ifupdown-ng / ifupdown-ng

flexible ifup/ifdown implementation

Bridge and VRF dependency error

EasyNetDev opened this issue · comments

interfaces.d/01-vrf:

auto vrf1
iface vrf1
    vrf-table 110

interfaces.d/15-bridge:

auto lan1
iface lan1
    use bridge
    bridge-stp off
    bridge-fd 2
    vrf vrf1

Then the bridge executor is failing with:

# ifup lan1
RTNETLINK answers: Invalid argument
cat: /sys/class/net/lan1/brif/vrf1/state: No such file or directory
can't add vrf1 to bridge lan1: Invalid argument

Adding an export > /tmp/$IFACE-bridge.txt command to the executor, I noticed this:

# cat /tmp/lan1-bridge.txt
export IFACE='lan1'
export IF_ADDRESSES=''
export IF_BRIDGE_FD='2'
export IF_BRIDGE_PORTS='vrf1 '
export IF_BRIDGE_STP='off'
export IF_GATEWAYS=''
export IF_REQUIRES='vrf1'
export IF_USE='vrf'
export IF_VRF_MEMBER='vrf1'
export INTERFACES_FILE='/etc/network/interfaces'
export METHOD='none'
export MODE='start'
export PHASE='post-up'
export PWD='/etc/network/interfaces.d'

The debug output of ifup -v lan1:

ifupdown: vrf1: attempting to run link executor for phase depend
/usr/libexec/ifupdown-ng/link
+ is_vlan
+ [ -z  ]
+ return 1
+ [  = veth -a  ]
ifupdown: vrf1: attempting to run vrf executor for phase depend
/usr/libexec/ifupdown-ng/vrf
+ echo
+ exit 0
ifup: acquiring lock on /run/ifstate.lan1.lock
ifup: changing state of interface lan1 to 'up'
ifupdown: skipping dependent interface vrf1 (of lan1) -- already configured
ifupdown: lan1: attempting to run link executor for phase create
...
ifupdown: vrf1: attempting to run vrf executor for phase depend
/usr/libexec/ifupdown-ng/vrf
+ echo
+ exit 0
..
ifupdown: skipping dependent interface vrf1 (of lan1) -- already configured
ifupdown: lan1: attempting to run link executor for phase create
/usr/libexec/ifupdown-ng/link
+ [  = dummy ]
+ [  = veth ]
+ is_vlan
+ [ -z  ]
+ return 1
ifupdown: lan1: attempting to run bridge executor for phase create
/usr/libexec/ifupdown-ng/bridge
+ export
+ PORTS=vrf1
+ [ vrf1  -a ! -d /sys/class/net/lan1 ]
+ ip link add lan1 type bridge
ifupdown: lan1: attempting to run vrf executor for phase create
/usr/libexec/ifupdown-ng/vrf
+ [ -n  ]
+ exit 0
ifupdown: lan1: attempting to run link executor for phase pre-up
/usr/libexec/ifupdown-ng/link
ifupdown: lan1: attempting to run bridge executor for phase pre-up
/usr/libexec/ifupdown-ng/bridge
+ export
+ PORTS=vrf1
+ [ vrf1  ]
+ wait_ports
+ local timeout= waitports=
+ [ -z  ]
+ return 0
+ set_bridge_opts
+ [ -x /sbin/bridge ]
+ set_bridge_opts_iproute2
+ [ -n  ]
+ [ -n  ]
+ [ -n 2 ]
+ ip link set dev lan1 type bridge forward_delay 2
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n off ]
+ yesno off
+ echo 0
+ ip link set dev lan1 type bridge stp 0
+ [ -n  ]
+ [ -x /sbin/brctl ]
+ set_bridge_opts_brctl
+ [ -n  ]
+ [ -n  ]
+ [ -n 2 ]
+ brctl setfd lan1 2
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n  ]
+ [ -n off ]
+ brctl stp lan1 off
+ return 0
+ set_bridge_vlans
+ [  ]
+ configure_trunk_port lan1 self
+ port=lan1
+ self=self
+ [ self ]
+ allow_untagged=
+ pvid=
+ vids=
+ yesno
+ echo 0
+ [  -a 0 = 0 ]
+ [  ]
+ add_ports
+ local port=
+ [ -n  ]
+ ip link set dev vrf1 master lan1
RTNETLINK answers: Invalid argument
+ set_bridge_port_vlans
+ ifquery -p bridge-access vrf1
+ access_vlan=
+ [  ]
+ configure_trunk_port vrf1
+ port=vrf1
+ self=
+ [  ]
+ ifquery -p bridge-allow-untagged vrf1
+ allow_untagged=
+ ifquery -p bridge-pvid vrf1
+ pvid=
+ ifquery -p bridge-vids vrf1
+ vids=
+ yesno
+ echo 0
+ [  -a 0 = 0 ]
+ [  ]
+ wait_bridge
+ local timeout=
+ [ -z  ]
+ find_maxwait
+ awk {printf("%.f\n", 2 * $0 / 100); } /sys/class/net/lan1/bridge/forward_delay
+ timeout=4
+ ip link set dev lan1 up
+ all_ports_ready
+ local port=
+ cat /sys/class/net/lan1/brif/vrf1/state
cat: /sys/class/net/lan1/brif/vrf1/state: No such file or directory
+ return 0
ifupdown: lan1: attempting to run vrf executor for phase pre-up
/usr/libexec/ifupdown-ng/vrf
+ [ -n vrf1 ]
+ handle_member
+ /sbin/ip link set lan1 master vrf1
+ exit 0
/bin/run-parts /etc/network/if-pre-up.d
can't add vrf1 to bridge lan1: Invalid argument
ifupdown: lan1: attempting to run link executor for phase up
/usr/libexec/ifupdown-ng/link
+ IF_LINK_OPTIONS=
+ [ -n  ]
+ [ -n  ]
+ ip link set up dev lan1
+ [  ]
ifupdown: lan1: attempting to run bridge executor for phase up
/usr/libexec/ifupdown-ng/bridge
+ export
+ PORTS=vrf1
ifupdown: lan1: attempting to run vrf executor for phase up
/usr/libexec/ifupdown-ng/vrf
+ exit 0
/bin/run-parts /etc/network/if-up.d
ifupdown: lan1: attempting to run link executor for phase post-up
/usr/libexec/ifupdown-ng/link
ifupdown: lan1: attempting to run bridge executor for phase post-up
/usr/libexec/ifupdown-ng/bridge
+ export
+ PORTS=vrf1
ifupdown: lan1: attempting to run vrf executor for phase post-up
/usr/libexec/ifupdown-ng/vrf
+ exit 0

I don't understand why the VRF interface is added in the bridge-ports members.

Found the issue.

Armbian comes by default with these tools installed:
ifupdown, ifenslave, vlan, bridge-utils.

You need to remove ALL these tools if you are using ifupdown-ng: apt remove bridge-utils ifenslave vlan and apt purge bridge-utils ifenslave vlan

The error is still present in the script. I had to add:

if [ "$IF_VRF_MEMBER" = "$port" ]; then continue; fi

in functions:
add_ports() {
del_ports() {
all_ports_ready() {
set_bridge_port_vlans() {

This is to prevent the bridge executor from adding the VRF interface under the master bridge interface.
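
The guard described in the comment above, as an added sketch that is not part of the original thread and is not ifupdown-ng's own code. The function names `filter_bridge_ports` and `plan_add_ports` are hypothetical, the input values are constructed from the environment dump in the issue, and the commands are only printed, not run:

```shell
#!/bin/sh
# Added example, not ifupdown-ng code. Dry run only: no interface is touched.

# Print the port list in $1 with the VRF master named in $2 removed.
# An empty $2 (no VRF configured) leaves the list unchanged.
filter_bridge_ports() {
    ports=$1 vrf=$2 out=
    for port in $ports; do
        # Same comparison as the guard in the issue: skip the VRF master.
        if [ -n "$vrf" ] && [ "$port" = "$vrf" ]; then continue; fi
        out="${out:+$out }$port"
    done
    printf '%s\n' "$out"
}

# Print the enslave commands an add_ports-style loop would issue for
# bridge $1, port list $2 and VRF master $3.
plan_add_ports() {
    bridge=$1
    for port in $(filter_bridge_ports "$2" "$3"); do
        printf 'ip link set dev %s master %s\n' "$port" "$bridge"
    done
}

# Constructed values mirroring the dump: IF_BRIDGE_PORTS='vrf1 ', IF_VRF_MEMBER='vrf1'.
# With the guard, no "ip link set dev vrf1 master lan1" is planned.
plan_add_ports lan1 'vrf1 ' vrf1

# Constructed mixed case: a real port (eth0 is an assumed name) next to the VRF master.
plan_add_ports lan1 'eth0 vrf1 ' vrf1
```
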

I think the problem is actually in the VRF scripts.

It should just ignore bridge interfaces for setting the VRF up, as bridge interfaces are not routed, so setting a VRF on a bridge interface is expected to return EINVAL.

> I think the problem is actually in the VRF scripts.
>
> It should just ignore bridge interfaces for setting the VRF up, as bridge interfaces are not routed, so setting a VRF on a bridge interface is expected to return EINVAL.

That's not necessarily true. A bridge interface can have members as well as an IP and be the router of an L2 segment. So there might be use cases to do L3 termination on a bridge interface and put that into a VRF :)

> I think the problem is actually in the VRF scripts.
>
> It should just ignore bridge interfaces for setting the VRF up, as bridge interfaces are not routed, so setting a VRF on a bridge interface is expected to return EINVAL.

Not true. You can also set a bridge interface as an L3 interface.
There are several situations where you use a bridge interface as L3: connecting VLANs in a bridge and using the bridge as the routing interface.
For example, OpenWRT and a lot of routers use the bridge interface as an L3 interface.
In my case I'm using VLANs under the main bridge interface, and I'm adding that specific subinterface under the VRF.

So, yes, a bridge can be an L3 routed interface under a VRF.