IPv6 Support (#127)

Dockerfile

@@ -1,9 +1,10 @@
-FROM golang:1.22-alpine3.20 as builder
+FROM golang:1.23-alpine3.20 AS builder
 WORKDIR /work
 COPY . .
 RUN apk add \
     make \
     binutils \
+    coreutils \
     git \
     gcc \
     libpcap-dev \

cmd/config.go

@@ -31,4 +31,5 @@ type Config struct {
 	GrpcClientCertFile        string        `required:"false" desc:"the gRPC client certificate file" envconfig:"grpc_client_cert_file"`
 	GrpcClientKeyFile         string        `required:"false" desc:"the gRPC client key file" envconfig:"grpc_client_key_file"`
 	PXEVlanID                 uint16        `required:"false" default:"4000" desc:"the id of the pxe vlan" envconfig:"pxe_vlan_id"`
+	AdditionalRouteMapCIDRs   []string      `required:"false" default:"10.240.0.0/12" desc:"additional route map entries, typically the pod/service CIDRs, one or more CIDR for ipv4 or ipv6, separated by comma" envconfig:"additional_route_map_cidrs"`
 }

cmd/internal/core/core.go

@@ -33,7 +33,8 @@ type Core struct {
 
 	metrics *metrics.Metrics
 
-	pxeVlanID uint16
+	pxeVlanID               uint16
+	additionalRouteMapCIDRs []string
 }
 
 type Config struct {
@@ -59,7 +60,8 @@ type Config struct {
 
 	Metrics *metrics.Metrics
 
-	PXEVlanID uint16
+	PXEVlanID               uint16
+	AdditionalRouteMapCIDRs []string
 }
 
 func New(c Config) *Core {
@@ -82,5 +84,6 @@ func New(c Config) *Core {
 		eventServiceClient:        c.EventServiceClient,
 		metrics:                   c.Metrics,
 		pxeVlanID:                 c.PXEVlanID,
+		additionalRouteMapCIDRs:   c.AdditionalRouteMapCIDRs,
 	}
 }

cmd/internal/core/reconfigure-switch.go

@@ -116,23 +116,22 @@ func (c *Core) reconfigureSwitch(switchName string) (*models.V1SwitchResponse, e
 
 func (c *Core) buildSwitcherConfig(s *models.V1SwitchResponse) (*types.Conf, error) {
 	asn64, err := strconv.ParseUint(c.asn, 10, 32)
-	asn := uint32(asn64)
 	if err != nil {
 		return nil, err
 	}
-
 	if c.pxeVlanID >= vlan.VlanIDMin && c.pxeVlanID <= vlan.VlanIDMax {
 		return nil, fmt.Errorf("configured PXE VLAN ID is in the reserved area of %d, %d", vlan.VlanIDMin, vlan.VlanIDMax)
 	}
 
 	switcherConfig := &types.Conf{
-		Name:                 s.Name,
-		LogLevel:             mapLogLevel(c.logLevel),
-		ASN:                  asn,
-		Loopback:             c.loopbackIP,
-		MetalCoreCIDR:        c.cidr,
-		AdditionalBridgeVIDs: c.additionalBridgeVIDs,
-		PXEVlanID:            c.pxeVlanID,
+		Name:                    s.Name,
+		LogLevel:                mapLogLevel(c.logLevel),
+		ASN:                     uint32(asn64), // nolint:gosec
+		Loopback:                c.loopbackIP,
+		MetalCoreCIDR:           c.cidr,
+		AdditionalBridgeVIDs:    c.additionalBridgeVIDs,
+		PXEVlanID:               c.pxeVlanID,
+		AdditionalRouteMapCIDRs: c.additionalRouteMapCIDRs,
 	}
 
 	p := types.Ports{
@@ -186,7 +185,7 @@ func (c *Core) buildSwitcherConfig(s *models.V1SwitchResponse) (*types.Conf, err
 		if err != nil {
 			return nil, err
 		}
-		vrf.VNI = uint32(vni64)
+		vrf.VNI = uint32(vni64) // nolint:gosec
 		vrf.Neighbors = append(vrf.Neighbors, port)
 		if nic.Filter != nil {
 			vrf.Cidrs = nic.Filter.Cidrs
@@ -196,7 +195,10 @@ func (c *Core) buildSwitcherConfig(s *models.V1SwitchResponse) (*types.Conf, err
 	switcherConfig.Ports = p
 
 	c.nos.SanitizeConfig(switcherConfig)
-	switcherConfig.FillRouteMapsAndIPPrefixLists()
+	err = switcherConfig.FillRouteMapsAndIPPrefixLists()
+	if err != nil {
+		return nil, err
+	}
 	m, err := vlan.ReadMapping()
 	if err != nil {
 		return nil, err

cmd/internal/core/reconfigure-switch_test.go

@@ -12,14 +12,15 @@ import (
 
 func TestBuildSwitcherConfig(t *testing.T) {
 	c := &Core{
-		cidr:                 "10.255.255.2/24",
-		partitionID:          "fra-equ01",
-		rackID:               "rack01",
-		asn:                  "420000001",
-		loopbackIP:           "10.0.0.1",
-		spineUplinks:         []string{"swp31", "swp32"},
-		additionalBridgeVIDs: []string{"201-256", "301-356"},
-		nos:                  &cumulus.Cumulus{},
+		cidr:                    "10.255.255.2/24",
+		partitionID:             "fra-equ01",
+		rackID:                  "rack01",
+		asn:                     "420000001",
+		loopbackIP:              "10.0.0.1",
+		spineUplinks:            []string{"swp31", "swp32"},
+		additionalBridgeVIDs:    []string{"201-256", "301-356"},
+		nos:                     &cumulus.Cumulus{},
+		additionalRouteMapCIDRs: []string{"10.240.0.0/12"},
 	}
 
 	n1 := "swp1"
@@ -53,10 +54,11 @@ func TestBuildSwitcherConfig(t *testing.T) {
 	require.NoError(t, err)
 	require.NotNil(t, actual)
 	expected := &types.Conf{
-		LogLevel:      "warnings",
-		Loopback:      "10.0.0.1",
-		MetalCoreCIDR: "10.255.255.2/24",
-		ASN:           420000001,
+		LogLevel:                "warnings",
+		Loopback:                "10.0.0.1",
+		MetalCoreCIDR:           "10.255.255.2/24",
+		ASN:                     420000001,
+		AdditionalRouteMapCIDRs: []string{"10.240.0.0/12"},
 		Ports: types.Ports{
 			DownPorts:     map[string]bool{},
 			Underlay:      []string{"swp31", "swp32"},
@@ -73,8 +75,9 @@ func TestBuildSwitcherConfig(t *testing.T) {
 				Filter: types.Filter{
 					IPPrefixLists: []types.IPPrefixList{
 						{
-							Name: "vrf104001-in-prefixes",
-							Spec: "permit 10.240.0.0/12 le 32",
+							AddressFamily: "ip",
+							Name:          "vrf104001-in-prefixes",
+							Spec:          "permit 10.240.0.0/12 le 32",
 						},
 					},
 					RouteMaps: []types.RouteMap{
@@ -87,6 +90,7 @@ func TestBuildSwitcherConfig(t *testing.T) {
 					},
 				},
 				Cidrs: []string{"10.240.0.0/12"},
+				Has4:  true,
 			}},
 		},
 		AdditionalBridgeVIDs: []string{"201-256", "301-356"},

cmd/internal/switcher/templates/template_test.go

@@ -8,6 +8,7 @@ import (
 	"testing"
 	"text/template"
 
+	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/require"
 	"gopkg.in/yaml.v3"
 
@@ -39,7 +40,8 @@ func TestCumulusFrrTemplate(t *testing.T) {
 		tt := tests[i]
 		t.Run(tt, func(t *testing.T) {
 			c := readConf(t, path.Join("test_data", tt, "conf.yaml"))
-			c.FillRouteMapsAndIPPrefixLists()
+			err := c.FillRouteMapsAndIPPrefixLists()
+			require.NoError(t, err)
 			tpl := CumulusFrrTemplate("")
 			verifyTemplate(t, tpl, &c, path.Join("test_data", tt, "cumulus_frr.conf"))
 		})
@@ -53,7 +55,8 @@ func TestSonicFrrTpl(t *testing.T) {
 		t.Run(tt, func(t *testing.T) {
 			c := readConf(t, path.Join("test_data", tt, "conf.yaml"))
 			c.CapitalizeVrfName()
-			c.FillRouteMapsAndIPPrefixLists()
+			err := c.FillRouteMapsAndIPPrefixLists()
+			require.NoError(t, err)
 			tpl := SonicFrrTemplate("")
 			verifyTemplate(t, tpl, &c, path.Join("test_data", tt, "sonic_frr.conf"))
 		})
@@ -68,22 +71,26 @@ func TestCustomInterfacesTemplate(t *testing.T) {
 
 func TestCustomCumulusFrrTemplate(t *testing.T) {
 	c := readConf(t, "test_data/dev/conf.yaml")
-	c.FillRouteMapsAndIPPrefixLists()
+	err := c.FillRouteMapsAndIPPrefixLists()
+	require.NoError(t, err)
 	tpl := CumulusFrrTemplate("test_data/dev/customtpl/frr.tpl")
 	verifyTemplate(t, tpl, &c, "test_data/dev/customtpl/frr.conf")
 }
 
 func TestCustomSonicFrrTemplate(t *testing.T) {
 	c := readConf(t, "test_data/dev/conf.yaml")
-	c.FillRouteMapsAndIPPrefixLists()
+	err := c.FillRouteMapsAndIPPrefixLists()
+	require.NoError(t, err)
 	tpl := SonicFrrTemplate("test_data/dev/customtpl/frr.tpl")
 	verifyTemplate(t, tpl, &c, "test_data/dev/customtpl/frr.conf")
 }
 
 func verifyTemplate(t *testing.T, tpl *template.Template, c *types.Conf, expectedFilename string) {
 	actual := renderToString(t, tpl, c)
 	expected := readExpected(t, expectedFilename)
-	require.Equal(t, expected, actual, "Wanted: %s\nGot: %s", expected, actual)
+	if diff := cmp.Diff(expected, actual); diff != "" {
+		t.Errorf("%s render differs:%s", expectedFilename, diff)
+	}
 }
 
 func renderToString(t *testing.T, tpl *template.Template, c *types.Conf) string {

cmd/internal/switcher/templates/test_data/dev/conf.yaml

@@ -4,6 +4,9 @@ loglevel: warnings
 loopback: 10.0.0.10
 asn: 4200000010
 metalcorecidr: 10.255.255.2/24
+additionalroutemapcidrs:
+  - "10.240.0.0/12"
+  - "fd00:10::/64"
 ports:
   eth0:
     addresscidr: 192.168.101.12/24
@@ -36,6 +39,7 @@ ports:
       cidrs:
         - "100.127.131.0/24"
         - "212.17.234.17/32"
+        - "2001:db8:3::1/128"
 additionalbridgevids:
   - 201-256
   - 301-356

cmd/internal/switcher/templates/test_data/dev/cumulus_frr.conf

@@ -53,6 +53,13 @@ router bgp 4200000010
   neighbor swp3 route-map fw-swp3-in in
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected route-map LOOPBACKS
+  neighbor FIREWALL allowas-in 2
+  neighbor FIREWALL activate
+  neighbor swp3 route-map fw-swp3-in in
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise-all-vni
   neighbor FABRIC activate
@@ -93,16 +100,28 @@ router bgp 4200000010 vrf vrf104001
   neighbor MACHINE route-map vrf104001-in in
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected
+  neighbor MACHINE maximum-prefix 24000
+  neighbor MACHINE activate
+  neighbor MACHINE route-map vrf104001-in6 in
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise ipv4 unicast
+  advertise ipv6 unicast
  exit-address-family
 !
 # route-maps for vrf104001
+ip prefix-list vrf104001-in-prefixes permit 10.240.0.0/12 le 32
 ip prefix-list vrf104001-in-prefixes permit 100.127.131.0/24 le 32
 ip prefix-list vrf104001-in-prefixes permit 212.17.234.17/32 le 32
-ip prefix-list vrf104001-in-prefixes permit 10.240.0.0/12 le 32
+ip prefix-list vrf104001-in6-prefixes permit 2001:db8:3::1/128 le 128
+ip prefix-list vrf104001-in6-prefixes permit fd00:10::/64 le 128
 route-map vrf104001-in permit 10
  match ip address prefix-list vrf104001-in-prefixes
+route-map vrf104001-in6 permit 10
+ match ipv6 address prefix-list vrf104001-in6-prefixes
 !
 line vty
 !

cmd/internal/switcher/templates/test_data/dev/customtpl/frr.conf

@@ -96,14 +96,19 @@ router bgp 4200000010 vrf vrf104001
  !
  address-family l2vpn evpn
   advertise ipv4 unicast
+  advertise ipv6 unicast
  exit-address-family
 !
 # route-maps for vrf104001
+ip prefix-list vrf104001-in-prefixes permit 10.240.0.0/12 le 32
 ip prefix-list vrf104001-in-prefixes permit 100.127.131.0/24 le 32
 ip prefix-list vrf104001-in-prefixes permit 212.17.234.17/32 le 32
-ip prefix-list vrf104001-in-prefixes permit 10.240.0.0/12 le 32
+ip prefix-list vrf104001-in6-prefixes permit 2001:db8:3::1/128 le 128
+ip prefix-list vrf104001-in6-prefixes permit fd00:10::/64 le 128
 route-map vrf104001-in permit 10
  match ip address prefix-list vrf104001-in-prefixes
+route-map vrf104001-in6 permit 10
+ match ipv6 address prefix-list vrf104001-in6-prefixes
 !
 line vty
 !

cmd/internal/switcher/templates/test_data/dev/customtpl/frr.tpl

@@ -111,6 +111,7 @@ router bgp {{ $ASN }} vrf {{ $vrf }}
  !
  address-family l2vpn evpn
   advertise ipv4 unicast
+  advertise ipv6 unicast
  exit-address-family
 !
 {{- if gt (len $t.IPPrefixLists) 0 }}

cmd/internal/switcher/templates/test_data/dev/sonic_frr.conf

@@ -58,6 +58,15 @@ router bgp 4200000010
   neighbor swp3 route-map fw-swp3-in in
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected route-map DENY_MGMT
+  neighbor FIREWALL allowas-in 2
+  # see https://docs.frrouting.org/en/latest/bgp.html#clicmd-neighbor-A.B.C.D-activate
+  # why activate is required
+  neighbor FIREWALL activate
+  neighbor swp3 route-map fw-swp3-in in
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise-all-vni
   neighbor FABRIC activate
@@ -99,16 +108,30 @@ router bgp 4200000010 vrf Vrf104001
   neighbor MACHINE route-map Vrf104001-in in
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected
+  neighbor MACHINE maximum-prefix 24000
+  # see https://docs.frrouting.org/en/latest/bgp.html#clicmd-neighbor-A.B.C.D-activate
+  # why activate is required
+  neighbor MACHINE activate
+  neighbor MACHINE route-map Vrf104001-in6 in
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise ipv4 unicast
+  advertise ipv6 unicast
  exit-address-family
 !
 # route-maps for Vrf104001
+ip prefix-list Vrf104001-in-prefixes permit 10.240.0.0/12 le 32
 ip prefix-list Vrf104001-in-prefixes permit 100.127.131.0/24 le 32
 ip prefix-list Vrf104001-in-prefixes permit 212.17.234.17/32 le 32
-ip prefix-list Vrf104001-in-prefixes permit 10.240.0.0/12 le 32
+ip prefix-list Vrf104001-in6-prefixes permit 2001:db8:3::1/128 le 128
+ip prefix-list Vrf104001-in6-prefixes permit fd00:10::/64 le 128
 route-map Vrf104001-in permit 10
  match ip address prefix-list Vrf104001-in-prefixes
+route-map Vrf104001-in6 permit 10
+ match ipv6 address prefix-list Vrf104001-in6-prefixes
 !
 line vty
 !

cmd/internal/switcher/templates/test_data/lab/conf.yaml

@@ -4,6 +4,8 @@ loglevel: debugging
 loopback: 10.0.0.10
 asn: 4200000010
 metalcorecidr: 10.255.255.2/24
+additionalroutemapcidrs:
+  - "10.240.0.0/12"
 ports:
   eth0:
     addresscidr: 192.168.0.11

cmd/internal/switcher/templates/test_data/lab/cumulus_frr.conf

@@ -53,6 +53,13 @@ router bgp 4200000010
   neighbor swp3 route-map fw-swp3-in in
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected route-map LOOPBACKS
+  neighbor FIREWALL allowas-in 2
+  neighbor FIREWALL activate
+  neighbor swp3 route-map fw-swp3-in in
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise-all-vni
   neighbor FABRIC activate

cmd/internal/switcher/templates/test_data/lab/sonic_frr.conf

@@ -58,6 +58,15 @@ router bgp 4200000010
   neighbor swp3 route-map fw-swp3-in in
  exit-address-family
  !
+ address-family ipv6 unicast
+  redistribute connected route-map DENY_MGMT
+  neighbor FIREWALL allowas-in 2
+  # see https://docs.frrouting.org/en/latest/bgp.html#clicmd-neighbor-A.B.C.D-activate
+  # why activate is required
+  neighbor FIREWALL activate
+  neighbor swp3 route-map fw-swp3-in in
+ exit-address-family
+ !
  address-family l2vpn evpn
   advertise-all-vni
   neighbor FABRIC activate