From 91130ca7c386ecba291694ff08e521438d352e78 Mon Sep 17 00:00:00 2001 From: Brandon Stepler Date: Wed, 10 Feb 2021 21:30:00 -0500 Subject: conntrack: T3290: remove references to removed GRE plugins --- src/migration-scripts/conntrack/1-to-2 | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100755 src/migration-scripts/conntrack/1-to-2 (limited to 'src/migration-scripts') diff --git a/src/migration-scripts/conntrack/1-to-2 b/src/migration-scripts/conntrack/1-to-2 new file mode 100755 index 000000000..4fc88a1ed --- /dev/null +++ b/src/migration-scripts/conntrack/1-to-2 @@ -0,0 +1,32 @@ +#!/usr/bin/env python3 + +# Delete "set system conntrack modules gre" option + +import sys + +from vyos.configtree import ConfigTree + +if (len(sys.argv) < 1): + print("Must specify file name!") + sys.exit(1) + +file_name = sys.argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) + +if not config.exists(['system', 'conntrack', 'modules', 'gre']): + # Nothing to do + sys.exit(0) +else: + # Delete abandoned node + config.delete(['system', 'conntrack', 'modules', 'gre']) + + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) -- cgit v1.2.3 From 8919e40a3c0b84053e422a8445a5fca829e5990f Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Thu, 11 Feb 2021 20:35:31 +0100 Subject: ripng: T3281: move interface specific options to "protocols ripng" --- interface-definitions/include/rip-interface.xml.i | 47 -------- interface-definitions/protocols-rip.xml.in | 51 +++++++++ smoketest/configs/rip-router | 129 ++++++++++++++++++++++ src/migration-scripts/interfaces/18-to-19 | 53 +++++++-- 4 files changed, 221 insertions(+), 59 deletions(-) (limited to 'src/migration-scripts') diff --git a/interface-definitions/include/rip-interface.xml.i b/interface-definitions/include/rip-interface.xml.i index 1d5e6f949..6279c16c8 100644 --- a/interface-definitions/include/rip-interface.xml.i +++ b/interface-definitions/include/rip-interface.xml.i @@ -14,53 +14,6 @@ - - - Authentication - - - - - MD5 key id - - u32:1-255 - OSPF key id - - - - - - - - - Authentication password - - txt - MD5 Key (16 characters or less) - - - ^[^[:space:]]{1,16}$ - - Password must be 16 characters or less - - - - - - - Plain text password - - txt - Plain text password (16 characters or less) - - - ^[^[:space:]]{1,16}$ - - Password must be 16 characters or less - - - - Split horizon parameters diff --git a/interface-definitions/protocols-rip.xml.in b/interface-definitions/protocols-rip.xml.in index 4ced26d8a..263350dc8 100644 --- a/interface-definitions/protocols-rip.xml.in +++ b/interface-definitions/protocols-rip.xml.in @@ -50,6 +50,57 @@ #include + + + + + Authentication + + + + + MD5 key id + + u32:1-255 + OSPF key id + + + + + + + + + Authentication password + + txt + MD5 Key (16 characters or less) + + + ^[^[:space:]]{1,16}$ + + Password must be 16 characters or less + + + + + + + Plain text password + + txt + Plain text password (16 characters or less) + + + ^[^[:space:]]{1,16}$ + + Password must be 16 characters or less + + + + + + Neighbor router diff --git a/smoketest/configs/rip-router b/smoketest/configs/rip-router index 0a3a41103..09cb11a45 100644 --- a/smoketest/configs/rip-router +++ b/smoketest/configs/rip-router @@ -16,6 +16,13 @@ interfaces { } } } + ipv6 { + ripng { + split-horizon { + poison-reverse + } + } + } smp-affinity auto speed auto address 172.18.202.10/24 @@ -35,6 +42,13 @@ interfaces { } } } + ipv6 { + ripng { + split-horizon { + disable + } + } + } } vif-s 200 { ip { @@ -49,6 +63,13 @@ interfaces { } } } + ipv6 { + ripng { + split-horizon { + poison-reverse + } + } + } vif-c 2000 { ip { rip { @@ -68,10 +89,52 @@ interfaces { } } } + ipv6 { + ripng { + split-horizon { + poison-reverse + } + } + } } } } } +policy { + access-list6 198 { + rule 10 { + action permit + source { + any + } + } + } + access-list6 199 { + rule 20 { + action deny + source { + any + } + } + } + prefix-list6 bar-prefix { + rule 200 { + action deny + prefix 2001:db8::/32 + } + } + prefix-list6 foo-prefix { + rule 100 { + action permit + prefix 2001:db8::/32 + } + } + route-map FooBar123 { + rule 10 { + action permit + } + } +} protocols { rip { default-distance 20 @@ -89,6 +152,72 @@ protocols { } } } + ripng { + aggregate-address 2001:db8:1000::/48 + default-information { + originate + } + default-metric 8 + distribute-list { + access-list { + in 198 + out 199 + } + interface eth0 { + access-list { + in 198 + out 199 + } + prefix-list { + in foo-prefix + out bar-prefix + } + } + interface eth1 { + access-list { + in 198 + out 199 + } + prefix-list { + in foo-prefix + out bar-prefix + } + } + interface eth2 { + access-list { + in 198 + out 199 + } + prefix-list { + in foo-prefix + out bar-prefix + } + } + prefix-list { + in foo-prefix + out bar-prefix + } + } + interface eth0 + interface eth1 + interface eth2 + network 2001:db8:1000::/64 + network 2001:db8:1001::/64 + network 2001:db8:2000::/64 + network 2001:db8:2001::/64 + passive-interface default + redistribute { + connected { + metric 8 + route-map FooBar123 + } + static { + metric 8 + route-map FooBar123 + } + } + route 2001:db8:1000::/64 + } } service { ssh { diff --git a/src/migration-scripts/interfaces/18-to-19 b/src/migration-scripts/interfaces/18-to-19 index 31e253098..460032602 100755 --- a/src/migration-scripts/interfaces/18-to-19 +++ b/src/migration-scripts/interfaces/18-to-19 @@ -46,6 +46,20 @@ def migrate_rip(config, path, interface): if len(config.list_nodes(path[:-1])) == 0: config.delete(path[:-1]) +def migrate_ripng(config, path, interface): + path = path + ['ripng'] + if config.exists(path): + new_base = ['protocols', 'ripng', 'interface'] + config.set(new_base) + config.set_tag(new_base) + config.copy(path, new_base + [interface]) + config.delete(path) + + # if "ipv6 ripng" was the only setting, we can clean out the empty + # ip node afterwards + if len(config.list_nodes(path[:-1])) == 0: + config.delete(path[:-1]) + if __name__ == '__main__': if (len(argv) < 1): print("Must specify file name!") @@ -62,33 +76,48 @@ if __name__ == '__main__': # for type in config.list_nodes(['interfaces']): for interface in config.list_nodes(['interfaces', type]): - if_base = ['interfaces', type, interface, 'ip'] - migrate_rip(config, if_base, interface) - migrate_ospf(config, if_base, interface) + ip_base = ['interfaces', type, interface, 'ip'] + ipv6_base = ['interfaces', type, interface, 'ipv6'] + migrate_rip(config, ip_base, interface) + migrate_ripng(config, ipv6_base, interface) + migrate_ospf(config, ip_base, interface) vif_path = ['interfaces', type, interface, 'vif'] if config.exists(vif_path): for vif in config.list_nodes(vif_path): - vif_if_base = vif_path + [vif, 'ip'] - migrate_rip(config, vif_if_base, f'{interface}.{vif}') - migrate_ospf(config, vif_if_base, f'{interface}.{vif}') + vif_ip_base = vif_path + [vif, 'ip'] + vif_ipv6_base = vif_path + [vif, 'ipv6'] + ifname = f'{interface}.{vif}' + + migrate_rip(config, vif_ip_base, ifname) + migrate_ripng(config, vif_ipv6_base, ifname) + migrate_ospf(config, vif_ip_base, ifname) + vif_s_path = ['interfaces', type, interface, 'vif-s'] if config.exists(vif_s_path): for vif_s in config.list_nodes(vif_s_path): - vif_s_if_base = vif_s_path + [vif_s, 'ip'] + vif_s_ip_base = vif_s_path + [vif_s, 'ip'] + vif_s_ipv6_base = vif_s_path + [vif_s, 'ipv6'] # vif-c interfaces MUST be migrated before their parent vif-s # interface as the migrate_*() functions delete the path! vif_c_path = ['interfaces', type, interface, 'vif-s', vif_s, 'vif-c'] if config.exists(vif_c_path): for vif_c in config.list_nodes(vif_c_path): - vif_c_if_base = vif_c_path + [vif_c, 'ip'] - migrate_rip(config, vif_c_if_base, f'{interface}.{vif_s}.{vif_c}') - migrate_ospf(config, vif_c_if_base, f'{interface}.{vif_s}.{vif_c}') + vif_c_ip_base = vif_c_path + [vif_c, 'ip'] + vif_c_ipv6_base = vif_c_path + [vif_c, 'ipv6'] + ifname = f'{interface}.{vif_s}.{vif_c}' + + migrate_rip(config, vif_c_ip_base, ifname) + migrate_ripng(config, vif_c_ipv6_base, ifname) + migrate_ospf(config, vif_c_ip_base, ifname) + - migrate_rip(config, vif_s_if_base, f'{interface}.{vif_s}') - migrate_ospf(config, vif_s_if_base, f'{interface}.{vif_s}') + ifname = f'{interface}.{vif_s}' + migrate_rip(config, vif_s_ip_base, ifname) + migrate_ripng(config, vif_s_ipv6_base, ifname) + migrate_ospf(config, vif_s_ip_base, ifname) try: with open(file_name, 'w') as f: -- cgit v1.2.3 From 8a39f15242ef0596a7d93001f7d413702f1ad7f5 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Thu, 11 Feb 2021 20:36:08 +0100 Subject: ospfv3: T3267: move interface specific options to "protocols ospfv3" --- Makefile | 9 ---- .../include/ospf-interface-common.xml.i | 39 ++++++++++++++ interface-definitions/protocols-ospf.xml.in | 38 +------------- interface-definitions/protocols-ospfv3.xml.in | 60 ++++++++++++++++++++-- smoketest/configs/ospf-small | 22 ++++++++ src/migration-scripts/interfaces/18-to-19 | 18 +++++++ 6 files changed, 137 insertions(+), 49 deletions(-) create mode 100644 interface-definitions/include/ospf-interface-common.xml.i (limited to 'src/migration-scripts') diff --git a/Makefile b/Makefile index abe4524d1..2adf385f9 100644 --- a/Makefile +++ b/Makefile @@ -46,15 +46,6 @@ interface_definitions: $(config_xml_obj) rm -f $(TMPL_DIR)/vpn/ipsec/node.def rm -rf $(TMPL_DIR)/vpn/nipsec - # XXX: required until OSPF and RIP is migrated from vyatta-cfg-quagga to vyos-1x - mkdir $(TMPL_DIR)/interfaces/loopback/node.tag/ipv6 - mkdir $(TMPL_DIR)/interfaces/dummy/node.tag/ipv6 - mkdir -p $(TMPL_DIR)/interfaces/vti/node.tag/ipv6 - cp $(TMPL_DIR)/interfaces/ethernet/node.tag/ipv6/node.def $(TMPL_DIR)/interfaces/loopback/node.tag/ipv6 - cp $(TMPL_DIR)/interfaces/ethernet/node.tag/ipv6/node.def $(TMPL_DIR)/interfaces/dummy/node.tag/ipv6 - - cp $(TMPL_DIR)/interfaces/ethernet/node.tag/ipv6/node.def $(TMPL_DIR)/interfaces/vti/node.tag/ipv6 - .PHONY: op_mode_definitions .ONESHELL: op_mode_definitions: $(op_xml_obj) diff --git a/interface-definitions/include/ospf-interface-common.xml.i b/interface-definitions/include/ospf-interface-common.xml.i new file mode 100644 index 000000000..c3493faa3 --- /dev/null +++ b/interface-definitions/include/ospf-interface-common.xml.i @@ -0,0 +1,39 @@ + + + + Enable Bidirectional Forwarding Detection (BFD) support + + + + + + Interface cost + + u32:1-65535 + OSPF interface cost + + + + + + + + + Disable Maximum Transmission Unit (MTU) mismatch detection + + + + + + Router priority (default: 1) + + u32:0-255 + OSPF router priority cost + + + + + + 1 + + diff --git a/interface-definitions/protocols-ospf.xml.in b/interface-definitions/protocols-ospf.xml.in index a616c0e60..d0cfa14b1 100644 --- a/interface-definitions/protocols-ospf.xml.in +++ b/interface-definitions/protocols-ospf.xml.in @@ -415,6 +415,7 @@ #include #include + #include Bandwidth of interface (Megabit/sec) @@ -427,24 +428,6 @@ - - - Enable Bidirectional Forwarding Detection (BFD) support - - - - - - Interface cost - - u32:1-65535 - OSPF interface cost - - - - - - Hello multiplier factor @@ -457,12 +440,6 @@ - - - Disable Maximum Transmission Unit (MTU) mismatch detection - - - Network type @@ -491,19 +468,6 @@ Must be broadcast, non-broadcast, point-to-multipoint or point-to-point - - - Router priority (default: 1) - - u32:0-255 - OSPF router priority cost - - - - - - 1 - diff --git a/interface-definitions/protocols-ospfv3.xml.in b/interface-definitions/protocols-ospfv3.xml.in index bd6a55b45..e28faa3cf 100644 --- a/interface-definitions/protocols-ospfv3.xml.in +++ b/interface-definitions/protocols-ospfv3.xml.in @@ -41,7 +41,7 @@ - + Enable routing on an IPv6 interface @@ -54,9 +54,63 @@ - - + + #include + #include + + + Interface MTU + + u32:1-65535 + Interface MTU + + + + + + + + + Instance Id (default: 0) + + u32:0-255 + Instance Id + + + + + + 0 + + + + Network type + + broadcast point-to-point + + + broadcast + Broadcast network type + + + point-to-point + Point-to-point network type + + + ^(broadcast|point-to-point)$ + + Must be broadcast or point-to-point + + + + + Disable forming of adjacency + + + + + Specify IPv6 prefix (border routers only) diff --git a/smoketest/configs/ospf-small b/smoketest/configs/ospf-small index fe313e4b0..d95ba4ea4 100644 --- a/smoketest/configs/ospf-small +++ b/smoketest/configs/ospf-small @@ -24,12 +24,27 @@ interfaces { transmit-delay 1 } } + ipv6 { + ospfv3 { + bfd + cost 40 + } + } } } ethernet eth1 { duplex auto smp-affinity auto speed auto + ipv6 { + ospfv3 { + bfd + cost 60 + mtu-ignore + network broadcast + priority 20 + } + } } } protocols { @@ -47,6 +62,13 @@ protocols { passive-interface default passive-interface-exclude eth0.201 } + ospfv3 { + area 0.0.0.0 { + interface eth0 + interface eth1 + interface eth2 + } + } static { route 0.0.0.0/0 { next-hop 172.18.201.254 { diff --git a/src/migration-scripts/interfaces/18-to-19 b/src/migration-scripts/interfaces/18-to-19 index 460032602..06e07572f 100755 --- a/src/migration-scripts/interfaces/18-to-19 +++ b/src/migration-scripts/interfaces/18-to-19 @@ -32,6 +32,20 @@ def migrate_ospf(config, path, interface): if len(config.list_nodes(path[:-1])) == 0: config.delete(path[:-1]) +def migrate_ospfv3(config, path, interface): + path = path + ['ospfv3'] + if config.exists(path): + new_base = ['protocols', 'ospfv3', 'interface'] + config.set(new_base) + config.set_tag(new_base) + config.copy(path, new_base + [interface]) + config.delete(path) + + # if "ipv6 ospfv3" was the only setting, we can clean out the empty + # ip node afterwards + if len(config.list_nodes(path[:-1])) == 0: + config.delete(path[:-1]) + def migrate_rip(config, path, interface): path = path + ['rip'] if config.exists(path): @@ -81,6 +95,7 @@ if __name__ == '__main__': migrate_rip(config, ip_base, interface) migrate_ripng(config, ipv6_base, interface) migrate_ospf(config, ip_base, interface) + migrate_ospfv3(config, ipv6_base, interface) vif_path = ['interfaces', type, interface, 'vif'] if config.exists(vif_path): @@ -92,6 +107,7 @@ if __name__ == '__main__': migrate_rip(config, vif_ip_base, ifname) migrate_ripng(config, vif_ipv6_base, ifname) migrate_ospf(config, vif_ip_base, ifname) + migrate_ospfv3(config, vif_ipv6_base, ifname) vif_s_path = ['interfaces', type, interface, 'vif-s'] @@ -112,12 +128,14 @@ if __name__ == '__main__': migrate_rip(config, vif_c_ip_base, ifname) migrate_ripng(config, vif_c_ipv6_base, ifname) migrate_ospf(config, vif_c_ip_base, ifname) + migrate_ospfv3(config, vif_c_ipv6_base, ifname) ifname = f'{interface}.{vif_s}' migrate_rip(config, vif_s_ip_base, ifname) migrate_ripng(config, vif_s_ipv6_base, ifname) migrate_ospf(config, vif_s_ip_base, ifname) + migrate_ospfv3(config, vif_s_ipv6_base, ifname) try: with open(file_name, 'w') as f: -- cgit v1.2.3 From 5868cbeba1bd9a4c3daaad7aa81af5c45e00cd16 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Sun, 14 Feb 2021 12:46:49 +0100 Subject: bgp: T2844: add IPv4 disable-send-community support --- data/templates/frr/bgp.frr.tmpl | 6 ++++++ interface-definitions/protocols-bgp.xml.in | 19 ------------------- smoketest/configs/bgp-small-as | 4 ++++ smoketest/scripts/cli/test_protocols_bgp.py | 18 +++++++++++++++++- src/migration-scripts/quagga/6-to-7 | 8 ++++++++ 5 files changed, 35 insertions(+), 20 deletions(-) (limited to 'src/migration-scripts') diff --git a/data/templates/frr/bgp.frr.tmpl b/data/templates/frr/bgp.frr.tmpl index 62c675291..ab0f94c33 100644 --- a/data/templates/frr/bgp.frr.tmpl +++ b/data/templates/frr/bgp.frr.tmpl @@ -154,6 +154,12 @@ {% endif %} {% if afi_config.unsuppress_map is defined and afi_config.unsuppress_map is not none %} neighbor {{ neighbor }} unsuppress-map {{ afi_config.unsuppress_map }} +{% endif %} +{% if afi_config.disable_send_community is defined and afi_config.disable_send_community.extended is defined %} + no neighbor {{ neighbor }} send-community extended +{% endif %} +{% if afi_config.disable_send_community is defined and afi_config.disable_send_community.standard is defined %} + no neighbor {{ neighbor }} send-community standard {% endif %} neighbor {{ neighbor }} activate exit-address-family diff --git a/interface-definitions/protocols-bgp.xml.in b/interface-definitions/protocols-bgp.xml.in index d7bc86aff..01463ed57 100644 --- a/interface-definitions/protocols-bgp.xml.in +++ b/interface-definitions/protocols-bgp.xml.in @@ -468,25 +468,6 @@ #include #include #include - - - Disable sending community attributes to this neighbor (IPv4) - - - - - Disable sending extended community attributes to this neighbor (IPv4) - - - - - - Disable sending standard community attributes to this neighbor (IPv4) - - - - - #include diff --git a/smoketest/configs/bgp-small-as b/smoketest/configs/bgp-small-as index 61286c324..6b953a3f6 100644 --- a/smoketest/configs/bgp-small-as +++ b/smoketest/configs/bgp-small-as @@ -345,6 +345,10 @@ protocols { } } neighbor 10.0.151.222 { + disable-send-community { + extended + standard + } address-family { ipv4-unicast { default-originate { diff --git a/smoketest/scripts/cli/test_protocols_bgp.py b/smoketest/scripts/cli/test_protocols_bgp.py index 4c4abc600..833ca8311 100755 --- a/smoketest/scripts/cli/test_protocols_bgp.py +++ b/smoketest/scripts/cli/test_protocols_bgp.py @@ -48,6 +48,7 @@ neighbor_config = { 'local_as' : '300', 'route_map_in' : route_map_in, 'route_map_out': route_map_out, + 'no_send_comm_ext' : '', }, '192.0.2.2' : { 'remote_as' : '200', @@ -57,6 +58,7 @@ neighbor_config = { 'cap_strict' : '', 'pfx_list_in' : prefix_list_in, 'pfx_list_out' : prefix_list_out, + 'no_send_comm_std' : '', }, '192.0.2.3' : { 'description' : 'foo bar baz', @@ -78,6 +80,7 @@ neighbor_config = { 'local_as' : '300', 'route_map_in' : route_map_in, 'route_map_out': route_map_out, + 'no_send_comm_std' : '', }, '2001:db8::2' : { 'remote_as' : '456', @@ -87,6 +90,7 @@ neighbor_config = { 'cap_strict' : '', 'pfx_list_in' : prefix_list_in6, 'pfx_list_out' : prefix_list_out6, + 'no_send_comm_ext' : '', }, } @@ -108,6 +112,7 @@ peer_group_config = { 'local_as' : '300', 'pfx_list_in' : prefix_list_in, 'pfx_list_out' : prefix_list_out, + 'no_send_comm_ext' : '', }, 'baz' : { 'cap_dynamic' : '', @@ -194,7 +199,10 @@ class TestProtocolsBGP(unittest.TestCase): self.assertIn(f' neighbor {peer} prefix-list {peer_config["pfx_list_in"]} in', frrconfig) if 'pfx_list_out' in peer_config: self.assertIn(f' neighbor {peer} prefix-list {peer_config["pfx_list_out"]} out', frrconfig) - + if 'no_send_comm_std' in peer_config: + self.assertIn(f' no neighbor {peer} send-community', frrconfig) + if 'no_send_comm_ext' in peer_config: + self.assertIn(f' no neighbor {peer} send-community extended', frrconfig) def test_bgp_01_simple(self): router_id = '127.0.0.1' @@ -272,6 +280,10 @@ class TestProtocolsBGP(unittest.TestCase): self.session.set(base_path + ['neighbor', peer, 'address-family', afi, 'prefix-list', 'import', peer_config["pfx_list_in"]]) if 'pfx_list_out' in peer_config: self.session.set(base_path + ['neighbor', peer, 'address-family', afi, 'prefix-list', 'export', peer_config["pfx_list_out"]]) + if 'no_send_comm_std' in peer_config: + self.session.set(base_path + ['neighbor', peer, 'address-family', afi, 'disable-send-community', 'standard']) + if 'no_send_comm_ext' in peer_config: + self.session.set(base_path + ['neighbor', peer, 'address-family', afi, 'disable-send-community', 'extended']) # commit changes self.session.commit() @@ -327,6 +339,10 @@ class TestProtocolsBGP(unittest.TestCase): self.session.set(base_path + ['peer-group', peer_group, 'address-family', 'ipv4-unicast', 'prefix-list', 'import', config["pfx_list_in"]]) if 'pfx_list_out' in config: self.session.set(base_path + ['peer-group', peer_group, 'address-family', 'ipv4-unicast', 'prefix-list', 'export', config["pfx_list_out"]]) + if 'no_send_comm_std' in config: + self.session.set(base_path + ['peer-group', peer_group, 'address-family', 'ipv4-unicast', 'disable-send-community', 'standard']) + if 'no_send_comm_ext' in config: + self.session.set(base_path + ['peer-group', peer_group, 'address-family', 'ipv4-unicast', 'disable-send-community', 'extended']) # commit changes self.session.commit() diff --git a/src/migration-scripts/quagga/6-to-7 b/src/migration-scripts/quagga/6-to-7 index 3a229b5df..f7aca0d2b 100755 --- a/src/migration-scripts/quagga/6-to-7 +++ b/src/migration-scripts/quagga/6-to-7 @@ -46,6 +46,14 @@ if asn_list: if not config.exists(bgp_base + [neighbor_type]): continue for neighbor in config.list_nodes(bgp_base + [neighbor_type]): + # T2844 - add IPv4 AFI disable-send-community support + send_comm_path = bgp_base + [neighbor_type, neighbor, 'disable-send-community'] + if config.exists(send_comm_path): + new_base = bgp_base + [neighbor_type, neighbor, 'address-family', 'ipv4-unicast'] + config.set(new_base) + config.copy(send_comm_path, new_base + ['disable-send-community']) + config.delete(send_comm_path) + cap_dynamic = False for afi in ['ipv4-unicast', 'ipv6-unicast']: afi_path = bgp_base + [neighbor_type, neighbor, 'address-family', afi, 'capability', 'dynamic'] -- cgit v1.2.3 From dd291b2312f0fca49ae8ad6876e280bc46f45d2e Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Mon, 15 Feb 2021 17:23:33 +0100 Subject: bgp: T3311: remove remote-as from address-family When moving from Quagga to FRR the BGP address-family was extended by an invalid peer-group statement. FRR always moved a configured peer-group from the AFI level down to the neighbor level. With the migration to FRR reload we must take care about this by ourselves. --- .../include/bgp-afi-peer-group.xml.i | 7 - .../include/bgp-neighbor-afi-ipv4-unicast.xml.i | 1 - .../include/bgp-neighbor-afi-ipv6-unicast.xml.i | 1 - interface-definitions/include/bgp-shutdown.xml.i | 2 +- smoketest/configs/bgp-bfd-communities | 533 +++++++++++++++++++++ src/conf_mode/protocols_bgp.py | 33 +- src/migration-scripts/quagga/6-to-7 | 64 ++- 7 files changed, 606 insertions(+), 35 deletions(-) delete mode 100644 interface-definitions/include/bgp-afi-peer-group.xml.i create mode 100644 smoketest/configs/bgp-bfd-communities (limited to 'src/migration-scripts') diff --git a/interface-definitions/include/bgp-afi-peer-group.xml.i b/interface-definitions/include/bgp-afi-peer-group.xml.i deleted file mode 100644 index c98a91030..000000000 --- a/interface-definitions/include/bgp-afi-peer-group.xml.i +++ /dev/null @@ -1,7 +0,0 @@ - - - - Peer group used for this neighbor - - - diff --git a/interface-definitions/include/bgp-neighbor-afi-ipv4-unicast.xml.i b/interface-definitions/include/bgp-neighbor-afi-ipv4-unicast.xml.i index 8f6cf06b1..ece277fbf 100644 --- a/interface-definitions/include/bgp-neighbor-afi-ipv4-unicast.xml.i +++ b/interface-definitions/include/bgp-neighbor-afi-ipv4-unicast.xml.i @@ -12,7 +12,6 @@ #include - #include #include #include diff --git a/interface-definitions/include/bgp-neighbor-afi-ipv6-unicast.xml.i b/interface-definitions/include/bgp-neighbor-afi-ipv6-unicast.xml.i index aea10c20c..e43c34113 100644 --- a/interface-definitions/include/bgp-neighbor-afi-ipv6-unicast.xml.i +++ b/interface-definitions/include/bgp-neighbor-afi-ipv6-unicast.xml.i @@ -12,7 +12,6 @@ #include - #include #include #include #include diff --git a/interface-definitions/include/bgp-shutdown.xml.i b/interface-definitions/include/bgp-shutdown.xml.i index 330120bba..fefbfcebb 100644 --- a/interface-definitions/include/bgp-shutdown.xml.i +++ b/interface-definitions/include/bgp-shutdown.xml.i @@ -1,7 +1,7 @@ - Administratively shut down peer-group + Administratively shut down this neighbor diff --git a/smoketest/configs/bgp-bfd-communities b/smoketest/configs/bgp-bfd-communities new file mode 100644 index 000000000..3b3056a51 --- /dev/null +++ b/smoketest/configs/bgp-bfd-communities @@ -0,0 +1,533 @@ +interfaces { + ethernet eth0 { + address 192.0.2.100/25 + address 2001:db8::ffff/64 + } + loopback lo { + } +} +policy { + large-community-list ANYCAST_ALL { + rule 10 { + action permit + description "Allow all anycast from anywhere" + regex "4242420696:100:.*" + } + } + large-community-list ANYCAST_INT { + rule 10 { + action permit + description "Allow all anycast from int" + regex 4242420696:100:1 + } + } + prefix-list BGP-BACKBONE-IN { + description "Inbound backbone routes from other sites" + rule 10 { + action deny + description "Block default route" + prefix 0.0.0.0/0 + } + rule 20 { + action deny + description "Block int primary" + ge 21 + prefix 192.168.0.0/20 + } + rule 30 { + action deny + description "Block loopbacks" + ge 25 + prefix 192.168.253.0/24 + } + rule 40 { + action deny + description "Block backbone peering" + ge 25 + prefix 192.168.254.0/24 + } + rule 999 { + action permit + description "Allow everything else" + ge 1 + prefix 0.0.0.0/0 + } + } + prefix-list BGP-BACKBONE-OUT { + description "Outbound backbone routes to other sites" + rule 10 { + action permit + description "Int primary" + ge 23 + prefix 192.168.0.0/20 + } + } + prefix-list GLOBAL { + description "Globally redistributed routes" + rule 10 { + action permit + prefix 192.168.100.1/32 + } + rule 20 { + action permit + prefix 192.168.7.128/25 + } + } + prefix-list6 BGP-BACKBONE-IN-V6 { + description "Inbound backbone routes from other sites" + rule 10 { + action deny + description "Block default route" + prefix ::/0 + } + rule 20 { + action deny + description "Block int primary" + ge 53 + prefix fd52:d62e:8011::/52 + } + rule 30 { + action deny + description "Block peering and stuff" + ge 53 + prefix fd52:d62e:8011:f000::/52 + } + rule 999 { + action permit + description "Allow everything else" + ge 1 + prefix ::/0 + } + } + prefix-list6 BGP-BACKBONE-OUT-V6 { + description "Outbound backbone routes to other sites" + rule 10 { + action permit + ge 64 + prefix fd52:d62e:8011::/52 + } + } + prefix-list6 GLOBAL-V6 { + description "Globally redistributed routes" + rule 10 { + action permit + ge 64 + prefix fd52:d62e:8011:2::/63 + } + } + route-map BGP-REDISTRIBUTE { + rule 10 { + action permit + description "Prepend AS and allow VPN and modem" + match { + ip { + address { + prefix-list GLOBAL + } + } + } + set { + as-path-prepend 4242420666 + } + } + rule 20 { + action permit + description "Allow VPN" + match { + ipv6 { + address { + prefix-list GLOBAL-V6 + } + } + } + } + } + route-map BGP-BACKBONE-IN { + rule 10 { + action permit + match { + ip { + address { + prefix-list BGP-BACKBONE-IN + } + } + } + } + rule 20 { + action permit + match { + ipv6 { + address { + prefix-list BGP-BACKBONE-IN-V6 + } + } + } + } + rule 30 { + action permit + match { + large-community { + large-community-list ANYCAST_ALL + } + } + } + } + route-map BGP-BACKBONE-OUT { + rule 10 { + action permit + match { + ip { + address { + prefix-list BGP-BACKBONE-OUT + } + } + } + } + rule 20 { + action permit + match { + ipv6 { + address { + prefix-list BGP-BACKBONE-OUT-V6 + } + } + } + } + rule 30 { + action permit + match { + large-community { + large-community-list ANYCAST_INT + } + } + set { + as-path-prepend 4242420666 + } + } + } +} +protocols { + bfd { + peer 192.168.253.1 { + interval { + receive 50 + transmit 50 + } + multihop + source { + address 192.168.253.3 + } + } + peer 192.168.253.2 { + interval { + receive 50 + transmit 50 + } + multihop + source { + address 192.168.253.3 + } + } + peer 192.168.253.6 { + interval { + receive 50 + transmit 50 + } + multihop + source { + address 192.168.253.3 + } + } + peer 192.168.253.7 { + interval { + receive 50 + transmit 50 + } + multihop + source { + address 192.168.253.3 + } + } + peer 192.168.253.12 { + interval { + receive 100 + transmit 100 + } + multihop + source { + address 192.168.253.3 + } + } + peer fd52:d62e:8011:fffe:192:168:253:1 { + interval { + receive 50 + transmit 50 + } + multihop + source { + address fd52:d62e:8011:fffe:192:168:253:3 + } + } + peer fd52:d62e:8011:fffe:192:168:253:2 { + interval { + receive 50 + transmit 50 + } + multihop + source { + address fd52:d62e:8011:fffe:192:168:253:3 + } + } + peer fd52:d62e:8011:fffe:192:168:253:6 { + interval { + receive 50 + transmit 50 + } + multihop + source { + address fd52:d62e:8011:fffe:192:168:253:3 + } + } + peer fd52:d62e:8011:fffe:192:168:253:7 { + interval { + receive 50 + transmit 50 + } + multihop + source { + address fd52:d62e:8011:fffe:192:168:253:3 + } + } + peer fd52:d62e:8011:fffe:192:168:253:12 { + interval { + receive 100 + transmit 100 + } + multihop + source { + address fd52:d62e:8011:fffe:192:168:253:3 + } + } + } + bgp 4242420666 { + address-family { + ipv4-unicast { + redistribute { + connected { + route-map BGP-REDISTRIBUTE + } + static { + route-map BGP-REDISTRIBUTE + } + } + } + ipv6-unicast { + redistribute { + connected { + route-map BGP-REDISTRIBUTE + } + } + } + } + neighbor 192.168.253.1 { + peer-group INT + } + neighbor 192.168.253.2 { + peer-group INT + } + neighbor 192.168.253.6 { + peer-group DAL13 + } + neighbor 192.168.253.7 { + peer-group DAL13 + } + neighbor 192.168.253.12 { + address-family { + ipv4-unicast { + route-map { + export BGP-BACKBONE-OUT + import BGP-BACKBONE-IN + } + soft-reconfiguration { + inbound + } + } + } + bfd { + } + ebgp-multihop 2 + remote-as 4242420669 + update-source dum0 + } + neighbor fd52:d62e:8011:fffe:192:168:253:1 { + address-family { + ipv6-unicast { + peer-group INTv6 + } + } + } + neighbor fd52:d62e:8011:fffe:192:168:253:2 { + address-family { + ipv6-unicast { + peer-group INTv6 + } + } + } + neighbor fd52:d62e:8011:fffe:192:168:253:6 { + address-family { + ipv6-unicast { + peer-group DAL13v6 + } + } + } + neighbor fd52:d62e:8011:fffe:192:168:253:7 { + address-family { + ipv6-unicast { + peer-group DAL13v6 + } + } + } + neighbor fd52:d62e:8011:fffe:192:168:253:12 { + address-family { + ipv6-unicast { + route-map { + export BGP-BACKBONE-OUT + import BGP-BACKBONE-IN + } + soft-reconfiguration { + inbound + } + } + } + bfd { + } + ebgp-multihop 2 + remote-as 4242420669 + update-source dum0 + } + parameters { + confederation { + identifier 4242420696 + peers 4242420668 + peers 4242420669 + } + default { + no-ipv4-unicast + } + distance { + global { + external 220 + internal 220 + local 220 + } + } + graceful-restart { + } + } + peer-group DAL13 { + address-family { + ipv4-unicast { + route-map { + export BGP-BACKBONE-OUT + import BGP-BACKBONE-IN + } + soft-reconfiguration { + inbound + } + } + } + bfd + ebgp-multihop 2 + remote-as 4242420668 + update-source dum0 + } + peer-group DAL13v6 { + address-family { + ipv6-unicast { + route-map { + export BGP-BACKBONE-OUT + import BGP-BACKBONE-IN + } + soft-reconfiguration { + inbound + } + } + } + bfd + ebgp-multihop 2 + remote-as 4242420668 + update-source dum0 + } + peer-group INT { + address-family { + ipv4-unicast { + default-originate { + } + soft-reconfiguration { + inbound + } + } + } + bfd + remote-as 4242420666 + update-source dum0 + } + peer-group INTv6 { + address-family { + ipv6-unicast { + default-originate { + } + soft-reconfiguration { + inbound + } + } + } + bfd + remote-as 4242420666 + update-source dum0 + } + } +} +system { + config-management { + commit-revisions 200 + } + console { + device ttyS0 { + speed 115200 + } + } + host-name vyos + login { + user vyos { + authentication { + encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/ + plaintext-password "" + } + level admin + } + } + ntp { + server 0.pool.ntp.org { + } + server 1.pool.ntp.org { + } + server 2.pool.ntp.org { + } + } + syslog { + global { + facility all { + level info + } + facility protocols { + level debug + } + } + } + time-zone Europe/Berlin +} + +/* Warning: Do not remove the following line. */ +/* === vyatta-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack-sync@1:conntrack@1:dhcp-relay@2:dhcp-server@5:dns-forwarding@1:firewall@5:ipsec@5:l2tp@1:mdns@1:nat@4:ntp@1:pptp@1:qos@1:quagga@6:snmp@1:ssh@1:system@10:vrrp@2:wanloadbalance@3:webgui@1:webproxy@1:webproxy@2:zone-policy@1" === */ +/* Release version: 1.2.6-S1 */ diff --git a/src/conf_mode/protocols_bgp.py b/src/conf_mode/protocols_bgp.py index 54352460c..b5bb018ae 100755 --- a/src/conf_mode/protocols_bgp.py +++ b/src/conf_mode/protocols_bgp.py @@ -54,6 +54,26 @@ def get_config(config=None): return bgp +def verify_remote_as(peer_config, asn_config): + if 'remote_as' in peer_config: + return peer_config['remote_as'] + + if 'peer_group' in peer_config: + peer_group_name = peer_config['peer_group'] + tmp = dict_search(f'peer_group.{peer_group_name}.remote_as', asn_config) + if tmp: return tmp + + if 'interface' in peer_config: + if 'remote_as' in peer_config['interface']: + return peer_config['interface']['remote_as'] + + if 'peer_group' in peer_config['interface']: + peer_group_name = peer_config['interface']['peer_group'] + tmp = dict_search(f'peer_group.{peer_group_name}.remote_as', asn_config) + if tmp: return tmp + + return None + def verify(bgp): if not bgp: return None @@ -79,18 +99,13 @@ def verify(bgp): raise ConfigError(f'Specified peer-group "{peer_group}" for '\ f'neighbor "{neighbor}" does not exist!') - # Some checks can/must only be done on a neighbor and nor a peer-group + + # Some checks can/must only be done on a neighbor and not a peer-group if neighbor == 'neighbor': # remote-as must be either set explicitly for the neighbor # or for the entire peer-group - if 'interface' in peer_config: - if 'remote_as' not in peer_config['interface']: - if 'peer_group' not in peer_config['interface'] or 'remote_as' not in asn_config['peer_group'][ peer_config['interface']['peer_group'] ]: - raise ConfigError('Remote AS must be set for neighbor or peer-group!') - - elif 'remote_as' not in peer_config: - if 'peer_group' not in peer_config or 'remote_as' not in asn_config['peer_group'][ peer_config['peer_group'] ]: - raise ConfigError('Remote AS must be set for neighbor or peer-group!') + if not verify_remote_as(peer_config, asn_config): + raise ConfigError(f'Neighbor "{peer}" remote-as must be set!') for afi in ['ipv4_unicast', 'ipv6_unicast', 'l2vpn_evpn']: # Bail out early if address family is not configured diff --git a/src/migration-scripts/quagga/6-to-7 b/src/migration-scripts/quagga/6-to-7 index f7aca0d2b..25cf5eebd 100755 --- a/src/migration-scripts/quagga/6-to-7 +++ b/src/migration-scripts/quagga/6-to-7 @@ -17,14 +17,17 @@ # - T3037, BGP address-family ipv6-unicast capability dynamic does not exist in # FRR, there is only a base, per neighbor dynamic capability, migrate config -import sys +from sys import argv +from sys import exit from vyos.configtree import ConfigTree +from vyos.template import is_ipv4 +from vyos.template import is_ipv6 -if (len(sys.argv) < 2): +if (len(argv) < 2): print("Must specify file name!") - sys.exit(1) + exit(1) -file_name = sys.argv[1] +file_name = argv[1] with open(file_name, 'r') as f: config_file = f.read() @@ -34,7 +37,7 @@ config = ConfigTree(config_file) if not config.exists(base): # Nothing to do - sys.exit(0) + exit(0) # Check if BGP is actually configured and obtain the ASN asn_list = config.list_nodes(base) @@ -55,30 +58,59 @@ if asn_list: config.delete(send_comm_path) cap_dynamic = False + peer_group = None for afi in ['ipv4-unicast', 'ipv6-unicast']: - afi_path = bgp_base + [neighbor_type, neighbor, 'address-family', afi, 'capability', 'dynamic'] - if config.exists(afi_path): + afi_path = bgp_base + [neighbor_type, neighbor, 'address-family', afi] + # Exit loop early if AFI does not exist + if not config.exists(afi_path): + continue + + cap_path = afi_path + ['capability', 'dynamic'] + if config.exists(cap_path): cap_dynamic = True - config.delete(afi_path) + config.delete(cap_path) + + # We have now successfully migrated the address-family + # specific dynamic capability to the neighbor/peer-group + # level. If this has been the only option under the + # address-family nodes, we can clean them up by checking if + # no other nodes are left under that tree and if so, delete + # the parent. + # + # We walk from the most inner node to the most outer one. + cleanup = -1 + while len(config.list_nodes(cap_path[:cleanup])) == 0: + config.delete(cap_path[:cleanup]) + cleanup -= 1 + + peer_group_path = afi_path + ['peer-group'] + if config.exists(peer_group_path): + if ((is_ipv4(neighbor) and afi == 'ipv4-unicast') or + (is_ipv6(neighbor) and afi == 'ipv6-unicast')): + peer_group = config.return_value(peer_group_path) + + config.delete(peer_group_path) - # We have now successfully migrated the address-family specific - # dynamic capability to the neighbor/peer-group level. If this - # has been the only option under the address-family nodes, we - # can clean them up by checking if no other nodes are left under - # that tree and if so, delete the parent. + # We have now successfully migrated the address-family + # specific peer-group to the neighbor level. If this has + # been the only option under the address-family nodes, we + # can clean them up by checking if no other nodes are left + # under that tree and if so, delete the parent. # # We walk from the most inner node to the most outer one. cleanup = -1 - while len(config.list_nodes(afi_path[:cleanup])) == 0: - config.delete(afi_path[:cleanup]) + while len(config.list_nodes(peer_group_path[:cleanup])) == 0: + config.delete(peer_group_path[:cleanup]) cleanup -= 1 if cap_dynamic: config.set(bgp_base + [neighbor_type, neighbor, 'capability', 'dynamic']) + if peer_group: + config.set(bgp_base + [neighbor_type, neighbor, 'peer-group'], value=peer_group) try: with open(file_name, 'w') as f: f.write(config.to_string()) except OSError as e: print("Failed to save the modified config: {}".format(e)) - sys.exit(1) + exit(1) -- cgit v1.2.3