Firewall Precedence

pkg/netconf/frr.go

@@ -144,7 +144,7 @@
 			VNI:            int(*network.Vrf),
 			ImportVRFNames: i.ImportVRFs,
 			IPPrefixLists:  i.prefixLists(),
-			RouteMaps:      i.routeMaps(),
+			RouteMaps:      i.routeMaps(*network.Asn),
 		}
 		result = append(result, vrf)
 	}

pkg/netconf/routemap.go

@@ -282,50 +282,58 @@ func byName(prefixLists []IPPrefixList) map[string]IPPrefixList {
 	return byName
 }
 
-func (i *importRule) routeMaps() []RouteMap {
-	var result []RouteMap
-
-	order := RouteMapOrderSeed
-	byName := byName(i.prefixLists())
-
-	names := []string{}
-	for n := range byName {
-		names = append(names, n)
-	}
-	sort.Sort(sort.Reverse(sort.StringSlice(names)))
-
-	for _, n := range names {
-		prefixList := byName[n]
-
-		matchVrf := fmt.Sprintf("match source-vrf %s", prefixList.SourceVRF)
-		matchPfxList := fmt.Sprintf("match %s address prefix-list %s", prefixList.AddressFamily, n)
-		entries := []string{matchVrf, matchPfxList}
-		if strings.HasSuffix(n, IPPrefixListNoExportSuffix) {
-			entries = append(entries, "set community additive no-export")
-		}
-
-		routeMap := RouteMap{
-			Name:    routeMapName(i.TargetVRF),
-			Policy:  Permit.String(),
-			Order:   order,
-			Entries: entries,
-		}
-		order += RouteMapOrderSeed
-
-		result = append(result, routeMap)
-	}
-
-	routeMap := RouteMap{
-		Name:   routeMapName(i.TargetVRF),
-		Policy: Deny.String(),
-		Order:  order,
-	}
-
-	result = append(result, routeMap)
-
-	return result
+func (i *importRule) routeMaps(asn int64, distance uint8) []RouteMap {
+    var result []RouteMap
+
+    order := RouteMapOrderSeed
+    byName := byName(i.prefixLists())
+
+    names := []string{}
+    for n := range byName {
+        names = append(names, n)
+    }
+    sort.Sort(sort.Reverse(sort.StringSlice(names)))
+
+    for _, n := range names {
+        prefixList := byName[n]
+
+        matchVrf := fmt.Sprintf("match source-vrf %s", prefixList.SourceVRF)
+        matchPfxList := fmt.Sprintf("match %s address prefix-list %s", prefixList.AddressFamily, n)
+		// Using the distance we extend the path of a firewall by adding asn to its as-path prepend
+        numAsns := int(2 + distance) 
+        asnList := make([]string, numAsns)
+        for i := 0; i < numAsns; i++ {
+            asnList[i] = fmt.Sprintf("%d", asn)
+        }
+        asPathPrepend := fmt.Sprintf("set as-path prepend %s", strings.Join(asnList, " "))
+        entries := []string{matchVrf, matchPfxList, asPathPrepend}
+        if strings.HasSuffix(n, IPPrefixListNoExportSuffix) {
+            entries = append(entries, "set community additive no-export")
+        }
+
+        routeMap := RouteMap{
+            Name:    routeMapName(i.TargetVRF),
+            Policy:  Permit.String(),
+            Order:   order,
+            Entries: entries,
+        }
+        order += RouteMapOrderSeed
+
+        result = append(result, routeMap)
+    }
+
+    routeMap := RouteMap{
+        Name:   routeMapName(i.TargetVRF),
+        Policy: Deny.String(),
+        Order:  order,
+    }
+
+    result = append(result, routeMap)
+
+    return result
 }
 
+
 func routeMapName(vrfName string) string {
 	return vrfName + "-import-map"
 }

pkg/netconf/testdata/frr.conf.firewall

@@ -157,19 +157,23 @@ ip prefix-list vrf3981-import-from-vrf3982 seq 106 permit 10.0.18.0/22 le 32
 route-map vrf3981-import-map permit 10
  match source-vrf vrf3982
  match ip address prefix-list vrf3981-import-from-vrf3982
+ set as-path prepend 4200003073 4200003073
 route-map vrf3981-import-map permit 20
  match source-vrf vrf104010
  match ip address prefix-list vrf3981-import-from-vrf104010
+ set as-path prepend 4200003073 4200003073
 route-map vrf3981-import-map permit 30
  match source-vrf vrf104009
  match ip address prefix-list vrf3981-import-from-vrf104009
+ set as-path prepend 4200003073 4200003073
 route-map vrf3981-import-map deny 40
 !
 ip prefix-list vrf3982-import-from-vrf3981 seq 100 permit 10.0.16.0/22 le 32
 ip prefix-list vrf3982-import-from-vrf3981 seq 101 permit 10.0.18.0/22 le 32
 route-map vrf3982-import-map permit 10
  match source-vrf vrf3981
  match ip address prefix-list vrf3982-import-from-vrf3981
+ set as-path prepend 4200003073 4200003073
 route-map vrf3982-import-map deny 20
 !
 ip prefix-list vrf104009-import-from-vrf3981-no-export seq 100 permit 10.0.16.0/22 le 32
@@ -178,21 +182,25 @@ ip prefix-list vrf104009-import-from-vrf3981 seq 102 permit 185.27.0.0/22 le 32
 route-map vrf104009-import-map permit 10
  match source-vrf vrf3981
  match ip address prefix-list vrf104009-import-from-vrf3981-no-export
+ set as-path prepend 4200003073 4200003073
  set community additive no-export
 route-map vrf104009-import-map permit 20
  match source-vrf vrf3981
  match ip address prefix-list vrf104009-import-from-vrf3981
+ set as-path prepend 4200003073 4200003073
 route-map vrf104009-import-map deny 30
 !
 ip prefix-list vrf104010-import-from-vrf3981-no-export seq 100 permit 10.0.16.0/22 le 32
 ip prefix-list vrf104010-import-from-vrf3981 seq 101 permit 100.127.129.0/24 le 32
 route-map vrf104010-import-map permit 10
  match source-vrf vrf3981
  match ip address prefix-list vrf104010-import-from-vrf3981-no-export
+ set as-path prepend 4200003073 4200003073
  set community additive no-export
 route-map vrf104010-import-map permit 20
  match source-vrf vrf3981
  match ip address prefix-list vrf104010-import-from-vrf3981
+ set as-path prepend 4200003073 4200003073
 route-map vrf104010-import-map deny 30
 !
 route-map only-self-out permit 10

pkg/netconf/testdata/frr.conf.firewall_dmz

@@ -132,9 +132,11 @@ ip prefix-list vrf3981-import-from-vrf3983 seq 104 permit 10.0.20.0/22 le 32
 route-map vrf3981-import-map permit 10
  match source-vrf vrf3983
  match ip address prefix-list vrf3981-import-from-vrf3983
+ set as-path prepend 4200003073 4200003073
 route-map vrf3981-import-map permit 20
  match source-vrf vrf104009
  match ip address prefix-list vrf3981-import-from-vrf104009
+ set as-path prepend 4200003073 4200003073
 route-map vrf3981-import-map deny 30
 !
 ip prefix-list vrf3983-import-from-vrf3981 seq 100 permit 10.0.16.0/22 le 32
@@ -145,9 +147,11 @@ ip prefix-list vrf3983-import-from-vrf104009 seq 104 permit 185.27.0.0/22 le 32
 route-map vrf3983-import-map permit 10
  match source-vrf vrf3981
  match ip address prefix-list vrf3983-import-from-vrf3981
+ set as-path prepend 4200003073 4200003073
 route-map vrf3983-import-map permit 20
  match source-vrf vrf104009
  match ip address prefix-list vrf3983-import-from-vrf104009
+ set as-path prepend 4200003073 4200003073
 route-map vrf3983-import-map deny 30
 !
 ip prefix-list vrf104009-import-from-vrf3981-no-export seq 100 permit 10.0.16.0/22 le 32
@@ -157,14 +161,17 @@ ip prefix-list vrf104009-import-from-vrf3981 seq 103 permit 185.27.0.0/22 le 32
 route-map vrf104009-import-map permit 10
  match source-vrf vrf3983
  match ip address prefix-list vrf104009-import-from-vrf3983-no-export
+ set as-path prepend 4200003073 4200003073
  set community additive no-export
 route-map vrf104009-import-map permit 20
  match source-vrf vrf3981
  match ip address prefix-list vrf104009-import-from-vrf3981-no-export
+ set as-path prepend 4200003073 4200003073
  set community additive no-export
 route-map vrf104009-import-map permit 30
  match source-vrf vrf3981
  match ip address prefix-list vrf104009-import-from-vrf3981
+ set as-path prepend 4200003073 4200003073
 route-map vrf104009-import-map deny 40
 !
 route-map only-self-out permit 10

pkg/netconf/testdata/frr.conf.firewall_dmz_app

@@ -99,13 +99,15 @@ ip prefix-list vrf3981-import-from-vrf3983 permit 0.0.0.0/0
 route-map vrf3981-import-map permit 10
  match source-vrf vrf3983
  match ip address prefix-list vrf3981-import-from-vrf3983
+ set as-path prepend 4200003073 4200003073
 route-map vrf3981-import-map deny 20
 !
 ip prefix-list vrf3983-import-from-vrf3981 seq 100 permit 10.0.16.0/22 le 32
 ip prefix-list vrf3983-import-from-vrf3981 seq 101 permit 10.0.20.0/22 le 32
 route-map vrf3983-import-map permit 10
  match source-vrf vrf3981
  match ip address prefix-list vrf3983-import-from-vrf3981
+ set as-path prepend 4200003073 4200003073
 route-map vrf3983-import-map deny 20
 !
 route-map only-self-out permit 10

pkg/netconf/testdata/frr.conf.firewall_dmz_app_storage

@@ -127,23 +127,27 @@ ip prefix-list vrf3981-import-from-vrf3983 permit 0.0.0.0/0
 route-map vrf3981-import-map permit 10
  match source-vrf vrf3983
  match ip address prefix-list vrf3981-import-from-vrf3983
+ set as-path prepend 4200003073 4200003073
 route-map vrf3981-import-map permit 20
  match source-vrf vrf3982
  match ip address prefix-list vrf3981-import-from-vrf3982
+ set as-path prepend 4200003073 4200003073
 route-map vrf3981-import-map deny 30
 !
 ip prefix-list vrf3983-import-from-vrf3981 seq 100 permit 10.0.16.0/22 le 32
 ip prefix-list vrf3983-import-from-vrf3981 seq 101 permit 10.0.20.0/22 le 32
 route-map vrf3983-import-map permit 10
  match source-vrf vrf3981
  match ip address prefix-list vrf3983-import-from-vrf3981
+ set as-path prepend 4200003073 4200003073
 route-map vrf3983-import-map deny 20
 !
 ip prefix-list vrf3982-import-from-vrf3981 seq 100 permit 10.0.16.0/22 le 32
 ip prefix-list vrf3982-import-from-vrf3981 seq 101 permit 10.0.18.0/22 le 32
 route-map vrf3982-import-map permit 10
  match source-vrf vrf3981
  match ip address prefix-list vrf3982-import-from-vrf3981
+ set as-path prepend 4200003073 4200003073
 route-map vrf3982-import-map deny 20
 !
 route-map only-self-out permit 10

pkg/netconf/testdata/frr.conf.firewall_ipv6

@@ -156,44 +156,53 @@ ipv6 prefix-list vrf3981-import-from-vrf104009-ipv6 seq 105 permit 2a02:c00:20::
 route-map vrf3981-import-map permit 10
  match source-vrf vrf3982
  match ip address prefix-list vrf3981-import-from-vrf3982
+ set as-path prepend 4200003073 4200003073
 route-map vrf3981-import-map permit 20
  match source-vrf vrf104010
  match ip address prefix-list vrf3981-import-from-vrf104010
+ set as-path prepend 4200003073 4200003073
 route-map vrf3981-import-map permit 30
  match source-vrf vrf104009
  match ipv6 address prefix-list vrf3981-import-from-vrf104009-ipv6
+ set as-path prepend 4200003073 4200003073
 route-map vrf3981-import-map deny 40
 !
 ip prefix-list vrf3982-import-from-vrf3981 seq 100 permit 10.0.18.0/22 le 32
 ipv6 prefix-list vrf3982-import-from-vrf3981-ipv6 seq 101 permit 2002::/64 le 128
 route-map vrf3982-import-map permit 10
  match source-vrf vrf3981
  match ipv6 address prefix-list vrf3982-import-from-vrf3981-ipv6
+ set as-path prepend 4200003073 4200003073
 route-map vrf3982-import-map permit 20
  match source-vrf vrf3981
  match ip address prefix-list vrf3982-import-from-vrf3981
+ set as-path prepend 4200003073 4200003073
 route-map vrf3982-import-map deny 30
 !
 ipv6 prefix-list vrf104009-import-from-vrf3981-ipv6-no-export seq 100 permit 2002::/64 le 128
 ipv6 prefix-list vrf104009-import-from-vrf3981-ipv6 seq 101 permit 2a02:c00:20::/45 le 128
 route-map vrf104009-import-map permit 10
  match source-vrf vrf3981
  match ipv6 address prefix-list vrf104009-import-from-vrf3981-ipv6-no-export
+ set as-path prepend 4200003073 4200003073
  set community additive no-export
 route-map vrf104009-import-map permit 20
  match source-vrf vrf3981
  match ipv6 address prefix-list vrf104009-import-from-vrf3981-ipv6
+ set as-path prepend 4200003073 4200003073
 route-map vrf104009-import-map deny 30
 !
 ip prefix-list vrf104010-import-from-vrf3981 seq 100 permit 100.127.129.0/24 le 32
 ipv6 prefix-list vrf104010-import-from-vrf3981-ipv6-no-export seq 100 permit 2002::/64 le 128
 route-map vrf104010-import-map permit 10
  match source-vrf vrf3981
  match ipv6 address prefix-list vrf104010-import-from-vrf3981-ipv6-no-export
+ set as-path prepend 4200003073 4200003073
  set community additive no-export
 route-map vrf104010-import-map permit 20
  match source-vrf vrf3981
  match ip address prefix-list vrf104010-import-from-vrf3981
+ set as-path prepend 4200003073 4200003073
 route-map vrf104010-import-map deny 30
 !
 route-map only-self-out permit 10

pkg/netconf/testdata/frr.conf.firewall_shared

@@ -100,6 +100,7 @@ ip prefix-list vrf3982-import-from-vrf104009 seq 103 permit 185.27.0.0/22 le 32
 route-map vrf3982-import-map permit 10
  match source-vrf vrf104009
  match ip address prefix-list vrf3982-import-from-vrf104009
+ set as-path prepend 4200003073 4200003073
 route-map vrf3982-import-map deny 20
 !
 ip prefix-list vrf104009-import-from-vrf3982-no-export seq 100 permit 10.0.18.0/22 le 32
@@ -108,10 +109,12 @@ ip prefix-list vrf104009-import-from-vrf3982 seq 102 permit 185.27.0.0/22 le 32
 route-map vrf104009-import-map permit 10
  match source-vrf vrf3982
  match ip address prefix-list vrf104009-import-from-vrf3982-no-export
+ set as-path prepend 4200003073 4200003073
  set community additive no-export
 route-map vrf104009-import-map permit 20
  match source-vrf vrf3982
  match ip address prefix-list vrf104009-import-from-vrf3982
+ set as-path prepend 4200003073 4200003073
 route-map vrf104009-import-map deny 30
 !
 route-map only-self-out permit 10