metal-stack · majst01 · Sep 11, 2024 · Jul 5, 2024 · Jul 7, 2024 · Jul 12, 2024
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -40,7 +40,7 @@ jobs:
       run: sudo apt-get install -y libpcap-dev
 
     - name: Lint
-      uses: golangci/golangci-lint-action@v4
+      uses: golangci/golangci-lint-action@v6
       with:
         args: --build-tags client -p bugs -p unused --timeout=3m
 

diff --git a/.github/workflows/release-drafter.yaml b/.github/workflows/release-drafter.yaml
@@ -10,6 +10,6 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: release-drafter/release-drafter@v5
+    - uses: release-drafter/release-drafter@v6
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -73,8 +73,9 @@ func TestBuildSwitcherConfig(t *testing.T) {
 				Filter: types.Filter{
 					IPPrefixLists: []types.IPPrefixList{
 						{
-							Name: "vrf104001-in-prefixes",
-							Spec: "permit 10.240.0.0/12 le 32",
+							AddressFamily: "ip",
+							Name:          "vrf104001-in-prefixes",
+							Spec:          "permit 10.240.0.0/12 le 32",
 						},
 					},
 					RouteMaps: []types.RouteMap{

@@ -8,6 +8,7 @@ import (
 	"testing"
 	"text/template"
 
+	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/require"
 	"gopkg.in/yaml.v3"
 
@@ -83,7 +84,9 @@ func TestCustomSonicFrrTemplate(t *testing.T) {
 func verifyTemplate(t *testing.T, tpl *template.Template, c *types.Conf, expectedFilename string) {
 	actual := renderToString(t, tpl, c)
 	expected := readExpected(t, expectedFilename)
-	require.Equal(t, expected, actual, "Wanted: %s\nGot: %s", expected, actual)
+	if diff := cmp.Diff(expected, actual); diff != "" {
+		t.Errorf("%s render differs:%s", expectedFilename, diff)
+	}
 }
 
 func renderToString(t *testing.T, tpl *template.Template, c *types.Conf) string {

@@ -36,6 +36,7 @@ ports:
       cidrs:
         - "100.127.131.0/24"
         - "212.17.234.17/32"
+        - "2001:db8:3::1/128"
 additionalbridgevids:
   - 201-256
   - 301-356

@@ -53,6 +53,13 @@ router bgp 4200000010
   neighbor swp3 route-map fw-swp3-in in
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected route-map LOOPBACKS
+  neighbor FIREWALL allowas-in 2
+  neighbor FIREWALL activate
+  neighbor swp3 route-map fw-swp3-in in
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise-all-vni
   neighbor FABRIC activate
@@ -93,16 +100,27 @@ router bgp 4200000010 vrf vrf104001
   neighbor MACHINE route-map vrf104001-in in
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected
+  neighbor MACHINE maximum-prefix 24000
+  neighbor MACHINE activate
+  neighbor MACHINE route-map vrf104001-in6 in
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise ipv4 unicast
+  advertise ipv6 unicast
  exit-address-family
 !
 # route-maps for vrf104001
 ip prefix-list vrf104001-in-prefixes permit 100.127.131.0/24 le 32
 ip prefix-list vrf104001-in-prefixes permit 212.17.234.17/32 le 32
 ip prefix-list vrf104001-in-prefixes permit 10.240.0.0/12 le 32
+ip prefix-list vrf104001-in6-prefixes permit 2001:db8:3::1/128 le 128
 route-map vrf104001-in permit 10
  match ip address prefix-list vrf104001-in-prefixes
+route-map vrf104001-in6 permit 10
+ match ipv6 address prefix-list vrf104001-in6-prefixes
 !
 line vty
 !
@@ -96,14 +96,18 @@ router bgp 4200000010 vrf vrf104001
  !
  address-family l2vpn evpn
   advertise ipv4 unicast
+  advertise ipv6 unicast
  exit-address-family
 !
 # route-maps for vrf104001
 ip prefix-list vrf104001-in-prefixes permit 100.127.131.0/24 le 32
 ip prefix-list vrf104001-in-prefixes permit 212.17.234.17/32 le 32
 ip prefix-list vrf104001-in-prefixes permit 10.240.0.0/12 le 32
+ip prefix-list vrf104001-in6-prefixes permit 2001:db8:3::1/128 le 128
 route-map vrf104001-in permit 10
  match ip address prefix-list vrf104001-in-prefixes
+route-map vrf104001-in6 permit 10
+ match ipv6 address prefix-list vrf104001-in6-prefixes
 !
 line vty
 !
@@ -111,6 +111,7 @@ router bgp {{ $ASN }} vrf {{ $vrf }}
  !
  address-family l2vpn evpn
   advertise ipv4 unicast
+  advertise ipv6 unicast
  exit-address-family
 !
 {{- if gt (len $t.IPPrefixLists) 0 }}

@@ -58,6 +58,13 @@ router bgp 4200000010
   neighbor swp3 route-map fw-swp3-in in
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected route-map DENY_MGMT
+  neighbor FIREWALL allowas-in 2
+  neighbor FIREWALL activate
+  neighbor swp3 route-map fw-swp3-in in
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise-all-vni
   neighbor FABRIC activate
@@ -99,16 +106,27 @@ router bgp 4200000010 vrf Vrf104001
   neighbor MACHINE route-map Vrf104001-in in
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected
+  neighbor MACHINE maximum-prefix 24000
+  neighbor MACHINE activate
+  neighbor MACHINE route-map Vrf104001-in6 in
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise ipv4 unicast
+  advertise ipv6 unicast
  exit-address-family
 !
 # route-maps for Vrf104001
 ip prefix-list Vrf104001-in-prefixes permit 100.127.131.0/24 le 32
 ip prefix-list Vrf104001-in-prefixes permit 212.17.234.17/32 le 32
 ip prefix-list Vrf104001-in-prefixes permit 10.240.0.0/12 le 32
+ip prefix-list Vrf104001-in6-prefixes permit 2001:db8:3::1/128 le 128
 route-map Vrf104001-in permit 10
  match ip address prefix-list Vrf104001-in-prefixes
+route-map Vrf104001-in6 permit 10
+ match ipv6 address prefix-list Vrf104001-in6-prefixes
 !
 line vty
 !
@@ -53,6 +53,13 @@ router bgp 4200000010
   neighbor swp3 route-map fw-swp3-in in
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected route-map LOOPBACKS
+  neighbor FIREWALL allowas-in 2
+  neighbor FIREWALL activate
+  neighbor swp3 route-map fw-swp3-in in
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise-all-vni
   neighbor FABRIC activate
@@ -93,8 +100,16 @@ router bgp 4200000010 vrf vrf104001
   neighbor MACHINE route-map vrf104001-in in
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected
+  neighbor MACHINE maximum-prefix 24000
+  neighbor MACHINE activate
+  neighbor MACHINE route-map vrf104001-in6 in
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise ipv4 unicast
+  advertise ipv6 unicast
  exit-address-family
 !
 # route-maps for vrf104001

@@ -58,6 +58,13 @@ router bgp 4200000010
   neighbor swp3 route-map fw-swp3-in in
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected route-map DENY_MGMT
+  neighbor FIREWALL allowas-in 2
+  neighbor FIREWALL activate
+  neighbor swp3 route-map fw-swp3-in in
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise-all-vni
   neighbor FABRIC activate
@@ -99,8 +106,16 @@ router bgp 4200000010 vrf Vrf104001
   neighbor MACHINE route-map Vrf104001-in in
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected
+  neighbor MACHINE maximum-prefix 24000
+  neighbor MACHINE activate
+  neighbor MACHINE route-map Vrf104001-in6 in
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise ipv4 unicast
+  advertise ipv6 unicast
  exit-address-family
 !
 # route-maps for Vrf104001

@@ -35,6 +35,12 @@ router bgp 4200000010
   neighbor FIREWALL allowas-in 2
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected route-map LOOPBACKS
+  neighbor FIREWALL allowas-in 2
+  neighbor FIREWALL activate
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise-all-vni
   neighbor FABRIC activate

@@ -40,6 +40,12 @@ router bgp 4200000010
   neighbor FIREWALL allowas-in 2
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected route-map DENY_MGMT
+  neighbor FIREWALL allowas-in 2
+  neighbor FIREWALL activate
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise-all-vni
   neighbor FABRIC activate

@@ -60,6 +60,15 @@ router bgp {{ $ASN }}
   {{- end }}
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected route-map LOOPBACKS
+  neighbor FIREWALL allowas-in 2
+  neighbor FIREWALL activate
+  {{- range $k, $f := .Ports.Firewalls }}
+  neighbor {{ $f.Port }} route-map fw-{{ $k }}-in in
+  {{- end }}
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise-all-vni
   neighbor FABRIC activate
@@ -108,8 +117,18 @@ router bgp {{ $ASN }} vrf {{ $vrf }}
   {{- end }}
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected
+  neighbor MACHINE maximum-prefix 24000
+  neighbor MACHINE activate
+  {{- if gt (len $t.IPPrefixLists) 0 }}
+  neighbor MACHINE route-map {{ $vrf }}-in6 in
+  {{- end }}
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise ipv4 unicast
+  advertise ipv6 unicast
  exit-address-family
 !
 {{- if gt (len $t.IPPrefixLists) 0 }}

@@ -65,6 +65,15 @@ router bgp {{ $ASN }}
   {{- end }}
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected route-map DENY_MGMT
+  neighbor FIREWALL allowas-in 2
+  neighbor FIREWALL activate
+  {{- range $k, $f := .Ports.Firewalls }}
+  neighbor {{ $f.Port }} route-map fw-{{ $k }}-in in
+  {{- end }}
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise-all-vni
   neighbor FABRIC activate
@@ -116,8 +125,18 @@ router bgp {{ $ASN }} vrf {{ $vrf }}
   {{- end }}
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected
+  neighbor MACHINE maximum-prefix 24000
+  neighbor MACHINE activate
+  {{- if gt (len $t.IPPrefixLists) 0 }}
+  neighbor MACHINE route-map {{ $vrf }}-in6 in
+  {{- end }}
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise ipv4 unicast
+  advertise ipv6 unicast
  exit-address-family
 !
 {{- if gt (len $t.IPPrefixLists) 0 }}

@@ -34,6 +34,7 @@ func (c *Conf) FillRouteMapsAndIPPrefixLists() {
 		f.Assemble("fw-"+port, f.Vnis, f.Cidrs)
 	}
 	for vrf, t := range c.Ports.Vrfs {
+		// FIXME hardcoded and IPv6 missing
 		podCidr := "10.240.0.0/12"
 		t.Cidrs = append(t.Cidrs, podCidr)
 		t.Assemble(vrf, []string{}, t.Cidrs)