tests: Check if BGP SoO extended community filtering works

Whn using as-override, we should be able to deny outgoing updates from
being propogated when `neighbor soo` is configured.

Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>

14 files changed, 343 insertions, 0 deletions

diff --git a/tests/topotests/bgp_soo/__init__.py b/tests/topotests/bgp_soo/__init__.py
new file mode 100644
index 000000000..e69de29bb
--- /dev/null
+++ b/tests/topotests/bgp_soo/__init__.py
diff --git a/tests/topotests/bgp_soo/cpe1/bgpd.conf b/tests/topotests/bgp_soo/cpe1/bgpd.conf
new file mode 100644
index 000000000..a8984d4e8
--- /dev/null
+++ b/tests/topotests/bgp_soo/cpe1/bgpd.conf
@@ -0,0 +1,10 @@
+router bgp 65000
+ no bgp ebgp-requires-policy
+ neighbor 192.168.1.2 remote-as external
+ neighbor 192.168.1.2 timers 1 3
+ neighbor 192.168.1.2 timers connect 1
+ neighbor 10.0.0.2 remote-as internal
+ address-family ipv4 unicast
+  redistribute connected
+ exit-address-family
+!
diff --git a/tests/topotests/bgp_soo/cpe1/zebra.conf b/tests/topotests/bgp_soo/cpe1/zebra.conf
new file mode 100644
index 000000000..669cb9129
--- /dev/null
+++ b/tests/topotests/bgp_soo/cpe1/zebra.conf
@@ -0,0 +1,12 @@
+!
+interface lo
+ ip address 172.16.255.1/32
+!
+interface cpe1-eth0
+ ip address 192.168.1.1/24
+!
+interface cpe1-eth1
+ ip address 10.0.0.1/24
+!
+ip forwarding
+!
diff --git a/tests/topotests/bgp_soo/cpe2/bgpd.conf b/tests/topotests/bgp_soo/cpe2/bgpd.conf
new file mode 100644
index 000000000..19f7a24e2
--- /dev/null
+++ b/tests/topotests/bgp_soo/cpe2/bgpd.conf
@@ -0,0 +1,10 @@
+router bgp 65000
+ no bgp ebgp-requires-policy
+ neighbor 192.168.2.2 remote-as external
+ neighbor 192.168.2.2 timers 1 3
+ neighbor 192.168.2.2 timers connect 1
+ neighbor 10.0.0.1 remote-as internal
+ address-family ipv4 unicast
+  redistribute connected
+ exit-address-family
+!
diff --git a/tests/topotests/bgp_soo/cpe2/zebra.conf b/tests/topotests/bgp_soo/cpe2/zebra.conf
new file mode 100644
index 000000000..52f36c06e
--- /dev/null
+++ b/tests/topotests/bgp_soo/cpe2/zebra.conf
@@ -0,0 +1,9 @@
+!
+interface cpe2-eth0
+ ip address 192.168.2.1/24
+!
+interface cpe2-eth1
+ ip address 10.0.0.2/24
+!
+ip forwarding
+!
diff --git a/tests/topotests/bgp_soo/pe1/bgpd.conf b/tests/topotests/bgp_soo/pe1/bgpd.conf
new file mode 100644
index 000000000..04a6857c7
--- /dev/null
+++ b/tests/topotests/bgp_soo/pe1/bgpd.conf
@@ -0,0 +1,27 @@
+router bgp 65001
+ bgp router-id 10.10.10.10
+ no bgp ebgp-requires-policy
+ no bgp default ipv4-unicast
+ neighbor 10.10.10.20 remote-as internal
+ neighbor 10.10.10.20 update-source 10.10.10.10
+ address-family ipv4 vpn
+  neighbor 10.10.10.20 activate
+ exit-address-family
+!
+router bgp 65001 vrf RED
+ bgp router-id 192.168.1.2
+ no bgp ebgp-requires-policy
+ neighbor 192.168.1.1 remote-as external
+ neighbor 192.168.1.1 timers 1 3
+ neighbor 192.168.1.1 timers connect 1
+ address-family ipv4 unicast
+  neighbor 192.168.1.1 as-override
+  neighbor 192.168.1.1 soo 65000:1
+  label vpn export 1111
+  rd vpn export 192.168.1.2:2
+  rt vpn import 192.168.2.2:2 192.168.1.2:2
+  rt vpn export 192.168.1.2:2
+  export vpn
+  import vpn
+ exit-address-family
+!
diff --git a/tests/topotests/bgp_soo/pe1/ldpd.conf b/tests/topotests/bgp_soo/pe1/ldpd.conf
new file mode 100644
index 000000000..fb40f06fa
--- /dev/null
+++ b/tests/topotests/bgp_soo/pe1/ldpd.conf
@@ -0,0 +1,10 @@
+mpls ldp
+ router-id 10.10.10.10
+ !
+ address-family ipv4
+  discovery transport-address 10.10.10.10
+  !
+  interface pe1-eth1
+  !
+ !
+!
diff --git a/tests/topotests/bgp_soo/pe1/ospfd.conf b/tests/topotests/bgp_soo/pe1/ospfd.conf
new file mode 100644
index 000000000..34f0899c9
--- /dev/null
+++ b/tests/topotests/bgp_soo/pe1/ospfd.conf
@@ -0,0 +1,7 @@
+interface pe1-eth1
+ ip ospf dead-interval 4
+ ip ospf hello-interval 1
+!
+router ospf
+ router-id 10.10.10.10
+ network 0.0.0.0/0 area 0
diff --git a/tests/topotests/bgp_soo/pe1/zebra.conf b/tests/topotests/bgp_soo/pe1/zebra.conf
new file mode 100644
index 000000000..cc8ff1983
--- /dev/null
+++ b/tests/topotests/bgp_soo/pe1/zebra.conf
@@ -0,0 +1,12 @@
+!
+interface lo
+ ip address 10.10.10.10/32
+!
+interface pe1-eth0 vrf RED
+ ip address 192.168.1.2/24
+!
+interface pe1-eth1
+ ip address 10.0.1.1/24
+!
+ip forwarding
+!
diff --git a/tests/topotests/bgp_soo/pe2/bgpd.conf b/tests/topotests/bgp_soo/pe2/bgpd.conf
new file mode 100644
index 000000000..efebc02f2
--- /dev/null
+++ b/tests/topotests/bgp_soo/pe2/bgpd.conf
@@ -0,0 +1,31 @@
+router bgp 65001
+ bgp router-id 10.10.10.20
+ no bgp ebgp-requires-policy
+ no bgp default ipv4-unicast
+ neighbor 10.10.10.10 remote-as internal
+ neighbor 10.10.10.10 update-source 10.10.10.20
+ address-family ipv4 vpn
+  neighbor 10.10.10.10 activate
+ exit-address-family
+!
+router bgp 65001 vrf RED
+ bgp router-id 192.168.2.2
+ no bgp ebgp-requires-policy
+ neighbor 192.168.2.1 remote-as external
+ neighbor 192.168.2.1 timers 1 3
+ neighbor 192.168.2.1 timers connect 1
+ address-family ipv4 unicast
+  neighbor 192.168.2.1 as-override
+  neighbor 192.168.2.1 route-map cpe2-in in
+  label vpn export 2222
+  rd vpn export 192.168.2.2:2
+  rt vpn import 192.168.2.2:2 192.168.1.2:2
+  rt vpn export 192.168.2.2:2
+  export vpn
+  import vpn
+ exit-address-family
+!
+! To prefer internal MPLS route over eBGP
+route-map cpe2-in permit 10
+ set local-preference 50
+exit
diff --git a/tests/topotests/bgp_soo/pe2/ldpd.conf b/tests/topotests/bgp_soo/pe2/ldpd.conf
new file mode 100644
index 000000000..e2b535999
--- /dev/null
+++ b/tests/topotests/bgp_soo/pe2/ldpd.conf
@@ -0,0 +1,10 @@
+mpls ldp
+ router-id 10.10.10.20
+ !
+ address-family ipv4
+  discovery transport-address 10.10.10.20
+  !
+  interface pe2-eth0
+  !
+ !
+!
diff --git a/tests/topotests/bgp_soo/pe2/ospfd.conf b/tests/topotests/bgp_soo/pe2/ospfd.conf
new file mode 100644
index 000000000..4c4b1374d
--- /dev/null
+++ b/tests/topotests/bgp_soo/pe2/ospfd.conf
@@ -0,0 +1,7 @@
+interface pe2-eth0
+ ip ospf dead-interval 4
+ ip ospf hello-interval 1
+!
+router ospf
+ router-id 10.10.10.20
+ network 0.0.0.0/0 area 0
diff --git a/tests/topotests/bgp_soo/pe2/zebra.conf b/tests/topotests/bgp_soo/pe2/zebra.conf
new file mode 100644
index 000000000..8049a7460
--- /dev/null
+++ b/tests/topotests/bgp_soo/pe2/zebra.conf
@@ -0,0 +1,12 @@
+!
+interface lo
+ ip address 10.10.10.20/32
+!
+interface pe2-eth1 vrf RED
+ ip address 192.168.2.2/24
+!
+interface pe2-eth0
+ ip address 10.0.1.2/24
+!
+ip forwarding
+!
diff --git a/tests/topotests/bgp_soo/test_bgp_soo.py b/tests/topotests/bgp_soo/test_bgp_soo.py
new file mode 100644
index 000000000..e3a7334c6
--- /dev/null
+++ b/tests/topotests/bgp_soo/test_bgp_soo.py
@@ -0,0 +1,186 @@
+#!/usr/bin/env python
+
+#
+# Copyright (c) 2022 by
+# Donatas Abraitis <donatas@opensourcerouting.org>
+#
+# Permission to use, copy, modify, and/or distribute this software
+# for any purpose with or without fee is hereby granted, provided
+# that the above copyright notice and this permission notice appear
+# in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND NETDEF DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NETDEF BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY
+# DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
+# WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+# ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
+# OF THIS SOFTWARE.
+#
+
+"""
+Test if BGP SoO per neighbor works correctly. Routes having SoO
+extended community MUST be rejected if the neighbor is configured
+with soo (neighbor soo).
+"""
+
+import os
+import sys
+import json
+import pytest
+import functools
+
+CWD = os.path.dirname(os.path.realpath(__file__))
+sys.path.append(os.path.join(CWD, "../"))
+
+# pylint: disable=C0413
+from lib import topotest
+from lib.topogen import Topogen, TopoRouter, get_topogen
+from lib.common_config import step
+
+pytestmark = [pytest.mark.bgpd]
+
+
+def build_topo(tgen):
+    tgen.add_router("cpe1")
+    tgen.add_router("cpe2")
+    tgen.add_router("pe1")
+    tgen.add_router("pe2")
+
+    switch = tgen.add_switch("s1")
+    switch.add_link(tgen.gears["cpe1"])
+    switch.add_link(tgen.gears["pe1"])
+
+    switch = tgen.add_switch("s2")
+    switch.add_link(tgen.gears["pe1"])
+    switch.add_link(tgen.gears["pe2"])
+
+    switch = tgen.add_switch("s3")
+    switch.add_link(tgen.gears["pe2"])
+    switch.add_link(tgen.gears["cpe2"])
+
+    switch = tgen.add_switch("s4")
+    switch.add_link(tgen.gears["cpe2"])
+    switch.add_link(tgen.gears["cpe1"])
+
+
+def setup_module(mod):
+    tgen = Topogen(build_topo, mod.__name__)
+    tgen.start_topology()
+
+    pe1 = tgen.gears["pe1"]
+    pe2 = tgen.gears["pe2"]
+
+    pe1.run("ip link add RED type vrf table 1001")
+    pe1.run("ip link set up dev RED")
+    pe2.run("ip link add RED type vrf table 1001")
+    pe2.run("ip link set up dev RED")
+    pe1.run("ip link set pe1-eth0 master RED")
+    pe2.run("ip link set pe2-eth1 master RED")
+
+    pe1.run("sysctl -w net.ipv4.ip_forward=1")
+    pe2.run("sysctl -w net.ipv4.ip_forward=1")
+    pe1.run("sysctl -w net.mpls.conf.pe1-eth0.input=1")
+    pe2.run("sysctl -w net.mpls.conf.pe2-eth1.input=1")
+
+    router_list = tgen.routers()
+
+    for i, (rname, router) in enumerate(router_list.items(), 1):
+        router.load_config(
+            TopoRouter.RD_ZEBRA, os.path.join(CWD, "{}/zebra.conf".format(rname))
+        )
+        router.load_config(
+            TopoRouter.RD_BGP, os.path.join(CWD, "{}/bgpd.conf".format(rname))
+        )
+        router.load_config(
+            TopoRouter.RD_OSPF, os.path.join(CWD, "{}/ospfd.conf".format(rname))
+        )
+        router.load_config(
+            TopoRouter.RD_LDP, os.path.join(CWD, "{}/ldpd.conf".format(rname))
+        )
+
+    tgen.start_router()
+
+
+def teardown_module(mod):
+    tgen = get_topogen()
+    tgen.stop_topology()
+
+
+def test_bgp_soo():
+    tgen = get_topogen()
+
+    pe2 = tgen.gears["pe2"]
+
+    if tgen.routers_have_failure():
+        pytest.skip(tgen.errors)
+
+    def _bgp_soo_unconfigured():
+        output = json.loads(
+            pe2.vtysh_cmd(
+                "show bgp vrf RED ipv4 unicast neighbors 192.168.2.1 advertised-routes json"
+            )
+        )
+        expected = {"advertisedRoutes": {"172.16.255.1/32": {"path": "65001"}}}
+        return topotest.json_cmp(output, expected)
+
+    test_func = functools.partial(_bgp_soo_unconfigured)
+    _, result = topotest.run_and_expect(test_func, None, count=30, wait=0.5)
+    assert result is None, "Failed to see BGP convergence in pe2"
+
+    step("Configure SoO (65000:1) for PE2 -- CPE2 session")
+    pe2.vtysh_cmd(
+        """
+    configure terminal
+    router bgp 65001 vrf RED
+     address-family ipv4 unicast
+      neighbor 192.168.2.1 soo 65000:1
+    """
+    )
+
+    def _bgp_soo_configured():
+        output = json.loads(
+            pe2.vtysh_cmd(
+                "show bgp vrf RED ipv4 unicast neighbors 192.168.2.1 advertised-routes json"
+            )
+        )
+        expected = {"advertisedRoutes": {"172.16.255.1/32": None}}
+        return topotest.json_cmp(output, expected)
+
+    test_func = functools.partial(_bgp_soo_configured)
+    _, result = topotest.run_and_expect(test_func, None, count=30, wait=0.5)
+    assert result is None, "SoO filtering does not work from pe2"
+
+    step("Configure SoO (65000:2) for PE2 -- CPE2 session")
+    pe2.vtysh_cmd(
+        """
+    configure terminal
+    router bgp 65001 vrf RED
+     address-family ipv4 unicast
+      neighbor 192.168.2.1 soo 65000:2
+    """
+    )
+
+    test_func = functools.partial(_bgp_soo_unconfigured)
+    _, result = topotest.run_and_expect(test_func, None, count=30, wait=0.5)
+    assert result is None, "SoO filtering does not work from pe2"
+
+    step("Unconfigure SoO for PE2 -- CPE2 session")
+    pe2.vtysh_cmd(
+        """
+    configure terminal
+    router bgp 65001 vrf RED
+     address-family ipv4 unicast
+      no neighbor 192.168.2.1 soo
+    """
+    )
+
+    test_func = functools.partial(_bgp_soo_unconfigured)
+    _, result = topotest.run_and_expect(test_func, None, count=30, wait=0.5)
+    assert result is None, "SoO filtering does not work from pe2"
+
+
+if __name__ == "__main__":
+    args = ["-s"] + sys.argv[1:]
+    sys.exit(pytest.main(args))