]> git.proxmox.com Git - mirror_frr.git/blob - bgpd/bgp_flowspec.c
projects / mirror_frr.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
bgpd: flowspec code support for ipv6
[mirror_frr.git] / bgpd / bgp_flowspec.c
1 /* BGP FlowSpec for packet handling
2 * Portions:
3 * Copyright (C) 2017 ChinaTelecom SDN Group
4 * Copyright (C) 2018 6WIND
5 *
6 * FRRouting is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2, or (at your option) any
9 * later version.
10 *
11 * FRRouting is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; see the file COPYING; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
19 */
20
21 #include <zebra.h>
22 #include <math.h>
23
24 #include "prefix.h"
25 #include "lib_errors.h"
26
27 #include "bgpd/bgpd.h"
28 #include "bgpd/bgp_route.h"
29 #include "bgpd/bgp_flowspec.h"
30 #include "bgpd/bgp_flowspec_util.h"
31 #include "bgpd/bgp_flowspec_private.h"
32 #include "bgpd/bgp_ecommunity.h"
33 #include "bgpd/bgp_debug.h"
34 #include "bgpd/bgp_errors.h"
35
36 static int bgp_fs_nlri_validate(uint8_t *nlri_content, uint32_t len,
37 afi_t afi)
38 {
39 uint32_t offset = 0;
40 int type;
41 int ret = 0, error = 0;
42
43 while (offset < len-1) {
44 type = nlri_content[offset];
45 offset++;
46 switch (type) {
47 case FLOWSPEC_DEST_PREFIX:
48 case FLOWSPEC_SRC_PREFIX:
49 ret = bgp_flowspec_ip_address(
50 BGP_FLOWSPEC_VALIDATE_ONLY,
51 nlri_content + offset,
52 len - offset, NULL, &error,
53 afi);
54 break;
55 case FLOWSPEC_IP_PROTOCOL:
56 case FLOWSPEC_PORT:
57 case FLOWSPEC_DEST_PORT:
58 case FLOWSPEC_SRC_PORT:
59 case FLOWSPEC_ICMP_TYPE:
60 case FLOWSPEC_ICMP_CODE:
61 ret = bgp_flowspec_op_decode(BGP_FLOWSPEC_VALIDATE_ONLY,
62 nlri_content + offset,
63 len - offset, NULL, &error);
64 break;
65 case FLOWSPEC_TCP_FLAGS:
66 case FLOWSPEC_FRAGMENT:
67 ret = bgp_flowspec_bitmask_decode(
68 BGP_FLOWSPEC_VALIDATE_ONLY,
69 nlri_content + offset,
70 len - offset, NULL, &error);
71 break;
72 case FLOWSPEC_PKT_LEN:
73 case FLOWSPEC_DSCP:
74 ret = bgp_flowspec_op_decode(
75 BGP_FLOWSPEC_VALIDATE_ONLY,
76 nlri_content + offset,
77 len - offset, NULL, &error);
78 break;
79 default:
80 error = -1;
81 break;
82 }
83 offset += ret;
84 if (error < 0)
85 break;
86 }
87 return error;
88 }
89
90 int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
91 struct bgp_nlri *packet, int withdraw)
92 {
93 uint8_t *pnt;
94 uint8_t *lim;
95 afi_t afi;
96 safi_t safi;
97 int psize = 0;
98 struct prefix p;
99 int ret;
100 void *temp;
101
102 /* Start processing the NLRI - there may be multiple in the MP_REACH */
103 pnt = packet->nlri;
104 lim = pnt + packet->length;
105 afi = packet->afi;
106 safi = packet->safi;
107
108 if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) {
109 flog_err(EC_BGP_FLOWSPEC_PACKET,
110 "BGP flowspec nlri length maximum reached (%u)",
111 packet->length);
112 return BGP_NLRI_PARSE_ERROR_FLOWSPEC_NLRI_SIZELIMIT;
113 }
114
115 for (; pnt < lim; pnt += psize) {
116 /* Clear prefix structure. */
117 memset(&p, 0, sizeof(struct prefix));
118
119 /* All FlowSpec NLRI begin with length. */
120 if (pnt + 1 > lim)
121 return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
122
123 psize = *pnt++;
124 if (psize >= FLOWSPEC_NLRI_SIZELIMIT) {
125 psize &= 0x0f;
126 psize = psize << 8;
127 psize |= *pnt++;
128 }
129 /* When packet overflow occur return immediately. */
130 if (pnt + psize > lim) {
131 flog_err(
132 EC_BGP_FLOWSPEC_PACKET,
133 "Flowspec NLRI length inconsistent ( size %u seen)",
134 psize);
135 return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
136 }
137 if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
138 flog_err(
139 EC_BGP_FLOWSPEC_PACKET,
140 "Bad flowspec format or NLRI options not supported");
141 return BGP_NLRI_PARSE_ERROR_FLOWSPEC_BAD_FORMAT;
142 }
143 p.family = AF_FLOWSPEC;
144 p.prefixlen = 0;
145 /* Flowspec encoding is in bytes */
146 p.u.prefix_flowspec.prefixlen = psize;
147 p.u.prefix_flowspec.family = afi2family(afi);
148 temp = XCALLOC(MTYPE_TMP, psize);
149 memcpy(temp, pnt, psize);
150 p.u.prefix_flowspec.ptr = (uintptr_t) temp;
151
152 if (BGP_DEBUG(flowspec, FLOWSPEC)) {
153 char return_string[BGP_FLOWSPEC_NLRI_STRING_MAX];
154 char local_string[BGP_FLOWSPEC_NLRI_STRING_MAX*2+16];
155 char ec_string[BGP_FLOWSPEC_NLRI_STRING_MAX];
156 char *s = NULL;
157
158 bgp_fs_nlri_get_string((unsigned char *)
159 p.u.prefix_flowspec.ptr,
160 p.u.prefix_flowspec.prefixlen,
161 return_string,
162 NLRI_STRING_FORMAT_MIN, NULL,
163 afi);
164 snprintf(ec_string, sizeof(ec_string),
165 "EC{none}");
166 if (attr && attr->ecommunity) {
167 s = ecommunity_ecom2str(attr->ecommunity,
168 ECOMMUNITY_FORMAT_ROUTE_MAP, 0);
169 snprintf(ec_string, sizeof(ec_string),
170 "EC{%s}",
171 s == NULL ? "none" : s);
172
173 if (s)
174 ecommunity_strfree(&s);
175 }
176 snprintf(local_string, sizeof(local_string),
177 "FS Rx %s %s %s %s", withdraw ?
178 "Withdraw":"Update",
179 afi2str(afi), return_string,
180 attr != NULL ? ec_string : "");
181 zlog_info("%s", local_string);
182 }
183 /* Process the route. */
184 if (!withdraw)
185 ret = bgp_update(peer, &p, 0, attr,
186 afi, safi,
187 ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL,
188 NULL, NULL, 0, 0, NULL);
189 else
190 ret = bgp_withdraw(peer, &p, 0, attr,
191 afi, safi,
192 ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL,
193 NULL, NULL, 0, NULL);
194 if (ret) {
195 flog_err(EC_BGP_FLOWSPEC_INSTALLATION,
196 "Flowspec NLRI failed to be %s.",
197 attr ? "added" : "withdrawn");
198 return BGP_NLRI_PARSE_ERROR;
199 }
200 }
201 return BGP_NLRI_PARSE_OK;
202 }
FRRouting mirror