diff --git a/data/templates/frr/rpki.frr.j2 b/data/templates/frr/rpki.frr.j2
index 384cbbe52..59724102c 100644
--- a/data/templates/frr/rpki.frr.j2
+++ b/data/templates/frr/rpki.frr.j2
@@ -1,18 +1,24 @@
!
{# as FRR does not support deleting the entire rpki section we leave it in place even when it's empty #}
rpki
{% if cache is vyos_defined %}
{% for peer, peer_config in cache.items() %}
{# port is mandatory and preference uses a default value #}
{% if peer_config.ssh.username is vyos_defined %}
rpki cache {{ peer | replace('_', '-') }} {{ peer_config.port }} {{ peer_config.ssh.username }} {{ peer_config.ssh.private_key_file }} {{ peer_config.ssh.public_key_file }} preference {{ peer_config.preference }}
{% else %}
rpki cache {{ peer | replace('_', '-') }} {{ peer_config.port }} preference {{ peer_config.preference }}
{% endif %}
{% endfor %}
{% endif %}
+{% if expire_interval is vyos_defined %}
+ rpki expire_interval {{ expire_interval }}
+{% endif %}
{% if polling_period is vyos_defined %}
rpki polling_period {{ polling_period }}
{% endif %}
+{% if retry_interval is vyos_defined %}
+ rpki retry_interval {{ retry_interval }}
+{% endif %}
exit
!
diff --git a/interface-definitions/protocols_rpki.xml.in b/interface-definitions/protocols_rpki.xml.in
index 6a38b2961..a2a0a2799 100644
--- a/interface-definitions/protocols_rpki.xml.in
+++ b/interface-definitions/protocols_rpki.xml.in
@@ -1,87 +1,113 @@
<?xml version="1.0" encoding="utf-8"?>
<interfaceDefinition>
<node name="protocols">
<children>
<node name="rpki" owner="${vyos_conf_scripts_dir}/protocols_rpki.py">
<properties>
<help>BGP prefix origin validation</help>
</properties>
<children>
<tagNode name="cache">
<properties>
<help>RPKI cache server address</help>
<valueHelp>
<format>ipv4</format>
<description>IP address of RPKI server</description>
</valueHelp>
<valueHelp>
<format>ipv6</format>
<description>IPv6 address of RPKI server</description>
</valueHelp>
<valueHelp>
<format>hostname</format>
<description>Fully qualified domain name of RPKI server</description>
</valueHelp>
<constraint>
<validator name="ip-address"/>
<validator name="fqdn"/>
</constraint>
</properties>
<children>
#include <include/port-number.xml.i>
<leafNode name="preference">
<properties>
<help>Preference of the cache server</help>
<valueHelp>
<format>u32:1-255</format>
<description>Preference of the cache server</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-255"/>
</constraint>
</properties>
</leafNode>
<node name="ssh">
<properties>
<help>RPKI SSH connection settings</help>
</properties>
<children>
<leafNode name="private-key-file">
<properties>
<help>RPKI SSH private key file</help>
<constraint>
<validator name="file-path"/>
</constraint>
</properties>
</leafNode>
<leafNode name="public-key-file">
<properties>
<help>RPKI SSH public key file path</help>
<constraint>
<validator name="file-path"/>
</constraint>
</properties>
</leafNode>
#include <include/generic-username.xml.i>
</children>
</node>
</children>
</tagNode>
+ <leafNode name="expire-interval">
+ <properties>
+ <help>Interval to wait before expiring the cache</help>
+ <valueHelp>
+ <format>u32:600-172800</format>
+ <description>Interval in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 600-172800"/>
+ </constraint>
+ </properties>
+ <defaultValue>7200</defaultValue>
+ </leafNode>
<leafNode name="polling-period">
<properties>
- <help>RPKI cache polling period</help>
+ <help>Cache polling interval</help>
<valueHelp>
<format>u32:1-86400</format>
- <description>Polling period in seconds</description>
+ <description>Interval in seconds</description>
</valueHelp>
<constraint>
<validator name="numeric" argument="--range 1-86400"/>
</constraint>
</properties>
<defaultValue>300</defaultValue>
</leafNode>
+ <leafNode name="retry-interval">
+ <properties>
+ <help>Retry interval to connect to the cache server</help>
+ <valueHelp>
+ <format>u32:1-7200</format>
+ <description>Interval in seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-7200"/>
+ </constraint>
+ </properties>
+ <defaultValue>600</defaultValue>
+ </leafNode>
</children>
</node>
</children>
</node>
</interfaceDefinition>
diff --git a/smoketest/scripts/cli/test_protocols_rpki.py b/smoketest/scripts/cli/test_protocols_rpki.py
index b43c626c4..c52c0dd76 100755
--- a/smoketest/scripts/cli/test_protocols_rpki.py
+++ b/smoketest/scripts/cli/test_protocols_rpki.py
@@ -1,156 +1,159 @@
#!/usr/bin/env python3
#
# Copyright (C) 2021-2024 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import unittest
from base_vyostest_shim import VyOSUnitTestSHIM
from vyos.configsession import ConfigSessionError
from vyos.utils.process import cmd
from vyos.utils.process import process_named_running
base_path = ['protocols', 'rpki']
PROCESS_NAME = 'bgpd'
rpki_ssh_key = '/config/auth/id_rsa_rpki'
rpki_ssh_pub = f'{rpki_ssh_key}.pub'
class TestProtocolsRPKI(VyOSUnitTestSHIM.TestCase):
@classmethod
def setUpClass(cls):
# call base-classes classmethod
super(TestProtocolsRPKI, cls).setUpClass()
# Retrieve FRR daemon PID - it is not allowed to crash, thus PID must remain the same
cls.daemon_pid = process_named_running(PROCESS_NAME)
# ensure we can also run this test on a live system - so lets clean
# out the current configuration :)
cls.cli_delete(cls, base_path)
def tearDown(self):
self.cli_delete(base_path)
self.cli_commit()
# Nothing RPKI specific should be left over in the config
# frrconfig = self.getFRRconfig('rpki')
# self.assertNotIn('rpki', frrconfig)
# check process health and continuity
self.assertEqual(self.daemon_pid, process_named_running(PROCESS_NAME))
def test_rpki(self):
- polling = '7200'
+ expire_interval = '3600'
+ polling_period = '600'
+ retry_interval = '300'
cache = {
'192.0.2.1' : {
'port' : '8080',
- 'preference' : '1'
- },
- '192.0.2.2' : {
- 'port' : '9090',
- 'preference' : '2'
+ 'preference' : '10'
},
'2001:db8::1' : {
'port' : '1234',
- 'preference' : '3'
+ 'preference' : '30'
},
- '2001:db8::2' : {
+ 'rpki.vyos.net' : {
'port' : '5678',
- 'preference' : '4'
+ 'preference' : '40'
},
}
- self.cli_set(base_path + ['polling-period', polling])
+ self.cli_set(base_path + ['expire-interval', expire_interval])
+ self.cli_set(base_path + ['polling-period', polling_period])
+ self.cli_set(base_path + ['retry-interval', retry_interval])
+
for peer, peer_config in cache.items():
self.cli_set(base_path + ['cache', peer, 'port', peer_config['port']])
self.cli_set(base_path + ['cache', peer, 'preference', peer_config['preference']])
# commit changes
self.cli_commit()
# Verify FRR configuration
frrconfig = self.getFRRconfig('rpki')
- self.assertIn(f'rpki polling_period {polling}', frrconfig)
+ self.assertIn(f'rpki expire_interval {expire_interval}', frrconfig)
+ self.assertIn(f'rpki polling_period {polling_period}', frrconfig)
+ self.assertIn(f'rpki retry_interval {retry_interval}', frrconfig)
for peer, peer_config in cache.items():
port = peer_config['port']
preference = peer_config['preference']
self.assertIn(f'rpki cache {peer} {port} preference {preference}', frrconfig)
def test_rpki_ssh(self):
polling = '7200'
cache = {
'192.0.2.3' : {
'port' : '1234',
'username' : 'foo',
'preference' : '10'
},
'192.0.2.4' : {
'port' : '5678',
'username' : 'bar',
'preference' : '20'
},
}
self.cli_set(base_path + ['polling-period', polling])
for peer, peer_config in cache.items():
self.cli_set(base_path + ['cache', peer, 'port', peer_config['port']])
self.cli_set(base_path + ['cache', peer, 'preference', peer_config['preference']])
self.cli_set(base_path + ['cache', peer, 'ssh', 'username', peer_config['username']])
self.cli_set(base_path + ['cache', peer, 'ssh', 'public-key-file', rpki_ssh_pub])
self.cli_set(base_path + ['cache', peer, 'ssh', 'private-key-file', rpki_ssh_key])
# commit changes
self.cli_commit()
# Verify FRR configuration
frrconfig = self.getFRRconfig('rpki')
self.assertIn(f'rpki polling_period {polling}', frrconfig)
for peer, peer_config in cache.items():
port = peer_config['port']
preference = peer_config['preference']
username = peer_config['username']
self.assertIn(f'rpki cache {peer} {port} {username} {rpki_ssh_key} {rpki_ssh_pub} preference {preference}', frrconfig)
def test_rpki_verify_preference(self):
cache = {
'192.0.2.1' : {
'port' : '8080',
'preference' : '1'
},
'192.0.2.2' : {
'port' : '9090',
'preference' : '1'
},
}
for peer, peer_config in cache.items():
self.cli_set(base_path + ['cache', peer, 'port', peer_config['port']])
self.cli_set(base_path + ['cache', peer, 'preference', peer_config['preference']])
# check validate() - preferences must be unique
with self.assertRaises(ConfigSessionError):
self.cli_commit()
if __name__ == '__main__':
# Create OpenSSH keypair used in RPKI tests
if not os.path.isfile(rpki_ssh_key):
cmd(f'ssh-keygen -t rsa -f {rpki_ssh_key} -N ""')
unittest.main(verbosity=2)