From 74682f943cb057058a896b9e9060c7d84528f68c Mon Sep 17 00:00:00 2001
From: Donatas Abraitis
Date: Thu, 26 Oct 2023 14:56:52 +0300
Subject: [PATCH] bgpd: Enable `enforce-first-as` by default
It's been for a while disabled by default, but this seems reasonable to flip it. We had `bgp enforce-first-as` as a global BGP knob to enable/disable this behavior globally, later we introduced `enforce-first-as` per neighbor, with disabled by default. Now let's enable this by default.
Signed-off-by: Donatas Abraitis
---
 bgpd/bgp_vty.c | 4 ++--
 bgpd/bgpd.c | 9 +++++++++
 doc/user/bgp.rst | 2 +-
 tests/bgpd/test_peer_attr.c | 5 -----
 tests/bgpd/test_peer_attr.py | 1 -
 yang/frr-bgp-neighbor.yang | 2 +-
 6 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/bgpd/bgp_vty.c b/bgpd/bgp_vty.c
index 5d6ae589face..30219049144e 100644
--- a/bgpd/bgp_vty.c
+++ b/bgpd/bgp_vty.c
@@ -17973,8 +17973,8 @@ static void bgp_config_write_peer_global(struct vty *vty, struct bgp *bgp,
 addr);
 /* enforce-first-as */
- if (peergroup_flag_check(peer, PEER_FLAG_ENFORCE_FIRST_AS))
- vty_out(vty, " neighbor %s enforce-first-as\n", addr);
+ if (!peergroup_flag_check(peer, PEER_FLAG_ENFORCE_FIRST_AS))
+ vty_out(vty, " no neighbor %s enforce-first-as\n", addr);
 /* update-source */
 if (peergroup_flag_check(peer, PEER_FLAG_UPDATE_SOURCE)) {
diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
index 0a01d719687f..7e6d2852fc04 100644
--- a/bgpd/bgpd.c
+++ b/bgpd/bgpd.c
@@ -1491,6 +1491,8 @@ struct peer *peer_new(struct bgp *bgp)
 SET_FLAG(peer->sflags, PEER_STATUS_CAPABILITY_OPEN);
+ SET_FLAG(peer->flags, PEER_FLAG_ENFORCE_FIRST_AS);
+
 /* Initialize per peer bgp GR FSM */
 bgp_peer_gr_init(peer);
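Review bot: In bgp_config_write_peer_global() (bgpd/bgp_vty.c) the inverted test `if (!peergroup_flag_check(peer, PEER_FLAG_ENFORCE_FIRST_AS))` writes `no neighbor … enforce-first-as` whenever the helper returns false, and the helper's body is not part of this diff. If it reports only per-peer overrides for peer-group members (worth confirming), every member that merely inherits the group's setting would be saved with an explicit `no`, which would turn first-AS enforcement off for that session on the next reload. A comment such as `/* enabled by default: only the disabled state is written */` would also help, since the neighbouring entries emit the positive form. The function starts and ends outside the hunk.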
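Review bot: The unconditional `SET_FLAG(peer->flags, PEER_FLAG_ENFORCE_FIRST_AS);` in peer_new() (bgpd/bgpd.c) changes behaviour for every saved configuration that has no `enforce-first-as` line: after an upgrade those eBGP sessions start discarding updates whose first AS is not the peer's ASN. Peers that legitimately do not prepend their own ASN, such as transparent route servers, would need `no neighbor PEER enforce-first-as` beforehand, so this deserves an upgrade note and a comment here, e.g. `/* enforce-first-as is on by default; cleared by "no neighbor X enforce-first-as" */`. The commit message mentions the older global `bgp enforce-first-as` knob, but nothing in the diff shows how it interacts with the new per-peer default. The same commit drops the flag from tests/bgpd/test_peer_attr.c and test_peer_attr.py instead of adapting them, so the inverted default has no coverage there. peer_new() starts and ends outside the hunk.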
@@ -2860,6 +2862,13 @@ static void peer_group2peer_config_copy(struct peer_group *group,
 SET_FLAG(peer->flags, PEER_FLAG_CAPABILITY_SOFT_VERSION);
+ /* enforce-first-as */
+ if (!CHECK_FLAG(peer->flags_override,
+ PEER_FLAG_ENFORCE_FIRST_AS))
+ if (CHECK_FLAG(conf->flags, PEER_FLAG_ENFORCE_FIRST_AS))
+ SET_FLAG(peer->flags,
+ PEER_FLAG_ENFORCE_FIRST_AS);
+
 /* password apply */
 if (!CHECK_FLAG(peer->flags_override, PEER_FLAG_PASSWORD))
 PEER_STR_ATTR_INHERIT(peer, group, password,
diff --git a/doc/user/bgp.rst b/doc/user/bgp.rst
index 43572be07e40..e4c326584d11 100644
--- a/doc/user/bgp.rst
+++ b/doc/user/bgp.rst
@@ -1526,7 +1526,7 @@ Configuring Peers
 Discard updates received from the specified (eBGP) peer if the AS_PATH attribute does not contain the PEER's ASN as the first AS_PATH segment.
- Default: disabled.
+ Default: enabled.
 .. clicmd:: neighbor PEER extended-optional-parameters
diff --git a/tests/bgpd/test_peer_attr.c b/tests/bgpd/test_peer_attr.c
index bc6eba906905..dd154e34297f 100644
--- a/tests/bgpd/test_peer_attr.c
+++ b/tests/bgpd/test_peer_attr.c
@@ -296,11 +296,6 @@ static struct test_peer_attr test_peer_attrs[] = {
 .u.flag = PEER_FLAG_DONT_CAPABILITY,
 .type = PEER_AT_GLOBAL_FLAG,
 },
- {
- .cmd = "enforce-first-as",
- .u.flag = PEER_FLAG_ENFORCE_FIRST_AS,
- .type = PEER_AT_GLOBAL_FLAG,
- },
 {
 .cmd = "local-as",
 .peer_cmd = "local-as 1",
diff --git a/tests/bgpd/test_peer_attr.py b/tests/bgpd/test_peer_attr.py
index eb5761843496..bd8b06e2f052 100644
--- a/tests/bgpd/test_peer_attr.py
+++ b/tests/bgpd/test_peer_attr.py
@@ -15,7 +15,6 @@ class TestFlag(frrtest.TestMultiOut):
 TestFlag.okfail("peer\\description")
 TestFlag.okfail("peer\\disable-connected-check")
 TestFlag.okfail("peer\\dont-capability-negotiate")
-TestFlag.okfail("peer\\enforce-first-as")
 TestFlag.okfail("peer\\local-as")
 TestFlag.okfail("peer\\local-as 1 no-prepend")
 TestFlag.okfail("peer\\local-as 1 no-prepend replace-as")
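Review bot: The new enforce-first-as block in peer_group2peer_config_copy() (bgpd/bgpd.c) can only set the flag, yet peer_new() in this same commit already sets it on every peer, so a group-level `no neighbor GROUP enforce-first-as` cannot reach members through this block. Unless the flag is cleared earlier in the function, outside this hunk, members would keep enforcing and discard updates the operator meant to accept. Adding `else UNSET_FLAG(peer->flags, PEER_FLAG_ENFORCE_FIRST_AS);` to the inner `if` makes the inheritance work in both directions. The brace-less nested `if` matches the neighbouring blocks, but with an `else` added the outer `if` should be braced so the `else` visibly belongs to the inner one. The function starts and ends outside the hunk.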
diff --git a/yang/frr-bgp-neighbor.yang b/yang/frr-bgp-neighbor.yang
index 5a4c37974f40..b199ab94694b 100644
--- a/yang/frr-bgp-neighbor.yang
+++ b/yang/frr-bgp-neighbor.yang
@@ -76,7 +76,7 @@ submodule frr-bgp-neighbor {
 leaf enforce-first-as {
 type boolean;
- default "false";
+ default "true";
 description "When set to 'true' it will enforce the first AS for EBGP routes.";
 }
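Review bot: Changing `default "false"` to `default "true"` on leaf enforce-first-as alters what northbound clients get when they omit the leaf, and RFC 7950 section 11 does not list a changed default among the backwards-compatible module updates. No `revision` statement is added in this hunk; if the submodule carries revisions elsewhere in the file, a new entry describing the flipped default would let clients detect it. The description could also state the default, e.g. `"When set to 'true' (the default) it will enforce the first AS for EBGP routes."`.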