srv6: T591: enable SR enabled packet processing on defined interfaces

The Linux Kernel needs to be told if IPv6 SR enabled packets whether should be processed or not. This is done using /proc/sys/net/conf/<iface>/seg6_* variables: seg6_enabled - BOOL Accept or drop SR-enabled IPv6 packets on this interface. Relevant packets are those with SRH present and DA = local. 0 - disabled (default) not 0 - enabled Or the VyOS CLI command: * set protocols segment-routing interface eth0 srv6
author: Christian Breunig <christian@breunig.cc> 2023-12-20 22:38:52 +0100
committer: Christian Breunig <christian@breunig.cc> 2023-12-20 22:38:52 +0100
commit: 774cc97eda61eb0b91df820797fb3c705d0073d5 (patch)
tree: 84d94d5132b3f184bcc62f34541c05f0c4652745 /smoketest/scripts
parent: 10701108fecb36f7be7eb7ef5f1e54e63da5fb4e (diff)
download: vyos-1x-774cc97eda61eb0b91df820797fb3c705d0073d5.tar.gz
vyos-1x-774cc97eda61eb0b91df820797fb3c705d0073d5.zip
1 files changed, 42 insertions, 0 deletions
diff --git a/smoketest/scripts/cli/test_protocols_segment_routing.py b/smoketest/scripts/cli/test_protocols_segment_routing.py
index 81d42b925..403c05924 100755
--- a/smoketest/scripts/cli/test_protocols_segment_routing.py
+++ b/smoketest/scripts/cli/test_protocols_segment_routing.py
@@ -20,8 +20,10 @@ import unittest
 from base_vyostest_shim import VyOSUnitTestSHIM
 
 from vyos.configsession import ConfigSessionError
+from vyos.ifconfig import Section
 from vyos.utils.process import cmd
 from vyos.utils.process import process_named_running
+from vyos.utils.system import sysctl_read
 
 base_path = ['protocols', 'segment-routing']
 PROCESS_NAME = 'zebra'
@@ -45,6 +47,7 @@ class TestProtocolsSegmentRouting(VyOSUnitTestSHIM.TestCase):
         self.assertEqual(self.daemon_pid, process_named_running(PROCESS_NAME))
 
     def test_srv6(self):
+        interfaces = Section.interfaces('ethernet', vlan=False)
         locators = {
             'foo' : { 'prefix' : '2001:a::/64' },
             'foo' : { 'prefix' : '2001:b::/64', 'usid' : {} },
@@ -55,8 +58,18 @@ class TestProtocolsSegmentRouting(VyOSUnitTestSHIM.TestCase):
             if 'usid' in locator_config:
                 self.cli_set(base_path + ['srv6', 'locator', locator, 'behavior-usid'])
 
+        # verify() - SRv6 should be enabled on at least one interface!
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface, 'srv6'])
+
         self.cli_commit()
 
+        for interface in interfaces:
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{interface}.seg6_enabled'), '1')
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{interface}.seg6_require_hmac'), '0') # default
+
         frrconfig = self.getFRRconfig(f'segment-routing', daemon='zebra')
         self.assertIn(f'segment-routing', frrconfig)
         self.assertIn(f' srv6', frrconfig)
@@ -65,6 +78,35 @@ class TestProtocolsSegmentRouting(VyOSUnitTestSHIM.TestCase):
             self.assertIn(f'   locator {locator}', frrconfig)
             self.assertIn(f'    prefix {locator_config["prefix"]} block-len 40 node-len 24 func-bits 16', frrconfig)
 
+    def test_srv6_sysctl(self):
+        interfaces = Section.interfaces('ethernet', vlan=False)
+
+        # HMAC accept
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface, 'srv6'])
+            self.cli_set(base_path + ['interface', interface, 'srv6', 'hmac', 'ignore'])
+        self.cli_commit()
+
+        for interface in interfaces:
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{interface}.seg6_enabled'), '1')
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{interface}.seg6_require_hmac'), '-1') # ignore
+
+        # HMAC drop
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface, 'srv6'])
+            self.cli_set(base_path + ['interface', interface, 'srv6', 'hmac', 'drop'])
+        self.cli_commit()
+
+        for interface in interfaces:
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{interface}.seg6_enabled'), '1')
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{interface}.seg6_require_hmac'), '1') # drop
+
+        # Disable SRv6 on first interface
+        first_if = interfaces[-1]
+        self.cli_delete(base_path + ['interface', first_if])
+        self.cli_commit()
+
+        self.assertEqual(sysctl_read(f'net.ipv6.conf.{first_if}.seg6_enabled'), '0')
 
 if __name__ == '__main__':
     unittest.main(verbosity=2)
author	Christian Breunig <christian@breunig.cc>	2023-12-20 22:38:52 +0100
committer	Christian Breunig <christian@breunig.cc>	2023-12-20 22:38:52 +0100
commit	774cc97eda61eb0b91df820797fb3c705d0073d5 (patch)
tree	84d94d5132b3f184bcc62f34541c05f0c4652745 /smoketest/scripts
parent	10701108fecb36f7be7eb7ef5f1e54e63da5fb4e (diff)
download	vyos-1x-774cc97eda61eb0b91df820797fb3c705d0073d5.tar.gz vyos-1x-774cc97eda61eb0b91df820797fb3c705d0073d5.zip