[mirror_frr.git] / bgpd / bgp_flowspec.c

/* BGP FlowSpec for packet handling
 * Portions:
 *     Copyright (C) 2017 ChinaTelecom SDN Group
 *     Copyright (C) 2018 6WIND
 *
 * FRRouting is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2, or (at your option) any
 * later version.
 *
 * FRRouting is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; see the file COPYING; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 */

#include <zebra.h>
#include <math.h>

#include "prefix.h"
#include "lib_errors.h"

#include "bgpd/bgpd.h"
#include "bgpd/bgp_route.h"
#include "bgpd/bgp_flowspec.h"
#include "bgpd/bgp_flowspec_util.h"
#include "bgpd/bgp_flowspec_private.h"
#include "bgpd/bgp_ecommunity.h"
#include "bgpd/bgp_debug.h"
#include "bgpd/bgp_errors.h"

static int bgp_fs_nlri_validate(uint8_t *nlri_content, uint32_t len,
				afi_t afi)
{
	uint32_t offset = 0;
	int type;
	int ret = 0, error = 0;

	while (offset < len-1) {
		type = nlri_content[offset];
		offset++;
		switch (type) {
		case FLOWSPEC_DEST_PREFIX:
		case FLOWSPEC_SRC_PREFIX:
			ret = bgp_flowspec_ip_address(
						BGP_FLOWSPEC_VALIDATE_ONLY,
						nlri_content + offset,
						len - offset, NULL, &error,
						afi);
			break;
		case FLOWSPEC_IP_PROTOCOL:
		case FLOWSPEC_PORT:
		case FLOWSPEC_DEST_PORT:
		case FLOWSPEC_SRC_PORT:
		case FLOWSPEC_ICMP_TYPE:
		case FLOWSPEC_ICMP_CODE:
			ret = bgp_flowspec_op_decode(BGP_FLOWSPEC_VALIDATE_ONLY,
						   nlri_content + offset,
						   len - offset, NULL, &error);
			break;
		case FLOWSPEC_TCP_FLAGS:
		case FLOWSPEC_FRAGMENT:
			ret = bgp_flowspec_bitmask_decode(
						   BGP_FLOWSPEC_VALIDATE_ONLY,
						   nlri_content + offset,
						   len - offset, NULL, &error);
			break;
		case FLOWSPEC_PKT_LEN:
		case FLOWSPEC_DSCP:
			ret = bgp_flowspec_op_decode(
						BGP_FLOWSPEC_VALIDATE_ONLY,
						nlri_content + offset,
						len - offset, NULL, &error);
			break;
		default:
			error = -1;
			break;
		}
		offset += ret;
		if (error < 0)
			break;
	}
	return error;
}

int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
			    struct bgp_nlri *packet, int withdraw)
{
	uint8_t *pnt;
	uint8_t *lim;
	afi_t afi;
	safi_t safi;
	int psize = 0;
	struct prefix p;
	int ret;
	void *temp;

	/* Start processing the NLRI - there may be multiple in the MP_REACH */
	pnt = packet->nlri;
	lim = pnt + packet->length;
	afi = packet->afi;
	safi = packet->safi;

	if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) {
		flog_err(EC_BGP_FLOWSPEC_PACKET,
			 "BGP flowspec nlri length maximum reached (%u)",
			 packet->length);
		return BGP_NLRI_PARSE_ERROR_FLOWSPEC_NLRI_SIZELIMIT;
	}

	for (; pnt < lim; pnt += psize) {
		/* Clear prefix structure. */
		memset(&p, 0, sizeof(struct prefix));

		/* All FlowSpec NLRI begin with length. */
		if (pnt + 1 > lim)
			return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;

		psize = *pnt++;
		if (psize >= FLOWSPEC_NLRI_SIZELIMIT) {
			psize &= 0x0f;
			psize = psize << 8;
			psize |= *pnt++;
		}
		/* When packet overflow occur return immediately. */
		if (pnt + psize > lim) {
			flog_err(
				EC_BGP_FLOWSPEC_PACKET,
				"Flowspec NLRI length inconsistent ( size %u seen)",
				psize);
			return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
		}
		if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
			flog_err(
				EC_BGP_FLOWSPEC_PACKET,
				"Bad flowspec format or NLRI options not supported");
			return BGP_NLRI_PARSE_ERROR_FLOWSPEC_BAD_FORMAT;
		}
		p.family = AF_FLOWSPEC;
		p.prefixlen = 0;
		/* Flowspec encoding is in bytes */
		p.u.prefix_flowspec.prefixlen = psize;
		p.u.prefix_flowspec.family = afi2family(afi);
		temp = XCALLOC(MTYPE_TMP, psize);
		memcpy(temp, pnt, psize);
		p.u.prefix_flowspec.ptr = (uintptr_t) temp;

		if (BGP_DEBUG(flowspec, FLOWSPEC)) {
			char return_string[BGP_FLOWSPEC_NLRI_STRING_MAX];
			char local_string[BGP_FLOWSPEC_NLRI_STRING_MAX*2+16];
			char ec_string[BGP_FLOWSPEC_NLRI_STRING_MAX];
			char *s = NULL;

			bgp_fs_nlri_get_string((unsigned char *)
					       p.u.prefix_flowspec.ptr,
					       p.u.prefix_flowspec.prefixlen,
					       return_string,
					       NLRI_STRING_FORMAT_MIN, NULL,
					       afi);
			snprintf(ec_string, sizeof(ec_string),
				 "EC{none}");
			if (attr && attr->ecommunity) {
				s = ecommunity_ecom2str(attr->ecommunity,
						ECOMMUNITY_FORMAT_ROUTE_MAP, 0);
				snprintf(ec_string, sizeof(ec_string),
					 "EC{%s}",
					s == NULL ? "none" : s);

				if (s)
					ecommunity_strfree(&s);
			}
			snprintf(local_string, sizeof(local_string),
				 "FS Rx %s %s %s %s", withdraw ?
				 "Withdraw":"Update",
				 afi2str(afi), return_string,
				 attr != NULL ? ec_string : "");
			zlog_info("%s", local_string);
		}
		/* Process the route. */
		if (!withdraw)
			ret = bgp_update(peer, &p, 0, attr,
					 afi, safi,
					 ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL,
					 NULL, NULL, 0, 0, NULL);
		else
			ret = bgp_withdraw(peer, &p, 0, attr,
					   afi, safi,
					   ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL,
					   NULL, NULL, 0, NULL);
		if (ret) {
			flog_err(EC_BGP_FLOWSPEC_INSTALLATION,
				 "Flowspec NLRI failed to be %s.",
				 attr ? "added" : "withdrawn");
			return BGP_NLRI_PARSE_ERROR;
		}
	}
	return BGP_NLRI_PARSE_OK;
}
Commit	Line	Data
7c40bf39	1	/* BGP FlowSpec for packet handling
	2	* Portions:
	3	* Copyright (C) 2017 ChinaTelecom SDN Group
	4	* Copyright (C) 2018 6WIND
	5	*
	6	* FRRouting is free software; you can redistribute it and/or modify it
	7	* under the terms of the GNU General Public License as published by the
	8	* Free Software Foundation; either version 2, or (at your option) any
	9	* later version.
	10	*
	11	* FRRouting is distributed in the hope that it will be useful, but
	12	* WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	* General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU General Public License along
	17	* with this program; see the file COPYING; if not, write to the Free Software
	18	* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
	19	*/
	20
7c40bf39	21	#include <zebra.h>
b45ac5f5 DL	22	#include <math.h>
b45ac5f5 DL	23
7c40bf39	24	#include "prefix.h"
02705213	25	#include "lib_errors.h"
7c40bf39	26
	27	#include "bgpd/bgpd.h"
	28	#include "bgpd/bgp_route.h"
	29	#include "bgpd/bgp_flowspec.h"
fc836540	30	#include "bgpd/bgp_flowspec_util.h"
7c40bf39	31	#include "bgpd/bgp_flowspec_private.h"
268e1b9b PG	32	#include "bgpd/bgp_ecommunity.h"
268e1b9b PG	33	#include "bgpd/bgp_debug.h"
4f3be667	34	#include "bgpd/bgp_errors.h"
7c40bf39	35
1840384b PG	36	static int bgp_fs_nlri_validate(uint8_t *nlri_content, uint32_t len,
1840384b PG	37	afi_t afi)
fc836540 PG	38	{
	39	uint32_t offset = 0;
	40	int type;
	41	int ret = 0, error = 0;
	42
	43	while (offset < len-1) {
	44	type = nlri_content[offset];
	45	offset++;
	46	switch (type) {
	47	case FLOWSPEC_DEST_PREFIX:
	48	case FLOWSPEC_SRC_PREFIX:
	49	ret = bgp_flowspec_ip_address(
	50	BGP_FLOWSPEC_VALIDATE_ONLY,
	51	nlri_content + offset,
1840384b PG	52	len - offset, NULL, &error,
1840384b PG	53	afi);
fc836540 PG	54	break;
	55	case FLOWSPEC_IP_PROTOCOL:
	56	case FLOWSPEC_PORT:
	57	case FLOWSPEC_DEST_PORT:
	58	case FLOWSPEC_SRC_PORT:
	59	case FLOWSPEC_ICMP_TYPE:
	60	case FLOWSPEC_ICMP_CODE:
	61	ret = bgp_flowspec_op_decode(BGP_FLOWSPEC_VALIDATE_ONLY,
	62	nlri_content + offset,
	63	len - offset, NULL, &error);
	64	break;
	65	case FLOWSPEC_TCP_FLAGS:
588ec356 PG	66	case FLOWSPEC_FRAGMENT:
588ec356 PG	67	ret = bgp_flowspec_bitmask_decode(
fc836540 PG	68	BGP_FLOWSPEC_VALIDATE_ONLY,
	69	nlri_content + offset,
	70	len - offset, NULL, &error);
	71	break;
	72	case FLOWSPEC_PKT_LEN:
	73	case FLOWSPEC_DSCP:
	74	ret = bgp_flowspec_op_decode(
	75	BGP_FLOWSPEC_VALIDATE_ONLY,
	76	nlri_content + offset,
	77	len - offset, NULL, &error);
	78	break;
fc836540 PG	79	default:
	80	error = -1;
	81	break;
	82	}
	83	offset += ret;
	84	if (error < 0)
	85	break;
	86	}
	87	return error;
	88	}
	89
7c40bf39	90	int bgp_nlri_parse_flowspec(struct peer peer, struct attr attr,
	91	struct bgp_nlri *packet, int withdraw)
	92	{
	93	uint8_t *pnt;
	94	uint8_t *lim;
	95	afi_t afi;
fc836540	96	safi_t safi;
7c40bf39	97	int psize = 0;
7c40bf39	98	struct prefix p;
fc836540 PG	99	int ret;
fc836540 PG	100	void *temp;
7c40bf39	101
	102	/* Start processing the NLRI - there may be multiple in the MP_REACH */
	103	pnt = packet->nlri;
	104	lim = pnt + packet->length;
	105	afi = packet->afi;
fc836540	106	safi = packet->safi;
7c40bf39	107
3255e756	108	if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) {
e50f7cfd	109	flog_err(EC_BGP_FLOWSPEC_PACKET,
1c50c1c0 QY	110	"BGP flowspec nlri length maximum reached (%u)",
1c50c1c0 QY	111	packet->length);
513386b5	112	return BGP_NLRI_PARSE_ERROR_FLOWSPEC_NLRI_SIZELIMIT;
7c40bf39	113	}
	114
	115	for (; pnt < lim; pnt += psize) {
	116	/* Clear prefix structure. */
	117	memset(&p, 0, sizeof(struct prefix));
	118
	119	/* All FlowSpec NLRI begin with length. */
	120	if (pnt + 1 > lim)
513386b5	121	return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
7c40bf39	122
3f54c705	123	psize = *pnt++;
3255e756 PG	124	if (psize >= FLOWSPEC_NLRI_SIZELIMIT) {
	125	psize &= 0x0f;
	126	psize = psize << 8;
	127	psize \|= *pnt++;
	128	}
7c40bf39	129	/* When packet overflow occur return immediately. */
7c40bf39	130	if (pnt + psize > lim) {
1c50c1c0 QY	131	flog_err(
	132	EC_BGP_FLOWSPEC_PACKET,
	133	"Flowspec NLRI length inconsistent ( size %u seen)",
	134	psize);
513386b5	135	return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
7c40bf39	136	}
1840384b	137	if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
1c50c1c0 QY	138	flog_err(
	139	EC_BGP_FLOWSPEC_PACKET,
	140	"Bad flowspec format or NLRI options not supported");
513386b5	141	return BGP_NLRI_PARSE_ERROR_FLOWSPEC_BAD_FORMAT;
fc836540 PG	142	}
	143	p.family = AF_FLOWSPEC;
	144	p.prefixlen = 0;
	145	/* Flowspec encoding is in bytes */
	146	p.u.prefix_flowspec.prefixlen = psize;
1840384b	147	p.u.prefix_flowspec.family = afi2family(afi);
fc836540 PG	148	temp = XCALLOC(MTYPE_TMP, psize);
	149	memcpy(temp, pnt, psize);
	150	p.u.prefix_flowspec.ptr = (uintptr_t) temp;
268e1b9b PG	151
	152	if (BGP_DEBUG(flowspec, FLOWSPEC)) {
	153	char return_string[BGP_FLOWSPEC_NLRI_STRING_MAX];
a2dc7057	154	char local_string[BGP_FLOWSPEC_NLRI_STRING_MAX*2+16];
268e1b9b PG	155	char ec_string[BGP_FLOWSPEC_NLRI_STRING_MAX];
	156	char *s = NULL;
	157
	158	bgp_fs_nlri_get_string((unsigned char *)
	159	p.u.prefix_flowspec.ptr,
	160	p.u.prefix_flowspec.prefixlen,
	161	return_string,
1840384b PG	162	NLRI_STRING_FORMAT_MIN, NULL,
1840384b PG	163	afi);
ff44f570	164	snprintf(ec_string, sizeof(ec_string),
268e1b9b PG	165	"EC{none}");
	166	if (attr && attr->ecommunity) {
	167	s = ecommunity_ecom2str(attr->ecommunity,
	168	ECOMMUNITY_FORMAT_ROUTE_MAP, 0);
ff44f570	169	snprintf(ec_string, sizeof(ec_string),
268e1b9b PG	170	"EC{%s}",
268e1b9b PG	171	s == NULL ? "none" : s);
c7ee6c35 DS	172
	173	if (s)
	174	ecommunity_strfree(&s);
268e1b9b	175	}
ff44f570	176	snprintf(local_string, sizeof(local_string),
268e1b9b PG	177	"FS Rx %s %s %s %s", withdraw ?
	178	"Withdraw":"Update",
	179	afi2str(afi), return_string,
	180	attr != NULL ? ec_string : "");
	181	zlog_info("%s", local_string);
	182	}
fc836540 PG	183	/* Process the route. */
	184	if (!withdraw)
	185	ret = bgp_update(peer, &p, 0, attr,
	186	afi, safi,
	187	ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL,
	188	NULL, NULL, 0, 0, NULL);
	189	else
	190	ret = bgp_withdraw(peer, &p, 0, attr,
	191	afi, safi,
	192	ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL,
	193	NULL, NULL, 0, NULL);
	194	if (ret) {
e50f7cfd	195	flog_err(EC_BGP_FLOWSPEC_INSTALLATION,
1c50c1c0 QY	196	"Flowspec NLRI failed to be %s.",
1c50c1c0 QY	197	attr ? "added" : "withdrawn");
513386b5	198	return BGP_NLRI_PARSE_ERROR;
fc836540	199	}
7c40bf39	200	}
513386b5	201	return BGP_NLRI_PARSE_OK;
7c40bf39	202	}