PAN: fix up default BGP AF capabilities (#6563)

AllowRemoteAsOut is true; Warn in the case where we do not support correct enable-sender-side-loop-detection semantics

projects/batfish/src/main/antlr4/org/batfish/grammar/palo_alto/PaloAltoLexer.g4

@@ -468,6 +468,11 @@ ENABLE
     'enable'
 ;
 
+ENABLE_SENDER_SIDE_LOOP_DETECTION
+:
+    'enable-sender-side-loop-detection'
+;
+
 ENCRYPTION
 :
     'encryption'

projects/batfish/src/main/antlr4/org/batfish/grammar/palo_alto/PaloAlto_bgp.g4

@@ -99,6 +99,7 @@ bgppg_peer
         bgppgp_bfd
         | bgppgp_connection_options
         | bgppgp_enable
+        | bgppgp_enable_sender_side_loop_detection
         | bgppgp_local_address
         | bgppgp_max_prefixes
         | bgppgp_peer_address
@@ -184,6 +185,11 @@ bgppgp_enable
     ENABLE yn = yes_or_no
 ;
 
+bgppgp_enable_sender_side_loop_detection
+:
+    ENABLE_SENDER_SIDE_LOOP_DETECTION yn = yes_or_no
+;
+
 bgppgp_local_address
 :
     LOCAL_ADDRESS

projects/batfish/src/main/java/org/batfish/grammar/palo_alto/PaloAltoConfigurationBuilder.java

@@ -122,6 +122,7 @@
 import org.batfish.grammar.palo_alto.PaloAltoParser.Bgppgp_coo_allowContext;
 import org.batfish.grammar.palo_alto.PaloAltoParser.Bgppgp_coo_local_portContext;
 import org.batfish.grammar.palo_alto.PaloAltoParser.Bgppgp_enableContext;
+import org.batfish.grammar.palo_alto.PaloAltoParser.Bgppgp_enable_sender_side_loop_detectionContext;
 import org.batfish.grammar.palo_alto.PaloAltoParser.Bgppgp_la_interfaceContext;
 import org.batfish.grammar.palo_alto.PaloAltoParser.Bgppgp_la_ipContext;
 import org.batfish.grammar.palo_alto.PaloAltoParser.Bgppgp_max_prefixesContext;
@@ -948,6 +949,12 @@ public void exitBgppgp_enable(Bgppgp_enableContext ctx) {
     _currentBgpPeer.setEnable(toBoolean(ctx.yn));
   }
 
+  @Override
+  public void exitBgppgp_enable_sender_side_loop_detection(
+      Bgppgp_enable_sender_side_loop_detectionContext ctx) {
+    _currentBgpPeer.setEnableSenderSideLoopDetection(toBoolean(ctx.yn));
+  }
+
   @Override
   public void exitBgppgp_la_interface(Bgppgp_la_interfaceContext ctx) {
     String name = getText(ctx.name);

projects/batfish/src/main/java/org/batfish/representation/palo_alto/BgpPeer.java

@@ -36,6 +36,15 @@ public void setEnable(boolean enable) {
     _enable = enable;
   }
 
+  @Nullable
+  public Boolean getEnableSenderSideLoopDetection() {
+    return _enableSenderSideLoopDetection;
+  }
+
+  public void setEnableSenderSideLoopDetection(boolean enableSenderSideLoopDetection) {
+    _enableSenderSideLoopDetection = enableSenderSideLoopDetection;
+  }
+
   public @Nullable Ip getLocalAddress() {
     return _localAddress;
   }
@@ -93,6 +102,7 @@ public void setReflectorClient(@Nullable ReflectorClient reflectorClient) {
 
   private BgpConnectionOptions _connectionOptions = new BgpConnectionOptions();
   private boolean _enable;
+  private @Nullable Boolean _enableSenderSideLoopDetection;
   private @Nullable Ip _localAddress;
   private @Nullable String _localInterface;
   private final @Nonnull String _name;

projects/batfish/src/main/java/org/batfish/representation/palo_alto/PaloAltoConfiguration.java

@@ -2106,10 +2106,20 @@ private void convertPeer(
           .ifPresent(peerB::setLocalIp);
     }
 
-    // TODO
-    Builder ipv4af =
-        Ipv4UnicastAddressFamily.builder()
-            .setAddressFamilyCapabilities(AddressFamilyCapabilities.builder().build());
+    Builder ipv4af = Ipv4UnicastAddressFamily.builder();
+    if (Boolean.TRUE.equals(peer.getEnableSenderSideLoopDetection())) {
+      /*
+       TODO: routes should be sent, but AS path should be modified to remove the peer's ASN
+       https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/bgp/configure-a-bgp-peer-with-mp-bgp-for-ipv4-or-ipv6-unicast.html
+      */
+      getWarnings().redFlag("'enable-sender-side-loop-detection yes' is not supported");
+    }
+    ipv4af.setAddressFamilyCapabilities(
+        // TODO: need to support other setAddressFamilyCapabilities like sendCommunity, etc.
+        AddressFamilyCapabilities.builder()
+            .setAllowRemoteAsOut(
+                true) // PAN always sends routes, but may change AS path (see above)
+            .build());
 
     ipv4af.setExportPolicy(
         computeAndSetPerPeerExportPolicy(peer, _c, vr, bgp, pg.getName()).getName());

projects/batfish/src/test/java/org/batfish/grammar/palo_alto/PaloAltoGrammarTest.java

@@ -879,6 +879,7 @@ public void testBgpExtraction() {
     assertThat(pg.getPeers().keySet(), contains("PEER"));
     BgpPeer peer = pg.getOrCreatePeerGroup("PEER");
     assertThat(peer.getEnable(), equalTo(true));
+    assertThat(peer.getEnableSenderSideLoopDetection(), equalTo(false));
     assertThat(peer.getLocalInterface(), equalTo("ethernet1/1"));
     assertThat(peer.getLocalAddress(), equalTo(Ip.parse("1.2.3.6")));
     assertThat(peer.getPeerAddress(), equalTo(Ip.parse("5.4.3.2")));
@@ -905,6 +906,8 @@ public void testBgpConversion() {
     assertThat(peer.getLocalIp(), equalTo(Ip.parse("1.2.3.6")));
     assertThat(peer.getLocalAs(), equalTo(65001L));
     assertThat(peer.getRemoteAsns(), equalTo(LongSpace.of(65001)));
+    assertTrue(
+        peer.getIpv4UnicastAddressFamily().getAddressFamilyCapabilities().getAllowRemoteAsOut());
     // BgpRoutingProcess requires an export policy be present
     String exportPolicyName = peer.getIpv4UnicastAddressFamily().getExportPolicy();
     assertThat(exportPolicyName, not(nullValue()));

projects/batfish/src/test/resources/org/batfish/grammar/palo_alto/testconfigs/bgp

@@ -41,6 +41,7 @@ network {
                  }
                }
                enable yes;
+               enable-sender-side-loop-detection no;
                local-address {
                  interface ethernet1/1;
                  ip 1.2.3.6/24;