1 files changed, 32 insertions, 6 deletions

diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py
index cd46cbcb4..ff568d470 100755
--- a/src/conf_mode/protocols_bgp.py
+++ b/src/conf_mode/protocols_bgp.py
@@ -19,6 +19,7 @@ import os
 from sys import exit
 from sys import argv
 
+from vyos.base import Warning
 from vyos.config import Config
 from vyos.configdict import dict_merge
 from vyos.configverify import verify_prefix_list
@@ -100,6 +101,17 @@ def verify_remote_as(peer_config, bgp_config):
 
     return None
 
+def verify_afi(peer_config, bgp_config):
+    if 'address_family' in peer_config:
+        return True
+
+    if 'peer_group' in peer_config:
+        peer_group_name = peer_config['peer_group']
+        tmp = dict_search(f'peer_group.{peer_group_name}.address_family', bgp_config)
+        if tmp: return True
+
+    return False
+
 def verify(bgp):
     if not bgp or 'deleted' in bgp:
         if 'dependent_vrfs' in bgp:
@@ -109,8 +121,8 @@ def verify(bgp):
                                       'dependent VRF instance(s) exist!')
         return None
 
-    if 'local_as' not in bgp:
-        raise ConfigError('BGP local-as number must be defined!')
+    if 'system_as' not in bgp:
+        raise ConfigError('BGP system-as number must be defined!')
 
     # Common verification for both peer-group and neighbor statements
     for neighbor in ['neighbor', 'peer_group']:
@@ -135,8 +147,8 @@ def verify(bgp):
                 # Neighbor local-as override can not be the same as the local-as
                 # we use for this BGP instane!
                 asn = list(peer_config['local_as'].keys())[0]
-                if asn == bgp['local_as']:
-                    raise ConfigError('Cannot have local-as same as BGP AS number')
+                if asn == bgp['system_as']:
+                    raise ConfigError('Cannot have local-as same as system-as number')
 
                 # Neighbor AS specified for local-as and remote-as can not be the same
                 if dict_search('remote_as', peer_config) == asn:
@@ -147,6 +159,11 @@ def verify(bgp):
             if 'ebgp_multihop' in peer_config and 'ttl_security' in peer_config:
                 raise ConfigError('You can not set both ebgp-multihop and ttl-security hops')
 
+            # interface and ebgp-multihop can't be used in the same configration
+            if 'ebgp_multihop' in peer_config and 'interface' in peer_config:
+                raise ConfigError(f'Ebgp-multihop can not be used with directly connected '\
+                                  f'neighbor "{peer}"')
+
             # Check if neighbor has both override capability and strict capability match
             # configured at the same time.
             if 'override_capability' in peer_config and 'strict_capability_match' in peer_config:
@@ -164,6 +181,9 @@ def verify(bgp):
                 if not verify_remote_as(peer_config, bgp):
                     raise ConfigError(f'Neighbor "{peer}" remote-as must be set!')
 
+                if not verify_afi(peer_config, bgp):
+                    Warning(f'BGP neighbor "{peer}" requires address-family!')
+
                 # Peer-group member cannot override remote-as of peer-group
                 if 'peer_group' in peer_config:
                     peer_group = peer_config['peer_group']
@@ -198,6 +218,12 @@ def verify(bgp):
                     if 'source_interface' in peer_config['interface']:
                         raise ConfigError(f'"source-interface" option not allowed for neighbor "{peer}"')
 
+            # Local-AS allowed only for EBGP peers
+            if 'local_as' in peer_config:
+                remote_as = verify_remote_as(peer_config, bgp)
+                if remote_as == bgp['system_as']:
+                    raise ConfigError(f'local-as configured for "{peer}", allowed only for eBGP peers!')
+
             for afi in ['ipv4_unicast', 'ipv4_multicast', 'ipv4_labeled_unicast', 'ipv4_flowspec',
                         'ipv6_unicast', 'ipv6_multicast', 'ipv6_labeled_unicast', 'ipv6_flowspec',
                         'l2vpn_evpn']:
@@ -258,12 +284,12 @@ def verify(bgp):
                             verify_route_map(afi_config['route_map'][tmp], bgp)
 
                 if 'route_reflector_client' in afi_config:
-                    if 'remote_as' in peer_config and peer_config['remote_as'] != 'internal' and peer_config['remote_as'] != bgp['local_as']:
+                    if 'remote_as' in peer_config and peer_config['remote_as'] != 'internal' and peer_config['remote_as'] != bgp['system_as']:
                         raise ConfigError('route-reflector-client only supported for iBGP peers')
                     else:
                         if 'peer_group' in peer_config:
                             peer_group_as = dict_search(f'peer_group.{peer_group}.remote_as', bgp)
-                            if peer_group_as != None and peer_group_as != 'internal' and peer_group_as != bgp['local_as']:
+                            if peer_group_as != None and peer_group_as != 'internal' and peer_group_as != bgp['system_as']:
                                 raise ConfigError('route-reflector-client only supported for iBGP peers')
 
     # Throw an error if a peer group is not configured for allow range