From dff43623573620d5b84f3aeee5c032768e548412 Mon Sep 17 00:00:00 2001
From: Stefan Majer
Date: Wed, 15 Jan 2025 09:21:20 +0100
Subject: [PATCH] Only add no bgp enforce-first-as for frr >= 10

---
 go.mod | 1 +
 go.sum | 2 +
 pkg/netconf/configurator.go | 2 +-
 pkg/netconf/frr.go | 37 ++-
 pkg/netconf/frr_test.go | 52 ++++-
 pkg/netconf/netobjects.go | 11 +-
 pkg/netconf/testdata/frr.conf.firewall | 4 -
 pkg/netconf/testdata/frr.conf.firewall_dmz | 3 -
 .../testdata/frr.conf.firewall_dmz_app | 2 -
 .../frr.conf.firewall_dmz_app_storage | 3 -
 .../testdata/frr.conf.firewall_dualstack | 4 -
 pkg/netconf/testdata/frr.conf.firewall_frr-10 | 212 ++++++++++++++++++
 pkg/netconf/testdata/frr.conf.firewall_frr-9 | 208 +++++++++++++++++
 pkg/netconf/testdata/frr.conf.firewall_ipv6 | 4 -
 pkg/netconf/testdata/frr.conf.firewall_shared | 2 -
 pkg/netconf/tpl/frr.firewall.tpl | 2 +
 16 files changed, 513 insertions(+), 36 deletions(-)
 create mode 100644 pkg/netconf/testdata/frr.conf.firewall_frr-10
 create mode 100644 pkg/netconf/testdata/frr.conf.firewall_frr-9

diff --git a/go.mod b/go.mod
index 71d8341..22b0e57 100644
--- a/go.mod
+++ b/go.mod
@@ -3,6 +3,7 @@ module github.com/metal-stack/metal-networker
 go 1.23.0
 
 require (
+	github.com/Masterminds/semver/v3 v3.3.0
 	github.com/coreos/go-systemd/v22 v22.5.0
 	github.com/google/go-cmp v0.6.0
 	github.com/metal-stack/metal-go v0.39.4
diff --git a/go.sum b/go.sum
index 66b97f7..09cac86 100644
--- a/go.sum
+++ b/go.sum
@@ -1,3 +1,5 @@
+github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
+github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
diff --git a/pkg/netconf/configurator.go b/pkg/netconf/configurator.go
index f090aab..a8db3e0 100644
--- a/pkg/netconf/configurator.go
+++ b/pkg/netconf/configurator.go
@@ -240,7 +240,7 @@ func applyCommonConfiguration(log *slog.Logger, kind BareMetalType, kb config) {
 	applyAndCleanUp(log, applier, tplHostname, src, "/etc/hostname", fileModeSixFourFour, false)
 
 	src = mustTmpFile("frr_")
-	applier = NewFrrConfigApplier(kind, kb, src)
+	applier = NewFrrConfigApplier(kind, kb, src, nil)
 
 	tpl := TplFirewallFRR
 	if kind == Machine {
diff --git a/pkg/netconf/frr.go b/pkg/netconf/frr.go
index c5429fa..bbfa78f 100644
--- a/pkg/netconf/frr.go
+++ b/pkg/netconf/frr.go
@@ -5,6 +5,7 @@ import (
 	"log/slog"
 	"net/netip"
 
+	"github.com/Masterminds/semver/v3"
 	"github.com/metal-stack/metal-go/api/models"
 	mn "github.com/metal-stack/metal-lib/pkg/net"
 	"github.com/metal-stack/metal-networker/pkg/exec"
@@ -62,9 +63,16 @@ type (
 )
 
 // NewFrrConfigApplier constructs a new Applier of the given type of Bare Metal.
-func NewFrrConfigApplier(kind BareMetalType, c config, tmpFile string) net.Applier {
+func NewFrrConfigApplier(kind BareMetalType, c config, tmpFile string, frrVersion *semver.Version) net.Applier {
 	var data any
 
+	enableNoBGPEnforceFirstAS, err := enableNoBGPEnforceFirstAS(frrVersion)
+	if err != nil {
+		c.log.Error("unable to parse frr version", "error", err)
+		panic(err)
+	}
+	c.log.Info("enableNoBGPEnforceFirstAS", "value", enableNoBGPEnforceFirstAS)
+
 	switch kind {
 	case Firewall:
 		net := c.getUnderlayNetwork()
@@ -76,7 +84,7 @@ func NewFrrConfigApplier(kind BareMetalType, c config, tmpFile string) net.Appli
 				ASN:      *net.Asn,
 				RouterID: routerID(net),
 			},
-			VRFs: assembleVRFs(c),
+			VRFs: assembleVRFs(c, enableNoBGPEnforceFirstAS),
 		}
 	case Machine:
 		net := c.getPrivatePrimaryNetwork()
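Review bot: The production call `applier = NewFrrConfigApplier(kind, kb, src, nil)` hands a nil frrVersion to the constructor, and with the nil branch of enableNoBGPEnforceFirstAS returning false that means `no bgp enforce-first-as` is no longer rendered for any VRF on real hosts, where the template hunk shows it used to be emitted unconditionally. If that is deliberate until version detection is wired in, say so at the call site, e.g. `// TODO: pass the detected FRR version; nil currently suppresses "no bgp enforce-first-as" for every VRF`; otherwise the version should be detected here before the applier is built. applyCommonConfiguration starts and ends outside the hunk.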
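Review bot: `enableNoBGPEnforceFirstAS, err := enableNoBGPEnforceFirstAS(frrVersion)` in NewFrrConfigApplier declares a local that shadows the function of the same name for the rest of the body; it compiles because the call is evaluated first, but it reads as a recursive call and blocks any later use of the function in this scope. Rename the local, `noEnforceFirstAS, err := enableNoBGPEnforceFirstAS(frrVersion)`, and pass that to assembleVRFs. The error branch logs and then panics with the same error, which handles it twice; since the helper's only error source is a constant constraint string, one of the two is enough, and the `c.log.Info("enableNoBGPEnforceFirstAS", ...)` line fires on every construction and looks like Debug-level output. NewFrrConfigApplier continues past the hunk.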
@@ -102,6 +110,20 @@ func NewFrrConfigApplier(kind BareMetalType, c config, tmpFile string) net.Appli
 	return net.NewNetworkApplier(data, validator, net.NewDBusReloader("frr.service"))
 }
 
+func enableNoBGPEnforceFirstAS(frrVersion *semver.Version) (bool, error) {
+	if frrVersion == nil {
+		return false, nil
+	}
+	frrVersionGreaterOrEqual10, err := semver.NewConstraint(">= 10.0.0")
+	if err != nil {
+		return false, err
+	}
+	if frrVersionGreaterOrEqual10.Check(frrVersion) {
+		return true, nil
+	}
+	return false, nil
+}
+
 // routerID will calculate the bgp router-id which must only be specified in the ipv6 range.
 // returns 0.0.0.0 for erroneous ip addresses and 169.254.255.255 for ipv6
 // TODO prepare machine allocations with ipv6 primary address and tests
@@ -127,7 +149,7 @@ func (v frrValidator) Validate() error {
 	return exec.NewVerboseCmd("bash", "-c", vtysh, v.path).Run()
 }
 
-func assembleVRFs(kb config) []VRF {
+func assembleVRFs(kb config, enableNoBGPenforceFirstAs bool) []VRF {
 	var result []VRF
 	networks := kb.GetNetworks(mn.PrivatePrimaryUnshared, mn.PrivatePrimaryShared, mn.PrivateSecondaryShared, mn.External)
 
@@ -141,10 +163,11 @@ func assembleVRFs(kb config) []VRF {
 			Identity: Identity{
 				ID: int(*network.Vrf),
 			},
-			VNI:            int(*network.Vrf),
-			ImportVRFNames: i.ImportVRFs,
-			IPPrefixLists:  i.prefixLists(),
-			RouteMaps:      i.routeMaps(),
+			VNI:              int(*network.Vrf),
+			ImportVRFNames:   i.ImportVRFs,
+			IPPrefixLists:    i.prefixLists(),
+			RouteMaps:        i.routeMaps(),
+			NoEnforceFirstAS: enableNoBGPenforceFirstAs,
 		}
 		result = append(result, vrf)
 	}
diff --git a/pkg/netconf/frr_test.go b/pkg/netconf/frr_test.go
index 704c0d6..0fcb191 100644
--- a/pkg/netconf/frr_test.go
+++ b/pkg/netconf/frr_test.go
@@ -6,6 +6,7 @@ import (
 	"os"
 	"testing"
 
+	"github.com/Masterminds/semver/v3"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
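Review bot: The `>= 10.0.0` constraint in enableNoBGPEnforceFirstAS appears to reject any version that carries a pre-release tag, because Masterminds semver only matches pre-release versions against constraints that themselves name a pre-release; the sibling test already feeds a Debian-style `9.0.5-0`, so a host reporting something like `10.1.0-0` would be classified as older than 10 and silently lose the directive, and the existing tests would not notice since the 9.x case is false either way. Comparing the major component sidesteps this and removes the unreachable error path: `return frrVersion.Major() >= 10, nil`. If the constraint form is kept instead, build it once at package scope rather than on every call, and give the function a doc comment stating why the directive is limited to FRR >= 10 — the commit title gives the rule but the code does not record the reason.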
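Review bot: The new parameter `enableNoBGPenforceFirstAs` of assembleVRFs mixes initialism casing with the helper `enableNoBGPEnforceFirstAS` that feeds it and the field `NoEnforceFirstAS` it is assigned to, so the three spellings of the same concept do not match; the parameter also reads as the name of a function rather than a flag. Name it after the field, `func assembleVRFs(kb config, noEnforceFirstAS bool) []VRF`, and use that name at the `NoEnforceFirstAS:` assignment in the following hunk. assembleVRFs's body continues beyond both hunks.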
@@ -14,6 +15,7 @@ func TestFrrConfigApplier(t *testing.T) {
 	tests := []struct {
 		name             string
 		input            string
+		frrVersion       *semver.Version
 		expectedOutput   string
 		configuratorType BareMetalType
 		tpl              string
@@ -74,6 +76,22 @@ func TestFrrConfigApplier(t *testing.T) {
 			configuratorType: Machine,
 			tpl:              TplMachineFRR,
 		},
+		{
+			name:             "standard firewall with lower frr version",
+			input:            "testdata/firewall.yaml",
+			frrVersion:       semver.MustParse("9.0.5-0"),
+			expectedOutput:   "testdata/frr.conf.firewall_frr-9",
+			configuratorType: Firewall,
+			tpl:              TplFirewallFRR,
+		},
+		{
+			name:             "standard firewall with higher frr version",
+			input:            "testdata/firewall.yaml",
+			frrVersion:       semver.MustParse("10.1.5"),
+			expectedOutput:   "testdata/frr.conf.firewall_frr-10",
+			configuratorType: Firewall,
+			tpl:              TplFirewallFRR,
+		},
 	}
 	for _, test := range tests {
 		test := test
@@ -81,7 +99,7 @@ func TestFrrConfigApplier(t *testing.T) {
 			log := slog.Default()
 			kb, err := New(log, test.input)
 			require.NoError(t, err)
-			a := NewFrrConfigApplier(test.configuratorType, *kb, "")
+			a := NewFrrConfigApplier(test.configuratorType, *kb, "", test.frrVersion)
 			b := bytes.Buffer{}
 			tpl := MustParseTpl(test.tpl)
 
@@ -112,3 +130,35 @@ func TestFRRValidator_Validate(t *testing.T) {
 	actual := validator.Validate()
 	require.Error(t, actual)
 }
+
+func Test_enableNoBGPEnforceFirstAS(t *testing.T) {
+	tests := []struct {
+		name       string
+		frrVersion *semver.Version
+		want       bool
+		wantErr    bool
+	}{
+		{
+			name:       "lower than 10",
+			frrVersion: semver.MustParse("9.0.1"),
+			want:       false,
+		},
+		{
+			name:       "higher than 10",
+			frrVersion: semver.MustParse("10.1.5"),
+			want:       true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := enableNoBGPEnforceFirstAS(tt.frrVersion)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("enableNoBGPEnforceFirstAS() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != tt.want {
+				t.Errorf("enableNoBGPEnforceFirstAS() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
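Review bot: Test_enableNoBGPEnforceFirstAS pins only `9.0.1` and `10.1.5`, so neither the `frrVersion == nil` branch — the value configurator.go now passes in production — nor the boundary `10.0.0` nor a pre-release-tagged version such as the `9.0.5-0` used a few hunks up in TestFrrConfigApplier is covered, and it is exactly the tagged 10.x form whose result is least obvious under a semver constraint. Add table entries for `frrVersion: nil, want: false`, for `semver.MustParse("10.0.0")`, and for a constructed tagged version like `semver.MustParse("10.0.0-0")` with the intended result stated explicitly. The `wantErr` field is never set in any case, so the error branch is dead test code and can go if the helper stops returning an error.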
diff --git a/pkg/netconf/netobjects.go b/pkg/netconf/netobjects.go
index d0e8760..c65f897 100644
--- a/pkg/netconf/netobjects.go
+++ b/pkg/netconf/netobjects.go
@@ -31,11 +31,12 @@ type (
 	// VRF represents data required to render VRF information into frr.conf.
 	VRF struct {
 		Identity
-		Table          int
-		VNI            int
-		ImportVRFNames []string
-		IPPrefixLists  []IPPrefixList
-		RouteMaps      []RouteMap
+		Table            int
+		VNI              int
+		ImportVRFNames   []string
+		IPPrefixLists    []IPPrefixList
+		RouteMaps        []RouteMap
+		NoEnforceFirstAS bool
 	}
 
 	// RouteMap represents a route-map to permit or deny routes.
diff --git a/pkg/netconf/testdata/frr.conf.firewall b/pkg/netconf/testdata/frr.conf.firewall
index 45a2e01..e684dba 100644
--- a/pkg/netconf/testdata/frr.conf.firewall
+++ b/pkg/netconf/testdata/frr.conf.firewall
@@ -61,7 +61,6 @@ router bgp 4200003073
 !
 router bgp 4200003073 vrf vrf3981
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -87,7 +86,6 @@ router bgp 4200003073 vrf vrf3981
 !
 router bgp 4200003073 vrf vrf3982
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -109,7 +107,6 @@ router bgp 4200003073 vrf vrf3982
 !
 router bgp 4200003073 vrf vrf104009
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -131,7 +128,6 @@ router bgp 4200003073 vrf vrf104009
 !
 router bgp 4200003073 vrf vrf104010
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
diff --git a/pkg/netconf/testdata/frr.conf.firewall_dmz b/pkg/netconf/testdata/frr.conf.firewall_dmz
index 4900f13..35fdfc8 100644
--- a/pkg/netconf/testdata/frr.conf.firewall_dmz
+++ b/pkg/netconf/testdata/frr.conf.firewall_dmz
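Review bot: The new `NoEnforceFirstAS bool` field on VRF carries no comment, although it appears to be the only VRF field whose value is derived from the FRR version rather than from the network definition, which a reader of netobjects.go alone cannot tell. Document what it renders and where the value comes from, e.g. `// NoEnforceFirstAS renders "no bgp enforce-first-as" in the VRF's BGP instance; set only when the FRR version supports it (>= 10).` The VRF struct sits inside a `type (` block that opens before the hunk.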
@@ -57,7 +57,6 @@ router bgp 4200003073
 !
 router bgp 4200003073 vrf vrf3981
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -81,7 +80,6 @@ router bgp 4200003073 vrf vrf3981
 !
 router bgp 4200003073 vrf vrf3983
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -105,7 +103,6 @@ router bgp 4200003073 vrf vrf3983
 !
 router bgp 4200003073 vrf vrf104009
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
diff --git a/pkg/netconf/testdata/frr.conf.firewall_dmz_app b/pkg/netconf/testdata/frr.conf.firewall_dmz_app
index d3d8063..0c6c82c 100644
--- a/pkg/netconf/testdata/frr.conf.firewall_dmz_app
+++ b/pkg/netconf/testdata/frr.conf.firewall_dmz_app
@@ -53,7 +53,6 @@ router bgp 4200003073
 !
 router bgp 4200003073 vrf vrf3981
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -75,7 +74,6 @@ router bgp 4200003073 vrf vrf3981
 !
 router bgp 4200003073 vrf vrf3983
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
diff --git a/pkg/netconf/testdata/frr.conf.firewall_dmz_app_storage b/pkg/netconf/testdata/frr.conf.firewall_dmz_app_storage
index 2e65320..a9c951d 100644
--- a/pkg/netconf/testdata/frr.conf.firewall_dmz_app_storage
+++ b/pkg/netconf/testdata/frr.conf.firewall_dmz_app_storage
@@ -57,7 +57,6 @@ router bgp 4200003073
 !
 router bgp 4200003073 vrf vrf3981
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -81,7 +80,6 @@ router bgp 4200003073 vrf vrf3981
 !
 router bgp 4200003073 vrf vrf3983
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -103,7 +101,6 @@ router bgp 4200003073 vrf vrf3983
 !
 router bgp 4200003073 vrf vrf3982
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
diff --git a/pkg/netconf/testdata/frr.conf.firewall_dualstack b/pkg/netconf/testdata/frr.conf.firewall_dualstack
index 70abc23..3a2c140 100644
--- a/pkg/netconf/testdata/frr.conf.firewall_dualstack
+++ b/pkg/netconf/testdata/frr.conf.firewall_dualstack
@@ -61,7 +61,6 @@ router bgp 4200003073
 !
 router bgp 4200003073 vrf vrf3981
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -87,7 +86,6 @@ router bgp 4200003073 vrf vrf3981
 !
 router bgp 4200003073 vrf vrf3982
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -109,7 +107,6 @@ router bgp 4200003073 vrf vrf3982
 !
 router bgp 4200003073 vrf vrf104009
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -131,7 +128,6 @@ router bgp 4200003073 vrf vrf104009
 !
 router bgp 4200003073 vrf vrf104010
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
diff --git a/pkg/netconf/testdata/frr.conf.firewall_frr-10 b/pkg/netconf/testdata/frr.conf.firewall_frr-10
new file mode 100644
index 0000000..45a2e01
--- /dev/null
+++ b/pkg/netconf/testdata/frr.conf.firewall_frr-10
@@ -0,0 +1,212 @@ +# This file was auto generated for machine: 'e0ab02d2-27cd-5a5e-8efc-080ba80cf258' by app version . +# Do not edit. +frr version 8.5 +frr defaults datacenter +hostname firewall +! +log syslog debugging +debug bgp updates +debug bgp nht +debug bgp update-groups +debug bgp zebra +! +vrf vrf3981 + vni 3981 + exit-vrf +! +vrf vrf3982 + vni 3982 + exit-vrf +! +vrf vrf104009 + vni 104009 + exit-vrf +! +vrf vrf104010 + vni 104010 + exit-vrf +! +interface lan0 + ipv6 nd ra-interval 6 + no ipv6 nd suppress-ra +! +interface lan1 + ipv6 nd ra-interval 6 + no ipv6 nd suppress-ra +! +router bgp 4200003073 + bgp router-id 10.1.0.1 + bgp bestpath as-path multipath-relax + neighbor FABRIC peer-group + neighbor FABRIC remote-as external + neighbor FABRIC timers 2 8 + neighbor lan0 interface peer-group FABRIC + neighbor lan1 interface peer-group FABRIC + ! + address-family ipv4 unicast + redistribute connected route-map LOOPBACKS + neighbor FABRIC route-map only-self-out out + exit-address-family + ! + address-family ipv6 unicast + redistribute connected route-map LOOPBACKS + neighbor FABRIC route-map only-self-out out + neighbor FABRIC activate + exit-address-family + ! + address-family l2vpn evpn + neighbor FABRIC activate + advertise-all-vni + exit-address-family +! +router bgp 4200003073 vrf vrf3981 + bgp router-id 10.1.0.1 + no bgp enforce-first-as + bgp bestpath as-path multipath-relax + ! + address-family ipv4 unicast + redistribute connected + import vrf vrf104009 + import vrf vrf104010 + import vrf vrf3982 + import vrf route-map vrf3981-import-map + exit-address-family + ! + address-family ipv6 unicast + redistribute connected + import vrf vrf104009 + import vrf vrf104010 + import vrf vrf3982 + import vrf route-map vrf3981-import-map + exit-address-family + ! + address-family l2vpn evpn + advertise ipv4 unicast + advertise ipv6 unicast + exit-address-family +! 
+router bgp 4200003073 vrf vrf3982 + bgp router-id 10.1.0.1 + no bgp enforce-first-as + bgp bestpath as-path multipath-relax + ! + address-family ipv4 unicast + redistribute connected + import vrf vrf3981 + import vrf route-map vrf3982-import-map + exit-address-family + ! + address-family ipv6 unicast + redistribute connected + import vrf vrf3981 + import vrf route-map vrf3982-import-map + exit-address-family + ! + address-family l2vpn evpn + advertise ipv4 unicast + advertise ipv6 unicast + exit-address-family +! +router bgp 4200003073 vrf vrf104009 + bgp router-id 10.1.0.1 + no bgp enforce-first-as + bgp bestpath as-path multipath-relax + ! + address-family ipv4 unicast + redistribute connected + import vrf vrf3981 + import vrf route-map vrf104009-import-map + exit-address-family + ! + address-family ipv6 unicast + redistribute connected + import vrf vrf3981 + import vrf route-map vrf104009-import-map + exit-address-family + ! + address-family l2vpn evpn + advertise ipv4 unicast + advertise ipv6 unicast + exit-address-family +! +router bgp 4200003073 vrf vrf104010 + bgp router-id 10.1.0.1 + no bgp enforce-first-as + bgp bestpath as-path multipath-relax + ! + address-family ipv4 unicast + redistribute connected + import vrf vrf3981 + import vrf route-map vrf104010-import-map + exit-address-family + ! + address-family ipv6 unicast + redistribute connected + import vrf vrf3981 + import vrf route-map vrf104010-import-map + exit-address-family + ! + address-family l2vpn evpn + advertise ipv4 unicast + advertise ipv6 unicast + exit-address-family +! 
+ip prefix-list vrf3981-import-from-vrf104009 permit 0.0.0.0/0 +ip prefix-list vrf3981-import-from-vrf104010 seq 101 permit 100.127.1.0/24 le 32 +ip prefix-list vrf3981-import-from-vrf104009 seq 102 deny 185.1.2.3/32 le 32 +ip prefix-list vrf3981-import-from-vrf104009 seq 103 permit 185.1.2.0/24 le 32 +ip prefix-list vrf3981-import-from-vrf104009 seq 104 permit 185.27.0.0/22 le 32 +ip prefix-list vrf3981-import-from-vrf104010 seq 105 permit 100.127.129.0/24 le 32 +ip prefix-list vrf3981-import-from-vrf3982 seq 106 permit 10.0.18.0/22 le 32 +route-map vrf3981-import-map permit 10 + match source-vrf vrf3982 + match ip address prefix-list vrf3981-import-from-vrf3982 +route-map vrf3981-import-map permit 20 + match source-vrf vrf104010 + match ip address prefix-list vrf3981-import-from-vrf104010 +route-map vrf3981-import-map permit 30 + match source-vrf vrf104009 + match ip address prefix-list vrf3981-import-from-vrf104009 +route-map vrf3981-import-map deny 40 +! +ip prefix-list vrf3982-import-from-vrf3981 seq 100 permit 10.0.16.0/22 le 32 +ip prefix-list vrf3982-import-from-vrf3981 seq 101 permit 10.0.18.0/22 le 32 +route-map vrf3982-import-map permit 10 + match source-vrf vrf3981 + match ip address prefix-list vrf3982-import-from-vrf3981 +route-map vrf3982-import-map deny 20 +! +ip prefix-list vrf104009-import-from-vrf3981-no-export seq 100 permit 10.0.16.0/22 le 32 +ip prefix-list vrf104009-import-from-vrf3981 seq 101 permit 185.1.2.0/24 le 32 +ip prefix-list vrf104009-import-from-vrf3981 seq 102 permit 185.27.0.0/22 le 32 +route-map vrf104009-import-map permit 10 + match source-vrf vrf3981 + match ip address prefix-list vrf104009-import-from-vrf3981-no-export + set community additive no-export +route-map vrf104009-import-map permit 20 + match source-vrf vrf3981 + match ip address prefix-list vrf104009-import-from-vrf3981 +route-map vrf104009-import-map deny 30 +! 
+ip prefix-list vrf104010-import-from-vrf3981-no-export seq 100 permit 10.0.16.0/22 le 32 +ip prefix-list vrf104010-import-from-vrf3981 seq 101 permit 100.127.129.0/24 le 32 +route-map vrf104010-import-map permit 10 + match source-vrf vrf3981 + match ip address prefix-list vrf104010-import-from-vrf3981-no-export + set community additive no-export +route-map vrf104010-import-map permit 20 + match source-vrf vrf3981 + match ip address prefix-list vrf104010-import-from-vrf3981 +route-map vrf104010-import-map deny 30 +! +route-map only-self-out permit 10 + match as-path SELF +route-map only-self-out deny 20 +! +route-map LOOPBACKS permit 10 + match interface lo +! +bgp as-path access-list SELF permit ^$ +! +line vty +! \ No newline at end of file diff --git a/pkg/netconf/testdata/frr.conf.firewall_frr-9 b/pkg/netconf/testdata/frr.conf.firewall_frr-9 new file mode 100644 index 0000000..e684dba --- /dev/null +++ b/pkg/netconf/testdata/frr.conf.firewall_frr-9 
@@ -0,0 +1,208 @@ +# This file was auto generated for machine: 'e0ab02d2-27cd-5a5e-8efc-080ba80cf258' by app version . +# Do not edit. +frr version 8.5 +frr defaults datacenter +hostname firewall +! +log syslog debugging +debug bgp updates +debug bgp nht +debug bgp update-groups +debug bgp zebra +! +vrf vrf3981 + vni 3981 + exit-vrf +! +vrf vrf3982 + vni 3982 + exit-vrf +! +vrf vrf104009 + vni 104009 + exit-vrf +! +vrf vrf104010 + vni 104010 + exit-vrf +! +interface lan0 + ipv6 nd ra-interval 6 + no ipv6 nd suppress-ra +! +interface lan1 + ipv6 nd ra-interval 6 + no ipv6 nd suppress-ra +! +router bgp 4200003073 + bgp router-id 10.1.0.1 + bgp bestpath as-path multipath-relax + neighbor FABRIC peer-group + neighbor FABRIC remote-as external + neighbor FABRIC timers 2 8 + neighbor lan0 interface peer-group FABRIC + neighbor lan1 interface peer-group FABRIC + ! + address-family ipv4 unicast + redistribute connected route-map LOOPBACKS + neighbor FABRIC route-map only-self-out out + exit-address-family + ! + address-family ipv6 unicast + redistribute connected route-map LOOPBACKS + neighbor FABRIC route-map only-self-out out + neighbor FABRIC activate + exit-address-family + ! + address-family l2vpn evpn + neighbor FABRIC activate + advertise-all-vni + exit-address-family +! +router bgp 4200003073 vrf vrf3981 + bgp router-id 10.1.0.1 + bgp bestpath as-path multipath-relax + ! + address-family ipv4 unicast + redistribute connected + import vrf vrf104009 + import vrf vrf104010 + import vrf vrf3982 + import vrf route-map vrf3981-import-map + exit-address-family + ! + address-family ipv6 unicast + redistribute connected + import vrf vrf104009 + import vrf vrf104010 + import vrf vrf3982 + import vrf route-map vrf3981-import-map + exit-address-family + ! + address-family l2vpn evpn + advertise ipv4 unicast + advertise ipv6 unicast + exit-address-family +! +router bgp 4200003073 vrf vrf3982 + bgp router-id 10.1.0.1 + bgp bestpath as-path multipath-relax + ! 
+ address-family ipv4 unicast + redistribute connected + import vrf vrf3981 + import vrf route-map vrf3982-import-map + exit-address-family + ! + address-family ipv6 unicast + redistribute connected + import vrf vrf3981 + import vrf route-map vrf3982-import-map + exit-address-family + ! + address-family l2vpn evpn + advertise ipv4 unicast + advertise ipv6 unicast + exit-address-family +! +router bgp 4200003073 vrf vrf104009 + bgp router-id 10.1.0.1 + bgp bestpath as-path multipath-relax + ! + address-family ipv4 unicast + redistribute connected + import vrf vrf3981 + import vrf route-map vrf104009-import-map + exit-address-family + ! + address-family ipv6 unicast + redistribute connected + import vrf vrf3981 + import vrf route-map vrf104009-import-map + exit-address-family + ! + address-family l2vpn evpn + advertise ipv4 unicast + advertise ipv6 unicast + exit-address-family +! +router bgp 4200003073 vrf vrf104010 + bgp router-id 10.1.0.1 + bgp bestpath as-path multipath-relax + ! + address-family ipv4 unicast + redistribute connected + import vrf vrf3981 + import vrf route-map vrf104010-import-map + exit-address-family + ! + address-family ipv6 unicast + redistribute connected + import vrf vrf3981 + import vrf route-map vrf104010-import-map + exit-address-family + ! + address-family l2vpn evpn + advertise ipv4 unicast + advertise ipv6 unicast + exit-address-family +! 
+ip prefix-list vrf3981-import-from-vrf104009 permit 0.0.0.0/0 +ip prefix-list vrf3981-import-from-vrf104010 seq 101 permit 100.127.1.0/24 le 32 +ip prefix-list vrf3981-import-from-vrf104009 seq 102 deny 185.1.2.3/32 le 32 +ip prefix-list vrf3981-import-from-vrf104009 seq 103 permit 185.1.2.0/24 le 32 +ip prefix-list vrf3981-import-from-vrf104009 seq 104 permit 185.27.0.0/22 le 32 +ip prefix-list vrf3981-import-from-vrf104010 seq 105 permit 100.127.129.0/24 le 32 +ip prefix-list vrf3981-import-from-vrf3982 seq 106 permit 10.0.18.0/22 le 32 +route-map vrf3981-import-map permit 10 + match source-vrf vrf3982 + match ip address prefix-list vrf3981-import-from-vrf3982 +route-map vrf3981-import-map permit 20 + match source-vrf vrf104010 + match ip address prefix-list vrf3981-import-from-vrf104010 +route-map vrf3981-import-map permit 30 + match source-vrf vrf104009 + match ip address prefix-list vrf3981-import-from-vrf104009 +route-map vrf3981-import-map deny 40 +! +ip prefix-list vrf3982-import-from-vrf3981 seq 100 permit 10.0.16.0/22 le 32 +ip prefix-list vrf3982-import-from-vrf3981 seq 101 permit 10.0.18.0/22 le 32 +route-map vrf3982-import-map permit 10 + match source-vrf vrf3981 + match ip address prefix-list vrf3982-import-from-vrf3981 +route-map vrf3982-import-map deny 20 +! +ip prefix-list vrf104009-import-from-vrf3981-no-export seq 100 permit 10.0.16.0/22 le 32 +ip prefix-list vrf104009-import-from-vrf3981 seq 101 permit 185.1.2.0/24 le 32 +ip prefix-list vrf104009-import-from-vrf3981 seq 102 permit 185.27.0.0/22 le 32 +route-map vrf104009-import-map permit 10 + match source-vrf vrf3981 + match ip address prefix-list vrf104009-import-from-vrf3981-no-export + set community additive no-export +route-map vrf104009-import-map permit 20 + match source-vrf vrf3981 + match ip address prefix-list vrf104009-import-from-vrf3981 +route-map vrf104009-import-map deny 30 +! 
+ip prefix-list vrf104010-import-from-vrf3981-no-export seq 100 permit 10.0.16.0/22 le 32
+ip prefix-list vrf104010-import-from-vrf3981 seq 101 permit 100.127.129.0/24 le 32
+route-map vrf104010-import-map permit 10
+ match source-vrf vrf3981
+ match ip address prefix-list vrf104010-import-from-vrf3981-no-export
+ set community additive no-export
+route-map vrf104010-import-map permit 20
+ match source-vrf vrf3981
+ match ip address prefix-list vrf104010-import-from-vrf3981
+route-map vrf104010-import-map deny 30
+!
+route-map only-self-out permit 10
+ match as-path SELF
+route-map only-self-out deny 20
+!
+route-map LOOPBACKS permit 10
+ match interface lo
+!
+bgp as-path access-list SELF permit ^$
+!
+line vty
+!
\ No newline at end of file
diff --git a/pkg/netconf/testdata/frr.conf.firewall_ipv6 b/pkg/netconf/testdata/frr.conf.firewall_ipv6
index 5268f1b..984ffed 100644
--- a/pkg/netconf/testdata/frr.conf.firewall_ipv6
+++ b/pkg/netconf/testdata/frr.conf.firewall_ipv6
@@ -61,7 +61,6 @@ router bgp 4200003073
 !
 router bgp 4200003073 vrf vrf3981
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -87,7 +86,6 @@ router bgp 4200003073 vrf vrf3981
 !
 router bgp 4200003073 vrf vrf3982
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -109,7 +107,6 @@ router bgp 4200003073 vrf vrf3982
 !
 router bgp 4200003073 vrf vrf104009
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -131,7 +128,6 @@ router bgp 4200003073 vrf vrf104009
 !
 router bgp 4200003073 vrf vrf104010
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
diff --git a/pkg/netconf/testdata/frr.conf.firewall_shared b/pkg/netconf/testdata/frr.conf.firewall_shared
index 1a4c62b..67cead6 100644
--- a/pkg/netconf/testdata/frr.conf.firewall_shared
+++ b/pkg/netconf/testdata/frr.conf.firewall_shared
@@ -53,7 +53,6 @@ router bgp 4200003073
 !
 router bgp 4200003073 vrf vrf3982
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
@@ -75,7 +74,6 @@ router bgp 4200003073 vrf vrf3982
 !
 router bgp 4200003073 vrf vrf104009
  bgp router-id 10.1.0.1
- no bgp enforce-first-as
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast
diff --git a/pkg/netconf/tpl/frr.firewall.tpl b/pkg/netconf/tpl/frr.firewall.tpl
index cbf2f25..586c880 100644
--- a/pkg/netconf/tpl/frr.firewall.tpl
+++ b/pkg/netconf/tpl/frr.firewall.tpl
@@ -54,7 +54,9 @@ router bgp {{ .ASN }}
 {{- range .VRFs }}
 router bgp {{ $ASN }} vrf vrf{{ .ID }}
  bgp router-id {{ $RouterId }}
+{{- if .NoEnforceFirstAS }}
  no bgp enforce-first-as
+{{- end }}
  bgp bestpath as-path multipath-relax
  !
  address-family ipv4 unicast