virtual router: Add route-maps to BGP peers for Routed Mode

It is best practice, and mandatory in newer version of FRR, that route-maps should be applied to BGP peers. This is to prevent that mistakes can propogate through a network and cause outages. This change changes the route-maps where the VR will only accept IPv4 and IPv4 default gateways (0.0.0.0/0 and ::/0) to be sent by the upstream router to the VR. The other way around this change makes sure that FRR will not allow announcing anything else than the locally defined subnets to the upstream BGP router.
apache · Nov 22, 2024 · 14e27de · 14e27de
1 parent 8a2c0f3
commit 14e27de
Showing 1 changed file with 51 additions and 1 deletion.
diff --git a/systemvm/debian/opt/cloud/bin/cs/CsBgpPeers.py b/systemvm/debian/opt/cloud/bin/cs/CsBgpPeers.py
@@ -54,7 +54,9 @@ def process(self):
         self.frr_conf = CsFile(FRR_CONFIG)
         self.frr_conf.repopulate()
         self._pre_set()
+        self._access_list_set()
         self._process_peers()
+        self._route_map_set()
         self._post_set()
         if self.frr_conf.commit():
             restart_frr = True
@@ -75,13 +77,35 @@ def _process_dbag_item(self, item):
             self.peers[as_number]['ip6_peers'].append(item)
 
     def _pre_set(self):
-        self.frr_conf.add("frr version 6.0")
         self.frr_conf.add("frr defaults traditional")
         self.frr_conf.add("hostname {}".format(CsHelper.get_hostname()))
         self.frr_conf.add("service integrated-vtysh-config")
         self.frr_conf.add("ip nht resolve-via-default")
         return
 
+    def _access_list_set(self):
+        self.frr_conf.add("ip prefix-list all-v4 seq 1 permit any")
+        self.frr_conf.add("ip prefix-list default-v4 seq 1 permit 0.0.0.0/0")
+        self.frr_conf.add("ipv6 prefix-list all-v6 seq 1 permit any")
+        self.frr_conf.add("ipv6 prefix-list default-v6 seq 1 permit ::/0")
+
+        for as_number in self.peers.keys():
+            if self.peers[as_number]['ip4_peers']:
+                seq = 1
+                ip4_cidrs = set({ip4_peer['guest_ip4_cidr'] for ip4_peer in self.peers[as_number]['ip4_peers']})
+                for ip4_cidr in ip4_cidrs:
+                    self.frr_conf.add("ip prefix-list local-v4 seq {} permit {}".format(seq, ip4_cidr))
+                    seq += 1
+
+            if self.peers[as_number]['ip6_peers']:
+                seq = 1
+                ip6_cidrs = set({ip6_peer['guest_ip6_cidr'] for ip6_peer in self.peers[as_number]['ip6_peers']})
+                for ip6_cidr in ip6_cidrs:
+                    self.frr_conf.add("ipv6 prefix-list local-v6 seq {} permit {}".format(seq, ip6_cidr))
+                    seq += 1
+
+        return
+
     def _process_peers(self):
         for as_number in self.peers.keys():
             self.frr_conf.add("router bgp {}".format(as_number))
@@ -90,13 +114,17 @@ def _process_peers(self):
                 self.frr_conf.add(" bgp default ipv6-unicast")
             for ip4_peer in self.peers[as_number]['ip4_peers']:
                 self.frr_conf.add(" neighbor {} remote-as {}".format(ip4_peer['ip4_address'], ip4_peer['peer_as_number']))
+                self.frr_conf.add(" neighbor {} route-map upstream-v4-in in")
+                self.frr_conf.add(" neighbor {} route-map upstream-v4-out out")
                 if 'peer_password' in ip4_peer:
                     self.frr_conf.add(" neighbor {} password {}".format(ip4_peer['ip4_address'], ip4_peer['peer_password']))
                 if 'details' in ip4_peer:
                     if 'EBGP_MultiHop' in ip4_peer['details']:
                         self.frr_conf.add(" neighbor {} ebgp-multihop {}".format(ip4_peer['ip4_address'], ip4_peer['details']['EBGP_MultiHop']))
             for ip6_peer in self.peers[as_number]['ip6_peers']:
                 self.frr_conf.add(" neighbor {} remote-as {}".format(ip6_peer['ip6_address'], ip6_peer['peer_as_number']))
+                self.frr_conf.add(" neighbor {} route-map upstream-v6-in in")
+                self.frr_conf.add(" neighbor {} route-map upstream-v6-out out")
                 if 'peer_password' in ip6_peer:
                     self.frr_conf.add(" neighbor {} password {}".format(ip6_peer['ip6_address'], ip6_peer['peer_password']))
                 if 'details' in ip6_peer:
@@ -115,5 +143,27 @@ def _process_peers(self):
                     self.frr_conf.add("  network {}".format(ip6_cidr))
                 self.frr_conf.add(" exit-address-family")
 
+    def _route_map_set(self):
+        self.frr_conf.add("route-map upstream-v4-in permit 10")
+        self.frr_conf.add("  match ip address prefix-list default-v4")
+        self.frr_conf.add("route-map upstream-v4-in deny 1000")
+        self.frr_conf.add("  match ip address prefix-list all-v4")
+
+        self.frr_conf.add("route-map upstream-v4-out permit 10")
+        self.frr_conf.add("  match ip address prefix-list local-v4")
+        self.frr_conf.add("route-map upstream-v4-out deny 1000")
+        self.frr_conf.add("  match ip address prefix-list all-v4")
+
+        self.frr_conf.add("route-map upstream-v6-in permit 10")
+        self.frr_conf.add("  match ipv6 address prefix-list default-v6")
+        self.frr_conf.add("route-map upstream-v6-in deny 1000")
+        self.frr_conf.add("  match ipv6 address prefix-list all-v6")
+
+        self.frr_conf.add("route-map upstream-v6-out permit 10")
+        self.frr_conf.add("  match ipv6 address prefix-list local-v6")
+        self.frr_conf.add("route-map upstream-v6-out deny 1000")
+        self.frr_conf.add("  match ipv6 address prefix-list all-v6")
+        return
+
     def _post_set(self):
         self.frr_conf.add("line vty")