- Introduction
- Interfaces
- Base Interface
- IP
- Multipath TCP
- Ethtool
- Ethtool feature
- Ethtool coalesce
- Ethtool ring
- LLDP
- Ethernet Interface
- SR-IOV
- Bond Interface
- VLAN Interface
- VxLAN Interface
- Linux Bridge Interface
- Linux Bridge Ports
- Linux Bridge Port VLAN
- OpenvSwitch Bridge Interface
- OpenvSwitch Bridge Ports
- OpenvSwitch Internal Interface
- OpenvSwitch Bridge Patch Interface
- Mac VTAP Interface
- Mac VLAN Interface
- IP over InfiniBand Interface
- Virtual Routing and Forwarding (VRF) Interface
- Linux Virtual Ethernet(veth) Interface
- IPsec Encryption
- Routes
- Route Rules
- DNS Resolver
- Hostname
- OpenvSwitch Database
- Interfaces
Nmstate provides a set of bindings for querying and applying the network state in the format of YAML.
For properties not mentioned desired state, nmstate will try to preserve current configuration unless changes required by other desired property.
For example, to create an OpenvSwitch bridge:
#!/usr/bin/python3
import yaml
import libnmstate
desire_state = """
interfaces:
- name: eth1
type: ethernet
state: up
- name: br0
type: ovs-bridge
state: up
bridge:
port:
- name: eth1
- name: br0
- name: br0
type: ovs-interface
state: up
"""
libnmstate.apply(yaml.load(desire_state, Loader=yaml.SafeLoader))// SPDX-License-Identifier: Apache-2.0
fn main() -> Result<(), Box<dyn std::error::Error>> {
let desire_state: nmstate::NetworkState = serde_yaml::from_str(
r#"---
interfaces:
- name: eth1
type: ethernet
state: up
- name: br0
type: ovs-bridge
state: up
bridge:
port:
- name: eth1
- name: br0
- name: br0
type: ovs-interface
state: up
"#,
)?;
desire_state.apply()?;
Ok(())
}TODO: provide example code for using C binding.
The interfaces section is a list, for those interface not mentioned in desire
state, nmstate will not modify it unless required(for example, bridge port list
changed).
There are many properties that are available for all kind of network interfaces. The example this is a desire state of base interface properties only:
interfaces:
- name: eth1
profile-name: wan0
type: ethernet
state: up
mac-address: 1C:FF:EE:DD:3B:D3
permanent-mac-address: 1C:FF:EE:DD:BB:D3
mtu: 1500
min-mtu: 256
max-mtu: 2304
wait-ip: any
accept-all-mac-addresses: falseBesides above example, we also have these properties:
controllercopy-mac-from
The name property is the name string used in kernel or user space tool(for
example OpenvSwitch bridge interface name only exist in its user space
database).
You may also use this format to refer a SR-IOV VF interface:
sriov:<pf_name>:<vf_id>
Please check this document for detail.
The type property is the type name of interface. Please read on to get all
supported interface types.
All possible states of interface are:
-
up: Indicate network backend is managing this interface and activated configuration of specified interface. -
down: Indicate network backend deactivate configuration of specified interface. -
ignore: Indicate network backend is ignoring this interface. When applying state with interface marked asignore, the verification will ignore this interface also. -
absent: Only used when applying to instruct network backend to delete configuration of specified interface, this might or might not lead to the deletion in kernel.
The description of the interface. This value can be configured to any string. For example:
---
interfaces:
- name: eth1
type: ethernet
state: up
description: "Main interface connected to switch S1"The profile name used by network backend. For example:
---
interfaces:
- name: eth1
profile-name: wan0
type: veth
state: up
identifier: mac-address
mac-address: 8A:8C:92:1A:F6:98The identifier property is only valid for applying or generating
configurations. The valid values are:
name: Default value. Specified configuration is applied to interface holding the specified interface name.mac-address: Specified configuration is applied to interface holding the specified MAC address.
The mac-address property holds the MAC address of this interface. Please be
aware the IP over InfiniBand interface have 20 bytes which result in a string
like:
20:00:55:04:01:FE:80:00:00:00:00:00:00:00:02:C9:02:00:23:13:92
The loopback interface will hold MAC address as 00:00:00:00:00:00.
When showing, nmstate use upper case string. When applying, it is case-insensitive.
For applying or generating configurations:
identifieris undefined oridentifier: name, interface will be changed to hold the specified MAC addressidentifier: mac-address, interface holding the specified MAC address will be used instead of interface name.
The permanent-mac-address property holds the MAC addresses stored in
firmware of network card which will be persistent after system rebooted.
This is query only property and will be ignored when applying.
The mtu value is the Maximum Transmission Unit of specified interface.
It should be in the range between min_mtu and max_mtu.
Available since 2.2.0.
The minimum MTU supported by specified interface.
This is query only property and will be ignored when applying.
Available since 2.2.0.
The maximum MTU supported by specified interface.
This is query only property and will be ignored when applying.
Available since 2.1.3.
The wait-ip property defines which IP stack should network backend wait
before considering the interface activation finished.
It supports these values:
any-- (Default value) The activation is considered done once IPv4 stack or IPv6 stack is configure.ipv4-- The activation is considered done once IPv4 stack is configured.ipv6-- The activation is considered done once IPv6 stack is configured.ipv4+ipv6-- The activation is considered done once both IPv4 and IPv6 stack are configured.
Available since 2.2.2.
The controller property defines the controller of the specified interface.
This property is hidden when querying and only used for controller attaching
and detaching. Setting as controller: '' means detaching from current
controller.
This property might conflict with port list of controller, an error will be trigger when it happens.
Example yaml for attaching eth1 to br0 interface:
---
interfaces:
- name: eth1
state: up
controller: br0The accept-all-mac-addresses properties is the boolean switch for enabling
the promiscuous mode of specified interface which causing the kernel
to accept ethernet packages even its destination MAC address is not for
current interface.
The apply only property copy-mac-from is for clone MAC address of other
interface.
For example, to create bridge using the MAC address of eth1:
---
interfaces:
- name: br0
type: linux-bridge
state: up
copy-mac-from: eth2
bridge:
port:
- name: eth2
- name: eth1Since 2.2.17, nmstate has introduced support of invoking dispatch script upon the activation and deactivation of interface.
For example, this desire state will instruct network backend to invoke
echo post-up-eth1 | systemd-cat after the interface is activated, and
echo post-down-eth1 | systemd-cat after the interface been deactivated.
---
interfaces:
- name: eth1
type: ethernet
state: up
dispatch:
post-activation: |
echo post-up-eth1 | systemd-cat
post-deactivation: |
echo post-down-eth1 | systemd-catSetting the post-activation or post-deactivation to empty string will
remove the dispatch scripts. Removing the interface using
state: absent also remove the dispatch scripts.
This is the example of interface with static IP addresses:
---
interfaces:
- name: eth1
state: up
ipv4:
enabled: true
dhcp: false
address:
- ip: 192.0.2.252
prefix-length: 24
mptcp-flags:
- signal
- subflow
- ip: 192.0.2.251
prefix-length: 24
mptcp-flags:
- signal
- subflow
ipv6:
enabled: true
autoconf: false
dhcp: false
address:
- ip: 2001:db8:2::1
prefix-length: 64
mptcp-flags:
- signal
- subflow
- ip: 2001:db8:1::1
prefix-length: 64
mptcp-flags:
- signal
- subflowThis is the example of interface with dynamic IP addresses:
---
interfaces:
- name: eth1
type: ethernet
state: up
ipv4:
enabled: true
dhcp: true
auto-dns: true
auto-gateway: true
auto-routes: true
auto-route-table-id: 0
auto-route-metric: 101
ipv6:
enabled: true
dhcp: true
autoconf: true
auto-dns: true
auto-gateway: true
auto-routes: true
auto-route-table-id: 0
auto-route-metric: 102
The enabled property is the boolean switch to enable and disable the whole IP
stack.
For IPv6 with enabled: false, the link local address will also be removed
from this interface.
If explicitly set to enabled: false, all other IP parameters will be ignored
and will not fail the verification.
The dhcp property is the boolean switch for DHCP on specified interface.
When set to dhcp: false for IPv4, these properties will be ignored and will
not fail the verification:
auto-dnsauto-gatewayauto-routesauto-route-table-idauto-route-metric
When dynamic configuration disabled(IPv4 dhcp off, IPv6 dhcp off and autoconf off), these properties will be ignored and will not fail the verification:
auto-dnsauto-gatewayauto-routesauto-route-table-idauto-route-metric
The autoconf property is the boolean switch for IPv6 autoconf via Router
Advertisement (RA).
Limitation:
- Currently nmstate does not allows
autoconf: trueanddhcp: false.
The address property holds a list of object for IP address which contains
these parameters:
ipprefix-lengthmptcp-flags-- Query only, list of MPTCP flag string.
The order of IP address will be preserved when applying to kernel.
The auto-dns property is the boolean switch for whether apply DNS
configurations retried from dynamic configuration method.
Set to true by default unless current state set to false explicitly.
The auto-routes property is the boolean switch for whether apply routes
entries(including default gateway) retried from dynamic configuration method.
Set to true by default unless current state set to false explicitly.
The auto-routes property is the boolean switch for whether apply default
gateway retried from dynamic configuration method.
Set to true by default unless current state set to false explicitly.
The auto-route-table-id property is the integer for route table ID of
the routes retried from dynamic configuration method.
If not mentioned in desire state or set to 0, nmstate will use the main table ID 254.
Available since nmstate 2.2.1.
The auto-route-metric property is the integer for route metric of
the routes retried from dynamic configuration method.
If not mentioned in desire state or set to -1, nmstate will let network backend to determine the metric.
Available since nmstate 2.2.0.
The mptcp section of interface holds the Multipath TCP interface level
flags, it will apply flags to all valid IP addresses(both static and dynamic).
Network backend might has its own rule on excusing special scope of IP
address, e.g. IPv6 multicast address.
For example:
---
interfaces:
- name: eth1
type: ethernet
state: up
mptcp:
address-flags:
- backup
- signal
ipv4:
enabled: true
dhcp: false
address:
- ip: 192.0.2.2
prefix-length: 24
The only supported property of mptcp section is address-flags for now.
The address-flags property holds the list of MPTCP flags which could be:
signalsubflowbackupfullmess
Limitations:
- Per IP address MPTCP flags is ignored with an warning message when different from interface level MPTCP flags.
- Cannot set
signalalong withfullmeshdue to kernel restriction. - If sysctl has
net.mptcp.enabledset to 0, NetworkManager cannot apply MPTCP flags. User will get an failure suggest them to use third-party tools. - Cannot reapply on MPTCP changes, full activation will invoked when MPTCP flags changed.
- When MPTCP not supported by NetworkManager, the query will hide interface level MPTCP flags even it been enabled by third party tool.
Available since 1.1.0
The ethtool section of interface holds the ethtool settings of network cards,
including these subsections.
feature-- configurable offload protocol and other featuresring-- RX/TX ring parameterscoalesce-- Coalescing parameters
This is the example query output of netdevsim interface:
interfaces:
- name: sim0
type: ethernet
state: up
ethtool:
pause:
rx: true
tx: true
autoneg: false
feature:
rx-gro: true
tx-nocache-copy: false
hw-tc-offload: false
rx-udp_tunnel-port-offload: true
tx-generic-segmentation: true
rx-udp-gro-forwarding: false
rx-gro-list: false
coalesce:
adaptive-rx: false
adaptive-tx: false
pkt-rate-high: 0
pkt-rate-low: 0
rx-frames: 0
rx-frames-high: 0
rx-frames-low: 0
rx-usecs: 0
rx-usecs-high: 0
rx-usecs-irq: 0
rx-usecs-low: 0
sample-interval: 0
stats-block-usecs: 0
tx-frames: 0
tx-frames-high: 0
tx-frames-irq: 0
tx-frames-low: 0
tx-usecs: 0
tx-usecs-high: 0
tx-usecs-irq: 0
tx-usecs-low: 0
ring:
rx: 0
rx-max: 4096
rx-jumbo: 0
rx-jumbo-max: 4096
rx-mini: 0
rx-mini-max: 4096
tx: 0
tx-max: 4096The feature subsection of ethtool holds the changeable features of
specified interface using feature name as key string and boolean as value.
Currently, nmstate support enable/disable features(if NIC support so):
esp-hw-offloadesp-tx-csum-hw-offloadtx-checksum-fcoe-crcfcoe-mtutx-checksum-ip-genericrx-grotx-checksum-ipv4tx-generic-segmentationtx-checksum-ipv6highdmatx-checksum-sctphw-tc-offloadtx-esp-segmentationl2-fwd-offloadtx-fcoe-segmentationloopbacktx-gre-csum-segmentationrx-lrotx-gre-segmentationmacsec-hw-offloadtx-gso-listrx-ntuple-filtertx-gso-partialrx-checksumtx-gso-robustrx-alltx-ipxip4-segmentationrx-fcstx-ipxip6-segmentationrx-gro-hwtx-nocache-copyrx-gro-listtx-scatter-gatherrx-hashingtx-scatter-gather-fraglistrx-udp-gro-forwardingtx-sctp-segmentationrx-udp_tunnel-port-offloadtx-tcp6-segmentationrx-vlan-hw-parsetx-tcp-ecn-segmentationrx-vlan-filtertx-tcp-mangleid-segmentationrx-vlan-stag-filtertx-tcp-segmentationrx-vlan-stag-hw-parsetx-tunnel-remcsum-segmentationtx-scatter-gathertx-udp-segmentationtls-hw-recordtx-udp_tnl-csum-segmentationtls-hw-rx-offloadtx-udp_tnl-segmentationtls-hw-tx-offloadtx-vlan-hw-inserttsotx-vlan-stag-hw-insert
Nmstate also support these aliases used by ethtool CLI tool:
rx--rx-checksumrx-checksumming--rx-checksumufo--tx-udp-fragmentationgso--tx-generic-segmentationgeneric-segmentation-offload--tx-generic-segmentationgro--rx-grogeneric-receive-offload--rx-grolro--rx-lrolarge-receive-offload--rx-lrorxvlan--rx-vlan-hw-parserx-vlan-offload--rx-vlan-hw-parsetxvlan--tx-vlan-hw-inserttx-vlan-offload--tx-vlan-hw-insertntuple--rx-ntuple-filterntuple-filters--rx-ntuple-filterrxhash--rx-hashingreceive-hashing--rx-hashing
The coalesce subsection supports these parameters:
adaptive-rx: booleanadaptive-tx: booleanpkt-rate-high: 32 bits unsigned integerpkt-rate-low: 32 bits unsigned integerrx-frames: 32 bits unsigned integerrx-frames-high: 32 bits unsigned integerrx-frames-low: 32 bits unsigned integerrx-usecs: 32 bits unsigned integerrx-usecs-high: 32 bits unsigned integerrx-usecs-irq: 32 bits unsigned integerrx-usecs-low: 32 bits unsigned integersample-interval: 32 bits unsigned integerstats-block-usecs: 32 bits unsigned integertx-frames: 32 bits unsigned integertx-frames-high: 32 bits unsigned integertx-frames-irq: 32 bits unsigned integertx-frames-low: 32 bits unsigned integertx-usecs: 32 bits unsigned integertx-usecs-high: 32 bits unsigned integertx-usecs-irq: 32 bits unsigned integertx-usecs-low: 32 bits unsigned integer
The ring subsection supports these parameters:
rxrx-maxrx-jumborx-jumbo-maxrx-minirx-mini-maxtxtx-max
All of them are 32 bits unsigned integer.
Indicate whether LLDP listener is enabled for the interface or not. The
property type is boolean.
The neighbors section of LLDP holds the parameter of each neighbor reported
by the LLDP listener. This parameters are read-only.
This is the TLV type reported as described in IEEE 802.1AB. The property type
is integer.
This is the TLV subtype reported as described in IEEE 802.1AB. The property
type is integer.
This is the organization code or oui as described in IEEE 802.1AB. The property
type is integer.
The ethernet section of interface holds the parameters of ethernet specific
configurations. For example:
---
interfaces:
- name: eth1
type: ethernet
state: up
ethernet:
speed: 10000
duplex: full
auto-negotiation: falseThe speed property is the integer speed in Mbps.
This property is ignored when applying if auto-negotiation: true.
The duplex property supports:
fullhalf
This property is ignored when applying if auto-negotiation: true.
The auto-negotiation property is the boolean switch for enabling
auto negotiation on speed and duplex.
Default to true.
The sr-iov is subsection of ethernet interface. For example:
---
interfaces:
- name: eth1
type: ethernet
state: up
ethernet:
sr-iov:
total-vfs: 2
vfs:
- id: 0
mac-address: 00:11:22:33:00:FF
spoof-check: true
trust: false
min-tx-rate: 0
max-tx-rate: 0
vlan-id: 0
qos: 0
- id: 1
mac-address: 00:11:22:33:00:EF
spoof-check: true
trust: false
min-tx-rate: 0
max-tx-rate: 0
vlan-id: 0
qos: 0The total-vfs property defines the SRIOV VF count of PF interface.
The vfs section holds VF specific settings:
id-- VF IDmac-address-- VF MAC addressspoof-check-- Whether spoof check is enabledtrust-- Is Privileged (trusted) VF or notmin-tx-ratemax-tx-ratevlan-idqosvlan-proto-- choice of802.1q(default) or802.1ad
Once the vfs section is defined in desire state, user is required to provide
all VFS configuration, nmstate will not merge it with current status.
The link-aggregation section of interface holds the parameters of bond
specific configurations. For example:
---
interfaces:
- name: bond99
type: bond
state: up
link-aggregation:
mode: balance-rr
options:
all_slaves_active: dropped
arp_all_targets: any
arp_interval: 0
arp_validate: none
downdelay: 0
lp_interval: 1
miimon: 100
min_links: 0
packets_per_slave: 1
primary_reselect: always
resend_igmp: 1
updelay: 0
use_carrier: true
port:
- eth1
- eth2The mode property defines the bond mode:
balance-rror 0active-backupor 1balance-xoror 2broadcastor 3802.3ador 4balance-tlbor 5balance-albor 6
Please check kernel document for detail meaning of each mode.
The options property of bond supports:
ad_actor_sys_prioad_actor_systemad_selectad_user_port_keyall_slaves_activearp_all_targetsarp_intervalarp_ip_targetarp_validatedowndelayfail_over_maclacp_ratelp_intervalmiimonmin_linksnum_grat_arpnum_unsol_napackets_per_slaveprimaryprimary_reselectresend_igmptlb_dynamic_lbupdelayuse_carrierxmit_hash_policybalance_slb
Please check kernel document for their allowed value and combinations.
The balance_slb is not kernel option of bond, but user space configuration,
only supported by nmstate 2.2.1+, NetworkManager 1.41+ on patched linux kernel.
The verification process of nmstate will ignore bond option miss-match.
The port property of bond defines a list of bond ports.
When defined in desire state, user is required to provide all bond ports.
You may use ports also for applying since 2.1.4.
The vlan section of interface holds the parameters of VLAN specific
configurations. For example:
---
interfaces:
- name: eth1.101
type: vlan
state: up
vlan:
base-iface: eth1
id: 101
protocol: 802.1qThe vlan sections contains two parameters:
base-iface: The parent interface name.id: VLAN ID integer.protocol:802.1q(default) or802.1ad
With nmstate 2.2.1+, when using Nmstate with NetworkManager backend, nmstate
can creating VLAN over unmanaged interface, hence if you never mention VLAN
parent in interfaces section of desired state, nmstate will not convert
VxLAN parent interface from unmanaged to managed.
For generate configuration(gc) mode, unmentioned VLAN parent will not
get automatically created interface profile.
The vxlan section of interface holds the parameters of VxLAN specific
configurations. For example:
interfaces:
- name: eth1.102
type: vxlan
state: up
ipv6:
enabled: true
vxlan:
base-iface: eth1
id: 102
remote: 192.0.2.251
local: 192.0.2.252
learning: false
destination-port: 1235The vxlan sections contains two parameters:
base-iface: The parent interface name.id: VLAN ID integer.remote: The destination IP address to use in outgoing packages when the destination link layer address is not known in the VxLAN device forwarding database. Could be unicast IP or multicast IP.destination-port: The UDP destination port.local: The source IP address for outgoing packages.learning: Whether store unknown link-layer address to forward database.
Currently, we only support VxLAN based on IEEE 802.1Q protocol.
With nmstate 2.2.1+, when using Nmstate with NetworkManager backend, nmstate
can creating VxLAN over unmanaged interface, if you never mention VxLAN parent
in interfaces section of desired state, nmstate will not convert VxLAN
parent interface from unmanaged to managed.
For generate configuration(gc) mode, unmentioned VxLAN parent will not
get automatically created interface profile.
The bridge section of interface could hold parameters of Linux Bridge
specific configurations. For example:
interfaces:
- name: br0
type: linux-bridge
state: up
bridge:
options:
gc-timer: 29657
group-addr: 01:80:C2:00:00:00
group-forward-mask: 0
group-fwd-mask: 0
hash-max: 4096
hello-timer: 0
mac-ageing-time: 300
multicast-last-member-count: 2
multicast-last-member-interval: 100
multicast-membership-interval: 26000
multicast-querier: false
multicast-querier-interval: 25500
multicast-query-interval: 12500
multicast-query-response-interval: 1000
multicast-query-use-ifaddr: false
multicast-router: auto
multicast-snooping: true
multicast-startup-query-count: 2
multicast-startup-query-interval: 3125
stp:
enabled: false
forward-delay: 15
hello-time: 2
max-age: 20
priority: 32768
vlan-protocol: 802.1q
port:
- name: eth1
stp-hairpin-mode: false
stp-path-cost: 100
stp-priority: 32The options subsection of Linux bridge interface bridge section holds these
options:
gc_timer: Integer. Ignored when applying.group-addr: String.group-forward-mask: Integer.group-fwd-mask: alias ofgroup-forward-mask.hash-max: Integer.hello-timer: Integer. Ignored when applying.mac-ageing-time: Integer.multicast-last-member-count: Integer.multicast-last-member-interval: Integer.multicast-membership-interval: Integer.multicast-querier: Boolean.multicast-querier-interval: Integer.multicast-query-interval: Integer.multicast-query-response-interval: Integer.multicast-query-use-ifaddr: Boolean.multicast-router:auto,disabledorenabled.multicast-snooping: Boolean.multicast-startup-query-count: Integer.multicast-startup-query-interval: Integer.vlan-default-pvid: Integer.stp:enabled: Boolean. Other STP options will be ignored if setfalse.forward-delay: Integerhello-time: Integermax-age: Integerpriority: Integer
vlan-protocol:802.1q(default) or802.1ad
The port subsection of bridge section defines a list of linux bridge ports.
Each linux bridge port contains these properties:
name: Interface name.stp-hairpin-mode: Boolean.stp-path-cost: Integer.stp-priority: Integer.vlan: Please checkLinux Bridge Port VLANsection.
The vlan subsection of port section of linux bridge holds the VLAN
filtering of linux bridge. For example:
---
interfaces:
- name: br0
type: linux-bridge
state: up
bridge:
port:
- name: eth1
vlan:
mode: trunk
trunk-tags:
- id: 101
- id-range:
min: 500
max: 599
tag: 100
enable-native: true
- name: eth2
vlan:
mode: trunk
trunk-tags:
- id: 500The vlan subsection holds these parameters:
mode:accessortrunktag: Integer. VLAN Tag for native VLAN.enable-native: Boolean. Enable native VLAN or not.trunk-tags: List of VLAN IDs or ID ranges:id: Integer.id-range:min: Minimum VLAN ID(inclusive).max: Maximum VLAN ID(inclusive).
When vlan section not defined in desire state when applying, current VLAN
filtering settings will be preserved for specified interface, once defined,
nmstate will override all VLAN filter settings of specified interface with
desired without merging from current.
The bridge section of could hold parameters of
OpenvSwitch(Short to OVS below) Bridge specific configurations. For example:
interfaces:
- name: br0
type: ovs-bridge
state: up
wait-ip: any
bridge:
options:
stp: false
rstp: false
mcast-snooping-enable: false
port:
- name: ovs0
- name: eth1The options subsection of OVS bridge interface bridge section holds these
options:
stp: Boolean.rstp: Boolean.mcast-snooping-enable: String.fail-mode: String.datapath: String. Only for DPDK.
The port subsection of bridge section defines a list of OVS bridge
interfaces.
There are three type of OVS interfaces:
internal: Represent the bridge itself in kernel.system: Interface exists in kernel and attached to this bridge.bond: OVS bond interface.
This is the example YAML contains these three OVS interface types.
- name: br0
type: ovs-bridge
state: up
bridge:
port:
- name: veth1
- name: ovs0
- name: bond1
link-aggregation:
mode: balance-slb
port:
- name: eth2
- name: eth1
vlan:
mode: access
tag: 100Each OVS interface config could have:
name: Stringlink-aggregation: Bond config.vlan: Vlan config. Please checkLinux Bridge Port VLANsection.
Below yaml could be used to enable DPDK using PCI device 0000:af:00.1:
---
interfaces:
- name: ovs0
type: ovs-interface
state: up
dpdk:
devargs: "0000:af:00.1"
rx-queue: 100
- name: br0
type: ovs-bridge
state: up
bridge:
options:
datapath: "netdev"
port:
- name: ovs0
ovs-db:
other_config:
dpdk-init: "true"Please refer to OpenvSwitch document for technical details.
The OVS internal interface is the virtual interface representing the OVS bridge in kernel. For example:
- name: ovs0
type: ovs-interface
state: up
mac-address: 92:7C:8B:BF:AA:D8
mtu: 1500
min-mtu: 68
max-mtu: 65535
wait-ip: any
ipv4:
enabled: false
ipv6:
enabled: falseThere is no special config for OVS internal interface.
The patch section of ovs-interface could be used for OVS bridge patching.
This is the example on using OVS patch interface to connect two OVS bridges:
---
interfaces:
- name: patch0
type: ovs-interface
state: up
patch:
peer: patch1
- name: ovs-br0
type: ovs-bridge
state: up
bridge:
port:
- name: patch0
- name: patch1
type: ovs-interface
state: up
patch:
peer: patch0
- name: ovs-br1
type: ovs-bridge
state: up
bridge:
port:
- name: patch1The mac-vtap section of mac-vtap interface defines configurations of
MAC VTAP interface.
For example:
interfaces:
- name: mac0
type: mac-vtap
state: up
mac-vtap:
base-iface: eth1
mode: passthru
promiscuous: trueThe mac-vtap section contains these parameters:
base-iface: String. Parent interface name.mode: String. Should bevepa,bridge,private,passthruorsource.promiscuous: Boolean.
The mac-vlan section of mac-vlan interface defines configurations of
MAC VLAN interface.
For example:
interfaces:
- name: mac0
type: mac-vlan
state: up
mac-vlan:
base-iface: eth1
mode: passthru
promiscuous: trueThe mac-vlan section contains these parameters:
base-iface: String. Parent interface name.mode: String. Should bevepa,bridge,private,passthruorsource.promiscuous: Boolean.
The infiniband section of infiniband interface defines configurations of
IP over InfiniBand Interface.
For example:
---
interfaces:
- name: ib2.8001
type: infiniband
state: up
mtu: 1280
infiniband:
pkey: "0x8001"
mode: "connected"
base-iface: "ib2"The infiniband sections contains these parameters:
pkey: String or integer. P-key of sub-interface. None and0xffffboth indicate the base interface.base-iface: Base interface name. Empty for base interface itself.mode:connectedordatagram.
The vrf section of vrf interface contains configurations of Linux kernel
Virtual Routing and Forwarding(VRF) interface. For example:
- name: vrf0
type: vrf
state: up
vrf:
port:
- eth1
- eth2
route-table-id: 100The vrf section contains:
port: List of String. VRF Ports.route-table-id: Which route table ID should this VRF attach to.
Besides holding configurations of Ethernet interface, the veth interface
could also hold veth section. For example:
---
interfaces:
- name: veth1
type: veth
state: up
veth:
peer: veth1peerNew feature in 2.2.21
Nmstate is using Libreswan daemon and
NetworkManager-libreswan for IPsec encryption communication.
This is an example of X509 based authentication IPsec connection:
---
interfaces:
- name: hosta_conn
type: ipsec
ipv4:
enabled: true
dhcp: true
libreswan:
right: 192.0.2.252
rightid: '@hostb.example.org'
left: 192.0.2.251
leftid: '%fromcert'
leftcert: hosta.example.org
ikev2: insistThe libreswan section, nmstate provides these properties:
ipsec-interface: String 'yes' or 'no' or unsigned integer.authby: Authentication method. Normally you don't need to set it.dpddelay: Integer.dpdtimeout: Integer.dpdaction: String.ikelifetime: String.salifetime: String.ikev2: String.ike: String.esp: String.right: String.rightid: String.rightrsasigkey: String.left: String.leftid: String.leftrsasigkey: String.leftcert: String.ikev2: String.psk: String. The Pre-Shared-Key. Please consider to use x509/PKI authentication in production system. In query, this property will be shown as<_password_hid_by_nmstate>for security concern.rightsubnet: String. Please explicitly set it when using in host-to-host mode.leftmodecfgclient: yes|no. Please explicitly set it tonowhen using in host-to-host mode.type:transportortunnel. Thetunnelis the default value if not defined.
Except the psk property, all other properties are libreswan specific options,
please refer to the manpage of ipsec.conf for detail meaning of them.
By default, nmstate will not create any virtual NIC representing the encrypted
communication, they can be check via ip xfrm policy command. The IP provided
by IPsec remote will be assigned the interface hosting the underneath network
flow.
If you prefer a logical interface holding encrypted communication, please set
ipsec-interface to 'yes' or a unsigned integer number, then a xfrm logical
interface named ipsec<number> will be created holding the IP retrieved from
IPsec remote.
You may also check IPsec example page for use cases.
The routes top section of network state contains two type routes:
-
running: Running effected routes containing route from universe or link scope, and only from these protocols:- boot (often used by
iproutecommand) - static
- ra
- dhcp
- mrouted
- keepalived
- babel
- boot (often used by
-
config: Static routes containing route from universe or link scope, and only from these protocols:- boot (often used by
iproutecommand) - static
- boot (often used by
For example:
routes:
running:
- destination: 0.0.0.0/0
next-hop-interface: eth1
next-hop-address: 192.0.2.1
table-id: 254
config:
- destination: 0.0.0.0/0
next-hop-interface: eth1
next-hop-address: 192.0.2.1
table-id: 254When applying, the running routes are ignored, the config routes in desire
state is appended to existing routes. To change or override existing
routes, you need to delete old route entry and add new one(could in single
desire state). For example, to change default gateway of eth1:
routes:
config:
- destination: 0.0.0.0/0
next-hop-interface: eth1
state: absent
- destination: 0.0.0.0/0
next-hop-address: 192.0.2.1
next-hop-interface: eth1The state: absent is used to delete all matching route entry. Below route
will delete all routes with next-hop-interface: eth1:
routes:
config:
- destination: 0.0.0.0/0
next-hop-interface: eth1
state: absentEach route entry could have these parameters:
state: Only set toabsentfor deleting matching routes when applying.destination: String. Mandatory for every non-absent routes.next-hop-interface: String. Mandatory for every non-absent routesnext-hop-address: String. When setting this as empty string for absent route, it will only delete routes withoutnext-hop-address.metric: Integer. Set to -1 for let backend decide.table-id: Integer. Set to 0 for main table id 254.cwnd: Integer. TCP congestion window. According to linux kernel, Thecwndproperty of route requires thelock cwndflag been set at the same time, otherwise thecwndwill take effect. Hence, on querying, nmstate treat routes withoutlock cwndflag as emptycwnd. When applying, nmstate backend always setlock cwnd. If you want to modify existingcwnd, like modifying other route properties, you need to mark old route asstate: absnetand append new route.
This is the example of IP route rule:
route-rules:
config:
- ip-from: 192.168.3.2/32
priority: 1000
route-table: 200
- ip-from: 2001:db8:b::/64
priority: 1000
route-table: 200
routes:
config:
- destination: 192.168.2.0/24
next-hop-interface: eth1
next-hop-address: 192.168.1.3
metric: 108
table-id: 200
- destination: 2001:db8:a::/64
next-hop-interface: eth1
next-hop-address: 2001:db8:1::2
metric: 108
table-id: 200Like routes, the route-rules is also using state: absent for partial
editing. For example:
---
route-rules:
config:
- ip-from: 192.168.3.2/32
route-table: 200
state: absentEach route rule entry could contains these parameters:
family:ipv4oripv6. Only used when you would like to dofrom any to anymatching.state: Only set toabsentfor deleting matching route rules.ip-from: String. When setting to empty string in absent route rule, it will only delete route rule withoutip-from.ip-to: String. When setting to empty string in absent route rule, it will only delete route rule withoutip-to.priority: Integer. Strongly suggested user to manually set priority to make sure route rule acting in desired order. If not defined, nmstate will add desired routes after existing route rules.route-table: Integer. Redirect matching packages to route table ID. Unset or 0 will be changed to main table ID 254.fwmark: Integer or hex string. Select thefwmarkvalue to match.fwmask: Integer or hex string. Select thefwmaskvalue to match.iif: String. New in version 2.2.2. Incoming interface name.action: New in version 2.2.2.blackholeorunreachableorprohibitor undefined.
The dns-resolver sections contains two sub-sections:
running: The running effective state. The DNS server might be from DHCP(IPv6 autoconf) or manual setup.config: The static saved DNS resolver config. When applying, if this not mentioned, current static DNS config will be preserved as it was. If defined, will override current static DNS config.
For example:
dns-resolver:
running:
server:
- 2001:4860:4860::8888
- 2001:4860:4860::8844
- 8.8.4.4
search:
- example.com
- example.org
config:
server:
- 2001:4860:4860::8888
- 2001:4860:4860::8844
- 8.8.4.4
search:
- example.com
- example.orgNetworkManager backend has two set of DNS configurations:
- Global DNS set by D-BUS interface or NetworkManager.conf.
- Interface DNS stored in NetworkManager connection as
ipv4.dnsoripv6.dns.
Nmstate will try to use global DNS via D-BUS interface call, and only use interface level DNS for any of these use case:
- Has IPv6 link-local address as name server: e.g.
fe80::deef:1%eth1 - User want static DNS server appended before dynamic one. In this case,
user should define
auto-dns: trueexplicitly along with static DNS. - User want to force DNS server stored in interface for static IP interface. This case, user need to state static DNS config along with static IP config.
To purge the static DNS configure, please use
dns-resolver:
config: {}Please check DNS feature page for YAML examples.
Only available on nmstate version 2.1.1+.
The hostname section contains these parameters:
running: The running active hostname.config: The saved static hostname.
For example:
hostname:
running: "c9sr"
config: "c9ss"To remove static hostname, please set running or config as empty string.
Nmstate supports two types of OpenvSwitch Database modification:
- Interface level
- Global level.
For Interface level, only external_ids is supported. For example:
---
interfaces:
- name: br0
type: ovs-bridge
state: up
bridge:
port:
- name: ovs0
- name: eth1
ovs-db:
external_ids:
gris: 10
- name: ovs0
type: ovs-interface
state: up
ovs-db:
external_ids:
gris: abc
- name: eth1
ovs-db:
external_ids:
gris: xyzFor global config, both external_ids and other_config are supported.
For example:
ovs-db:
other_config:
stats-update-interval: "1000"
external_ids:
ovn-localnet-bridge-mappings: "ovn-external:breth0"