Netplan does not provide "key" parameter to GRE tunnel configuration via systemd-networkd

Bug #1966476 reported by Thomas Dreibholz
This bug affects 1 person
Affects   Status          Importance   Assigned to   Milestone
netplan   Fix Committed   Medium       Unassigned
systemd   Fix Released    Unknown

Bug Description

The following example should configure a GRE tunnel between 172.16.4.2 and 172.16.1.2, with key 33490175. The effect should be the same as configuring it manually with:

sudo ip tunnel add test1 mode gre local 172.16.4.2 remote 172.16.1.2 key 33490175

However, the following Netplan configuration fails under Ubuntu 22.04 (latest development version, March 25, 2022):

network:
  version: 2
  renderer: networkd
  tunnels:
    gre1-255-255:
      mode: gre
      ttl: 255
      local: 172.16.4.2
      remote: 172.16.1.2
      key: 33490175
      addresses:
        - 172.20.82.94/30

Result of "sudo netplan generate": Error in network definition: gre1-255-255: 'input-key' is not required for this tunnel type

Note: There should be no input and output keys. There is just one single key!

Trying to change the configuration:
      keys:
        input: 33490175
      # key: 33490175

Result of "sudo netplan generate": Error in network definition: gre1-255-255: 'input-key' is not required for this tunnel type

Some investigation into the sources of Netplan (src/validation.c -> https://github.com/canonical/netplan/blob/main/src/validation.c):

static gboolean
validate_tunnel_backend_rules(NetplanNetDefinition* nd, yaml_node_t* node, GError** error)
{
    /* Backend-specific validation rules for tunnels */
    switch (nd->backend) {
        case NETPLAN_BACKEND_NETWORKD:
            switch (nd->tunnel.mode) {
                case NETPLAN_TUNNEL_MODE_VTI:
                case NETPLAN_TUNNEL_MODE_VTI6:
                case NETPLAN_TUNNEL_MODE_WIREGUARD:
                    break;

                /* TODO: Remove this exception and fix ISATAP handling with the
                 * networkd backend.
                 * systemd-networkd has grown ISATAP support in 918049a.
                 */
                case NETPLAN_TUNNEL_MODE_ISATAP:
                    return yaml_error(node, error,
                                      "%s: %s tunnel mode is not supported by networkd",
                                      nd->id,
                                      g_ascii_strup(tunnel_mode_to_string(nd->tunnel.mode), -1));
                    break;

                default:
                    if (nd->tunnel.input_key)
                        return yaml_error(node, error, "%s: 'input-key' is not required for this tunnel type", nd->id);
                    if (nd->tunnel.output_key)
                        return yaml_error(node, error, "%s: 'output-key' is not required for this tunnel type", nd->id);
                    break;
            }
            break;

It seems that the cases NETPLAN_TUNNEL_MODE_GRE and NETPLAN_TUNNEL_MODE_IP6GRE are missing for systemd-networkd. According to https://github.com/systemd/systemd/issues/12144, systemd-networkd should have supported configuration with keys for about 2 years.
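
Added example (not part of the original report and not netplan's code): a Python sketch of the relaxed rule the report asks for, rendering the reported tunnel as a systemd-networkd .netdev file with a Key= line in its [Tunnel] section. The function names, the KEYED_MODES set and the choice to emit Key= when both directions match are assumptions; the range check reflects the 32-bit width of the GRE key field.

```python
# Added illustration, not netplan source; all names here are hypothetical.
MAX_KEY = 0xFFFFFFFF  # the GRE key field is 32 bits wide
# VTI/VTI6 are already exempt in the quoted validation code; GRE/IP6GRE are
# the modes the report says are missing for the networkd backend.
KEYED_MODES = {"vti", "vti6", "gre", "ip6gre"}


def resolve_keys(name, tunnel):
    """Return (input_key, output_key); raise ValueError on a bad definition."""
    if "key" in tunnel:
        in_key = out_key = tunnel["key"]  # a single key covers both directions
    else:
        keys = tunnel.get("keys", {})
        in_key, out_key = keys.get("input"), keys.get("output")
    for label, value in (("input-key", in_key), ("output-key", out_key)):
        if value is None:
            continue
        if tunnel["mode"] not in KEYED_MODES:
            raise ValueError(f"{name}: '{label}' is not required for this tunnel type")
        if type(value) is not int or not 0 <= value <= MAX_KEY:
            raise ValueError(f"{name}: '{label}' must be an integer in 0..{MAX_KEY}")
    return in_key, out_key


def render_netdev(name, tunnel):
    """Render the systemd-networkd .netdev text for one tunnel definition."""
    in_key, out_key = resolve_keys(name, tunnel)
    lines = ["[NetDev]", f"Name={name}", f"Kind={tunnel['mode']}", "", "[Tunnel]",
             f"Local={tunnel['local']}", f"Remote={tunnel['remote']}"]
    if "ttl" in tunnel:
        lines.append(f"TTL={tunnel['ttl']}")
    if in_key is not None and in_key == out_key:
        lines.append(f"Key={in_key}")  # same key in both directions
    else:
        if in_key is not None:
            lines.append(f"InputKey={in_key}")
        if out_key is not None:
            lines.append(f"OutputKey={out_key}")
    return "\n".join(lines) + "\n"


# Tunnel from the report, written as a dict (constructed from its YAML).
REPORT_TUNNEL = {"mode": "gre", "ttl": 255, "local": "172.16.4.2",
                 "remote": "172.16.1.2", "key": 33490175}

if __name__ == "__main__":
    print(render_netdev("gre1-255-255", REPORT_TUNNEL), end="")
```

A mode outside KEYED_MODES (for example ipip) that carries a key still fails with the same "is not required for this tunnel type" message quoted in the report.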

Changed in systemd:
status: Unknown → Fix Released
Lukas Märdian (slyon) wrote :

Thank you for this bug report. I agree the validation should be less restrictive here and netplan should be adapted to support those newer systemd-networkd features.

I've drafted a potential fix in this PR: https://github.com/canonical/netplan/pull/274

no longer affects: ubuntu
Changed in netplan:
status: New → Triaged
importance: Undecided → Medium
Thomas Dreibholz (dreibh) wrote :

The proposed fix in https://github.com/canonical/netplan/pull/274 solves the problem. It would be nice to see this fix included in Ubuntu Jammy and Focal.

Lukas Märdian (slyon)
Changed in netplan:
status: Triaged → In Progress
Lukas Märdian (slyon)
Changed in netplan:
status: In Progress → Fix Committed