Will using netlink interface to add/remove ports to VLANs update the HW ?

Userlevel 1
I need to dynamically add / remove switch ports from vlan, change their PVID and all of that dynamically.

I was planning to use pyroute2 for this (which essentially uses netlink like the 'ip' and 'bridge' CLI utilities), but I need to know if this will dynamically update the hardware fabric.

Modifying the /etc/network/interface file each time and calling ifreload -a seems like a very heavy operation, so I'd like to avoid that ...

To give a bit of background, I'm thinking about implementing an 802.1x daemon myself and so I would put all interfaces in a default guest vlan on boot, then for each port, dynamically switch its vlan depending on the RADIUS attribute I get back after auth (and potentially also enabling some tagged vlan).

6 replies

Userlevel 5
In this case, it is possible that pyroute2 may work, but do not fear the code behind ifreload as all that does is take a diff and load the changes. If you would like to post a sample of your code, we can give it a test.
Userlevel 4
To answer your other question, "does using Netlink update the hardware?" Yes it does. The ip, brctl commands used by ifupdown2 are eventually going to be shifted to direct calls via netlink someday anyways. For more info see the recent presentation from one of our IFUPDOWN2 devs --> https://wiki.cumulusnetworks.com/display/SAL/Ansible+-+Host+Specific
Userlevel 1
@Scott : No real code atm, I'm just evaluating feasibility. I don't have the hw to try yet (ordered ... just need to wait 2 weeks now arghh :p)

@Eric : Ok great. Then it should "just work".

I can't see that presentation, btw, it asks for a login / password and the credentials I use to login to this forum don't seem to work.
Userlevel 4
Try this link... here is direct video from the conference --> https://debconf16.debconf.org/talks/114/ still trying to track down where the slides are publicly posted.
Eric Pulvino wrote:

Try this link... here is direct video from the conference --> https://debconf16.debconf.org/talks...

This is the link Julien shared:
Userlevel 1
To give a bit of a status update :

I finally got a real hw switch and did some testing and so far everything is working as expected. I did a "proof of concept".

* I use RAW socket interface directly on the swp interface and this worked fine to speak _only_ to that port and not any other.
* I did all the EAPOL wrapping/unwrapping into RADIUS packet to the authentication backend in python using py-radius
* I change the 'master' of the swp interface depending on auth results between a guest vlan and auth vlan

And this gives me a minimal 802.1x support 🙂

Currently it's just a hack and not even close to production ready, but I'll be cleaning it up in my spare time to hopefully get something much more usable and that respects the real 802.1x-2010 PAE/PACP state machine.

But all in all, I'm very happy that the openness pays off : when something isn't supported natively, you can just add it !
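The port-move step discussed in this thread, as an added example that is not part of the original posts or the poster's code: it maps a RADIUS result to a bridge, failing closed to the guest bridge, and changes the port's master over netlink with pyroute2. The bridge names, the VLAN allow-list, the attribute dictionary layout and the sample replies are assumptions made for illustration.

```python
# Added example. GUEST_BRIDGE, ALLOWED_VLANS and the attrs layout are assumptions.
GUEST_BRIDGE = "br-guest"
ALLOWED_VLANS = {10: "br-vlan10", 20: "br-vlan20"}  # VLANs RADIUS may assign

def select_bridge(accepted, attrs):
    """Pick the bridge for a port after an auth attempt; anything odd means guest."""
    if not accepted:
        return GUEST_BRIDGE
    # RFC 3580 VLAN assignment: Tunnel-Type=VLAN (13), Tunnel-Medium-Type=802 (6)
    if attrs.get("Tunnel-Type") != 13 or attrs.get("Tunnel-Medium-Type") != 6:
        return GUEST_BRIDGE
    raw = attrs.get("Tunnel-Private-Group-ID", "")
    if isinstance(raw, bytes):
        raw = raw.decode("ascii", errors="replace")
    raw = str(raw).strip()
    if not (raw.isascii() and raw.isdigit()):
        return GUEST_BRIDGE
    # Never trust the server to name an arbitrary VLAN: allow-list only.
    return ALLOWED_VLANS.get(int(raw), GUEST_BRIDGE)

def move_port(port, bridge):
    """Enslave `port` to `bridge` via netlink (needs CAP_NET_ADMIN)."""
    from pyroute2 import IPRoute  # imported here so planning works without it
    with IPRoute() as ipr:
        port_idx = ipr.link_lookup(ifname=port)
        br_idx = ipr.link_lookup(ifname=bridge)
        if not port_idx or not br_idx:
            raise LookupError(f"missing interface: {port} or {bridge}")
        ipr.link("set", index=port_idx[0], master=br_idx[0])

# Constructed sample input: (port, Access-Accept?, reply attributes)
CONSTRUCTED_REPLIES = [
    ("swp1", True, {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                    "Tunnel-Private-Group-ID": "10"}),
    ("swp2", False, {}),                                  # Access-Reject
    ("swp3", True, {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
                    "Tunnel-Private-Group-ID": "999"}),   # not allow-listed
    ("swp4", True, {"Tunnel-Private-Group-ID": b"20"}),   # tunnel type missing
]

def plan(replies):
    """Return {port: bridge} without touching the kernel."""
    return {port: select_bridge(ok, attrs) for port, ok, attrs in replies}

if __name__ == "__main__":
    for port, bridge in plan(CONSTRUCTED_REPLIES).items():
        print(port, "->", bridge)  # call move_port(port, bridge) on a real switch
```

On link-down or reauthentication failure the same `move_port(port, GUEST_BRIDGE)` call returns the port to the guest bridge, so a port never stays in an authenticated VLAN after the supplicant is gone.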