ifstate 1.9.0__tar.gz → 1.10.1__tar.gz

{ifstate-1.9.0 → ifstate-1.10.1}/PKG-INFO

@@ -1,21 +1,27 @@
 Metadata-Version: 2.1
 Name: ifstate
-Version: 1.9.0
+Version: 1.10.1
 Summary: Manage host interface settings in a declarative manner
 Home-page: https://ifstate.net/
 Author: Thomas Liske
 Author-email: thomas@fiasko-nw.net
 License: GPL3+
 Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: jsonschema
+Requires-Dist: pyroute2
+Requires-Dist: pyyaml
+Requires-Dist: setproctitle
 Provides-Extra: shell
+Requires-Dist: pygments; extra == "shell"
 Provides-Extra: wireguard
-License-File: LICENSE
+Requires-Dist: wgnlpy; extra == "wireguard"
 
 # IfState
 
 [![PyPI version](https://badge.fury.io/py/ifstate.svg)](https://badge.fury.io/py/ifstate)
 
-A python library to configure (linux) host interfaces in a declarative manner.
+A python tool to configure (linux) host interfaces in a declarative manner.
 It is a frontend for the kernel netlink protocol using
 [pyroute2](https://pyroute2.org/) and aims to be as powerful as the
 iproute2/bridge/ethtool/tc/wireguard commands.

{ifstate-1.9.0 → ifstate-1.10.1}/README.md

@@ -2,7 +2,7 @@
 
 [![PyPI version](https://badge.fury.io/py/ifstate.svg)](https://badge.fury.io/py/ifstate)
 
-A python library to configure (linux) host interfaces in a declarative manner.
+A python tool to configure (linux) host interfaces in a declarative manner.
 It is a frontend for the kernel netlink protocol using
 [pyroute2](https://pyroute2.org/) and aims to be as powerful as the
 iproute2/bridge/ethtool/tc/wireguard commands.

{ifstate-1.9.0 → ifstate-1.10.1}/ifstate.egg-info/PKG-INFO

@@ -1,21 +1,27 @@
 Metadata-Version: 2.1
 Name: ifstate
-Version: 1.9.0
+Version: 1.10.1
 Summary: Manage host interface settings in a declarative manner
 Home-page: https://ifstate.net/
 Author: Thomas Liske
 Author-email: thomas@fiasko-nw.net
 License: GPL3+
 Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: jsonschema
+Requires-Dist: pyroute2
+Requires-Dist: pyyaml
+Requires-Dist: setproctitle
 Provides-Extra: shell
+Requires-Dist: pygments; extra == "shell"
 Provides-Extra: wireguard
-License-File: LICENSE
+Requires-Dist: wgnlpy; extra == "wireguard"
 
 # IfState
 
 [![PyPI version](https://badge.fury.io/py/ifstate.svg)](https://badge.fury.io/py/ifstate)
 
-A python library to configure (linux) host interfaces in a declarative manner.
+A python tool to configure (linux) host interfaces in a declarative manner.
 It is a frontend for the kernel netlink protocol using
 [pyroute2](https://pyroute2.org/) and aims to be as powerful as the
 iproute2/bridge/ethtool/tc/wireguard commands.

{ifstate-1.9.0 → ifstate-1.10.1}/ifstate.egg-info/SOURCES.txt

@@ -20,6 +20,7 @@ libifstate/bpf/__init__.py
 libifstate/bpf/ctypes.py
 libifstate/bpf/map.py
 libifstate/brport/__init__.py
+libifstate/fdb/__init__.py
 libifstate/link/__init__.py
 libifstate/link/base.py
 libifstate/link/physical.py

{ifstate-1.9.0 → ifstate-1.10.1}/libifstate/__init__.py

@@ -1,11 +1,14 @@
 from libifstate.exception import LinkDuplicate
 from libifstate.link.base import ethtool_path, Link
 from libifstate.address import Addresses
+from libifstate.fdb import FDB
 from libifstate.neighbour import Neighbours
 from libifstate.routing import Tables, Rules, RTLookups
 from libifstate.parser import Parser
 from libifstate.tc import TC
 from libifstate.exception import netlinkerror_classes
+import bisect
+import pyroute2
 
 from pyroute2.netlink.rtnl.ifaddrmsg import IFA_F_PERMANENT
 try:
@@ -39,11 +42,12 @@ from copy import deepcopy
 import os
 import pkgutil
 import re
+import secrets
 import json
 import errno
 import logging
 
-__version__ = "1.9.0"
+__version__ = "1.10.1"
 
 
 class IfState():
@@ -119,8 +123,13 @@ class IfState():
         self._update(self.root_netns, ifstates)
         if 'namespaces' in ifstates:
             self.namespaces = {}
+            self.new_namespaces = []
             for netns_name, netns_ifstates in ifstates['namespaces'].items():
+                is_new = netns_name not in pyroute2.netns.listnetns()
                 self.namespaces[netns_name] = NetNameSpace(netns_name)
+                if is_new:
+                    self.new_namespaces.append(netns_name)
+                    self.link_registry.inventory_netns(self.namespaces[netns_name])
                 self._update(self.namespaces[netns_name], netns_ifstates)
 
     def _update(self, netns, ifstates):
@@ -128,10 +137,13 @@ class IfState():
         if 'options' in ifstates:
             # parse global sysctl settings
             if 'sysctl' in ifstates['options']:
-                for iface in ['all', 'default']:
-                    if iface in ifstates['options']['sysctl']:
+                for proto in  ifstates['options']['sysctl'].keys():
+                    if proto in ['all', 'default']:
                         netns.sysctl.add(
-                            iface, ifstates['options']['sysctl'][iface])
+                            proto, ifstates['options']['sysctl'][proto])
+                    else:
+                        netns.sysctl.add_global(
+                            proto, ifstates['options']['sysctl'][proto])
 
         # load BPF programs
         if 'bpf' in ifstates:
@@ -168,6 +180,11 @@ class IfState():
             elif defaults.get('clear_addresses', False):
                 netns.addresses[name] = Addresses(netns, name, [])
 
+            if 'fdb' in ifstate:
+                netns.fdb[name] = FDB(netns, name, ifstate['fdb'])
+            elif defaults.get('clear_fdb', False):
+                netns.fdb[name] = FDB(netns, name, [])
+
             if 'neighbours' in ifstate:
                 netns.neighbours[name] = Neighbours(netns, name, ifstate['neighbours'])
             elif defaults.get('clear_neighbours', False):
@@ -363,7 +380,7 @@ class IfState():
                         raise LinkCircularLinked()
 
                 # can be done right away
-                r.append(t)
+                r.append( sorted(t) )
                 # and cleaned up
                 d=dict(((k, v-t) for k, v in d.items() if v))
             return r
@@ -404,7 +421,7 @@ class IfState():
 
         # create and destroy namespaces to match config
         if not by_vrrp and self.namespaces is not None:
-            prepare_netns(do_apply, self.namespaces.keys())
+            prepare_netns(do_apply, self.namespaces.keys(), self.new_namespaces)
             logger.info("")
 
         # get link dependency tree
@@ -459,7 +476,7 @@ class IfState():
         # create/modify links in order of dependencies
         logger.info("configure interfaces...")
         for stage in stages:
-            for link_dep in sorted(stage):
+            for link_dep in stage:
                 logger.info(" {}".format(link_dep))
                 if link_dep.netns is None:
                     self._apply_iface(do_apply, self.root_netns, link_dep.ifname, by_vrrp, vrrp_type, vrrp_name, vrrp_state)
@@ -490,6 +507,13 @@ class IfState():
                     logger.info("configure sysctl settings...")
                     had_sysctl = True
                 netns.sysctl.apply(iface, do_apply)
+
+        if netns.sysctl.has_globals():
+            if not had_sysctl:
+                logger.info("configure sysctl settings...")
+                had_sysctl = True
+            netns.sysctl.apply_globals(do_apply)
+
         return had_sysctl
 
     def _apply_iface(self, do_apply, netns, ifname, by_vrrp, vrrp_type, vrrp_name, vrrp_state):
@@ -534,6 +558,9 @@ class IfState():
             netns.addresses[ifname].apply(self.ipaddr_ignore, self.ignore.get(
                 'ipaddr_dynamic', True), do_apply)
 
+        if ifname in netns.fdb:
+            netns.fdb[ifname].apply(do_apply)
+
         if ifname in netns.neighbours:
             netns.neighbours[ifname].apply(do_apply)
 
@@ -645,12 +672,23 @@ class IfState():
                             ifs_link['link'][attr] = ref
 
                 mtu = ipr_link.get_attr('IFLA_MTU')
-                if not mtu is None and not mtu in [1500, 65536]:
-                    ifs_link['link']['mtu'] = mtu
+                if not mtu is None:
+                    if not mtu in [1500, 65536] or name == 'lo':
+                        ifs_link['link']['mtu'] = mtu
 
                 brport.BRPort.show(netns.ipr, showall, ipr_link['index'], ifs_link)
 
-                ifs_links.append(ifs_link)
+                if name == 'lo':
+                    if ifs_link['addresses'] == Parser._default_lo_link['addresses']:
+                        del(ifs_link['addresses'])
+
+                    if ifs_link['link'] == Parser._default_lo_link['link']:
+                        del(ifs_link['link'])
+
+                    if len(ifs_link) > 1:
+                        ifs_links.append(ifs_link)
+                else:
+                    ifs_links.append(ifs_link)
 
         routing = {
             'routes': Tables(netns).show_routes(Parser._default_ifstates['ignore']['routes_builtin']),
@@ -659,7 +697,6 @@ class IfState():
 
         return {**{'interfaces': ifs_links, 'routing': routing}}
 
-
     def get_defaults(self, **kwargs):
         for default in self.defaults:
             for match in default['match']:
@@ -675,3 +712,13 @@ class IfState():
                     return default
 
         return {}
+
+    def gen_unique_ifname(self):
+        '''
+        Get a random unique ifname over all namespaces and configured ifnames.
+        '''
+        while True:
+            ifname = "ifs.tmp.{}".format(secrets.token_hex(3))
+            item = self.link_registry.get_link(ifname=ifname)
+            if item is None:
+                return ifname

ifstate-1.10.1/libifstate/fdb/__init__.py

@@ -0,0 +1,174 @@
+from libifstate.util import logger, IfStateLogging
+from libifstate.exception import netlinkerror_classes
+from ipaddress import ip_address
+from pyroute2.netlink.rtnl.ndmsg import NUD_NOARP, NUD_PERMANENT, NTF_SELF
+from pyroute2.config import AF_BRIDGE
+import pyroute2.netlink.rtnl.ndmsg
+
+class FDB():
+    def __init__(self, netns, iface, fdb):
+        self.netns = netns
+        self.iface = iface
+        self.fdb = {}
+        self.state_mask = NUD_NOARP|NUD_PERMANENT
+
+        for entry in fdb:
+            lladdr = entry['lladdr'].lower()
+            _entry = {
+                'lladdr': lladdr,
+            }
+
+            if 'port' not in entry:
+                _entry['port'] = 8472
+            else:
+                _entry['port'] = entry['port']
+
+            if 'dst' in entry:
+                _entry['dst'] = str(ip_address(entry['dst']))
+
+            if 'state' in entry:
+                _entry['state'] = 0
+                for name, value in pyroute2.netlink.rtnl.ndmsg.states.items():
+                    if name in entry['state']:
+                        _entry['state'] |= value
+
+            if 'flags' in entry:
+                _entry['flags'] = 0
+                for name, value in pyroute2.netlink.rtnl.ndmsg.flags.items():
+                    if name in entry['flags']:
+                        _entry['flags'] |= value
+            else:
+                _entry['flags'] = NTF_SELF
+
+            for opt in ['nhid', 'src_vni', 'vni']:
+                if opt in entry:
+                    _entry[opt] = entry[opt]
+
+            if not lladdr in self.fdb:
+                self.fdb[lladdr] = [_entry]
+            else:
+                self.fdb[lladdr].append(_entry)
+
+    def get_kernel_fdb(self):
+        # get fdb entries (NUD_NOARP|NUD_PERMANENT)
+        fdb = {}
+        for entry in self.netns.ipr.get_neighbours(ifindex=self.idx, family=AF_BRIDGE):
+            state = entry.get('state')
+
+            # look for permanent (local) or noarp (static) entries, only
+            if not state & self.state_mask:
+                continue
+
+            lladdr = entry.get_attr('NDA_LLADDR')
+            _entry = {
+                'lladdr': lladdr,
+                'state': state,
+                'flags': entry.get('flags')
+            }
+
+            attr = entry.get_attr('NDA_DST')
+            if attr is not None:
+                _entry['dst'] = str(ip_address(attr))
+
+            attr = entry.get_attr('NDA_PORT')
+            if attr is None or attr == 0:
+                _entry['port'] = 8472
+            else:
+                _entry['port'] = attr
+
+            for opt in ['nhid', 'src_vni', 'vni']:
+                attr = entry.get_attr(f"NDA_{opt.upper()}")
+                if attr is not None:
+                    _entry[opt] = attr
+
+            if not lladdr in fdb:
+                fdb[lladdr] = [_entry]
+            else:
+                fdb[lladdr].append(_entry)
+
+        return fdb
+
+    def apply(self, do_apply):
+        logger.debug('getting fdb', extra={'iface': self.iface})
+
+        # get ifindex and lladdr
+        link = next(iter(self.netns.ipr.get_links(ifname=self.iface)), None)
+
+        if link == None:
+            logger.warning('link missing', extra={'iface': self.iface})
+            return
+
+        self.idx = link['index']
+        self.lladdr = link.get_attr('IFLA_ADDRESS')
+
+        # prepare default state for entries w/o state specified (depends on link type)
+        default_state = NUD_PERMANENT
+
+        linkinfo = link.get_attr('IFLA_LINKINFO')
+        if linkinfo and linkinfo.get_attr('IFLA_INFO_KIND') in ['vxlan']:
+            default_state |= NUD_NOARP
+
+        # configure fdb entries
+        ipr_entries = self.get_kernel_fdb()
+        for lladdr, entries in self.fdb.items():
+            for entry in entries:
+                # set default_state if missing
+                if not 'state' in entry:
+                    entry['state'] = default_state
+
+                # check if fdb entry is already present
+                if lladdr in ipr_entries:
+                    if entry in ipr_entries[lladdr]:
+                        logger.log_ok('fdb', '= {}'.format(lladdr))
+                        continue
+
+                # fdb entry needs to be added
+                logger.log_add('fdb', '+ {}'.format(lladdr))
+
+                # prepare arguments
+                args = {
+                    'ifindex': self.idx,
+                    'family': AF_BRIDGE
+                }
+                args.update(entry)
+                logger.debug("bridge fdb append: {}".format(
+                    " ".join("{}={}".format(k, v) for k, v in args.items())))
+
+                if do_apply:
+                    try:
+                        self.netns.ipr.fdb("append", **args)
+                    except Exception as err:
+                        if not isinstance(err, netlinkerror_classes):
+                            raise
+                        logger.warning('add {} to fdb failed: {}'.format(
+                            entry['lladdr'], err.args[1]))
+
+        # cleanup orphan fdb entries
+        ipr_entries = self.get_kernel_fdb()
+        for lladdr, entries in ipr_entries.items():
+            # ignore lladdr of the link
+            if lladdr == self.lladdr:
+                continue
+
+            for entry in entries:
+                # check if fdb entry is already present
+                if lladdr not in self.fdb or entry not in self.fdb[lladdr]:
+                    logger.log_del('fdb', '- {}'.format(lladdr))
+
+                    # prepare arguments
+                    args = {
+                        'ifindex': self.idx,
+                        'family': AF_BRIDGE
+                    }
+                    args.update(entry)
+                    logger.debug("bridge fdb del: {}".format(
+                        " ".join("{}={}".format(k, v) for k, v in args.items())))
+
+                    if do_apply:
+                        try:
+                            self.netns.ipr.fdb("del", **args)
+                        except Exception as err:
+                            if not isinstance(err, netlinkerror_classes):
+                                raise
+                            logger.warning('remove {} from fdb failed: {}'.format(
+                                entry['lladdr'], err.args[1]))

{ifstate-1.9.0 → ifstate-1.10.1}/libifstate/link/base.py

@@ -80,6 +80,21 @@ class Link(ABC):
     attr_value_lookup = {
         'group': RTLookups.group,
     }
+    attr_bind_kinds = [
+        'ip6tnl',
+        'tun',
+        'vti',
+        'vti6',
+        'vxlan',
+        'ipip',
+        'gre',
+        'gretap',
+        'ip6gre',
+        'ip6gretap',
+        'geneve',
+        'wireguard',
+        'xfrm',
+    ]
 
     def __new__(cls, *args, **kwargs):
         cname = cls.__name__
@@ -170,6 +185,20 @@ class Link(ABC):
                                    extra={'iface': self.settings['ifname'], 'netns': self.netns})
                     del(self.settings[attr])
 
+        if self.settings['kind'] in self.attr_bind_kinds:
+            if not 'bind_netns' in self.settings:
+                logger.debug('set bind_netns to current netns',
+                             extra={'iface': self.settings['ifname'], 'netns': self.netns})
+                self.bind_netns = self.netns.netns
+            else:
+                self.bind_netns = self.settings['bind_netns']
+        elif 'bind_netns' in self.settings:
+            logger.warning('Ignoring not supported link attribute "bind_netns" for %s link.',
+                           self.settings['kind'],
+                           extra={'iface': self.settings['ifname'], 'netns': self.netns})
+        if 'bind_netns' in self.settings:
+            del(self.settings['bind_netns'])
+
     def search_link_registry(self):
         for args in self.link_registry_search_args:
             item = self.ifstate.link_registry.get_link(**args)
@@ -317,9 +346,61 @@ class Link(ABC):
             try:
                 with open(fn, 'w') as fh:
                     yaml.dump(self.ethtool[setting], fh)
-            except Exception as err:
+            except IOError as err:
                 logger.warning('failed write `{}`: {}'.format(fn, err.args[1]))
 
+    def get_bind_fn(self, netns_name, idx):
+        if netns_name is None:
+            dirname = "/run/ifstate/bind"
+        else:
+            dirname = "/run/ifstate/netns/{}/bind".format(netns_name)
+
+        try:
+            os.makedirs(dirname, exist_ok=True)
+        except:
+            pass
+
+        return "{}/{}.mount".format(dirname, idx)
+
+    def set_bind_state(self, state):
+        fn = self.get_bind_fn(self.netns.netns, self.idx)
+        try:
+            with open(fn, 'wb') as fh:
+                fh.write(state)
+        except IOError as err:
+            logger.warning('failed write `{}`: {}'.format(fn, err.args[1]))
+
+    def get_bind_netns(self):
+        if not hasattr(self, 'bind_netns'):
+            return None
+
+        if self.bind_netns is None:
+            return self.ifstate.root_netns
+
+        return self.ifstate.namespaces.get(self.bind_netns)
+
+    def bind_needs_recreate(self, item):
+        if not item.attributes['kind'] in self.attr_bind_kinds:
+            return False
+
+        bind_netns = self.get_bind_netns()
+        if bind_netns is None:
+            logger.warning('bind_netns "%s" is unknown',
+                        self.bind_netns,
+                        extra={
+                            'iface': self.settings['ifname'],
+                            'netns': self.netns})
+            return False
+
+        fn = self.get_bind_fn(item.netns.netns, item.index)
+        try:
+            with open(fn, 'rb') as fh:
+                state = fh.read()
+        except IOError:
+            return True
+
+        return state != bind_netns.mount
+
     def has_vrrp(self):
         return not self.vrrp is None
 
@@ -366,6 +447,14 @@ class Link(ABC):
         # get interface from registry
         item = self.search_link_registry()
 
+        # check if bind_netns option requires a recreate
+        if item is not None and self.bind_needs_recreate(item):
+            self.idx = item.index
+            self.recreate(do_apply, sysctl, excpts)
+
+            self.settings = osettings
+            return excpts
+
         # move interface into netns if required
         if item is not None and item.netns.netns != self.netns.netns:
             logger.log_change('netns')
@@ -382,7 +471,7 @@ class Link(ABC):
                     return excpts
 
         if item is not None:
-            self.idx = item.attributes['index']
+            self.idx = item.index
 
         if self.idx is not None:
             self.iface = next(iter(item.netns.ipr.get_links(self.idx)), None)
@@ -421,24 +510,50 @@ class Link(ABC):
         return excpts
 
     def create(self, do_apply, sysctl, excpts, oper="add"):
-        logger.log_add('link')
+        logger.log_add('link', oper)
+
+        settings = copy.deepcopy(self.settings)
+        bind_netns = self.get_bind_netns()
+        if bind_netns is not None and bind_netns.netns != self.netns.netns:
+            logger.debug("handle link binding", extra={
+                'iface': self.settings['ifname'],
+                'netns': self.netns})
+            settings['ifname'] = self.ifstate.gen_unique_ifname()
 
         logger.debug("ip link add: {}".format(
-            " ".join("{}={}".format(k, v) for k, v in self.settings.items())))
+            " ".join("{}={}".format(k, v) for k, v in settings.items())))
         if do_apply:
             try:
                 # set state later
-                state = self.settings.pop('state', None)
+                state = settings.pop('state', None)
 
                 # prevent altname conflict
                 self.prevent_altname_conflict()
 
                 # add link
-                self.netns.ipr.link('add', **(self.settings))
+                if bind_netns is None or bind_netns.netns == self.netns.netns:
+                    self.netns.ipr.link('add', **(settings))
+                    link = next(iter(self.netns.ipr.get_links(
+                                ifname=settings['ifname'])), None)
+                    if link is not None:
+                        item = self.ifstate.link_registry.add_link(self.netns, link)
+                # add and move link
+                else:
+                    bind_netns.ipr.link('add', **(settings))
+                    link = next(iter(bind_netns.ipr.get_links(
+                                ifname=settings['ifname'])), None)
+                    if link is not None:
+                        item = self.ifstate.link_registry.add_link(bind_netns, link)
+                        item.update_netns(self.netns)
+                        item.update_ifname(self.settings['ifname'])
+
                 self.idx = next(iter(self.netns.ipr.link_lookup(
                     ifname=self.settings['ifname'])), None)
 
                 if self.idx is not None:
+                    if bind_netns is not None:
+                        self.set_bind_state(bind_netns.mount)
+
                     # set sysctl settings if required
                     sysctl.apply(self.settings['ifname'], do_apply)
 
@@ -466,7 +581,7 @@ class Link(ABC):
                 self.settings['ifname'], self.ethtool.keys(), do_apply)
 
     def recreate(self, do_apply, sysctl, excpts):
-        logger.debug('has wrong link kind %s, removing', self.settings['kind'], extra={
+        logger.debug('needs to be recreated', extra={
                      'iface': self.settings['ifname'], 'netns': self.netns})
         if do_apply:
             try: