confd: prevent IP addresses on bridge ports

troglobit · troglobit · commit 7e37fc49a300 · 2025-10-28T19:35:32.000+01:00
Bridge ports should not have IP addresses configured. The IP address should be configured on the bridge interface itself, not its member ports. Add YANG must expression to enforce this rule at configuration time. Fixes #1122 Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
diff --git a/doc/ChangeLog.md b/doc/ChangeLog.md
@@ -35,6 +35,9 @@ All notable changes to the project are documented in this file.
   change infers a pool range (only) for /24 networks, and only when a pool is
   enabled.  YANG validation for this and other use-cases is also included.  As
   an unforeseen bonus, Infix now also support non-pool (static lease) setups
+- Fix #1122: Add YANG validation for consistency, IP addresses are not allowed
+  on bridge port (interfaces).  Even though Infix previously allowed this, but
+  disregarded it operationally, it is no longer supported in the configuration
 - Fix #1146: Possible to set longer containers names than the system supports.
   Root cause, a limit of 15 characters implicitly imposed by the service mgmt
   daemon, Finit.  The length has not been increased to 64 characters (min: 2)
diff --git a/src/confd/yang/confd/infix-if-bridge.yang b/src/confd/yang/confd/infix-if-bridge.yang
@@ -15,6 +15,9 @@ submodule infix-if-bridge {
   import ietf-interfaces {
     prefix if;
   }
+  import ietf-ip {
+    prefix ip;
+  }
   import ieee802-dot1q-types {
     prefix dot1q-types;
   }
@@ -26,6 +29,10 @@ submodule infix-if-bridge {
   contact      "kernelkit@googlegroups.com";
   description  "Linux bridge extension for ietf-interfaces.";
 
+  revision 2025-10-28 {
+    description "Prevent IP addresses on bridge ports.";
+    reference "internal";
+  }
 
   revision 2025-10-23 {
     description "Add WiFi interfaces to be able to be added to a bridge.";
@@ -918,6 +925,9 @@ submodule infix-if-bridge {
       description "Extension of the IETF Interfaces model (RFC7223).";
 
       container bridge-port {
+        must "not(../ip:ipv4/ip:address or ../ip:ipv6/ip:address)" {
+          error-message "Bridge ports cannot have IP addresses configured.";
+        }
         description "Bridge association and port specific settings.";
         uses bridge-port-common;
         uses bridge-port-lower {
diff --git a/src/confd/yang/confd/infix-if-bridge@2025-10-28.yang b/src/confd/yang/confd/infix-if-bridge@2025-10-28.yang
