switch to irrd graphql API and yaml filter format

Author: unfokus

README.md

@@ -9,7 +9,7 @@ The output is quite specific to our setup and automation stack, so consider it n
 ## Architecture
 
 The tooling connects to the [Peering-Manager](https://peering-manager.net/) API to fetch BGP sessions.
-Then it generates filters for those sessions using the tool bgpq4 that fetches data from an IRR server as data source.
+Then it generates filters for those sessions using the IRRD GraphQL API.
 
 We're not only using this to manage peering sessions, but *all* eBGP sessions, so transit and downstream as well.
 
@@ -117,8 +117,6 @@ If you are using Nix as a package manager you can can start right away using the
 For everyone else:
 - Install Python3 packages listed in `requirements.txt`
   - `pip3 install -r requirements.txt`
-- bgpq4
-  - `apt install bgpq4`
 
 
 ### Usage

flake.nix

@@ -45,7 +45,6 @@
 
         devShell = pkgs.mkShell {
           buildInputs = with pkgs; [
-            bgpq4
             wanda.dependencyEnv
           ];
         };

nixos-test.nix

@@ -12,7 +12,7 @@
         abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
       '';
     };
-    environment.systemPackages = with pkgs; [ wanda wandaTestEnv bgpq4 ];
+    environment.systemPackages = with pkgs; [ wanda wandaTestEnv ];
   };
 
   testScript = { nodes }: let

wanda/as_filter/as_filter.py

@@ -24,88 +24,26 @@ def prefix_lists(self):
         irr_names = self.autos.get_irr_names()
 
         for irr_name in irr_names:
-            result_entries_v4_cleaned, result_entries_v6_cleaned = self.irrd_client.generate_prefix_lists(irr_name)
+            result_entries_v4, result_entries_v6 = self.irrd_client.generate_prefix_lists(irr_name)
 
-            v4_set.update(result_entries_v4_cleaned)
-            v6_set.update(result_entries_v6_cleaned)
+            v4_set.update(result_entries_v4)
+            v6_set.update(result_entries_v6)
 
         if len(v4_set) == 0 and len(v6_set) == 0 and self.is_customer:
             raise Exception(
                 f"{self.autos} has neither IPv4, nor IPv6 filter lists. Since AS is our customer, we forbid this for security reasons.")
 
-        return v4_set, v6_set
+        return list(v4_set), list(v6_set)
 
     def get_filter_lists(self, enable_extended_filters=False):
 
         irr_names = self.autos.get_irr_names()
-        file_content = self.irrd_client.generate_input_aspath_access_list(self.autos.asn, irr_names[0])
-
-        if file_content is None:
-            l.warning(f"{self.autos} could not generate as-path access-lists, this breaks configuration syntax..")
-            return ""
+        filters = {}
+        filters['origin_asns'] = self.irrd_client.generate_input_aspath_access_list(self.autos.asn, irr_names[0])
 
         if enable_extended_filters:
             v4_set, v6_set = self.prefix_lists
+            filters[f"v4_prefixes_{self.autos.asn}"] = v4_set
+            filters[f"v6_prefixes_{self.autos.asn}"] = v6_set
 
-            v4_tmpl = ';\n    '.join(sorted(v4_set))
-            v6_tmpl = ';\n    '.join(sorted(v6_set))
-
-            file_content += f"""
-prefix-list AS{self.autos.asn}_V4 {{
-    {v4_tmpl}
-}}
-
-prefix-list AS{self.autos.asn}_V6 {{
-    {v6_tmpl}
-}}
-
-policy-statement POLICY_AS{self.autos.asn}_V4 {{
-    term FILTER_LISTS {{
-        from {{
-            as-path-neighbors as-list AS{self.autos.asn}_NEIGHBOR;
-            as-path-origins as-list-group AS{self.autos.asn}_ORIGINS;
-            prefix-list-filter AS{self.autos.asn}_V4 orlonger;
-        }}
-        then next policy;
-    }}
-    then reject;
-}}
-
-policy-statement POLICY_AS{self.autos.asn}_V6 {{
-    term FILTER_LISTS {{
-        from {{
-            as-path-neighbors as-list AS{self.autos.asn}_NEIGHBOR;
-            as-path-origins as-list-group AS{self.autos.asn}_ORIGINS;
-            prefix-list-filter AS{self.autos.asn}_V6 orlonger;
-        }}
-        then next policy;
-    }}
-    then reject;
-}}
-                """
-        else:
-            file_content += f"""
-policy-statement POLICY_AS{self.autos.asn}_V4 {{
-    term IMPORT_AS_PATHS {{
-        from {{
-            as-path-neighbors as-list AS{self.autos.asn}_NEIGHBOR;
-            as-path-origins as-list-group AS{self.autos.asn}_ORIGINS;
-        }}
-        then next policy;
-    }}
-    then reject;
-}}
-
-policy-statement POLICY_AS{self.autos.asn}_V6 {{
-    term IMPORT_AS_PATHS {{
-        from {{
-            as-path-neighbors as-list AS{self.autos.asn}_NEIGHBOR;
-            as-path-origins as-list-group AS{self.autos.asn}_ORIGINS;
-        }}
-        then next policy;
-    }}
-    then reject;
-}}
-                """
-
-        return file_content
+        return filters

wanda/bgp_dg_generation.py

@@ -289,7 +289,7 @@ def main_bgp(enlighten_manager, sync_manager, peering_manager_instance, wanda_co
 
     config_hosts = wanda_configuration.get('devices', [])
 
-    enabled_routers = list(filter(lambda r: ((not hosts) or (r['hostname'] in hosts)) and ((not config_hosts) or (r['name'] in config_hosts)), routers))
+    enabled_routers = list(filter(lambda r: ((not hosts) or (r['hostname'] in hosts)) and ((not config_hosts) or (r['hostname'] in config_hosts)), routers))
     e_routers = enlighten_manager.counter(total=len(enabled_routers), desc='Generating Configurations', unit='Router')
 
     for router in enabled_routers:

wanda/filter_list_generation.py

@@ -2,6 +2,7 @@
 import platform
 from collections import defaultdict
 from multiprocessing.pool import Pool
+import yaml
 
 from wanda.as_filter.as_filter import ASFilter
 from wanda.autonomous_system.autonomous_system import AutonomousSystem
@@ -65,11 +66,12 @@ def main_customer_filter_lists(
     router_per_as = {}
     enabled_asn = set()
     extended_filtering_as = set()
+    config_hosts = wanda_configuration.get('devices', [])
 
     for dp in dp_list:
         router_hostname = dp['router']['hostname']
 
-        if hosts and router_hostname not in hosts:
+        if (hosts and router_hostname not in hosts) or router_hostname not in config_hosts:
             continue
 
         asn = dp['autonomous_system']['asn']
@@ -96,12 +98,12 @@ def main_customer_filter_lists(
         asn = ixp['autonomous_system']['asn']
         router_hostname = connection['router']['hostname']
 
-        if hosts and router_hostname not in hosts:
+        if (hosts and router_hostname not in hosts) or router_hostname not in config_hosts:
             continue
 
         if ixp['is_route_server']:
             if router_hostname not in router_per_as:
-                router_per_as[router_hostname] = {}
+                router_per_as[router_hostname] = set()
             continue
 
         enabled_asn.add(asn)
@@ -159,14 +161,13 @@ def main_customer_filter_lists(
             l.info(f"Skipping {router['hostname']}, because there is no 'automated' tag. ")
             continue
 
-        config_parts = []
+        config_parts = {}
 
         for asn in as_list:
             if asn in filter_lists:
-                config_parts.append(filter_lists[asn])
+                config_parts[f"AS{asn}"] = filter_lists[asn]
 
-        pathlib.Path("./generated_vars").mkdir(parents=True, exist_ok=True)
-        with open('./generated_vars/filter_groups-' + router_hostname + '.tmpl', 'w') as yaml_file:
-            yaml_file.write("\n".join(config_parts))
+        with open('./machines/' + router_hostname.split(".")[0] + '/generated-wanda-filters.yaml', 'w') as yaml_file:
+            yaml_file.write(yaml.safe_dump(config_parts))
 
     return 0

wanda/irrd_client.py

@@ -1,4 +1,5 @@
-import subprocess
+import requests
+import json
 import re
 
 from wanda.logger import Logger
@@ -8,74 +9,49 @@
 
 class IRRDClient:
 
-    POSSIBLE_RETRIES = 3
-
     def __init__(self, irrd_url):
-        self.data = []
-        self.irrdURL = irrd_url
-        self.host_params = ['-h', irrd_url]
-
-    def call_subprocess(self, command_array):
-
-        current_try = 1
-
-        while current_try <= self.POSSIBLE_RETRIES:
-            result = subprocess.run(command_array, capture_output=True)
-            if result.returncode == 0:
-                result_str = result.stdout.decode("utf-8")
-                return result_str
+        self.irrdURL = f"https://{irrd_url}/graphql/"
 
-            current_try += 1
+    def fetch_graphql_data(self, query):
+      response = requests.post(url=self.irrdURL, json={"query": query})
+      if response.status_code == 200:
+          return json.loads(response.content)["data"]
 
-        l.error(f"Failed to execute command: {' '.join(command_array)}")
-        raise Exception("bgpq4 could not be called successfully, this may be an programming error or a bad internet connection.")
-
-    def call_bgpq4_aspath_access_list(self, asn, irr_name):
-        command_array = ["bgpq4", *self.host_params, "-H", str(asn), "-W 100", "-J", "-l", f"AS{asn}_ORIGINS", irr_name]
-        return self.call_subprocess(command_array)
+      return None
 
     def generate_input_aspath_access_list(self, asn, irr_name):
-        # bgpq4 AS-TELIANET-V6 -H 1299 -W 100 -J -l AS1299_ORIGINS
-        result_str = self.call_bgpq4_aspath_access_list(asn, irr_name)
-        m = re.search(r'.*as-list-group.*{(.|\n)*?}', result_str)
-
-        if m:
-            # Technically, only adding the AS..._NEIGHBOR list would work, but we do some cleaning for better quality of the generated configuration
-
-            lines = m[0].split("\n")
-            new_lines = list()
-            new_lines.append(f"as-list AS{asn}_NEIGHBOR members {asn};")
-            indent_count = 0
+        if re.match(r"^AS\d+$", irr_name):
+            return [ irr_name[2:] ]
 
-            for line in lines:
-                line_without_prefixed_spaces = line.lstrip()
+        body = f"""
+          {{
+              recursiveSetMembers(setNames: ["{irr_name}"], depth: 5) {{ members }}
+          }}
+        """
+        result = self.fetch_graphql_data(body)
 
-                if '}' in line_without_prefixed_spaces:
-                    indent_count -= 1
+        # return unique members that are ASNs
+        members = set(result["recursiveSetMembers"][0]["members"])
+        return [int(i[2:]) for i in members if re.match(r"^AS\d+$", i)]
 
-                spaces = [" " for _ in range(indent_count * 4)]
-                new_lines.append("".join(spaces) + line_without_prefixed_spaces)
-
-                if '{' in line_without_prefixed_spaces:
-                    indent_count += 1
-
-            return "\n".join(new_lines)
-
-        return None
-
-    def call_bgpq4_prefix_lists(self, irr_name, ip_version):
-        command_array = ["bgpq4", *self.host_params, f"-{ip_version}", "-F", "%n/%l\n", irr_name]
-        return self.call_subprocess(command_array)
 
     def generate_prefix_lists(self, irr_name):
-        result_v4 = self.call_bgpq4_prefix_lists(irr_name, 4)
-        result_v6 = self.call_bgpq4_prefix_lists(irr_name, 6)
-
-        result_entries_v4 = result_v4.splitlines()
-        result_entries_v6 = result_v6.splitlines()
-
-        # Stripping empty lines
-        result_entries_v4_cleaned = [x for x in result_entries_v4 if x]
-        result_entries_v6_cleaned = [x for x in result_entries_v6 if x]
-
-        return result_entries_v4_cleaned, result_entries_v6_cleaned
+        if re.match(r"^AS\d+$", irr_name):
+            # ASNs
+            body = f"""
+              {{
+                v4: asnPrefixes(asns: ["{irr_name[2:]}"], ipVersion: 4) {{ prefixes }}
+                v6: asnPrefixes(asns: ["{irr_name[2:]}"], ipVersion: 6) {{ prefixes }}
+              }}
+            """
+        else:
+            # AS-Set
+            body = f"""
+              {{
+                v4: asSetPrefixes(setNames: ["{irr_name}"], ipVersion: 4) {{ prefixes }}
+                v6: asSetPrefixes(setNames: ["{irr_name}"], ipVersion: 6) {{ prefixes }}
+              }}
+            """
+        result = self.fetch_graphql_data(body)
+
+        return result["v4"][0]["prefixes"], result["v6"][0]["prefixes"]