[mirror_frr.git] / bgpd / bgp_flowspec_util.c

/* BGP FlowSpec Utilities
 * Portions:
 *     Copyright (C) 2017 ChinaTelecom SDN Group
 *     Copyright (C) 2018 6WIND
 *
 * FRRouting is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2, or (at your option) any
 * later version.
 *
 * FRRouting is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; see the file COPYING; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 */

#include "zebra.h"

#include "prefix.h"
#include "bgp_flowspec_util.h"

static void hex2bin(uint8_t *hex, int *bin)
{
	int remainder = *hex;
	int i = 0;

	while (remainder >= 1 && i < 8) {
		bin[7-i] = remainder % 2;
		remainder = remainder / 2;
		i++;
	}
	for (; i < 8; i++)
		bin[7-i] = 0;
}

static int hexstr2num(uint8_t *hexstr, int len)
{
	int i = 0;
	int num = 0;

	for (i = 0; i < len; i++)
		num = hexstr[i] + 16*16*num;
	return num;
}


/*
 * handle the flowspec address src/dst or generic address NLRI
 * return number of bytes analysed ( >= 0).
 */
int bgp_flowspec_ip_address(enum bgp_flowspec_util_nlri_t type,
			    uint8_t *nlri_ptr,
			    uint32_t max_len,
			    void *result, int *error)
{
	char *display = (char *)result; /* for return_string */
	struct prefix *prefix = (struct prefix *)result;
	uint32_t offset = 0;
	struct prefix prefix_local;
	int psize;

	*error = 0;
	memset(&prefix_local, 0, sizeof(struct prefix));
	/* read the prefix length */
	prefix_local.prefixlen = nlri_ptr[offset];
	psize = PSIZE(prefix_local.prefixlen);
	offset++;
	/* TODO Flowspec IPv6 Support */
	prefix_local.family = AF_INET;
	/* Prefix length check. */
	if (prefix_local.prefixlen > prefix_blen(&prefix_local) * 8)
		*error = -1;
	/* When packet overflow occur return immediately. */
	if (psize + offset > max_len)
		*error = -1;
	/* Defensive coding, double-check
	 * the psize fits in a struct prefix
	 */
	if (psize > (ssize_t)sizeof(prefix_local.u))
		*error = -1;
	memcpy(&prefix_local.u.prefix, &nlri_ptr[offset], psize);
	offset += psize;
	switch (type) {
	case BGP_FLOWSPEC_RETURN_STRING:
		prefix2str(&prefix_local, display,
			   BGP_FLOWSPEC_STRING_DISPLAY_MAX);
		break;
	case BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE:
		PREFIX_COPY_IPV4(prefix, &prefix_local)
		break;
	case BGP_FLOWSPEC_VALIDATE_ONLY:
	default:
		break;
	}
	return offset;
}

/*
 * handle the flowspec operator NLRI
 * return number of bytes analysed
 * if there is an error, the passed error param is used to give error:
 * -1 if decoding error,
 */
int bgp_flowspec_op_decode(enum bgp_flowspec_util_nlri_t type,
			   uint8_t *nlri_ptr,
			   uint32_t max_len,
			   void *result, int *error)
{
	int op[8];
	int len, value, value_size;
	int loop = 0;
	char *ptr = (char *)result; /* for return_string */
	uint32_t offset = 0;

	*error = 0;
	do {
		hex2bin(&nlri_ptr[offset], op);
		offset++;
		len = 2*op[2]+op[3];
		value_size = 1 << len;
		value = hexstr2num(&nlri_ptr[offset], value_size);
		/* can not be < and > at the same time */
		if (op[5] == 1 && op[6] == 1)
			*error = -1;
		/* if first element, AND bit can not be set */
		if (op[1] == 1 && loop == 0)
			*error = -1;
		switch (type) {
		case BGP_FLOWSPEC_RETURN_STRING:
			if (loop)
				ptr += sprintf(ptr, ", ");
			if (op[5] == 1)
				ptr += sprintf(ptr, "<");
			if (op[6] == 1)
				ptr += sprintf(ptr, ">");
			if (op[7] == 1)
				ptr += sprintf(ptr, "=");
			ptr += sprintf(ptr, " %d ", value);
			break;
		case BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE:
			/* TODO : FS OPAQUE */
			break;
		case BGP_FLOWSPEC_VALIDATE_ONLY:
		default:
			/* no action */
			break;
		}
		offset += value_size;
		loop++;
	} while (op[0] == 0 && offset < max_len - 1);
	if (offset > max_len)
		*error = -1;
	/* use error parameter to count the number of entries */
	if (*error == 0)
		*error = loop;
	return offset;
}


/*
 * handle the flowspec tcpflags field
 * return number of bytes analysed
 * if there is an error, the passed error param is used to give error:
 * -1 if decoding error,
 */
int bgp_flowspec_tcpflags_decode(enum bgp_flowspec_util_nlri_t type,
				 uint8_t *nlri_ptr,
				 uint32_t max_len,
				 void *result, int *error)
{
	int op[8];
	int len, value_size, loop = 0, value;
	char *ptr = (char *)result; /* for return_string */
	uint32_t offset = 0;

	*error = 0;
	do {
		hex2bin(&nlri_ptr[offset], op);
		/* if first element, AND bit can not be set */
		if (op[1] == 1 && loop == 0)
			*error = -1;
		offset++;
		len = 2 * op[2] + op[3];
		value_size = 1 << len;
		value = hexstr2num(&nlri_ptr[offset], value_size);
		switch (type) {
		case BGP_FLOWSPEC_RETURN_STRING:
			if (op[1] == 1 && loop != 0)
				ptr += sprintf(ptr, ", and ");
			else if (op[1] == 0 && loop != 0)
				ptr += sprintf(ptr, ", or ");
			ptr += sprintf(ptr, "tcp flags is ");
			if (op[6] == 1)
				ptr += sprintf(ptr, "not ");
			if (op[7] == 1)
				ptr += sprintf(ptr, "exactly match ");
			ptr += sprintf(ptr, "%d", value);
			break;
		case BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE:
			/* TODO : FS OPAQUE */
			break;
		case BGP_FLOWSPEC_VALIDATE_ONLY:
		default:
			/* no action */
			break;
		}
		offset += value_size;
		loop++;
	} while (op[0] == 0 && offset < max_len - 1);
	if (offset > max_len)
		*error = -1;
	/* use error parameter to count the number of entries */
	if (*error == 0)
		*error = loop;
	return offset;
}

/*
 * handle the flowspec fragment type field
 * return error (returned values are invalid) or number of bytes analysed
 * -1 if error in decoding
 * >= 0 : number of bytes analysed (ok).
 */
int bgp_flowspec_fragment_type_decode(enum bgp_flowspec_util_nlri_t type,
				      uint8_t *nlri_ptr,
				      uint32_t max_len,
				      void *result, int *error)
{
	int op[8];
	int len, value, value_size, loop = 0;
	char *ptr = (char *)result; /* for return_string */
	uint32_t offset = 0;

	*error = 0;
	do {
		hex2bin(&nlri_ptr[offset], op);
		offset++;
		len = 2 * op[2] + op[3];
		value_size = 1 << len;
		value = hexstr2num(&nlri_ptr[offset], value_size);
		if (value != 1 && value != 2 && value != 4 && value != 8)
			*error = -1;
		offset += value_size;
		/* TODO : as per RFC5574 : first Fragment bits are Reserved
		 * does that mean that it is not possible
		 * to handle multiple occurences ?
		 * as of today, we only grab the first TCP fragment
		 */
		if (loop) {
			*error = -2;
			loop++;
			continue;
		}
		switch (type) {
		case BGP_FLOWSPEC_RETURN_STRING:
			switch (value) {
			case 1:
				ptr += sprintf(ptr, "dont-fragment");
				break;
			case 2:
				ptr += sprintf(ptr, "is-fragment");
				break;
			case 4:
				ptr += sprintf(ptr, "first-fragment");
				break;
			case 8:
				ptr += sprintf(ptr, "last-fragment");
				break;
			default:
				{}
			}
			break;
		case BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE:
			/* TODO : FS OPAQUE */
			break;
		case BGP_FLOWSPEC_VALIDATE_ONLY:
		default:
			/* no action */
			break;
		}
		loop++;
	} while (op[0] == 0 && offset < max_len - 1);
	if (offset > max_len)
		*error = -1;
	return offset;
}
Commit	Line	Data
034cdee9 PG	1	/* BGP FlowSpec Utilities
	2	* Portions:
	3	* Copyright (C) 2017 ChinaTelecom SDN Group
	4	* Copyright (C) 2018 6WIND
	5	*
	6	* FRRouting is free software; you can redistribute it and/or modify it
	7	* under the terms of the GNU General Public License as published by the
	8	* Free Software Foundation; either version 2, or (at your option) any
	9	* later version.
	10	*
	11	* FRRouting is distributed in the hope that it will be useful, but
	12	* WITHOUT ANY WARRANTY; without even the implied warranty of
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	* General Public License for more details.
	15	*
	16	* You should have received a copy of the GNU General Public License along
	17	* with this program; see the file COPYING; if not, write to the Free Software
	18	* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
	19	*/
	20
	21	#include "zebra.h"
	22
	23	#include "prefix.h"
	24	#include "bgp_flowspec_util.h"
	25
	26	static void hex2bin(uint8_t hex, int bin)
	27	{
	28	int remainder = *hex;
	29	int i = 0;
	30
	31	while (remainder >= 1 && i < 8) {
	32	bin[7-i] = remainder % 2;
	33	remainder = remainder / 2;
	34	i++;
	35	}
	36	for (; i < 8; i++)
	37	bin[7-i] = 0;
	38	}
	39
	40	static int hexstr2num(uint8_t *hexstr, int len)
	41	{
	42	int i = 0;
	43	int num = 0;
	44
	45	for (i = 0; i < len; i++)
	46	num = hexstr[i] + 1616num;
	47	return num;
	48	}
	49
	50
	51	/*
	52	* handle the flowspec address src/dst or generic address NLRI
	53	* return number of bytes analysed ( >= 0).
	54	*/
	55	int bgp_flowspec_ip_address(enum bgp_flowspec_util_nlri_t type,
	56	uint8_t *nlri_ptr,
	57	uint32_t max_len,
	58	void result, int error)
	59	{
	60	char display = (char )result; /* for return_string */
	61	struct prefix prefix = (struct prefix )result;
	62	uint32_t offset = 0;
	63	struct prefix prefix_local;
	64	int psize;
65
66	*error = 0;
67	memset(&prefix_local, 0, sizeof(struct prefix));
68	/* read the prefix length */
69	prefix_local.prefixlen = nlri_ptr[offset];
70	psize = PSIZE(prefix_local.prefixlen);
71	offset++;
72	/* TODO Flowspec IPv6 Support */
73	prefix_local.family = AF_INET;
74	/* Prefix length check. */
75	if (prefix_local.prefixlen > prefix_blen(&prefix_local) * 8)
76	*error = -1;
77	/* When packet overflow occur return immediately. */
78	if (psize + offset > max_len)
79	*error = -1;
80	/* Defensive coding, double-check
81	* the psize fits in a struct prefix
82	*/
83	if (psize > (ssize_t)sizeof(prefix_local.u))
84	*error = -1;
85	memcpy(&prefix_local.u.prefix, &nlri_ptr[offset], psize);
86	offset += psize;
87	switch (type) {
88	case BGP_FLOWSPEC_RETURN_STRING:
89	prefix2str(&prefix_local, display,
90	BGP_FLOWSPEC_STRING_DISPLAY_MAX);
91	break;
92	case BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE:
93	PREFIX_COPY_IPV4(prefix, &prefix_local)
94	break;
95	case BGP_FLOWSPEC_VALIDATE_ONLY:
96	default:
97	break;
98	}
99	return offset;
100	}
101
102	/*
103	* handle the flowspec operator NLRI
104	* return number of bytes analysed
105	* if there is an error, the passed error param is used to give error:
106	* -1 if decoding error,
107	*/
108	int bgp_flowspec_op_decode(enum bgp_flowspec_util_nlri_t type,
109	uint8_t *nlri_ptr,
110	uint32_t max_len,
111	void result, int error)
112	{
113	int op[8];
114	int len, value, value_size;
115	int loop = 0;
116	char ptr = (char )result; /* for return_string */
117	uint32_t offset = 0;
118
119	*error = 0;
120	do {
121	hex2bin(&nlri_ptr[offset], op);
122	offset++;
123	len = 2*op[2]+op[3];
124	value_size = 1 << len;
125	value = hexstr2num(&nlri_ptr[offset], value_size);
126	/* can not be < and > at the same time */
127	if (op[5] == 1 && op[6] == 1)
128	*error = -1;
129	/* if first element, AND bit can not be set */
130	if (op[1] == 1 && loop == 0)
131	*error = -1;
132	switch (type) {
133	case BGP_FLOWSPEC_RETURN_STRING:
134	if (loop)
135	ptr += sprintf(ptr, ", ");
136	if (op[5] == 1)
137	ptr += sprintf(ptr, "<");
138	if (op[6] == 1)
139	ptr += sprintf(ptr, ">");
140	if (op[7] == 1)
141	ptr += sprintf(ptr, "=");
142	ptr += sprintf(ptr, " %d ", value);
143	break;
144	case BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE:
145	/* TODO : FS OPAQUE */
146	break;
147	case BGP_FLOWSPEC_VALIDATE_ONLY:
148	default:
149	/* no action */
150	break;
151	}
152	offset += value_size;
153	loop++;
154	} while (op[0] == 0 && offset < max_len - 1);
155	if (offset > max_len)
156	*error = -1;
157	/* use error parameter to count the number of entries */
158	if (*error == 0)
159	*error = loop;
160	return offset;
161	}
162
163
164	/*
165	* handle the flowspec tcpflags field
166	* return number of bytes analysed
167	* if there is an error, the passed error param is used to give error:
168	* -1 if decoding error,
169	*/
170	int bgp_flowspec_tcpflags_decode(enum bgp_flowspec_util_nlri_t type,
171	uint8_t *nlri_ptr,
172	uint32_t max_len,
173	void result, int error)
174	{
175	int op[8];
176	int len, value_size, loop = 0, value;
177	char ptr = (char )result; /* for return_string */
178	uint32_t offset = 0;
179
180	*error = 0;
181	do {
182	hex2bin(&nlri_ptr[offset], op);
183	/* if first element, AND bit can not be set */
184	if (op[1] == 1 && loop == 0)
185	*error = -1;
186	offset++;
187	len = 2 * op[2] + op[3];
188	value_size = 1 << len;
189	value = hexstr2num(&nlri_ptr[offset], value_size);
190	switch (type) {
191	case BGP_FLOWSPEC_RETURN_STRING:
192	if (op[1] == 1 && loop != 0)
193	ptr += sprintf(ptr, ", and ");
194	else if (op[1] == 0 && loop != 0)
195	ptr += sprintf(ptr, ", or ");
196	ptr += sprintf(ptr, "tcp flags is ");
197	if (op[6] == 1)
198	ptr += sprintf(ptr, "not ");
199	if (op[7] == 1)
200	ptr += sprintf(ptr, "exactly match ");
201	ptr += sprintf(ptr, "%d", value);
202	break;
203	case BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE:
204	/* TODO : FS OPAQUE */
205	break;
206	case BGP_FLOWSPEC_VALIDATE_ONLY:
207	default:
208	/* no action */
209	break;
210	}
211	offset += value_size;
212	loop++;
213	} while (op[0] == 0 && offset < max_len - 1);
214	if (offset > max_len)
215	*error = -1;
216	/* use error parameter to count the number of entries */
217	if (*error == 0)
218	*error = loop;
219	return offset;
220	}
221
222	/*
223	* handle the flowspec fragment type field
224	* return error (returned values are invalid) or number of bytes analysed
225	* -1 if error in decoding
226	* >= 0 : number of bytes analysed (ok).
227	*/
228	int bgp_flowspec_fragment_type_decode(enum bgp_flowspec_util_nlri_t type,
229	uint8_t *nlri_ptr,
230	uint32_t max_len,
231	void result, int error)
232	{
233	int op[8];
234	int len, value, value_size, loop = 0;
235	char ptr = (char )result; /* for return_string */
236	uint32_t offset = 0;
237
238	*error = 0;
239	do {
240	hex2bin(&nlri_ptr[offset], op);
241	offset++;
242	len = 2 * op[2] + op[3];
243	value_size = 1 << len;
244	value = hexstr2num(&nlri_ptr[offset], value_size);
245	if (value != 1 && value != 2 && value != 4 && value != 8)
246	*error = -1;
247	offset += value_size;
248	/* TODO : as per RFC5574 : first Fragment bits are Reserved
249	* does that mean that it is not possible
250	* to handle multiple occurences ?
251	* as of today, we only grab the first TCP fragment
252	*/
253	if (loop) {
254	*error = -2;
255	loop++;
256	continue;
257	}
258	switch (type) {
259	case BGP_FLOWSPEC_RETURN_STRING:
260	switch (value) {
261	case 1:
262	ptr += sprintf(ptr, "dont-fragment");
263	break;
264	case 2:
265	ptr += sprintf(ptr, "is-fragment");
266	break;
267	case 4:
268	ptr += sprintf(ptr, "first-fragment");
269	break;
270	case 8:
271	ptr += sprintf(ptr, "last-fragment");
272	break;
273	default:
274	{}
275	}
276	break;
277	case BGP_FLOWSPEC_CONVERT_TO_NON_OPAQUE:
278	/* TODO : FS OPAQUE */
279	break;
280	case BGP_FLOWSPEC_VALIDATE_ONLY:
281	default:
282	/* no action */
283	break;
284	}
285	loop++;
286	} while (op[0] == 0 && offset < max_len - 1);
287	if (offset > max_len)
288	*error = -1;
289	return offset;
290	}