[lxc-devel] [lxc/master] network: Adds layer 2 (ARP/NDP) proxy mode

tomponline on Github lxc-bot at linuxcontainers.org
Tue Apr 30 13:27:24 UTC 2019


From 382a62d0ec95110eb5e35353237424394827e016 Mon Sep 17 00:00:00 2001
From: tomponline <thomas.parrott at canonical.com>
Date: Tue, 30 Apr 2019 14:25:27 +0100
Subject: [PATCH] network: Adds layer 2 (ARP/NDP) proxy mode

Adds the lxc.net.[i].l2proxy flag that can be either 0 or 1.

Defaults to 0.

This, when used with lxc.net.[i].link, will add IP neighbour proxy entries on the linked device
for any IPv4 and IPv6 addresses on the container's network device.

For IPv6 addresses it will also set the sysctl net.ipv6.conf.[link].proxy_ndp=1.

Signed-off-by: tomponline <thomas.parrott at canonical.com>
---
 doc/api-extensions.md    |  7 ++++++
 src/lxc/api_extensions.h |  1 +
 src/lxc/confile.c        | 49 ++++++++++++++++++++++++++++++++++++++++
 src/lxc/confile_utils.c  |  4 ++++
 src/lxc/network.c        | 10 ++++----
 src/lxc/network.h        |  7 +-----
 6 files changed, 67 insertions(+), 11 deletions(-)

diff --git a/doc/api-extensions.md b/doc/api-extensions.md
index 8c95021ada..69727dbed0 100644
--- a/doc/api-extensions.md
+++ b/doc/api-extensions.md
@@ -51,3 +51,10 @@ The caller can read this message, inspect the syscalls including its arguments.
 This introduces the `lxc.net.[i].veth.ipv4.route` and `lxc.net.[i].veth.ipv6.route` properties
 on `veth` type network interfaces. This allows adding static routes on host to the container's
 network interface.
+
+## network\_l2proxy
+
+This introduces the `lxc.net.[i].l2proxy` that can be either `0` or `1`. Defaults to `0`.
+This, when used with `lxc.net.[i].link`, will add IP neighbour proxy entries on the linked device
+for any IPv4 and IPv6 addresses on the container's network device. For IPv6 addresses it will also
+set the sysctl `net.ipv6.conf.[link].proxy_ndp=1`.
diff --git a/src/lxc/api_extensions.h b/src/lxc/api_extensions.h
index 529f19863e..ce34cd5af1 100644
--- a/src/lxc/api_extensions.h
+++ b/src/lxc/api_extensions.h
@@ -45,6 +45,7 @@ static char *api_extensions[] = {
 	"seccomp_allow_nesting",
 	"seccomp_notify",
 	"network_veth_routes",
+	"network_l2proxy",
 };
 
 static size_t nr_api_extensions = sizeof(api_extensions) / sizeof(*api_extensions);
diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index ebed11522f..725e823dc1 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -129,6 +129,7 @@ lxc_config_define(net_ipv4_gateway);
 lxc_config_define(net_ipv6_address);
 lxc_config_define(net_ipv6_gateway);
 lxc_config_define(net_link);
+lxc_config_define(net_l2proxy);
 lxc_config_define(net_macvlan_mode);
 lxc_config_define(net_mtu);
 lxc_config_define(net_name);
@@ -220,6 +221,7 @@ static struct lxc_config_t config_jump_table[] = {
 	{ "lxc.net.ipv6.address",          set_config_net_ipv6_address,            get_config_net_ipv6_address,            clr_config_net_ipv6_address,          },
 	{ "lxc.net.ipv6.gateway",          set_config_net_ipv6_gateway,            get_config_net_ipv6_gateway,            clr_config_net_ipv6_gateway,          },
 	{ "lxc.net.link",                  set_config_net_link,                    get_config_net_link,                    clr_config_net_link,                  },
+	{ "lxc.net.l2proxy",               set_config_net_l2proxy,                 get_config_net_l2proxy,                 clr_config_net_l2proxy,               },
 	{ "lxc.net.macvlan.mode",          set_config_net_macvlan_mode,            get_config_net_macvlan_mode,            clr_config_net_macvlan_mode,          },
 	{ "lxc.net.mtu",                   set_config_net_mtu,                     get_config_net_mtu,                     clr_config_net_mtu,                   },
 	{ "lxc.net.name",                  set_config_net_name,                    get_config_net_name,                    clr_config_net_name,                  },
@@ -396,6 +398,33 @@ static int set_config_net_link(const char *key, const char *value,
 	return ret;
 }
 
+static int set_config_net_l2proxy(const char *key, const char *value,
+				     struct lxc_conf *lxc_conf, void *data)
+{
+	struct lxc_netdev *netdev = data;
+	unsigned int val = 0;
+
+	if (lxc_config_value_empty(value))
+		return clr_config_net_l2proxy(key, lxc_conf, data);
+
+	if (!netdev)
+		return -1;
+
+	if (lxc_safe_uint(value, &val) < 0)
+		return -EINVAL;
+
+	switch (val) {
+	case 0:
+		netdev->l2proxy = false;
+		return 0;
+	case 1:
+		netdev->l2proxy = true;
+		return 0;
+	}
+
+	return -EINVAL;
+}
+
 static int set_config_net_name(const char *key, const char *value,
 			       struct lxc_conf *lxc_conf, void *data)
 {
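Review bot: `set_config_net_l2proxy` mixes two error conventions in one function: a NULL `netdev` yields `-1` while a malformed or out-of-range value yields `-EINVAL`, so callers that distinguish errno-style codes see inconsistent results for the same handler. Pick one within the function (the `clr_config_net_l2proxy` it delegates to returns `-1`, so `-1` throughout, or `-EINVAL` throughout if that is what the neighbouring `set_config_net_*` handlers use — they are not visible in this hunk). The `switch (val)` also has no `default:`; moving the trailing `return -EINVAL;` inside as `default: return -EINVAL;` makes the rejection of every value other than 0 and 1 explicit and keeps the switch self-contained.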
@@ -4915,6 +4944,19 @@ static int clr_config_net_link(const char *key, struct lxc_conf *lxc_conf,
 	return 0;
 }
 
+static int clr_config_net_l2proxy(const char *key, struct lxc_conf *lxc_conf,
+			       void *data)
+{
+	struct lxc_netdev *netdev = data;
+
+	if (!netdev)
+		return -1;
+
+	netdev->l2proxy = false;
+
+	return 0;
+}
+
 static int clr_config_net_macvlan_mode(const char *key,
 				       struct lxc_conf *lxc_conf, void *data)
 {
@@ -5205,6 +5247,13 @@ static int get_config_net_link(const char *key, char *retv, int inlen,
 	return fulllen;
 }
 
+static int get_config_net_l2proxy(const char *key, char *retv, int inlen,
+			       struct lxc_conf *c, void *data)
+{
+	struct lxc_netdev *netdev = data;
+	return lxc_get_conf_bool(c, retv, inlen, netdev->l2proxy);
+}
+
 static int get_config_net_name(const char *key, char *retv, int inlen,
 			       struct lxc_conf *c, void *data)
 {
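Review bot: `get_config_net_l2proxy` dereferences `netdev->l2proxy` without checking `data`, whereas the set and clr handlers added earlier in this patch both start with `if (!netdev) return -1;`. The getter should match them: insert `if (!netdev) return -1;` before the `lxc_get_conf_bool` call, otherwise a lookup on a netdev index that was never allocated becomes a NULL dereference instead of an error.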
diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c
index 67bf0824a2..870c6b7e58 100644
--- a/src/lxc/confile_utils.c
+++ b/src/lxc/confile_utils.c
@@ -328,6 +328,10 @@ void lxc_log_configured_netdevs(const struct lxc_conf *conf)
 			if (netdev->link[0] != '\0')
 				TRACE("link: %s", netdev->link);
 
+			/* l2proxy only used when link is specified */
+			if (netdev->link[0] != '\0')
+				TRACE("l2proxy: %s", netdev->l2proxy ? "true" : "false");
+
 			if (netdev->name[0] != '\0')
 				TRACE("name: %s", netdev->name);
 
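Review bot: The new `if (netdev->link[0] != '\0')` guard repeats the condition two lines above; bracing the existing `link` block and placing the second `TRACE` inside it avoids evaluating the same test twice and keeps the two link-dependent traces together. Separately, the comment "l2proxy only used when link is specified" states a restriction the parser does not enforce — `set_config_net_l2proxy` in this patch stores the flag regardless of `link` — so it may be more useful to trace it unconditionally, `TRACE("l2proxy: %s", netdev->l2proxy ? "true" : "false");`, so that an `l2proxy = 1` set on a netdev with no `link` (and therefore no effect) remains visible in the configuration log rather than silently disappearing.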
diff --git a/src/lxc/network.c b/src/lxc/network.c
index ec7dbccccf..41689b376c 100644
--- a/src/lxc/network.c
+++ b/src/lxc/network.c
@@ -1497,7 +1497,7 @@ static int proc_sys_net_write(const char *path, const char *value)
 	return err;
 }
 
-static int neigh_proxy_set(const char *ifname, int family, int flag)
+static int lxc_neigh_proxy_set(const char *ifname, int family, int flag)
 {
 	int ret;
 	char path[PATH_MAX];
@@ -1514,14 +1514,14 @@ static int neigh_proxy_set(const char *ifname, int family, int flag)
 	return proc_sys_net_write(path, flag ? "1" : "0");
 }
 
-int lxc_neigh_proxy_on(const char *name, int family)
+static int lxc_neigh_proxy_on(const char *name, int family)
 {
-	return neigh_proxy_set(name, family, 1);
+	return lxc_neigh_proxy_set(name, family, 1);
 }
 
-int lxc_neigh_proxy_off(const char *name, int family)
+static int lxc_neigh_proxy_off(const char *name, int family)
 {
-	return neigh_proxy_set(name, family, 0);
+	return lxc_neigh_proxy_set(name, family, 0);
 }
 
 int lxc_convert_mac(char *macaddr, struct sockaddr *sockaddr)
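Review bot: `lxc_neigh_proxy_on` and `lxc_neigh_proxy_off` become `static` here and their `extern` declarations are dropped from network.h in the hunk at `@@ -240,12 +241,6 @@`, but nothing in this patch adds a caller inside network.c; if no existing caller is present there, both turn into unused static functions and the build will warn under `-Wunused-function`, and the new `l2proxy` flag is accepted by the config parser without yet having any effect. If the neighbour-proxy wiring is intended for a follow-up change, either defer this visibility change to that patch or add a comment above `lxc_neigh_proxy_on` making the intent explicit, e.g. `/* Neighbour proxy helpers for lxc.net.[i].l2proxy; wired up when the netdev is created. */`.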
diff --git a/src/lxc/network.h b/src/lxc/network.h
index e2757c1dba..244362b573 100644
--- a/src/lxc/network.h
+++ b/src/lxc/network.h
@@ -164,6 +164,7 @@ struct lxc_netdev {
 	int type;
 	int flags;
 	char link[IFNAMSIZ];
+	bool l2proxy;
 	char name[IFNAMSIZ];
 	char *hwaddr;
 	char *mtu;
@@ -240,12 +241,6 @@ extern int lxc_route_create_default(const char *addr, const char *ifname,
 extern int lxc_route_delete_default(const char *addr, const char *ifname,
 				    int gateway);
 
-/* Activate neighbor proxying. */
-extern int lxc_neigh_proxy_on(const char *name, int family);
-
-/* Disable neighbor proxying. */
-extern int lxc_neigh_proxy_off(const char *name, int family);
-
 /* Generate a new unique network interface name.
  * Allocated memory must be freed by caller.
  */

