bgp unnumbered plumbing

Author: rcgoodfellow

Cargo.lock

@@ -566,8 +566,8 @@ ntp-admin-api = { path = "ntp-admin/api" }
 ntp-admin-client = { path = "clients/ntp-admin-client" }
 ntp-admin-types = { path = "ntp-admin/types" }
 ntp-admin-types-versions = { path = "ntp-admin/types/versions" }
-mg-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "7f78e2b9ab37981e9edcf2e076a3257a032bbb06" }
-ddm-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "7f78e2b9ab37981e9edcf2e076a3257a032bbb06" }
+mg-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "f1ea4650fc95a95bbcd1a64d19a45c40e98286f7" }
+ddm-admin-client = { git = "https://github.com/oxidecomputer/maghemite", rev = "f1ea4650fc95a95bbcd1a64d19a45c40e98286f7" }
 multimap = "0.10.1"
 nexus-auth = { path = "nexus/auth" }
 nexus-background-task-interface = { path = "nexus/background-task-interface" }
@@ -697,7 +697,7 @@ rats-corim = { git = "https://github.com/oxidecomputer/rats-corim.git", rev = "f
 raw-cpuid = { git = "https://github.com/oxidecomputer/rust-cpuid.git", rev = "a4cf01df76f35430ff5d39dc2fe470bcb953503b" }
 rayon = "1.10"
 rcgen = "0.12.1"
-rdb-types = { git = "https://github.com/oxidecomputer/maghemite", rev = "7f78e2b9ab37981e9edcf2e076a3257a032bbb06" }
+rdb-types = { git = "https://github.com/oxidecomputer/maghemite", rev = "f1ea4650fc95a95bbcd1a64d19a45c40e98286f7" }
 reconfigurator-cli = { path = "dev-tools/reconfigurator-cli" }
 reedline = "0.40.0"
 ref-cast = "1.0"

Cargo.toml

@@ -3244,8 +3244,10 @@ pub struct BgpPeer {
     /// could be vlan47 to refer to a VLAN interface.
     pub interface_name: Name,
 
-    /// The address of the host to peer with.
-    pub addr: IpAddr,
+    /// The address of the host to peer with. If not provided, this is an
+    /// unnumbered BGP session that will be established over the interface
+    /// specified by `interface_name`.
+    pub addr: Option<IpAddr>,
 
     /// How long to hold peer connections between keepalives (seconds).
     pub hold_time: u32,

common/src/api/external/mod.rs

@@ -91,7 +91,9 @@ pub struct BgpPeerConfig {
     pub asn: u32,
     /// Switch port the peer is reachable on.
     pub port: String,
-    /// Address of the peer.
+    /// Address of the peer. Use `Ipv4Addr::UNSPECIFIED` to indicate an
+    /// unnumbered BGP session established over the interface specified by
+    /// `port`.
     pub addr: Ipv4Addr,
     /// How long to keep a session alive without a keepalive in seconds.
     /// Defaults to 6.

common/src/api/internal/shared/mod.rs

@@ -46,6 +46,7 @@ Downstairs Controller (debugging only) (client: dsc-client)
 
 Management Gateway Service (client: gateway-client)
     consumed by: dpd (dendrite/dpd) via 1 path
+    consumed by: mgd (maghemite/mgd) via 1 path
     consumed by: omicron-nexus (omicron/nexus) via 4 paths
     consumed by: omicron-sled-agent (omicron/sled-agent) via 1 path
     consumed by: wicketd (omicron/wicketd) via 3 paths

dev-tools/ls-apis/tests/api_dependencies.out

@@ -128,7 +128,7 @@ impl Into<external::BgpAnnouncement> for BgpAnnouncement {
 pub struct BgpPeerView {
     pub switch_location: String,
     pub port_name: String,
-    pub addr: IpNetwork,
+    pub addr: Option<IpNetwork>,
     pub asn: SqlU32,
     pub connect_retry: SqlU32,
     pub delay_open: SqlU32,

nexus/db-model/src/bgp.rs

@@ -16,7 +16,7 @@ use std::{collections::BTreeMap, sync::LazyLock};
 ///
 /// This must be updated when you change the database schema.  Refer to
 /// schema/crdb/README.adoc in the root of this repository for details.
-pub const SCHEMA_VERSION: Version = Version::new(217, 0, 0);
+pub const SCHEMA_VERSION: Version = Version::new(218, 0, 0);
 
 /// List of all past database schema versions, in *reverse* order
 ///
@@ -28,6 +28,7 @@ static KNOWN_VERSIONS: LazyLock<Vec<KnownVersion>> = LazyLock::new(|| {
         // |  leaving the first copy as an example for the next person.
         // v
         // KnownVersion::new(next_int, "unique-dirname-with-the-sql-files"),
+        KnownVersion::new(218, "bgp-unnumbered-peers"),
         KnownVersion::new(217, "multiple-default-ip-pools-per-silo"),
         KnownVersion::new(216, "add-trust-quorum"),
         KnownVersion::new(215, "support-up-to-12-disks"),

nexus/db-model/src/schema_versions.rs

@@ -650,10 +650,11 @@ impl Into<external::SwitchPortRouteConfig> for SwitchPortRouteConfig {
 )]
 #[diesel(table_name = switch_port_settings_bgp_peer_config)]
 pub struct SwitchPortBgpPeerConfig {
+    pub id: Uuid,
     pub port_settings_id: Uuid,
     pub bgp_config_id: Uuid,
     pub interface_name: Name,
-    pub addr: IpNetwork,
+    pub addr: Option<IpNetwork>,
     pub hold_time: SqlU32,
     pub idle_hold_time: SqlU32,
     pub delay_open: SqlU32,
@@ -740,10 +741,11 @@ impl SwitchPortBgpPeerConfig {
         p: &BgpPeer,
     ) -> Self {
         Self {
+            id: Uuid::new_v4(),
             port_settings_id,
             bgp_config_id,
             interface_name,
-            addr: p.addr.into(),
+            addr: p.addr.map(|a| a.into()),
             hold_time: p.hold_time.into(),
             idle_hold_time: p.idle_hold_time.into(),
             delay_open: p.delay_open.into(),

nexus/db-model/src/switch_port.rs

@@ -828,19 +828,28 @@ impl DataStore {
         Ok(results)
     }
 
+    /// Look up communities for a BGP peer.
+    ///
+    /// For numbered peers, pass `Some(addr)`. For unnumbered peers, pass `None`
+    /// (the function will query using the sentinel value 0.0.0.0/32).
     pub async fn communities_for_peer(
         &self,
         opctx: &OpContext,
         port_settings_id: Uuid,
         interface_name: &str,
-        addr: IpNetwork,
+        addr: Option<IpNetwork>,
     ) -> ListResultVec<SwitchPortBgpPeerConfigCommunity> {
         use nexus_db_schema::schema::switch_port_settings_bgp_peer_config_communities::dsl;
 
+        // For unnumbered peers (addr is None), use UNSPECIFIED as sentinel
+        let db_addr: IpNetwork = addr.unwrap_or_else(|| {
+            std::net::IpAddr::V4(std::net::Ipv4Addr::UNSPECIFIED).into()
+        });
+
         let results = dsl::switch_port_settings_bgp_peer_config_communities
             .filter(dsl::port_settings_id.eq(port_settings_id))
             .filter(dsl::interface_name.eq(interface_name.to_owned()))
-            .filter(dsl::addr.eq(addr))
+            .filter(dsl::addr.eq(db_addr))
             .load_async(&*self.pool_connection_authorized(opctx).await?)
             .await
             .map_err(|e| {
@@ -852,43 +861,66 @@ impl DataStore {
         Ok(results)
     }
 
+    /// Look up allowed exports for a BGP peer.
+    ///
+    /// For numbered peers, pass `Some(addr)`. For unnumbered peers, pass `None`.
     pub async fn allow_export_for_peer(
         &self,
         opctx: &OpContext,
         port_settings_id: Uuid,
         interface_name: &str,
-        addr: IpNetwork,
+        addr: Option<IpNetwork>,
     ) -> LookupResult<Option<Vec<SwitchPortBgpPeerConfigAllowExport>>> {
         use nexus_db_schema::schema::switch_port_settings_bgp_peer_config as db_peer;
         use nexus_db_schema::schema::switch_port_settings_bgp_peer_config::dsl as peer_dsl;
         use nexus_db_schema::schema::switch_port_settings_bgp_peer_config_allow_export as db_allow;
         use nexus_db_schema::schema::switch_port_settings_bgp_peer_config_allow_export::dsl;
 
+        // For unnumbered peers (addr is None), use UNSPECIFIED as sentinel
+        // for the allow_export table (which has non-nullable addr)
+        let db_addr: IpNetwork = addr.unwrap_or_else(|| {
+            std::net::IpAddr::V4(std::net::Ipv4Addr::UNSPECIFIED).into()
+        });
+
         let conn = self.pool_connection_authorized(opctx).await?;
         let err = OptionalError::new();
         self.transaction_retry_wrapper("bgp_allow_export_for_peer")
             .transaction(&conn, |conn| {
                 let err = err.clone();
                 async move {
-                    let active = peer_dsl::switch_port_settings_bgp_peer_config
-                        .filter(db_peer::port_settings_id.eq(port_settings_id))
-                        .filter(db_peer::addr.eq(addr))
-                        .select(db_peer::allow_export_list_active)
-                        .limit(1)
-                        .first_async::<bool>(&conn)
-                        .await
-                        .map_err(|e| {
-                            let msg = "failed to lookup export settings for peer";
-                            error!(opctx.log, "{msg}"; "error" => ?e);
+                    // Query the main peer config table. For unnumbered peers,
+                    // addr is NULL; for numbered peers, addr matches.
+                    let active = if addr.is_some() {
+                        peer_dsl::switch_port_settings_bgp_peer_config
+                            .filter(db_peer::port_settings_id.eq(port_settings_id))
+                            .filter(db_peer::addr.eq(addr))
+                            .select(db_peer::allow_export_list_active)
+                            .limit(1)
+                            .first_async::<bool>(&conn)
+                            .await
+                    } else {
+                        peer_dsl::switch_port_settings_bgp_peer_config
+                            .filter(db_peer::port_settings_id.eq(port_settings_id))
+                            .filter(db_peer::addr.is_null())
+                            .filter(db_peer::interface_name.eq(interface_name.to_owned()))
+                            .select(db_peer::allow_export_list_active)
+                            .limit(1)
+                            .first_async::<bool>(&conn)
+                            .await
+                    };
 
-                            match e {
-                                diesel::result::Error::NotFound => {
-                                    let not_found_msg = format!("peer with {addr} not found for port settings {port_settings_id}");
-                                    err.bail(Error::non_resourcetype_not_found(not_found_msg))
-                                },
-                                _ => err.bail(Error::internal_error(msg)),
-                            }
-                        })?;
+                    let active = active.map_err(|e| {
+                        let msg = "failed to lookup export settings for peer";
+                        error!(opctx.log, "{msg}"; "error" => ?e);
+
+                        match e {
+                            diesel::result::Error::NotFound => {
+                                let not_found_msg = format!("peer with {:?} not found for port settings {port_settings_id}", addr);
+                                err.bail(Error::non_resourcetype_not_found(not_found_msg))
+                            },
+                            _ => err.bail(Error::internal_error(msg)),
+                        }
+                    })?;
 
                     if !active {
                         return Ok(None);
@@ -903,7 +935,7 @@ impl DataStore {
                             db_allow::interface_name
                                 .eq(interface_name.to_owned()),
                         )
-                        .filter(db_allow::addr.eq(addr))
+                        .filter(db_allow::addr.eq(db_addr))
                         .load_async(&conn)
                         .await?;
 
@@ -923,44 +955,67 @@ impl DataStore {
             })
     }
 
+    /// Look up allowed imports for a BGP peer.
+    ///
+    /// For numbered peers, pass `Some(addr)`. For unnumbered peers, pass `None`.
     pub async fn allow_import_for_peer(
         &self,
         opctx: &OpContext,
         port_settings_id: Uuid,
         interface_name: &str,
-        addr: IpNetwork,
+        addr: Option<IpNetwork>,
     ) -> LookupResult<Option<Vec<SwitchPortBgpPeerConfigAllowImport>>> {
         use nexus_db_schema::schema::switch_port_settings_bgp_peer_config as db_peer;
         use nexus_db_schema::schema::switch_port_settings_bgp_peer_config::dsl as peer_dsl;
         use nexus_db_schema::schema::switch_port_settings_bgp_peer_config_allow_import as db_allow;
         use nexus_db_schema::schema::switch_port_settings_bgp_peer_config_allow_import::dsl;
 
+        // For unnumbered peers (addr is None), use UNSPECIFIED as sentinel
+        // for the allow_import table (which has non-nullable addr)
+        let db_addr: IpNetwork = addr.unwrap_or_else(|| {
+            std::net::IpAddr::V4(std::net::Ipv4Addr::UNSPECIFIED).into()
+        });
+
         let err = OptionalError::new();
         let conn = self.pool_connection_authorized(opctx).await?;
         self
             .transaction_retry_wrapper("bgp_allow_import_for_peer")
             .transaction(&conn, |conn| {
                 let err = err.clone();
                 async move {
-                    let active = peer_dsl::switch_port_settings_bgp_peer_config
-                        .filter(db_peer::port_settings_id.eq(port_settings_id))
-                        .filter(db_peer::addr.eq(addr))
-                        .select(db_peer::allow_import_list_active)
-                        .limit(1)
-                        .first_async::<bool>(&conn)
-                        .await
-                        .map_err(|e| {
-                            let msg = "failed to lookup import settings for peer";
-                            error!(opctx.log, "{msg}"; "error" => ?e);
+                    // Query the main peer config table. For unnumbered peers,
+                    // addr is NULL; for numbered peers, addr matches.
+                    let active = if addr.is_some() {
+                        peer_dsl::switch_port_settings_bgp_peer_config
+                            .filter(db_peer::port_settings_id.eq(port_settings_id))
+                            .filter(db_peer::addr.eq(addr))
+                            .select(db_peer::allow_import_list_active)
+                            .limit(1)
+                            .first_async::<bool>(&conn)
+                            .await
+                    } else {
+                        peer_dsl::switch_port_settings_bgp_peer_config
+                            .filter(db_peer::port_settings_id.eq(port_settings_id))
+                            .filter(db_peer::addr.is_null())
+                            .filter(db_peer::interface_name.eq(interface_name.to_owned()))
+                            .select(db_peer::allow_import_list_active)
+                            .limit(1)
+                            .first_async::<bool>(&conn)
+                            .await
+                    };
 
-                            match e {
-                                diesel::result::Error::NotFound => {
-                                    let not_found_msg = format!("peer with {addr} not found for port settings {port_settings_id}");
-                                    err.bail(Error::non_resourcetype_not_found(not_found_msg))
-                                },
-                                _ => err.bail(Error::internal_error(msg)),
-                            }
-                        })?;
+                    let active = active.map_err(|e| {
+                        let msg = "failed to lookup import settings for peer";
+                        error!(opctx.log, "{msg}"; "error" => ?e);
+
+                        match e {
+                            diesel::result::Error::NotFound => {
+                                let not_found_msg = format!("peer with {:?} not found for port settings {port_settings_id}", addr);
+                                err.bail(Error::non_resourcetype_not_found(not_found_msg))
+                            },
+                            _ => err.bail(Error::internal_error(msg)),
+                        }
+                    })?;
 
                     if !active {
                         return Ok(None);
@@ -975,7 +1030,7 @@ impl DataStore {
                             db_allow::interface_name
                                 .eq(interface_name.to_owned()),
                         )
-                        .filter(db_allow::addr.eq(addr))
+                        .filter(db_allow::addr.eq(db_addr))
                         .load_async(&conn)
                         .await?;