From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id 292A71FF139
	for <inbox@lore.proxmox.com>; Tue, 24 Feb 2026 14:26:48 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 8BD57B05F;
	Tue, 24 Feb 2026 14:27:40 +0100 (CET)
Message-ID: <fb6bf0bb-371f-4c8a-b776-24d67184b15f@proxmox.com>
Date: Tue, 24 Feb 2026 14:27:04 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [PATCH pve-network 10/10] test: add test for frr.conf.local
 merging
To: pve-devel@lists.proxmox.com
References: <20260203160246.353351-1-g.goller@proxmox.com>
 <20260203160246.353351-22-g.goller@proxmox.com>
Content-Language: en-US
From: Stefan Hanreich <s.hanreich@proxmox.com>
In-Reply-To: <20260203160246.353351-22-g.goller@proxmox.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-SPAM-LEVEL: Spam detection results:  0
	AWL                    -0.344 Adjusted score from AWL reputation of From:
 address
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_MISSING             0.1 Missing DMARC policy
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment
	RCVD_IN_VALIDITY_CERTIFIED_BLOCKED  1.179 ADMINISTRATOR NOTICE: The query to
 Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
	RCVD_IN_VALIDITY_RPBL_BLOCKED  0.717 ADMINISTRATOR NOTICE: The query to
 Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
	RCVD_IN_VALIDITY_SAFE_BLOCKED  0.236 ADMINISTRATOR NOTICE: The query to
 Validity was blocked.  See
 https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
 information.
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_PASS               -0.001 SPF: sender matches SPF record
Message-ID-Hash: HRQIVFAQ3XLNYT4WZEKATZX4UVBF5Z5Y
X-Message-ID-Hash: HRQIVFAQ3XLNYT4WZEKATZX4UVBF5Z5Y
X-MailFrom: s.hanreich@proxmox.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Owner: <mailto:pve-devel-owner@lists.proxmox.com>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Subscribe: <mailto:pve-devel-join@lists.proxmox.com>
List-Unsubscribe: <mailto:pve-devel-leave@lists.proxmox.com>

I've scoured the forum for posts of users utilizing frr.conf.local to
override the generated FRR configuration. The following additional
features / snippets would be interesting to include as well imo:


interface sections for fabrics, e.g.:

  interface vmbr0
   no ip ospf passive
  exit
  !
  interface iface2
   ip ospf area 192.0.2.0/24
  exit
  !


OSPF router additons:

  router ospf
   passive-interface default
  exit


Zebra nexthop options:

  ip nht resolve-via-default


Override route-map completely:

  router bgp 65000
   address-family l2vpn evpn
    no neighbor VTEP route-map MAP_VTEP_IN in
    neighbor VTEP route-map MAP_VTEP_IN_CUSTOM in
   exit-address-family
  exit


Custom routes:

  ip route 192.0.2.0/24 198.51.100.1


IP protocol route-map setting:

  ip protocol bgp route-map correct_src


Set additional options for existing peer-groups:

  neighbor BGP prefix-list MY_PREFIX_LIST out
  neighbor BGP allowas-in 1


remove existing peer-group:

 no neighbor VTEP peer-group


Override ASN:

 neighbor BGP remote-as 64600



The OSPF / interface additions might even be worth a second test case?

Not sure if all the others can be condensed into one test case, or would
require specific ones as well...

For some of those, ordering is quite important - so it would make sense
to double-check proper ordering after mergin as well for stuff that
overrides with no explicit 'no' statement.


On 2/3/26 5:04 PM, Gabriel Goller wrote:
> Add a test that tests the frr.conf.local merging. This should ensure we
> do not run into further regressions. The test also "succeeds" with the
> pre-templates version, there are just some whitespace and "!" issues.
> Also the route-maps are merged instead of pushed with higher sequence
> number. This shouldn't change anything.
> 
> Signed-off-by: Gabriel Goller <g.goller@proxmox.com>
> ---
>  src/test/run_test_zones.pl                    | 16 ++++-
>  .../expected_controller_config                | 61 +++++++++++++++++++
>  .../frr_local_merge/expected_sdn_interfaces   | 42 +++++++++++++
>  .../zones/evpn/frr_local_merge/frr.conf.local | 30 +++++++++
>  .../zones/evpn/frr_local_merge/interfaces     |  7 +++
>  .../zones/evpn/frr_local_merge/sdn_config     | 24 ++++++++
>  6 files changed, 177 insertions(+), 3 deletions(-)
>  create mode 100644 src/test/zones/evpn/frr_local_merge/expected_controller_config
>  create mode 100644 src/test/zones/evpn/frr_local_merge/expected_sdn_interfaces
>  create mode 100644 src/test/zones/evpn/frr_local_merge/frr.conf.local
>  create mode 100644 src/test/zones/evpn/frr_local_merge/interfaces
>  create mode 100644 src/test/zones/evpn/frr_local_merge/sdn_config
> 
> diff --git a/src/test/run_test_zones.pl b/src/test/run_test_zones.pl
> index 905b2f42e1dc..806225735e6b 100755
> --- a/src/test/run_test_zones.pl
> +++ b/src/test/run_test_zones.pl
> @@ -126,12 +126,22 @@ foreach my $test (@tests) {
>              reload_controller => sub {
>                  return;
>              },
> -            read_local_frr_config => sub {
> -                return;
> -            },
>          );
>      }
>  
> +    # Mock read_local_frr_config in PVE::Network::SDN::Frr to support testing frr.conf.local merging
> +    my $frr_local_config;
> +    my $frr_local_path = "./$test/frr.conf.local";
> +    if (-e $frr_local_path) {
> +        $frr_local_config = read_file($frr_local_path);
> +    }
> +    my $mocked_frr = Test::MockModule->new('PVE::Network::SDN::Frr');
> +    $mocked_frr->mock(
> +        read_local_frr_config => sub {
> +            return $frr_local_config;
> +        },
> +    );
> +
>      my $name = $test;
>      my $expected = read_file("./$test/expected_sdn_interfaces");
>  
> diff --git a/src/test/zones/evpn/frr_local_merge/expected_controller_config b/src/test/zones/evpn/frr_local_merge/expected_controller_config
> new file mode 100644
> index 000000000000..9d47e080bf7a
> --- /dev/null
> +++ b/src/test/zones/evpn/frr_local_merge/expected_controller_config
> @@ -0,0 +1,61 @@
> +frr version 10.4.1
> +frr defaults datacenter
> +hostname localhost
> +log syslog informational
> +service integrated-vtysh-config
> +!
> +vrf vrf_myzone
> + vni 1000
> +exit-vrf
> +!
> +router bgp 65000
> + bgp router-id 192.168.0.1
> + no bgp hard-administrative-reset
> + no bgp default ipv4-unicast
> + coalesce-time 1000
> + no bgp graceful-restart notification
> + neighbor VTEP peer-group
> + neighbor VTEP remote-as 65000
> + neighbor VTEP bfd
> + neighbor 192.168.0.2 peer-group VTEP
> + neighbor 192.168.0.3 peer-group VTEP
> + neighbor 192.168.1.1 remote-as 65001
> + neighbor 192.168.1.1 description "External Peer"
> + address-family ipv4 unicast
> +  neighbor VTEP activate
> + exit-address-family
> + !
> + address-family l2vpn evpn
> +  neighbor VTEP activate
> +  neighbor VTEP route-map MAP_VTEP_IN in
> +  neighbor VTEP route-map MAP_VTEP_OUT out
> +  advertise-svi-ip
> +  advertise-all-vni
> + exit-address-family
> +exit
> +!
> +router bgp 65000 vrf vrf_myzone
> + bgp router-id 192.168.0.1
> + no bgp hard-administrative-reset
> + no bgp graceful-restart notification
> +exit
> +!
> +route-map MAP_VTEP_IN permit 1
> +exit
> +!
> +route-map MAP_VTEP_OUT permit 1
> + set community 65000:100
> +exit
> +route-map MAP_VTEP_IN permit 2
> + set community 65000:200
> +exit
> +!
> +ip prefix-list PL_ALLOW seq 10 permit 10.0.0.0/8 le 24
> +route-map CUSTOM_MAP permit 10
> + match ip address prefix-list PL_ALLOW
> +exit
> +!
> +bgp community-list standard CL_LOCAL permit 65000:200
> +!
> +line vty
> +!
> diff --git a/src/test/zones/evpn/frr_local_merge/expected_sdn_interfaces b/src/test/zones/evpn/frr_local_merge/expected_sdn_interfaces
> new file mode 100644
> index 000000000000..9d1c64c0f3fa
> --- /dev/null
> +++ b/src/test/zones/evpn/frr_local_merge/expected_sdn_interfaces
> @@ -0,0 +1,42 @@
> +#version:1
> +
> +auto myvnet
> +iface myvnet
> +	address 10.0.0.1/24
> +	hwaddress A2:1D:CB:1A:C0:8B
> +	bridge_ports vxlan_myvnet
> +	bridge_stp off
> +	bridge_fd 0
> +	mtu 1450
> +	ip-forward on
> +	arp-accept on
> +	vrf vrf_myzone
> +
> +auto vrf_myzone
> +iface vrf_myzone
> +	vrf-table auto
> +	post-up ip route add vrf vrf_myzone unreachable default metric 4278198272
> +
> +auto vrfbr_myzone
> +iface vrfbr_myzone
> +	bridge-ports vrfvx_myzone
> +	bridge_stp off
> +	bridge_fd 0
> +	mtu 1450
> +	vrf vrf_myzone
> +
> +auto vrfvx_myzone
> +iface vrfvx_myzone
> +	vxlan-id 1000
> +	vxlan-local-tunnelip 192.168.0.1
> +	bridge-learning off
> +	bridge-arp-nd-suppress on
> +	mtu 1450
> +
> +auto vxlan_myvnet
> +iface vxlan_myvnet
> +	vxlan-id 100
> +	vxlan-local-tunnelip 192.168.0.1
> +	bridge-learning off
> +	bridge-arp-nd-suppress on
> +	mtu 1450
> diff --git a/src/test/zones/evpn/frr_local_merge/frr.conf.local b/src/test/zones/evpn/frr_local_merge/frr.conf.local
> new file mode 100644
> index 000000000000..a08f805cdabc
> --- /dev/null
> +++ b/src/test/zones/evpn/frr_local_merge/frr.conf.local
> @@ -0,0 +1,30 @@
> +!
> +! Custom FRR configuration to be merged
> +!
> +router bgp 65000
> + neighbor 192.168.1.1 remote-as 65001
> + neighbor 192.168.1.1 description "External Peer"
> + address-family l2vpn evpn
> +  advertise-svi-ip
> + exit-address-family
> + address-family ipv4 unicast
> +  neighbor VTEP activate
> + exit-address-family
> +exit
> +!
> +route-map MAP_VTEP_OUT permit 1
> + set community 65000:100
> +exit
> +!
> +route-map MAP_VTEP_IN permit 2
> + set community 65000:200
> +exit
> +!
> +ip prefix-list PL_ALLOW seq 10 permit 10.0.0.0/8 le 24
> +!
> +route-map CUSTOM_MAP permit 10
> + match ip address prefix-list PL_ALLOW
> +exit
> +!
> +bgp community-list standard CL_LOCAL permit 65000:200
> +!
> diff --git a/src/test/zones/evpn/frr_local_merge/interfaces b/src/test/zones/evpn/frr_local_merge/interfaces
> new file mode 100644
> index 000000000000..66bb826a44b3
> --- /dev/null
> +++ b/src/test/zones/evpn/frr_local_merge/interfaces
> @@ -0,0 +1,7 @@
> +auto vmbr0
> +iface vmbr0 inet static
> +	address 192.168.0.1/24
> +	gateway 192.168.0.254
> +        bridge-ports eth0
> +        bridge-stp off
> +        bridge-fd 0
> diff --git a/src/test/zones/evpn/frr_local_merge/sdn_config b/src/test/zones/evpn/frr_local_merge/sdn_config
> new file mode 100644
> index 000000000000..d6e44b7593c2
> --- /dev/null
> +++ b/src/test/zones/evpn/frr_local_merge/sdn_config
> @@ -0,0 +1,24 @@
> +{
> +    version => 1,
> +            vnets   => {
> +                ids => {
> +                    myvnet => { tag => "100", type => "vnet", zone => "myzone" },
> +                },
> +            },
> +
> +            zones   => {
> +                ids => { myzone => { ipam => "pve", type => "evpn", controller => "evpnctl", 'vrf-vxlan' => 1000, 'mac' => 'A2:1D:CB:1A:C0:8B' } },
> +            },
> +            controllers  => {
> +                ids => { evpnctl => { type => "evpn", 'peers' => '192.168.0.1,192.168.0.2,192.168.0.3', asn => "65000" } },
> +            },
> +
> +            subnets => {
> +                ids => { 'myzone-10.0.0.0-24' => {
> +                    'type' => 'subnet',
> +                    'vnet' => 'myvnet',
> +                    'gateway' => '10.0.0.1',
> +                }
> +                }
> +            }
> +}