bgpd: add neighbor ip-transparent

vjardin · vjardin · commit a5a96aa468f9 · 2025-05-11T00:24:12.000+02:00
Implement a per‑neighbor flag that sets IP_TRANSPARENT for the
underlying TCP socket. With this flag bgpd can accept or initiate a
session to/from an address that is not present on the host.

Typical use‑cases:
  - running bgpd inside a container without configuring the router
    loopback address inside that netns.
  - hitless switchover of a keepalived/VRRP VIP: the standby bgpd
    can pre‑bind and come up instantly after takeover.
  - BGP speakers when the IP address is not set (transparent
    firewall).
  - others...

It is safeguarded by a CAP_NET_ADMIN.

Signed-off-by: Vincent Jardin &lt;vjardin@free.fr&gt;
diff --git a/bgpd/bgp_network.c b/bgpd/bgp_network.c
@@ -829,6 +829,14 @@ enum connect_result bgp_connect(struct peer_connection *connection)
 	if (CHECK_FLAG(peer->flags, PEER_FLAG_TCP_MSS))
 		sockopt_tcp_mss_set(connection->fd, peer->tcp_mss);
 
+	/* Neighbor's bind() as a source address when ip transparent is used */
+	if (CHECK_FLAG(peer->flags, PEER_FLAG_IP_TRANSPARENT) &&
+	    CHECK_FLAG(peer->flags, PEER_FLAG_UPDATE_SOURCE)) {
+		frr_with_privs(&bgpd_privs) {
+			sockopt_ip_transparent(connection->fd);
+		}
+	}
+
 	bgp_socket_set_buffer_size(connection->fd);
 
 	/* Set TCP keepalive when TCP keepalive is enabled */
diff --git a/bgpd/bgp_vty.c b/bgpd/bgp_vty.c
@@ -18356,6 +18356,37 @@ DEFUN(no_neighbor_tcp_mss, no_neighbor_tcp_mss_cmd,
 	return peer_tcp_mss_vty(vty, argv[peer_index]->arg, NULL);
 }
 
+DEFPY(neighbor_ip_transparent,
+      neighbor_ip_transparent_cmd,
+      "[no$no] neighbor <A.B.C.D|X:X::X:X|WORD>$neighbor ip-transparent",
+      NO_STR
+      NEIGHBOR_STR
+      NEIGHBOR_ADDR_STR2
+      "Enable IP_TRANSPARENT on the BGP TCP socket\n")
+{
+	struct peer *peer;
+	bool oldflag;
+	int ret;
+
+	peer = peer_and_group_lookup_vty(vty, neighbor);
+	if (!peer)
+		return CMD_WARNING_CONFIG_FAILED;
+
+	if (!peergroup_flag_check(peer, PEER_FLAG_UPDATE_SOURCE)) {
+		vty_out(vty, "%% Missing update-source\n");
+		return CMD_WARNING_CONFIG_FAILED;
+	}
+
+	oldflag = peergroup_flag_check(peer, PEER_FLAG_IP_TRANSPARENT);
+	ret = peer_flag_modify_vty(vty, neighbor, PEER_FLAG_IP_TRANSPARENT, no == NULL);
+
+	/* do nothing if no change */
+	if (oldflag != peergroup_flag_check(peer, PEER_FLAG_IP_TRANSPARENT))
+		bgp_session_reset(peer);
+
+	return bgp_vty_return(vty, ret);
+}
+
 DEFPY(bgp_retain_route_target, bgp_retain_route_target_cmd,
       "[no$no] bgp retain route-target all",
       NO_STR BGP_STR
@@ -18945,6 +18976,10 @@ static void bgp_config_write_peer_global(struct vty *vty, struct bgp *bgp,
 				peer->update_if);
 	}
 
+	/* ip-transparent on/off */
+	if (peergroup_flag_check(peer, PEER_FLAG_IP_TRANSPARENT))
+		vty_out(vty, " neighbor %s ip-transparent\n", addr);
+
 	/* advertisement-interval */
 	if (peergroup_flag_check(peer, PEER_FLAG_ROUTEADV))
 		vty_out(vty, " neighbor %s advertisement-interval %u\n", addr,
@@ -22134,6 +22169,8 @@ void bgp_vty_init(void)
 	install_element(BGP_NODE, &neighbor_tcp_mss_cmd);
 	install_element(BGP_NODE, &no_neighbor_tcp_mss_cmd);
 
+	install_element(BGP_NODE, &neighbor_ip_transparent_cmd);
+
 	/* srv6 commands */
 	install_element(VIEW_NODE, &show_bgp_srv6_cmd);
 	install_element(BGP_NODE, &bgp_segment_routing_srv6_cmd);
diff --git a/bgpd/bgpd.h b/bgpd/bgpd.h
@@ -1770,6 +1770,7 @@ struct peer {
 #define PEER_FLAG_SEND_EXT_COMMUNITY_RPKI (1ULL << 29)
 #define PEER_FLAG_ADDPATH_RX_PATHS_LIMIT (1ULL << 30)
 #define PEER_FLAG_CONFIG_DAMPENING (1U << 31)
+#define PEER_FLAG_IP_TRANSPARENT (1ULL << 32)
 #define PEER_FLAG_ACCEPT_OWN (1ULL << 63)
 
 	enum bgp_addpath_strat addpath_type[AFI_MAX][SAFI_MAX];
diff --git a/doc/user/bgp.rst b/doc/user/bgp.rst
@@ -1766,6 +1766,13 @@ Configuring Peers
        neighbor foo update-source 192.168.0.1
        neighbor bar update-source lo0
 
+.. clicmd:: neighbor PEER ip-transparent
+
+   Use this command when you need to establish a BGP session with a
+   neighbor using an IP address that you do *not* own. Some typical use
+   cases include running BGP in a container without configuring the
+   address on a loopback interface, peering over a virtual (floating)
+   IP (VIP), or operating as a transparent IP firewall.
 
 .. clicmd:: neighbor PEER default-originate [route-map WORD]
 
