Merge pull request #6242 from pguibert6WIND/flowspec_nlri_too_big
1 /* BGP FlowSpec for packet handling
2 * Portions:
3 * Copyright (C) 2017 ChinaTelecom SDN Group
4 * Copyright (C) 2018 6WIND
5 *
6 * FRRouting is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2, or (at your option) any
9 * later version.
10 *
11 * FRRouting is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; see the file COPYING; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
19 */
20
21 #include <zebra.h>
22 #include <math.h>
23
24 #include "prefix.h"
25 #include "lib_errors.h"
26
27 #include "bgpd/bgpd.h"
28 #include "bgpd/bgp_route.h"
29 #include "bgpd/bgp_flowspec.h"
30 #include "bgpd/bgp_flowspec_util.h"
31 #include "bgpd/bgp_flowspec_private.h"
32 #include "bgpd/bgp_ecommunity.h"
33 #include "bgpd/bgp_debug.h"
34 #include "bgpd/bgp_errors.h"
35
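/*
 * Validate the value part of one FlowSpec NLRI (the bytes after its length
 * field) without storing anything.
 *
 * The buffer is walked as a sequence of components: one type octet followed
 * by a type-specific value, which is handed to the matching decode helper in
 * BGP_FLOWSPEC_VALIDATE_ONLY mode.
 *
 * nlri_content: first byte of the NLRI value. The bytes originate from a BGP
 *               peer and must be treated as untrusted.
 * len:          number of bytes readable at nlri_content.
 *
 * Returns 0 when no component was rejected, a negative value when the NLRI
 * is empty, a component type is unknown, or a helper reported an error.
 */
static int bgp_fs_nlri_validate(uint8_t *nlri_content, uint32_t len)
{
	uint32_t offset = 0;
	int type;
	int ret = 0, error = 0;

	/*
	 * len is unsigned, so with len == 0 the "len - 1" in the loop
	 * condition wraps to UINT32_MAX and the loop would read past the
	 * end of the buffer. An NLRI without any component is rejected.
	 */
	if (len == 0)
		return -1;

	/*
	 * The loop stops one byte before the end: a lone trailing byte
	 * (a type octet with no value) is not examined.
	 */
	while (offset < len - 1) {
		type = nlri_content[offset];
		offset++;
		switch (type) {
		case FLOWSPEC_DEST_PREFIX:
		case FLOWSPEC_SRC_PREFIX:
			ret = bgp_flowspec_ip_address(
				BGP_FLOWSPEC_VALIDATE_ONLY,
				nlri_content + offset,
				len - offset, NULL, &error);
			break;
		/* Every numeric-operator component shares one decoder. */
		case FLOWSPEC_IP_PROTOCOL:
		case FLOWSPEC_PORT:
		case FLOWSPEC_DEST_PORT:
		case FLOWSPEC_SRC_PORT:
		case FLOWSPEC_ICMP_TYPE:
		case FLOWSPEC_ICMP_CODE:
		case FLOWSPEC_PKT_LEN:
		case FLOWSPEC_DSCP:
			ret = bgp_flowspec_op_decode(
				BGP_FLOWSPEC_VALIDATE_ONLY,
				nlri_content + offset,
				len - offset, NULL, &error);
			break;
		case FLOWSPEC_TCP_FLAGS:
		case FLOWSPEC_FRAGMENT:
			ret = bgp_flowspec_bitmask_decode(
				BGP_FLOWSPEC_VALIDATE_ONLY,
				nlri_content + offset,
				len - offset, NULL, &error);
			break;
		default:
			/* Unknown component type: the rest cannot be parsed. */
			error = -1;
			break;
		}
		/* Stop before touching offset: ret is meaningless on error. */
		if (error < 0)
			break;
		/*
		 * NOTE(review): ret is presumably the number of bytes the
		 * helper consumed; a helper returning 0 without setting
		 * error would keep this loop from advancing - confirm the
		 * helpers cannot do that.
		 */
		offset += ret;
	}
	return error;
}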
87
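/*
 * Parse the FlowSpec NLRIs carried in one BGP message and hand each of them
 * to bgp_update() or bgp_withdraw().
 *
 * peer:     peer the NLRIs were received from.
 * attr:     path attributes of the message; may be NULL (it is tested
 *           before use below).
 * packet:   NLRI buffer (packet->nlri, packet->length) with its afi/safi.
 *           The buffer content is peer-controlled.
 * withdraw: non-zero to withdraw the routes, zero to announce them.
 *
 * Returns BGP_NLRI_PARSE_OK when every NLRI was processed, otherwise one of
 * the BGP_NLRI_PARSE_ERROR* codes; parsing stops at the first failure.
 */
int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
			    struct bgp_nlri *packet, int withdraw)
{
	uint8_t *pnt;
	uint8_t *lim;
	afi_t afi;
	safi_t safi;
	int psize = 0;
	struct prefix p;
	int ret;
	void *temp;

	/* Start processing the NLRI - there may be multiple in the MP_REACH */
	pnt = packet->nlri;
	lim = pnt + packet->length;
	afi = packet->afi;
	safi = packet->safi;

	if (afi == AFI_IP6) {
		flog_err(EC_LIB_DEVELOPMENT, "BGP flowspec IPv6 not supported");
		return BGP_NLRI_PARSE_ERROR_FLOWSPEC_IPV6_NOT_SUPPORTED;
	}

	if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) {
		flog_err(EC_BGP_FLOWSPEC_PACKET,
			 "BGP flowspec nlri length maximum reached (%u)",
			 packet->length);
		return BGP_NLRI_PARSE_ERROR_FLOWSPEC_NLRI_SIZELIMIT;
	}

	for (; pnt < lim; pnt += psize) {
		/* Clear prefix structure. */
		memset(&p, 0, sizeof(struct prefix));

		/* All FlowSpec NLRI begin with length. */
		if (pnt + 1 > lim)
			return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;

		/*
		 * A first octet >= FLOWSPEC_NLRI_SIZELIMIT announces a
		 * two-octet length: its low nibble holds the high bits and
		 * the next octet the low bits.
		 */
		psize = *pnt++;
		if (psize >= FLOWSPEC_NLRI_SIZELIMIT) {
			/*
			 * The second length octet must still be inside the
			 * buffer; without this check a message ending right
			 * after the first octet is read one byte out of
			 * bounds.
			 */
			if (pnt >= lim) {
				flog_err(
					EC_BGP_FLOWSPEC_PACKET,
					"Flowspec NLRI extended length truncated");
				return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
			}
			psize &= 0x0f;
			psize = psize << 8;
			psize |= *pnt++;
		}
		/*
		 * A zero-length NLRI carries no component. It is rejected
		 * here so that neither the validation step nor the zero-byte
		 * allocation below ever sees an empty value.
		 */
		if (psize == 0) {
			flog_err(EC_BGP_FLOWSPEC_PACKET,
				 "Flowspec NLRI length 0 not accepted");
			return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
		}
		/*
		 * When packet overflow occur return immediately. The
		 * comparison is done on the remaining byte count so that no
		 * pointer beyond the end of the buffer is formed.
		 */
		if (psize > lim - pnt) {
			flog_err(
				EC_BGP_FLOWSPEC_PACKET,
				"Flowspec NLRI length inconsistent ( size %u seen)",
				psize);
			return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
		}
		if (bgp_fs_nlri_validate(pnt, psize) < 0) {
			flog_err(
				EC_BGP_FLOWSPEC_PACKET,
				"Bad flowspec format or NLRI options not supported");
			return BGP_NLRI_PARSE_ERROR_FLOWSPEC_BAD_FORMAT;
		}
		p.family = AF_FLOWSPEC;
		p.prefixlen = 0;
		/* Flowspec encoding is in bytes */
		p.u.prefix_flowspec.prefixlen = psize;
		/*
		 * NOTE(review): nothing in this function frees temp. Whether
		 * bgp_update()/bgp_withdraw() copy the prefix or keep this
		 * pointer is not visible here - confirm ownership; if they
		 * copy, this buffer leaks once per received NLRI.
		 */
		temp = XCALLOC(MTYPE_TMP, psize);
		memcpy(temp, pnt, psize);
		p.u.prefix_flowspec.ptr = (uintptr_t) temp;

		if (BGP_DEBUG(flowspec, FLOWSPEC)) {
			char return_string[BGP_FLOWSPEC_NLRI_STRING_MAX];
			char local_string[BGP_FLOWSPEC_NLRI_STRING_MAX*2+16];
			char ec_string[BGP_FLOWSPEC_NLRI_STRING_MAX];
			char *s = NULL;

			/*
			 * NOTE(review): no buffer size is passed along with
			 * return_string; this assumes the helper limits its
			 * output to BGP_FLOWSPEC_NLRI_STRING_MAX - confirm.
			 */
			bgp_fs_nlri_get_string((unsigned char *)
					       p.u.prefix_flowspec.ptr,
					       p.u.prefix_flowspec.prefixlen,
					       return_string,
					       NLRI_STRING_FORMAT_MIN, NULL);
			snprintf(ec_string, sizeof(ec_string),
				 "EC{none}");
			if (attr && attr->ecommunity) {
				s = ecommunity_ecom2str(attr->ecommunity,
						ECOMMUNITY_FORMAT_ROUTE_MAP, 0);
				snprintf(ec_string, sizeof(ec_string),
					 "EC{%s}",
					 s == NULL ? "none" : s);

				if (s)
					ecommunity_strfree(&s);
			}
			snprintf(local_string, sizeof(local_string),
				 "FS Rx %s %s %s %s", withdraw ?
				 "Withdraw":"Update",
				 afi2str(afi), return_string,
				 attr != NULL ? ec_string : "");
			/* Peer-derived text is logged through "%s" only. */
			zlog_info("%s", local_string);
		}
		/* Process the route. */
		if (!withdraw)
			ret = bgp_update(peer, &p, 0, attr,
					 afi, safi,
					 ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL,
					 NULL, NULL, 0, 0, NULL);
		else
			ret = bgp_withdraw(peer, &p, 0, attr,
					   afi, safi,
					   ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL,
					   NULL, NULL, 0, NULL);
		if (ret) {
			/*
			 * NOTE(review): the wording is chosen from attr, not
			 * from withdraw, which selected the call above.
			 */
			flog_err(EC_BGP_FLOWSPEC_INSTALLATION,
				 "Flowspec NLRI failed to be %s.",
				 attr ? "added" : "withdrawn");
			return BGP_NLRI_PARSE_ERROR;
		}
	}
	return BGP_NLRI_PARSE_OK;
}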