1 /* BGP FlowSpec for packet handling
2 * Portions:
3 * Copyright (C) 2017 ChinaTelecom SDN Group
4 * Copyright (C) 2018 6WIND
5 *
6 * FRRouting is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2, or (at your option) any
9 * later version.
10 *
11 * FRRouting is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; see the file COPYING; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
19 */
20
21 #include <zebra.h>
22 #include <math.h>
23
24 #include "prefix.h"
25 #include "lib_errors.h"
26
27 #include "bgpd/bgpd.h"
28 #include "bgpd/bgp_route.h"
29 #include "bgpd/bgp_flowspec.h"
30 #include "bgpd/bgp_flowspec_util.h"
31 #include "bgpd/bgp_flowspec_private.h"
32 #include "bgpd/bgp_ecommunity.h"
33 #include "bgpd/bgp_debug.h"
34 #include "bgpd/bgp_errors.h"
35
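/*
 * Walk the component list of a single FlowSpec NLRI and check that every
 * component decodes, without storing any of the decoded values.
 *
 * nlri_content: first byte of the NLRI value (after its length field)
 * len:          number of bytes available at nlri_content
 * afi:          address family the NLRI was received for
 *
 * Returns 0 when every component was accepted, a negative value otherwise
 * (unknown component type, Flow Label on AFI_IP, a decoder reporting an
 * error, or an empty NLRI).
 *
 * The bytes come straight from a BGP UPDATE sent by a peer, so they are
 * untrusted: every read must stay inside [nlri_content, nlri_content + len).
 */
static int bgp_fs_nlri_validate(uint8_t *nlri_content, uint32_t len,
				afi_t afi)
{
	uint32_t offset = 0;
	int type;
	int ret = 0, error = 0;

	/*
	 * len is unsigned, so "len - 1" in the loop condition wraps to
	 * UINT32_MAX when len is 0 and the loop would then read
	 * nlri_content[0], which lies outside the NLRI.  An NLRI without
	 * any component is rejected instead.
	 */
	if (len == 0)
		return -1;

	/*
	 * NOTE(review): the "len - 1" bound means a lone trailing type byte
	 * (offset == len - 1) is never examined and the NLRI is still
	 * accepted - confirm this leniency is intended.
	 */
	while (offset < len - 1) {
		type = nlri_content[offset];
		offset++;
		switch (type) {
		case FLOWSPEC_DEST_PREFIX:
		case FLOWSPEC_SRC_PREFIX:
			ret = bgp_flowspec_ip_address(
				BGP_FLOWSPEC_VALIDATE_ONLY,
				nlri_content + offset, len - offset, NULL,
				&error, afi, NULL);
			break;
		case FLOWSPEC_FLOW_LABEL:
			/* Flow Label is refused outright for AFI_IP. */
			if (afi == AFI_IP)
				return -1;
			ret = bgp_flowspec_op_decode(
				BGP_FLOWSPEC_VALIDATE_ONLY,
				nlri_content + offset, len - offset, NULL,
				&error);
			break;
		case FLOWSPEC_IP_PROTOCOL:
		case FLOWSPEC_PORT:
		case FLOWSPEC_DEST_PORT:
		case FLOWSPEC_SRC_PORT:
		case FLOWSPEC_ICMP_TYPE:
		case FLOWSPEC_ICMP_CODE:
		case FLOWSPEC_PKT_LEN:
		case FLOWSPEC_DSCP:
			ret = bgp_flowspec_op_decode(
				BGP_FLOWSPEC_VALIDATE_ONLY,
				nlri_content + offset, len - offset, NULL,
				&error);
			break;
		case FLOWSPEC_TCP_FLAGS:
		case FLOWSPEC_FRAGMENT:
			ret = bgp_flowspec_bitmask_decode(
				BGP_FLOWSPEC_VALIDATE_ONLY,
				nlri_content + offset, len - offset, NULL,
				&error);
			break;
		default:
			error = -1;
			break;
		}
		/*
		 * Stop before using the decoder's return value: what the
		 * helpers return on failure is not visible from this file.
		 */
		if (error < 0)
			break;
		offset += ret;
	}
	return error;
}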
96
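/*
 * Parse the FlowSpec NLRIs carried in one MP_REACH / MP_UNREACH attribute
 * and hand each of them to bgp_update() or bgp_withdraw().
 *
 * peer:     peer the UPDATE was received from
 * attr:     path attributes of the UPDATE (tested against NULL below)
 * packet:   NLRI buffer, its length and its afi/safi
 * withdraw: non-zero to withdraw the NLRIs, zero to announce them
 *
 * Returns BGP_NLRI_PARSE_OK when every NLRI was processed, otherwise one of
 * the BGP_NLRI_PARSE_ERROR* codes; parsing stops at the first failure.
 *
 * packet->nlri is attacker-influenced input from a BGP peer: each length
 * field is checked against the end of the buffer before it is trusted.
 */
int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
			    struct bgp_nlri *packet, int withdraw)
{
	uint8_t *pnt;
	uint8_t *lim;
	afi_t afi;
	safi_t safi;
	int psize = 0;
	struct prefix p;
	int ret;
	void *temp;

	/* Start processing the NLRI - there may be multiple in the MP_REACH */
	pnt = packet->nlri;
	lim = pnt + packet->length;
	afi = packet->afi;
	safi = packet->safi;

	if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) {
		flog_err(EC_BGP_FLOWSPEC_PACKET,
			 "BGP flowspec nlri length maximum reached (%u)",
			 packet->length);
		return BGP_NLRI_PARSE_ERROR_FLOWSPEC_NLRI_SIZELIMIT;
	}

	for (; pnt < lim; pnt += psize) {
		/* Clear prefix structure. */
		memset(&p, 0, sizeof(struct prefix));

		/* All FlowSpec NLRI begin with length. */
		if (lim - pnt < 1)
			return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;

		psize = *pnt++;
		if (psize >= FLOWSPEC_NLRI_SIZELIMIT) {
			/*
			 * Extended form: the low nibble of the first byte and
			 * a second byte make up the length.  That second byte
			 * must still be inside the buffer before it is read.
			 */
			if (lim - pnt < 1)
				return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
			psize &= 0x0f;
			psize = psize << 8;
			psize |= *pnt++;
		}
		/*
		 * A zero-length NLRI has no component to validate and would
		 * be passed on as an empty prefix; refuse it here rather than
		 * relying on the validator to cope with len == 0.
		 */
		if (psize == 0) {
			flog_err(
				EC_BGP_FLOWSPEC_PACKET,
				"Bad flowspec format or NLRI options not supported");
			return BGP_NLRI_PARSE_ERROR_FLOWSPEC_BAD_FORMAT;
		}
		/*
		 * When packet overflow occur return immediately.  Compare
		 * against the bytes left instead of forming pnt + psize,
		 * which may point past the end of the buffer.
		 */
		if (psize > lim - pnt) {
			flog_err(
				EC_BGP_FLOWSPEC_PACKET,
				"Flowspec NLRI length inconsistent ( size %u seen)",
				psize);
			return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
		}
		if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
			flog_err(
				EC_BGP_FLOWSPEC_PACKET,
				"Bad flowspec format or NLRI options not supported");
			return BGP_NLRI_PARSE_ERROR_FLOWSPEC_BAD_FORMAT;
		}
		p.family = AF_FLOWSPEC;
		p.prefixlen = 0;
		/* Flowspec encoding is in bytes */
		p.u.prefix_flowspec.prefixlen = psize;
		p.u.prefix_flowspec.family = afi2family(afi);
		/*
		 * NOTE(review): temp is never freed in this function.  Whether
		 * bgp_update()/bgp_withdraw() take ownership of the buffer or
		 * copy it is not visible here; if they copy, this leaks psize
		 * bytes per received NLRI, which a peer can drive at will.
		 * Confirm the ownership and free after the call if needed.
		 */
		temp = XCALLOC(MTYPE_TMP, psize);
		memcpy(temp, pnt, psize);
		p.u.prefix_flowspec.ptr = (uintptr_t) temp;

		if (BGP_DEBUG(flowspec, FLOWSPEC)) {
			char return_string[BGP_FLOWSPEC_NLRI_STRING_MAX];
			char local_string[BGP_FLOWSPEC_NLRI_STRING_MAX*2+16];
			char ec_string[BGP_FLOWSPEC_NLRI_STRING_MAX];
			char *s = NULL;

			/*
			 * NOTE(review): no buffer size is passed for
			 * return_string; presumably the callee bounds its
			 * output to BGP_FLOWSPEC_NLRI_STRING_MAX - verify.
			 */
			bgp_fs_nlri_get_string((unsigned char *)
					       p.u.prefix_flowspec.ptr,
					       p.u.prefix_flowspec.prefixlen,
					       return_string,
					       NLRI_STRING_FORMAT_MIN, NULL,
					       afi);
			snprintf(ec_string, sizeof(ec_string),
				 "EC{none}");
			if (attr && attr->ecommunity) {
				s = ecommunity_ecom2str(attr->ecommunity,
						ECOMMUNITY_FORMAT_ROUTE_MAP, 0);
				snprintf(ec_string, sizeof(ec_string),
					 "EC{%s}",
					 s == NULL ? "none" : s);

				if (s)
					ecommunity_strfree(&s);
			}
			snprintf(local_string, sizeof(local_string),
				 "FS Rx %s %s %s %s", withdraw ?
				 "Withdraw":"Update",
				 afi2str(afi), return_string,
				 attr != NULL ? ec_string : "");
			/* Peer-derived text is logged as data, never as the format. */
			zlog_info("%s", local_string);
		}
		/* Process the route. */
		if (!withdraw)
			ret = bgp_update(peer, &p, 0, attr,
					 afi, safi,
					 ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL,
					 NULL, NULL, 0, 0, NULL);
		else
			ret = bgp_withdraw(peer, &p, 0, attr,
					   afi, safi,
					   ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL,
					   NULL, NULL, 0, NULL);
		if (ret) {
			flog_err(EC_BGP_FLOWSPEC_INSTALLATION,
				 "Flowspec NLRI failed to be %s.",
				 attr ? "added" : "withdrawn");
			return BGP_NLRI_PARSE_ERROR;
		}
	}
	return BGP_NLRI_PARSE_OK;
}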