Merge pull request #1990 from gwenya/netlink

Use netlink instead of calling iproute2 commands

Author: stgraber

cmd/incusd/main_forknet.go

@@ -413,12 +413,13 @@ func (c *cmdForknet) dhcpRunV4(errorChannel chan error, iface string, hostname s
 	}
 
 	// Network configuration.
-	netMask, _ := lease.Offer.SubnetMask().Size()
-
 	addr := &ip.Addr{
 		DevName: iface,
-		Address: fmt.Sprintf("%s/%d", lease.Offer.YourIPAddr, netMask),
-		Family:  ip.FamilyV4,
+		Address: &net.IPNet{
+			IP:   lease.Offer.YourIPAddr,
+			Mask: lease.Offer.SubnetMask(),
+		},
+		Family: ip.FamilyV4,
 	}
 
 	err = addr.Add()
@@ -432,12 +433,12 @@ func (c *cmdForknet) dhcpRunV4(errorChannel chan error, iface string, hostname s
 		for _, staticRoute := range lease.Offer.ClasslessStaticRoute() {
 			route := &ip.Route{
 				DevName: iface,
-				Route:   staticRoute.Dest.String(),
+				Route:   staticRoute.Dest,
 				Family:  ip.FamilyV4,
 			}
 
 			if !staticRoute.Router.IsUnspecified() {
-				route.Via = staticRoute.Router.String()
+				route.Via = staticRoute.Router
 			}
 
 			err = route.Add()
@@ -450,8 +451,8 @@ func (c *cmdForknet) dhcpRunV4(errorChannel chan error, iface string, hostname s
 	} else {
 		route := &ip.Route{
 			DevName: iface,
-			Route:   "default",
-			Via:     lease.Offer.Router()[0].String(),
+			Route:   nil,
+			Via:     lease.Offer.Router()[0],
 			Family:  ip.FamilyV4,
 		}
 
@@ -575,8 +576,11 @@ func (c *cmdForknet) dhcpRunV6(errorChannel chan error, iface string, hostname s
 	for _, iaaddr := range ia.Options.Addresses() {
 		addr := &ip.Addr{
 			DevName: iface,
-			Address: fmt.Sprintf("%s/64", iaaddr.IPv6Addr),
-			Family:  ip.FamilyV6,
+			Address: &net.IPNet{
+				IP:   iaaddr.IPv6Addr,
+				Mask: net.CIDRMask(64, 128),
+			},
+			Family: ip.FamilyV6,
 		}
 
 		err = addr.Add()

internal/server/device/device_utils_network.go

@@ -15,6 +15,7 @@ import (
 
 	"github.com/mdlayher/arp"
 	"github.com/mdlayher/ndp"
+	"golang.org/x/sys/unix"
 
 	deviceConfig "github.com/lxc/incus/v6/internal/server/device/config"
 	pcidev "github.com/lxc/incus/v6/internal/server/device/pci"
@@ -216,13 +217,13 @@ func networkCreateVethPair(hostName string, m deviceConfig.Device) (string, uint
 
 	veth := &ip.Veth{
 		Link: ip.Link{
-			Name: hostName,
-			Up:   true,
+			Name:   hostName,
+			Up:     true,
+			Master: m["vrf"],
 		},
 		Peer: ip.Link{
 			Name: network.RandomDevName("veth"),
 		},
-		Master: m["vrf"],
 	}
 
 	// Set the MTU on both ends.
@@ -412,20 +413,20 @@ func networkNICRouteAdd(routeDev string, routes ...string) error {
 
 	for _, r := range routes {
 		route := r // Local var for revert.
-		ipAddress, _, err := net.ParseCIDR(route)
+		ipNet, err := ip.ParseIPNet(route)
 		if err != nil {
 			return fmt.Errorf("Invalid route %q: %w", route, err)
 		}
 
 		ipVersion := ip.FamilyV4
-		if ipAddress.To4() == nil {
+		if ipNet.IP.To4() == nil {
 			ipVersion = ip.FamilyV6
 		}
 
 		// Add IP route (using boot proto to avoid conflicts with network defined static routes).
 		r := &ip.Route{
 			DevName: routeDev,
-			Route:   route,
+			Route:   ipNet,
 			Proto:   "boot",
 			Family:  ipVersion,
 		}
@@ -438,7 +439,7 @@ func networkNICRouteAdd(routeDev string, routes ...string) error {
 		reverter.Add(func() {
 			r := &ip.Route{
 				DevName: routeDev,
-				Route:   route,
+				Route:   ipNet,
 				Proto:   "boot",
 				Family:  ipVersion,
 			}
@@ -466,21 +467,21 @@ func networkNICRouteDelete(routeDev string, routes ...string) {
 
 	for _, r := range routes {
 		route := r // Local var for revert.
-		ipAddress, _, err := net.ParseCIDR(route)
+		ipNet, err := ip.ParseIPNet(route)
 		if err != nil {
 			logger.Errorf("Failed to remove static route %q to %q: %v", route, routeDev, err)
 			continue
 		}
 
 		ipVersion := ip.FamilyV4
-		if ipAddress.To4() == nil {
+		if ipNet.IP.To4() == nil {
 			ipVersion = ip.FamilyV6
 		}
 
 		// Add IP route (using boot proto to avoid conflicts with network defined static routes).
 		r := &ip.Route{
 			DevName: routeDev,
-			Route:   route,
+			Route:   ipNet,
 			Proto:   "boot",
 			Family:  ipVersion,
 		}
@@ -527,14 +528,21 @@ func networkSetupHostVethLimits(d *deviceCommon, oldConfig deviceConfig.Device,
 	}
 
 	// Clean any existing entry
-	qdisc := &ip.Qdisc{Dev: veth, Root: true}
-	_ = qdisc.Delete()
-	qdisc = &ip.Qdisc{Dev: veth, Ingress: true}
-	_ = qdisc.Delete()
+	qdiscIngress := &ip.QdiscIngress{Qdisc: ip.Qdisc{Dev: veth, Handle: "ffff:0"}}
+	err = qdiscIngress.Delete()
+	if err != nil && !errors.Is(err, unix.ENOENT) {
+		return err
+	}
+
+	qdiscHTB := &ip.QdiscHTB{Qdisc: ip.Qdisc{Dev: veth, Handle: "1:0", Parent: "root"}}
+	err = qdiscHTB.Delete()
+	if err != nil && !errors.Is(err, unix.ENOENT) {
+		return err
+	}
 
 	// Apply new limits
 	if d.config["limits.ingress"] != "" {
-		qdiscHTB := &ip.QdiscHTB{Qdisc: ip.Qdisc{Dev: veth, Handle: "1:0", Root: true}, Default: "10"}
+		qdiscHTB = &ip.QdiscHTB{Qdisc: ip.Qdisc{Dev: veth, Handle: "1:0", Parent: "root"}, Default: 10}
 		err := qdiscHTB.Add()
 		if err != nil {
 			return fmt.Errorf("Failed to create root tc qdisc: %s", err)
@@ -546,22 +554,22 @@ func networkSetupHostVethLimits(d *deviceCommon, oldConfig deviceConfig.Device,
 			return fmt.Errorf("Failed to create limit tc class: %s", err)
 		}
 
-		filter := &ip.U32Filter{Filter: ip.Filter{Dev: veth, Parent: "1:0", Protocol: "all", Flowid: "1:1"}, Value: "0", Mask: "0"}
+		filter := &ip.U32Filter{Filter: ip.Filter{Dev: veth, Parent: "1:0", Protocol: "all", Flowid: "1:1"}, Value: 0, Mask: 0}
 		err = filter.Add()
 		if err != nil {
 			return fmt.Errorf("Failed to create tc filter: %s", err)
 		}
 	}
 
 	if d.config["limits.egress"] != "" {
-		qdisc = &ip.Qdisc{Dev: veth, Handle: "ffff:0", Ingress: true}
-		err := qdisc.Add()
+		qdiscIngress = &ip.QdiscIngress{Qdisc: ip.Qdisc{Dev: veth, Handle: "ffff:0"}}
+		err := qdiscIngress.Add()
 		if err != nil {
 			return fmt.Errorf("Failed to create ingress tc qdisc: %s", err)
 		}
 
-		police := &ip.ActionPolice{Rate: fmt.Sprintf("%dbit", egressInt), Burst: fmt.Sprintf("%d", egressInt/40), Mtu: "64kb", Drop: true}
-		filter := &ip.U32Filter{Filter: ip.Filter{Dev: veth, Parent: "ffff:0", Protocol: "all"}, Value: "0", Mask: "0", Actions: []ip.Action{police}}
+		police := &ip.ActionPolice{Rate: uint32(egressInt / 8), Burst: uint32(egressInt / 40), Mtu: 65535, Drop: true}
+		filter := &ip.U32Filter{Filter: ip.Filter{Dev: veth, Parent: "ffff:0", Protocol: "all"}, Value: 0, Mask: 0, Actions: []ip.Action{police}}
 		err = filter.Add()
 		if err != nil {
 			return fmt.Errorf("Failed to create ingress tc filter: %s", err)
@@ -690,7 +698,7 @@ func bgpRemovePrefix(d *deviceCommon, config map[string]string) error {
 	return nil
 }
 
-// networkSRIOVParentVFInfo returns info about an SR-IOV virtual function from the parent NIC using the ip tool.
+// networkSRIOVParentVFInfo returns info about an SR-IOV virtual function from the parent NIC.
 func networkSRIOVParentVFInfo(vfParent string, vfID int) (ip.VirtFuncInfo, error) {
 	link := &ip.Link{Name: vfParent}
 	vfi, err := link.GetVFInfo(vfID)
@@ -716,9 +724,9 @@ func networkSRIOVSetupVF(d deviceCommon, vfParent string, vfDevice string, vfID
 
 	// Record properties of VF settings on the parent device.
 	volatile["last_state.vf.parent"] = vfParent
-	volatile["last_state.vf.hwaddr"] = vfInfo.Address
+	volatile["last_state.vf.hwaddr"] = vfInfo.Address.String()
 	volatile["last_state.vf.id"] = fmt.Sprintf("%d", vfID)
-	volatile["last_state.vf.vlan"] = fmt.Sprintf("%d", vfInfo.VLANs[0]["vlan"])
+	volatile["last_state.vf.vlan"] = fmt.Sprintf("%d", vfInfo.VLAN)
 	volatile["last_state.vf.spoofcheck"] = fmt.Sprintf("%t", vfInfo.SpoofCheck)
 
 	// Record the host interface we represents the VF device which we will move into instance.
@@ -772,7 +780,7 @@ func networkSRIOVSetupVF(d deviceCommon, vfParent string, vfDevice string, vfID
 		}
 
 		// Now that MAC is set on VF, we can enable spoof checking.
-		err = link.SetVfSpoofchk(volatile["last_state.vf.id"], "on")
+		err = link.SetVfSpoofchk(volatile["last_state.vf.id"], true)
 		if err != nil {
 			return vfPCIDev, 0, fmt.Errorf("Failed enabling spoof check for VF %q: %w", volatile["last_state.vf.id"], err)
 		}
@@ -784,7 +792,7 @@ func networkSRIOVSetupVF(d deviceCommon, vfParent string, vfDevice string, vfID
 		_ = link.SetVfAddress(volatile["last_state.vf.id"], "00:00:00:00:00:00")
 
 		// Ensure spoof checking is disabled if not enabled in instance (only for real VF).
-		err = link.SetVfSpoofchk(volatile["last_state.vf.id"], "off")
+		err = link.SetVfSpoofchk(volatile["last_state.vf.id"], false)
 		if err != nil && d.config["security.mac_filtering"] != "" {
 			return vfPCIDev, 0, fmt.Errorf("Failed disabling spoof check for VF %q: %w", volatile["last_state.vf.id"], err)
 		}
@@ -897,11 +905,7 @@ func networkSRIOVRestoreVF(d deviceCommon, useSpoofCheck bool, volatile map[stri
 	// Reset VF MAC spoofing protection if recorded. Do this first before resetting the MAC
 	// to avoid any issues with zero MACs refusing to be set whilst spoof check is on.
 	if volatile["last_state.vf.spoofcheck"] != "" {
-		mode := "off"
-		if util.IsTrue(volatile["last_state.vf.spoofcheck"]) {
-			mode = "on"
-		}
-
+		mode := util.IsTrue(volatile["last_state.vf.spoofcheck"])
 		link := &ip.Link{Name: parent}
 		err := link.SetVfSpoofchk(volatile["last_state.vf.id"], mode)
 		if err != nil && d.config["security.mac_filtering"] != "" {

internal/server/device/nic_bridged.go

@@ -2001,22 +2001,22 @@ func (d *nicBridged) State() (*api.InstanceStateNetwork, error) {
 	// Get IP addresses from IP neighbour cache if present.
 	neighIPs, err := network.GetNeighbourIPs(d.config["parent"], hwAddr)
 	if err == nil {
-		validStates := []string{
-			string(ip.NeighbourIPStatePermanent),
-			string(ip.NeighbourIPStateNoARP),
-			string(ip.NeighbourIPStateReachable),
+		validStates := []ip.NeighbourIPState{
+			ip.NeighbourIPStatePermanent,
+			ip.NeighbourIPStateNoARP,
+			ip.NeighbourIPStateReachable,
 		}
 
 		// Add any valid-state neighbour IP entries first.
 		for _, neighIP := range neighIPs {
-			if slices.Contains(validStates, string(neighIP.State)) {
+			if slices.Contains(validStates, neighIP.State) {
 				ipStore(neighIP.Addr)
 			}
 		}
 
 		// Add any non-failed-state entries.
 		for _, neighIP := range neighIPs {
-			if neighIP.State != ip.NeighbourIPStateFailed && !slices.Contains(validStates, string(neighIP.State)) {
+			if neighIP.State != ip.NeighbourIPStateFailed && !slices.Contains(validStates, neighIP.State) {
 				ipStore(neighIP.Addr)
 			}
 		}

internal/server/device/nic_ipvlan.go

@@ -365,13 +365,13 @@ func (d *nicIPVLAN) Start() (*deviceConfig.RunConfig, error) {
 
 	// Perform network configuration.
 	for _, keyPrefix := range []string{"ipv4", "ipv6"} {
-		var ipFamilyArg string
+		var ipFamily ip.Family
 
 		switch keyPrefix {
 		case "ipv4":
-			ipFamilyArg = ip.FamilyV4
+			ipFamily = ip.FamilyV4
 		case "ipv6":
-			ipFamilyArg = ip.FamilyV6
+			ipFamily = ip.FamilyV6
 		}
 
 		addresses := util.SplitNTrimSpace(d.config[fmt.Sprintf("%s.address", keyPrefix)], ",", -1, true)
@@ -393,9 +393,9 @@ func (d *nicIPVLAN) Start() (*deviceConfig.RunConfig, error) {
 				// Apply host-side static routes to main routing table to allow neighbour proxy.
 				r := ip.Route{
 					DevName: "lo",
-					Route:   addr.String(),
+					Route:   addr,
 					Table:   "main",
-					Family:  ipFamilyArg,
+					Family:  ipFamily,
 				}
 
 				err = r.Add()
@@ -410,9 +410,9 @@ func (d *nicIPVLAN) Start() (*deviceConfig.RunConfig, error) {
 				if d.config[hostTableKey] != "" {
 					r := &ip.Route{
 						DevName: "lo",
-						Route:   addr.String(),
+						Route:   addr,
 						Table:   d.config[hostTableKey],
-						Family:  ipFamilyArg,
+						Family:  ipFamily,
 					}
 
 					err := r.Add()
@@ -540,13 +540,13 @@ func (d *nicIPVLAN) postStop() error {
 
 	// Clean up host-side network configuration.
 	for _, keyPrefix := range []string{"ipv4", "ipv6"} {
-		var ipFamilyArg string
+		var ipFamily ip.Family
 
 		switch keyPrefix {
 		case "ipv4":
-			ipFamilyArg = ip.FamilyV4
+			ipFamily = ip.FamilyV4
 		case "ipv6":
-			ipFamilyArg = ip.FamilyV6
+			ipFamily = ip.FamilyV6
 		}
 
 		addresses := util.SplitNTrimSpace(d.config[fmt.Sprintf("%s.address", keyPrefix)], ",", -1, true)
@@ -563,9 +563,9 @@ func (d *nicIPVLAN) postStop() error {
 			if mode == ipvlanModeL3S {
 				r := ip.Route{
 					DevName: "lo",
-					Route:   addr.String(),
+					Route:   addr,
 					Table:   "main",
-					Family:  ipFamilyArg,
+					Family:  ipFamily,
 				}
 
 				err := r.Delete()
@@ -588,9 +588,9 @@ func (d *nicIPVLAN) postStop() error {
 				if d.config[hostTableKey] != "" {
 					r := &ip.Route{
 						DevName: "lo",
-						Route:   addr.String(),
+						Route:   addr,
 						Table:   d.config[hostTableKey],
-						Family:  ipFamilyArg,
+						Family:  ipFamily,
 					}
 
 					err := r.Delete()