Conversation
|
l2tp's local address can be either ipv4 or ipv6 or one of 'auto, 'static' or 'dynamic' (for networkd) so the question is how to do that - reuse local and remote keys and move all verification to validate_tunnel() or have separate keys or even separate sections (not include them in "tunnels") |
|
Tunnel address validation was reworked to allow for hostnames, ports and keywords. Dummy interfaces were added so that empty bridges can be forced up on networkd (by adding a dummy). This is now feature-complete as far as I'm concerned. Please review the general idea. |
|
No way to test l2tp due to https://github.com/lxc/lxd/issues/5439 at the moment. Request overall review. |
cyphermox
left a comment
cyphermox
left a comment
There was a problem hiding this comment.
- is it a good idea to put them into tunnels section at all
No issues at all, those do make sense as tunnels.
-
l2tp has interesting format for local_ip, so what should be done:
Steve, what do you think? I think it would be best to keep the same key, but parse it differently for that tunnel type. -
wireguard has (optional) endpoint, should the remote key be reused for that?
One more for Steve. Reusing 'remote' seems like the most straightforward, but it might be confusing if common parlance for wireguard is to refer this as "endpoint" only. -
coverage does not exclude glib, the results are useless (bionic). any tips?
Coverage reports work fine here and automated through codecov. Have you run 'make check-coverage'? This should generate a proper html report for you under test-coverage/C/; and it only contains the relevant bits.
Could you please add unit tests that test the various changes to config generation you made so we can be sure there are no regressions in other parts of the code than to handle tunnels? Then I'll gladly write integration tests, with your input on what would be a good way to test these (with lxd or without).
| : netplan ID of the underlying device definition on which this VLAN gets | ||
| created. | ||
|
|
||
| ## Properties for device type ``dummies:`` |
There was a problem hiding this comment.
Please keep dummy interfaces separate, those are unrelated to L2TP / Wireguard tunnels.
Also, you couldn't know about this beforehand, but I have some different plans on how to address this particular device type :)
There was a problem hiding this comment.
What I mean by this is that it probably should be in a completely separate PR, since it's not directly related to tunnels.
There was a problem hiding this comment.
Well, yes, I agree it doesn't belong here. It just was slapped on top in hurry, because of how systemd-networkd refuses to up the bridge interface if it doesn't contain at least one other interface.
Can you share your plans?
|
In the current form it reuses local/remote for l2tp and wireguard. In wireguard it also parses 'endpoint' as equivalent to 'remote' because I think this minimizes confusion. re coverage - yes, I run check-coverage (btw it's broken on gcc8, but that's another topic) The result on master branch looks like due to what I suspect i'd just make a container with identical setup to codecov if I only knew what setup they have EDIT: ok, it sort of works on xenial, so I'll use this for the time being. |
|
On Wed, Mar 20, 2019 at 10:13:48AM -0700, Mathieu Trudel-Lapierre wrote:
- l2tp has interesting format for local_ip, so what should be done:
Steve, what do you think? I think it would be best to keep the same
key, but parse it differently for that tunnel type.
I agree that we should extend the existing key to accept these additional
values and define the schema as such; and reject these additional values
when used on a tunnel type that does not support them.
I see that the default value is defined as 'auto'. Arguably that is already
the default for other tunnel types that do not support this as an explicit
value, and we should accept this value for all tunnel types.
- wireguard has (optional) endpoint, should the remote key be reused for
that?
One more for Steve. Reusing 'remote' seems like the most
straightforward, but it might be confusing if common parlance for
wireguard is to refer this as "endpoint" only.
I think it's preferable to be consistent with the schema for tunnels and use
'remote', not conform to the tunnel-specific terms.
We might consider allowing 'endpoint' as an alias for 'remote'.
…--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer https://www.debian.org/
[email protected] [email protected]
|
|
Since this was split to separate PRs, I think we might want to close this. Either me or Lukas will look at the new ones in the nearest time. Thanks! |
4 participants
Description
preliminary.
add wireguard and l2tp support.
questions:
Checklist
make checksuccessfully.make check-coverage).