]>
Commit | Line | Data |
---|---|---|
7c40bf39 | 1 | /* BGP FlowSpec for packet handling |
2 | * Portions: | |
3 | * Copyright (C) 2017 ChinaTelecom SDN Group | |
4 | * Copyright (C) 2018 6WIND | |
5 | * | |
6 | * FRRouting is free software; you can redistribute it and/or modify it | |
7 | * under the terms of the GNU General Public License as published by the | |
8 | * Free Software Foundation; either version 2, or (at your option) any | |
9 | * later version. | |
10 | * | |
11 | * FRRouting is distributed in the hope that it will be useful, but | |
12 | * WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
14 | * General Public License for more details. | |
15 | * | |
16 | * You should have received a copy of the GNU General Public License along | |
17 | * with this program; see the file COPYING; if not, write to the Free Software | |
18 | * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA | |
19 | */ | |
20 | ||
7c40bf39 | 21 | #include <zebra.h> |
b45ac5f5 DL |
22 | #include <math.h> |
23 | ||
7c40bf39 | 24 | #include "prefix.h" |
02705213 | 25 | #include "lib_errors.h" |
7c40bf39 | 26 | |
27 | #include "bgpd/bgpd.h" | |
28 | #include "bgpd/bgp_route.h" | |
29 | #include "bgpd/bgp_flowspec.h" | |
fc836540 | 30 | #include "bgpd/bgp_flowspec_util.h" |
7c40bf39 | 31 | #include "bgpd/bgp_flowspec_private.h" |
268e1b9b PG |
32 | #include "bgpd/bgp_ecommunity.h" |
33 | #include "bgpd/bgp_debug.h" | |
4f3be667 | 34 | #include "bgpd/bgp_errors.h" |
7c40bf39 | 35 | |
1840384b PG |
36 | static int bgp_fs_nlri_validate(uint8_t *nlri_content, uint32_t len, |
37 | afi_t afi) | |
fc836540 PG |
38 | { |
39 | uint32_t offset = 0; | |
40 | int type; | |
41 | int ret = 0, error = 0; | |
42 | ||
43 | while (offset < len-1) { | |
44 | type = nlri_content[offset]; | |
45 | offset++; | |
46 | switch (type) { | |
47 | case FLOWSPEC_DEST_PREFIX: | |
48 | case FLOWSPEC_SRC_PREFIX: | |
49 | ret = bgp_flowspec_ip_address( | |
50 | BGP_FLOWSPEC_VALIDATE_ONLY, | |
51 | nlri_content + offset, | |
1840384b PG |
52 | len - offset, NULL, &error, |
53 | afi); | |
fc836540 PG |
54 | break; |
55 | case FLOWSPEC_IP_PROTOCOL: | |
56 | case FLOWSPEC_PORT: | |
57 | case FLOWSPEC_DEST_PORT: | |
58 | case FLOWSPEC_SRC_PORT: | |
59 | case FLOWSPEC_ICMP_TYPE: | |
60 | case FLOWSPEC_ICMP_CODE: | |
61 | ret = bgp_flowspec_op_decode(BGP_FLOWSPEC_VALIDATE_ONLY, | |
62 | nlri_content + offset, | |
63 | len - offset, NULL, &error); | |
64 | break; | |
65 | case FLOWSPEC_TCP_FLAGS: | |
588ec356 PG |
66 | case FLOWSPEC_FRAGMENT: |
67 | ret = bgp_flowspec_bitmask_decode( | |
fc836540 PG |
68 | BGP_FLOWSPEC_VALIDATE_ONLY, |
69 | nlri_content + offset, | |
70 | len - offset, NULL, &error); | |
71 | break; | |
72 | case FLOWSPEC_PKT_LEN: | |
73 | case FLOWSPEC_DSCP: | |
74 | ret = bgp_flowspec_op_decode( | |
75 | BGP_FLOWSPEC_VALIDATE_ONLY, | |
76 | nlri_content + offset, | |
77 | len - offset, NULL, &error); | |
78 | break; | |
fc836540 PG |
79 | default: |
80 | error = -1; | |
81 | break; | |
82 | } | |
83 | offset += ret; | |
84 | if (error < 0) | |
85 | break; | |
86 | } | |
87 | return error; | |
88 | } | |
89 | ||
7c40bf39 | 90 | int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr, |
91 | struct bgp_nlri *packet, int withdraw) | |
92 | { | |
93 | uint8_t *pnt; | |
94 | uint8_t *lim; | |
95 | afi_t afi; | |
fc836540 | 96 | safi_t safi; |
7c40bf39 | 97 | int psize = 0; |
7c40bf39 | 98 | struct prefix p; |
fc836540 PG |
99 | int ret; |
100 | void *temp; | |
7c40bf39 | 101 | |
102 | /* Start processing the NLRI - there may be multiple in the MP_REACH */ | |
103 | pnt = packet->nlri; | |
104 | lim = pnt + packet->length; | |
105 | afi = packet->afi; | |
fc836540 | 106 | safi = packet->safi; |
7c40bf39 | 107 | |
3255e756 | 108 | if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) { |
e50f7cfd | 109 | flog_err(EC_BGP_FLOWSPEC_PACKET, |
1c50c1c0 QY |
110 | "BGP flowspec nlri length maximum reached (%u)", |
111 | packet->length); | |
513386b5 | 112 | return BGP_NLRI_PARSE_ERROR_FLOWSPEC_NLRI_SIZELIMIT; |
7c40bf39 | 113 | } |
114 | ||
115 | for (; pnt < lim; pnt += psize) { | |
116 | /* Clear prefix structure. */ | |
117 | memset(&p, 0, sizeof(struct prefix)); | |
118 | ||
119 | /* All FlowSpec NLRI begin with length. */ | |
120 | if (pnt + 1 > lim) | |
513386b5 | 121 | return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW; |
7c40bf39 | 122 | |
3f54c705 | 123 | psize = *pnt++; |
3255e756 PG |
124 | if (psize >= FLOWSPEC_NLRI_SIZELIMIT) { |
125 | psize &= 0x0f; | |
126 | psize = psize << 8; | |
127 | psize |= *pnt++; | |
128 | } | |
7c40bf39 | 129 | /* When packet overflow occur return immediately. */ |
130 | if (pnt + psize > lim) { | |
1c50c1c0 QY |
131 | flog_err( |
132 | EC_BGP_FLOWSPEC_PACKET, | |
133 | "Flowspec NLRI length inconsistent ( size %u seen)", | |
134 | psize); | |
513386b5 | 135 | return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW; |
7c40bf39 | 136 | } |
1840384b | 137 | if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) { |
1c50c1c0 QY |
138 | flog_err( |
139 | EC_BGP_FLOWSPEC_PACKET, | |
140 | "Bad flowspec format or NLRI options not supported"); | |
513386b5 | 141 | return BGP_NLRI_PARSE_ERROR_FLOWSPEC_BAD_FORMAT; |
fc836540 PG |
142 | } |
143 | p.family = AF_FLOWSPEC; | |
144 | p.prefixlen = 0; | |
145 | /* Flowspec encoding is in bytes */ | |
146 | p.u.prefix_flowspec.prefixlen = psize; | |
1840384b | 147 | p.u.prefix_flowspec.family = afi2family(afi); |
fc836540 PG |
148 | temp = XCALLOC(MTYPE_TMP, psize); |
149 | memcpy(temp, pnt, psize); | |
150 | p.u.prefix_flowspec.ptr = (uintptr_t) temp; | |
268e1b9b PG |
151 | |
152 | if (BGP_DEBUG(flowspec, FLOWSPEC)) { | |
153 | char return_string[BGP_FLOWSPEC_NLRI_STRING_MAX]; | |
a2dc7057 | 154 | char local_string[BGP_FLOWSPEC_NLRI_STRING_MAX*2+16]; |
268e1b9b PG |
155 | char ec_string[BGP_FLOWSPEC_NLRI_STRING_MAX]; |
156 | char *s = NULL; | |
157 | ||
158 | bgp_fs_nlri_get_string((unsigned char *) | |
159 | p.u.prefix_flowspec.ptr, | |
160 | p.u.prefix_flowspec.prefixlen, | |
161 | return_string, | |
1840384b PG |
162 | NLRI_STRING_FORMAT_MIN, NULL, |
163 | afi); | |
ff44f570 | 164 | snprintf(ec_string, sizeof(ec_string), |
268e1b9b PG |
165 | "EC{none}"); |
166 | if (attr && attr->ecommunity) { | |
167 | s = ecommunity_ecom2str(attr->ecommunity, | |
168 | ECOMMUNITY_FORMAT_ROUTE_MAP, 0); | |
ff44f570 | 169 | snprintf(ec_string, sizeof(ec_string), |
268e1b9b PG |
170 | "EC{%s}", |
171 | s == NULL ? "none" : s); | |
c7ee6c35 DS |
172 | |
173 | if (s) | |
174 | ecommunity_strfree(&s); | |
268e1b9b | 175 | } |
ff44f570 | 176 | snprintf(local_string, sizeof(local_string), |
268e1b9b PG |
177 | "FS Rx %s %s %s %s", withdraw ? |
178 | "Withdraw":"Update", | |
179 | afi2str(afi), return_string, | |
180 | attr != NULL ? ec_string : ""); | |
181 | zlog_info("%s", local_string); | |
182 | } | |
fc836540 PG |
183 | /* Process the route. */ |
184 | if (!withdraw) | |
185 | ret = bgp_update(peer, &p, 0, attr, | |
186 | afi, safi, | |
187 | ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL, | |
188 | NULL, NULL, 0, 0, NULL); | |
189 | else | |
190 | ret = bgp_withdraw(peer, &p, 0, attr, | |
191 | afi, safi, | |
192 | ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL, | |
193 | NULL, NULL, 0, NULL); | |
194 | if (ret) { | |
e50f7cfd | 195 | flog_err(EC_BGP_FLOWSPEC_INSTALLATION, |
1c50c1c0 QY |
196 | "Flowspec NLRI failed to be %s.", |
197 | attr ? "added" : "withdrawn"); | |
513386b5 | 198 | return BGP_NLRI_PARSE_ERROR; |
fc836540 | 199 | } |
7c40bf39 | 200 | } |
513386b5 | 201 | return BGP_NLRI_PARSE_OK; |
7c40bf39 | 202 | } |