1 files changed, 42 insertions, 13 deletions

diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py
index 54352460c..7dede74a1 100755
--- a/src/conf_mode/protocols_bgp.py
+++ b/src/conf_mode/protocols_bgp.py
@@ -20,9 +20,11 @@ from sys import exit
 
 from vyos.config import Config
 from vyos.configdict import dict_merge
+from vyos.template import is_ip
 from vyos.template import render_to_string
 from vyos.util import call
 from vyos.util import dict_search
+from vyos.validate import is_addr_assigned
 from vyos import ConfigError
 from vyos import frr
 from vyos import airbag
@@ -54,6 +56,26 @@ def get_config(config=None):
 
     return bgp
 
+def verify_remote_as(peer_config, asn_config):
+    if 'remote_as' in peer_config:
+        return peer_config['remote_as']
+
+    if 'peer_group' in peer_config:
+        peer_group_name = peer_config['peer_group']
+        tmp = dict_search(f'peer_group.{peer_group_name}.remote_as', asn_config)
+        if tmp: return tmp
+
+    if 'interface' in peer_config:
+        if 'remote_as' in peer_config['interface']:
+            return peer_config['interface']['remote_as']
+
+        if 'peer_group' in peer_config['interface']:
+            peer_group_name = peer_config['interface']['peer_group']
+            tmp = dict_search(f'peer_group.{peer_group_name}.remote_as', asn_config)
+            if tmp: return tmp
+
+    return None
+
 def verify(bgp):
     if not bgp:
         return None
@@ -75,22 +97,29 @@ def verify(bgp):
                 # Check if the configure peer-group exists
                 if 'peer_group' in peer_config:
                     peer_group = peer_config['peer_group']
-                    if peer_group not in asn_config['peer_group']:
+                    if 'peer_group' not in asn_config or peer_group not in asn_config['peer_group']:
                         raise ConfigError(f'Specified peer-group "{peer_group}" for '\
                                           f'neighbor "{neighbor}" does not exist!')
 
-                # Some checks can/must only be done on a neighbor and nor a peer-group
+                # ttl-security and ebgp-multihop can't be used in the same configration
+                if 'ebgp_multihop' in peer_config and 'ttl_security' in peer_config:
+                    raise ConfigError('You can\'t set both ebgp-multihop and ttl-security hops')
+
+                # Check spaces in the password
+                if 'password' in peer_config and ' ' in peer_config['password']:
+                    raise ConfigError('You can\'t use spaces in the password')
+
+                # Some checks can/must only be done on a neighbor and not a peer-group
                 if neighbor == 'neighbor':
                     # remote-as must be either set explicitly for the neighbor
                     # or for the entire peer-group
-                    if 'interface' in peer_config:
-                        if 'remote_as' not in peer_config['interface']:
-                            if 'peer_group' not in peer_config['interface'] or 'remote_as' not in asn_config['peer_group'][ peer_config['interface']['peer_group'] ]:
-                                raise ConfigError('Remote AS must be set for neighbor or peer-group!')
+                    if not verify_remote_as(peer_config, asn_config):
+                        raise ConfigError(f'Neighbor "{peer}" remote-as must be set!')
 
-                    elif 'remote_as' not in peer_config:
-                        if 'peer_group' not in peer_config or 'remote_as' not in asn_config['peer_group'][ peer_config['peer_group'] ]:
-                            raise ConfigError('Remote AS must be set for neighbor or peer-group!')
+                    # Only checks for ipv4 and ipv6 neighbors
+                    # Check if neighbor address is assigned as system interface address
+                    if is_ip(peer) and is_addr_assigned(peer):
+                        raise ConfigError(f'Can\'t configure local address as neighbor "{peer}"')
 
                 for afi in ['ipv4_unicast', 'ipv6_unicast', 'l2vpn_evpn']:
                     # Bail out early if address family is not configured
@@ -127,10 +156,10 @@ def verify(bgp):
                         if 'remote_as' in peer_config and asn != peer_config['remote_as']:
                             raise ConfigError('route-reflector-client only supported for iBGP peers')
                         else:
-                            peer_group_as = dict_search(f'peer_group.{peer_group}.remote_as', asn_config)
-                            if 'peer_group' in peer_config and peer_group_as != None and peer_group_as != asn:
-                                raise ConfigError('route-reflector-client only supported for iBGP peers')
-
+                            if 'peer_group' in peer_config:
+                                peer_group_as = dict_search(f'peer_group.{peer_group}.remote_as', asn_config)
+                                if peer_group_as != None and peer_group_as != asn:
+                                    raise ConfigError('route-reflector-client only supported for iBGP peers')
 
         # Throw an error if a peer group is not configured for allow range
         for prefix in dict_search('listen.range', asn_config) or []: