]>
Commit | Line | Data |
---|---|---|
acddc0ed | 1 | // SPDX-License-Identifier: GPL-2.0-or-later |
7c40bf39 | 2 | /* BGP FlowSpec for packet handling |
3 | * Portions: | |
4 | * Copyright (C) 2017 ChinaTelecom SDN Group | |
5 | * Copyright (C) 2018 6WIND | |
7c40bf39 | 6 | */ |
7 | ||
7c40bf39 | 8 | #include <zebra.h> |
b45ac5f5 DL |
9 | #include <math.h> |
10 | ||
7c40bf39 | 11 | #include "prefix.h" |
02705213 | 12 | #include "lib_errors.h" |
7c40bf39 | 13 | |
14 | #include "bgpd/bgpd.h" | |
15 | #include "bgpd/bgp_route.h" | |
16 | #include "bgpd/bgp_flowspec.h" | |
fc836540 | 17 | #include "bgpd/bgp_flowspec_util.h" |
7c40bf39 | 18 | #include "bgpd/bgp_flowspec_private.h" |
268e1b9b PG |
19 | #include "bgpd/bgp_ecommunity.h" |
20 | #include "bgpd/bgp_debug.h" | |
4f3be667 | 21 | #include "bgpd/bgp_errors.h" |
7c40bf39 | 22 | |
1840384b PG |
23 | static int bgp_fs_nlri_validate(uint8_t *nlri_content, uint32_t len, |
24 | afi_t afi) | |
fc836540 PG |
25 | { |
26 | uint32_t offset = 0; | |
27 | int type; | |
28 | int ret = 0, error = 0; | |
29 | ||
30 | while (offset < len-1) { | |
31 | type = nlri_content[offset]; | |
32 | offset++; | |
33 | switch (type) { | |
34 | case FLOWSPEC_DEST_PREFIX: | |
35 | case FLOWSPEC_SRC_PREFIX: | |
36 | ret = bgp_flowspec_ip_address( | |
37 | BGP_FLOWSPEC_VALIDATE_ONLY, | |
38 | nlri_content + offset, | |
1840384b | 39 | len - offset, NULL, &error, |
9cec4121 | 40 | afi, NULL); |
fc836540 | 41 | break; |
40881800 PG |
42 | case FLOWSPEC_FLOW_LABEL: |
43 | if (afi == AFI_IP) | |
44 | return -1; | |
45 | ret = bgp_flowspec_op_decode(BGP_FLOWSPEC_VALIDATE_ONLY, | |
46 | nlri_content + offset, | |
47 | len - offset, NULL, &error); | |
48 | break; | |
fc836540 PG |
49 | case FLOWSPEC_IP_PROTOCOL: |
50 | case FLOWSPEC_PORT: | |
51 | case FLOWSPEC_DEST_PORT: | |
52 | case FLOWSPEC_SRC_PORT: | |
53 | case FLOWSPEC_ICMP_TYPE: | |
54 | case FLOWSPEC_ICMP_CODE: | |
55 | ret = bgp_flowspec_op_decode(BGP_FLOWSPEC_VALIDATE_ONLY, | |
56 | nlri_content + offset, | |
57 | len - offset, NULL, &error); | |
58 | break; | |
59 | case FLOWSPEC_TCP_FLAGS: | |
588ec356 PG |
60 | case FLOWSPEC_FRAGMENT: |
61 | ret = bgp_flowspec_bitmask_decode( | |
fc836540 PG |
62 | BGP_FLOWSPEC_VALIDATE_ONLY, |
63 | nlri_content + offset, | |
64 | len - offset, NULL, &error); | |
65 | break; | |
66 | case FLOWSPEC_PKT_LEN: | |
67 | case FLOWSPEC_DSCP: | |
68 | ret = bgp_flowspec_op_decode( | |
69 | BGP_FLOWSPEC_VALIDATE_ONLY, | |
70 | nlri_content + offset, | |
71 | len - offset, NULL, &error); | |
72 | break; | |
fc836540 PG |
73 | default: |
74 | error = -1; | |
75 | break; | |
76 | } | |
77 | offset += ret; | |
78 | if (error < 0) | |
79 | break; | |
80 | } | |
81 | return error; | |
82 | } | |
83 | ||
7c40bf39 | 84 | int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr, |
85 | struct bgp_nlri *packet, int withdraw) | |
86 | { | |
87 | uint8_t *pnt; | |
88 | uint8_t *lim; | |
89 | afi_t afi; | |
fc836540 | 90 | safi_t safi; |
7c40bf39 | 91 | int psize = 0; |
7c40bf39 | 92 | struct prefix p; |
fc836540 | 93 | void *temp; |
7c40bf39 | 94 | |
95 | /* Start processing the NLRI - there may be multiple in the MP_REACH */ | |
96 | pnt = packet->nlri; | |
97 | lim = pnt + packet->length; | |
98 | afi = packet->afi; | |
fc836540 | 99 | safi = packet->safi; |
7c40bf39 | 100 | |
3255e756 | 101 | if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) { |
e50f7cfd | 102 | flog_err(EC_BGP_FLOWSPEC_PACKET, |
1c50c1c0 QY |
103 | "BGP flowspec nlri length maximum reached (%u)", |
104 | packet->length); | |
513386b5 | 105 | return BGP_NLRI_PARSE_ERROR_FLOWSPEC_NLRI_SIZELIMIT; |
7c40bf39 | 106 | } |
107 | ||
108 | for (; pnt < lim; pnt += psize) { | |
109 | /* Clear prefix structure. */ | |
6006b807 | 110 | memset(&p, 0, sizeof(p)); |
7c40bf39 | 111 | |
112 | /* All FlowSpec NLRI begin with length. */ | |
113 | if (pnt + 1 > lim) | |
513386b5 | 114 | return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW; |
7c40bf39 | 115 | |
3f54c705 | 116 | psize = *pnt++; |
3255e756 PG |
117 | if (psize >= FLOWSPEC_NLRI_SIZELIMIT) { |
118 | psize &= 0x0f; | |
119 | psize = psize << 8; | |
120 | psize |= *pnt++; | |
121 | } | |
7c40bf39 | 122 | /* When packet overflow occur return immediately. */ |
123 | if (pnt + psize > lim) { | |
1c50c1c0 QY |
124 | flog_err( |
125 | EC_BGP_FLOWSPEC_PACKET, | |
126 | "Flowspec NLRI length inconsistent ( size %u seen)", | |
127 | psize); | |
513386b5 | 128 | return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW; |
7c40bf39 | 129 | } |
1840384b | 130 | if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) { |
1c50c1c0 QY |
131 | flog_err( |
132 | EC_BGP_FLOWSPEC_PACKET, | |
133 | "Bad flowspec format or NLRI options not supported"); | |
513386b5 | 134 | return BGP_NLRI_PARSE_ERROR_FLOWSPEC_BAD_FORMAT; |
fc836540 PG |
135 | } |
136 | p.family = AF_FLOWSPEC; | |
137 | p.prefixlen = 0; | |
138 | /* Flowspec encoding is in bytes */ | |
139 | p.u.prefix_flowspec.prefixlen = psize; | |
1840384b | 140 | p.u.prefix_flowspec.family = afi2family(afi); |
fc836540 PG |
141 | temp = XCALLOC(MTYPE_TMP, psize); |
142 | memcpy(temp, pnt, psize); | |
143 | p.u.prefix_flowspec.ptr = (uintptr_t) temp; | |
268e1b9b PG |
144 | |
145 | if (BGP_DEBUG(flowspec, FLOWSPEC)) { | |
146 | char return_string[BGP_FLOWSPEC_NLRI_STRING_MAX]; | |
a2dc7057 | 147 | char local_string[BGP_FLOWSPEC_NLRI_STRING_MAX*2+16]; |
268e1b9b PG |
148 | char ec_string[BGP_FLOWSPEC_NLRI_STRING_MAX]; |
149 | char *s = NULL; | |
150 | ||
151 | bgp_fs_nlri_get_string((unsigned char *) | |
152 | p.u.prefix_flowspec.ptr, | |
153 | p.u.prefix_flowspec.prefixlen, | |
154 | return_string, | |
1840384b PG |
155 | NLRI_STRING_FORMAT_MIN, NULL, |
156 | afi); | |
ff44f570 | 157 | snprintf(ec_string, sizeof(ec_string), |
268e1b9b | 158 | "EC{none}"); |
b53e67a3 DA |
159 | if (attr && bgp_attr_get_ecommunity(attr)) { |
160 | s = ecommunity_ecom2str( | |
161 | bgp_attr_get_ecommunity(attr), | |
162 | ECOMMUNITY_FORMAT_ROUTE_MAP, 0); | |
ff44f570 | 163 | snprintf(ec_string, sizeof(ec_string), |
268e1b9b PG |
164 | "EC{%s}", |
165 | s == NULL ? "none" : s); | |
c7ee6c35 DS |
166 | |
167 | if (s) | |
168 | ecommunity_strfree(&s); | |
268e1b9b | 169 | } |
ff44f570 | 170 | snprintf(local_string, sizeof(local_string), |
268e1b9b PG |
171 | "FS Rx %s %s %s %s", withdraw ? |
172 | "Withdraw":"Update", | |
173 | afi2str(afi), return_string, | |
174 | attr != NULL ? ec_string : ""); | |
175 | zlog_info("%s", local_string); | |
176 | } | |
fc836540 PG |
177 | /* Process the route. */ |
178 | if (!withdraw) | |
367b458c DS |
179 | bgp_update(peer, &p, 0, attr, afi, safi, |
180 | ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL, NULL, | |
181 | NULL, 0, 0, NULL); | |
fc836540 | 182 | else |
367b458c DS |
183 | bgp_withdraw(peer, &p, 0, attr, afi, safi, |
184 | ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL, NULL, | |
185 | NULL, 0, NULL); | |
7c40bf39 | 186 | } |
513386b5 | 187 | return BGP_NLRI_PARSE_OK; |
7c40bf39 | 188 | } |