From bf60dd06c784c4262987fa57d3885ba63de36209 Mon Sep 17 00:00:00 2001
From: Donald Buczek
Date: Fri, 22 Sep 2023 12:15:55 +0200
Subject: [PATCH 1/3] mxrouterctl: Do not enable IPv6 routing

We don't use ipv6 currently. There might be problems if ipv6 routing is enabled, e.g. potential reachability without the appropriate filewall rules. For now, just don't enable it.
---
 mxrouter/mxrouterctl | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/mxrouter/mxrouterctl b/mxrouter/mxrouterctl
index 97135863..b8fb6ed3 100755
--- a/mxrouter/mxrouterctl
+++ b/mxrouter/mxrouterctl
@@ -525,10 +525,10 @@ sub start {
 unless exists $want_route->{$_};
 }
- unless (get_ipv6_forwarding()>0) {
- warn "enable IPV6 forwarding\n" unless $opt_quiet;
- set_ipv6_forwarding(1);
- }
+# unless (get_ipv6_forwarding()>0) {
+# warn "enable IPV6 forwarding\n" unless $opt_quiet;
+# set_ipv6_forwarding(1);
+# }
 unless (get_ipv4_routing()>0) {
 warn "enable IPV4 routing\n" unless $opt_quiet;
From be147e1ae3aa957b09f8ecb20c8ae3c5d6d9826c Mon Sep 17 00:00:00 2001
From: Donald Buczek
Date: Fri, 22 Sep 2023 12:25:15 +0200
Subject: [PATCH 2/3] mxrouterctl: Fix bug with inherited vlan interfaces

Currently, when a vlan interface is created on the host system (e.g. with mxvlan) and moved to the mxrouter instance with interface(), it gets deleted, because it is recogized visible as a vlan interface in the router namespace but not configured via vlan(). Ignore existing vlan interfaces which are configured into the router namespace via interface().
---
 mxrouter/mxrouterctl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mxrouter/mxrouterctl b/mxrouter/mxrouterctl
index b8fb6ed3..457241a2 100755
--- a/mxrouter/mxrouterctl
+++ b/mxrouter/mxrouterctl
@@ -488,6 +488,7 @@ sub start {
 }
 my ($have_vlan)=read_active_vlans();
+ delete $have_vlan->{$_} for keys %$want_if; # vlan interfaces created in main and moved via interaface()
 my ($new_vlan,$del_vlan)=({},{},{},{});
 for (keys %$want_vlan) {
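Review bot: The IPv6 forwarding block is commented out rather than removed, so the hunk leaves four dead lines in `sub start` with no in-source explanation of why forwarding must stay off; replace them with a comment carrying the rationale from the commit message, e.g. `# IPv6 forwarding is intentionally not enabled: no IPv6 in use and no IPv6 filter rules yet, so enabling it could expose hosts behind the router`. Note also that this only stops turning forwarding on; if `start` can run against an already existing namespace where forwarding was enabled by an earlier version, the sysctl keeps its old value, which depends on how the namespace is created and is outside this hunk. If the intent is a guaranteed-off state, an explicit `set_ipv6_forwarding(0)` with a quiet-aware warn, mirroring the IPv4 block below, would enforce it. `sub start` begins and ends outside the hunk.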
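Review bot: The added comment has a typo (`interaface()`) and it is the only place that records why inherited VLAN devices are exempt from cleanup, so it should be precise: `# vlan devices created in the main namespace and moved in via interface() are not ours to delete`. The exemption is keyed on the device name alone, so a vlan() entry and an interface() entry sharing a name would never be considered for deletion; presumably acceptable, but worth confirming against how the config functions validate names. `sub start` begins and ends outside the hunk.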
From 584b3e1db6b15dcbbec67a3981a4308950b88cfc Mon Sep 17 00:00:00 2001
From: Donald Buczek
Date: Fri, 22 Sep 2023 12:29:10 +0200
Subject: [PATCH 3/3] mxrouterctl: Add veth feature

This adds a `veth(NAME)` config call which creates a pair of connected veth devices, one in the default namespace and the other one on the router namespace, both with the same name. This can be used, for example, to create interfaces on the host for VMs with the traffic routed through a mxrouter instance.
Example:
interface('vlan.irouter');
ip('vlan.irouter','172.19.141.2/24');
route('default','172.19.141.1');
veth('veth.variation');
my $NET_VARIATION = '172.19.118.0/24';
ip('veth.variation', '172.19.118.1/24');
my $NET_WISNET='141.14.16.0/20';
rule('filter','FORWARD',"-m state --state ESTABLISHED,RELATED -j ACCEPT");
rule('filter','FORWARD','-p icmp --icmp-type 8 -j ACCEPT'); # ping
rule('filter','FORWARD',"-d $NET_VARIATION -j variation-out");
rule('filter','variation-out',"-s $NET_WISNET -p tcp --dport 22 -j ACCEPT"); # ssh
rule('filter','variation-out',"-j DROP");
rule('filter','FORWARD',"-j ACCEPT");
---
 mxrouter/mxrouterctl | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/mxrouter/mxrouterctl b/mxrouter/mxrouterctl
index 457241a2..d0eb1850 100755
--- a/mxrouter/mxrouterctl
+++ b/mxrouter/mxrouterctl
@@ -374,6 +374,7 @@ sub radvd {
 }
 our $want_if;
+our $want_veth;
 our $DHCRELAY_FORWARD;
 our %DHCRELAY_IF;
@@ -483,7 +484,7 @@ sub start {
 netif_is_up('lo') or sys('ip link set lo up');
- for my $dev (keys %$want_if) {
+ for my $dev (keys %$want_if, keys %$want_veth) {
 netif_is_up($dev) or sys('ip','link','set',$dev,'up');
 }
@@ -622,6 +623,11 @@ sub interface {
 $want_if->{$dev}=1;
 }
+sub veth {
+ my ($dev) = @_;
+ $want_veth->{$dev} = 1;
+}
+
 my @SAVED_ARGV=@ARGV;
 GetOptions(OPTIONS) or die USAGE;
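Review bot: `veth` records the name without any check, while `ip link add` later uses it for both ends of the pair, so a name longer than 15 characters (the kernel's interface-name limit) or one that is also passed to `interface()` only fails much later at start time; a short guard such as `die "veth name '$dev' too long\n" if length $dev > 15;` would report the mistake at config time. The sub also has no comment stating its contract; suggest `# veth(NAME): at start, create a veth pair named NAME on the host with its peer (also NAME) inside the router namespace`. Bringing the namespace end up happens in the earlier `sub start` hunk via `%$want_veth`, which works because the pair is created before the namespace re-exec.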
@@ -776,6 +782,10 @@ if (!$opt_this_ns) {
 for my $dev (sort keys %$want_if) {
 move_dev_into_ns($dev,$NETNS);
 }
+ for my $dev (sort keys %$want_veth) {
+ sys('ip', 'link', 'add', $dev, 'type', 'veth', 'peer', 'name', $dev, 'netns', $NETNS);
+ sys('ip', 'link', 'set', $dev, 'up');
+ }
 system('ip','netns','exec',$NETNS,$0,'--this-ns',@SAVED_ARGV) and exit 1;
 } elsif ($cmd eq 'stop') {
 have_netns($NETNS) or die "not running (network namespace $NETNS does not exist)\n";
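Review bot: The pair is created unconditionally, so a second `start` while a host-side device named `$dev` still exists (a stale end from an earlier partial run, or a clash with a device listed in `interface()`) makes `ip link add` fail, and whether that aborts the run depends on how `sys` handles errors, which is not visible here; guard the add with an existence check if the script has one (only `netif_is_up` is visible in this diff) or at least document the expectation. The `stop` branch is not extended: this relies on deleting `$NETNS` removing the peer and, with it, the host end of the pair, which holds for veth devices but deserves a comment next to the loop, e.g. `# host end disappears with its peer when $NETNS is deleted on stop`. The list form of `sys` keeps `$dev` out of a shell, so the name only has to be acceptable to `ip`. The enclosing `if (!$opt_this_ns)` block starts outside the hunk.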