bgpv1: Add support for eBGP-multihop in BGP control plane

Documentation/network/bgp-control-plane.rst

@@ -77,6 +77,7 @@ The policy in ``yaml`` form is defined below:
       neighbors: # []CiliumBGPNeighbor
        - peerAddress: 'fc00:f853:ccd:e793::50/128'
          peerASN: 64512
+         eBGPMultihopTTL: 10
          gracefulRestart:
             enabled: true
             restartTime: "20s"
@@ -99,6 +100,7 @@ Fields
        virtualRouters[*].neighbors: A list of neighbors to peer with
            neighbors[*].peerAddress: The address of the peer neighbor
            neighbors[*].peerASN: The ASN of the peer
+           neighbors[*].eBGPMultihopTTL: (optional) Time To Live (TTL) value used in BGP packets. 0 if eBGP multi-hop feature is disabled.
            neighbors[*].gracefulRestart.enabled: The flag to enable graceful restart capability.
            neighbors[*].gracefulRestart.restartTime: The restart time advertised to the peer (RFC 4724 section 4.2).
 

api/v1/openapi.yaml

@@ -3529,6 +3529,11 @@ definitions:
       peer-address:
         description: IP Address of peer
         type: string
+      ebgp-multihop-ttl:
+        description: |
+          Time To Live (TTL) value used in BGP packets sent to the eBGP neighbor.
+          0 if eBGP multi-hop feature is disabled.
+        type: integer
       session-state:
         description: |
           BGP peer operational state as described here

go.mod

@@ -64,7 +64,7 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.27.6
-	github.com/osrg/gobgp/v3 v3.14.0
+	github.com/osrg/gobgp/v3 v3.15.1-0.20230605074248-03982e597eac
 	github.com/pmezard/go-difflib v1.0.0
 	github.com/prometheus/client_golang v1.15.1
 	github.com/prometheus/client_model v0.4.0

pkg/bgpv1/gobgp/server.go

@@ -189,6 +189,14 @@ func (g *GoBGPServer) getPeerConfig(ctx context.Context, n *v2alpha1api.CiliumBG
 		peer.Transport = &gobgp.Transport{LocalAddress: wildcardIPv6Addr}
 	}
 
+	// Enable multi-hop for eBGP if non-zero TTL is provided
+	if g.asn != uint32(n.PeerASN) && n.EBGPMultihopTTL > 0 {
+		peer.EbgpMultihop = &gobgp.EbgpMultihop{
+			Enabled:     true,
+			MultihopTtl: uint32(n.EBGPMultihopTTL),
+		}
+	}
+
 	if peer.Timers == nil {
 		peer.Timers = &gobgp.Timers{}
 	}

pkg/bgpv1/gobgp/state.go

@@ -74,6 +74,10 @@ func (g *GoBGPServer) GetPeerState(ctx context.Context) (types.GetPeerStateRespo
 			peerState.Families = append(peerState.Families, toAgentAfiSafiState(afiSafi.State))
 		}
 
+		if peer.EbgpMultihop != nil && peer.EbgpMultihop.Enabled {
+			peerState.EbgpMultihopTTL = int64(peer.EbgpMultihop.MultihopTtl)
+		}
+
 		if peer.Timers != nil {
 			tConfig := peer.Timers.Config
 			tState := peer.Timers.State

pkg/bgpv1/gobgp/state_test.go

@@ -84,6 +84,24 @@ var (
 
 	neighbor64127 = &v2alpha1api.CiliumBGPNeighbor{
 		PeerASN:          64127,
+		PeerAddress:      "192.168.88.1/32",
+		ConnectRetryTime: metav1.Duration{Duration: 99 * time.Second},
+		HoldTime:         metav1.Duration{Duration: 9 * time.Second},
+		KeepAliveTime:    metav1.Duration{Duration: 3 * time.Second},
+	}
+
+	// changed EBGPMultihopTTL
+	neighbor64127Update = &v2alpha1api.CiliumBGPNeighbor{
+		PeerASN:          64127,
+		PeerAddress:      "192.168.88.1/32",
+		ConnectRetryTime: metav1.Duration{Duration: 99 * time.Second},
+		HoldTime:         metav1.Duration{Duration: 9 * time.Second},
+		KeepAliveTime:    metav1.Duration{Duration: 3 * time.Second},
+		EBGPMultihopTTL:  10,
+	}
+
+	neighbor64128 = &v2alpha1api.CiliumBGPNeighbor{
+		PeerASN:          64128,
 		PeerAddress:      "192.168.77.1/32",
 		ConnectRetryTime: metav1.Duration{Duration: 99 * time.Second},
 		HoldTime:         metav1.Duration{Duration: 9 * time.Second},
@@ -119,14 +137,17 @@ func TestGetPeerState(t *testing.T) {
 				neighbor64125,
 				neighbor64126,
 				neighbor64127,
+				neighbor64128,
 			},
 			neighborsAfterUpdate: []*v2alpha1api.CiliumBGPNeighbor{
 				// changed ConnectRetryTime
 				neighbor64125Update,
 				// changed HoldTime & KeepAliveTime
 				neighbor64126Update,
+				// changed EBGPMultihopTTL
+				neighbor64127Update,
 				// no change
-				neighbor64127,
+				neighbor64128,
 			},
 			localASN: 64124,
 			errStr:   "",
@@ -271,6 +292,10 @@ func validatePeers(t *testing.T, localASN uint32, neighbors []*v2alpha1api.Ciliu
 		require.EqualValues(t, n.GracefulRestart.Enabled, p.GracefulRestart.Enabled)
 		require.EqualValues(t, n.GracefulRestart.RestartTime.Seconds(), p.GracefulRestart.RestartTimeSeconds)
 
+		if n.EBGPMultihopTTL > 0 {
+			require.EqualValues(t, n.EBGPMultihopTTL, p.EbgpMultihopTTL)
+		}
+
 		// since there is no real neighbor, bgp session state will be either idle or active.
 		require.Contains(t, []string{"idle", "active"}, p.SessionState)
 	}

pkg/k8s/apis/cilium.io/client/crds/v2alpha1/ciliumbgppeeringpolicies.yaml

@@ -132,6 +132,15 @@ spec:
                               whole second.
                             format: duration
                             type: string
+                          eBGPMultihopTTL:
+                            description: EBGPMultihopTTL controls the multi-hop feature
+                              for eBGP peers. Its value defines the Time To Live (TTL)
+                              value used in BGP packets sent to the neighbor. When
+                              empty or zero, eBGP multi-hop feature is disabled. The
+                              value is ignored for iBGP peers.
+                            maximum: 255
+                            minimum: 0
+                            type: integer
                           gracefulRestart:
                             description: GracefulRestart defines graceful restart
                               parameters which are negotiated with this neighbor.

pkg/k8s/apis/cilium.io/v2alpha1/bgpp_types.go

@@ -97,6 +97,14 @@ type CiliumBGPNeighbor struct {
 	// +kubebuilder:validation:Minimum=0
 	// +kubebuilder:validation:Maximum=4294967295
 	PeerASN int `json:"peerASN"`
+	// EBGPMultihopTTL controls the multi-hop feature for eBGP peers.
+	// Its value defines the Time To Live (TTL) value used in BGP packets sent to the neighbor.
+	// When empty or zero, eBGP multi-hop feature is disabled. The value is ignored for iBGP peers.
+	//
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Minimum=0
+	// +kubebuilder:validation:Maximum=255
+	EBGPMultihopTTL int `json:"eBGPMultihopTTL,omitempty"`
 	// ConnectRetryTime defines the initial value for the BGP ConnectRetryTimer (RFC 4271, Section 8).
 	// The default value for the ConnectRetryTime (if empty or zero) is 120 seconds.
 	// Rounded internally to the nearest whole second.