From e1957bcd04da53022b78ec576eb9db088d120909 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis
Date: Wed, 22 Mar 2023 14:15:13 +0200
Subject: [PATCH 1/2] tests: Check if BGP peering with MD5 per-VRF works correctly
Signed-off-by: Donatas Abraitis
---
 .../topotests/bgp_vrf_md5_peering/__init__.py | 0
 .../topotests/bgp_vrf_md5_peering/exabgp.env | 53 +++++++++++
 .../bgp_vrf_md5_peering/peer1/exabgp.cfg | 13 +++
 .../bgp_vrf_md5_peering/r1/bgpd.conf | 11 +++
 .../bgp_vrf_md5_peering/r1/zebra.conf | 6 ++
 .../test_bgp_vrf_md5_peering.py | 87 +++++++++++++++++++
 6 files changed, 170 insertions(+)
 create mode 100644 tests/topotests/bgp_vrf_md5_peering/__init__.py
 create mode 100644 tests/topotests/bgp_vrf_md5_peering/exabgp.env
 create mode 100644 tests/topotests/bgp_vrf_md5_peering/peer1/exabgp.cfg
 create mode 100644 tests/topotests/bgp_vrf_md5_peering/r1/bgpd.conf
 create mode 100644 tests/topotests/bgp_vrf_md5_peering/r1/zebra.conf
 create mode 100644 tests/topotests/bgp_vrf_md5_peering/test_bgp_vrf_md5_peering.py
diff --git a/tests/topotests/bgp_vrf_md5_peering/__init__.py b/tests/topotests/bgp_vrf_md5_peering/__init__.py
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/tests/topotests/bgp_vrf_md5_peering/exabgp.env b/tests/topotests/bgp_vrf_md5_peering/exabgp.env
new file mode 100644
index 0000000000..28e642360a
--- /dev/null
+++ b/tests/topotests/bgp_vrf_md5_peering/exabgp.env
@@ -0,0 +1,53 @@
+[exabgp.api]
+encoder = text
+highres = false
+respawn = false
+socket = ''
+
+[exabgp.bgp]
+openwait = 60
+
+[exabgp.cache]
+attributes = true
+nexthops = true
+
+[exabgp.daemon]
+daemonize = true
+pid = '/var/run/exabgp/exabgp.pid'
+user = 'exabgp'
+##daemonize = false
+
+[exabgp.log]
+all = false
+configuration = true
+daemon = true
+destination = '/var/log/exabgp.log'
+enable = true
+level = INFO
+message = false
+network = true
+packets = false
+parser = false
+processes = true
+reactor = true
+rib = false
+routes = false
+short = false
+timers = false
+
+[exabgp.pdb]
+enable = false
+
+[exabgp.profile]
+enable = false
+file = ''
+
+[exabgp.reactor]
+speed = 1.0
+
+[exabgp.tcp]
+acl = false
+bind = ''
+delay = 0
+once = false
+port = 179
diff --git a/tests/topotests/bgp_vrf_md5_peering/peer1/exabgp.cfg b/tests/topotests/bgp_vrf_md5_peering/peer1/exabgp.cfg
new file mode 100644
index 0000000000..3260513903
--- /dev/null
+++ b/tests/topotests/bgp_vrf_md5_peering/peer1/exabgp.cfg
@@ -0,0 +1,13 @@
+neighbor 10.0.0.1 {
+ router-id 10.0.0.2;
+ local-address 10.0.0.2;
+ local-as 65001;
+ peer-as 65534;
+ md5 test123;
+
+ static {
+ route 192.168.100.1/32 {
+ next-hop 10.0.0.2;
+ }
+ }
+}
diff --git a/tests/topotests/bgp_vrf_md5_peering/r1/bgpd.conf b/tests/topotests/bgp_vrf_md5_peering/r1/bgpd.conf
new file mode 100644
index 0000000000..8d8f64158f
--- /dev/null
+++ b/tests/topotests/bgp_vrf_md5_peering/r1/bgpd.conf
@@ -0,0 +1,11 @@
+!
+debug bgp neighbor
+!
+router bgp 65534 vrf public
+ bgp router-id 10.0.0.1
+ no bgp ebgp-requires-policy
+ neighbor 10.0.0.2 remote-as external
+ neighbor 10.0.0.2 timers 3 10
+ neighbor 10.0.0.2 timers connect 1
+ neighbor 10.0.0.2 password test123
+!
diff --git a/tests/topotests/bgp_vrf_md5_peering/r1/zebra.conf b/tests/topotests/bgp_vrf_md5_peering/r1/zebra.conf
new file mode 100644
index 0000000000..0c183ae785
--- /dev/null
+++ b/tests/topotests/bgp_vrf_md5_peering/r1/zebra.conf
@@ -0,0 +1,6 @@
+!
+interface r1-eth0 vrf public
+ ip address 10.0.0.1/24
+!
+ip forwarding
+!
diff --git a/tests/topotests/bgp_vrf_md5_peering/test_bgp_vrf_md5_peering.py b/tests/topotests/bgp_vrf_md5_peering/test_bgp_vrf_md5_peering.py
new file mode 100644
index 0000000000..eefe586d7b
--- /dev/null
+++ b/tests/topotests/bgp_vrf_md5_peering/test_bgp_vrf_md5_peering.py
@@ -0,0 +1,87 @@
+#!/usr/bin/env python
+# SPDX-License-Identifier: ISC
+
+#
+# Copyright (c) 2023 by
+# Donatas Abraitis
+#
+
+"""
+Test if BGP MD5 basic authentication works per-VRF.
+"""
+
+import os
+import sys
+import json
+import pytest
+import functools
+
+CWD = os.path.dirname(os.path.realpath(__file__))
+sys.path.append(os.path.join(CWD, "../"))
+
+# pylint: disable=C0413
+from lib import topotest
+from lib.topogen import Topogen, TopoRouter, get_topogen
+
+pytestmark = [pytest.mark.bgpd]
+
+
+def build_topo(tgen):
+ r1 = tgen.add_router("r1")
+ peer1 = tgen.add_exabgp_peer("peer1", ip="10.0.0.2", defaultRoute="via 10.0.0.1")
+
+ switch = tgen.add_switch("s1")
+ switch.add_link(r1)
+ switch.add_link(peer1)
+
+
+def setup_module(mod):
+ tgen = Topogen(build_topo, mod.__name__)
+ tgen.start_topology()
+
+ r1 = tgen.gears["r1"]
+ r1.load_config(TopoRouter.RD_ZEBRA, os.path.join(CWD, "r1/zebra.conf"))
+ r1.load_config(TopoRouter.RD_BGP, os.path.join(CWD, "r1/bgpd.conf"))
+ r1.start()
+
+ peer = tgen.gears["peer1"]
+ peer.start(os.path.join(CWD, "peer1"), os.path.join(CWD, "exabgp.env"))
+
+ # VRF 'public'
+ r1.cmd_raises("ip link add public type vrf table 1001")
+ r1.cmd_raises("ip link set up dev public")
+ r1.cmd_raises("ip link set r1-eth0 master public")
+
+
+def teardown_module(mod):
+ tgen = get_topogen()
+ tgen.stop_topology()
+
+
+def test_bgp_vrf_md5_peering():
+ tgen = get_topogen()
+
+ if tgen.routers_have_failure():
+ pytest.skip(tgen.errors)
+
+ def _bgp_converge():
+ output = json.loads(
+ tgen.gears["r1"].vtysh_cmd("show ip bgp vrf public neighbor 10.0.0.2 json")
+ )
+ expected = {
+ "10.0.0.2": {
+ "bgpState": "Established",
+ "addressFamilyInfo": {"ipv4Unicast": {"acceptedPrefixCounter": 1}},
+ }
+ }
+ return topotest.json_cmp(output, expected)
+
+ test_func = functools.partial(_bgp_converge)
+ _, result = topotest.run_and_expect(test_func, None, count=30, wait=1)
+
+ assert result is None, "Can't peer with md5 per-VRF"
+
+
+if __name__ == 
"__main__":
+ args = ["-s"] + sys.argv[1:]
+ sys.exit(pytest.main(args))
From 280400847481529b101b2320c3b9833a07c94245 Mon Sep 17 00:00:00 2001
From: Donatas Abraitis
Date: Wed, 22 Mar 2023 15:17:30 +0200
Subject: [PATCH 2/2] bgpd: Set TCP_MD5 for outgoing connections when `password` is set
If configuring `neighbor password` under VRF (not default), the session will never be established. Before setting TCP_MD5 for the connection fd, we need to enable this on the accept direction as well (listener).
Signed-off-by: Donatas Abraitis
---
 bgpd/bgp_network.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/bgpd/bgp_network.c b/bgpd/bgp_network.c
index 6f035358f1..3f9926151e 100644
--- a/bgpd/bgp_network.c
+++ b/bgpd/bgp_network.c
@@ -759,6 +759,9 @@ int bgp_connect(struct peer *peer) ? IPV4_MAX_BITLEN : IPV6_MAX_BITLEN; + if (!BGP_PEER_SU_UNSPEC(peer)) + bgp_md5_set(peer); + bgp_md5_set_connect(peer->fd, &peer->su, prefixlen, peer->password); }
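Review bot: `test_func = functools.partial(_bgp_converge)` binds no arguments, so the partial is a no-op wrapper; `_, result = topotest.run_and_expect(_bgp_converge, None, count=30, wait=1)` reads the same and drops the only use of `functools`. The assertion covers only the matching-key case: nothing here shows that a mismatched key is refused, so a follow-up step that reconfigures `neighbor 10.0.0.2 password` on r1 to a different value and expects `bgpState` to leave `Established` would pin the authentication itself rather than plain reachability. In `setup_module` the VRF `public` is created and `r1-eth0` enslaved only after `r1.start()`, although `zebra.conf` (loaded just before) already references `vrf public`; if that ordering is deliberate because zebra binds the interface once the VRF appears, a short comment above `# VRF 'public'` saying so would keep the next reader from reordering it.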
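Review bot: The new `bgp_md5_set(peer)` call discards whatever it returns; if that is a status (its declaration is not visible in the hunk), a failure to install the key on the listener is not logged at this point and the peer simply never comes up, which is the same symptom the commit message describes for the bug being fixed, so at least a debug log on a non-zero result would make it diagnosable. The guard also carries no explanation of why the listener is touched from the connect path; a comment such as `/* The accepting socket must carry the key as well, otherwise only the outgoing direction of this session is authenticated. */` above the `if` would bring the commit message's reasoning into the code. `bgp_connect` begins and ends outside the hunk.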