1 /* SPDX-License-Identifier: LGPL-2.1+ */
5 #include <linux/veth.h>
10 #include "sd-netlink.h"
12 #include "alloc-util.h"
13 #include "ether-addr-util.h"
14 #include "lockfile-util.h"
15 #include "missing_network.h"
16 #include "netif-naming-scheme.h"
17 #include "netlink-util.h"
18 #include "nspawn-network.h"
19 #include "parse-util.h"
20 #include "siphash24.h"
21 #include "socket-netlink.h"
22 #include "socket-util.h"
23 #include "stat-util.h"
24 #include "string-util.h"
26 #include "udev-util.h"
29 #define HOST_HASH_KEY SD_ID128_MAKE(1a,37,6f,c7,46,ec,45,0b,ad,a3,d5,31,06,60,5d,b1)
30 #define CONTAINER_HASH_KEY SD_ID128_MAKE(c3,c4,f9,19,b5,57,b2,1c,e6,cf,14,27,03,9c,ee,a2)
31 #define VETH_EXTRA_HOST_HASH_KEY SD_ID128_MAKE(48,c7,f6,b7,ea,9d,4c,9e,b7,28,d4,de,91,d5,bf,66)
32 #define VETH_EXTRA_CONTAINER_HASH_KEY SD_ID128_MAKE(af,50,17,61,ce,f9,4d,35,84,0d,2b,20,54,be,ce,59)
33 #define MACVLAN_HASH_KEY SD_ID128_MAKE(00,13,6d,bc,66,83,44,81,bb,0c,f9,51,1f,24,a6,6f)
34 #define SHORTEN_IFNAME_HASH_KEY SD_ID128_MAKE(e1,90,a4,04,a8,ef,4b,51,8c,cc,c3,3a,9f,11,fc,a2)
36 static int remove_one_link(sd_netlink
*rtnl
, const char *name
) {
37 _cleanup_(sd_netlink_message_unrefp
) sd_netlink_message
*m
= NULL
;
43 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_DELLINK
, 0);
45 return log_error_errno(r
, "Failed to allocate netlink message: %m");
47 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, name
);
49 return log_error_errno(r
, "Failed to add netlink interface name: %m");
51 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
52 if (r
== -ENODEV
) /* Already gone */
55 return log_error_errno(r
, "Failed to remove interface %s: %m", name
);
60 static int generate_mac(
61 const char *machine_name
,
62 struct ether_addr
*mac
,
71 l
= strlen(machine_name
);
72 sz
= sizeof(sd_id128_t
) + l
;
76 v
= newa(uint8_t, sz
);
78 /* fetch some persistent data unique to the host */
79 r
= sd_id128_get_machine((sd_id128_t
*) v
);
83 /* combine with some data unique (on this host) to this
84 * container instance */
85 i
= mempcpy(v
+ sizeof(sd_id128_t
), machine_name
, l
);
88 memcpy(i
, &idx
, sizeof(idx
));
91 /* Let's hash the host machine ID plus the container name. We
92 * use a fixed, but originally randomly created hash key here. */
93 result
= htole64(siphash24(v
, sz
, hash_key
.bytes
));
95 assert_cc(ETH_ALEN
<= sizeof(result
));
96 memcpy(mac
->ether_addr_octet
, &result
, ETH_ALEN
);
98 /* see eth_random_addr in the kernel */
99 mac
->ether_addr_octet
[0] &= 0xfe; /* clear multicast bit */
100 mac
->ether_addr_octet
[0] |= 0x02; /* set local assignment bit (IEEE802) */
105 static int set_alternative_ifname(sd_netlink
*rtnl
, const char *ifname
, const char *altifname
) {
114 if (strlen(altifname
) >= ALTIFNAMSIZ
)
115 return log_warning_errno(SYNTHETIC_ERRNO(ERANGE
),
116 "Alternative interface name '%s' for '%s' is too long, ignoring",
119 r
= rtnl_set_link_alternative_names_by_ifname(&rtnl
, ifname
, STRV_MAKE(altifname
));
121 return log_warning_errno(r
,
122 "Failed to set alternative interface name '%s' to '%s', ignoring: %m",
131 const char *ifname_host
,
132 const char *altifname_host
,
133 const struct ether_addr
*mac_host
,
134 const char *ifname_container
,
135 const struct ether_addr
*mac_container
) {
137 _cleanup_(sd_netlink_message_unrefp
) sd_netlink_message
*m
= NULL
;
143 assert(ifname_container
);
144 assert(mac_container
);
146 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
148 return log_error_errno(r
, "Failed to allocate netlink message: %m");
150 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, ifname_host
);
152 return log_error_errno(r
, "Failed to add netlink interface name: %m");
154 r
= sd_netlink_message_append_ether_addr(m
, IFLA_ADDRESS
, mac_host
);
156 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
158 r
= sd_netlink_message_open_container(m
, IFLA_LINKINFO
);
160 return log_error_errno(r
, "Failed to open netlink container: %m");
162 r
= sd_netlink_message_open_container_union(m
, IFLA_INFO_DATA
, "veth");
164 return log_error_errno(r
, "Failed to open netlink container: %m");
166 r
= sd_netlink_message_open_container(m
, VETH_INFO_PEER
);
168 return log_error_errno(r
, "Failed to open netlink container: %m");
170 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, ifname_container
);
172 return log_error_errno(r
, "Failed to add netlink interface name: %m");
174 r
= sd_netlink_message_append_ether_addr(m
, IFLA_ADDRESS
, mac_container
);
176 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
178 r
= sd_netlink_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
180 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
182 r
= sd_netlink_message_close_container(m
);
184 return log_error_errno(r
, "Failed to close netlink container: %m");
186 r
= sd_netlink_message_close_container(m
);
188 return log_error_errno(r
, "Failed to close netlink container: %m");
190 r
= sd_netlink_message_close_container(m
);
192 return log_error_errno(r
, "Failed to close netlink container: %m");
194 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
196 return log_error_errno(r
, "Failed to add new veth interfaces (%s:%s): %m", ifname_host
, ifname_container
);
198 (void) set_alternative_ifname(rtnl
, ifname_host
, altifname_host
);
203 /* This is almost base64char(), but not entirely, as it uses the "url and filename safe" alphabet, since we
204 * don't want "/" appear in interface names (since interfaces appear in sysfs as filenames). See section #5
206 static char urlsafe_base64char(int x
) {
207 static const char table
[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
208 "abcdefghijklmnopqrstuvwxyz"
210 return table
[x
& 63];
213 static int shorten_ifname(char *ifname
) {
214 char new_ifname
[IFNAMSIZ
];
218 if (strlen(ifname
) < IFNAMSIZ
) /* Name is short enough */
221 if (naming_scheme_has(NAMING_NSPAWN_LONG_HASH
)) {
224 /* Calculate 64bit hash value */
225 h
= siphash24(ifname
, strlen(ifname
), SHORTEN_IFNAME_HASH_KEY
.bytes
);
227 /* Set the final four bytes (i.e. 32bit) to the lower 24bit of the hash, encoded in url-safe base64 */
228 memcpy(new_ifname
, ifname
, IFNAMSIZ
- 5);
229 new_ifname
[IFNAMSIZ
- 5] = urlsafe_base64char(h
>> 18);
230 new_ifname
[IFNAMSIZ
- 4] = urlsafe_base64char(h
>> 12);
231 new_ifname
[IFNAMSIZ
- 3] = urlsafe_base64char(h
>> 6);
232 new_ifname
[IFNAMSIZ
- 2] = urlsafe_base64char(h
);
234 /* On old nspawn versions we just truncated the name, provide compatibility */
235 memcpy(new_ifname
, ifname
, IFNAMSIZ
-1);
237 new_ifname
[IFNAMSIZ
- 1] = 0;
239 /* Log the incident to make it more discoverable */
240 log_warning("Network interface name '%s' has been changed to '%s' to fit length constraints.", ifname
, new_ifname
);
242 strcpy(ifname
, new_ifname
);
246 int setup_veth(const char *machine_name
,
248 char iface_name
[IFNAMSIZ
],
251 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
252 struct ether_addr mac_host
, mac_container
;
257 assert(machine_name
);
261 /* Use two different interface name prefixes depending whether
262 * we are in bridge mode or not. */
263 n
= strjoina(bridge
? "vb-" : "ve-", machine_name
);
264 r
= shorten_ifname(n
);
266 a
= strjoina(bridge
? "vb-" : "ve-", machine_name
);
268 r
= generate_mac(machine_name
, &mac_container
, CONTAINER_HASH_KEY
, 0);
270 return log_error_errno(r
, "Failed to generate predictable MAC address for container side: %m");
272 r
= generate_mac(machine_name
, &mac_host
, HOST_HASH_KEY
, 0);
274 return log_error_errno(r
, "Failed to generate predictable MAC address for host side: %m");
276 r
= sd_netlink_open(&rtnl
);
278 return log_error_errno(r
, "Failed to connect to netlink: %m");
280 r
= add_veth(rtnl
, pid
, n
, a
, &mac_host
, "host0", &mac_container
);
284 u
= if_nametoindex(n
); /* We don't need to use resolve_ifname() here because the
285 * name we assigned is always the main name. */
287 return log_error_errno(errno
, "Failed to resolve interface %s: %m", n
);
289 strcpy(iface_name
, n
);
293 int setup_veth_extra(
294 const char *machine_name
,
298 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
303 assert(machine_name
);
306 if (strv_isempty(pairs
))
309 r
= sd_netlink_open(&rtnl
);
311 return log_error_errno(r
, "Failed to connect to netlink: %m");
313 STRV_FOREACH_PAIR(a
, b
, pairs
) {
314 struct ether_addr mac_host
, mac_container
;
316 r
= generate_mac(machine_name
, &mac_container
, VETH_EXTRA_CONTAINER_HASH_KEY
, idx
);
318 return log_error_errno(r
, "Failed to generate predictable MAC address for container side of extra veth link: %m");
320 r
= generate_mac(machine_name
, &mac_host
, VETH_EXTRA_HOST_HASH_KEY
, idx
);
322 return log_error_errno(r
, "Failed to generate predictable MAC address for host side of extra veth link: %m");
324 r
= add_veth(rtnl
, pid
, *a
, NULL
, &mac_host
, *b
, &mac_container
);
334 static int join_bridge(sd_netlink
*rtnl
, const char *veth_name
, const char *bridge_name
) {
335 _cleanup_(sd_netlink_message_unrefp
) sd_netlink_message
*m
= NULL
;
342 bridge_ifi
= resolve_interface(&rtnl
, bridge_name
);
346 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_SETLINK
, 0);
350 r
= sd_rtnl_message_link_set_flags(m
, IFF_UP
, IFF_UP
);
354 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, veth_name
);
358 r
= sd_netlink_message_append_u32(m
, IFLA_MASTER
, bridge_ifi
);
362 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
369 static int create_bridge(sd_netlink
*rtnl
, const char *bridge_name
) {
370 _cleanup_(sd_netlink_message_unrefp
) sd_netlink_message
*m
= NULL
;
373 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
377 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, bridge_name
);
381 r
= sd_netlink_message_open_container(m
, IFLA_LINKINFO
);
385 r
= sd_netlink_message_open_container_union(m
, IFLA_INFO_DATA
, "bridge");
389 r
= sd_netlink_message_close_container(m
);
393 r
= sd_netlink_message_close_container(m
);
397 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
404 int setup_bridge(const char *veth_name
, const char *bridge_name
, bool create
) {
405 _cleanup_(release_lock_file
) LockFile bridge_lock
= LOCK_FILE_INIT
;
406 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
413 r
= sd_netlink_open(&rtnl
);
415 return log_error_errno(r
, "Failed to connect to netlink: %m");
418 /* We take a system-wide lock here, so that we can safely check whether there's still a member in the
419 * bridge before removing it, without risking interference from other nspawn instances. */
421 r
= make_lock_file("/run/systemd/nspawn-network-zone", LOCK_EX
, &bridge_lock
);
423 return log_error_errno(r
, "Failed to take network zone lock: %m");
427 bridge_ifi
= join_bridge(rtnl
, veth_name
, bridge_name
);
430 if (bridge_ifi
!= -ENODEV
|| !create
|| n
> 10)
431 return log_error_errno(bridge_ifi
, "Failed to add interface %s to bridge %s: %m", veth_name
, bridge_name
);
433 /* Count attempts, so that we don't enter an endless loop here. */
436 /* The bridge doesn't exist yet. Let's create it */
437 r
= create_bridge(rtnl
, bridge_name
);
439 return log_error_errno(r
, "Failed to create bridge interface %s: %m", bridge_name
);
441 /* Try again, now that the bridge exists */
445 int remove_bridge(const char *bridge_name
) {
446 _cleanup_(release_lock_file
) LockFile bridge_lock
= LOCK_FILE_INIT
;
447 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
451 /* Removes the specified bridge, but only if it is currently empty */
453 if (isempty(bridge_name
))
456 r
= make_lock_file("/run/systemd/nspawn-network-zone", LOCK_EX
, &bridge_lock
);
458 return log_error_errno(r
, "Failed to take network zone lock: %m");
460 path
= strjoina("/sys/class/net/", bridge_name
, "/brif");
462 r
= dir_is_empty(path
);
463 if (r
== -ENOENT
) /* Already gone? */
466 return log_error_errno(r
, "Can't detect if bridge %s is empty: %m", bridge_name
);
467 if (r
== 0) /* Still populated, leave it around */
470 r
= sd_netlink_open(&rtnl
);
472 return log_error_errno(r
, "Failed to connect to netlink: %m");
474 return remove_one_link(rtnl
, bridge_name
);
477 int test_network_interface_initialized(const char *name
) {
478 _cleanup_(sd_device_unrefp
) sd_device
*d
= NULL
;
480 char ifi_str
[2 + DECIMAL_STR_MAX(int)];
482 if (path_is_read_only_fs("/sys"))
485 /* udev should be around. */
487 ifi
= resolve_interface_or_warn(NULL
, name
);
491 sprintf(ifi_str
, "n%i", ifi
);
492 r
= sd_device_new_from_device_id(&d
, ifi_str
);
494 return log_error_errno(r
, "Failed to get device %s: %m", name
);
496 r
= sd_device_get_is_initialized(d
);
498 return log_error_errno(r
, "Failed to determine whether interface %s is initialized: %m", name
);
500 return log_error_errno(SYNTHETIC_ERRNO(EBUSY
), "Network interface %s is not initialized yet.", name
);
502 r
= device_is_renaming(d
);
504 return log_error_errno(r
, "Failed to determine the interface %s is being renamed: %m", name
);
506 return log_error_errno(SYNTHETIC_ERRNO(EBUSY
), "Interface %s is being renamed.", name
);
511 int move_network_interfaces(int netns_fd
, char **ifaces
) {
512 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
516 if (strv_isempty(ifaces
))
519 r
= sd_netlink_open(&rtnl
);
521 return log_error_errno(r
, "Failed to connect to netlink: %m");
523 STRV_FOREACH(i
, ifaces
) {
524 _cleanup_(sd_netlink_message_unrefp
) sd_netlink_message
*m
= NULL
;
527 ifi
= resolve_interface_or_warn(&rtnl
, *i
);
531 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_SETLINK
, ifi
);
533 return log_error_errno(r
, "Failed to allocate netlink message: %m");
535 r
= sd_netlink_message_append_u32(m
, IFLA_NET_NS_FD
, netns_fd
);
537 return log_error_errno(r
, "Failed to append namespace fd to netlink message: %m");
539 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
541 return log_error_errno(r
, "Failed to move interface %s to namespace: %m", *i
);
547 int setup_macvlan(const char *machine_name
, pid_t pid
, char **ifaces
) {
548 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
553 if (strv_isempty(ifaces
))
556 r
= sd_netlink_open(&rtnl
);
558 return log_error_errno(r
, "Failed to connect to netlink: %m");
560 STRV_FOREACH(i
, ifaces
) {
561 _cleanup_(sd_netlink_message_unrefp
) sd_netlink_message
*m
= NULL
;
562 _cleanup_free_
char *n
= NULL
, *a
= NULL
;
563 struct ether_addr mac
;
566 ifi
= resolve_interface_or_warn(&rtnl
, *i
);
570 r
= generate_mac(machine_name
, &mac
, MACVLAN_HASH_KEY
, idx
++);
572 return log_error_errno(r
, "Failed to create MACVLAN MAC address: %m");
574 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
576 return log_error_errno(r
, "Failed to allocate netlink message: %m");
578 r
= sd_netlink_message_append_u32(m
, IFLA_LINK
, ifi
);
580 return log_error_errno(r
, "Failed to add netlink interface index: %m");
582 n
= strjoin("mv-", *i
);
586 r
= shorten_ifname(n
);
588 a
= strjoin("mv-", *i
);
593 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, n
);
595 return log_error_errno(r
, "Failed to add netlink interface name: %m");
597 r
= sd_netlink_message_append_ether_addr(m
, IFLA_ADDRESS
, &mac
);
599 return log_error_errno(r
, "Failed to add netlink MAC address: %m");
601 r
= sd_netlink_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
603 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
605 r
= sd_netlink_message_open_container(m
, IFLA_LINKINFO
);
607 return log_error_errno(r
, "Failed to open netlink container: %m");
609 r
= sd_netlink_message_open_container_union(m
, IFLA_INFO_DATA
, "macvlan");
611 return log_error_errno(r
, "Failed to open netlink container: %m");
613 r
= sd_netlink_message_append_u32(m
, IFLA_MACVLAN_MODE
, MACVLAN_MODE_BRIDGE
);
615 return log_error_errno(r
, "Failed to append macvlan mode: %m");
617 r
= sd_netlink_message_close_container(m
);
619 return log_error_errno(r
, "Failed to close netlink container: %m");
621 r
= sd_netlink_message_close_container(m
);
623 return log_error_errno(r
, "Failed to close netlink container: %m");
625 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
627 return log_error_errno(r
, "Failed to add new macvlan interfaces: %m");
629 (void) set_alternative_ifname(rtnl
, n
, a
);
635 int setup_ipvlan(const char *machine_name
, pid_t pid
, char **ifaces
) {
636 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
640 if (strv_isempty(ifaces
))
643 r
= sd_netlink_open(&rtnl
);
645 return log_error_errno(r
, "Failed to connect to netlink: %m");
647 STRV_FOREACH(i
, ifaces
) {
648 _cleanup_(sd_netlink_message_unrefp
) sd_netlink_message
*m
= NULL
;
649 _cleanup_free_
char *n
= NULL
, *a
= NULL
;
652 ifi
= resolve_interface_or_warn(&rtnl
, *i
);
656 r
= sd_rtnl_message_new_link(rtnl
, &m
, RTM_NEWLINK
, 0);
658 return log_error_errno(r
, "Failed to allocate netlink message: %m");
660 r
= sd_netlink_message_append_u32(m
, IFLA_LINK
, ifi
);
662 return log_error_errno(r
, "Failed to add netlink interface index: %m");
664 n
= strjoin("iv-", *i
);
668 r
= shorten_ifname(n
);
670 a
= strjoin("iv-", *i
);
675 r
= sd_netlink_message_append_string(m
, IFLA_IFNAME
, n
);
677 return log_error_errno(r
, "Failed to add netlink interface name: %m");
679 r
= sd_netlink_message_append_u32(m
, IFLA_NET_NS_PID
, pid
);
681 return log_error_errno(r
, "Failed to add netlink namespace field: %m");
683 r
= sd_netlink_message_open_container(m
, IFLA_LINKINFO
);
685 return log_error_errno(r
, "Failed to open netlink container: %m");
687 r
= sd_netlink_message_open_container_union(m
, IFLA_INFO_DATA
, "ipvlan");
689 return log_error_errno(r
, "Failed to open netlink container: %m");
691 r
= sd_netlink_message_append_u16(m
, IFLA_IPVLAN_MODE
, IPVLAN_MODE_L2
);
693 return log_error_errno(r
, "Failed to add ipvlan mode: %m");
695 r
= sd_netlink_message_close_container(m
);
697 return log_error_errno(r
, "Failed to close netlink container: %m");
699 r
= sd_netlink_message_close_container(m
);
701 return log_error_errno(r
, "Failed to close netlink container: %m");
703 r
= sd_netlink_call(rtnl
, m
, 0, NULL
);
705 return log_error_errno(r
, "Failed to add new ipvlan interfaces: %m");
707 (void) set_alternative_ifname(rtnl
, n
, a
);
713 int veth_extra_parse(char ***l
, const char *p
) {
714 _cleanup_free_
char *a
= NULL
, *b
= NULL
;
717 r
= extract_first_word(&p
, &a
, ":", EXTRACT_DONT_COALESCE_SEPARATORS
);
720 if (r
== 0 || !ifname_valid(a
))
723 r
= extract_first_word(&p
, &b
, ":", EXTRACT_DONT_COALESCE_SEPARATORS
);
726 if (r
== 0 || !ifname_valid(b
)) {
736 r
= strv_push_pair(l
, a
, b
);
744 int remove_veth_links(const char *primary
, char **pairs
) {
745 _cleanup_(sd_netlink_unrefp
) sd_netlink
*rtnl
= NULL
;
749 /* In some cases the kernel might pin the veth links between host and container even after the namespace
750 * died. Hence, let's better remove them explicitly too. */
752 if (isempty(primary
) && strv_isempty(pairs
))
755 r
= sd_netlink_open(&rtnl
);
757 return log_error_errno(r
, "Failed to connect to netlink: %m");
759 remove_one_link(rtnl
, primary
);
761 STRV_FOREACH_PAIR(a
, b
, pairs
)
762 remove_one_link(rtnl
, *a
);
projects / thirdparty / systemd.git / blob