[mirror_frr.git] / bgpd / bgp_flowspec_util.c

/* BGP FlowSpec Utilities
 * Portions:
 *     Copyright (C) 2017 ChinaTelecom SDN Group
 *     Copyright (C) 2018 6WIND
 *
 * FRRouting is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2, or (at your option) any
 * later version.
 *
 * FRRouting is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; see the file COPYING; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 */

#include "zebra.h"

#include "prefix.h"

#include "bgp_table.h"
#include "bgp_flowspec_util.h"
#include "bgp_flowspec_private.h"

static void hex2bin(uint8_t *hex, int *bin)
{
	int remainder = *hex;
	int i = 0;

	while (remainder >= 1 && i < 8) {
		bin[7-i] = remainder % 2;
		remainder = remainder / 2;
		i++;
	}
	for (; i < 8; i++)
		bin[7-i] = 0;
}

static int hexstr2num(uint8_t *hexstr, int len)
{
	int i = 0;
	int num = 0;

	for (i = 0; i < len; i++)
		num = hexstr[i] + 16*16*num;
	return num;
}


/*
 * handle the flowspec address src/dst or generic address NLRI
 * return number of bytes analysed ( >= 0).
 */
int bgp_flowspec_ip_address(enum bgp_flowspec_util_nlri_t type,
			    uint8_t *nlri_ptr,
			    uint32_t max_len,
			    void *result, int *error)
{
	char *display = (char *)result; /* for return_string */
	struct prefix *prefix = (struct prefix *)result;
	uint32_t offset = 0;
	struct prefix prefix_local;
	int psize;

	*error = 0;
	memset(&prefix_local, 0, sizeof(struct prefix));
	/* read the prefix length */
	prefix_local.prefixlen = nlri_ptr[offset];
	psize = PSIZE(prefix_local.prefixlen);
	offset++;
	/* TODO Flowspec IPv6 Support */
	prefix_local.family = AF_INET;
	/* Prefix length check. */
	if (prefix_local.prefixlen > prefix_blen(&prefix_local) * 8)
		*error = -1;
	/* When packet overflow occur return immediately. */
	if (psize + offset > max_len)
		*error = -1;
	/* Defensive coding, double-check
	 * the psize fits in a struct prefix
	 */
	if (psize > (ssize_t)sizeof(prefix_local.u))
		*error = -1;
	memcpy(&prefix_local.u.prefix, &nlri_ptr[offset], psize);
	offset += psize;
	switch (type) {
	case BGP_FLOWSPEC_RETURN_STRING:
		prefix2str(&prefix_local, display,
			   BGP_FLOWSPEC_STRING_DISPLAY_MAX);
		break;
	case BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE:
		PREFIX_COPY_IPV4(prefix, &prefix_local)
		break;
	case BGP_FLOWSPEC_VALIDATE_ONLY:
	default:
		break;
	}
	return offset;
}

/*
 * handle the flowspec operator NLRI
 * return number of bytes analysed
 * if there is an error, the passed error param is used to give error:
 * -1 if decoding error,
 * if result is a string, its assumed length
 *  is BGP_FLOWSPEC_STRING_DISPLAY_MAX
 */
int bgp_flowspec_op_decode(enum bgp_flowspec_util_nlri_t type,
			   uint8_t *nlri_ptr,
			   uint32_t max_len,
			   void *result, int *error)
{
	int op[8];
	int len, value, value_size;
	int loop = 0;
	char *ptr = (char *)result; /* for return_string */
	uint32_t offset = 0;
	int len_string = BGP_FLOWSPEC_STRING_DISPLAY_MAX;
	int len_written;

	*error = 0;
	do {
		hex2bin(&nlri_ptr[offset], op);
		offset++;
		len = 2*op[2]+op[3];
		value_size = 1 << len;
		value = hexstr2num(&nlri_ptr[offset], value_size);
		/* can not be < and > at the same time */
		if (op[5] == 1 && op[6] == 1)
			*error = -1;
		/* if first element, AND bit can not be set */
		if (op[1] == 1 && loop == 0)
			*error = -1;
		switch (type) {
		case BGP_FLOWSPEC_RETURN_STRING:
			if (loop) {
				len_written = snprintf(ptr, len_string,
						      ", ");
				len_string -= len_written;
				ptr += len_written;
			}
			if (op[5] == 1) {
				len_written = snprintf(ptr, len_string,
						       "<");
				len_string -= len_written;
				ptr += len_written;
			}
			if (op[6] == 1) {
				len_written = snprintf(ptr, len_string,
						      ">");
				len_string -= len_written;
				ptr += len_written;
			}
			if (op[7] == 1) {
				len_written = snprintf(ptr, len_string,
						       "=");
				len_string -= len_written;
				ptr += len_written;
			}
			len_written = snprintf(ptr, len_string,
					       " %d ", value);
			len_string -= len_written;
			ptr += len_written;
			break;
		case BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE:
			/* TODO : FS OPAQUE */
			break;
		case BGP_FLOWSPEC_VALIDATE_ONLY:
		default:
			/* no action */
			break;
		}
		offset += value_size;
		loop++;
	} while (op[0] == 0 && offset < max_len - 1);
	if (offset > max_len)
		*error = -1;
	/* use error parameter to count the number of entries */
	if (*error == 0)
		*error = loop;
	return offset;
}


/*
 * handle the flowspec tcpflags field
 * return number of bytes analysed
 * if there is an error, the passed error param is used to give error:
 * -1 if decoding error,
 * if result is a string, its assumed length
 *  is BGP_FLOWSPEC_STRING_DISPLAY_MAX
 */
int bgp_flowspec_tcpflags_decode(enum bgp_flowspec_util_nlri_t type,
				 uint8_t *nlri_ptr,
				 uint32_t max_len,
				 void *result, int *error)
{
	int op[8];
	int len, value_size, loop = 0, value;
	char *ptr = (char *)result; /* for return_string */
	uint32_t offset = 0;
	int len_string = BGP_FLOWSPEC_STRING_DISPLAY_MAX;
	int len_written;

	*error = 0;
	do {
		hex2bin(&nlri_ptr[offset], op);
		/* if first element, AND bit can not be set */
		if (op[1] == 1 && loop == 0)
			*error = -1;
		offset++;
		len = 2 * op[2] + op[3];
		value_size = 1 << len;
		value = hexstr2num(&nlri_ptr[offset], value_size);
		switch (type) {
		case BGP_FLOWSPEC_RETURN_STRING:
			if (op[1] == 1 && loop != 0) {
				len_written = snprintf(ptr, len_string,
						       ", and ");
				len_string -= len_written;
				ptr += len_written;
			} else if (op[1] == 0 && loop != 0) {
				len_written = snprintf(ptr, len_string,
						      ", or ");
				len_string -= len_written;
				ptr += len_written;
			}
			len_written = snprintf(ptr, len_string,
					       "tcp flags is ");
			len_string -= len_written;
			ptr += len_written;
			if (op[6] == 1) {
				ptr += snprintf(ptr, len_string,
					       "not ");
				len_string -= len_written;
				ptr += len_written;
			}
			if (op[7] == 1) {
				ptr += snprintf(ptr, len_string,
					       "exactly match ");
				len_string -= len_written;
				ptr += len_written;
			}
			ptr += snprintf(ptr, len_string,
				       "%d", value);
			len_string -= len_written;
			ptr += len_written;
			break;
		case BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE:
			/* TODO : FS OPAQUE */
			break;
		case BGP_FLOWSPEC_VALIDATE_ONLY:
		default:
			/* no action */
			break;
		}
		offset += value_size;
		loop++;
	} while (op[0] == 0 && offset < max_len - 1);
	if (offset > max_len)
		*error = -1;
	/* use error parameter to count the number of entries */
	if (*error == 0)
		*error = loop;
	return offset;
}

/*
 * handle the flowspec fragment type field
 * return error (returned values are invalid) or number of bytes analysed
 * -1 if error in decoding
 * >= 0 : number of bytes analysed (ok).
 */
int bgp_flowspec_fragment_type_decode(enum bgp_flowspec_util_nlri_t type,
				      uint8_t *nlri_ptr,
				      uint32_t max_len,
				      void *result, int *error)
{
	int op[8];
	int len, value, value_size, loop = 0;
	char *ptr = (char *)result; /* for return_string */
	uint32_t offset = 0;
	int len_string = BGP_FLOWSPEC_STRING_DISPLAY_MAX;
	int len_written;

	*error = 0;
	do {
		hex2bin(&nlri_ptr[offset], op);
		offset++;
		len = 2 * op[2] + op[3];
		value_size = 1 << len;
		value = hexstr2num(&nlri_ptr[offset], value_size);
		if (value != 1 && value != 2 && value != 4 && value != 8)
			*error = -1;
		offset += value_size;
		/* TODO : as per RFC5574 : first Fragment bits are Reserved
		 * does that mean that it is not possible
		 * to handle multiple occurences ?
		 * as of today, we only grab the first TCP fragment
		 */
		if (loop) {
			*error = -2;
			loop++;
			continue;
		}
		switch (type) {
		case BGP_FLOWSPEC_RETURN_STRING:
			switch (value) {
			case 1:
				len_written = snprintf(ptr, len_string,
						       "dont-fragment");
				len_string -= len_written;
				ptr += len_written;
				break;
			case 2:
				len_written = snprintf(ptr, len_string,
						      "is-fragment");
				len_string -= len_written;
				ptr += len_written;
				break;
			case 4:
				len_written = snprintf(ptr, len_string,
						       "first-fragment");
				len_string -= len_written;
				ptr += len_written;
				break;
			case 8:
				len_written = snprintf(ptr, len_string,
						       "last-fragment");
				len_string -= len_written;
				ptr += len_written;
				break;
			default:
				{}
			}
			break;
		case BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE:
			/* TODO : FS OPAQUE */
			break;
		case BGP_FLOWSPEC_VALIDATE_ONLY:
		default:
			/* no action */
			break;
		}
		loop++;
	} while (op[0] == 0 && offset < max_len - 1);
	if (offset > max_len)
		*error = -1;
	return offset;
}


static bool bgp_flowspec_contains_prefix(struct prefix *pfs,
					 struct prefix *input,
					 int prefix_check)
{
	uint32_t offset = 0;
	int type;
	int ret = 0, error = 0;
	uint8_t *nlri_content = (uint8_t *)pfs->u.prefix_flowspec.ptr;
	size_t len = pfs->u.prefix_flowspec.prefixlen;
	struct prefix compare;

	error = 0;
	while (offset < len-1 && error >= 0) {
		type = nlri_content[offset];
		offset++;
		switch (type) {
		case FLOWSPEC_DEST_PREFIX:
		case FLOWSPEC_SRC_PREFIX:
			memset(&compare, 0, sizeof(struct prefix));
			ret = bgp_flowspec_ip_address(
					BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE,
					nlri_content+offset,
					len - offset,
					&compare, &error);
			if (ret <= 0)
				break;
			if (prefix_check &&
			    compare.prefixlen != input->prefixlen)
				break;
			if (compare.family != input->family)
				break;
			if ((input->family == AF_INET) &&
			    IPV4_ADDR_SAME(&input->u.prefix4,
					   &compare.u.prefix4))
				return true;
			if ((input->family == AF_INET6) &&
			    IPV6_ADDR_SAME(&input->u.prefix6.s6_addr,
					   &compare.u.prefix6.s6_addr))
				return true;
			break;
		case FLOWSPEC_IP_PROTOCOL:
		case FLOWSPEC_PORT:
		case FLOWSPEC_DEST_PORT:
		case FLOWSPEC_SRC_PORT:
		case FLOWSPEC_ICMP_TYPE:
		case FLOWSPEC_ICMP_CODE:
			ret = bgp_flowspec_op_decode(BGP_FLOWSPEC_VALIDATE_ONLY,
						     nlri_content+offset,
						     len - offset,
						     NULL, &error);
			break;
		case FLOWSPEC_TCP_FLAGS:
			ret = bgp_flowspec_tcpflags_decode(
						BGP_FLOWSPEC_VALIDATE_ONLY,
						nlri_content+offset,
						len - offset,
						NULL, &error);
			break;
		case FLOWSPEC_PKT_LEN:
		case FLOWSPEC_DSCP:
			ret = bgp_flowspec_op_decode(
						BGP_FLOWSPEC_VALIDATE_ONLY,
						nlri_content + offset,
						len - offset, NULL,
						&error);
			break;
		case FLOWSPEC_FRAGMENT:
			ret = bgp_flowspec_fragment_type_decode(
						BGP_FLOWSPEC_VALIDATE_ONLY,
						nlri_content + offset,
						len - offset, NULL,
						&error);
			break;
		default:
			error = -1;
			break;
		}
		offset += ret;
	}
	return false;
}

struct bgp_node *bgp_flowspec_get_match_per_ip(afi_t afi,
					       struct bgp_table *rib,
					       struct prefix *match,
					       int prefix_check)
{
	struct bgp_node *rn;
	struct prefix *prefix;

	for (rn = bgp_table_top(rib); rn; rn = bgp_route_next(rn)) {
		prefix = &rn->p;

		if (prefix->family != AF_FLOWSPEC)
			continue;

		if (bgp_flowspec_contains_prefix(prefix, match, prefix_check))
			return rn;
	}
	return NULL;
}
Commit	Line	Data
034cdee9 PG	1	/* BGP FlowSpec Utilities
	2	* Portions:
	3	* Copyright (C) 2017 ChinaTelecom SDN Group
	4	* Copyright (C) 2018 6WIND
	5	*
	6	* FRRouting is free software; you can redistribute it and/or modify it
	7	* under the terms of the GNU General Public License as published by the
	8	* Free Software Foundation; either version 2, or (at your option) any
	9	* later version.
	10	*
	11	* FRRouting is distributed in the hope that it will be useful, but
	12	* WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	* General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU General Public License along
	17	* with this program; see the file COPYING; if not, write to the Free Software
	18	* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
	19	*/
	20
	21	#include "zebra.h"
	22
	23	#include "prefix.h"
98a9dbc7 PG	24
98a9dbc7 PG	25	#include "bgp_table.h"
034cdee9	26	#include "bgp_flowspec_util.h"
98a9dbc7	27	#include "bgp_flowspec_private.h"
034cdee9 PG	28
	29	static void hex2bin(uint8_t hex, int bin)
	30	{
	31	int remainder = *hex;
	32	int i = 0;
	33
	34	while (remainder >= 1 && i < 8) {
	35	bin[7-i] = remainder % 2;
	36	remainder = remainder / 2;
	37	i++;
	38	}
	39	for (; i < 8; i++)
	40	bin[7-i] = 0;
	41	}
	42
	43	static int hexstr2num(uint8_t *hexstr, int len)
	44	{
	45	int i = 0;
	46	int num = 0;
	47
	48	for (i = 0; i < len; i++)
	49	num = hexstr[i] + 1616num;
	50	return num;
	51	}
	52
	53
	54	/*
	55	* handle the flowspec address src/dst or generic address NLRI
	56	* return number of bytes analysed ( >= 0).
	57	*/
	58	int bgp_flowspec_ip_address(enum bgp_flowspec_util_nlri_t type,
	59	uint8_t *nlri_ptr,
	60	uint32_t max_len,
	61	void result, int error)
	62	{
	63	char display = (char )result; /* for return_string */
	64	struct prefix prefix = (struct prefix )result;
	65	uint32_t offset = 0;
	66	struct prefix prefix_local;
	67	int psize;
	68
	69	*error = 0;
	70	memset(&prefix_local, 0, sizeof(struct prefix));
	71	/* read the prefix length */
	72	prefix_local.prefixlen = nlri_ptr[offset];
	73	psize = PSIZE(prefix_local.prefixlen);
	74	offset++;
	75	/* TODO Flowspec IPv6 Support */
	76	prefix_local.family = AF_INET;
	77	/* Prefix length check. */
	78	if (prefix_local.prefixlen > prefix_blen(&prefix_local) * 8)
	79	*error = -1;
	80	/* When packet overflow occur return immediately. */
	81	if (psize + offset > max_len)
	82	*error = -1;
	83	/* Defensive coding, double-check
	84	* the psize fits in a struct prefix
	85	*/
	86	if (psize > (ssize_t)sizeof(prefix_local.u))
	87	*error = -1;
	88	memcpy(&prefix_local.u.prefix, &nlri_ptr[offset], psize);
	89	offset += psize;
	90	switch (type) {
	91	case BGP_FLOWSPEC_RETURN_STRING:
92	prefix2str(&prefix_local, display,
93	BGP_FLOWSPEC_STRING_DISPLAY_MAX);
94	break;
95	case BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE:
96	PREFIX_COPY_IPV4(prefix, &prefix_local)
97	break;
98	case BGP_FLOWSPEC_VALIDATE_ONLY:
99	default:
100	break;
101	}
102	return offset;
103	}
104
105	/*
106	* handle the flowspec operator NLRI
107	* return number of bytes analysed
108	* if there is an error, the passed error param is used to give error:
109	* -1 if decoding error,
362a06e3 PG	110	* if result is a string, its assumed length
362a06e3 PG	111	* is BGP_FLOWSPEC_STRING_DISPLAY_MAX
034cdee9 PG	112	*/
	113	int bgp_flowspec_op_decode(enum bgp_flowspec_util_nlri_t type,
	114	uint8_t *nlri_ptr,
	115	uint32_t max_len,
	116	void result, int error)
	117	{
	118	int op[8];
	119	int len, value, value_size;
	120	int loop = 0;
	121	char ptr = (char )result; /* for return_string */
	122	uint32_t offset = 0;
362a06e3 PG	123	int len_string = BGP_FLOWSPEC_STRING_DISPLAY_MAX;
362a06e3 PG	124	int len_written;
034cdee9 PG	125
	126	*error = 0;
	127	do {
	128	hex2bin(&nlri_ptr[offset], op);
	129	offset++;
	130	len = 2*op[2]+op[3];
	131	value_size = 1 << len;
	132	value = hexstr2num(&nlri_ptr[offset], value_size);
	133	/* can not be < and > at the same time */
	134	if (op[5] == 1 && op[6] == 1)
	135	*error = -1;
	136	/* if first element, AND bit can not be set */
	137	if (op[1] == 1 && loop == 0)
	138	*error = -1;
	139	switch (type) {
	140	case BGP_FLOWSPEC_RETURN_STRING:
362a06e3 PG	141	if (loop) {
	142	len_written = snprintf(ptr, len_string,
	143	", ");
	144	len_string -= len_written;
	145	ptr += len_written;
	146	}
	147	if (op[5] == 1) {
	148	len_written = snprintf(ptr, len_string,
	149	"<");
	150	len_string -= len_written;
	151	ptr += len_written;
	152	}
	153	if (op[6] == 1) {
	154	len_written = snprintf(ptr, len_string,
	155	">");
	156	len_string -= len_written;
	157	ptr += len_written;
	158	}
	159	if (op[7] == 1) {
	160	len_written = snprintf(ptr, len_string,
	161	"=");
	162	len_string -= len_written;
	163	ptr += len_written;
	164	}
	165	len_written = snprintf(ptr, len_string,
	166	" %d ", value);
	167	len_string -= len_written;
	168	ptr += len_written;
034cdee9 PG	169	break;
	170	case BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE:
	171	/* TODO : FS OPAQUE */
	172	break;
	173	case BGP_FLOWSPEC_VALIDATE_ONLY:
	174	default:
	175	/* no action */
	176	break;
	177	}
	178	offset += value_size;
	179	loop++;
	180	} while (op[0] == 0 && offset < max_len - 1);
	181	if (offset > max_len)
	182	*error = -1;
	183	/* use error parameter to count the number of entries */
	184	if (*error == 0)
	185	*error = loop;
	186	return offset;
	187	}
	188
	189
	190	/*
	191	* handle the flowspec tcpflags field
	192	* return number of bytes analysed
	193	* if there is an error, the passed error param is used to give error:
	194	* -1 if decoding error,
362a06e3 PG	195	* if result is a string, its assumed length
362a06e3 PG	196	* is BGP_FLOWSPEC_STRING_DISPLAY_MAX
034cdee9 PG	197	*/
	198	int bgp_flowspec_tcpflags_decode(enum bgp_flowspec_util_nlri_t type,
	199	uint8_t *nlri_ptr,
	200	uint32_t max_len,
	201	void result, int error)
	202	{
	203	int op[8];
	204	int len, value_size, loop = 0, value;
	205	char ptr = (char )result; /* for return_string */
	206	uint32_t offset = 0;
362a06e3 PG	207	int len_string = BGP_FLOWSPEC_STRING_DISPLAY_MAX;
362a06e3 PG	208	int len_written;
034cdee9 PG	209
	210	*error = 0;
	211	do {
	212	hex2bin(&nlri_ptr[offset], op);
	213	/* if first element, AND bit can not be set */
	214	if (op[1] == 1 && loop == 0)
	215	*error = -1;
	216	offset++;
	217	len = 2 * op[2] + op[3];
	218	value_size = 1 << len;
	219	value = hexstr2num(&nlri_ptr[offset], value_size);
	220	switch (type) {
	221	case BGP_FLOWSPEC_RETURN_STRING:
362a06e3 PG	222	if (op[1] == 1 && loop != 0) {
	223	len_written = snprintf(ptr, len_string,
	224	", and ");
	225	len_string -= len_written;
	226	ptr += len_written;
	227	} else if (op[1] == 0 && loop != 0) {
	228	len_written = snprintf(ptr, len_string,
	229	", or ");
	230	len_string -= len_written;
	231	ptr += len_written;
	232	}
	233	len_written = snprintf(ptr, len_string,
	234	"tcp flags is ");
	235	len_string -= len_written;
	236	ptr += len_written;
	237	if (op[6] == 1) {
	238	ptr += snprintf(ptr, len_string,
	239	"not ");
	240	len_string -= len_written;
	241	ptr += len_written;
	242	}
	243	if (op[7] == 1) {
	244	ptr += snprintf(ptr, len_string,
	245	"exactly match ");
	246	len_string -= len_written;
	247	ptr += len_written;
	248	}
	249	ptr += snprintf(ptr, len_string,
	250	"%d", value);
	251	len_string -= len_written;
	252	ptr += len_written;
034cdee9 PG	253	break;
	254	case BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE:
	255	/* TODO : FS OPAQUE */
	256	break;
	257	case BGP_FLOWSPEC_VALIDATE_ONLY:
	258	default:
	259	/* no action */
	260	break;
	261	}
	262	offset += value_size;
	263	loop++;
	264	} while (op[0] == 0 && offset < max_len - 1);
	265	if (offset > max_len)
	266	*error = -1;
	267	/* use error parameter to count the number of entries */
	268	if (*error == 0)
	269	*error = loop;
	270	return offset;
	271	}
	272
	273	/*
	274	* handle the flowspec fragment type field
	275	* return error (returned values are invalid) or number of bytes analysed
	276	* -1 if error in decoding
	277	* >= 0 : number of bytes analysed (ok).
	278	*/
	279	int bgp_flowspec_fragment_type_decode(enum bgp_flowspec_util_nlri_t type,
	280	uint8_t *nlri_ptr,
	281	uint32_t max_len,
	282	void result, int error)
	283	{
	284	int op[8];
	285	int len, value, value_size, loop = 0;
	286	char ptr = (char )result; /* for return_string */
	287	uint32_t offset = 0;
362a06e3 PG	288	int len_string = BGP_FLOWSPEC_STRING_DISPLAY_MAX;
362a06e3 PG	289	int len_written;
034cdee9 PG	290
	291	*error = 0;
	292	do {
	293	hex2bin(&nlri_ptr[offset], op);
	294	offset++;
	295	len = 2 * op[2] + op[3];
	296	value_size = 1 << len;
	297	value = hexstr2num(&nlri_ptr[offset], value_size);
	298	if (value != 1 && value != 2 && value != 4 && value != 8)
	299	*error = -1;
	300	offset += value_size;
	301	/* TODO : as per RFC5574 : first Fragment bits are Reserved
	302	* does that mean that it is not possible
	303	* to handle multiple occurences ?
	304	* as of today, we only grab the first TCP fragment
	305	*/
	306	if (loop) {
	307	*error = -2;
	308	loop++;
	309	continue;
	310	}
	311	switch (type) {
	312	case BGP_FLOWSPEC_RETURN_STRING:
	313	switch (value) {
	314	case 1:
362a06e3 PG	315	len_written = snprintf(ptr, len_string,
	316	"dont-fragment");
	317	len_string -= len_written;
	318	ptr += len_written;
034cdee9 PG	319	break;
034cdee9 PG	320	case 2:
362a06e3 PG	321	len_written = snprintf(ptr, len_string,
	322	"is-fragment");
	323	len_string -= len_written;
	324	ptr += len_written;
034cdee9 PG	325	break;
034cdee9 PG	326	case 4:
362a06e3 PG	327	len_written = snprintf(ptr, len_string,
	328	"first-fragment");
	329	len_string -= len_written;
	330	ptr += len_written;
034cdee9 PG	331	break;
034cdee9 PG	332	case 8:
362a06e3 PG	333	len_written = snprintf(ptr, len_string,
	334	"last-fragment");
	335	len_string -= len_written;
	336	ptr += len_written;
034cdee9 PG	337	break;
	338	default:
	339	{}
	340	}
	341	break;
	342	case BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE:
	343	/* TODO : FS OPAQUE */
	344	break;
	345	case BGP_FLOWSPEC_VALIDATE_ONLY:
	346	default:
	347	/* no action */
	348	break;
	349	}
	350	loop++;
	351	} while (op[0] == 0 && offset < max_len - 1);
	352	if (offset > max_len)
	353	*error = -1;
	354	return offset;
	355	}
98a9dbc7 PG	356
	357
	358	static bool bgp_flowspec_contains_prefix(struct prefix *pfs,
	359	struct prefix *input,
	360	int prefix_check)
	361	{
	362	uint32_t offset = 0;
	363	int type;
	364	int ret = 0, error = 0;
	365	uint8_t nlri_content = (uint8_t )pfs->u.prefix_flowspec.ptr;
	366	size_t len = pfs->u.prefix_flowspec.prefixlen;
	367	struct prefix compare;
	368
	369	error = 0;
	370	while (offset < len-1 && error >= 0) {
	371	type = nlri_content[offset];
	372	offset++;
	373	switch (type) {
	374	case FLOWSPEC_DEST_PREFIX:
	375	case FLOWSPEC_SRC_PREFIX:
	376	memset(&compare, 0, sizeof(struct prefix));
	377	ret = bgp_flowspec_ip_address(
	378	BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE,
	379	nlri_content+offset,
	380	len - offset,
	381	&compare, &error);
	382	if (ret <= 0)
	383	break;
	384	if (prefix_check &&
	385	compare.prefixlen != input->prefixlen)
	386	break;
	387	if (compare.family != input->family)
	388	break;
	389	if ((input->family == AF_INET) &&
	390	IPV4_ADDR_SAME(&input->u.prefix4,
	391	&compare.u.prefix4))
	392	return true;
	393	if ((input->family == AF_INET6) &&
	394	IPV6_ADDR_SAME(&input->u.prefix6.s6_addr,
	395	&compare.u.prefix6.s6_addr))
	396	return true;
	397	break;
	398	case FLOWSPEC_IP_PROTOCOL:
	399	case FLOWSPEC_PORT:
	400	case FLOWSPEC_DEST_PORT:
	401	case FLOWSPEC_SRC_PORT:
	402	case FLOWSPEC_ICMP_TYPE:
	403	case FLOWSPEC_ICMP_CODE:
	404	ret = bgp_flowspec_op_decode(BGP_FLOWSPEC_VALIDATE_ONLY,
	405	nlri_content+offset,
	406	len - offset,
	407	NULL, &error);
	408	break;
	409	case FLOWSPEC_TCP_FLAGS:
	410	ret = bgp_flowspec_tcpflags_decode(
	411	BGP_FLOWSPEC_VALIDATE_ONLY,
	412	nlri_content+offset,
	413	len - offset,
	414	NULL, &error);
	415	break;
	416	case FLOWSPEC_PKT_LEN:
	417	case FLOWSPEC_DSCP:
	418	ret = bgp_flowspec_op_decode(
	419	BGP_FLOWSPEC_VALIDATE_ONLY,
420	nlri_content + offset,
421	len - offset, NULL,
422	&error);
423	break;
424	case FLOWSPEC_FRAGMENT:
425	ret = bgp_flowspec_fragment_type_decode(
426	BGP_FLOWSPEC_VALIDATE_ONLY,
427	nlri_content + offset,
428	len - offset, NULL,
429	&error);
430	break;
431	default:
432	error = -1;
433	break;
434	}
435	offset += ret;
436	}
437	return false;
438	}
439
440	struct bgp_node *bgp_flowspec_get_match_per_ip(afi_t afi,
441	struct bgp_table *rib,
442	struct prefix *match,
443	int prefix_check)
444	{
445	struct bgp_node *rn;
446	struct prefix *prefix;
447
448	for (rn = bgp_table_top(rib); rn; rn = bgp_route_next(rn)) {
449	prefix = &rn->p;
450
451	if (prefix->family != AF_FLOWSPEC)
452	continue;
453
454	if (bgp_flowspec_contains_prefix(prefix, match, prefix_check))
455	return rn;
456	}
457	return NULL;
458	}