1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 #include <linux/veth.h>
8 #include "sd-netlink.h"
10 #include "alloc-util.h"
11 #include "ether-addr-util.h"
12 #include "lockfile-util.h"
13 #include "missing_network.h"
14 #include "netif-naming-scheme.h"
15 #include "netlink-util.h"
16 #include "nspawn-network.h"
17 #include "parse-util.h"
18 #include "siphash24.h"
19 #include "socket-util.h"
20 #include "stat-util.h"
21 #include "string-util.h"
23 #include "udev-util.h"
26 #define HOST_HASH_KEY SD_ID128_MAKE(1a,37,6f,c7,46,ec,45,0b,ad,a3,d5,31,06,60,5d,b1)
27 #define CONTAINER_HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
28 #define VETH_EXTRA_HOST_HASH_KEY SD_ID128_MAKE(48,c7,f6,b7,ea,9d,4c,9e,b7,28,d4,de,91,d5,bf,66)
29 #define VETH_EXTRA_CONTAINER_HASH_KEY SD_ID128_MAKE(af,50,17,61,ce,f9,4d,35,84,0d,2b,20,54,be,ce,59)
30 #define MACVLAN_HASH_KEY SD_ID128_MAKE(00,13,6d,bc,66,83,44,81,bb,0c,f9,51,1f,24,a6,6f)
31 #define SHORTEN_IFNAME_HASH_KEY SD_ID128_MAKE(e1,90,a4,04,a8,ef,4b,51,8c,cc,c3,3a,9f,11,fc,a2)
33 static int remove_one_link(sd_netlink
*rtnl
, const char *name
) {
34 _cleanup_(sd_netlink_message_unrefp
) sd_netlink_message
*m
= NULL
;
40 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_DELLINK
, 0);
42 return log_error_errno(r
, "Failed to allocate netlink message: %m");
44 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, name
);
46 return log_error_errno(r
, "Failed to add netlink interface name: %m");
48 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
49 if (r
== -ENODEV
) /* Already gone */
52 return log_error_errno(r
, "Failed to remove interface %s: %m", name
);
57 static int generate_mac(
58 const char *machine_name
,
59 struct ether_addr
*mac
,
68 l
= strlen(machine_name
);
69 sz
= sizeof(sd_id128_t
) + l
;
73 v
= newa(uint8_t, sz
);
75 /* fetch some persistent data unique to the host */
76 r
= sd_id128_get_machine((sd_id128_t
*) v
);
80 /* combine with some data unique (on this host) to this
81 * container instance */
82 i
= mempcpy(v
+ sizeof(sd_id128_t
), machine_name
, l
);
85 memcpy(i
, &idx
, sizeof(idx
));
88 /* Let's hash the host machine ID plus the container name. We
89 * use a fixed, but originally randomly created hash key here. */
90 result
= htole64(siphash24(v
, sz
, hash_key
.bytes
));
92 assert_cc(ETH_ALEN
<= sizeof(result
));
93 memcpy(mac
->ether_addr_octet
, &result
, ETH_ALEN
);
95 /* see eth_random_addr in the kernel */
96 mac
->ether_addr_octet
[0] &= 0xfe; /* clear multicast bit */
97 mac
->ether_addr_octet
[0] |= 0x02; /* set local assignment bit (IEEE802) */
105 const char *ifname_host
,
106 const struct ether_addr
*mac_host
,
107 const char *ifname_container
,
108 const struct ether_addr
*mac_container
) {
110 _cleanup_(sd_netlink_message_unrefp
) sd_netlink_message
*m
= NULL
;
116 assert(ifname_container
);
117 assert(mac_container
);
119 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
121 return log_error_errno(r
, "Failed to allocate netlink message: %m");
123 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, ifname_host
);
125 return log_error_errno(r
, "Failed to add netlink interface name: %m");
127 r
= sd_netlink_message_append_ether_addr(m
, IFLA_ADDRESS
, mac_host
);
129 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
131 r
= sd_netlink_message_open_container(m
, IFLA_LINKINFO
);
133 return log_error_errno(r
, "Failed to open netlink container: %m");
135 r
= sd_netlink_message_open_container_union(m
, IFLA_INFO_DATA
, "veth");
137 return log_error_errno(r
, "Failed to open netlink container: %m");
139 r
= sd_netlink_message_open_container(m
, VETH_INFO_PEER
);
141 return log_error_errno(r
, "Failed to open netlink container: %m");
143 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, ifname_container
);
145 return log_error_errno(r
, "Failed to add netlink interface name: %m");
147 r
= sd_netlink_message_append_ether_addr(m
, IFLA_ADDRESS
, mac_container
);
149 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
151 r
= sd_netlink_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
153 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
155 r
= sd_netlink_message_close_container(m
);
157 return log_error_errno(r
, "Failed to close netlink container: %m");
159 r
= sd_netlink_message_close_container(m
);
161 return log_error_errno(r
, "Failed to close netlink container: %m");
163 r
= sd_netlink_message_close_container(m
);
165 return log_error_errno(r
, "Failed to close netlink container: %m");
167 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
169 return log_error_errno(r
, "Failed to add new veth interfaces (%s:%s): %m", ifname_host
, ifname_container
);
174 /* This is almost base64char(), but not entirely, as it uses the "url and filename safe" alphabet, since we
175 * don't want "/" appear in interface names (since interfaces appear in sysfs as filenames). See section #5
177 static char urlsafe_base64char(int x
) {
178 static const char table
[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
179 "abcdefghijklmnopqrstuvwxyz"
181 return table
[x
& 63];
184 static void shorten_ifname(char *ifname
) {
185 char new_ifname
[IFNAMSIZ
];
189 if (strlen(ifname
) < IFNAMSIZ
) /* Name is short enough */
192 if (naming_scheme_has(NAMING_NSPAWN_LONG_HASH
)) {
195 /* Calculate 64bit hash value */
196 h
= siphash24(ifname
, strlen(ifname
), SHORTEN_IFNAME_HASH_KEY
.bytes
);
198 /* Set the final four bytes (i.e. 32bit) to the lower 24bit of the hash, encoded in url-safe base64 */
199 memcpy(new_ifname
, ifname
, IFNAMSIZ
- 5);
200 new_ifname
[IFNAMSIZ
- 5] = urlsafe_base64char(h
>> 18);
201 new_ifname
[IFNAMSIZ
- 4] = urlsafe_base64char(h
>> 12);
202 new_ifname
[IFNAMSIZ
- 3] = urlsafe_base64char(h
>> 6);
203 new_ifname
[IFNAMSIZ
- 2] = urlsafe_base64char(h
);
205 /* On old nspawn versions we just truncated the name, provide compatibility */
206 memcpy(new_ifname
, ifname
, IFNAMSIZ
-1);
208 new_ifname
[IFNAMSIZ
- 1] = 0;
210 /* Log the incident to make it more discoverable */
211 log_warning("Network interface name '%s' has been changed to '%s' to fit length constraints.", ifname
, new_ifname
);
213 strcpy(ifname
, new_ifname
);
216 int setup_veth(const char *machine_name
,
218 char iface_name
[IFNAMSIZ
],
221 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
222 struct ether_addr mac_host
, mac_container
;
227 assert(machine_name
);
231 /* Use two different interface name prefixes depending whether
232 * we are in bridge mode or not. */
233 n
= strjoina(bridge
? "vb-" : "ve-", machine_name
);
236 r
= generate_mac(machine_name
, &mac_container
, CONTAINER_HASH_KEY
, 0);
238 return log_error_errno(r
, "Failed to generate predictable MAC address for container side: %m");
240 r
= generate_mac(machine_name
, &mac_host
, HOST_HASH_KEY
, 0);
242 return log_error_errno(r
, "Failed to generate predictable MAC address for host side: %m");
244 r
= sd_netlink_open(&rtnl
);
246 return log_error_errno(r
, "Failed to connect to netlink: %m");
248 r
= add_veth(rtnl
, pid
, n
, &mac_host
, "host0", &mac_container
);
252 u
= if_nametoindex(n
);
254 return log_error_errno(errno
, "Failed to resolve interface %s: %m", n
);
256 strcpy(iface_name
, n
);
260 int setup_veth_extra(
261 const char *machine_name
,
265 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
270 assert(machine_name
);
273 if (strv_isempty(pairs
))
276 r
= sd_netlink_open(&rtnl
);
278 return log_error_errno(r
, "Failed to connect to netlink: %m");
280 STRV_FOREACH_PAIR(a
, b
, pairs
) {
281 struct ether_addr mac_host
, mac_container
;
283 r
= generate_mac(machine_name
, &mac_container
, VETH_EXTRA_CONTAINER_HASH_KEY
, idx
);
285 return log_error_errno(r
, "Failed to generate predictable MAC address for container side of extra veth link: %m");
287 r
= generate_mac(machine_name
, &mac_host
, VETH_EXTRA_HOST_HASH_KEY
, idx
);
289 return log_error_errno(r
, "Failed to generate predictable MAC address for container side of extra veth link: %m");
291 r
= add_veth(rtnl
, pid
, *a
, &mac_host
, *b
, &mac_container
);
301 static int join_bridge(sd_netlink
*rtnl
, const char *veth_name
, const char *bridge_name
) {
302 _cleanup_(sd_netlink_message_unrefp
) sd_netlink_message
*m
= NULL
;
309 r
= parse_ifindex_or_ifname(bridge_name
, &bridge_ifi
);
313 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_SETLINK
, 0);
317 r
= sd_rtnl_message_link_set_flags(m
, IFF_UP
, IFF_UP
);
321 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, veth_name
);
325 r
= sd_netlink_message_append_u32(m
, IFLA_MASTER
, bridge_ifi
);
329 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
336 static int create_bridge(sd_netlink
*rtnl
, const char *bridge_name
) {
337 _cleanup_(sd_netlink_message_unrefp
) sd_netlink_message
*m
= NULL
;
340 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
344 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, bridge_name
);
348 r
= sd_netlink_message_open_container(m
, IFLA_LINKINFO
);
352 r
= sd_netlink_message_open_container_union(m
, IFLA_INFO_DATA
, "bridge");
356 r
= sd_netlink_message_close_container(m
);
360 r
= sd_netlink_message_close_container(m
);
364 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
371 int setup_bridge(const char *veth_name
, const char *bridge_name
, bool create
) {
372 _cleanup_(release_lock_file
) LockFile bridge_lock
= LOCK_FILE_INIT
;
373 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
380 r
= sd_netlink_open(&rtnl
);
382 return log_error_errno(r
, "Failed to connect to netlink: %m");
385 /* We take a system-wide lock here, so that we can safely check whether there's still a member in the
386 * bridge before removing it, without risking interference from other nspawn instances. */
388 r
= make_lock_file("/run/systemd/nspawn-network-zone", LOCK_EX
, &bridge_lock
);
390 return log_error_errno(r
, "Failed to take network zone lock: %m");
394 bridge_ifi
= join_bridge(rtnl
, veth_name
, bridge_name
);
397 if (bridge_ifi
!= -ENODEV
|| !create
|| n
> 10)
398 return log_error_errno(bridge_ifi
, "Failed to add interface %s to bridge %s: %m", veth_name
, bridge_name
);
400 /* Count attempts, so that we don't enter an endless loop here. */
403 /* The bridge doesn't exist yet. Let's create it */
404 r
= create_bridge(rtnl
, bridge_name
);
406 return log_error_errno(r
, "Failed to create bridge interface %s: %m", bridge_name
);
408 /* Try again, now that the bridge exists */
412 int remove_bridge(const char *bridge_name
) {
413 _cleanup_(release_lock_file
) LockFile bridge_lock
= LOCK_FILE_INIT
;
414 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
418 /* Removes the specified bridge, but only if it is currently empty */
420 if (isempty(bridge_name
))
423 r
= make_lock_file("/run/systemd/nspawn-network-zone", LOCK_EX
, &bridge_lock
);
425 return log_error_errno(r
, "Failed to take network zone lock: %m");
427 path
= strjoina("/sys/class/net/", bridge_name
, "/brif");
429 r
= dir_is_empty(path
);
430 if (r
== -ENOENT
) /* Already gone? */
433 return log_error_errno(r
, "Can't detect if bridge %s is empty: %m", bridge_name
);
434 if (r
== 0) /* Still populated, leave it around */
437 r
= sd_netlink_open(&rtnl
);
439 return log_error_errno(r
, "Failed to connect to netlink: %m");
441 return remove_one_link(rtnl
, bridge_name
);
444 static int parse_interface(const char *name
) {
445 _cleanup_(sd_device_unrefp
) sd_device
*d
= NULL
;
448 r
= parse_ifindex_or_ifname(name
, &ifi
);
450 return log_error_errno(r
, "Failed to resolve interface %s: %m", name
);
452 if (path_is_read_only_fs("/sys") <= 0) {
453 char ifi_str
[2 + DECIMAL_STR_MAX(int)];
455 /* udev should be around. */
457 sprintf(ifi_str
, "n%i", ifi
);
458 r
= sd_device_new_from_device_id(&d
, ifi_str
);
460 return log_error_errno(r
, "Failed to get device %s: %m", name
);
462 r
= sd_device_get_is_initialized(d
);
464 return log_error_errno(r
, "Failed to determine whether interface %s is initialized: %m", name
);
466 return log_error_errno(SYNTHETIC_ERRNO(EBUSY
), "Network interface %s is not initialized yet.", name
);
468 r
= device_is_renaming(d
);
470 return log_error_errno(r
, "Failed to determine the interface %s is being renamed: %m", name
);
472 return log_error_errno(SYNTHETIC_ERRNO(EBUSY
), "Interface %s is being renamed.", name
);
478 int move_network_interfaces(pid_t pid
, char **ifaces
) {
479 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
483 if (strv_isempty(ifaces
))
486 r
= sd_netlink_open(&rtnl
);
488 return log_error_errno(r
, "Failed to connect to netlink: %m");
490 STRV_FOREACH(i
, ifaces
) {
491 _cleanup_(sd_netlink_message_unrefp
) sd_netlink_message
*m
= NULL
;
494 ifi
= parse_interface(*i
);
498 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_SETLINK
, ifi
);
500 return log_error_errno(r
, "Failed to allocate netlink message: %m");
502 r
= sd_netlink_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
504 return log_error_errno(r
, "Failed to append namespace PID to netlink message: %m");
506 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
508 return log_error_errno(r
, "Failed to move interface %s to namespace: %m", *i
);
514 int setup_macvlan(const char *machine_name
, pid_t pid
, char **ifaces
) {
515 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
520 if (strv_isempty(ifaces
))
523 r
= sd_netlink_open(&rtnl
);
525 return log_error_errno(r
, "Failed to connect to netlink: %m");
527 STRV_FOREACH(i
, ifaces
) {
528 _cleanup_(sd_netlink_message_unrefp
) sd_netlink_message
*m
= NULL
;
529 _cleanup_free_
char *n
= NULL
;
530 struct ether_addr mac
;
533 ifi
= parse_interface(*i
);
537 r
= generate_mac(machine_name
, &mac
, MACVLAN_HASH_KEY
, idx
++);
539 return log_error_errno(r
, "Failed to create MACVLAN MAC address: %m");
541 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
543 return log_error_errno(r
, "Failed to allocate netlink message: %m");
545 r
= sd_netlink_message_append_u32(m
, IFLA_LINK
, ifi
);
547 return log_error_errno(r
, "Failed to add netlink interface index: %m");
549 n
= strjoin("mv-", *i
);
555 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, n
);
557 return log_error_errno(r
, "Failed to add netlink interface name: %m");
559 r
= sd_netlink_message_append_ether_addr(m
, IFLA_ADDRESS
, &mac
);
561 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
563 r
= sd_netlink_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
565 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
567 r
= sd_netlink_message_open_container(m
, IFLA_LINKINFO
);
569 return log_error_errno(r
, "Failed to open netlink container: %m");
571 r
= sd_netlink_message_open_container_union(m
, IFLA_INFO_DATA
, "macvlan");
573 return log_error_errno(r
, "Failed to open netlink container: %m");
575 r
= sd_netlink_message_append_u32(m
, IFLA_MACVLAN_MODE
, MACVLAN_MODE_BRIDGE
);
577 return log_error_errno(r
, "Failed to append macvlan mode: %m");
579 r
= sd_netlink_message_close_container(m
);
581 return log_error_errno(r
, "Failed to close netlink container: %m");
583 r
= sd_netlink_message_close_container(m
);
585 return log_error_errno(r
, "Failed to close netlink container: %m");
587 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
589 return log_error_errno(r
, "Failed to add new macvlan interfaces: %m");
595 int setup_ipvlan(const char *machine_name
, pid_t pid
, char **ifaces
) {
596 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
600 if (strv_isempty(ifaces
))
603 r
= sd_netlink_open(&rtnl
);
605 return log_error_errno(r
, "Failed to connect to netlink: %m");
607 STRV_FOREACH(i
, ifaces
) {
608 _cleanup_(sd_netlink_message_unrefp
) sd_netlink_message
*m
= NULL
;
609 _cleanup_free_
char *n
= NULL
;
612 ifi
= parse_interface(*i
);
616 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
618 return log_error_errno(r
, "Failed to allocate netlink message: %m");
620 r
= sd_netlink_message_append_u32(m
, IFLA_LINK
, ifi
);
622 return log_error_errno(r
, "Failed to add netlink interface index: %m");
624 n
= strjoin("iv-", *i
);
630 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, n
);
632 return log_error_errno(r
, "Failed to add netlink interface name: %m");
634 r
= sd_netlink_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
636 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
638 r
= sd_netlink_message_open_container(m
, IFLA_LINKINFO
);
640 return log_error_errno(r
, "Failed to open netlink container: %m");
642 r
= sd_netlink_message_open_container_union(m
, IFLA_INFO_DATA
, "ipvlan");
644 return log_error_errno(r
, "Failed to open netlink container: %m");
646 r
= sd_netlink_message_append_u16(m
, IFLA_IPVLAN_MODE
, IPVLAN_MODE_L2
);
648 return log_error_errno(r
, "Failed to add ipvlan mode: %m");
650 r
= sd_netlink_message_close_container(m
);
652 return log_error_errno(r
, "Failed to close netlink container: %m");
654 r
= sd_netlink_message_close_container(m
);
656 return log_error_errno(r
, "Failed to close netlink container: %m");
658 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
660 return log_error_errno(r
, "Failed to add new ipvlan interfaces: %m");
666 int veth_extra_parse(char ***l
, const char *p
) {
667 _cleanup_free_
char *a
= NULL
, *b
= NULL
;
670 r
= extract_first_word(&p
, &a
, ":", EXTRACT_DONT_COALESCE_SEPARATORS
);
673 if (r
== 0 || !ifname_valid(a
))
676 r
= extract_first_word(&p
, &b
, ":", EXTRACT_DONT_COALESCE_SEPARATORS
);
679 if (r
== 0 || !ifname_valid(b
)) {
689 r
= strv_push_pair(l
, a
, b
);
697 int remove_veth_links(const char *primary
, char **pairs
) {
698 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
702 /* In some cases the kernel might pin the veth links between host and container even after the namespace
703 * died. Hence, let's better remove them explicitly too. */
705 if (isempty(primary
) && strv_isempty(pairs
))
708 r
= sd_netlink_open(&rtnl
);
710 return log_error_errno(r
, "Failed to connect to netlink: %m");
712 remove_one_link(rtnl
, primary
);
714 STRV_FOREACH_PAIR(a
, b
, pairs
)
715 remove_one_link(rtnl
, *a
);