | description                    |
+|-----------|---------|--------------------------------|
+| bridge    | string  | conlink bridge / domain name   |
+| mode      | string  | auto, ovs, or linux            |
+
 ### Tunnels
 
 Tunnels links/interfaces will be created and attached to the specified
@@ -476,6 +504,19 @@ Note: to connect to the vlan node (NODE2_HOST_ADDRESS) you will need
 to configure your physical switch/router with routing/connectivity to
 VLAN 5 on the same physical link to your host.
 
+### test9: bridge modes
+
+This example demonstrates the supported bridge modes.
+
+Start the test9 compose configuration using different bridge modes and
+validate connectivity using ping:
+
+```
+export BRIDGE_MODE="linux"  # "ovs", "patch", "auto"
+docker-compose -f examples/test9-compose.yaml up --build --force-recreate
+docker-compose -f examples/test9-compose.yaml exec node ping 10.0.1.2
+```
+
 ## GraphViz network configuration rendering
 
 You can use d3 and GraphViz to create a visual graph rendering of

package/examples/test4-multiple/modes/web/compose.yaml

@@ -1,5 +1,10 @@
 version: "2.4"
 
+services:
+  r0:
+    volumes:
+      - ./scripts:/scripts
+
 x-network:
   commands:
     - {service: r0, command: "python3 -m http.server 80"}

package/examples/test9-compose.yaml

@@ -0,0 +1,32 @@
+# This file demonstrates using different bridge modes and
+# usage of the --default-brige-mode parameter.
+
+version: "2.4"
+
+services:
+  network:
+    build: {context: ../}
+    image: conlink
+    pid: host
+    network_mode: none
+    cap_add: [SYS_ADMIN, NET_ADMIN, SYS_NICE, NET_BROADCAST, IPC_LOCK]
+    security_opt: [ 'apparmor:unconfined' ] # needed on Ubuntu 18.04
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/lib/docker:/var/lib/docker
+      - ./:/test
+    environment:
+      - BRIDGE_MODE
+    command: /app/build/conlink.js --default-bridge-mode linux --compose-file /test/test9-compose.yaml
+
+  node:
+    image: alpine
+    network_mode: none
+    scale: 2
+    command: sleep Infinity
+
+x-network:
+  links:
+    - {bridge: s1, service: node, ip: 10.0.1.1/24}
+  bridges:
+    - {bridge: s1, mode: "${BRIDGE_MODE:-auto}"}

package/link-mirred.sh

@@ -0,0 +1,114 @@
+#!/bin/bash
+
+# Copyright (c) 2024, Equinix, Inc
+# Licensed under MPL 2.0
+
+set -e
+
+usage () {
+  echo >&2 "${0} [OPTIONS] INTF0 INTF1"
+  echo >&2 ""
+  echo >&2 "Create traffic mirror/redirect between INTF0 and INTF1."
+  echo >&2 ""
+  echo >&2 "Positional arguments:"
+  echo >&2 "  INTF0 is the first interface name"
+  echo >&2 "  INTF1 is the second interface name"
+  echo >&2 ""
+  echo >&2 "INTF0 must exist, but if INTF1 is missing, then exit with 0."
+  echo >&2 "Each interface will be checked for correct ingress/mirred config"
+  echo >&2 "and configured if the configuration is missing."
+  echo >&2 "These two aspect make this script idempotent. It can be called"
+  echo >&2 "whenever either interface appears and when the second appears,"
+  echo >&2 "the mirror/redirect action will be setup fully/bidirectionally."
+  echo >&2 ""
+  echo >&2 "OPTIONS:"
+  echo >&2 "  --verbose                - Verbose output (set -x)"
+  exit 2
+}
+
+info() { echo "link-mirred [${LOG_ID}] ${*}"; }
+warn() { >&2 echo "link-mirred [${LOG_ID}] ${*}"; }
+die()  { warn "ERROR: ${*}"; exit 1; }
+
+# Idempotently add ingress qdisc to an interface
+add_ingress() {
+  local IF=$1 res=
+
+  res=$(tc qdisc show dev ${IF} 2>&1)
+  case "${res}" in
+    *"qdisc ingress ffff:"*)
+      info "${IF0} already has ingress qdisc"
+      ;;
+    ""|*"qdisc noqueue"*)
+      info "Adding ingress qdisc to ${IF}"
+      tc qdisc add dev "${IF}" ingress \
+        || die "Could not add ingress qdisc to ${IF}"
+      ;;
+    *)
+      die "${IF} has invalid ingress qdisc or could not be queried"
+      ;;
+  esac
+}
+
+# Idempotently add mirred filter redirect rule to an interface
+add_mirred() {
+  local IF0=$1 IF1=$2 res=
+
+  res=$(tc filter show dev ${IF0} parent ffff: 2>&1)
+  case "${res}" in
+    *"action order 1: mirred (Egress Redirect to device ${IF1}"*)
+      info "${IF0} already has filter redirect action"
+      ;;
+    "")
+      info "Adding filter redirect action from ${IF0} to ${IF1}"
+      tc filter add dev ${IF0} parent ffff: protocol all u32 match u8 0 0 action \
+        mirred egress redirect dev ${IF1} \
+        || die "Could not add filter redirect action from ${IF0} to ${IF1}"
+      ;;
+    *)
+      die "${IF0} has invalid filter redirect action or could not be queried"
+      ;;
+  esac
+}
+
+# Parse arguments
+VERBOSE=${VERBOSE:-}
+positional=
+while [ "${*}" ]; do
+  param=$1; OPTARG=$2
+  case ${param} in
+  --verbose)        VERBOSE=1 ;;
+  -h|--help)        usage ;;
+  *)                positional="${positional} $1" ;;
+  esac
+  shift
+done
+set -- ${positional}
+IF0=$1 IF1=$2
+
+[ "${VERBOSE}" ] && set -x || true
+
+# Sanity check arguments
+[ "${IF0}" -a "${IF1}" ] || usage
+
+LOG_ID="mirred ${IF0}:${IF1}"
+
+# Sanity checks
+if ! ip link show ${IF0} >/dev/null; then
+  die "${IF0} does not exist"
+fi
+if ! ip link show ${IF1} >/dev/null; then
+  info "${IF1} missing, exiting"
+  exit 0
+fi
+
+### Do the work
+
+info "Creating filter rediction action between ${IF0} and ${IF1}"
+
+add_ingress ${IF0}
+add_ingress ${IF1}
+add_mirred ${IF0} ${IF1}
+add_mirred ${IF1} ${IF0}
+
+info "Created filter rediction action between ${IF0} and ${IF1}"

package/mdc

@@ -17,6 +17,7 @@ LS=$(which ls)
 RESOLVE_DEPS="${RESOLVE_DEPS-./node_modules/@lonocloud/resolve-deps/resolve-deps.py}"
 DOCKER_COMPOSE="${DOCKER_COMPOSE:-docker-compose}"
 
+[ -f "${RESOLVE_DEPS}" ] || die "Missing ${RESOLVE_DEPS}. Perhaps 'npm install'?"
 MODE_SPEC="${1}"; shift
 if [ "${RESOLVE_DEPS}" ]; then
     MODES="$(${RESOLVE_DEPS} "${MODES_DIR}" ${MODE_SPEC})"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "conlink",
-  "version": "2.0.3",
+  "version": "2.1.0",
   "description": "conlink -  Declarative Low-Level Networking for Containers",
   "repository": "https://github.com/LonoCloud/conlink",
   "license": "SEE LICENSE IN LICENSE",

package/run-tests.sh

@@ -0,0 +1,191 @@
+#!/usr/bin/env bash
+
+export VERBOSE=${VERBOSE:-}
+export COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME:-conlink-test}
+declare TEST_NUM=0
+declare -A RESULTS
+declare PASS=0
+declare FAIL=0
+
+die() { echo >&2 "${*}"; exit 1; }
+vecho() { [ "${VERBOSE}" ] && echo "${*}" || true; }
+dc() { ${DOCKER_COMPOSE} "${@}"; }
+mdc() { ./mdc "${@}" || die "mdc invocation failed"; }
+
+# Determine compose command
+for dc in "docker compose" "docker-compose"; do
+  ${dc} version 2>/dev/null >&2 && DOCKER_COMPOSE="${dc}" && break
+done
+[ "${DOCKER_COMPOSE}" ] || die "No compose command found"
+echo >&2 "Using compose command '${DOCKER_COMPOSE}'"
+
+dc_init() {
+  local cont="${1}" idx="${2}"
+  dc down --remove-orphans -t1
+  dc up -d --force-recreate "${@}"
+  while ! dc logs network | grep "All links connected"; do
+    vecho "waiting for conlink startup"
+    sleep 1
+  done
+}
+
+dc_wait() {
+  local tries="${1}" cont="${2}" try=1 svc= idx= result=
+  case "${cont}" in
+      *_[0-9]|*_[0-9][0-9]) svc="${cont%_*}" idx="${cont##*_}" ;;
+      *)                    svc="${cont}"    idx=1            ;;
+  esac
+  shift; shift
+
+  #echo "target: ${1}, service: ${svc}, index: ${idx}"
+  while true; do
+    result=0
+    if [ "${VERBOSE}" ]; then
+      vecho "Running: dc exec -T --index ${idx} ${svc} sh -c ${*}"
+      dc exec -T --index ${idx} ${svc} sh -c "${*}" || result=$?
+    else
+      dc exec -T --index ${idx} ${svc} sh -c "${*}" > /dev/null || result=$?
+    fi
+    [ "${result}" -eq 0 -o "${try}" -ge "${tries}" ] && break
+    echo "    command failed (${result}), sleeping 2s before retry (${try}/${tries})"
+    sleep 2
+    try=$(( try + 1 ))
+  done
+  return ${result}
+}
+
+dc_test() {
+  name="${TEST_NUM} ${GROUP}: ${@}"
+  TEST_NUM=$(( TEST_NUM + 1 ))
+  vecho "  > Running test: ${name}"
+  dc_wait 1 "${@}"
+  RESULTS["${name}"]=$?
+  if [ "${RESULTS["${name}"]}" = 0 ]; then
+    PASS=$(( PASS + 1 ))
+    vecho "  > PASS (0 for ${*})"
+  else
+    FAIL=$(( FAIL + 1 ))
+    echo "  > FAIL (${RESULTS[${name}]} for ${*})"
+  fi
+}
+
+
+echo -e "\n\n>>> test1: combined config"
+GROUP=test1
+echo "COMPOSE_FILE=examples/test1-compose.yaml" > .env
+dc_init || die "test1 startup failed"
+
+echo " >> Ping nodes from other nodes"
+dc_test h1 ping -c1 10.0.0.100
+dc_test h2 ping -c1 192.168.1.100
+dc_test h3 ping -c1 172.16.0.100
+
+echo -e "\n\n>>> test2: separate config and scaling"
+GROUP=test2
+echo "COMPOSE_FILE=examples/test2-compose.yaml" > .env
+dc_init || die "test2 startup failed"
+
+echo " >> Cross-node ping and ping the 'internet'"
+dc_test node_1 ping -c1 10.0.1.2
+dc_test node_2 ping -c1 10.0.1.1
+dc_test node_1 ping -c1 8.8.8.8
+dc_test node_2 ping -c1 8.8.8.8
+
+echo " >> Scale the nodes from 2 to 5"
+dc up -d --scale node=5
+dc_wait 10 node_5 'ip addr | grep "10\.0\.1\.5"' || die "test2 scale-up failed"
+echo " >> Ping the fifth node from the second"
+dc_test node_2 ping -c1 10.0.1.5
+
+
+echo -e "\n\n>>> test4: multiple compose / mdc"
+GROUP=test4
+export MODES_DIR=./examples/test4-multiple/modes
+
+mdc node1
+dc_init; dc_wait 10 r0_1 'ip addr | grep "10\.1\.0\.100"' \
+    || die "test4 node1 startup failed"
+echo " >> Ping the r0 router host from node1"
+dc_test node1_1 ping -c1 10.0.0.100
+
+mdc node1,nodes2
+dc_init; dc_wait 10 node2_2 'ip addr | grep "10\.2\.0\.2"' \
+    || die "test4 node1,nodes2 startup failed"
+echo " >> From both node2 replicas, ping node1 across the r0 router"
+dc_test node2_1 ping -c1 10.1.0.1
+dc_test node2_2 ping -c1 10.1.0.1
+echo " >> From node1, ping both node2 replicas across the r0 router"
+dc_test node1 ping -c1 10.2.0.1
+dc_test node1 ping -c1 10.2.0.2
+
+mdc all
+dc_init; dc exec -T r0 /scripts/wait.sh -t 10.0.0.100:80 \
+    || die "test4 all startup failed"
+echo " >> From node2, download from the web server in r0"
+dc_test node2_1 wget -O- 10.0.0.100
+dc_test node2_2 wget -O- 10.0.0.100
+
+
+echo -e "\n\n>>> test7: MAC, MTU, and NetEm settings"
+GROUP=test7
+echo "COMPOSE_FILE=examples/test7-compose.yaml" > .env
+
+dc_init; dc_wait 10 node_1 'ip addr | grep "10\.0\.1\.1"' \
+    || die "test7 startup failed"
+echo " >> Ensure MAC and MTU are set correctly"
+dc_test node_1 'ip link show eth0 | grep "ether 00:0a:0b:0c:0d:01"'
+dc_test node_2 'ip link show eth0 | grep "ether 00:0a:0b:0c:0d:02"'
+dc_test node_1 'ip link show eth0 | grep "mtu 4111"'
+dc_test node_2 'ip link show eth0 | grep "mtu 4111"'
+echo " >> Check for round-trip ping delay of 80ms"
+dc_test node_1 'ping -c2 10.0.1.2 | tail -n1 | grep "max = 80\."'
+
+
+echo -e "\n\n>>> test9: bridge modes and variable templating"
+echo "COMPOSE_FILE=examples/test9-compose.yaml" > .env
+
+echo -e "\n\n >> test9: bridge mode: auto"
+GROUP=test9-auto
+export BRIDGE_MODE=auto
+dc_init; dc_wait 10 node_1 'ip addr | grep "10\.0\.1\.1"' \
+    || die "test9 (auto) startup failed"
+echo " >> Check for round-trip ping connectivity (BRIDGE_MODE=auto)"
+dc_test node_1 'ping -c2 10.0.1.2'
+
+echo -e "\n\n >> test9: bridge mode: linux"
+GROUP=test9-linux
+export BRIDGE_MODE=linux
+dc_init; dc_wait 10 node_1 'ip addr | grep "10\.0\.1\.1"' \
+    || die "test9 (linux) startup failed"
+echo " >> Check for round-trip ping connectivity (BRIDGE_MODE=linux)"
+dc_test node_1 'ping -c2 10.0.1.2'
+
+echo -e "\n\n >> test9: bridge mode: patch"
+GROUP=test9-patch
+export BRIDGE_MODE=patch
+dc_init; dc_wait 10 node_1 'ip addr | grep "10\.0\.1\.1"' \
+    || die "test9 startup failed"
+echo " >> Ensure ingest filter rules exist (BRIDGE_MODE=patch)"
+dc_test network 'tc filter show dev node_1-eth0 parent ffff: | grep "action order 1: mirred"'
+echo " >> Check for round-trip ping connectivity (BRIDGE_MODE=patch)"
+dc_test node_1 'ping -c2 10.0.1.2'
+
+
+echo -e "\n\n>>> Cleaning up"
+dc down -t1 --remove-orphans
+rm -f .env
+
+if [ "${VERBOSE}" ]; then
+  for t in "${!RESULTS[@]}"; do
+    echo "RESULT: '${t}' -> ${RESULTS[${t}]}"
+  done
+fi
+
+if [ "${FAIL}" = 0 ]; then
+  echo -e "\n\n>>> ALL ${PASS} TESTS PASSED"
+  exit 0
+else
+  echo -e "\n\n>>> ${FAIL} TESTS FAILED, ${PASS} TESTS PASSED"
+  exit 1
+fi
+

package/schema.yaml

@@ -46,6 +46,13 @@ properties:
         mode:      {type: string}
         vlanid:    {type: number}
 
+  bridges:
+    type: array
+    items:
+      type: object
+      properties:
+        mode: {type: string, enum: [auto, ovs, linux, patch]}
+
   tunnels:
     type: array
     items:

package/src/conlink/core.cljs

@@ -27,7 +27,7 @@ General Options:
   -v, --verbose                     Show verbose output (stderr)
                                     [env: VERBOSE]
   --show-config                     Print loaded network config JSON and exit
-  --bridge-mode BRIDGE-MODE         Bridge mode (ovs, linux, or auto)
+  --default-bridge-mode BRIDGE-MODE Default bridge mode (ovs, linux, patch, or auto)
                                     to use for bridge/switch connections
                                     [default: auto] [env: CONLINK_BRIDGE_MODE]
   --network-file NETWORK-FILE...    Network config file
@@ -58,10 +58,12 @@ General Options:
 (def LINK-ADD-OPTS [:ip :mac :route :mtu :nat :netem :mode :vlanid :remote :vni])
 (def INTF-MAX-LEN 15)
 
-(def ctx (atom {:error #(apply Eprintln "ERROR:" %&)
-                :warn  #(apply Eprintln "WARNING:" %&)
-                :log   Eprintln
-                :info  list}))
+(def ctx (atom {:error        #(apply Eprintln "ERROR:" %&)
+                :warn         #(apply Eprintln "WARNING:" %&)
+                :log          Eprintln
+                :info         #(identity nil)
+                :kmod-ovs?    false
+                :kmod-mirred? false}))
 
 ;; Simple utility functions
 (defn json-str [obj]
@@ -94,12 +96,13 @@ General Options:
     net-cfg))
 
 (defn enrich-link
-  "Add default values to a link:
+  "Resolve bridge name to full bridge map.
+  Add default values to a link:
     - type: veth
     - dev: eth0
     - mtu: 9000 (for non *vlan type)
     - base: :conlink for veth type, :host for *vlan types, :local otherwise"
-  [{:as link :keys [type base bridge ip vlanid]}]
+  [{:as link :keys [type base bridge ip vlanid]} bridges]
   (let [type (keyword (or type "veth"))
         base-default (cond (= :veth type)     :conlink
                            (VLAN-TYPES type)  :host
@@ -110,18 +113,57 @@ General Options:
                {:type type
                 :dev  (get link :dev "eth0")
                 :base base}
+               (when bridge
+                 {:bridge (get bridges bridge)})
                (when (not (VLAN-TYPES type))
                  {:mtu  (get link :mtu 9000)}))]
     link))
 
+(defn enrich-bridge
+  "If bridge mode is :auto then return :ovs if the 'openvswitch' kernel module
+  is loaded otherwise fall back to :linux. Exit with an error if mode is :ovs
+  or :patch and the 'openvswitch' or 'act_mirred' kernel modules are not
+  loaded respectively."
+  [{:as bridge-opts :keys [bridge mode]}]
+  (let [{:keys [warn default-bridge-mode kmod-ovs? kmod-mirred?]} @ctx
+        mode (keyword (or mode default-bridge-mode))
+        _ (when (and (= :ovs mode) (not kmod-ovs?))
+            (fatal 1 (str "bridge " bridge " mode is 'ovs', "
+                          "but no 'openvswitch' kernel module loaded")))
+        _ (when (and (= :patch mode) (not kmod-mirred?))
+            (warn (str "bridge " bridge " mode is 'patch', "
+                       "but no 'act_mirred' kernel module loaded, "
+                       " assuming it will load when needed.")))
+        _ (when (and (= :auto mode) (not kmod-ovs?))
+            (warn (str "bridge " bridge " mode is 'auto', "
+                       " but no 'openvswitch' kernel module loaded, "
+                       " so falling back to 'linux'")))
+        mode (if (= :auto mode)
+              (if kmod-ovs? :ovs :linux)
+              mode)]
+    (assoc bridge-opts :mode mode)))
+
 (defn enrich-network-config
-  "Validate and update each link (enrich-link) and add
-  :containers and :services maps with restructured link and command
-  configuration to provide a more efficient structure for looking up
-  configuration later."
-  [{:as cfg :keys [links commands]}]
-  (let [links (vec (map enrich-link links))
-        cfg (merge cfg {:links links :containers {} :services {}})
+  "Validate and update each bridge (enrich-bridge) and link (enrich-link) and
+  add :bridges, :containers, and :services maps with restructured bridge, link,
+  and command configuration to provide a more efficient structure for looking
+  up configuration later."
+  [{:as cfg :keys [links commands bridges]}]
+  (let [bridge-map (reduce (fn [acc b] (assoc acc (:bridge b) b))
+                           {} bridges)
+        ;; Add bridges specified in links only
+        all-bridges (reduce (fn [bs b]
+                              (assoc bs b (get bs b {:bridge b})))
+                            bridge-map
+                            (keep :bridge links))
+        ;; Enrich each bridge
+        bridges (reduce (fn [bs [k v]] (assoc bs k (enrich-bridge v)))
+                        {} all-bridges)
+        links (mapv #(enrich-link % bridges) links)
+        cfg (merge cfg {:links links
+                        :bridges bridges
+                        :containers {}
+                        :services {}})
         rfn (fn [kind cfg {:as x :keys [container service]}]
               (cond-> cfg
                 container (update-in [:containers container kind] conjv x)
@@ -153,15 +195,17 @@ General Options:
                         "\nUser config:\n" (indent-pprint-str data "  "))
                       "\nValidation errors:\n" msg))))))
 
+
+;;; Runtime state related
+
 (defn gen-network-state
   "Generate network state/context from network configuration. Adds
   empty :devices map and :bridges map containing nil status for
   each bridge mentioned in the network config :links and :tunnels."
-  [{:keys [links tunnels]}]
-  (reduce (fn [state bridge]
-            (assoc-in state [:bridges bridge :status] nil))
-          {:devices {} :bridges {}}
-          (keep :bridge (concat links tunnels))))
+  [{:keys [links tunnels bridges]}]
+  {:devices {}
+   :bridges (into {} (for [[k v] bridges]
+                       [k (merge v {:status nil :links #{}})]))})
 
 (defn link-outer-dev
   "outer-dev format:
@@ -298,81 +342,127 @@ General Options:
           res (run cmd {:quiet true})]
     (and (= 0 (:code res)) (= kmod (trim (:stdout res))))))
 
-;;; Link and bridge commands
+;;; Bridge commands
 
 (defn check-no-bridge
   "Check that no bridge named 'bridge' is currently configured.
-  Bridge type is dependent on bridge-mode (:ovs or :linux). Exit with
+  Bridge type is dependent on mode (:ovs or :linux). Exit with
   error if the bridge already exists."
-  [bridge]
-  (P/let [{:keys [info bridge-mode]} @ctx
+  [{:keys [bridge mode]}]
+  (P/let [{:keys [info]} @ctx
           cmd (get {:ovs (str "ovs-vsctl list-ifaces " bridge)
-                    :linux (str "ip link show type bridge " bridge)}
-                   bridge-mode)
-          res (run cmd {:quiet true})]
-    (if (= 0 (:code res))
-      ;; TODO: maybe mark as :exists and use without cleanup
-      (fatal 1 (str "Bridge " bridge " already exists"))
-      (if (re-seq #"(does not exist|no bridge named)" (:stderr res))
-        true
-        (fatal 1 (str "Unable to run '" cmd "': " (:stderr res)))))))
+                    :linux (str "ip link show type bridge " bridge)
+                    :patch nil}
+                   mode)]
+    (if (not cmd)
+      true
+      (P/let [res (run cmd {:quiet true})]
+        (if (= 0 (:code res))
+          ;; TODO: maybe mark as :exists and use without cleanup
+          (fatal 1 (str "Bridge " bridge " already exists"))
+          (if (re-seq #"(does not exist|no bridge named)" (:stderr res))
+            true
+            (fatal 1 (str "Unable to run '" cmd "': " (:stderr res)))))))))
 
 
 (defn bridge-create
   "Create a bridge named 'bridge'.
-  Bridge type is dependent on bridge-mode (:ovs or :linux)."
-  [bridge]
-  (P/let [{:keys [info error bridge-mode]} @ctx
-          _ (info "Creating bridge/switch" bridge)
+  Bridge type is dependent on mode (:ovs or :linux)."
+  [{:keys [bridge mode]}]
+  (P/let [{:keys [info error]} @ctx
           cmd (get {:ovs (str "ovs-vsctl add-br " bridge)
-                    :linux (str "ip link add " bridge " up type bridge")}
-                   bridge-mode)
-          res (run cmd)]
-    (if (not= 0 (:code res))
-      (error (str "Unable to create bridge/switch " bridge))
-      (swap! ctx assoc-in [:network-state :bridges bridge :status] :created))
-    res))
+                    :linux (str "ip link add " bridge " up type bridge")
+                    :patch nil}
+                   mode)]
+    (if (not cmd)
+      (info (str "Ignoring bridge/switch " bridge " for mode " mode))
+      (P/let [_ (info "Creating bridge/switch" bridge)
+              res (run cmd)]
+        (if (not= 0 (:code res))
+          (error (str "Unable to create bridge/switch " bridge))
+          (swap! ctx assoc-in [:network-state :bridges bridge :status] :created))
+        true))))
 
 (defn bridge-del
   "Delete the bridge named 'bridge'.
-  Bridge type is dependent on bridge-mode (:ovs or :linux)."
-  [bridge]
-  (P/let [{:keys [info error bridge-mode]} @ctx
-          _ (info "Deleting bridge/switch" bridge)
+  Bridge type is dependent on mode (:ovs or :linux)."
+  [{:keys [bridge mode]}]
+  (P/let [{:keys [info error]} @ctx
           cmd (get {:ovs (str "ovs-vsctl del-br " bridge)
-                    :linux (str "ip link del " bridge)} bridge-mode)
-          res (run cmd)]
-    (if (not= 0 (:code res))
-      (error (str "Unable to delete bridge " bridge))
-      (swap! ctx assoc-in [:network-state :bridges bridge :status] nil))
-    res))
+                    :linux (str "ip link del " bridge)
+                    :patch nil} mode)]
+    (if (not cmd)
+      (info (str "Ignoring bridge/switch " bridge " for mode " mode))
+      (P/let [_ (info "Deleting bridge/switch" bridge)
+              res (run cmd)]
+        (if (not= 0 (:code res))
+          (error (str "Unable to delete bridge " bridge))
+          (swap! ctx assoc-in [:network-state :bridges bridge :status] nil))
+        true))))
 
 (defn bridge-add-link
   "Add the link/interface 'dev' to the bridge 'bridge'.
-  Bridge type is dependent on bridge-mode (:ovs or :linux)."
-  [bridge dev]
-  (P/let [{:keys [error bridge-mode]} @ctx
+  Bridge type is dependent on mode (:ovs or :linux)."
+  [{:keys [bridge mode]} dev]
+  (P/let [{:keys [error]} @ctx
           cmd (get {:ovs (str "ovs-vsctl add-port " bridge " " dev)
                     :linux (str "ip link set dev " dev " master " bridge)}
-                   bridge-mode)
+                   mode)
           res (run cmd)]
-    (when (not= 0 (:code res))
-      (error (str "Unable to add link " dev " into " bridge)))
-    res))
+    (if (= 0 (:code res))
+      (swap! ctx update-in [:network-state :bridges bridge :links] conj dev)
+      (error (str "Unable to add link " dev " into " bridge)))))
 
 (defn bridge-drop-link
   "Remove the link/interface 'dev' from the bridge 'bridge'.
-  Bridge type is dependent on bridge-mode (:ovs or :linux)."
-  [bridge dev]
-  (P/let [{:keys [error bridge-mode]} @ctx
+  Bridge type is dependent on mode (:ovs or :linux)."
+  [{:keys [bridge mode]} dev]
+  (P/let [{:keys [error]} @ctx
           cmd (get {:ovs (str "ovs-vsctl del-port " bridge " " dev)
                     :linux (str "ip link set dev " dev " nomaster")}
-                   bridge-mode)
+                   mode)
           res (run cmd)]
-    (when (not= 0 (:code res))
-      (error (str "Unable to drop link " dev " from " bridge)))
-    res))
+    (if (= 0 (:code res))
+      (swap! ctx update-in [:network-state :bridges bridge :links] disj dev)
+      (error (str "Unable to drop link " dev " from " bridge)))))
+
+(defn patch-add-link
+  "Setup patch between 'dev' and its peer link using tc qdisc mirred
+  filter action. Peer links are tracked in pseudo-bridge 'bridge'."
+  [{:keys [bridge mode]} dev]
+  (let [{:keys [info error]} @ctx
+        links-path [:network-state :bridges bridge :links]
+        links (get-in @ctx links-path)
+        peers (disj links dev)]
+    (condp = (count peers)
+      0
+      (P/do
+        (info (str "Registering first peer link "
+                   dev " in :patch 'bridge' " bridge))
+        (swap! ctx update-in links-path conj dev))
+
+      1
+      (P/let [cmd (str "link-mirred.sh " dev " " (first peers))
+              res (run cmd)]
+        (if (= 0 (:code res))
+          (swap! ctx update-in links-path conj dev)
+          (error (str "Failed to setup tc filter action for "
+                      dev " in :patch 'bridge' " bridge))))
+
+      (error "Cannot add third peer link "
+             dev " to :patch 'bridge' " bridge))))
 
+(defn patch-drop-link
+  "Remove tracking of 'dev' from pseudo-bridge 'bridge'."
+  [{:keys [bridge mode]} dev]
+  (let [{:keys [info error]} @ctx
+        links-path [:network-state :bridges bridge :links]]
+    (info (str "Removing peer link "
+               dev " from :patch 'bridge' " bridge))
+    ;; State is in the links, no extra cleanup
+    (swap! ctx update-in links-path conj dev)))
+
+;;; Link commands
 
 (defn link-add
   "Create a link/interface defined by 'link' in a container by calling
@@ -519,7 +609,10 @@ General Options:
         (P/do
           (swap! ctx assoc-in status-path :creating)
           (link-add link)
-          (when bridge (bridge-add-link bridge outer-dev))
+          (when bridge
+            (if (= :patch (:mode bridge))
+              (patch-add-link bridge outer-dev)
+              (bridge-add-link bridge outer-dev)))
           (swap! ctx assoc-in status-path :created)))
 
       "die"
@@ -527,7 +620,10 @@ General Options:
         (error (str "Link " dev-id " does not exist"))
         (P/do
           (swap! ctx assoc-in status-path :deleting)
-          (when bridge (bridge-drop-link bridge outer-dev))
+          (when bridge
+            (if (= :patch (:mode bridge))
+              (patch-drop-link bridge outer-dev)
+              (bridge-drop-link bridge outer-dev)))
           (link-del link)
           (swap! ctx assoc-in status-path nil))))))
 
@@ -635,7 +731,7 @@ General Options:
       (when (seq bridges)
         (P/do
           (log (str "Removing bridges: " (S/join ", " (keys bridges))))
-          (P/all (map bridge-del (keys bridges)))))
+          (P/all (map bridge-del (vals bridges)))))
       (js/process.exit 127))))
 
 
@@ -650,40 +746,6 @@ General Options:
   (when (empty? config-schema)
     (fatal 2 "Could not find config-schema" orig-config-schema)))
 
-(defn startup-checks
-  "Check startup state and return map of :bridge-mode, :docker, and
-  :podman. If bridge-mode is :auto then return :ovs if the
-  'openvswitch' kernel module is loaded otherwise fall back to :linux.
-  Exit with an error if bridge-mode is :ovs and the 'openvswitch'
-  kernel module is not loaded or if neither a docker or podman
-  connection could be established."
-  [{:keys [bridge-mode docker-socket podman-socket]}]
-  (P/let
-    [{:keys [info warn]} @ctx
-     ovs? (kmod-loaded? "openvswitch")
-     bridge-mode (condp = [bridge-mode ovs?]
-                   [:auto true]
-                   :ovs
-
-                   [:auto false]
-                   (do
-                     (warn (str "bridge-mode is 'auto' but no 'openvswitch' "
-                                "kernel module loaded, so using 'linux'"))
-                    :linux)
-
-                   [:ovs false]
-                   (fatal 1 (str "bridge-mode is 'ovs', but no 'openvswitch' "
-                                 "kernel module loaded"))
-
-                   bridge-mode)
-     docker (docker-client docker-socket)
-     podman (docker-client podman-socket)]
-    (when (and (not docker) (not podman))
-      (fatal 1 "Failed to start either docker or podman client/listener"))
-    {:bridge-mode bridge-mode
-     :docker docker
-     :podman podman}))
-
 (defn server
   "Process:
     - parse/validate command line options
@@ -692,7 +754,7 @@ General Options:
     - determine our own container ID and compose properties (if any)
     - generate runtime network state and other process context/state
     - install exit/cleanup handlers
-    - start/init openvswitch daemons/config (if :ovs bridge-mode)
+    - start/init openvswitch daemons/config (if any bridges use :ovs mode)
     - check that any defined bridges do not already exist
     - create any bridges defined in network config links
     - start listening/handling docker/podman container events
@@ -704,7 +766,7 @@ General Options:
      {:keys [log info]} (swap! ctx merge (when verbose {:info Eprintln}))
      opts (merge
             opts
-            {:bridge-mode (keyword (:bridge-mode opts))
+            {:default-bridge-mode (keyword (:default-bridge-mode opts))
              :orig-config-schema (:config-schema opts)
              :config-schema (resolve-path (:config-schema opts) SCHEMA-PATHS)
              :network-file (mapcat #(S/split % #":") (:network-file opts))
@@ -716,6 +778,11 @@ General Options:
      env (js->clj (js/Object.assign #js {} js/process.env))
      self-pid js/process.pid
      schema (load-config (:config-schema opts))
+     kmod-ovs? (kmod-loaded? "openvswitch")
+     kmod-mirred? (kmod-loaded? "act_mirred")
+     _ (swap! ctx merge {:default-bridge-mode (:default-bridge-mode opts)
+                         :kmod-ovs? kmod-ovs?
+                         :kmod-mirred? kmod-mirred?})
      network-config (P/-> (load-configs compose-file network-file)
                           (interpolate-walk env)
                           (check-schema schema verbose)
@@ -724,7 +791,11 @@ General Options:
          (println (js/JSON.stringify (->js network-config)))
          (js/process.exit 0))
 
-     {:keys [bridge-mode docker podman]} (startup-checks opts)
+     docker (docker-client (:docker-socket opts))
+     podman (docker-client (:podman-socket opts))
+     _ (when (and (not docker) (not podman))
+         (fatal 1 "Failed to start either docker or podman client/listener"))
+
      self-cid (get-container-id)
      self-container-obj (when self-cid
                           (get-container (or docker podman) self-cid))
@@ -733,8 +804,7 @@ General Options:
                     {:project compose-project}
                     (get-compose-labels self-container))
      network-state (gen-network-state network-config)
-     ctx-data {:bridge-mode bridge-mode
-               :network-config network-config
+     ctx-data {:network-config network-config
                :network-state network-state
                :compose-opts compose-opts
                :docker docker
@@ -749,7 +819,6 @@ General Options:
     (js/process.on "SIGTERM" #(exit-handler % "signal"))
     (js/process.on "uncaughtException" #(exit-handler %1 %2))
 
-    (log "Bridge mode:" (name bridge-mode))
     (log (str "Using schema at '" (:config-schema opts) "'"))
     (info (str "Starting network config\n"
                (indent-pprint-str network-config "  ")))
@@ -764,15 +833,16 @@ General Options:
       (when self-cid
         (rename-docker-eth0))
 
-      (when (= :ovs bridge-mode)
+      (when (some #(= :ovs (:mode %)) (-> network-config :bridges vals))
         (start-ovs))
 
       ;; Check that bridges/switches do not already exist
-      (P/all (for [bridge (-> network-state :bridges keys)]
+      (P/all (for [bridge (vals (:bridges network-state))]
                (check-no-bridge bridge)))
+
       ;; Create bridges/switch configs
       ;; TODO: should be done on-demand
-      (P/all (for [bridge (-> network-state :bridges keys)]
+      (P/all (for [bridge (vals (:bridges network-state))]
                (bridge-create bridge)))
 
       ;; Create tunnels configs