authorClaudio Jeker <claudio@cvs.openbsd.org>2022-06-27 13:29:41 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2022-06-27 13:29:41 +0000
commitc6266783106033ef29bc2b87eb5a9e20fc0525a3 (patch)
treec90b2c85e819b90bd9ffbe60c984251b452cb31b
parente1893109e968c646c1763a45dccf8d917812d9b4 (diff)
Regress test for the open policy role capability. Make sure it properly
fails when enforced or there is a mismatch and that the session is accepted if the roles match.
-rw-r--r--regress/usr.sbin/bgpd/integrationtests/Makefile7
-rw-r--r--regress/usr.sbin/bgpd/integrationtests/bgpd.op.client.conf20
-rw-r--r--regress/usr.sbin/bgpd/integrationtests/bgpd.op.master.conf35
-rw-r--r--regress/usr.sbin/bgpd/integrationtests/policy.sh118
4 files changed, 178 insertions, 2 deletions
diff --git a/regress/usr.sbin/bgpd/integrationtests/Makefile b/regress/usr.sbin/bgpd/integrationtests/Makefile
index 1192fea92ff..ab34483a56a 100644
--- a/regress/usr.sbin/bgpd/integrationtests/Makefile
+++ b/regress/usr.sbin/bgpd/integrationtests/Makefile
@@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.15 2022/05/31 09:50:26 claudio Exp $
+# $OpenBSD: Makefile,v 1.16 2022/06/27 13:29:40 claudio Exp $
REGRESS_TARGETS = network_statement md5 ovs mrt \
maxprefix maxprefixout maxcomm \
- as0 med eval_all
+ as0 med eval_all policy
BGPD ?= /usr/sbin/bgpd
@@ -19,6 +19,9 @@ md5:
ovs:
${SUDO} ksh ${.CURDIR}/$@.sh ${BGPD} ${.CURDIR} 11 12 pair11 pair12
+policy:
+ ${SUDO} ksh ${.CURDIR}/$@.sh ${BGPD} ${.CURDIR} 11 12 pair11 pair12
+
mrt:
${SUDO} ksh ${.CURDIR}/$@.sh ${BGPD} ${.CURDIR} 11
diff --git a/regress/usr.sbin/bgpd/integrationtests/bgpd.op.client.conf b/regress/usr.sbin/bgpd/integrationtests/bgpd.op.client.conf
new file mode 100644
index 00000000000..35a6b3182c3
--- /dev/null
+++ b/regress/usr.sbin/bgpd/integrationtests/bgpd.op.client.conf
@@ -0,0 +1,20 @@
+AS 4200000002
+
+IP=10.12.57.$NUM
+
+router-id $IP
+listen on $IP
+fib-update no
+
+socket $SOCK
+
+neighbor 10.12.57.254 {
+ remote-as 4200000001
+ local-address $IP
+ descr "MASTER"
+
+ announce policy $POLICY
+}
+
+allow from any
+allow to any
diff --git a/regress/usr.sbin/bgpd/integrationtests/bgpd.op.master.conf b/regress/usr.sbin/bgpd/integrationtests/bgpd.op.master.conf
new file mode 100644
index 00000000000..2158e4c7836
--- /dev/null
+++ b/regress/usr.sbin/bgpd/integrationtests/bgpd.op.master.conf
@@ -0,0 +1,35 @@
+AS 4200000001
+router-id 10.12.57.254
+listen on 10.12.57.254
+fib-update no
+
+log updates
+
+group TEST {
+ remote-as 4200000002
+ local-address 10.12.57.254
+
+ neighbor 10.12.57.1 {
+ descr "PEER1"
+ announce policy peer enforce
+ }
+ neighbor 10.12.57.2 {
+ descr "PEER2"
+ announce policy rs enforce
+ }
+ neighbor 10.12.57.3 {
+ descr "PEER3"
+ announce policy rs-client enforce
+ }
+ neighbor 10.12.57.4 {
+ descr "PEER4"
+ announce policy provider enforce
+ }
+ neighbor 10.12.57.5 {
+ descr "PEER5"
+ announce policy customer enforce
+ }
+}
+
+allow from any
+allow to any
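Review bot: Every neighbor in group TEST carries `enforce`, so the three cases in policy.sh only exercise the strict path. A mismatched or missing role on a neighbor without `enforce` is never checked. The commit message says the session should fail "when enforced or there is a mismatch", which suggests a mismatch is meant to be rejected in non-strict mode too, while a peer that sends no role is presumably meant to come up there. Adding a neighbor with a plain `announce policy peer` line and matching expectations in policy.sh would catch a regression that accepts a mismatched role when `enforce` is absent. A header comment such as `# master side: one neighbor per role, all in strict (enforce) mode` would also make the intent of the file clear.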
diff --git a/regress/usr.sbin/bgpd/integrationtests/policy.sh b/regress/usr.sbin/bgpd/integrationtests/policy.sh
new file mode 100644
index 00000000000..0b6d99245ef
--- /dev/null
+++ b/regress/usr.sbin/bgpd/integrationtests/policy.sh
@@ -0,0 +1,118 @@
+#!/bin/ksh
+# $OpenBSD: policy.sh,v 1.1 2022/06/27 13:29:40 claudio Exp $
+
+set -e
+
+BGPD=$1
+BGPDCONFIGDIR=$2
+RDOMAIN1=$3
+RDOMAIN2=$4
+PAIR1=$5
+PAIR2=$6
+
+RDOMAINS="${RDOMAIN1} ${RDOMAIN2}"
+PAIRS="${PAIR1} ${PAIR2}"
+PAIR1IP=10.12.57.254
+PAIR2IP1=10.12.57.1
+PAIR2IP2=10.12.57.2
+PAIR2IP3=10.12.57.3
+PAIR2IP4=10.12.57.4
+PAIR2IP5=10.12.57.5
+
+error_notify() {
+ echo cleanup
+ pkill -T ${RDOMAIN1} bgpd || true
+ pkill -T ${RDOMAIN2} bgpd || true
+ sleep 1
+ ifconfig ${PAIR2} destroy || true
+ ifconfig ${PAIR1} destroy || true
+ route -qn -T ${RDOMAIN1} flush || true
+ route -qn -T ${RDOMAIN2} flush || true
+ ifconfig lo${RDOMAIN1} destroy || true
+ ifconfig lo${RDOMAIN2} destroy || true
+ if [ $1 -ne 0 ]; then
+ echo FAILED
+ exit 1
+ else
+ echo SUCCESS
+ fi
+}
+
+test_bgpd() {
+ set -x
+
+ e=$1
+ shift
+
+ route -T ${RDOMAIN1} exec ${BGPD} \
+ -v -f ${BGPDCONFIGDIR}/bgpd.op.master.conf
+ sleep 1
+
+ i=1
+ for p in $@; do
+ route -T ${RDOMAIN2} exec ${BGPD} -DNUM=$i -DPOLICY=$p \
+ -DSOCK=\"/var/run/bgpd.sock.c$i\" \
+ -v -f ${BGPDCONFIGDIR}/bgpd.op.client.conf
+ i=$(($i + 1))
+
+ sleep 1
+ done
+
+ sleep 2
+
+ for i in 1 2 3 4 5; do
+ route -T ${RDOMAIN1} exec bgpctl show nei PEER$i | \
+ grep "$e"
+ done
+
+ pkill -T ${RDOMAIN1} bgpd || true
+ pkill -T ${RDOMAIN2} bgpd || true
+
+ sleep 1
+}
+
+if [ "$(id -u)" -ne 0 ]; then
+ echo need root privileges >&2
+ exit 1
+fi
+
+trap 'error_notify $?' EXIT
+
+echo check if rdomains are busy
+for n in ${RDOMAINS}; do
+ if /sbin/ifconfig | grep -v "^lo${n}:" | grep " rdomain ${n} "; then
+ echo routing domain ${n} is already used >&2
+ exit 1
+ fi
+done
+
+echo check if interfaces are busy
+for n in ${PAIRS}; do
+ /sbin/ifconfig "${n}" >/dev/null 2>&1 && \
+ ( echo interface ${n} is already used >&2; exit 1 )
+done
+
+set -x
+
+echo setup
+ifconfig ${PAIR1} rdomain ${RDOMAIN1} ${PAIR1IP}/24 up
+ifconfig ${PAIR2} rdomain ${RDOMAIN2} ${PAIR2IP1}/24 up
+ifconfig ${PAIR2} alias ${PAIR2IP2}/32 up
+ifconfig ${PAIR2} alias ${PAIR2IP3}/32 up
+ifconfig ${PAIR2} alias ${PAIR2IP4}/32 up
+ifconfig ${PAIR2} alias ${PAIR2IP5}/32 up
+ifconfig ${PAIR1} patch ${PAIR2}
+ifconfig lo${RDOMAIN1} inet 127.0.0.1/8
+ifconfig lo${RDOMAIN2} inet 127.0.0.1/8
+
+echo test1: no policy
+test_bgpd "Last error sent: error in OPEN message, role mismatch" \
+ "no" "no" "no" "no" "no"
+
+echo test2: wrong policy
+test_bgpd "Last error sent: error in OPEN message, role mismatch" \
+ "rs" "provider" "customer" "rs" "rs-client"
+
+echo test3: correct policy
+test_bgpd "BGP state = Established, up" \
+ "peer" "rs-client" "rs" "customer" "provider"
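Review bot: The line `trap 'error_notify $?' EXIT` is installed before the "rdomains are busy" and "interfaces are busy" checks, so when either check exits 1 the cleanup still runs. Running as root, it kills bgpd in those rdomains, destroys the pair and lo interfaces, and flushes the routing tables that the check has just found to be in use by something else. Moving the trap line down to just before `echo setup` would keep the early exits from touching state this script did not create. The interface check also depends on `set -e` to turn the subshell's `exit 1` into a script exit; `{ echo interface ${n} is already used >&2; exit 1; }` would make that explicit. As a smaller point, `for p in $@` and `[ $1 -ne 0 ]` would be safer quoted as `"$@"` and `"$1"`.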