
[bgp] Add 'allow list' manager feature #5309

Merged

Conversation

pavel-shirshov
Contributor

@pavel-shirshov pavel-shirshov commented Sep 3, 2020

This PR implements a new feature: "BGP Allow list."

This feature allows us to control which IP prefixes are going to be advertised via ebgp from the routes received from EBGP neighbors.

The feature can be enabled or disabled using the "allow_list_enabled" flag in `/etc/sonic/deployment_id_asn_map.yml`.

There is another flag for the feature: default_action. When this flag is equal to "permit", this feature will not drop any BGP prefixes. The prefixes will be marked with drop_community. It is useful for debugging. But when the flag is equal to "deny", all prefixes which are not explicitly listed as "Allowed" will be marked with the no-export community, which prevents them from being exported to ebgp neighbors.

We use prefix-lists for each list of filtered prefixes. You can add default entries, which are going to be inserted into each prefix-list, to default_pl_rules.

We can control the feature by using the following schema:

```json
{
    "BGP_ALLOWED_PREFIXES": {
        "DEPLOYMENT_ID|0|1010:1010": {
            "prefixes_v4": [
                "10.20.0.0/16",
                "10.50.1.0/29"
            ],
            "prefixes_v6": [
                "fc01:10::/64",
                "fc02:20::/64"
            ]
        },
        "DEPLOYMENT_ID|0": {
            "prefixes_v4": [
                "10.20.0.0/16",
                "10.50.1.0/29"
            ],
            "prefixes_v6": [
                "fc01:10::/64",
                "fc02:20::/64"
            ]
        }
    }
}
```

The schema above means the following:

  1. For BGP neighbors with deployment_id 0 (currently we have all our neighbors under deployment_id 0 in this repo) do the following:
    a. Import IPv4 prefixes "10.20.0.0/16" and "10.50.1.0/29" only if they have associated BGP community "1010:1010".
    b. Import IPv6 prefixes "fc01:10::/64" and "fc02:20::/64" only if they have associated BGP community "1010:1010".
    c. Import IPv4 prefixes "10.20.0.0/16" and "10.50.1.0/29". The community is not required.
    d. Import IPv6 prefixes "fc01:10::/64" and "fc02:20::/64". The community is not required.

All other prefixes will be either marked or dropped (depending on the "default_action" flag; see above for "allow_list_default_action").

When BGP starts and this feature is enabled, all prefixes are going to be either marked with the community or marked with "no-export" community. That depends on "default_action" flag.

The following BGP configuration is generated by default:

```
!
route-map ALLOW_LIST_DEPLOYMENT_ID_0_V4 permit 65535
 set community 5060:12345 additive
!
route-map ALLOW_LIST_DEPLOYMENT_ID_0_V6 permit 65535
 set community 5060:12345 additive
!
!
!
route-map FROM_BGP_PEER_V4 permit 2
 call ALLOW_LIST_DEPLOYMENT_ID_0_V4
 on-match next
!
route-map FROM_BGP_PEER_V4 permit 100
!
!
!
route-map FROM_BGP_PEER_V6 permit 1
 set ipv6 next-hop prefer-global
!
route-map FROM_BGP_PEER_V6 permit 2
 call ALLOW_LIST_DEPLOYMENT_ID_0_V6
 on-match next
!
route-map FROM_BGP_PEER_V6 permit 100
!
```

When we apply the configuration you can find at the top of this PR description, the following BGP configuration will be generated.

```
!
ip prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010_V4 seq 10 deny 0.0.0.0/0 le 17
ip prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010_V4 seq 20 permit 127.0.0.1/32
ip prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010_V4 seq 30 permit 10.20.0.0/16 ge 17
ip prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010_V4 seq 40 permit 10.50.1.0/29 ge 30
ip prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_empty_V4 seq 10 deny 0.0.0.0/0 le 17
ip prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_empty_V4 seq 20 permit 127.0.0.1/32
ip prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_empty_V4 seq 30 permit 10.20.0.0/16 ge 17
ip prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_empty_V4 seq 40 permit 10.50.1.0/29 ge 30
!
ipv6 prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010_V6 seq 10 deny ::/0 le 59
ipv6 prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010_V6 seq 20 deny ::/0 ge 65
ipv6 prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010_V6 seq 30 permit fe80::/64
ipv6 prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010_V6 seq 40 permit fc01:10::/64 ge 65
ipv6 prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010_V6 seq 50 permit fc02:20::/64 ge 65
ipv6 prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_empty_V6 seq 10 deny ::/0 le 59
ipv6 prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_empty_V6 seq 20 deny ::/0 ge 65
ipv6 prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_empty_V6 seq 30 permit fe80::/64
ipv6 prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_empty_V6 seq 40 permit fc01:10::/64 ge 65
ipv6 prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_empty_V6 seq 50 permit fc02:20::/64 ge 65
!
bgp community-list standard COMMUNITY_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010 permit 1010:1010
!
route-map ALLOW_LIST_DEPLOYMENT_ID_0_V4 permit 10
 match community COMMUNITY_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010
 match ip address prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010_V4
!
route-map ALLOW_LIST_DEPLOYMENT_ID_0_V4 permit 30000
 match ip address prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_empty_V4
!
route-map ALLOW_LIST_DEPLOYMENT_ID_0_V4 permit 65535
 set community 5060:12345 additive
!
route-map ALLOW_LIST_DEPLOYMENT_ID_0_V6 permit 10
 match community COMMUNITY_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010
 match ipv6 address prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010_V6
!
route-map ALLOW_LIST_DEPLOYMENT_ID_0_V6 permit 30000
 match ipv6 address prefix-list PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_empty_V6
!
route-map ALLOW_LIST_DEPLOYMENT_ID_0_V6 permit 65535
 set community 5060:12345 additive
!
route-map FROM_BGP_PEER_V4 permit 100
!
route-map FROM_BGP_PEER_V4 permit 2
 call ALLOW_LIST_DEPLOYMENT_ID_0_V4
 on-match next
!
route-map FROM_BGP_PEER_V6 permit 1
 set ipv6 next-hop prefer-global
!
route-map FROM_BGP_PEER_V6 permit 100
!
route-map FROM_BGP_PEER_V6 permit 2
 call ALLOW_LIST_DEPLOYMENT_ID_0_V6
 on-match next
!
```

As you can see from the output above, the feature is isolated inside the "ALLOW_LIST_DEPLOYMENT_ID_0_V4" and "ALLOW_LIST_DEPLOYMENT_ID_0_V6" route-maps. We call these route-maps at the top of each "FROM" route-map for each deployment_id. When the "ALLOW_LIST_DEPLOYMENT_ID_0_V*" route-map evaluation returns "deny", the "FROM" route-map will return deny. But when the "ALLOW_LIST_DEPLOYMENT_ID_0_V*" route-map evaluation returns "permit", the next "FROM" route-map entry will be evaluated.

After each change of configuration the feature "restarts" all bgp neighbors. Both IPv4 and IPv6 neighbors restart in the soft mode.

To change the list of prefixes inside a record, you can apply the new list of prefixes with the same key. bgpcfgd will update the corresponding prefix-lists automatically.

- Why I did it
I implemented the new feature. See the description above.

- How I did it
I introduced a new functionality into bgpcfgd. All code mostly isolated inside of BGPAllowListMgr class. Also I made some changes inside of bgp jinja2 templates.

- How to verify it

  1. You can save the schema example to a file and then load the file into ConfigDB using the following command: `sonic-cfggen -j test_schema.conf --write-to-db`. After that you can use `show runningconfiguration bgp` to check the changed configuration. Also take a look into /var/log/syslog. There you can find the following output:

```text
Sep 10 00:12:36.820482 str-s6100-acs-1 DEBUG bgp#bgpcfgd: Received message : '('DEPLOYMENT_ID|0|1010:1010', 'SET', (('prefixes_v6', 'fc01:10::/64,fc02:20::/64'), ('prefixes_v4', '10.20.0.0/16,10.50.1.0/29')))'
Sep 10 00:12:36.821465 str-s6100-acs-1 INFO bgp#bgpcfgd: BGPAllowListMgr::Updating 'Allow list' policy. deployment_id '0'. community: '1010:1010' prefix_v4 '['10.20.0.0/16', '10.50.1.0/29']'. prefix_v6: '['fc01:10::/64', 'fc02:20::/64']'
Sep 10 00:12:36.821866 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__generate_names. deployment_id: 0, community: 1010:1010. names: {'community': 'COMMUNITY_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010', 'pl_v4': 'PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010_V4', 'rm_v4': 'ALLOW_LIST_DEPLOYMENT_ID_0_V4', 'pl_v6': 'PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010_V6', 'rm_v6': 'ALLOW_LIST_DEPLOYMENT_ID_0_V6'}
Sep 10 00:12:36.822221 str-s6100-acs-1 DEBUG bgp#bgpcfgd: execute command '['vtysh', '-c', 'show running-config']'.
Sep 10 00:12:37.052250 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__update_prefix_list. af='v4' prefix-list name=PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010_V4
Sep 10 00:12:37.052250 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__update_prefix_list. af='v6' prefix-list name=PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010_V6
Sep 10 00:12:37.052250 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__update_community. community_name='COMMUNITY_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010' community='1010:1010'
Sep 10 00:12:37.052250 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__is_community_presented. community='COMMUNITY_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010'
Sep 10 00:12:37.052250 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__update_allow_route_map_entry. af='v4' Allow rm='ALLOW_LIST_DEPLOYMENT_ID_0_V4' pl='PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010_V4' cl='COMMUNITY_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010'
Sep 10 00:12:37.052250 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__parse_allow_route_map_entries. af='v4', rm='ALLOW_LIST_DEPLOYMENT_ID_0_V4'
Sep 10 00:12:37.052341 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__find_next_seq_number '10' has_community='yes'
Sep 10 00:12:37.052341 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__update_allow_route_map_entry. af='v4' seqno='10' Allow pl='PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010_V4' cl='COMMUNITY_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010'
Sep 10 00:12:37.052341 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__update_allow_route_map_entry. af='v6' Allow rm='ALLOW_LIST_DEPLOYMENT_ID_0_V6' pl='PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010_V6' cl='COMMUNITY_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010'
Sep 10 00:12:37.052370 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__parse_allow_route_map_entries. af='v6', rm='ALLOW_LIST_DEPLOYMENT_ID_0_V6'
Sep 10 00:12:37.052416 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__find_next_seq_number '10' has_community='yes'
Sep 10 00:12:37.052416 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__update_allow_route_map_entry. af='v6' seqno='10' Allow pl='PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010_V6' cl='COMMUNITY_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_1010:1010'
Sep 10 00:12:37.052490 str-s6100-acs-1 DEBUG bgp#bgpcfgd: execute command '['vtysh', '-f', '/tmp/tmpQ5Uinl']'.
Sep 10 00:12:37.305769 str-s6100-acs-1 INFO bgp#bgpcfgd: BGPAllowListMgr::Restart peers with deployment_id=0
Sep 10 00:12:37.305861 str-s6100-acs-1 DEBUG bgp#bgpcfgd: execute command '['vtysh', '-c', 'clear bgp * soft in']'.
Sep 10 00:12:37.533604 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__update_policy. The peers were updated: rc=0
Sep 10 00:12:37.533690 str-s6100-acs-1 INFO bgp#bgpcfgd: BGPAllowListMgr::Done
Sep 10 00:12:37.533806 str-s6100-acs-1 DEBUG bgp#bgpcfgd: Received message : '('DEPLOYMENT_ID|0', 'SET', (('prefixes_v6', 'fc01:10::/64,fc02:20::/64'), ('prefixes_v4', '10.20.0.0/16,10.50.1.0/29')))'
Sep 10 00:12:37.534456 str-s6100-acs-1 INFO bgp#bgpcfgd: BGPAllowListMgr::Updating 'Allow list' policy. deployment_id '0'. community: 'empty' prefix_v4 '['10.20.0.0/16', '10.50.1.0/29']'. prefix_v6: '['fc01:10::/64', 'fc02:20::/64']'
Sep 10 00:12:37.534613 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__generate_names. deployment_id: 0, community: empty. names: {'community': 'empty', 'pl_v4': 'PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_empty_V4', 'rm_v4': 'ALLOW_LIST_DEPLOYMENT_ID_0_V4', 'pl_v6': 'PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_empty_V6', 'rm_v6': 'ALLOW_LIST_DEPLOYMENT_ID_0_V6'}
Sep 10 00:12:37.534883 str-s6100-acs-1 DEBUG bgp#bgpcfgd: execute command '['vtysh', '-c', 'show running-config']'.
Sep 10 00:12:37.765318 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__update_prefix_list. af='v4' prefix-list name=PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_empty_V4
Sep 10 00:12:37.765807 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__update_prefix_list. af='v6' prefix-list name=PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_empty_V6
Sep 10 00:12:37.766093 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__update_community. community_name='empty' community='empty'
Sep 10 00:12:37.766260 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__update_community. Empty community. exiting
Sep 10 00:12:37.766518 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__update_allow_route_map_entry. af='v4' Allow rm='ALLOW_LIST_DEPLOYMENT_ID_0_V4' pl='PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_empty_V4' cl='empty'
Sep 10 00:12:37.766805 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__parse_allow_route_map_entries. af='v4', rm='ALLOW_LIST_DEPLOYMENT_ID_0_V4'
Sep 10 00:12:37.767303 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__find_next_seq_number '30000' has_community='no'
Sep 10 00:12:37.767553 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__update_allow_route_map_entry. af='v4' seqno='30000' Allow pl='PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_empty_V4' cl='empty'
Sep 10 00:12:37.767612 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__update_allow_route_map_entry. af='v6' Allow rm='ALLOW_LIST_DEPLOYMENT_ID_0_V6' pl='PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_empty_V6' cl='empty'
Sep 10 00:12:37.767665 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__parse_allow_route_map_entries. af='v6', rm='ALLOW_LIST_DEPLOYMENT_ID_0_V6'
Sep 10 00:12:37.768116 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__find_next_seq_number '30000' has_community='no'
Sep 10 00:12:37.768391 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__update_allow_route_map_entry. af='v6' seqno='30000' Allow pl='PL_ALLOW_LIST_DEPLOYMENT_ID_0_COMMUNITY_empty_V6' cl='empty'
Sep 10 00:12:37.768636 str-s6100-acs-1 DEBUG bgp#bgpcfgd: execute command '['vtysh', '-f', '/tmp/tmpDW7cL6']'.
Sep 10 00:12:38.000131 str-s6100-acs-1 INFO bgp#bgpcfgd: BGPAllowListMgr::Restart peers with deployment_id=0
Sep 10 00:12:38.000646 str-s6100-acs-1 DEBUG bgp#bgpcfgd: execute command '['vtysh', '-c', 'clear bgp * soft in']'.
Sep 10 00:12:38.225079 str-s6100-acs-1 DEBUG bgp#bgpcfgd: BGPAllowListMgr::__update_policy. The peers were updated: rc=0
Sep 10 00:12:38.225079 str-s6100-acs-1 INFO bgp#bgpcfgd: BGPAllowListMgr::Done
```

  2. You can remove the feature configuration with the following commands. The default configuration will be restored.

```shell
# 'del' does not expand patterns, so enumerate the matching keys first
redis-cli -n 4 --scan --pattern 'BGP_ALLOWED_PREFIXES*' | xargs -r redis-cli -n 4 del
```

After that you can use show runningconfiguration bgp to check the changed configuration.

Test coverage data

```text
Name                Stmts   Miss  Cover
---------------------------------------
app/__init__.py         0      0   100%
app/allow_list.py     385     21    95%
app/config.py          78     41    47%
app/directory.py       63     44    30%
app/log.py             15      3    80%
app/manager.py         41     23    44%
app/template.py        64     11    83%
app/util.py            11      8    27%
app/vars.py             1      0   100%
---------------------------------------
TOTAL                 658    151    77%
```

- Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006

- Description for the changelog

- A picture of a cute animal (not mandatory but encouraged)
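As an added illustration of how the schema maps onto the generated policy (this is not bgpcfgd's code and not part of this PR), the following Python script renders prefix-lists, a community-list and the ALLOW_LIST route-maps from a BGP_ALLOWED_PREFIXES dictionary. Object names and entry layout follow the generated configuration shown in the description; the default prefix-list rules, the drop_community value 5060:12345 and the use of the `no-export` community for default_action "deny" are assumptions taken from that output and the text, and accepting comma-separated ConfigDB values is the example's own choice.

```python
"""Added example, not bgpcfgd's own code: renders the FRR policy that the
BGP_ALLOWED_PREFIXES schema describes, mirroring the names and entry
layout visible in the PR description's generated configuration."""
import ipaddress

# Assumed defaults, constructed to match the PR's generated output:
# default_pl_rules inserted at the top of every prefix-list, and the
# drop_community value seen in the seq 65535 entry.
DEFAULT_PL_RULES = {
    "v4": ["deny 0.0.0.0/0 le 17", "permit 127.0.0.1/32"],
    "v6": ["deny ::/0 le 59", "deny ::/0 ge 65", "permit fe80::/64"],
}
DROP_COMMUNITY = "5060:12345"

# Sample input: the schema from the PR description. The second record uses
# the comma-separated form that ConfigDB delivers (see the syslog output).
SAMPLE = {
    "BGP_ALLOWED_PREFIXES": {
        "DEPLOYMENT_ID|0|1010:1010": {
            "prefixes_v4": ["10.20.0.0/16", "10.50.1.0/29"],
            "prefixes_v6": ["fc01:10::/64", "fc02:20::/64"],
        },
        "DEPLOYMENT_ID|0": {
            "prefixes_v4": "10.20.0.0/16,10.50.1.0/29",
            "prefixes_v6": "fc01:10::/64,fc02:20::/64",
        },
    }
}


def parse_key(key):
    """'DEPLOYMENT_ID|0|1010:1010' -> ('0', '1010:1010'); no community -> 'empty'."""
    parts = key.split("|")
    if len(parts) not in (2, 3) or parts[0] != "DEPLOYMENT_ID":
        raise ValueError("unexpected BGP_ALLOWED_PREFIXES key: %r" % key)
    return parts[1], (parts[2] if len(parts) == 3 else "empty")


def names(deployment_id, community):
    base = "ALLOW_LIST_DEPLOYMENT_ID_%s" % deployment_id
    return {
        "community": "COMMUNITY_%s_COMMUNITY_%s" % (base, community),
        "pl_v4": "PL_%s_COMMUNITY_%s_V4" % (base, community),
        "pl_v6": "PL_%s_COMMUNITY_%s_V6" % (base, community),
        "rm_v4": base + "_V4",
        "rm_v6": base + "_V6",
    }


def as_list(value):
    return [v for v in value.split(",") if v] if isinstance(value, str) else list(value)


def prefix_list(af, name, prefixes):
    """Default rules first, then each allowed prefix as 'permit P ge len+1' (the PR's layout)."""
    cmd = "ip prefix-list" if af == "v4" else "ipv6 prefix-list"
    lines, seq = [], 10
    for rule in DEFAULT_PL_RULES[af]:
        lines.append("%s %s seq %d %s" % (cmd, name, seq, rule))
        seq += 10
    for p in as_list(prefixes):
        net = ipaddress.ip_network(p)  # strict by default: rejects host bits set
        if net.version != (4 if af == "v4" else 6):
            raise ValueError("%s is not an IP%s prefix" % (p, af))
        lines.append("%s %s seq %d permit %s ge %d" % (cmd, name, seq, net.with_prefixlen, net.prefixlen + 1))
        seq += 10
    return lines


def route_map_entry(rm, af, pl, community_list, seq):
    lines = ["route-map %s permit %d" % (rm, seq)]
    if community_list:
        lines.append(" match community %s" % community_list)
    lines.append(" match %s address prefix-list %s" % ("ip" if af == "v4" else "ipv6", pl))
    return lines + ["!"]


def generate(config, default_action="permit"):
    """Records with a community get seq 10, 20, ...; the community-less record seq 30000;
    the seq 65535 entry marks everything else with drop_community or no-export."""
    if default_action not in ("permit", "deny"):
        raise ValueError("default_action must be 'permit' or 'deny'")
    records = {}
    for key, entry in config["BGP_ALLOWED_PREFIXES"].items():
        dep, comm = parse_key(key)
        records.setdefault(dep, []).append((comm, entry))
    pl_lines, cl_lines, rm_lines = [], [], []
    marker = DROP_COMMUNITY if default_action == "permit" else "no-export"
    for dep in sorted(records):
        rm, seq = {"v4": [], "v6": []}, {"with": 10, "without": 30000}
        for comm, entry in sorted(records[dep], key=lambda r: r[0] == "empty"):
            n, cl = names(dep, comm), None
            if comm != "empty":
                cl = n["community"]
                cl_lines.append("bgp community-list standard %s permit %s" % (cl, comm))
            slot = "without" if comm == "empty" else "with"
            for af in ("v4", "v6"):
                pl_lines += prefix_list(af, n["pl_" + af], entry.get("prefixes_" + af, []))
                rm[af] += route_map_entry(n["rm_" + af], af, n["pl_" + af], cl, seq[slot])
            seq[slot] += 10
        for af in ("v4", "v6"):
            tail = ["route-map %s permit 65535" % names(dep, "empty")["rm_" + af],
                    " set community %s additive" % marker, "!"]
            rm_lines += rm[af] + tail
    return pl_lines + ["!"] + cl_lines + ["!"] + rm_lines


if __name__ == "__main__":
    print("\n".join(generate(SAMPLE)))
```

Running the script prints a policy whose prefix-list and route-map lines match the ones in the description; passing `default_action="deny"` swaps the final `set community` for `no-export`, which is the difference between "mark for debugging" and "keep off the eBGP sessions". Malformed keys, prefixes with host bits set, and a v6 prefix under prefixes_v4 raise ValueError instead of producing a silently wrong filter.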

@lguohan
Collaborator

lguohan commented Sep 4, 2020

Test failure. Can you also add a description for this PR?

@pavel-shirshov
Contributor Author

retest vsimage please

@sonic-net sonic-net deleted a comment from paulnice Sep 10, 2020
@jleveque jleveque changed the title Add 'allow list' manager feature [bgp] Add 'allow list' manager feature Sep 11, 2020
```python
        :param deployment_id: deployment_id number
        """
        log_info("BGPAllowListMgr::Restart peers with deployment_id=%d" % deployment_id)
        no_error, _, _ = run_command(["vtysh", "-c", "clear bgp * soft in"])
```
Collaborator

are we clearing all peers? including the upstream peers?

Collaborator

It does not seem you only clear the neighbors with the deployment_id. Impl and description do not match.

Contributor Author

Yes. Currently I clear all peers. But in this case I use soft in which will not reset any established bgp session, it will just update it.
It is not easy to find a neighbor with the deployment_id. For that I need to make a map between peer-group and neighbors and between peer-group and deployment id.

I'll look at it today.

Collaborator

I am not sure I understand the impact here. Does this `soft in` clear withdraw and then readvertise all the routes?

Contributor Author

I have added an implementation to reboot only the required peer-groups.

@lguohan
Collaborator

lguohan commented Sep 25, 2020

```text
app/directory.py 63 44 30%
app/manager.py 41 23 44%
```

Both seem low; can you improve them?

@pavel-shirshov
Contributor Author

Yes, I can.
But I think it is better to do it in another PR? This PR is about the "allow list" feature.

@lguohan
Collaborator

lguohan commented Sep 25, 2020

both directory and manager are added in this pr.

@pavel-shirshov
Contributor Author

@lguohan: The objects Directory and Manager were moved from bgpcfgd to their own modules to make it possible to use them from other modules. Both of them were written before this PR.

@pavel-shirshov
Contributor Author

retest vsimage please

@pavel-shirshov
Contributor Author

retest mellanox please

@pavel-shirshov pavel-shirshov merged commit 6eed082 into sonic-net:master Sep 27, 2020
abdosi pushed a commit that referenced this pull request Sep 28, 2020
implements a new feature: "BGP Allow list."

This feature allows us to control which IP prefixes are going to be advertised via ebgp from the routes received from EBGP neighbors.
lguohan added a commit that referenced this pull request Sep 29, 2020
abdosi added a commit that referenced this pull request Sep 29, 2020
wangxin added a commit to sonic-net/sonic-mgmt that referenced this pull request Nov 25, 2020
What is the motivation for this PR?
The BGP allow list feature was introduced in SONiC. This PR is to add a script for testing the BGP allow list feature.

How did you do it?
Add a new script for testing BGP allow list. Covered scenarios:

* Ensure that constants.bgp.allow_list.default_action is "permit". No BGP allow list is configured.
  * Announce routes with and without test community '1010:1010' to the first T0 VM by exabgp.
  * Check routes on the first T0 VM. All the routes should be successfully injected.
  * Check routes on DUT. All the routes should be accepted by DUT.
  * Check routes on other T0 and T2 VMs. All the routes should be advertised by DUT. The drop_community defined in /etc/sonic/constants.yml should be added to all routes. The original community of routes should be kept.

* Ensure that constants.bgp.allow_list.default_action is "permit". BGP allow list is configured.
  * Announce routes with and without test community '1010:1010' to the first T0 VM by exabgp.
  * Check routes on the first T0 VM. All the routes should be successfully injected.
  * Check routes on DUT. All the routes should be accepted by DUT.
  * Check routes on other T0 and T2 VMs. All the routes should be advertised by DUT. The drop_community should only be added to routes not on the allow list. The original community of routes should be kept.

* Ensure that constants.bgp.allow_list.default_action is "deny". No BGP allow list is configured.
  * Announce routes with and without test community '1010:1010' to the first T0 VM by exabgp.
  * Check routes on the first T0 VM. All the routes should be successfully injected.
  * Check routes on DUT. All the routes should be accepted by DUT.
  * Check routes on other T0 and T2 VMs. No routes should be advertised by DUT.

* Ensure that constants.bgp.allow_list.default_action is "deny". BGP allow list is configured.
  * Announce routes with and without test community '1010:1010' to the first T0 VM by exabgp.
  * Check routes on the first T0 VM. All the routes should be successfully injected.
  * Check routes on DUT. All the routes should be accepted by DUT.
  * Check routes on other T0 and T2 VMs. Only the routes on allow list should be advertised by DUT. No drop_community should be added to advertised routes. The original community of routes should be kept.

Relevant change: sonic-net/sonic-buildimage#5309

How did you verify/test it?
Run the test script using latest master image. Currently some test cases can't pass because of issue: sonic-net/sonic-buildimage#6001

If you add `on-match next` to /usr/share/sonic/templates/bgpd/templates/general/policies.conf.j2 and restart the bgp service, then all the cases can pass:
```
route-map FROM_BGP_PEER_V6 permit 1
 on-match next
 set ipv6 next-hop prefer-global
```
Any platform specific information?
No

Supported testbed topology if it's a new test case?
This test only supports topology type t1.

Signed-off-by: Xin Wang <xiwang5@microsoft.com>
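The four scenarios in the commit message above can be modelled without a testbed. The script below is an added example, not sonic-mgmt's test script and not bgpcfgd code: it simulates the ALLOW_LIST route-map decision for a set of constructed routes under each combination of default_action and allow-list presence, and returns what a downstream eBGP peer would see. The drop_community value 5060:12345 comes from the generated configuration in sonic-buildimage#5309; the prefix-match rule (a listed prefix or any more-specific of it), the sample allow list and the test routes are assumptions constructed for the example.

```python
"""Added example (not sonic-mgmt or bgpcfgd code): a model of the four
allow-list scenarios. Allowed routes pass untouched; everything else gets
drop_community (default_action permit) or no-export (default_action deny)."""
import ipaddress

# Assumed drop_community, taken from the generated config in sonic-buildimage#5309.
DROP_COMMUNITY = "5060:12345"
TEST_COMMUNITY = "1010:1010"

# Constructed allow list: one record keyed by community, one without.
ALLOW_LIST = {
    "BGP_ALLOWED_PREFIXES": {
        "DEPLOYMENT_ID|0|1010:1010": {"prefixes_v4": ["10.20.0.0/16"]},
        "DEPLOYMENT_ID|0": {"prefixes_v4": ["10.50.1.0/29"]},
    }
}
NO_ALLOW_LIST = {"BGP_ALLOWED_PREFIXES": {}}

# Constructed test routes: (prefix, communities carried by the route).
ROUTES = [
    ("10.20.1.0/24", {TEST_COMMUNITY}),  # covered by the community-keyed record
    ("10.20.1.0/24", set()),             # same prefix, required community missing
    ("10.50.1.0/29", set()),             # covered by the community-less record
    ("192.0.2.0/24", {TEST_COMMUNITY}),  # not listed anywhere
]


def is_allowed(prefix, communities, allow_list, deployment_id="0"):
    """Assumption: a route matches a record when its prefix equals or is a
    more-specific of a listed prefix and, for keyed records, it carries the
    record's community."""
    net = ipaddress.ip_network(prefix)
    for key, entry in allow_list["BGP_ALLOWED_PREFIXES"].items():
        _, dep, *comm = key.split("|")
        if dep != deployment_id or (comm and comm[0] not in communities):
            continue
        for listed in entry.get("prefixes_v%d" % net.version, []):
            listed_net = ipaddress.ip_network(listed)
            if listed_net.version == net.version and (net == listed_net or net.subnet_of(listed_net)):
                return True
    return False


def apply_policy(prefix, communities, allow_list, default_action):
    """Return (advertised_to_ebgp, communities_after_policy)."""
    if default_action not in ("permit", "deny"):
        raise ValueError("default_action must be 'permit' or 'deny'")
    result = set(communities)  # original communities are always kept
    if is_allowed(prefix, communities, allow_list):
        return True, result
    if default_action == "permit":
        result.add(DROP_COMMUNITY)  # marked for debugging, still advertised
        return True, result
    result.add("no-export")  # well-known community: not sent to eBGP peers
    return False, result


def run_scenarios():
    """Evaluate every test route under the four scenarios of the commit message."""
    out = {}
    for action in ("permit", "deny"):
        for name, allow_list in (("no_list", NO_ALLOW_LIST), ("list", ALLOW_LIST)):
            out[(action, name)] = [apply_policy(p, c, allow_list, action) for p, c in ROUTES]
    return out


if __name__ == "__main__":
    for scenario, results in run_scenarios().items():
        print(scenario)
        for (prefix, _), (advertised, comms) in zip(ROUTES, results):
            print("  %-14s advertised=%-5s communities=%s" % (prefix, advertised, sorted(comms)))
```

The model makes the second scenario's subtlety visible: with default_action "permit" and an allow list configured, the same prefix is advertised clean when it carries community 1010:1010 and advertised with drop_community when it does not, so a missing community never causes loss, only a mark. Under "deny" that same route is withheld from eBGP peers, which is the behaviour the "deny, allow list configured" test case checks.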
santhosh-kt pushed a commit to santhosh-kt/sonic-buildimage that referenced this pull request Feb 25, 2021
santhosh-kt pushed a commit to santhosh-kt/sonic-buildimage that referenced this pull request Feb 25, 2021