Merge pull request #2674 from vyos/mergify/bp/sagitta/pr-2663

srv6: T591: enable SR enabled packet processing on defined interfaces (backport #2663)
author: Daniil Baturin <daniil@vyos.io> 2023-12-21 15:32:36 +0000
committer: GitHub <noreply@github.com> 2023-12-21 15:32:36 +0000
commit: c9b71b0669924da41dc50632bdcaed710f03d4d7 (patch)
tree: 30a3eada0c894fb0ff07f83b360f9535c5d43627 /smoketest
parent: 5c91424daafbee512f7c87caa418cd05f0bc4633 (diff)
parent: 0ee2f8285c81878687a9f92e6a3b0f10c4d75584 (diff)
download: vyos-1x-c9b71b0669924da41dc50632bdcaed710f03d4d7.tar.gz
vyos-1x-c9b71b0669924da41dc50632bdcaed710f03d4d7.zip
2 files changed, 55 insertions, 8 deletions
diff --git a/smoketest/scripts/cli/test_protocols_segment_routing.py b/smoketest/scripts/cli/test_protocols_segment_routing.py
index 81d42b925..403c05924 100755
--- a/smoketest/scripts/cli/test_protocols_segment_routing.py
+++ b/smoketest/scripts/cli/test_protocols_segment_routing.py
@@ -20,8 +20,10 @@ import unittest
 from base_vyostest_shim import VyOSUnitTestSHIM
 
 from vyos.configsession import ConfigSessionError
+from vyos.ifconfig import Section
 from vyos.utils.process import cmd
 from vyos.utils.process import process_named_running
+from vyos.utils.system import sysctl_read
 
 base_path = ['protocols', 'segment-routing']
 PROCESS_NAME = 'zebra'
@@ -45,6 +47,7 @@ class TestProtocolsSegmentRouting(VyOSUnitTestSHIM.TestCase):
         self.assertEqual(self.daemon_pid, process_named_running(PROCESS_NAME))
 
     def test_srv6(self):
+        interfaces = Section.interfaces('ethernet', vlan=False)
         locators = {
             'foo' : { 'prefix' : '2001:a::/64' },
             'foo' : { 'prefix' : '2001:b::/64', 'usid' : {} },
@@ -55,8 +58,18 @@ class TestProtocolsSegmentRouting(VyOSUnitTestSHIM.TestCase):
             if 'usid' in locator_config:
                 self.cli_set(base_path + ['srv6', 'locator', locator, 'behavior-usid'])
 
+        # verify() - SRv6 should be enabled on at least one interface!
+        with self.assertRaises(ConfigSessionError):
+            self.cli_commit()
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface, 'srv6'])
+
         self.cli_commit()
 
+        for interface in interfaces:
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{interface}.seg6_enabled'), '1')
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{interface}.seg6_require_hmac'), '0') # default
+
         frrconfig = self.getFRRconfig(f'segment-routing', daemon='zebra')
         self.assertIn(f'segment-routing', frrconfig)
         self.assertIn(f' srv6', frrconfig)
@@ -65,6 +78,35 @@ class TestProtocolsSegmentRouting(VyOSUnitTestSHIM.TestCase):
             self.assertIn(f'   locator {locator}', frrconfig)
             self.assertIn(f'    prefix {locator_config["prefix"]} block-len 40 node-len 24 func-bits 16', frrconfig)
 
+    def test_srv6_sysctl(self):
+        interfaces = Section.interfaces('ethernet', vlan=False)
+
+        # HMAC accept
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface, 'srv6'])
+            self.cli_set(base_path + ['interface', interface, 'srv6', 'hmac', 'ignore'])
+        self.cli_commit()
+
+        for interface in interfaces:
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{interface}.seg6_enabled'), '1')
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{interface}.seg6_require_hmac'), '-1') # ignore
+
+        # HMAC drop
+        for interface in interfaces:
+            self.cli_set(base_path + ['interface', interface, 'srv6'])
+            self.cli_set(base_path + ['interface', interface, 'srv6', 'hmac', 'drop'])
+        self.cli_commit()
+
+        for interface in interfaces:
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{interface}.seg6_enabled'), '1')
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{interface}.seg6_require_hmac'), '1') # drop
+
+        # Disable SRv6 on first interface
+        first_if = interfaces[-1]
+        self.cli_delete(base_path + ['interface', first_if])
+        self.cli_commit()
+
+        self.assertEqual(sysctl_read(f'net.ipv6.conf.{first_if}.seg6_enabled'), '0')
 
 if __name__ == '__main__':
     unittest.main(verbosity=2)
diff --git a/smoketest/scripts/cli/test_vrf.py b/smoketest/scripts/cli/test_vrf.py
index bb91eddea..6207a1b41 100755
--- a/smoketest/scripts/cli/test_vrf.py
+++ b/smoketest/scripts/cli/test_vrf.py
@@ -30,6 +30,7 @@ from vyos.utils.process import cmd
 from vyos.utils.file import read_file
 from vyos.utils.network import get_interface_config
 from vyos.utils.network import is_intf_addr_assigned
+from vyos.utils.system import sysctl_read
 
 base_path = ['vrf']
 vrfs = ['red', 'green', 'blue', 'foo-bar', 'baz_foo']
@@ -58,6 +59,8 @@ class VRFTest(VyOSUnitTestSHIM.TestCase):
         self.cli_commit()
         for vrf in vrfs:
             self.assertNotIn(vrf, interfaces())
+        # If there is no VRF defined, strict_mode should be off
+        self.assertEqual(sysctl_read('net.vrf.strict_mode'), '0')
 
     def test_vrf_vni_and_table_id(self):
         base_table = '1000'
@@ -130,8 +133,9 @@ class VRFTest(VyOSUnitTestSHIM.TestCase):
             # Ensure VRF was created
             self.assertIn(vrf, interfaces())
             # Verify IP forwarding is 1 (enabled)
-            self.assertEqual(read_file(f'/proc/sys/net/ipv4/conf/{vrf}/forwarding'), '1')
-            self.assertEqual(read_file(f'/proc/sys/net/ipv6/conf/{vrf}/forwarding'), '1')
+            self.assertEqual(sysctl_read(f'net.ipv4.conf.{vrf}.forwarding'), '1')
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{vrf}.forwarding'), '1')
+
             # Test for proper loopback IP assignment
             for addr in loopbacks:
                 self.assertTrue(is_intf_addr_assigned(vrf, addr))
@@ -149,10 +153,11 @@ class VRFTest(VyOSUnitTestSHIM.TestCase):
         self.cli_commit()
 
         # Verify VRF configuration
-        tmp = read_file('/proc/sys/net/ipv4/tcp_l3mdev_accept')
-        self.assertIn(tmp, '1')
-        tmp = read_file('/proc/sys/net/ipv4/udp_l3mdev_accept')
-        self.assertIn(tmp, '1')
+        self.assertEqual(sysctl_read('net.ipv4.tcp_l3mdev_accept'), '1')
+        self.assertEqual(sysctl_read('net.ipv4.udp_l3mdev_accept'), '1')
+
+        # If there is any VRF defined, strict_mode should be on
+        self.assertEqual(sysctl_read('net.vrf.strict_mode'), '1')
 
     def test_vrf_table_id_is_unalterable(self):
         # Linux Kernel prohibits the change of a VRF table  on the fly.
@@ -290,8 +295,8 @@ class VRFTest(VyOSUnitTestSHIM.TestCase):
             # Ensure VRF was created
             self.assertIn(vrf, interfaces())
             # Verify IP forwarding is 0 (disabled)
-            self.assertEqual(read_file(f'/proc/sys/net/ipv4/conf/{vrf}/forwarding'), '0')
-            self.assertEqual(read_file(f'/proc/sys/net/ipv6/conf/{vrf}/forwarding'), '0')
+            self.assertEqual(sysctl_read(f'net.ipv4.conf.{vrf}.forwarding'), '0')
+            self.assertEqual(sysctl_read(f'net.ipv6.conf.{vrf}.forwarding'), '0')
 
     def test_vrf_ip_protocol_route_map(self):
         table = '6000'
author	Daniil Baturin <daniil@vyos.io>	2023-12-21 15:32:36 +0000
committer	GitHub <noreply@github.com>	2023-12-21 15:32:36 +0000
commit	c9b71b0669924da41dc50632bdcaed710f03d4d7 (patch)
tree	30a3eada0c894fb0ff07f83b360f9535c5d43627 /smoketest
parent	5c91424daafbee512f7c87caa418cd05f0bc4633 (diff)
parent	0ee2f8285c81878687a9f92e6a3b0f10c4d75584 (diff)
download	vyos-1x-c9b71b0669924da41dc50632bdcaed710f03d4d7.tar.gz vyos-1x-c9b71b0669924da41dc50632bdcaed710f03d4d7.zip