Add FRR NETCONF/YANG audit foundation #222
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f13a8cf8f4
| sys.path.insert(0, str(REPO / "scripts/netops")) | ||
| from frr_semantic import parse_frr_config, semantic_json # noqa: E402 | ||
| from render_frr_policy import effective_policy, load_intent, policy_json, render_policy_conf # noqa: E402 |
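Review bot: the static tests reach the parser and renderer through sys.path.insert(0, str(REPO / "scripts/netops")) followed by two imports carrying # noqa: E402, and every further test module that needs frr_semantic or render_frr_policy will have to repeat that path hack. A tests/conftest.py that extends sys.path once, or making scripts/netops importable as a package, keeps the imports at the top of each test file and drops the noqa markers.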
Include netops scripts in IaC change detection
These new static tests import the parser/renderer from scripts/netops, but the iac-tests.yml change detector only treats scripts/ci/ as an IaC path. A PR that changes only scripts/netops/frr_semantic.py or scripts/netops/render_frr_policy.py will set iac_changed=false and skip static-iac/ansible-idempotency, so regressions in the semantic or policy artifact generation can merge without running the parity checks added here.
| {% set netconf_sources = frr_netconf_allowed_sources_v6 | default([]) %} | ||
| {% if netconf_sources | length > 0 %} | ||
| # --- FRR NETCONF/YANG endpoint (disabled by default) --- | ||
| pass in quick on wg inet6 proto tcp from { {{ netconf_sources | join(', ') }} } to any port = {{ frr_netconf_port | default(830) }} flags S/SA keep state label "NETCONF_RULE: FRR NETCONF/YANG approved sources" |
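Review bot: the allowlist rule is inet6-only and keyed on frr_netconf_allowed_sources_v6, so it says nothing about IPv4 traffic reaching TCP port 830 on wg; either confirm that the WireGuard interfaces carry no IPv4 addresses or add a matching inet rule with its own allowlist variable. Emitting no rule at all when the list is empty is the right fail-closed default, but it only holds once this rule is evaluated before the broad "pass quick on wg all no state" line, since pf's quick stops evaluation at the first match.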
Gate NETCONF before the broad WireGuard pass
For FreeBSD routers with frr_netconf_endpoint_enabled=true, this allowlist does not actually constrain NETCONF access because pf.conf.j2 renders pass quick on wg all no state earlier, and quick stops evaluation before this source-restricted rule is reached. If the endpoint is enabled, any traffic arriving on a WireGuard interface can reach TCP/830 regardless of frr_netconf_allowed_sources_v6; the earlier WireGuard pass needs to be narrowed or ordered so port 830 is gated first.
ff44f07 to f13a8cf
Summary
configs/<router>/frr.conf
canonical.
ENABLE_NETCONF_YANG_TESTS.
Safety / production impact
frr_netconf_endpoint_enabled and frr_netconf_write_enabled default to false for routers.
Validation
scripts/ci/iac-static.sh
cd ansible && for playbook in playbooks/*.yml; do ansible-playbook "$playbook" --syntax-check >/dev/null || exit 1; done
python3 -m py_compile scripts/netops/frr_semantic.py scripts/netops/render_frr_policy.py tests/iac/containerlab/check_netconf_yang.py tests/iac/containerlab/netconf/netconf_smoke.py
bash -n scripts/ci/containerlab-netconf-yang-test.sh tests/iac/containerlab/netconf/entrypoint.sh tests/iac/containerlab/netconf/install-frr-yang-modules.sh
ANSIBLE_ROLES_PATH=ansible/roles ansible-lint ansible/playbooks/frr-yang.yml ansible/roles/frr_yang
Not run:
scripts/ci/containerlab-netconf-yang-test.sh because it builds a lab-only FRR/sysrepo/Netopeer2 image and is intended for trusted CI/manual execution.