From 369b413beab047f64fd38b1eb8d128dc3d86b54e Mon Sep 17 00:00:00 2001 From: Milan Lenco Date: Mon, 24 Jun 2024 17:06:10 +0200 Subject: [PATCH] Try to generalize the concept of default route probing to any static route Signed-off-by: Milan Lenco --- proto/config/netcmn.proto | 1 + proto/config/netinst.proto | 111 +++++++++++++++++++------------------ proto/info/info.proto | 35 ++++++++++-- 3 files changed, 86 insertions(+), 61 deletions(-) diff --git a/proto/config/netcmn.proto b/proto/config/netcmn.proto index 928ff178..c5a4fbc0 100644 --- a/proto/config/netcmn.proto +++ b/proto/config/netcmn.proto @@ -124,6 +124,7 @@ enum ConnectivityProbeMethod { // Try to establish TCP connection with the probed endpoint to determine the connectivity // status. CONNECTIVITY_PROBE_METHOD_TCP = 2; + // TODO: Consider adding support for BFD probing. } // Configuration for user-defined connectivity-testing probe. diff --git a/proto/config/netinst.proto b/proto/config/netinst.proto index 762749a2..ab133186 100644 --- a/proto/config/netinst.proto +++ b/proto/config/netinst.proto @@ -82,51 +82,48 @@ message IPRoute { string destination_network = 1; // Gateway IP address. // This must be a valid IP address and can not be all-zeroes. + // At least one of 'gateway' or 'port' (see below) must be defined (both can be set). + // This can be an external gateway IP or an IP address of one of the apps connected + // to the network instance. string gateway = 2; + // Output device port for the routed traffic. + // Either a single NI port referenced by its name (SystemAdapter.Name, aka logical label) + // or an adapter shared-label matching zero or more NI ports (multipath routing). + // Can be used additionally to or instead of `gateway` to determine the next hop + // and the output network interface for the destination network. + // At least one of 'gateway' or 'port' must be defined. + // Since 'port' refers to one or more physical network adapters, it is not applicable + // to routes where gateway points to another application running on EVE. + // If shared label is used, EVE will pick one of the matched ports using connectivity + // probing (if enabled, see 'probe' below) or randomly. Note that load-balancing is + // not yet supported and EVE always picks at most one port. + // Note that if `gateway` is defined, only ports with subnets containing the gateway + // IP will be considered. + string port = 3; + // Periodically probe remote endpoint to determine connectivity status of every port + // selected for the route (by the 'port' label, see above). One of the ports with + // a working connectivity is then picked for the route (preferring the currently + // used one if any). + // Provides automatic fail-over between ports. + // If 'port' is not defined or references only a single port (e.g. directly by + // the logical label), probing is skipped (nothing to fail-over to anyway). + PortProbe probe = 4; + // TODO: Add config for multipath load-balancing. + // For now we will assume that load-balancing is disabled and EVE will always pick + // one port for multipath route. } // Configuration for port connectivity probe. message PortProbe { - // EVE uses ICMP ping against the port's gateway IP to determine connectivity status. - // Use disable_gw_ping to switch off this probing method. This is typically needed - // when the gateway router is configured to drop/ignore ICMP pings and therefore - // this probe would return false negatives. - bool disable_gw_ping = 1; + // Use ICMP ping towards the port's gateway IP to determine connectivity status. + // Avoid using this probe method if the gateway router is configured to drop/ignore + // ICMP pings and therefore this probe would return false negatives. + bool enable_gw_ping = 1; // User-defined method to use to determine the port connectivity status. - // Run additionally to gateway pings (unless turned off by disable_gw_ping). - // If probe method and endpoint are not specified and the port is marked as management, - // EVE will try to run HTTP GET request against the controller's URL. - // For app-shared ports there is no alternative default probing mechanism other than - // pinging the gateway IP. + // Run additionally to gateway pings (if enabled). ConnectivityProbe custom_probe = 3; } -// DefaultRouteSelection defines how local network instance picks the default route -// when it has multiple ports assigned. -message DefaultRouteSelection { - // Either a single NI port referenced by its name (SystemAdapter.Name, aka logical label) - // or an adapter shared-label matching zero or more NI ports (NI ports containing this label - // in SystemAdapter.SharedLabels). - // Empty default_port matches all NI ports. - // Currently, load-balancing is not supported and thus even if default_port matches multiple - // NI ports, EVE will pick only one of them for the default route. The selection is based on - // probing (if enabled, see below) or random (preferring the currently used one if any). - string default_port = 1; - // Probe remote endpoint to determine connectivity status of each port and pick one - // with a working connectivity (and known gateway IP) for the default route (preferring - // the currently used one if any). - // Provides automatic fail-over between ports. - // Probes NI ports, potentially further filtered down by default_port label (see above). - // If default_port references single port (e.g. directly by the logical label), probing - // is skipped (nothing to fail-over to anyway). - PortProbe probe = 2; - // TODO: Add config for load-balancing, applied when multiple ports match the criteria - // for the default route selection (matching default_port label and have working - // connectivity or probing is disabled). - // For now we will assume that load-balancing is disabled and EVE will always pick - // one port for the default route. -} - // Configuration for the Spanning Tree Protocol (STP), which is run for switch network // instance when the port label matches multiple network ports. message SpanningTreeProtocol { @@ -168,18 +165,20 @@ message NetworkInstanceConfig { // Local network instance will apply IP routes configured for the matched ports (either // statically or via DHCP) to select the next hop and the output port for the given flow. // Traffic not matching any link-local, statically-configured, or DHCP-received route, - // will be routed according to the default route, which is selected based on the - // defaultRouteSelection algorithm (see below). + // will be routed according to the default route. Unless user configures a static default + // route with customized output port selection, EVE will pick one of the ports for + // the default route by periodic probing. First, NI ports are filtered down to those with + // a known gateway IP. Then probing is used to determine connectivity status. For management + // ports, EVE checks the gateway IP reachability using ICMP pings and controller reachability + // with TCP connect to :443. For app-shared ports, only ICMP pings of the + // gateway IP are performed. EVE then picks port with a working connectivity, preferring + // the currently used one. Add a static default route (see 'static_routes" below) to customize + // the output port selection algorithm. Adapter port = 20; - // DefaultRouteSelection defines how local network instance picks the default route - // when it has multiple ports assigned. - // Not used with switch network instance. - DefaultRouteSelection default_route_selection = 21; - // Configuration for the Spanning Tree Protocol (STP), which is run for switch network // instance when the port label matches multiple network ports. - SpanningTreeProtocol stp = 22; + SpanningTreeProtocol stp = 21; // cfg - Used to pass some feature-specific configuration to the // network instance. For Ex: Lisp, StriongSwan etc @@ -191,14 +190,14 @@ message NetworkInstanceConfig { // network ip specification // Note that ip.gateway must be a valid IP address and can not be all-zeroes. // To suppress automatic propagation of the default route into apps, configure network - // instance as air-gapped (without uplink) or mark the uplink as app-shared - // (not for management) and ensure that it will not get a default route - // (e.g. set ip.gateway of the attached NetworkConfig to all-zeroes IP). + // instance as air-gapped (without port) or mark all NI ports as app-shared + // (not for management) and ensure that they will not get a default route + // (e.g. set ip.gateway of the attached NetworkConfig(s) to all-zeroes IP). ipspec ip = 40; // static DNS entry, if we are running DNS/DHCP service repeated ZnetStaticDNSEntry dns = 41; - // Enable to use DHCP to automatically propagate routes for uplink subnets + // Enable to use DHCP to automatically propagate routes for port subnets // into applications connected to them indirectly through local network instances. // This option is only valid for local network instances. For other types // of network instances, it will be ignored. @@ -219,8 +218,8 @@ message NetworkInstanceConfig { // // Note that the default route (with the bridge IP as the gateway) is automatically // propagated to connected applications, unless network instance is air-gapped - // (without uplink) or the uplink is app-shared (not management) and does not have - // a default route of its own. In both cases, it is possible to enforce default + // (without port) or all NI ports are app-shared (not management) and neither + // of them has a default route. In both cases, it is possible to enforce default // route propagation by configuring a static default route for the network instance. // // For more info on static and connected routes please refer to: @@ -260,10 +259,12 @@ message NetworkInstanceConfig { // instances, the user can run his own external DHCP server in the network with the MTU // option configured. // Please note that application traffic leaving or entering the device via a network - // adapter associated with the network instance is additionally limited by the MTU - // value of the adapter, configured within the NetworkConfig object (refer to netconfig.proto). - // If the configured network instance MTU differs from the network adapter MTU, EVE will - // flag the network instance with an error and use the adapter's MTU for the network - // instance instead (to prevent traffic from being dropped or fragmented inside EVE). + // adapter associated with the network instance is additionally limited by MTU values + // of NI ports, configured within their NetworkConfig objects (refer to netconfig.proto). + // If the configured network instance MTU is higher than MTU of any of the NI ports, + // EVE will flag the network instance with an error and use the lowest MTU among + // all the NI ports for the network instance instead. This is to prevent apps from sending + // packets exceeding the path MTU. Packets entering NI via port with a higher MTU and with + // size exceeding the NI MTU will get fragmented inside EVE (if allowed by IP header). uint32 mtu = 44; } diff --git a/proto/info/info.proto b/proto/info/info.proto index a679bf64..57493416 100644 --- a/proto/info/info.proto +++ b/proto/info/info.proto @@ -1044,8 +1044,9 @@ message ZInfoNetworkInstance { // Current uplink interface in use by this NI. // Deprecated - network instance can be associated with multiple device ports, // not just one. To find out which ports are being used by network instance, - // read the reported field "ports" instead (see below). Additionally, ports - // with the default route enabled are reported in the field "default_ports". + // read the reported field "ports" instead (see below). Additionally, "routes" + // informs about the routes configured for the NI and which ports are currently + // used to route the traffic out (this includes info for the default route) string CurrentUplinkIntf = 10 [deprecated = true]; // User defined namestring alias to this CurrentUplinkIntf. // Deprecated for the same reason as CurrentUplinkIntf. Additionally, logical @@ -1055,10 +1056,6 @@ message ZInfoNetworkInstance { // Ports are referenced by logical labels. // Empty if network instance is air-gapped. repeated string ports = 12; - // List of device ports with the default route enabled. - // Ports are referenced by logical labels. - // Until EVE supports load-balancing, this list will always contain at most one port. - repeated string default_ports = 13; uint32 bridgeNum = 20; string bridgeName = 21; string bridgeIPAddr = 22; @@ -1087,6 +1084,32 @@ message ZInfoNetworkInstance { // used and reported here if the configured MTU is invalid or conflicts with the MTU // of the associated device port (see NetworkInstanceConfig.mtu in netinst.proto). uint32 mtu = 42; + + // Global routes configured for the network instance (i.e. does not include link-local + // routes). + // This includes user-defined static routes (NetworkInstanceConfig.static_routes). + // Note that some user-defined static routes might not be applied (and thus not reported + // here) if they do not match IP config of currently used device ports. + // Additionally, static routes with shared port labels (matching multiple ports) + // are reported here each with the logical label of the (single) port, currently selected + // for the route by probing (see PortProbe). + IPRoute routes = 43; +} + +// Info about IP route configured for a network instance. +message IPRoute { + // Destination network address in the CIDR format: / + string destination_network = 1; + // Gateway IP address. + string gateway = 2; + // Logical label of the output device port for the routed traffic. + // Empty if the gateway is IP address of one of the applications. In that case, + // 'gateway_app' is defined instead. + string port = 3; + // UUID of the application used as the gateway for the route. + // Empty if the gateway is external (not one of the apps but outside of the device). + // In that case, 'port' is defined instead. + string gateway_app = 4; } message UsageInfo {