First byte of client ID is type, instead of value. See this from
RFC2132:
Code Len Type Client-Identifier
+-----+-----+-----+-----+-----+---
| 61 | n | t1 | i1 | i2 | ...
+-----+-----+-----+-----+-----+---
Signed-off-by: SilverBut <SilverBut@users.noreply.github.com>
Almost every first retry of DHCP will fail due to interface is not up. Add a
fast retry to reduce unnecessary latency.
Signed-off-by: SilverBut <SilverBut@users.noreply.github.com>
The new macspoofchk field is added to the bridge plugin to support
anti-mac-spoofing.
When the parameter is enabled, traffic is limited to the mac addresses
of the container interface (the veth peer that is placed in the
container ns).
Any traffic that exits the pod is checked against the source mac address
that is expected. If the mac address is different, the frames are
dropped.
The implementation is using nftables and should only be used on nodes
that support it.
Signed-off-by: Edward Haas <edwardh@redhat.com>
With this patch, when the IPs are provisioned via CNI args or via
`RuntimeConfig` the CIDR is only parsed once.
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
This commit addresses the scenarios when the invalid CIDR is
provisioned via:
- CNI_ARGS
- RuntimeConfig
Signed-off-by: Miguel Duarte Barroso <mdbarroso@redhat.com>
Controlling the mac address of the interface (veth peer) in the
container is useful for functionalities that depend on the mac address.
Examples range from dynamic IP allocations based on an identifier (the
mac) and up to firewall rules (e.g. no-mac-spoofing).
Enforcing a mac address at an early stage and not through a chained
plugin assures the configuration does not have wrong intermediate
configuration. This is especially critical when a dynamic IP may be
provided already in this period.
But it also has implications for future abilities that may land on the
bridge plugin, e.g. supporting no-mac-spoofing.
The field name used (`mac`) fits with other plugins which control the
mac address of the container interface.
The mac address may be specified through the following methods:
- CNI_ARGS
- Args
- RuntimeConfig [1]
The list is ordered by priority, from lowest to higher. The higher
priority method overrides any previous settings.
(e.g. if the mac is specified in RuntimeConfig, it will override any
specifications of the mac mentioned in CNI_ARGS or Args)
[1] To use RuntimeConfig, the network configuration should include the
`capabilities` field with `mac` specified (`"capabilities": {"mac": true}`).
Signed-off-by: Edward Haas <edwardh@redhat.com>
Now that the flannel CNI plugin has been moved to
https://github.com/flannel-io/cni-plugin, we should remove it from here.
Signed-off-by: Casey Callendrello <cdc@redhat.com>
- support v2 api
- unify v1 and v2 api
BREAKING CHANGE:
- remove `HcnPolicyArgs` field
- merge `HcnPolicyArgs` into `Policies` field
Signed-off-by: thxcode <thxcode0824@gmail.com>
Check tableID not in use for every ipCfg
This allows SBR plugin to accommodate for multi-ip interfaces
Fixes #581
Signed-off-by: Anurag Dwivedi <anuragensemble1@gmail.com>
Since the CNI Spec bump to v1.0 the tuning plugin no longer updates the
mac address in the cni result for 0.4.0 or below configs. I don't think
this ever worked when the cni result was converted to a different version.
A test has been added to ensure it is working for all spec versions.
Signed-off-by: Paul Holzinger <paul.holzinger@web.de>
This adds support to allow the tuning plugin to enable/disable the
allmulticast mode of the interface. When enabled it instructs the
network driver to retrieve all multicast packets from the network.
Signed-off-by: Björn Svensson <bjorn.a.svensson@est.tech>
Move default table routes which match the ipCfg config
This allows SBR plugin to accommodate for multi-ip interfaces
Fixes #581
Signed-off-by: Anurag Dwivedi <anuragensemble1@gmail.com>
