fritzlab-public/flock
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8d6e50c98049c26f336086e3ab53f1fd3c4ba423
flock/pkg/routing/bird/config_test.go
T
Donavan Fritz 9b777ca7d1
Build flock Image / build (push) Successful in 2m17s
Details
bird: per-peer import filter rejects connected subnet 
Without a filter, crt001's `network 2602:817:3000:A25::/64` gets
re-advertised to every peer on that subnet. bird installs the BGP /64
with metric 32, beating the kernel-connected route at 256, and all
inter-host VLAN-25 traffic hairpins through the gateway — losing PMTU
9000 and ~30x throughput. Broke Plex 2026-05-04: NFS to nas002 capped
at 7 MB/s, jumbo blackholed.

Add LocalSubnetV6/V4 (CIDR) to NodeBGP. Agent populates by masking the
peer's address to /64 (v6) or /24 (v4) — same fritzlab convention
already in localAddrSameSubnet. Render emits `import where net !=
<subnet>;` per BGP channel when set, falls back to `import all;`
otherwise so existing tests stay green.

Defence in depth: with the matching outbound route-map on crt001
(ROUTE_MAP_CLUSTER_OUT_V{4,6}) the agent now refuses the leak on its
own if the router filter ever drifts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 21:03:59 -05:00

172 lines
4.7 KiB
Go
Raw Blame History

package bird
import (
"strings"
"testing"
)
func TestRender_Host001(t *testing.T) {
out, err := Render(NodeBGP{
NodeName: "host001",
RouterID: "172.25.25.101",
LocalASN: 65101,
Peers: []Peer{
{Family: "v6", Address: "2602:817:3000:a25::1", ASN: 65000},
{Family: "v4", Address: "172.25.25.1", ASN: 65000},
},
CIDR6: []string{"2602:817:3000:f001::/64"},
CIDR4: []string{"172.25.210.0/24"},
})
if err != nil {
t.Fatal(err)
}
for _, want := range []string{
"router id 172.25.25.101",
"local as 65101;",
"neighbor 2602:817:3000:a25::1 as 65000;",
"neighbor 172.25.25.1 as 65000;",
"if net = 2602:817:3000:f001::/64 then accept;",
"if net = 172.25.210.0/24 then accept;",
"graceful restart;",
} {
if !strings.Contains(out, want) {
t.Errorf("missing %q in output:\n%s", want, out)
}
}
}
func TestRender_AnycastInjection(t *testing.T) {
out, err := Render(NodeBGP{
RouterID: "10.0.0.1",
LocalASN: 65101,
Peers: []Peer{{Family: "v6", Address: "2001:db8::1", ASN: 65000}},
CIDR6: []string{"2001:db8:f001::/64"},
Anycast6: []string{"2001:db8:a::1"},
})
if err != nil {
t.Fatal(err)
}
if !strings.Contains(out, "if net = 2001:db8:a::1/128 then accept;") {
t.Fatalf("anycast /128 not advertised:\n%s", out)
}
}
func TestRender_StableOutput(t *testing.T) {
in := NodeBGP{
RouterID: "10.0.0.1",
LocalASN: 65101,
Peers: []Peer{
{Family: "v4", Address: "10.0.0.2", ASN: 65000},
{Family: "v6", Address: "2001:db8::1", ASN: 65000},
},
CIDR6: []string{"2001:db8:f002::/64", "2001:db8:f001::/64"},
CIDR4: []string{"10.1.1.0/24", "10.0.1.0/24"},
}
a, _ := Render(in)
b, _ := Render(in)
if a != b {
t.Fatalf("render not deterministic")
}
// Sorted ordering of CIDR6.
i1 := strings.Index(a, "2001:db8:f001::/64")
i2 := strings.Index(a, "2001:db8:f002::/64")
if !(i1 < i2) {
t.Fatalf("CIDR6 not sorted")
}
}
func TestRender_LocalSubnetImportFilter(t *testing.T) {
out, err := Render(NodeBGP{
RouterID: "172.25.25.104",
LocalASN: 65104,
Peers: []Peer{{Family: "v6", Address: "2602:817:3000:a25::1", ASN: 65000}, {Family: "v4", Address: "172.25.25.1", ASN: 65000}},
CIDR6: []string{"2602:817:3000:f004::/64"},
CIDR4: []string{"172.25.214.0/24"},
LocalSubnetV6: "2602:817:3000:a25::/64",
LocalSubnetV4: "172.25.25.0/24",
})
if err != nil {
t.Fatal(err)
}
for _, want := range []string{
"import where net != 2602:817:3000:a25::/64;",
"import where net != 172.25.25.0/24;",
} {
if !strings.Contains(out, want) {
t.Errorf("missing %q in output:\n%s", want, out)
}
}
// Each BGP peer block should use the import filter, not import all.
// Slice out just the `protocol bgp ...` stanzas to avoid catching the
// kernel proto's legitimate `import all;`.
for _, marker := range []string{"protocol bgp upstream6_", "protocol bgp upstream4_"} {
idx := strings.Index(out, marker)
if idx < 0 {
continue
}
end := strings.Index(out[idx:], "\n}")
if end < 0 {
continue
}
stanza := out[idx : idx+end]
if strings.Contains(stanza, "import all;") {
t.Errorf("BGP stanza still has `import all;`:\n%s", stanza)
}
}
}
func TestRender_LocalSubnetEmpty_FallsBackToImportAll(t *testing.T) {
out, err := Render(NodeBGP{
RouterID: "10.0.0.1",
LocalASN: 65101,
Peers: []Peer{{Family: "v6", Address: "2001:db8::1", ASN: 65000}},
CIDR6: []string{"2001:db8:f001::/64"},
})
if err != nil {
t.Fatal(err)
}
if !strings.Contains(out, "import all;") {
t.Errorf("expected `import all;` when LocalSubnetV6 unset:\n%s", out)
}
}
func TestRender_LocalSubnetValidation(t *testing.T) {
cases := []struct {
name string
v6, v4 string
wantErr string
}{
{name: "non-canonical v6", v6: "2602:817:3000:a25::1/64", wantErr: "non-zero host bits"},
{name: "non-canonical v4", v4: "172.25.25.1/24", wantErr: "non-zero host bits"},
{name: "v6 family mismatch", v6: "172.25.25.0/24", wantErr: "is IPv4"},
{name: "v4 family mismatch", v4: "2602:817:3000:a25::/64", wantErr: "is IPv6"},
{name: "garbage", v6: "not-a-cidr", wantErr: "not a valid CIDR"},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
_, err := Render(NodeBGP{
RouterID: "10.0.0.1",
LocalASN: 65101,
Peers: []Peer{{Family: "v6", Address: "2001:db8::1", ASN: 65000}},
LocalSubnetV6: tc.v6,
LocalSubnetV4: tc.v4,
})
if err == nil || !strings.Contains(err.Error(), tc.wantErr) {
t.Fatalf("want error containing %q, got %v", tc.wantErr, err)
}
})
}
}
func TestFamilyOf(t *testing.T) {
if FamilyOf("2001:db8::1") != "v6" {
t.Fatal("v6 detection broken")
}
if FamilyOf("10.0.0.1") != "v4" {
t.Fatal("v4 detection broken")
}
if FamilyOf("not-an-ip") != "" {
t.Fatal("garbage should return empty")
}
}
Reference in New Issue View Git Blame Copy Permalink