confd: add tunnel ttl, tos, and pmtu-discovery settings

Adds support for configuring TTL, ToS/DSCP, and Path MTU Discovery
on GRE and VXLAN tunnels. TTL defaults to 64 instead of inherit to
prevent issues with routing protocols like OSPF that use TTL=1.

Refactors tunnel YANG models by merging local-remote into a unified
tunnel-common grouping for cleaner organization.

Signed-off-by: Joachim Wiberg <[email protected]>

Author: troglobit

doc/tunnels.md

@@ -106,6 +106,60 @@ configuration, see [Routing Configuration](routing.md).
 > overhead (typically 24 bytes for IPv4, 44 bytes for IPv6) to avoid
 > fragmentation issues.
 
+
+### Advanced Tunnel Settings
+
+All tunnel types support common parameters for controlling tunnel behavior
+and performance.
+
+#### Time To Live (TTL)
+
+The TTL setting controls the Time To Live value for the outer tunnel packets.
+By default, tunnels use a fixed TTL of 64, which allows packets to traverse
+multiple hops between tunnel endpoints.
+
+```
+admin@example:/config/> edit interface gre0
+admin@example:/config/interface/gre0/> set gre ttl 255
+admin@example:/config/interface/gre0/> leave
+```
+
+Valid values are 1-255, or the special value `inherit` which copies the TTL
+from the encapsulated packet.
+
+> [!IMPORTANT]
+> The `inherit` mode can cause problems with routing protocols like OSPF
+> that use TTL=1 for their packets.  For tunnels carrying routing protocols,
+> always use a fixed TTL value (typically 64 or 255).
+
+#### Type of Service (ToS)
+
+The ToS setting controls QoS marking for tunnel traffic:
+
+```
+admin@example:/config/> edit interface gre0
+admin@example:/config/interface/gre0/> set gre tos 0x10
+admin@example:/config/interface/gre0/> leave
+```
+
+Valid values are 0-255 for fixed ToS/DSCP marking, or `inherit` (default)
+to copy the ToS value from the encapsulated packet.
+
+#### Path MTU Discovery (GRE only)
+
+The `pmtu-discovery` setting can be used to control the Path MTU Discovery on
+GRE tunnels.  When enabled (default), the tunnel respects the Don't Fragment
+(DF) bit and performs PMTU discovery:
+
+```
+admin@example:/config/> edit interface gre0
+admin@example:/config/interface/gre0/> set gre pmtudisc false
+admin@example:/config/interface/gre0/> leave
+```
+
+Disabling PMTU discovery may be necessary in networks with broken ICMP
+filtering but can lead to suboptimal performance and fragmentation.
+
 ## Virtual eXtensible Local Area Network (VXLAN)
 
 VXLAN is a network virtualization technology that encapsulates Layer 2
@@ -117,6 +171,10 @@ Infix supports both IPv4 and IPv6 for VXLAN tunnel endpoints.
 
 ### Basic VXLAN Configuration
 
+> [!TIP]
+> If you name your VXLAN interface `vxlanN`, where `N` is a number, the
+> CLI infers the interface type automatically.
+
 ```
 admin@example:/> configure
 admin@example:/config/> edit interface vxlan100
@@ -149,6 +207,6 @@ admin@example:/>
 The remote-port setting allows interoperability with systems using
 non-standard VXLAN ports.
 
-> [!TIP]
-> If you name your VXLAN interface `vxlanN`, where `N` is a number, the
-> CLI infers the interface type automatically.
+> [!NOTE]
+> VXLAN tunnels also support the `ttl` and `tos` settings described in
+> the [Advanced Tunnel Settings](#advanced-tunnel-settings) section above.

src/confd/src/infix-if-gre.c

@@ -5,7 +5,7 @@
 
 int gre_gen(struct lyd_node *dif, struct lyd_node *cif, FILE *ip)
 {
-	const char *local, *remote;
+	const char *local, *remote, *ttl, *tos, *pmtudisc;
 	struct lyd_node *gre;
 	int ipv6;
 
@@ -30,6 +30,20 @@ int gre_gen(struct lyd_node *dif, struct lyd_node *cif, FILE *ip)
 		return -EINVAL;
 	}
 
-	fprintf(ip, " local %s remote %s\n", local, remote);
+	fprintf(ip, " local %s remote %s", local, remote);
+
+	ttl = lydx_get_cattr(gre, "ttl");
+	if (ttl)
+		fprintf(ip, " ttl %s", ttl);
+
+	tos = lydx_get_cattr(gre, "tos");
+	if (tos)
+		fprintf(ip, " tos %s", tos);
+
+	pmtudisc = lydx_get_cattr(gre, "pmtu-discovery");
+	if (pmtudisc && !strcmp(pmtudisc, "false"))
+		fprintf(ip, " nopmtudisc");
+
+	fputc('\n', ip);
 	return 0;
 }

src/confd/src/infix-if-vxlan.c

@@ -6,6 +6,7 @@
 int vxlan_gen(struct lyd_node *dif, struct lyd_node *cif, FILE *ip)
 {
 	struct lyd_node *vxlan = NULL;
+	const char *ttl, *tos;
 
 	vxlan = lydx_get_descendant(lyd_child(cif), "vxlan", NULL);
 	if (!vxlan)
@@ -18,6 +19,14 @@ int vxlan_gen(struct lyd_node *dif, struct lyd_node *cif, FILE *ip)
 		lydx_get_cattr(vxlan, "remote"),
 		lydx_get_cattr(vxlan, "remote-port"));
 
+	ttl = lydx_get_cattr(vxlan, "ttl");
+	if (ttl)
+		fprintf(ip, " ttl %s", ttl);
+
+	tos = lydx_get_cattr(vxlan, "tos");
+	if (tos)
+		fprintf(ip, " tos %s", tos);
+
 	link_gen_address(cif, ip);
 
 	fputc('\n', ip);

src/confd/yang/confd.inc

@@ -37,7 +37,7 @@ MODULES=(
 	"[email protected]"
 	"[email protected]"
 	"[email protected]"
-	"infix-interfaces@2025-06-17.yang -e vlan-filtering"
+	"infix-interfaces@2025-11-06.yang -e vlan-filtering"
 	"ietf-crypto-types -e cleartext-symmetric-keys"
 	"[email protected]"
 	"ietf-keystore -e symmetric-keys"

src/confd/yang/confd/infix-if-gre.yang

@@ -16,6 +16,12 @@ submodule infix-if-gre {
   contact      "[email protected]";
   description  "GRE and GRETAP tunnel extension for ietf-interfaces";
 
+  revision 2025-11-06 {
+    description "Use tunnel-common grouping for local, remote, TTL, and TOS/DSCP.
+                 Add GRE-specific pmtu-discovery setting.";
+    reference "internal";
+  }
+
   revision 2024-12-20 {
    description "Initial revision.";
     reference "internal";
@@ -29,7 +35,21 @@ submodule infix-if-gre {
 
     description "Augments the interface model with GRE tunnels.";
     container gre {
-      uses local-remote;
+      uses tunnel-common;
+
+      leaf pmtu-discovery {
+        type boolean;
+        default true;
+        description
+          "Enable or disable Path MTU Discovery on the tunnel.
+
+           When enabled (default), the tunnel respects the Don't Fragment (DF)
+           bit and performs PMTU discovery. When disabled, the tunnel will
+           fragment packets as needed.
+
+           Disabling PMTU discovery may be necessary in networks with broken
+           ICMP filtering but can lead to suboptimal performance.";
+      }
     }
   }
 }

…/yang/confd/[email protected] …/yang/confd/[email protected]src/confd/yang/confd/[email protected] renamed to src/confd/yang/confd/[email protected] src/confd/yang/confd/[email protected] renamed to src/confd/yang/confd/[email protected]

@@ -20,6 +20,11 @@ submodule infix-if-vxlan {
   contact      "[email protected]";
   description  "VXLAN tunnel extension for ietf-interfaces";
 
+  revision 2025-11-06 {
+    description "Use new tunnel-common grouping for local, remote, ttl, and tos.";
+    reference "internal";
+  }
+
   revision 2025-01-13 {
    description "Initial revision.";
     reference "internal";
@@ -36,18 +41,19 @@ submodule infix-if-vxlan {
     }
     description "Augments the interface model with VXLAN tunnels.";
     container vxlan {
-      uses local-remote;
+      uses tunnel-common;
+
       leaf remote-port {
         type inet-types:port-number;
         default 4789;
         description
-          "VXLAN destination UDP port. Valid range: 0..65535. Default is 4789 (IANA-assigned VXLAN UDP port).";
+          "VXLAN destination UDP port, valid range: 0..65535.";
       }
       leaf vni {
         type vni;
         mandatory true;
         description
-          "VXLAN Network Identifier (VNI), valid values are 0 to 16777215.";
+          "VXLAN Network Identifier (VNI), valid range: 0..16777215.";
       }
     }
   }

src/confd/yang/confd/infix-if-vxlan.yang

@@ -33,6 +33,11 @@ module infix-interfaces {
   contact      "[email protected]";
   description  "Linux bridge and lag extensions for ietf-interfaces.";
 
+  revision 2025-11-06 {
+    description "Use new tunnel-common grouping for local, remote, ttl, and tos.";
+    reference "internal";
+  }
+
   revision 2025-06-17 {
     description "Add support for Wi-Fi client.";
     reference "internal";
@@ -106,21 +111,65 @@ module infix-interfaces {
     reference "internal";
   }
 
-  grouping local-remote {
-    description "Local address to use as source address";
+  grouping tunnel-common {
+    description "Common tunnel parameters applicable to all tunnel types.";
+
     leaf local {
       type inet:ip-address;
       mandatory true;
+      description "Local address to use as source address for the tunnel.";
     }
+
     leaf remote {
-      description "Peer address";
       type inet:ip-address;
       must "(contains(../local, ':') and contains(., ':'))
             or (not(contains(../local, ':')) and not(contains(., ':')))" {
         error-message
           "Local and remote must be both IPv4 or both IPv6 addresses.";
       }
       mandatory true;
+      description "Remote peer address for the tunnel.";
+    }
+
+    leaf ttl {
+      type union {
+        type uint8 {
+          range "1..255";
+        }
+        type enumeration {
+          enum inherit {
+            description
+              "Copy TTL from inner packet (default kernel behavior).
+               WARNING: This can cause issues with protocols like OSPF
+               that use TTL=1 for their packets.";
+          }
+        }
+      }
+      default 64;
+      description
+        "Time To Live (TTL) for IPv4 or Hop Limit for IPv6 tunnel packets.
+         A fixed value (1-255) sets the outer packet TTL regardless of inner
+         packet TTL. The 'inherit' mode copies TTL from the encapsulated packet.
+
+         For OSPF and other routing protocols over tunnels, a fixed value
+         (typically 64 or 255) should be used to ensure packets can traverse
+         multiple hops between tunnel endpoints.";
+    }
+
+    leaf tos {
+      type union {
+        type uint8;
+        type enumeration {
+          enum inherit {
+            description "Copy ToS/DSCP from inner packet.";
+          }
+        }
+      }
+      default "inherit";
+      description
+        "Type of Service (IPv4) or Traffic Class (IPv6) for tunnel packets.
+         Can be a fixed value (0-255) for QoS marking, or 'inherit' to copy
+         from the encapsulated packet.";
     }
   }