Add a capability enforcement integration test.
authorclaudio <claudio@openbsd.org>
Tue, 9 Apr 2024 09:35:57 +0000 (09:35 +0000)
committerclaudio <claudio@openbsd.org>
Tue, 9 Apr 2024 09:35:57 +0000 (09:35 +0000)
This should ensure that no / yes and enforce work the way we want.

regress/usr.sbin/bgpd/integrationtests/Makefile
regress/usr.sbin/bgpd/integrationtests/bgpd.capa.client.conf [new file with mode: 0644]
regress/usr.sbin/bgpd/integrationtests/bgpd.capa.master.conf [new file with mode: 0644]
regress/usr.sbin/bgpd/integrationtests/capa.sh [new file with mode: 0644]

index 10e36ac..5208dc2 100644 (file)
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.23 2023/10/16 10:26:51 claudio Exp $
+# $OpenBSD: Makefile,v 1.24 2024/04/09 09:35:57 claudio Exp $
 
-REGRESS_TARGETS        =       network_statement md5 ovs policy pftable \
+REGRESS_TARGETS        =       network_statement md5 ovs capa policy pftable \
                        mrt maxprefix maxprefixout maxcomm l3vpn \
                        ixp lladdr \
                        as0 med eval_all attr
@@ -21,6 +21,9 @@ md5:
 ovs:
        ${SUDO} ksh ${.CURDIR}/$@.sh ${BGPD} ${.CURDIR} 11 12 pair11 pair12
 
+capa:
+       ${SUDO} ksh ${.CURDIR}/$@.sh ${BGPD} ${.CURDIR} 11 12 pair11 pair12
+
 policy:
        ${SUDO} ksh ${.CURDIR}/$@.sh ${BGPD} ${.CURDIR} 11 12 pair11 pair12
 
diff --git a/regress/usr.sbin/bgpd/integrationtests/bgpd.capa.client.conf b/regress/usr.sbin/bgpd/integrationtests/bgpd.capa.client.conf
new file mode 100644 (file)
index 0000000..ed8421f
--- /dev/null
@@ -0,0 +1,20 @@
+AS 65001
+
+IP=10.12.57.$NUM
+
+router-id $IP
+listen on $IP
+fib-update no
+
+socket $SOCK
+
+neighbor 10.12.57.254 {
+       remote-as       65000
+       local-address   $IP
+       descr           "MASTER"
+
+       announce $CAPA
+}
+
+allow from any
+allow to any
diff --git a/regress/usr.sbin/bgpd/integrationtests/bgpd.capa.master.conf b/regress/usr.sbin/bgpd/integrationtests/bgpd.capa.master.conf
new file mode 100644 (file)
index 0000000..9d2a14a
--- /dev/null
@@ -0,0 +1,40 @@
+AS 65000
+router-id 10.12.57.254
+listen on 10.12.57.254
+fib-update no
+
+# announce policy tested in own regress test
+
+group TEST {
+       remote-as       65001
+       local-address   10.12.57.254
+
+       neighbor 10.12.57.1 {
+               descr           "PEER1"
+               announce as-4byte enforce
+       }
+       neighbor 10.12.57.2 {
+               descr           "PEER2"
+               announce enhanced refresh enforce
+       }
+       neighbor 10.12.57.3 {
+               descr           "PEER3"
+               announce refresh enforce
+       }
+       neighbor 10.12.57.4 {
+               descr           "PEER4"
+               announce restart enforce
+       }
+       neighbor 10.12.57.5 {
+               descr           "PEER5"
+               announce inet vpn enforce
+       }
+       neighbor 10.12.57.6 {
+               descr           "PEER6"
+               announce add-path recv enforce
+       }
+       neighbor 10.12.57.7 {
+               descr           "PEER7"
+               announce add-path send best plus 3 enforce
+       }
+}
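Review bot: The neighbor blocks carry no comment explaining that their order is coupled to the CAPA array in capa.sh, where client i is started with `CAPA[$(($i - 1))]` and address 10.12.57.$i. PEER6 and PEER7 are deliberately crossed: the master's `add-path recv enforce` is paired with the client's `add-path send`, and the master's `add-path send ... enforce` with the client's `add-path recv`. This reads like a mistake to anyone who reorders one side. A comment above `group TEST {` would make the pairing explicit, for example `# PEERn pairs with CAPA[n-1] in capa.sh; add-path recv here matches the client's add-path send and vice versa`.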
diff --git a/regress/usr.sbin/bgpd/integrationtests/capa.sh b/regress/usr.sbin/bgpd/integrationtests/capa.sh
new file mode 100644 (file)
index 0000000..f861c9b
--- /dev/null
@@ -0,0 +1,140 @@
+#!/bin/ksh
+#      $OpenBSD: capa.sh,v 1.1 2024/04/09 09:35:57 claudio Exp $
+
+set -e
+
+BGPD=$1
+BGPDCONFIGDIR=$2
+RDOMAIN1=$3
+RDOMAIN2=$4
+PAIR1=$5
+PAIR2=$6
+
+RDOMAINS="${RDOMAIN1} ${RDOMAIN2}"
+PAIRS="${PAIR1} ${PAIR2}"
+PAIR1IP=10.12.57.254
+PAIR2IP1=10.12.57.1
+PAIR2IP2=10.12.57.2
+PAIR2IP3=10.12.57.3
+PAIR2IP4=10.12.57.4
+PAIR2IP5=10.12.57.5
+PAIR2IP6=10.12.57.6
+PAIR2IP7=10.12.57.7
+
+error_notify() {
+       echo cleanup
+       pkill -T ${RDOMAIN1} bgpd || true
+       pkill -T ${RDOMAIN2} bgpd || true
+       sleep 1
+       ifconfig ${PAIR2} destroy || true
+       ifconfig ${PAIR1} destroy || true
+       route -qn -T ${RDOMAIN1} flush || true
+       route -qn -T ${RDOMAIN2} flush || true
+       ifconfig lo${RDOMAIN1} destroy || true
+       ifconfig lo${RDOMAIN2} destroy || true
+       if [ $1 -ne 0 ]; then
+               echo FAILED
+               exit 1
+       else
+               echo SUCCESS
+       fi
+}
+
+test_bgpd() {
+
+       local e=$1
+       local p=$2
+
+       case $p in
+       no)
+               local mpopt=none
+               local apopt=no
+               ;;
+       yes)
+               local mpopt=vpn
+               local apopt="best max 3"
+               ;;
+       enforce)
+               local mpopt="vpn enforce"
+               local apopt="best max 3 enforce"
+               ;;
+       esac
+
+       set -A CAPA "as-4byte $p" \
+               "enhanced refresh $p" \
+               "refresh $p" "restart $p" \
+               "inet $mpopt" \
+               "add-path send $apopt" \
+               "add-path recv $p"
+
+       set -x
+
+       route -T ${RDOMAIN1} exec ${BGPD} \
+               -v -f ${BGPDCONFIGDIR}/bgpd.capa.master.conf
+
+       for i in 1 2 3 4 5 6 7; do
+               route -T ${RDOMAIN2} exec ${BGPD} -DNUM=$i \
+                       -DCAPA="${CAPA[$(($i - 1))]}" \
+                       -DSOCK=\"/var/run/bgpd.sock.c$i\" \
+                       -v -f ${BGPDCONFIGDIR}/bgpd.capa.client.conf
+       done
+
+       sleep 1
+       route -T ${RDOMAIN1} exec bgpctl nei group TEST up
+       sleep 1
+
+       for i in 1 2 3 4 5 6 7; do
+               route -T ${RDOMAIN1} exec bgpctl show nei PEER$i | \
+               grep "$e"
+       done
+
+       pkill -T ${RDOMAIN1} bgpd || true
+       pkill -T ${RDOMAIN2} bgpd || true
+
+       sleep 1
+}
+
+if [ "$(id -u)" -ne 0 ]; then 
+       echo need root privileges >&2
+       exit 1
+fi
+
+trap 'error_notify $?' EXIT
+
+echo check if rdomains are busy
+for n in ${RDOMAINS}; do
+       if /sbin/ifconfig | grep -v "^lo${n}:" | grep " rdomain ${n} "; then
+               echo routing domain ${n} is already used >&2
+               exit 1
+       fi
+done
+
+echo check if interfaces are busy
+for n in ${PAIRS}; do
+       /sbin/ifconfig "${n}" >/dev/null 2>&1 && \
+           ( echo interface ${n} is already used >&2; exit 1 )
+done
+
+set -x
+
+echo setup
+ifconfig ${PAIR1} rdomain ${RDOMAIN1} ${PAIR1IP}/24 up
+ifconfig ${PAIR2} rdomain ${RDOMAIN2} ${PAIR2IP1}/24 up
+ifconfig ${PAIR2} alias ${PAIR2IP2}/32 up
+ifconfig ${PAIR2} alias ${PAIR2IP3}/32 up
+ifconfig ${PAIR2} alias ${PAIR2IP4}/32 up
+ifconfig ${PAIR2} alias ${PAIR2IP5}/32 up
+ifconfig ${PAIR2} alias ${PAIR2IP6}/32 up
+ifconfig ${PAIR2} alias ${PAIR2IP7}/32 up
+ifconfig ${PAIR1} patch ${PAIR2}
+ifconfig lo${RDOMAIN1} inet 127.0.0.1/8
+ifconfig lo${RDOMAIN2} inet 127.0.0.1/8
+
+echo test1: no capability
+test_bgpd "Last error sent: error in OPEN message, unsupported capability" "no"
+
+echo test2: ok capability
+test_bgpd "BGP state = Established, up" "yes"
+
+echo test3: enforce capability
+test_bgpd "BGP state = Established, up" "enforce"
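Review bot: `trap 'error_notify $?' EXIT` is installed before the "check if rdomains are busy" and "check if interfaces are busy" loops, so a failed busy check still runs the full cleanup as root. In that case error_notify runs `pkill -T` on bgpd in both rdomains, destroys `${PAIR1}`, `${PAIR2}` and the `lo${RDOMAIN}` interfaces, and flushes the routes, all on resources the script has just found to belong to something else. Moving the trap line to just before `echo setup` would limit cleanup to what this run created. Separately, test_bgpd relies on fixed `sleep 1` waits before `grep "$e"`, so the Established and "Last error sent" checks may be timing-sensitive on a slow host.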