From: claudio Date: Tue, 9 Apr 2024 09:35:57 +0000 (+0000) Subject: Add a capability enforcement integration test. X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=0149d23fabe9f9c51b4d118ce9015166eda2bbe6;p=openbsd Add a capability enforcement integration test. This should ensure that no / yes and enforce work the way we want. --- diff --git a/regress/usr.sbin/bgpd/integrationtests/Makefile b/regress/usr.sbin/bgpd/integrationtests/Makefile index 10e36ac401a..5208dc2d268 100644 --- a/regress/usr.sbin/bgpd/integrationtests/Makefile +++ b/regress/usr.sbin/bgpd/integrationtests/Makefile @@ -1,6 +1,6 @@ -# $OpenBSD: Makefile,v 1.23 2023/10/16 10:26:51 claudio Exp $ +# $OpenBSD: Makefile,v 1.24 2024/04/09 09:35:57 claudio Exp $ -REGRESS_TARGETS = network_statement md5 ovs policy pftable \ +REGRESS_TARGETS = network_statement md5 ovs capa policy pftable \ mrt maxprefix maxprefixout maxcomm l3vpn \ ixp lladdr \ as0 med eval_all attr @@ -21,6 +21,9 @@ md5: ovs: ${SUDO} ksh ${.CURDIR}/$@.sh ${BGPD} ${.CURDIR} 11 12 pair11 pair12 +capa: + ${SUDO} ksh ${.CURDIR}/$@.sh ${BGPD} ${.CURDIR} 11 12 pair11 pair12 + policy: ${SUDO} ksh ${.CURDIR}/$@.sh ${BGPD} ${.CURDIR} 11 12 pair11 pair12 diff --git a/regress/usr.sbin/bgpd/integrationtests/bgpd.capa.client.conf b/regress/usr.sbin/bgpd/integrationtests/bgpd.capa.client.conf new file mode 100644 index 00000000000..ed8421fd691 --- /dev/null +++ b/regress/usr.sbin/bgpd/integrationtests/bgpd.capa.client.conf @@ -0,0 +1,20 @@ +AS 65001 + +IP=10.12.57.$NUM + +router-id $IP +listen on $IP +fib-update no + +socket $SOCK + +neighbor 10.12.57.254 { + remote-as 65000 + local-address $IP + descr "MASTER" + + announce $CAPA +} + +allow from any +allow to any diff --git a/regress/usr.sbin/bgpd/integrationtests/bgpd.capa.master.conf b/regress/usr.sbin/bgpd/integrationtests/bgpd.capa.master.conf new file mode 100644 index 00000000000..9d2a14ab954 --- /dev/null +++ b/regress/usr.sbin/bgpd/integrationtests/bgpd.capa.master.conf 
@@ -0,0 +1,40 @@
+AS 65000
+router-id 10.12.57.254
+listen on 10.12.57.254
+fib-update no
+
+# announce policy tested in own regress test
+
+group TEST {
+ remote-as 65001
+ local-address 10.12.57.254
+
+ neighbor 10.12.57.1 {
+ descr "PEER1"
+ announce as-4byte enforce
+ }
+ neighbor 10.12.57.2 {
+ descr "PEER2"
+ announce enhanced refresh enforce
+ }
+ neighbor 10.12.57.3 {
+ descr "PEER3"
+ announce refresh enforce
+ }
+ neighbor 10.12.57.4 {
+ descr "PEER4"
+ announce restart enforce
+ }
+ neighbor 10.12.57.5 {
+ descr "PEER5"
+ announce inet vpn enforce
+ }
+ neighbor 10.12.57.6 {
+ descr "PEER6"
+ announce add-path recv enforce
+ }
+ neighbor 10.12.57.7 {
+ descr "PEER7"
+ announce add-path send best plus 3 enforce
+ }
+}
diff --git a/regress/usr.sbin/bgpd/integrationtests/capa.sh b/regress/usr.sbin/bgpd/integrationtests/capa.sh
new file mode 100644
index 00000000000..f861c9b5f48
--- /dev/null
+++ b/regress/usr.sbin/bgpd/integrationtests/capa.sh
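Review bot: Nothing in bgpd.capa.master.conf records that the PEER numbering is tied to the client side: capa.sh starts client N with `CAPA[N-1]`, so neighbor 10.12.57.N must keep matching that array position, and PEER6/PEER7 are deliberately crossed (master `add-path recv` against the client's `add-path send`, and the reverse). A comment above `group TEST`, for example `# PEERn is paired with CAPA[n-1] in capa.sh; keep both lists in step`, would stop a later capability addition from silently mis-pairing the peers and testing the wrong thing.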
@@ -0,0 +1,140 @@
+#!/bin/ksh
+# $OpenBSD: capa.sh,v 1.1 2024/04/09 09:35:57 claudio Exp $
+
+set -e
+
+BGPD=$1
+BGPDCONFIGDIR=$2
+RDOMAIN1=$3
+RDOMAIN2=$4
+PAIR1=$5
+PAIR2=$6
+
+RDOMAINS="${RDOMAIN1} ${RDOMAIN2}"
+PAIRS="${PAIR1} ${PAIR2}"
+PAIR1IP=10.12.57.254
+PAIR2IP1=10.12.57.1
+PAIR2IP2=10.12.57.2
+PAIR2IP3=10.12.57.3
+PAIR2IP4=10.12.57.4
+PAIR2IP5=10.12.57.5
+PAIR2IP6=10.12.57.6
+PAIR2IP7=10.12.57.7
+
+error_notify() {
+ echo cleanup
+ pkill -T ${RDOMAIN1} bgpd || true
+ pkill -T ${RDOMAIN2} bgpd || true
+ sleep 1
+ ifconfig ${PAIR2} destroy || true
+ ifconfig ${PAIR1} destroy || true
+ route -qn -T ${RDOMAIN1} flush || true
+ route -qn -T ${RDOMAIN2} flush || true
+ ifconfig lo${RDOMAIN1} destroy || true
+ ifconfig lo${RDOMAIN2} destroy || true
+ if [ $1 -ne 0 ]; then
+ echo FAILED
+ exit 1
+ else
+ echo SUCCESS
+ fi
+}
+
+test_bgpd() {
+
+ local e=$1
+ local p=$2
+
+ case $p in
+ no)
+ local mpopt=none
+ local apopt=no
+ ;;
+ yes)
+ local mpopt=vpn
+ local apopt="best max 3"
+ ;;
+ enforce)
+ local mpopt="vpn enforce"
+ local apopt="best max 3 enforce"
+ ;;
+ esac
+
+ set -A CAPA "as-4byte $p" \
+ "enhanced refresh $p" \
+ "refresh $p" "restart $p" \
+ "inet $mpopt" \
+ "add-path send $apopt" \
+ "add-path recv $p"
+
+ set -x
+
+ route -T ${RDOMAIN1} exec ${BGPD} \
+ -v -f ${BGPDCONFIGDIR}/bgpd.capa.master.conf
+
+ for i in 1 2 3 4 5 6 7; do
+ route -T ${RDOMAIN2} exec ${BGPD} -DNUM=$i \
+ -DCAPA="${CAPA[$(($i - 1))]}" \
+ -DSOCK=\"/var/run/bgpd.sock.c$i\" \
+ -v -f ${BGPDCONFIGDIR}/bgpd.capa.client.conf
+ done
+
+ sleep 1
+ route -T ${RDOMAIN1} exec bgpctl nei group TEST up
+ sleep 1
+
+ for i in 1 2 3 4 5 6 7; do
+ route -T ${RDOMAIN1} exec bgpctl show nei PEER$i | \
+ grep "$e"
+ done
+
+ pkill -T ${RDOMAIN1} bgpd || true
+ pkill -T ${RDOMAIN2} bgpd || true
+
+ sleep 1
+}
+
+if [ "$(id -u)" -ne 0 ]; then
+ echo need root privileges >&2
+ exit 1
+fi
+
+trap 'error_notify $?' EXIT
+
+echo check if rdomains are busy
+for n in ${RDOMAINS}; do
+ if /sbin/ifconfig | grep -v "^lo${n}:" | grep " rdomain ${n} "; then
+ echo routing domain ${n} is already used >&2
+ exit 1
+ fi
+done
+
+echo check if interfaces are busy
+for n in ${PAIRS}; do
+ /sbin/ifconfig "${n}" >/dev/null 2>&1 && \
+ ( echo interface ${n} is already used >&2; exit 1 )
+done
+
+set -x
+
+echo setup
+ifconfig ${PAIR1} rdomain ${RDOMAIN1} ${PAIR1IP}/24 up
+ifconfig ${PAIR2} rdomain ${RDOMAIN2} ${PAIR2IP1}/24 up
+ifconfig ${PAIR2} alias ${PAIR2IP2}/32 up
+ifconfig ${PAIR2} alias ${PAIR2IP3}/32 up
+ifconfig ${PAIR2} alias ${PAIR2IP4}/32 up
+ifconfig ${PAIR2} alias ${PAIR2IP5}/32 up
+ifconfig ${PAIR2} alias ${PAIR2IP6}/32 up
+ifconfig ${PAIR2} alias ${PAIR2IP7}/32 up
+ifconfig ${PAIR1} patch ${PAIR2}
+ifconfig lo${RDOMAIN1} inet 127.0.0.1/8
+ifconfig lo${RDOMAIN2} inet 127.0.0.1/8
+
+echo test1: no capability
+test_bgpd "Last error sent: error in OPEN message, unsupported capability" "no"
+
+echo test2: ok capability
+test_bgpd "BGP state = Established, up" "yes"
+
+echo test3: enforce capability
+test_bgpd "BGP state = Established, up" "enforce"
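Review bot: The `trap 'error_notify $?' EXIT` line is installed before the two "busy" checks, so when a check finds a routing domain or pair interface already in use and the script exits 1, error_notify still runs. It then `pkill -T`s bgpd in both rdomains, destroys `${PAIR1}`/`${PAIR2}` and both `lo${RDOMAIN}` interfaces and flushes both routing tables, which is exactly the state the check just decided does not belong to this test. Because the Makefile target runs the script under `${SUDO}`, I would move the trap down so it is set only after both checks have passed, directly before `set -x` / `echo setup`. The cleanup would likewise run with empty variables if the script is started without its six arguments; a guard such as `[ $# -eq 6 ] || exit 1` placed ahead of the trap would cover that case.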