
Flush addresses from bridge members
Closed, Resolved, Public

Description

Currently there are no checks on interfaces that are to be added to a bridge; they are simply added to the bridge regardless of their configuration.

Bridge members should not have any addresses. If a bridge member has an address, the outgoing packets from the router for those addresses will leave the interface directly, but all packets coming in to the router will be directed up to the bridge. While this technically may work if rp_filter is disabled, it's asymmetric behavior that's not wanted.

There are several possible solutions:
a) if an interface has any assigned addresses and the user is adding it to a bridge, raise a ConfigError.

This is the simplest fix, but may cause old systems that had invalid configurations (interfaces with addresses that were bridge members at the same time) to fail to boot. How common this invalid configuration is in live systems, I don't know.

b) remove all addresses from the interface while adding it to the bridge, keeping them stored in the interface's class instance, and restore them when removing it.

This would add two functions to ifconfig/interface.py: flush_addrs, which would delete all addresses from the physical interface but keep them in the interface instance's 'self._addr' list, and restore_addrs, which restores all the addresses from self._addr.

This would be a more universal solution that would not fail to boot with invalid configs. The bridge script would call these two functions on member add/remove. A warning could be added in verify() if any member has any address assigned.

Since IPv6 link-local addresses are a special case, they'd need to be flushed and re-added separately from all config-defined addresses, and flushing them would produce no warning.

This depends on T2362 (https://github.com/vyos/vyos-1x/pull/371) as that corrects the handling of IPv6 link-local addresses on all interfaces.
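A sketch of option b), added here as an illustration and not taken from vyos-1x: the names flush_addrs, restore_addrs and self._addr come from the description above, while the class name, the `_ll_addr` list and the `run` callback are hypothetical. Commands are recorded rather than executed so the behaviour can be inspected offline.

```python
import ipaddress

class BridgeMemberIface:
    """Hypothetical stand-in for an interface class; not VyOS code."""
    def __init__(self, ifname, run):
        self.ifname = ifname
        self._run = run        # assumption: callable that executes one command
        self._addr = []        # config-defined addresses, kept across a flush
        self._ll_addr = []     # IPv6 link-local addresses, tracked separately
        self._flushed = False

    @staticmethod
    def _is_v6_link_local(addr):
        ip = ipaddress.ip_interface(addr).ip
        return ip.version == 6 and ip.is_link_local

    def add_addr(self, addr):
        store = self._ll_addr if self._is_v6_link_local(addr) else self._addr
        if addr in store:
            return
        store.append(addr)
        if not self._flushed:  # while bridged, only remember the address
            self._run(f'ip addr add {addr} dev {self.ifname}')

    def flush_addrs(self):
        """Delete all addresses from the kernel but keep them in the instance.
        Returns the config-defined ones so the caller can warn about them."""
        if self._flushed:
            return []
        for addr in self._addr + self._ll_addr:
            self._run(f'ip addr del {addr} dev {self.ifname}')
        self._flushed = True
        return list(self._addr)

    def restore_addrs(self):
        if self._flushed:
            self._flushed = False
            for addr in self._ll_addr + self._addr:
                self._run(f'ip addr add {addr} dev {self.ifname}')

def demo():
    cmds = []                  # constructed: record commands instead of running
    eth1 = BridgeMemberIface('eth1', cmds.append)
    eth1.add_addr('192.0.2.1/24')
    eth1.add_addr('fe80::1/64')
    warn = eth1.flush_addrs()  # member added to bridge
    eth1.add_addr('2001:db8::1/64')  # configured while bridged: stored only
    eth1.restore_addrs()       # member removed from bridge
    return warn, cmds
```

The list returned by flush_addrs contains only config-defined addresses, so a caller can warn about those while flushing link-local addresses silently.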

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Behavior change
Issue type: Improvement (missing useful functionality)