Only add no bgp enforce-first-as for frr >= 10

metal-stack · Jan 15, 2025 · dff4362 · dff4362
1 parent 7879d87
commit dff4362
Show file tree

Hide file tree

Showing 16 changed files with 513 additions and 36 deletions.
diff --git a/go.mod b/go.mod
@@ -3,6 +3,7 @@ module github.com/metal-stack/metal-networker
 go 1.23.0
 
 require (
+	github.com/Masterminds/semver/v3 v3.3.0
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/google/go-cmp v0.6.0
 	github.com/metal-stack/metal-go v0.39.4

diff --git a/go.sum b/go.sum
@@ -1,3 +1,5 @@
+github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
+github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=

diff --git a/pkg/netconf/configurator.go b/pkg/netconf/configurator.go
@@ -240,7 +240,7 @@ func applyCommonConfiguration(log *slog.Logger, kind BareMetalType, kb config) {
 	applyAndCleanUp(log, applier, tplHostname, src, "/etc/hostname", fileModeSixFourFour, false)
 
 	src = mustTmpFile("frr_")
-	applier = NewFrrConfigApplier(kind, kb, src)
+	applier = NewFrrConfigApplier(kind, kb, src, nil)
 	tpl := TplFirewallFRR
 
 	if kind == Machine {

diff --git a/pkg/netconf/frr.go b/pkg/netconf/frr.go
@@ -5,6 +5,7 @@ import (
 	"log/slog"
 	"net/netip"
 
+	"github.com/Masterminds/semver/v3"
 	"github.com/metal-stack/metal-go/api/models"
 	mn "github.com/metal-stack/metal-lib/pkg/net"
 	"github.com/metal-stack/metal-networker/pkg/exec"
@@ -62,9 +63,16 @@ type (
 )
 
 // NewFrrConfigApplier constructs a new Applier of the given type of Bare Metal.
-func NewFrrConfigApplier(kind BareMetalType, c config, tmpFile string) net.Applier {
+func NewFrrConfigApplier(kind BareMetalType, c config, tmpFile string, frrVersion *semver.Version) net.Applier {
 	var data any
 
+	enableNoBGPEnforceFirstAS, err := enableNoBGPEnforceFirstAS(frrVersion)
+	if err != nil {
+		c.log.Error("unable to parse frr version", "error", err)
+		panic(err)
+	}
+	c.log.Info("enableNoBGPEnforceFirstAS", "value", enableNoBGPEnforceFirstAS)
+
 	switch kind {
 	case Firewall:
 		net := c.getUnderlayNetwork()
@@ -76,7 +84,7 @@ func NewFrrConfigApplier(kind BareMetalType, c config, tmpFile string) net.Appli
 				ASN:        *net.Asn,
 				RouterID:   routerID(net),
 			},
-			VRFs: assembleVRFs(c),
+			VRFs: assembleVRFs(c, enableNoBGPEnforceFirstAS),
 		}
 	case Machine:
 		net := c.getPrivatePrimaryNetwork()
@@ -102,6 +110,20 @@ func NewFrrConfigApplier(kind BareMetalType, c config, tmpFile string) net.Appli
 	return net.NewNetworkApplier(data, validator, net.NewDBusReloader("frr.service"))
 }
 
+func enableNoBGPEnforceFirstAS(frrVersion *semver.Version) (bool, error) {
+	if frrVersion == nil {
+		return false, nil
+	}
+	frrVersionGreaterOrEqual10, err := semver.NewConstraint(">= 10.0.0")
+	if err != nil {
+		return false, err
+	}
+	if frrVersionGreaterOrEqual10.Check(frrVersion) {
+		return true, nil
+	}
+	return false, nil
+}
+
 // routerID will calculate the bgp router-id which must only be specified in the ipv6 range.
 // returns 0.0.0.0 for erroneous ip addresses and 169.254.255.255 for ipv6
 // TODO prepare machine allocations with ipv6 primary address and tests
@@ -127,7 +149,7 @@ func (v frrValidator) Validate() error {
 	return exec.NewVerboseCmd("bash", "-c", vtysh, v.path).Run()
 }
 
-func assembleVRFs(kb config) []VRF {
+func assembleVRFs(kb config, enableNoBGPenforceFirstAs bool) []VRF {
 	var result []VRF
 
 	networks := kb.GetNetworks(mn.PrivatePrimaryUnshared, mn.PrivatePrimaryShared, mn.PrivateSecondaryShared, mn.External)
@@ -141,10 +163,11 @@ func assembleVRFs(kb config) []VRF {
 			Identity: Identity{
 				ID: int(*network.Vrf),
 			},
-			VNI:            int(*network.Vrf),
-			ImportVRFNames: i.ImportVRFs,
-			IPPrefixLists:  i.prefixLists(),
-			RouteMaps:      i.routeMaps(),
+			VNI:              int(*network.Vrf),
+			ImportVRFNames:   i.ImportVRFs,
+			IPPrefixLists:    i.prefixLists(),
+			RouteMaps:        i.routeMaps(),
+			NoEnforceFirstAS: enableNoBGPenforceFirstAs,
 		}
 		result = append(result, vrf)
 	}

diff --git a/pkg/netconf/frr_test.go b/pkg/netconf/frr_test.go
@@ -6,6 +6,7 @@ import (
 	"os"
 	"testing"
 
+	"github.com/Masterminds/semver/v3"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -14,6 +15,7 @@ func TestFrrConfigApplier(t *testing.T) {
 	tests := []struct {
 		name             string
 		input            string
+		frrVersion       *semver.Version
 		expectedOutput   string
 		configuratorType BareMetalType
 		tpl              string
@@ -74,14 +76,30 @@ func TestFrrConfigApplier(t *testing.T) {
 			configuratorType: Machine,
 			tpl:              TplMachineFRR,
 		},
+		{
+			name:             "standard firewall with lower frr version",
+			input:            "testdata/firewall.yaml",
+			frrVersion:       semver.MustParse("9.0.5-0"),
+			expectedOutput:   "testdata/frr.conf.firewall_frr-9",
+			configuratorType: Firewall,
+			tpl:              TplFirewallFRR,
+		},
+		{
+			name:             "standard firewall with higher frr version",
+			input:            "testdata/firewall.yaml",
+			frrVersion:       semver.MustParse("10.1.5"),
+			expectedOutput:   "testdata/frr.conf.firewall_frr-10",
+			configuratorType: Firewall,
+			tpl:              TplFirewallFRR,
+		},
 	}
 	for _, test := range tests {
 		test := test
 		t.Run(test.name, func(t *testing.T) {
 			log := slog.Default()
 			kb, err := New(log, test.input)
 			require.NoError(t, err)
-			a := NewFrrConfigApplier(test.configuratorType, *kb, "")
+			a := NewFrrConfigApplier(test.configuratorType, *kb, "", test.frrVersion)
 			b := bytes.Buffer{}
 
 			tpl := MustParseTpl(test.tpl)
@@ -112,3 +130,35 @@ func TestFRRValidator_Validate(t *testing.T) {
 	actual := validator.Validate()
 	require.Error(t, actual)
 }
+
+func Test_enableNoBGPEnforceFirstAS(t *testing.T) {
+	tests := []struct {
+		name       string
+		frrVersion *semver.Version
+		want       bool
+		wantErr    bool
+	}{
+		{
+			name:       "lower than 10",
+			frrVersion: semver.MustParse("9.0.1"),
+			want:       false,
+		},
+		{
+			name:       "higher than 10",
+			frrVersion: semver.MustParse("10.1.5"),
+			want:       true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := enableNoBGPEnforceFirstAS(tt.frrVersion)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("enableNoBGPEnforceFirstAS() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != tt.want {
+				t.Errorf("enableNoBGPEnforceFirstAS() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
diff --git a/pkg/netconf/netobjects.go b/pkg/netconf/netobjects.go
@@ -31,11 +31,12 @@ type (
 	// VRF represents data required to render VRF information into frr.conf.
 	VRF struct {
 		Identity
-		Table          int
-		VNI            int
-		ImportVRFNames []string
-		IPPrefixLists  []IPPrefixList
-		RouteMaps      []RouteMap
+		Table            int
+		VNI              int
+		ImportVRFNames   []string
+		IPPrefixLists    []IPPrefixList
+		RouteMaps        []RouteMap
+		NoEnforceFirstAS bool
 	}
 
 	// RouteMap represents a route-map to permit or deny routes.

diff --git a/pkg/netconf/testdata/frr.conf.firewall b/pkg/netconf/testdata/frr.conf.firewall
@@ -61,7 +61,6 @@ router bgp 4200003073
 !
 router bgp 4200003073 vrf vrf3981
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -87,7 +86,6 @@ router bgp 4200003073 vrf vrf3981
 !
 router bgp 4200003073 vrf vrf3982
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -109,7 +107,6 @@ router bgp 4200003073 vrf vrf3982
 !
 router bgp 4200003073 vrf vrf104009
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -131,7 +128,6 @@ router bgp 4200003073 vrf vrf104009
 !
 router bgp 4200003073 vrf vrf104010
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast

diff --git a/pkg/netconf/testdata/frr.conf.firewall_dmz b/pkg/netconf/testdata/frr.conf.firewall_dmz
@@ -57,7 +57,6 @@ router bgp 4200003073
 !
 router bgp 4200003073 vrf vrf3981
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -81,7 +80,6 @@ router bgp 4200003073 vrf vrf3981
 !
 router bgp 4200003073 vrf vrf3983
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -105,7 +103,6 @@ router bgp 4200003073 vrf vrf3983
 !
 router bgp 4200003073 vrf vrf104009
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast

diff --git a/pkg/netconf/testdata/frr.conf.firewall_dmz_app b/pkg/netconf/testdata/frr.conf.firewall_dmz_app
@@ -53,7 +53,6 @@ router bgp 4200003073
 !
 router bgp 4200003073 vrf vrf3981
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -75,7 +74,6 @@ router bgp 4200003073 vrf vrf3981
 !
 router bgp 4200003073 vrf vrf3983
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast

diff --git a/pkg/netconf/testdata/frr.conf.firewall_dmz_app_storage b/pkg/netconf/testdata/frr.conf.firewall_dmz_app_storage
@@ -57,7 +57,6 @@ router bgp 4200003073
 !
 router bgp 4200003073 vrf vrf3981
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -81,7 +80,6 @@ router bgp 4200003073 vrf vrf3981
 !
 router bgp 4200003073 vrf vrf3983
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -103,7 +101,6 @@ router bgp 4200003073 vrf vrf3983
 !
 router bgp 4200003073 vrf vrf3982
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast

diff --git a/pkg/netconf/testdata/frr.conf.firewall_dualstack b/pkg/netconf/testdata/frr.conf.firewall_dualstack
@@ -61,7 +61,6 @@ router bgp 4200003073
 !
 router bgp 4200003073 vrf vrf3981
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -87,7 +86,6 @@ router bgp 4200003073 vrf vrf3981
 !
 router bgp 4200003073 vrf vrf3982
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -109,7 +107,6 @@ router bgp 4200003073 vrf vrf3982
 !
 router bgp 4200003073 vrf vrf104009
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -131,7 +128,6 @@ router bgp 4200003073 vrf vrf104009
 !
 router bgp 4200003073 vrf vrf104010
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast