From: Stefan Hanreich
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-network v2 34/34] tests: add exit node with custom route map testcase
Date: Wed, 1 Apr 2026 16:39:43 +0200
Message-ID: <20260401143957.386809-35-s.hanreich@proxmox.com>
In-Reply-To: <20260401143957.386809-1-s.hanreich@proxmox.com>
References: <20260401143957.386809-1-s.hanreich@proxmox.com>
List-Id: Proxmox VE development discussion

This testcase simulates an exit node with a custom route map. It checks whether the stack still auto-generates the deny rules for default routes (otherwise traffic will loop between the exit nodes until TTL is exceeded) and only then jumps into the user-provided custom route map.

Signed-off-by: Stefan Hanreich --- .../expected_controller_config | 101 ++++++++++++++++++ .../expected_sdn_interfaces | 41 +++++++ .../zones/evpn/routemap_exit_node/interfaces | 7 ++ .../zones/evpn/routemap_exit_node/sdn_config | 71 ++++++++++++ 4 files changed, 220 insertions(+) create mode 100644 src/test/zones/evpn/routemap_exit_node/expected_controller_config create mode 100644 src/test/zones/evpn/routemap_exit_node/expected_sdn_interfaces create mode 100644 src/test/zones/evpn/routemap_exit_node/interfaces create mode 100644 src/test/zones/evpn/routemap_exit_node/sdn_config diff --git a/src/test/zones/evpn/routemap_exit_node/expected_controller_config b/src/test/zones/evpn/routemap_exit_node/expected_controller_config new file mode 100644 index 0000000..b581775 --- /dev/null +++ b/src/test/zones/evpn/routemap_exit_node/expected_controller_config 
@@ -0,0 +1,101 @@ +frr version 10.4.1 +frr defaults datacenter +hostname localhost +log syslog informational +service integrated-vtysh-config +! +vrf vrf_myzone + vni 1000 +exit-vrf +! +router bgp 65000 + bgp router-id 192.168.0.1 + no bgp hard-administrative-reset + no bgp default ipv4-unicast + coalesce-time 1000 + no bgp graceful-restart notification + neighbor VTEP peer-group + neighbor VTEP remote-as 65000 + neighbor VTEP bfd + neighbor 192.168.0.2 peer-group VTEP + neighbor 192.168.0.3 peer-group VTEP + ! + address-family ipv4 unicast + import vrf vrf_myzone + exit-address-family + ! + address-family ipv6 unicast + import vrf vrf_myzone + exit-address-family + ! + address-family l2vpn evpn + neighbor VTEP activate + neighbor VTEP route-map MAP_VTEP_IN in + neighbor VTEP route-map MAP_VTEP_OUT out + advertise-all-vni + exit-address-family +exit +! +router bgp 65000 vrf vrf_myzone + bgp router-id 192.168.0.1 + no bgp hard-administrative-reset + no bgp graceful-restart notification + ! + address-family ipv4 unicast + redistribute connected + exit-address-family + ! + address-family ipv6 unicast + redistribute connected + exit-address-family + ! + address-family l2vpn evpn + default-originate ipv4 + default-originate ipv6 + exit-address-family +exit +! +ip prefix-list only_default seq 1 permit 0.0.0.0/0 +! +ipv6 prefix-list only_default_v6 seq 1 permit ::/0 +! +route-map MAP_VTEP_IN deny 1 + match ip address prefix-list only_default +exit +! +route-map MAP_VTEP_IN deny 2 + match ipv6 address prefix-list only_default_v6 +exit +! +route-map MAP_VTEP_IN permit 3 + call map-in +exit +! +route-map MAP_VTEP_OUT permit 1 + call map-out +exit +! +route-map map-in deny 5 + set src 192.0.2.1 +exit +! +route-map map-in permit 123 + match ip next-hop address 192.0.2.45 + match metric 8347 + match local-preference 8347 + set ip next-hop 198.51.100.3 + set local-preference 1234 + set tag 999 +exit +! 
+route-map map-in deny 222 + match ip next-hop address 192.0.2.45 + match metric 8347 + match local-preference 8347 +exit +! +route-map map-out permit 999 +exit +! +line vty +! diff --git a/src/test/zones/evpn/routemap_exit_node/expected_sdn_interfaces b/src/test/zones/evpn/routemap_exit_node/expected_sdn_interfaces new file mode 100644 index 0000000..5ab3084 --- /dev/null +++ b/src/test/zones/evpn/routemap_exit_node/expected_sdn_interfaces @@ -0,0 +1,41 @@ +#version:1 + +auto myvnet +iface myvnet + address 10.0.0.1/24 + bridge_ports vxlan_myvnet + bridge_stp off + bridge_fd 0 + mtu 1450 + ip-forward on + arp-accept on + vrf vrf_myzone + +auto vrf_myzone +iface vrf_myzone + vrf-table auto + post-up ip route del vrf vrf_myzone unreachable default metric 4278198272 + +auto vrfbr_myzone +iface vrfbr_myzone + bridge-ports vrfvx_myzone + bridge_stp off + bridge_fd 0 + mtu 1450 + vrf vrf_myzone + +auto vrfvx_myzone +iface vrfvx_myzone + vxlan-id 1000 + vxlan-local-tunnelip 192.168.0.1 + bridge-learning off + bridge-arp-nd-suppress on + mtu 1450 + +auto vxlan_myvnet +iface vxlan_myvnet + vxlan-id 100 + vxlan-local-tunnelip 192.168.0.1 + bridge-learning off + bridge-arp-nd-suppress on + mtu 1450 diff --git a/src/test/zones/evpn/routemap_exit_node/interfaces b/src/test/zones/evpn/routemap_exit_node/interfaces new file mode 100644 index 0000000..66bb826 --- /dev/null +++ b/src/test/zones/evpn/routemap_exit_node/interfaces @@ -0,0 +1,7 @@ +auto vmbr0 +iface vmbr0 inet static + address 192.168.0.1/24 + gateway 192.168.0.254 + bridge-ports eth0 + bridge-stp off + bridge-fd 0 diff --git a/src/test/zones/evpn/routemap_exit_node/sdn_config b/src/test/zones/evpn/routemap_exit_node/sdn_config new file mode 100644 index 0000000..812c13b --- /dev/null +++ b/src/test/zones/evpn/routemap_exit_node/sdn_config 
@@ -0,0 +1,71 @@ +{ + version => 1, + vnets => { + ids => { + myvnet => { tag => "100", type => "vnet", zone => "myzone" }, + }, + }, + + zones => { + ids => { myzone => { ipam => "pve", type => "evpn", controller => + "evpnctl", 'vrf-vxlan' => 1000, exitnodes => { 'localhost' => 1 } } }, + }, + controllers => { + ids => { evpnctl => { type => "evpn", 'peers' => + '192.168.0.1,192.168.0.2,192.168.0.3', asn => "65000", + 'route-map-in' => 'map-in', 'route-map-out' => 'map-out' } }, + }, + + subnets => { + ids => { 'myzone-10.0.0.0-24' => { + 'type' => 'subnet', + 'vnet' => 'myvnet', + 'gateway' => '10.0.0.1', + } + } + }, + 'route-maps' => { + ids => { + 'map-in_222' => { + id => 'map-in_222', + type => 'route-map-entry', + action => 'deny', + match => [ + 'key=ip-next-hop-address,value=192.0.2.45', + 'key=metric,value=8347', + 'key=local-preference,value=8347', + ], + }, + 'map-in_5' => { + id => 'map-in_5', + type => 'route-map-entry', + action => 'deny', + set => [ + 'key=src,value=192.0.2.1' + ], + }, + 'map-in_123' => { + id => 'map-in_123', + type => 'route-map-entry', + action => 'permit', + match => [ + 'key=ip-next-hop-address,value=192.0.2.45', + 'key=metric,value=8347', + 'key=local-preference,value=8347', + ], + set => [ + 'key=ip-next-hop,value=198.51.100.3', + 'key=local-preference,value=1234', + 'key=tag,value=999', + ], + }, + 'map-out_999' => { + id => 'map-out_999', + type => 'route-map-entry', + action => 'permit', + } + } + } +} + + -- 2.47.3
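Review bot: In expected_controller_config, `route-map map-in deny 5` has only `set src 192.0.2.1` and no match clause, so it matches every route that reaches it: the later entries `map-in permit 123` and `map-in deny 222` are never evaluated, and the set clause on a deny entry has no effect because the route is dropped. Together with `route-map MAP_VTEP_IN permit 3` / `call map-in`, the expected config therefore rejects everything that gets past the two auto-generated default-route denies. If the fixture is only meant to check rendering and the position of the generated deny rules before the call, say so in the commit message; otherwise give entry 5 a match condition or make it a permit entry, so the expected output is also a policy that could run on an exit node.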
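Review bot: In sdn_config, the hunk ends with two empty added lines after the closing `}`, which git reports as a new blank line at EOF; please drop them. Also, the entries are declared as `map-in_222`, `map-in_5`, `map-in_123` while expected_controller_config lists them as 5, 123, 222, so the test apparently relies on the sequence numbers being sorted numerically rather than as strings. A one-line comment above `'route-maps'` stating that the declaration order is deliberate would keep someone from tidying it later and losing that coverage.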