vrf: T4419: support to disable IP forwarding within a given VRF

3 files changed, 52 insertions, 2 deletions

diff --git a/interface-definitions/vrf.xml.in b/interface-definitions/vrf.xml.in
index 14c31fa8a..25a573887 100644
--- a/interface-definitions/vrf.xml.in
+++ b/interface-definitions/vrf.xml.in
@@ -28,6 +28,22 @@
         <children>
           #include <include/interface/description.xml.i>
           #include <include/interface/disable.xml.i>
+          <node name="ip">
+            <properties>
+              <help>IPv4 routing parameters</help>
+            </properties>
+            <children>
+              #include <include/interface/disable-forwarding.xml.i>
+            </children>
+          </node>
+          <node name="ipv6">
+            <properties>
+              <help>IPv6 routing parameters</help>
+            </properties>
+            <children>
+              #include <include/interface/disable-forwarding.xml.i>
+            </children>
+          </node>
           <node name="protocols">
             <properties>
               <help>Routing protocol parameters</help>
diff --git a/smoketest/scripts/cli/test_vrf.py b/smoketest/scripts/cli/test_vrf.py
index ff18f7261..176c095fb 100755
--- a/smoketest/scripts/cli/test_vrf.py
+++ b/smoketest/scripts/cli/test_vrf.py
@@ -127,6 +127,9 @@ class VRFTest(VyOSUnitTestSHIM.TestCase):
         for vrf in vrfs:
             # Ensure VRF was created
             self.assertIn(vrf, interfaces())
+            # Verify IP forwarding is 1 (enabled)
+            self.assertEqual(read_file(f'/proc/sys/net/ipv4/conf/{vrf}/forwarding'), '1')
+            self.assertEqual(read_file(f'/proc/sys/net/ipv6/conf/{vrf}/forwarding'), '1')
             # Test for proper loopback IP assignment
             for addr in loopbacks:
                 self.assertTrue(is_intf_addr_assigned(vrf, addr))
@@ -267,5 +270,26 @@ class VRFTest(VyOSUnitTestSHIM.TestCase):
         self.cli_delete(['interfaces', 'dummy', interface])
         self.cli_commit()
 
+    def test_vrf_disable_forwarding(self):
+        table = '2000'
+        for vrf in vrfs:
+            base = base_path + ['name', vrf]
+            self.cli_set(base + ['table', table])
+            self.cli_set(base + ['ip', 'disable-forwarding'])
+            self.cli_set(base + ['ipv6', 'disable-forwarding'])
+            table = str(int(table) + 1)
+
+        # commit changes
+        self.cli_commit()
+
+        # Verify VRF configuration
+        loopbacks = ['127.0.0.1', '::1']
+        for vrf in vrfs:
+            # Ensure VRF was created
+            self.assertIn(vrf, interfaces())
+            # Verify IP forwarding is 0 (disabled)
+            self.assertEqual(read_file(f'/proc/sys/net/ipv4/conf/{vrf}/forwarding'), '0')
+            self.assertEqual(read_file(f'/proc/sys/net/ipv6/conf/{vrf}/forwarding'), '0')
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/src/conf_mode/vrf.py b/src/conf_mode/vrf.py
index f2d041083..972d0289b 100755
--- a/src/conf_mode/vrf.py
+++ b/src/conf_mode/vrf.py
@@ -83,7 +83,8 @@ def get_config(config=None):
         conf = Config()
 
     base = ['vrf']
-    vrf = conf.get_config_dict(base, get_first_key=True)
+    vrf = conf.get_config_dict(base, key_mangling=('-', '_'),
+                               no_tag_node_value_mangle=True, get_first_key=True)
 
     # determine which VRF has been removed
     for name in node_changed(conf, base + ['name']):
@@ -152,7 +153,7 @@ def apply(vrf):
 
     # set the default VRF global behaviour
     bind_all = '0'
-    if 'bind-to-all' in vrf:
+    if 'bind_to_all' in vrf:
         bind_all = '1'
     sysctl_write('net.ipv4.tcp_l3mdev_accept', bind_all)
     sysctl_write('net.ipv4.udp_l3mdev_accept', bind_all)
@@ -222,6 +223,15 @@ def apply(vrf):
             # add VRF description if available
             vrf_if.set_alias(config.get('description', ''))
 
+            # Enable/Disable IPv4 forwarding
+            tmp = dict_search('ip.disable_forwarding', config)
+            value = '0' if (tmp != None) else '1'
+            vrf_if.set_ipv4_forwarding(value)
+            # Enable/Disable IPv6 forwarding
+            tmp = dict_search('ipv6.disable_forwarding', config)
+            value = '0' if (tmp != None) else '1'
+            vrf_if.set_ipv6_forwarding(value)
+
             # Enable/Disable of an interface must always be done at the end of the
             # derived class to make use of the ref-counting set_admin_state()
             # function. We will only enable the interface if 'up' was called as