[NX-OS] Implement support for RoutingPolicy on Cisco NX-OS

Author: felix-kaestner

internal/provider/cisco/nxos/evi.go

@@ -31,6 +31,14 @@ func (b *BDEVI) XPath() string {
 	return "System/evpn-items/bdevi-items/BDEvi-list[encap=" + b.Encap + "]"
 }
 
+func Community(c string) (string, error) {
+	s, err := stdcommunity(c)
+	if err != nil {
+		return "", err
+	}
+	return "regular:" + s, nil
+}
+
 func RouteDistinguisher(rd string) (string, error) {
 	s, err := extcommunity(rd)
 	if err != nil {
@@ -47,27 +55,61 @@ func RouteTarget(rt string) (string, error) {
 	return "route-target:" + s, nil
 }
 
+// stdcommunity converts a value to a standard community string.
+func stdcommunity(s string) (string, error) {
+	parts := strings.SplitN(s, ":", 2)
+	if len(parts) != 2 {
+		return "", errors.New("invalid bgp community format")
+	}
+	admin, err := strconv.ParseUint(parts[0], 10, 32)
+	if err != nil {
+		return "", fmt.Errorf("invalid bgp community format: %w", err)
+	}
+	if admin > math.MaxUint16 {
+		return "", fmt.Errorf("standard community 'Administrator' must be in range 0–65535, got %d", admin)
+	}
+	assigned, err := strconv.ParseUint(parts[1], 10, 32)
+	if err != nil {
+		return "", fmt.Errorf("invalid bgp community format: %w", err)
+	}
+	if assigned > math.MaxUint16 {
+		return "", fmt.Errorf("standard community 'Assigned Number' must be in range 0–65535, got %d", assigned)
+	}
+	return "as2-nn2:" + s, nil
+}
+
 // extcommunity converts a value to an extended community string.
 func extcommunity(s string) (string, error) {
 	if s == "" {
 		return "unknown:0:0", nil
 	}
 	parts := strings.SplitN(s, ":", 2)
 	if len(parts) != 2 {
-		return "", errors.New("invalid route distinguisher format")
+		return "", errors.New("invalid extended community format")
 	}
-	asn, err := strconv.ParseUint(parts[1], 10, 32)
+	assigned, err := strconv.ParseUint(parts[1], 10, 32)
 	if err != nil {
-		return "", fmt.Errorf("invalid route distinguisher format: %w", err)
-	}
-	// Type-0
-	if asn > math.MaxUint16 {
-		return "as2-nn4:" + s, nil
+		return "", fmt.Errorf("invalid extended community format: %w", err)
 	}
 	// Type-1
 	if _, err := netip.ParseAddr(parts[0]); err == nil {
+		if assigned > math.MaxUint16 {
+			return "", fmt.Errorf("extended community 'Assigned Number' must be in range 0–65535, got %d", assigned)
+		}
 		return "ipv4-nn2:" + s, nil
 	}
+	asn, err := strconv.ParseUint(parts[0], 10, 32)
+	if err != nil {
+		return "", fmt.Errorf("invalid bgp extended community format: %w", err)
+	}
+	// Type-0
+	if asn <= math.MaxUint16 {
+		// standard 2-byte ASN
+		if assigned <= math.MaxUint16 {
+			return "as2-nn2:" + s, nil
+		}
+		return "as2-nn4:" + s, nil
+	}
 	// Type-2
 	return "as4-nn2:" + s, nil
 }

internal/provider/cisco/nxos/provider.go

@@ -52,6 +52,7 @@ var (
 	_ provider.PIMProvider              = (*Provider)(nil)
 	_ provider.SNMPProvider             = (*Provider)(nil)
 	_ provider.PrefixSetProvider        = (*Provider)(nil)
+	_ provider.RoutingPolicyProvider    = (*Provider)(nil)
 	_ provider.SyslogProvider           = (*Provider)(nil)
 	_ provider.UserProvider             = (*Provider)(nil)
 	_ provider.VLANProvider             = (*Provider)(nil)
@@ -1621,6 +1622,55 @@ func (p *Provider) DeletePrefixSet(ctx context.Context, req *provider.PrefixSetR
 	return p.client.Delete(ctx, s)
 }
 
+func (p *Provider) EnsureRoutingPolicy(ctx context.Context, req *provider.EnsureRoutingPolicyRequest) error {
+	rm := new(RouteMap)
+	rm.Name = req.Name
+	for _, stmt := range req.Statements {
+		e := new(RouteMapEntry)
+		e.Order = stmt.Sequence
+
+		for _, cond := range stmt.Conditions {
+			switch v := cond.(type) {
+			case provider.MatchPrefixSetCondition:
+				e.SetPrefixSet(v.PrefixSet)
+			default:
+				return fmt.Errorf("routing policy: unsupported condition type %T", cond)
+			}
+		}
+
+		switch stmt.Actions.RouteDisposition {
+		case v1alpha1.AcceptRoute:
+			e.Action = ActionPermit
+		case v1alpha1.RejectRoute:
+			e.Action = ActionDeny
+		default:
+			return fmt.Errorf("routing policy: unsupported action %q", stmt.Actions.RouteDisposition)
+		}
+
+		if stmt.Actions.BgpActions != nil {
+			if stmt.Actions.BgpActions.SetCommunity != nil {
+				if err := e.SetCommunities(stmt.Actions.BgpActions.SetCommunity.Communities); err != nil {
+					return err
+				}
+			}
+			if stmt.Actions.BgpActions.SetExtCommunity != nil {
+				if err := e.SetExtCommunities(stmt.Actions.BgpActions.SetExtCommunity.Communities); err != nil {
+					return err
+				}
+			}
+		}
+
+		rm.EntItems.EntryList.Set(e)
+	}
+	return p.client.Update(ctx, rm)
+}
+
+func (p *Provider) DeleteRoutingPolicy(ctx context.Context, req *provider.DeleteRoutingPolicyRequest) error {
+	rm := new(RouteMap)
+	rm.Name = req.Name
+	return p.client.Delete(ctx, rm)
+}
+
 func (p *Provider) EnsureUser(ctx context.Context, req *provider.EnsureUserRequest) error {
 	u := new(User)
 	u.AllowExpired = "no"

internal/provider/cisco/nxos/routemap.go

@@ -0,0 +1,104 @@
+// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and IronCore contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package nxos
+
+import (
+	"github.com/ironcore-dev/network-operator/api/core/v1alpha1"
+	"github.com/ironcore-dev/network-operator/internal/provider/cisco/gnmiext/v2"
+)
+
+var _ gnmiext.Configurable = (*RouteMap)(nil)
+
+type RouteMap struct {
+	Name     string `json:"name"`
+	EntItems struct {
+		EntryList gnmiext.List[int32, *RouteMapEntry] `json:"Entry-list,omitzero"`
+	} `json:"ent-items,omitzero"`
+}
+
+func (*RouteMap) IsListItem() {}
+
+func (rm *RouteMap) XPath() string {
+	return "System/rpm-items/rtmap-items/Rule-list[name=" + rm.Name + "]"
+}
+
+type RouteMapEntry struct {
+	Action    Action `json:"action"`
+	Order     int32  `json:"order"`
+	SrttItems struct {
+		ItemItems struct {
+			ItemList gnmiext.List[ExtCommItem, *ExtCommItem] `json:"Item-list,omitzero"`
+		} `json:"item-items,omitzero"`
+	} `json:"srtt-items,omitzero"`
+	SregcommItems struct {
+		NoCommAttr AdminSt `json:"noCommAttr"`
+		ItemItems  struct {
+			ItemList gnmiext.List[string, *CommItem] `json:"Item-list,omitzero"`
+		} `json:"item-items,omitzero"`
+	} `json:"sregcomm-items,omitzero"`
+	MrtdstItems struct {
+		RsrtDstAttItems struct {
+			RsRtDstAttList gnmiext.List[string, *RsRtDstAtt] `json:"RsRtDstAtt-list,omitzero"`
+		} `json:"rsrtDstAtt-items,omitzero"`
+	} `json:"mrtdst-items,omitzero"`
+}
+
+func (e *RouteMapEntry) Key() int32 { return e.Order }
+
+func (e *RouteMapEntry) SetCommunities(communities []string) error {
+	for _, comm := range communities {
+		c, err := Community(comm)
+		if err != nil {
+			return err
+		}
+		e.SregcommItems.NoCommAttr = AdminStDisabled
+		e.SregcommItems.ItemItems.ItemList.Set(&CommItem{Community: c})
+	}
+	return nil
+}
+
+func (e *RouteMapEntry) SetExtCommunities(communities []string) error {
+	for _, comm := range communities {
+		c, err := RouteTarget(comm)
+		if err != nil {
+			return err
+		}
+		e.SrttItems.ItemItems.ItemList.Set(&ExtCommItem{Community: c, Scope: RtExtComScopeTransitive})
+	}
+	return nil
+}
+
+func (e *RouteMapEntry) SetPrefixSet(ps *v1alpha1.PrefixSet) {
+	tdn := "/System/rpm-items/pfxlistv4-items/RuleV4-list[name='" + ps.Name + "']"
+	if ps.Is6() {
+		tdn = "/System/rpm-items/pfxlistv6-items/RuleV6-list[name='" + ps.Name + "']"
+	}
+	e.MrtdstItems.RsrtDstAttItems.RsRtDstAttList.Set(&RsRtDstAtt{TDn: tdn})
+}
+
+type RsRtDstAtt struct {
+	TDn string `json:"tDn"`
+}
+
+func (r *RsRtDstAtt) Key() string { return r.TDn }
+
+type CommItem struct {
+	Community string `json:"community"`
+}
+
+func (c *CommItem) Key() string { return c.Community }
+
+type ExtCommItem struct {
+	Community string        `json:"community"`
+	Scope     RtExtComScope `json:"scope"`
+}
+
+func (c *ExtCommItem) Key() ExtCommItem { return *c }
+
+type RtExtComScope string
+
+const (
+	RtExtComScopeTransitive    RtExtComScope = "transitive"
+	RtExtComScopeNonTransitive RtExtComScope = "non-transitive"
+)

internal/provider/cisco/nxos/routemap_test.go

@@ -0,0 +1,19 @@
+// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and IronCore contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package nxos
+
+func init() {
+	e := &RouteMapEntry{}
+	e.Order = 10
+	e.Action = ActionPermit
+	e.SrttItems.ItemItems.ItemList.Set(&ExtCommItem{Community: "route-target:as2-nn2:65137:107", Scope: RtExtComScopeTransitive})
+	e.SregcommItems.NoCommAttr = AdminStDisabled
+	e.SregcommItems.ItemItems.ItemList.Set(&CommItem{Community: "regular:as2-nn2:65137:107"})
+	e.MrtdstItems.RsrtDstAttItems.RsRtDstAttList.Set(&RsRtDstAtt{TDn: "/System/rpm-items/pfxlistv4-items/RuleV4-list[name='PL-CLOUD07']"})
+
+	rm := &RouteMap{}
+	rm.Name = "RM-REDIST"
+	rm.EntItems.EntryList.Set(e)
+	Register("route_map", rm)
+}

internal/provider/cisco/nxos/testdata/route_map.json

@@ -0,0 +1,48 @@
+{
+  "rpm-items": {
+    "rtmap-items": {
+      "Rule-list": [
+        {
+          "name": "RM-REDIST",
+          "ent-items": {
+            "Entry-list": [
+              {
+                "action": "permit",
+                "order": 10,
+                "srtt-items": {
+                  "item-items": {
+                    "Item-list": [
+                      {
+                        "community": "route-target:as2-nn2:65137:107",
+                        "scope": "transitive"
+                      }
+                    ]
+                  }
+                },
+                "sregcomm-items": {
+                  "noCommAttr": "disabled",
+                  "item-items": {
+                    "Item-list": [
+                      {
+                        "community": "regular:as2-nn2:65137:107"
+                      }
+                    ]
+                  }
+                },
+                "mrtdst-items": {
+                  "rsrtDstAtt-items": {
+                    "RsRtDstAtt-list": [
+                      {
+                        "tDn": "/System/rpm-items/pfxlistv4-items/RuleV4-list[name='PL-CLOUD07']"
+                      }
+                    ]
+                  }
+                }
+              }
+            ]
+          }
+        }
+      ]
+    }
+  }
+}

internal/provider/cisco/nxos/testdata/route_map.json.txt

@@ -0,0 +1,4 @@
+route-map RM-REDIST permit 10
+ match ip address prefix-list PL-CLOUD07
+ set community 65137:107
+ set extcommunity rt 65137:107