diff options
author | Claudio Jeker <claudio@cvs.openbsd.org> | 2022-06-27 13:29:41 +0000 |
---|---|---|
committer | Claudio Jeker <claudio@cvs.openbsd.org> | 2022-06-27 13:29:41 +0000 |
commit | c6266783106033ef29bc2b87eb5a9e20fc0525a3 (patch) | |
tree | c90b2c85e819b90bd9ffbe60c984251b452cb31b | |
parent | e1893109e968c646c1763a45dccf8d917812d9b4 (diff) |
Regress test for the open policy role capability. Make sure it properly
fails when enforced or there is a missmatch and that the session is accepeted
if the roles match.
4 files changed, 178 insertions, 2 deletions
diff --git a/regress/usr.sbin/bgpd/integrationtests/Makefile b/regress/usr.sbin/bgpd/integrationtests/Makefile index 1192fea92ff..ab34483a56a 100644 --- a/regress/usr.sbin/bgpd/integrationtests/Makefile +++ b/regress/usr.sbin/bgpd/integrationtests/Makefile @@ -1,8 +1,8 @@ -# $OpenBSD: Makefile,v 1.15 2022/05/31 09:50:26 claudio Exp $ +# $OpenBSD: Makefile,v 1.16 2022/06/27 13:29:40 claudio Exp $ REGRESS_TARGETS = network_statement md5 ovs mrt \ maxprefix maxprefixout maxcomm \ - as0 med eval_all + as0 med eval_all policy BGPD ?= /usr/sbin/bgpd @@ -19,6 +19,9 @@ md5: ovs: ${SUDO} ksh ${.CURDIR}/$@.sh ${BGPD} ${.CURDIR} 11 12 pair11 pair12 +policy: + ${SUDO} ksh ${.CURDIR}/$@.sh ${BGPD} ${.CURDIR} 11 12 pair11 pair12 + mrt: ${SUDO} ksh ${.CURDIR}/$@.sh ${BGPD} ${.CURDIR} 11 diff --git a/regress/usr.sbin/bgpd/integrationtests/bgpd.op.client.conf b/regress/usr.sbin/bgpd/integrationtests/bgpd.op.client.conf new file mode 100644 index 00000000000..35a6b3182c3 --- /dev/null +++ b/regress/usr.sbin/bgpd/integrationtests/bgpd.op.client.conf @@ -0,0 +1,20 @@ +AS 4200000002 + +IP=10.12.57.$NUM + +router-id $IP +listen on $IP +fib-update no + +socket $SOCK + +neighbor 10.12.57.254 { + remote-as 4200000001 + local-address $IP + descr "MASTER" + + announce policy $POLICY +} + +allow from any +allow to any diff --git a/regress/usr.sbin/bgpd/integrationtests/bgpd.op.master.conf b/regress/usr.sbin/bgpd/integrationtests/bgpd.op.master.conf new file mode 100644 index 00000000000..2158e4c7836 --- /dev/null +++ b/regress/usr.sbin/bgpd/integrationtests/bgpd.op.master.conf @@ -0,0 +1,35 @@ +AS 4200000001 +router-id 10.12.57.254 +listen on 10.12.57.254 +fib-update no + +log updates + +group TEST { + remote-as 4200000002 + local-address 10.12.57.254 + + neighbor 10.12.57.1 { + descr "PEER1" + announce policy peer enforce + } + neighbor 10.12.57.2 { + descr "PEER2" + announce policy rs enforce + } + neighbor 10.12.57.3 { + descr "PEER3" + announce policy rs-client enforce + } + neighbor 10.12.57.4 { + descr "PEER4" + announce policy provider enforce + } + neighbor 10.12.57.5 { + descr "PEER5" + announce policy customer enforce + } +} + +allow from any +allow to any diff --git a/regress/usr.sbin/bgpd/integrationtests/policy.sh b/regress/usr.sbin/bgpd/integrationtests/policy.sh new file mode 100644 index 00000000000..0b6d99245ef --- /dev/null +++ b/regress/usr.sbin/bgpd/integrationtests/policy.sh @@ -0,0 +1,118 @@ +#!/bin/ksh +# $OpenBSD: policy.sh,v 1.1 2022/06/27 13:29:40 claudio Exp $ + +set -e + +BGPD=$1 +BGPDCONFIGDIR=$2 +RDOMAIN1=$3 +RDOMAIN2=$4 +PAIR1=$5 +PAIR2=$6 + +RDOMAINS="${RDOMAIN1} ${RDOMAIN2}" +PAIRS="${PAIR1} ${PAIR2}" +PAIR1IP=10.12.57.254 +PAIR2IP1=10.12.57.1 +PAIR2IP2=10.12.57.2 +PAIR2IP3=10.12.57.3 +PAIR2IP4=10.12.57.4 +PAIR2IP5=10.12.57.5 + +error_notify() { + echo cleanup + pkill -T ${RDOMAIN1} bgpd || true + pkill -T ${RDOMAIN2} bgpd || true + sleep 1 + ifconfig ${PAIR2} destroy || true + ifconfig ${PAIR1} destroy || true + route -qn -T ${RDOMAIN1} flush || true + route -qn -T ${RDOMAIN2} flush || true + ifconfig lo${RDOMAIN1} destroy || true + ifconfig lo${RDOMAIN2} destroy || true + if [ $1 -ne 0 ]; then + echo FAILED + exit 1 + else + echo SUCCESS + fi +} + +test_bgpd() { + set -x + + e=$1 + shift + + route -T ${RDOMAIN1} exec ${BGPD} \ + -v -f ${BGPDCONFIGDIR}/bgpd.op.master.conf + sleep 1 + + i=1 + for p in $@; do + route -T ${RDOMAIN2} exec ${BGPD} -DNUM=$i -DPOLICY=$p \ + -DSOCK=\"/var/run/bgpd.sock.c$i\" \ + -v -f ${BGPDCONFIGDIR}/bgpd.op.client.conf + i=$(($i + 1)) + + sleep 1 + done + + sleep 2 + + for i in 1 2 3 4 5; do + route -T ${RDOMAIN1} exec bgpctl show nei PEER$i | \ + grep "$e" + done + + pkill -T ${RDOMAIN1} bgpd || true + pkill -T ${RDOMAIN2} bgpd || true + + sleep 1 +} + +if [ "$(id -u)" -ne 0 ]; then + echo need root privileges >&2 + exit 1 +fi + +trap 'error_notify $?' EXIT + +echo check if rdomains are busy +for n in ${RDOMAINS}; do + if /sbin/ifconfig | grep -v "^lo${n}:" | grep " rdomain ${n} "; then + echo routing domain ${n} is already used >&2 + exit 1 + fi +done + +echo check if interfaces are busy +for n in ${PAIRS}; do + /sbin/ifconfig "${n}" >/dev/null 2>&1 && \ + ( echo interface ${n} is already used >&2; exit 1 ) +done + +set -x + +echo setup +ifconfig ${PAIR1} rdomain ${RDOMAIN1} ${PAIR1IP}/24 up +ifconfig ${PAIR2} rdomain ${RDOMAIN2} ${PAIR2IP1}/24 up +ifconfig ${PAIR2} alias ${PAIR2IP2}/32 up +ifconfig ${PAIR2} alias ${PAIR2IP3}/32 up +ifconfig ${PAIR2} alias ${PAIR2IP4}/32 up +ifconfig ${PAIR2} alias ${PAIR2IP5}/32 up +ifconfig ${PAIR1} patch ${PAIR2} +ifconfig lo${RDOMAIN1} inet 127.0.0.1/8 +ifconfig lo${RDOMAIN2} inet 127.0.0.1/8 + +echo test1: no policy +test_bgpd "Last error sent: error in OPEN message, role mismatch" \ + "no" "no" "no" "no" "no" + +echo test2: wrong policy +test_bgpd "Last error sent: error in OPEN message, role mismatch" \ + "rs" "provider" "customer" "rs" "rs-client" + +echo test3: correct policy +test_bgpd "BGP state = Established, up" \ + "peer" "rs-client" "rs" "customer" "provider" |