From 3831b619661d08d935fd78656732cd2f339ff811 Mon Sep 17 00:00:00 2001
From: "Ondrej Zajicek (work)"
Date: Tue, 16 Jan 2018 04:14:49 +0100
Subject: BGP: Require explicit import and export policies for EBGP channels

To comply with RFC 8212 requirements.
---
 proto/bgp/bgp.c | 17 +++++++++++++++++
 proto/bgp/config.Y | 2 ++
 2 files changed, 19 insertions(+)
(limited to 'proto')
diff --git a/proto/bgp/bgp.c b/proto/bgp/bgp.c
index 8da5b0aa..9db26050 100644
--- a/proto/bgp/bgp.c
+++ b/proto/bgp/bgp.c
@@ -99,6 +99,7 @@
 * - Internet Exchange BGP Route Server
 * - BGP Large Communities Attribute
 * - BGP Administrative Shutdown Communication
+ * - Default EBGP Route Propagation Behavior without Policies
 *
 */
@@ -113,6 +114,7 @@
 #include "nest/cli.h"
 #include "nest/locks.h"
 #include "conf/conf.h"
+#include "filter/filter.h"
 #include "lib/socket.h"
 #include "lib/resource.h"
 #include "lib/string.h"
@@ -1621,6 +1623,7 @@ bgp_postconfig(struct proto_config *CF)
 {
 struct bgp_config *cf = (void *) CF;
 int internal = (cf->local_as == cf->remote_as);
+ int interior = internal || cf->confederation_member;
 /* Do not check templates at all */
 if (cf->c.class == SYM_TEMPLATE)
@@ -1677,6 +1680,20 @@ bgp_postconfig(struct proto_config *CF)
 struct bgp_channel_config *cc;
 WALK_LIST(cc, CF->channels)
 {
+ /* Handle undefined import filter */
+ if (cc->c.in_filter == FILTER_UNDEF)
+ if (interior)
+ cc->c.in_filter = FILTER_ACCEPT;
+ else
+ cf_error("EBGP requires explicit import policy");
+ /* Handle undefined export filter */
+ if (cc->c.out_filter == FILTER_UNDEF)
+ if (interior)
+ cc->c.out_filter = FILTER_REJECT;
+ else
+ cf_error("EBGP requires explicit export policy");
+
 /* Disable after error incompatible with restart limit action */
 if ((cc->c.in_limit.action == PLA_RESTART) && cf->disable_after_error)
 cc->c.in_limit.action = PLA_DISABLE;
diff --git a/proto/bgp/config.Y b/proto/bgp/config.Y
index 4e819eb7..04e6d666 100644
--- a/proto/bgp/config.Y
+++ b/proto/bgp/config.Y
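Review bot: Nothing at the declaration of `interior` in bgp_postconfig() explains why `cf->confederation_member` sessions are grouped with IBGP, although that grouping decides which peers escape the explicit-policy requirement enforced later in the function. A one-line comment would keep a later edit from widening or narrowing the exemption by accident, for example `/* Sessions inside a confederation get the IBGP default policies */`. Whether RFC 8212 is meant to leave intra-confederation sessions out is not shown on this page, so the comment should cite the reasoning the author relied on. The function body starts and ends outside the hunk.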
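Review bot: Both new checks in the WALK_LIST loop of bgp_postconfig() are an unbraced `if` whose whole body is an `if`/`else`, so `else cf_error(...)` pairs with `if (interior)` only through the nearest-if rule. That is the intended pairing, but compilers commonly warn about it as a dangling else, and one statement added before the inner `if` would silently detach the error branch from the check that refuses an unfiltered EBGP channel. Brace the outer bodies, `if (cc->c.in_filter == FILTER_UNDEF) {` … `}`, and the same for `out_filter`. The two messages also do not say which channel lacks a policy, which an operator with several channels on one protocol would want to see. The loop body continues outside the hunk.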
@@ -163,6 +163,8 @@ bgp_channel_start: bgp_afi
 /* New channel */
 if (!BGP_CC->desc)
 {
+ BGP_CC->c.in_filter = FILTER_UNDEF;
+ BGP_CC->c.out_filter = FILTER_UNDEF;
 BGP_CC->c.ra_mode = RA_UNDEF;
 BGP_CC->afi = $1;
 BGP_CC->desc = desc;
-- 
cgit v1.2.3
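Review bot: The `FILTER_UNDEF` placeholder assigned to `in_filter` and `out_filter` here carries no comment tying it to the place that resolves it, which on this page is only the channel loop in bgp_postconfig(). That function appears to return early for templates, so a template channel would presumably keep the sentinel until a protocol derived from it is checked. A comment such as `/* Placeholder; replaced or rejected in bgp_postconfig() */` would make the dependency visible. It is also worth confirming that generic channel code which compares or prints filters tolerates `FILTER_UNDEF`, since that code is outside this page. The grammar action starts and ends outside the hunk.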