]> git.proxmox.com Git - mirror_frr.git/blob - bgpd/bgp_pbr.c
projects / mirror_frr.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #2726 from sworleys/Netlink-Filter-AFI
[mirror_frr.git] / bgpd / bgp_pbr.c
1 /*
2 * BGP pbr
3 * Copyright (C) 6WIND
4 *
5 * FRR is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2, or (at your option) any
8 * later version.
9 *
10 * FRR is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License along
16 * with this program; see the file COPYING; if not, write to the Free Software
17 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
18 */
19
20 #include "zebra.h"
21 #include "prefix.h"
22 #include "zclient.h"
23 #include "jhash.h"
24 #include "pbr.h"
25
26 #include "bgpd/bgpd.h"
27 #include "bgpd/bgp_pbr.h"
28 #include "bgpd/bgp_debug.h"
29 #include "bgpd/bgp_flowspec_util.h"
30 #include "bgpd/bgp_ecommunity.h"
31 #include "bgpd/bgp_route.h"
32 #include "bgpd/bgp_attr.h"
33 #include "bgpd/bgp_zebra.h"
34 #include "bgpd/bgp_mplsvpn.h"
35 #include "bgpd/bgp_flowspec_private.h"
36
37 DEFINE_MTYPE_STATIC(BGPD, PBR_MATCH_ENTRY, "PBR match entry")
38 DEFINE_MTYPE_STATIC(BGPD, PBR_MATCH, "PBR match")
39 DEFINE_MTYPE_STATIC(BGPD, PBR_ACTION, "PBR action")
40 DEFINE_MTYPE_STATIC(BGPD, PBR, "BGP PBR Context")
41 DEFINE_MTYPE_STATIC(BGPD, PBR_VALMASK, "BGP PBR Val Mask Value")
42
43 RB_GENERATE(bgp_pbr_interface_head, bgp_pbr_interface,
44 id_entry, bgp_pbr_interface_compare);
45 struct bgp_pbr_interface_head ifaces_by_name_ipv4 =
46 RB_INITIALIZER(&ifaces_by_name_ipv4);
47
48 static int bgp_pbr_match_counter_unique;
49 static int bgp_pbr_match_entry_counter_unique;
50 static int bgp_pbr_action_counter_unique;
51 static int bgp_pbr_match_iptable_counter_unique;
52
53 struct bgp_pbr_match_iptable_unique {
54 uint32_t unique;
55 struct bgp_pbr_match *bpm_found;
56 };
57
58 struct bgp_pbr_match_entry_unique {
59 uint32_t unique;
60 struct bgp_pbr_match_entry *bpme_found;
61 };
62
63 struct bgp_pbr_action_unique {
64 uint32_t unique;
65 struct bgp_pbr_action *bpa_found;
66 };
67
68 static int bgp_pbr_action_walkcb(struct hash_backet *backet, void *arg)
69 {
70 struct bgp_pbr_action *bpa = (struct bgp_pbr_action *)backet->data;
71 struct bgp_pbr_action_unique *bpau = (struct bgp_pbr_action_unique *)
72 arg;
73 uint32_t unique = bpau->unique;
74
75 if (bpa->unique == unique) {
76 bpau->bpa_found = bpa;
77 return HASHWALK_ABORT;
78 }
79 return HASHWALK_CONTINUE;
80 }
81
82 static int bgp_pbr_match_entry_walkcb(struct hash_backet *backet, void *arg)
83 {
84 struct bgp_pbr_match_entry *bpme =
85 (struct bgp_pbr_match_entry *)backet->data;
86 struct bgp_pbr_match_entry_unique *bpmeu =
87 (struct bgp_pbr_match_entry_unique *)arg;
88 uint32_t unique = bpmeu->unique;
89
90 if (bpme->unique == unique) {
91 bpmeu->bpme_found = bpme;
92 return HASHWALK_ABORT;
93 }
94 return HASHWALK_CONTINUE;
95 }
96
97 struct bgp_pbr_match_ipsetname {
98 char *ipsetname;
99 struct bgp_pbr_match *bpm_found;
100 };
101
102 static int bgp_pbr_match_pername_walkcb(struct hash_backet *backet, void *arg)
103 {
104 struct bgp_pbr_match *bpm = (struct bgp_pbr_match *)backet->data;
105 struct bgp_pbr_match_ipsetname *bpmi =
106 (struct bgp_pbr_match_ipsetname *)arg;
107 char *ipset_name = bpmi->ipsetname;
108
109 if (!strncmp(ipset_name, bpm->ipset_name,
110 ZEBRA_IPSET_NAME_SIZE)) {
111 bpmi->bpm_found = bpm;
112 return HASHWALK_ABORT;
113 }
114 return HASHWALK_CONTINUE;
115 }
116
117 static int bgp_pbr_match_iptable_walkcb(struct hash_backet *backet, void *arg)
118 {
119 struct bgp_pbr_match *bpm = (struct bgp_pbr_match *)backet->data;
120 struct bgp_pbr_match_iptable_unique *bpmiu =
121 (struct bgp_pbr_match_iptable_unique *)arg;
122 uint32_t unique = bpmiu->unique;
123
124 if (bpm->unique2 == unique) {
125 bpmiu->bpm_found = bpm;
126 return HASHWALK_ABORT;
127 }
128 return HASHWALK_CONTINUE;
129 }
130
131 struct bgp_pbr_match_unique {
132 uint32_t unique;
133 struct bgp_pbr_match *bpm_found;
134 };
135
136 static int bgp_pbr_match_walkcb(struct hash_backet *backet, void *arg)
137 {
138 struct bgp_pbr_match *bpm = (struct bgp_pbr_match *)backet->data;
139 struct bgp_pbr_match_unique *bpmu = (struct bgp_pbr_match_unique *)
140 arg;
141 uint32_t unique = bpmu->unique;
142
143 if (bpm->unique == unique) {
144 bpmu->bpm_found = bpm;
145 return HASHWALK_ABORT;
146 }
147 return HASHWALK_CONTINUE;
148 }
149
150 static int sprintf_bgp_pbr_match_val(char *str, struct bgp_pbr_match_val *mval,
151 const char *prepend)
152 {
153 char *ptr = str;
154
155 if (prepend)
156 ptr += sprintf(ptr, "%s", prepend);
157 else {
158 if (mval->unary_operator & OPERATOR_UNARY_OR)
159 ptr += sprintf(ptr, ", or ");
160 if (mval->unary_operator & OPERATOR_UNARY_AND)
161 ptr += sprintf(ptr, ", and ");
162 }
163 if (mval->compare_operator & OPERATOR_COMPARE_LESS_THAN)
164 ptr += sprintf(ptr, "<");
165 if (mval->compare_operator & OPERATOR_COMPARE_GREATER_THAN)
166 ptr += sprintf(ptr, ">");
167 if (mval->compare_operator & OPERATOR_COMPARE_EQUAL_TO)
168 ptr += sprintf(ptr, "=");
169 if (mval->compare_operator & OPERATOR_COMPARE_EXACT_MATCH)
170 ptr += sprintf(ptr, "match");
171 ptr += sprintf(ptr, " %u", mval->value);
172 return (int)(ptr - str);
173 }
174
175 #define INCREMENT_DISPLAY(_ptr, _cnt) do { \
176 if (_cnt) \
177 (_ptr) += sprintf((_ptr), "; "); \
178 _cnt++; \
179 } while (0)
180
181 /* this structure can be used for port range,
182 * but also for other values range like packet length range
183 */
184 struct bgp_pbr_range_port {
185 uint16_t min_port;
186 uint16_t max_port;
187 };
188
189 /* this structure can be used to filter with a mask
190 * for instance it supports not instructions like for
191 * tcpflags
192 */
193 struct bgp_pbr_val_mask {
194 uint16_t val;
195 uint16_t mask;
196 };
197
198 /* this structure is used to pass instructs
199 * so that BGP can create pbr instructions to ZEBRA
200 */
201 struct bgp_pbr_filter {
202 vrf_id_t vrf_id;
203 struct prefix *src;
204 struct prefix *dst;
205 uint8_t protocol;
206 struct bgp_pbr_range_port *pkt_len;
207 struct bgp_pbr_range_port *src_port;
208 struct bgp_pbr_range_port *dst_port;
209 struct bgp_pbr_val_mask *tcp_flags;
210 struct bgp_pbr_val_mask *dscp;
211 struct bgp_pbr_val_mask *pkt_len_val;
212 struct bgp_pbr_val_mask *fragment;
213 };
214
215 /* this structure is used to contain OR instructions
216 * so that BGP can create multiple pbr instructions
217 * to ZEBRA
218 */
219 struct bgp_pbr_or_filter {
220 struct list *tcpflags;
221 struct list *dscp;
222 struct list *pkt_len;
223 struct list *fragment;
224 struct list *icmp_type;
225 struct list *icmp_code;
226 };
227
228 static void bgp_pbr_policyroute_add_to_zebra_unit(struct bgp *bgp,
229 struct bgp_info *binfo,
230 struct bgp_pbr_filter *bpf,
231 struct nexthop *nh,
232 float *rate);
233
234 static void bgp_pbr_dump_entry(struct bgp_pbr_filter *bpf, bool add);
235
236 static bool bgp_pbr_extract_enumerate_unary_opposite(
237 uint8_t unary_operator,
238 struct bgp_pbr_val_mask *and_valmask,
239 struct list *or_valmask, uint32_t value,
240 uint8_t type_entry)
241 {
242 if (unary_operator == OPERATOR_UNARY_AND && and_valmask) {
243 if (type_entry == FLOWSPEC_TCP_FLAGS) {
244 and_valmask->mask |=
245 TCP_HEADER_ALL_FLAGS &
246 ~(value);
247 } else if (type_entry == FLOWSPEC_DSCP ||
248 type_entry == FLOWSPEC_PKT_LEN ||
249 type_entry == FLOWSPEC_FRAGMENT) {
250 and_valmask->val = value;
251 and_valmask->mask = 1; /* inverse */
252 }
253 } else if (unary_operator == OPERATOR_UNARY_OR && or_valmask) {
254 and_valmask = XCALLOC(MTYPE_PBR_VALMASK,
255 sizeof(struct bgp_pbr_val_mask));
256 if (type_entry == FLOWSPEC_TCP_FLAGS) {
257 and_valmask->val = TCP_HEADER_ALL_FLAGS;
258 and_valmask->mask |=
259 TCP_HEADER_ALL_FLAGS &
260 ~(value);
261 } else if (type_entry == FLOWSPEC_DSCP ||
262 type_entry == FLOWSPEC_FRAGMENT ||
263 type_entry == FLOWSPEC_PKT_LEN) {
264 and_valmask->val = value;
265 and_valmask->mask = 1; /* inverse */
266 }
267 listnode_add(or_valmask, and_valmask);
268 } else if (type_entry == FLOWSPEC_ICMP_CODE ||
269 type_entry == FLOWSPEC_ICMP_TYPE)
270 return false;
271 return true;
272 }
273
274 /* TCP : FIN and SYN -> val = ALL; mask = 3
275 * TCP : not (FIN and SYN) -> val = ALL; mask = ALL & ~(FIN|RST)
276 * other variables type: dscp, pkt len, fragment
277 * - value is copied in bgp_pbr_val_mask->val value
278 * - if negate form is identifierd, bgp_pbr_val_mask->mask set to 1
279 */
280 static bool bgp_pbr_extract_enumerate_unary(struct bgp_pbr_match_val list[],
281 int num, uint8_t unary_operator,
282 void *valmask, uint8_t type_entry)
283 {
284 int i = 0;
285 struct bgp_pbr_val_mask *and_valmask = NULL;
286 struct list *or_valmask = NULL;
287 bool ret;
288
289 if (valmask) {
290 if (unary_operator == OPERATOR_UNARY_AND) {
291 and_valmask = (struct bgp_pbr_val_mask *)valmask;
292 memset(and_valmask, 0, sizeof(struct bgp_pbr_val_mask));
293 } else if (unary_operator == OPERATOR_UNARY_OR) {
294 or_valmask = (struct list *)valmask;
295 }
296 }
297 for (i = 0; i < num; i++) {
298 if (i != 0 && list[i].unary_operator !=
299 unary_operator)
300 return false;
301 if (!(list[i].compare_operator &
302 OPERATOR_COMPARE_EQUAL_TO) &&
303 !(list[i].compare_operator &
304 OPERATOR_COMPARE_EXACT_MATCH)) {
305 if ((list[i].compare_operator &
306 OPERATOR_COMPARE_LESS_THAN) &&
307 (list[i].compare_operator &
308 OPERATOR_COMPARE_GREATER_THAN)) {
309 ret = bgp_pbr_extract_enumerate_unary_opposite(
310 unary_operator, and_valmask,
311 or_valmask, list[i].value,
312 type_entry);
313 if (ret == false)
314 return ret;
315 continue;
316 }
317 return false;
318 }
319 if (unary_operator == OPERATOR_UNARY_AND && and_valmask) {
320 if (type_entry == FLOWSPEC_TCP_FLAGS)
321 and_valmask->mask |=
322 TCP_HEADER_ALL_FLAGS & list[i].value;
323 } else if (unary_operator == OPERATOR_UNARY_OR && or_valmask) {
324 and_valmask = XCALLOC(MTYPE_PBR_VALMASK,
325 sizeof(struct bgp_pbr_val_mask));
326 if (type_entry == FLOWSPEC_TCP_FLAGS) {
327 and_valmask->val = TCP_HEADER_ALL_FLAGS;
328 and_valmask->mask |=
329 TCP_HEADER_ALL_FLAGS & list[i].value;
330 } else if (type_entry == FLOWSPEC_DSCP ||
331 type_entry == FLOWSPEC_ICMP_TYPE ||
332 type_entry == FLOWSPEC_ICMP_CODE ||
333 type_entry == FLOWSPEC_FRAGMENT ||
334 type_entry == FLOWSPEC_PKT_LEN)
335 and_valmask->val = list[i].value;
336 listnode_add(or_valmask, and_valmask);
337 }
338 }
339 if (unary_operator == OPERATOR_UNARY_AND && and_valmask
340 && type_entry == FLOWSPEC_TCP_FLAGS)
341 and_valmask->val = TCP_HEADER_ALL_FLAGS;
342 return true;
343 }
344
345 /* if unary operator can either be UNARY_OR/AND/OR-AND.
346 * in the latter case, combinationf of both is not handled
347 */
348 static bool bgp_pbr_extract_enumerate(struct bgp_pbr_match_val list[],
349 int num, uint8_t unary_operator,
350 void *valmask, uint8_t type_entry)
351 {
352 bool ret;
353 uint8_t unary_operator_val;
354 bool double_check = false;
355
356 if ((unary_operator & OPERATOR_UNARY_OR) &&
357 (unary_operator & OPERATOR_UNARY_AND)) {
358 unary_operator_val = OPERATOR_UNARY_AND;
359 double_check = true;
360 } else
361 unary_operator_val = unary_operator;
362 ret = bgp_pbr_extract_enumerate_unary(list, num, unary_operator_val,
363 valmask, type_entry);
364 if (!ret && double_check)
365 ret = bgp_pbr_extract_enumerate_unary(list, num,
366 OPERATOR_UNARY_OR,
367 valmask,
368 type_entry);
369 return ret;
370 }
371
372 /* returns the unary operator that is in the list
373 * return 0 if both operators are used
374 */
375 static uint8_t bgp_pbr_match_val_get_operator(struct bgp_pbr_match_val list[],
376 int num)
377
378 {
379 int i;
380 uint8_t unary_operator = OPERATOR_UNARY_AND;
381
382 for (i = 0; i < num; i++) {
383 if (i == 0)
384 continue;
385 if (list[i].unary_operator & OPERATOR_UNARY_OR)
386 unary_operator = OPERATOR_UNARY_OR;
387 if ((list[i].unary_operator & OPERATOR_UNARY_AND
388 && unary_operator == OPERATOR_UNARY_OR) ||
389 (list[i].unary_operator & OPERATOR_UNARY_OR
390 && unary_operator == OPERATOR_UNARY_AND))
391 return 0;
392 }
393 return unary_operator;
394 }
395
396
397 /* return true if extraction ok
398 */
399 static bool bgp_pbr_extract(struct bgp_pbr_match_val list[],
400 int num,
401 struct bgp_pbr_range_port *range)
402 {
403 int i = 0;
404 bool exact_match = false;
405
406 if (range)
407 memset(range, 0, sizeof(struct bgp_pbr_range_port));
408
409 if (num > 2)
410 return false;
411 for (i = 0; i < num; i++) {
412 if (i != 0 && (list[i].compare_operator ==
413 OPERATOR_COMPARE_EQUAL_TO))
414 return false;
415 if (i == 0 && (list[i].compare_operator ==
416 OPERATOR_COMPARE_EQUAL_TO)) {
417 if (range)
418 range->min_port = list[i].value;
419 exact_match = true;
420 }
421 if (exact_match == true && i > 0)
422 return false;
423 if (list[i].compare_operator ==
424 (OPERATOR_COMPARE_GREATER_THAN +
425 OPERATOR_COMPARE_EQUAL_TO)) {
426 if (range)
427 range->min_port = list[i].value;
428 } else if (list[i].compare_operator ==
429 (OPERATOR_COMPARE_LESS_THAN +
430 OPERATOR_COMPARE_EQUAL_TO)) {
431 if (range)
432 range->max_port = list[i].value;
433 } else if (list[i].compare_operator ==
434 OPERATOR_COMPARE_LESS_THAN) {
435 if (range)
436 range->max_port = list[i].value - 1;
437 } else if (list[i].compare_operator ==
438 OPERATOR_COMPARE_GREATER_THAN) {
439 if (range)
440 range->min_port = list[i].value + 1;
441 }
442 }
443 return true;
444 }
445
446 static int bgp_pbr_validate_policy_route(struct bgp_pbr_entry_main *api)
447 {
448 bool enumerate_icmp = false;
449
450 /* because bgp pbr entry may contain unsupported
451 * combinations, a message will be displayed here if
452 * not supported.
453 * for now, only match/set supported is
454 * - combination src/dst => redirect nexthop [ + rate]
455 * - combination src/dst => redirect VRF [ + rate]
456 * - combination src/dst => drop
457 * - combination srcport + @IP
458 */
459 if (api->match_protocol_num > 1) {
460 if (BGP_DEBUG(pbr, PBR))
461 zlog_debug("BGP: match protocol operations:"
462 "multiple protocols ( %d). ignoring.",
463 api->match_protocol_num);
464 return 0;
465 }
466 if (api->match_protocol_num == 1 &&
467 api->protocol[0].value != PROTOCOL_UDP &&
468 api->protocol[0].value != PROTOCOL_ICMP &&
469 api->protocol[0].value != PROTOCOL_TCP) {
470 if (BGP_DEBUG(pbr, PBR))
471 zlog_debug("BGP: match protocol operations:"
472 "protocol (%d) not supported. ignoring",
473 api->match_protocol_num);
474 return 0;
475 }
476 if (!bgp_pbr_extract(api->src_port, api->match_src_port_num, NULL)) {
477 if (BGP_DEBUG(pbr, PBR))
478 zlog_debug("BGP: match src port operations:"
479 "too complex. ignoring.");
480 return 0;
481 }
482 if (!bgp_pbr_extract(api->dst_port, api->match_dst_port_num, NULL)) {
483 if (BGP_DEBUG(pbr, PBR))
484 zlog_debug("BGP: match dst port operations:"
485 "too complex. ignoring.");
486 return 0;
487 }
488 if (!bgp_pbr_extract_enumerate(api->tcpflags,
489 api->match_tcpflags_num,
490 OPERATOR_UNARY_AND |
491 OPERATOR_UNARY_OR, NULL,
492 FLOWSPEC_TCP_FLAGS)) {
493 if (BGP_DEBUG(pbr, PBR))
494 zlog_debug("BGP: match tcp flags:"
495 "too complex. ignoring.");
496 return 0;
497 }
498 if (!bgp_pbr_extract(api->icmp_type, api->match_icmp_type_num, NULL)) {
499 if (!bgp_pbr_extract_enumerate(api->icmp_type,
500 api->match_icmp_type_num,
501 OPERATOR_UNARY_OR, NULL,
502 FLOWSPEC_ICMP_TYPE)) {
503 if (BGP_DEBUG(pbr, PBR))
504 zlog_debug("BGP: match icmp type operations:"
505 "too complex. ignoring.");
506 return 0;
507 }
508 enumerate_icmp = true;
509 }
510 if (!bgp_pbr_extract(api->icmp_code, api->match_icmp_code_num, NULL)) {
511 if (!bgp_pbr_extract_enumerate(api->icmp_code,
512 api->match_icmp_code_num,
513 OPERATOR_UNARY_OR, NULL,
514 FLOWSPEC_ICMP_CODE)) {
515 if (BGP_DEBUG(pbr, PBR))
516 zlog_debug("BGP: match icmp code operations:"
517 "too complex. ignoring.");
518 return 0;
519 } else if (api->match_icmp_type_num > 1 &&
520 enumerate_icmp == false) {
521 if (BGP_DEBUG(pbr, PBR))
522 zlog_debug("BGP: match icmp code is enumerate"
523 ", and icmp type is not."
524 " too complex. ignoring.");
525 return 0;
526 }
527 }
528 if (!bgp_pbr_extract(api->port, api->match_port_num, NULL)) {
529 if (BGP_DEBUG(pbr, PBR))
530 zlog_debug("BGP: match port operations:"
531 "too complex. ignoring.");
532 return 0;
533 }
534 if (api->match_packet_length_num) {
535 bool ret;
536
537 ret = bgp_pbr_extract(api->packet_length,
538 api->match_packet_length_num, NULL);
539 if (!ret)
540 ret = bgp_pbr_extract_enumerate(api->packet_length,
541 api->match_packet_length_num,
542 OPERATOR_UNARY_OR
543 | OPERATOR_UNARY_AND,
544 NULL, FLOWSPEC_PKT_LEN);
545 if (!ret) {
546 if (BGP_DEBUG(pbr, PBR))
547 zlog_debug("BGP: match packet length operations:"
548 "too complex. ignoring.");
549 return 0;
550 }
551 }
552 if (api->match_dscp_num) {
553 if (!bgp_pbr_extract_enumerate(api->dscp, api->match_dscp_num,
554 OPERATOR_UNARY_OR | OPERATOR_UNARY_AND,
555 NULL, FLOWSPEC_DSCP)) {
556 if (BGP_DEBUG(pbr, PBR))
557 zlog_debug("BGP: match DSCP operations:"
558 "too complex. ignoring.");
559 return 0;
560 }
561 }
562 if (api->match_fragment_num) {
563 char fail_str[64];
564 bool success;
565
566 success = bgp_pbr_extract_enumerate(api->fragment,
567 api->match_fragment_num,
568 OPERATOR_UNARY_OR
569 | OPERATOR_UNARY_AND,
570 NULL, FLOWSPEC_FRAGMENT);
571 if (success) {
572 int i;
573
574 for (i = 0; i < api->match_fragment_num; i++) {
575 if (api->fragment[i].value != 1 &&
576 api->fragment[i].value != 2 &&
577 api->fragment[i].value != 4 &&
578 api->fragment[i].value != 8) {
579 success = false;
580 sprintf(fail_str,
581 "Value not valid (%d) for this implementation",
582 api->fragment[i].value);
583 }
584 }
585 } else
586 sprintf(fail_str, "too complex. ignoring");
587 if (!success) {
588 if (BGP_DEBUG(pbr, PBR))
589 zlog_debug("BGP: match fragment operation (%d) %s",
590 api->match_fragment_num,
591 fail_str);
592 return 0;
593 }
594 }
595
596 /* no combinations with both src_port and dst_port
597 * or port with src_port and dst_port
598 */
599 if (api->match_src_port_num + api->match_dst_port_num +
600 api->match_port_num > 3) {
601 if (BGP_DEBUG(pbr, PBR))
602 zlog_debug("BGP: match multiple port operations:"
603 " too complex. ignoring.");
604 return 0;
605 }
606 if ((api->match_src_port_num || api->match_dst_port_num
607 || api->match_port_num) && (api->match_icmp_type_num
608 || api->match_icmp_code_num)) {
609 if (BGP_DEBUG(pbr, PBR))
610 zlog_debug("BGP: match multiple port/imcp operations:"
611 " too complex. ignoring.");
612 return 0;
613 }
614 if (!(api->match_bitmask & PREFIX_SRC_PRESENT) &&
615 !(api->match_bitmask & PREFIX_DST_PRESENT)) {
616 if (BGP_DEBUG(pbr, PBR)) {
617 bgp_pbr_print_policy_route(api);
618 zlog_debug("BGP: match actions without src"
619 " or dst address can not operate."
620 " ignoring.");
621 }
622 return 0;
623 }
624 return 1;
625 }
626
627 /* return -1 if build or validation failed */
628 static int bgp_pbr_build_and_validate_entry(struct prefix *p,
629 struct bgp_info *info,
630 struct bgp_pbr_entry_main *api)
631 {
632 int ret;
633 int i, action_count = 0;
634 struct ecommunity *ecom;
635 struct ecommunity_val *ecom_eval;
636 struct bgp_pbr_entry_action *api_action;
637 struct prefix *src = NULL, *dst = NULL;
638 int valid_prefix = 0;
639 afi_t afi = AFI_IP;
640
641 /* extract match from flowspec entries */
642 ret = bgp_flowspec_match_rules_fill((uint8_t *)p->u.prefix_flowspec.ptr,
643 p->u.prefix_flowspec.prefixlen, api);
644 if (ret < 0)
645 return -1;
646 /* extract actiosn from flowspec ecom list */
647 if (info && info->attr && info->attr->ecommunity) {
648 ecom = info->attr->ecommunity;
649 for (i = 0; i < ecom->size; i++) {
650 ecom_eval = (struct ecommunity_val *)
651 (ecom->val + (i * ECOMMUNITY_SIZE));
652 action_count++;
653 if (action_count > ACTIONS_MAX_NUM) {
654 if (BGP_DEBUG(pbr, PBR_ERROR))
655 zlog_err("%s: flowspec actions exceeds limit (max %u)",
656 __func__, action_count);
657 break;
658 }
659 api_action = &api->actions[action_count - 1];
660
661 if ((ecom_eval->val[1] ==
662 (char)ECOMMUNITY_REDIRECT_VRF) &&
663 (ecom_eval->val[0] ==
664 (char)ECOMMUNITY_ENCODE_TRANS_EXP ||
665 ecom_eval->val[0] ==
666 (char)ECOMMUNITY_EXTENDED_COMMUNITY_PART_2 ||
667 ecom_eval->val[0] ==
668 (char)ECOMMUNITY_EXTENDED_COMMUNITY_PART_3)) {
669 struct ecommunity *eckey = ecommunity_new();
670 struct ecommunity_val ecom_copy;
671
672 memcpy(&ecom_copy, ecom_eval,
673 sizeof(struct ecommunity_val));
674 ecom_copy.val[0] &=
675 ~ECOMMUNITY_ENCODE_TRANS_EXP;
676 ecom_copy.val[1] = ECOMMUNITY_ROUTE_TARGET;
677 ecommunity_add_val(eckey, &ecom_copy);
678
679 api_action->action = ACTION_REDIRECT;
680 api_action->u.redirect_vrf =
681 get_first_vrf_for_redirect_with_rt(
682 eckey);
683 ecommunity_free(&eckey);
684 } else if ((ecom_eval->val[0] ==
685 (char)ECOMMUNITY_ENCODE_REDIRECT_IP_NH) &&
686 (ecom_eval->val[1] ==
687 (char)ECOMMUNITY_REDIRECT_IP_NH)) {
688 api_action->action = ACTION_REDIRECT_IP;
689 api_action->u.zr.redirect_ip_v4.s_addr =
690 info->attr->nexthop.s_addr;
691 api_action->u.zr.duplicate = ecom_eval->val[7];
692 } else {
693 if (ecom_eval->val[0] !=
694 (char)ECOMMUNITY_ENCODE_TRANS_EXP)
695 continue;
696 ret = ecommunity_fill_pbr_action(ecom_eval,
697 api_action);
698 if (ret != 0)
699 continue;
700 }
701 api->action_num++;
702 }
703 }
704
705 /* validate if incoming matc/action is compatible
706 * with our policy routing engine
707 */
708 if (!bgp_pbr_validate_policy_route(api))
709 return -1;
710
711 /* check inconsistency in the match rule */
712 if (api->match_bitmask & PREFIX_SRC_PRESENT) {
713 src = &api->src_prefix;
714 afi = family2afi(src->family);
715 valid_prefix = 1;
716 }
717 if (api->match_bitmask & PREFIX_DST_PRESENT) {
718 dst = &api->dst_prefix;
719 if (valid_prefix && afi != family2afi(dst->family)) {
720 if (BGP_DEBUG(pbr, PBR)) {
721 bgp_pbr_print_policy_route(api);
722 zlog_debug("%s: inconsistency:"
723 " no match for afi src and dst (%u/%u)",
724 __func__, afi, family2afi(dst->family));
725 }
726 return -1;
727 }
728 }
729 return 0;
730 }
731
732 static void bgp_pbr_match_entry_free(void *arg)
733 {
734 struct bgp_pbr_match_entry *bpme;
735
736 bpme = (struct bgp_pbr_match_entry *)arg;
737
738 if (bpme->installed) {
739 bgp_send_pbr_ipset_entry_match(bpme, false);
740 bpme->installed = false;
741 bpme->backpointer = NULL;
742 }
743 XFREE(MTYPE_PBR_MATCH_ENTRY, bpme);
744 }
745
746 static void bgp_pbr_match_free(void *arg)
747 {
748 struct bgp_pbr_match *bpm;
749
750 bpm = (struct bgp_pbr_match *)arg;
751
752 hash_clean(bpm->entry_hash, bgp_pbr_match_entry_free);
753
754 if (hashcount(bpm->entry_hash) == 0) {
755 /* delete iptable entry first */
756 /* then delete ipset match */
757 if (bpm->installed) {
758 if (bpm->installed_in_iptable) {
759 bgp_send_pbr_iptable(bpm->action,
760 bpm, false);
761 bpm->installed_in_iptable = false;
762 bpm->action->refcnt--;
763 }
764 bgp_send_pbr_ipset_match(bpm, false);
765 bpm->installed = false;
766 bpm->action = NULL;
767 }
768 }
769 hash_free(bpm->entry_hash);
770
771 XFREE(MTYPE_PBR_MATCH, bpm);
772 }
773
774 static void *bgp_pbr_match_alloc_intern(void *arg)
775 {
776 struct bgp_pbr_match *bpm, *new;
777
778 bpm = (struct bgp_pbr_match *)arg;
779
780 new = XCALLOC(MTYPE_PBR_MATCH, sizeof(*new));
781 memcpy(new, bpm, sizeof(*bpm));
782
783 return new;
784 }
785
786 static void bgp_pbr_action_free(void *arg)
787 {
788 struct bgp_pbr_action *bpa;
789
790 bpa = (struct bgp_pbr_action *)arg;
791
792 if (bpa->refcnt == 0) {
793 if (bpa->installed && bpa->table_id != 0) {
794 bgp_send_pbr_rule_action(bpa, false);
795 bgp_zebra_announce_default(bpa->bgp, &(bpa->nh),
796 AFI_IP,
797 bpa->table_id,
798 false);
799 bpa->installed = false;
800 }
801 }
802 XFREE(MTYPE_PBR_ACTION, bpa);
803 }
804
805 static void *bgp_pbr_action_alloc_intern(void *arg)
806 {
807 struct bgp_pbr_action *bpa, *new;
808
809 bpa = (struct bgp_pbr_action *)arg;
810
811 new = XCALLOC(MTYPE_PBR_ACTION, sizeof(*new));
812
813 memcpy(new, bpa, sizeof(*bpa));
814
815 return new;
816 }
817
818 static void *bgp_pbr_match_entry_alloc_intern(void *arg)
819 {
820 struct bgp_pbr_match_entry *bpme, *new;
821
822 bpme = (struct bgp_pbr_match_entry *)arg;
823
824 new = XCALLOC(MTYPE_PBR_MATCH_ENTRY, sizeof(*new));
825
826 memcpy(new, bpme, sizeof(*bpme));
827
828 return new;
829 }
830
831 uint32_t bgp_pbr_match_hash_key(void *arg)
832 {
833 struct bgp_pbr_match *pbm = (struct bgp_pbr_match *)arg;
834 uint32_t key;
835
836 key = jhash_1word(pbm->vrf_id, 0x4312abde);
837 key = jhash_1word(pbm->flags, key);
838 key = jhash(&pbm->pkt_len_min, 2, key);
839 key = jhash(&pbm->pkt_len_max, 2, key);
840 key = jhash(&pbm->tcp_flags, 2, key);
841 key = jhash(&pbm->tcp_mask_flags, 2, key);
842 key = jhash(&pbm->dscp_value, 1, key);
843 key = jhash(&pbm->fragment, 1, key);
844 return jhash_1word(pbm->type, key);
845 }
846
847 int bgp_pbr_match_hash_equal(const void *arg1, const void *arg2)
848 {
849 const struct bgp_pbr_match *r1, *r2;
850
851 r1 = (const struct bgp_pbr_match *)arg1;
852 r2 = (const struct bgp_pbr_match *)arg2;
853
854 if (r1->vrf_id != r2->vrf_id)
855 return 0;
856
857 if (r1->type != r2->type)
858 return 0;
859
860 if (r1->flags != r2->flags)
861 return 0;
862
863 if (r1->action != r2->action)
864 return 0;
865
866 if (r1->pkt_len_min != r2->pkt_len_min)
867 return 0;
868
869 if (r1->pkt_len_max != r2->pkt_len_max)
870 return 0;
871
872 if (r1->tcp_flags != r2->tcp_flags)
873 return 0;
874
875 if (r1->tcp_mask_flags != r2->tcp_mask_flags)
876 return 0;
877
878 if (r1->dscp_value != r2->dscp_value)
879 return 0;
880
881 if (r1->fragment != r2->fragment)
882 return 0;
883 return 1;
884 }
885
886 uint32_t bgp_pbr_match_entry_hash_key(void *arg)
887 {
888 struct bgp_pbr_match_entry *pbme;
889 uint32_t key;
890
891 pbme = (struct bgp_pbr_match_entry *)arg;
892 key = prefix_hash_key(&pbme->src);
893 key = jhash_1word(prefix_hash_key(&pbme->dst), key);
894 key = jhash(&pbme->dst_port_min, 2, key);
895 key = jhash(&pbme->src_port_min, 2, key);
896 key = jhash(&pbme->dst_port_max, 2, key);
897 key = jhash(&pbme->src_port_max, 2, key);
898 key = jhash(&pbme->proto, 1, key);
899
900 return key;
901 }
902
903 int bgp_pbr_match_entry_hash_equal(const void *arg1, const void *arg2)
904 {
905 const struct bgp_pbr_match_entry *r1, *r2;
906
907 r1 = (const struct bgp_pbr_match_entry *)arg1;
908 r2 = (const struct bgp_pbr_match_entry *)arg2;
909
910 /* on updates, comparing
911 * backpointer is not necessary
912 */
913
914 /* unique value is self calculated
915 */
916
917 /* rate is ignored for now
918 */
919
920 if (!prefix_same(&r1->src, &r2->src))
921 return 0;
922
923 if (!prefix_same(&r1->dst, &r2->dst))
924 return 0;
925
926 if (r1->src_port_min != r2->src_port_min)
927 return 0;
928
929 if (r1->dst_port_min != r2->dst_port_min)
930 return 0;
931
932 if (r1->src_port_max != r2->src_port_max)
933 return 0;
934
935 if (r1->dst_port_max != r2->dst_port_max)
936 return 0;
937
938 if (r1->proto != r2->proto)
939 return 0;
940
941 return 1;
942 }
943
944 uint32_t bgp_pbr_action_hash_key(void *arg)
945 {
946 struct bgp_pbr_action *pbra;
947 uint32_t key;
948
949 pbra = (struct bgp_pbr_action *)arg;
950 key = jhash_1word(pbra->table_id, 0x4312abde);
951 key = jhash_1word(pbra->fwmark, key);
952 return key;
953 }
954
955 int bgp_pbr_action_hash_equal(const void *arg1, const void *arg2)
956 {
957 const struct bgp_pbr_action *r1, *r2;
958
959 r1 = (const struct bgp_pbr_action *)arg1;
960 r2 = (const struct bgp_pbr_action *)arg2;
961
962 /* unique value is self calculated
963 * table and fwmark is self calculated
964 * rate is ignored
965 */
966 if (r1->vrf_id != r2->vrf_id)
967 return 0;
968
969 if (memcmp(&r1->nh, &r2->nh, sizeof(struct nexthop)))
970 return 0;
971 return 1;
972 }
973
974 struct bgp_pbr_action *bgp_pbr_action_rule_lookup(vrf_id_t vrf_id,
975 uint32_t unique)
976 {
977 struct bgp *bgp = bgp_lookup_by_vrf_id(vrf_id);
978 struct bgp_pbr_action_unique bpau;
979
980 if (!bgp || unique == 0)
981 return NULL;
982 bpau.unique = unique;
983 bpau.bpa_found = NULL;
984 hash_walk(bgp->pbr_action_hash, bgp_pbr_action_walkcb, &bpau);
985 return bpau.bpa_found;
986 }
987
988 struct bgp_pbr_match *bgp_pbr_match_ipset_lookup(vrf_id_t vrf_id,
989 uint32_t unique)
990 {
991 struct bgp *bgp = bgp_lookup_by_vrf_id(vrf_id);
992 struct bgp_pbr_match_unique bpmu;
993
994 if (!bgp || unique == 0)
995 return NULL;
996 bpmu.unique = unique;
997 bpmu.bpm_found = NULL;
998 hash_walk(bgp->pbr_match_hash, bgp_pbr_match_walkcb, &bpmu);
999 return bpmu.bpm_found;
1000 }
1001
1002 struct bgp_pbr_match_entry *bgp_pbr_match_ipset_entry_lookup(vrf_id_t vrf_id,
1003 char *ipset_name,
1004 uint32_t unique)
1005 {
1006 struct bgp *bgp = bgp_lookup_by_vrf_id(vrf_id);
1007 struct bgp_pbr_match_entry_unique bpmeu;
1008 struct bgp_pbr_match_ipsetname bpmi;
1009
1010 if (!bgp || unique == 0)
1011 return NULL;
1012 bpmi.ipsetname = XCALLOC(MTYPE_TMP, ZEBRA_IPSET_NAME_SIZE);
1013 snprintf(bpmi.ipsetname, ZEBRA_IPSET_NAME_SIZE, "%s", ipset_name);
1014 bpmi.bpm_found = NULL;
1015 hash_walk(bgp->pbr_match_hash, bgp_pbr_match_pername_walkcb, &bpmi);
1016 XFREE(MTYPE_TMP, bpmi.ipsetname);
1017 if (!bpmi.bpm_found)
1018 return NULL;
1019 bpmeu.bpme_found = NULL;
1020 bpmeu.unique = unique;
1021 hash_walk(bpmi.bpm_found->entry_hash,
1022 bgp_pbr_match_entry_walkcb, &bpmeu);
1023 return bpmeu.bpme_found;
1024 }
1025
1026 struct bgp_pbr_match *bgp_pbr_match_iptable_lookup(vrf_id_t vrf_id,
1027 uint32_t unique)
1028 {
1029 struct bgp *bgp = bgp_lookup_by_vrf_id(vrf_id);
1030 struct bgp_pbr_match_iptable_unique bpmiu;
1031
1032 if (!bgp || unique == 0)
1033 return NULL;
1034 bpmiu.unique = unique;
1035 bpmiu.bpm_found = NULL;
1036 hash_walk(bgp->pbr_match_hash, bgp_pbr_match_iptable_walkcb, &bpmiu);
1037 return bpmiu.bpm_found;
1038 }
1039
1040 void bgp_pbr_cleanup(struct bgp *bgp)
1041 {
1042 if (bgp->pbr_match_hash) {
1043 hash_clean(bgp->pbr_match_hash, bgp_pbr_match_free);
1044 hash_free(bgp->pbr_match_hash);
1045 bgp->pbr_match_hash = NULL;
1046 }
1047 if (bgp->pbr_action_hash) {
1048 hash_clean(bgp->pbr_action_hash, bgp_pbr_action_free);
1049 hash_free(bgp->pbr_action_hash);
1050 bgp->pbr_action_hash = NULL;
1051 }
1052 if (bgp->bgp_pbr_cfg == NULL)
1053 return;
1054 bgp_pbr_reset(bgp, AFI_IP);
1055 XFREE(MTYPE_PBR, bgp->bgp_pbr_cfg);
1056 bgp->bgp_pbr_cfg = NULL;
1057 }
1058
1059 void bgp_pbr_init(struct bgp *bgp)
1060 {
1061 bgp->pbr_match_hash =
1062 hash_create_size(8, bgp_pbr_match_hash_key,
1063 bgp_pbr_match_hash_equal,
1064 "Match Hash");
1065 bgp->pbr_action_hash =
1066 hash_create_size(8, bgp_pbr_action_hash_key,
1067 bgp_pbr_action_hash_equal,
1068 "Match Hash Entry");
1069
1070 bgp->bgp_pbr_cfg = XCALLOC(MTYPE_PBR, sizeof(struct bgp_pbr_config));
1071 bgp->bgp_pbr_cfg->pbr_interface_any_ipv4 = true;
1072 }
1073
1074 void bgp_pbr_print_policy_route(struct bgp_pbr_entry_main *api)
1075 {
1076 int i = 0;
1077 char return_string[512];
1078 char *ptr = return_string;
1079 char buff[64];
1080 int nb_items = 0;
1081
1082 ptr += sprintf(ptr, "MATCH : ");
1083 if (api->match_bitmask & PREFIX_SRC_PRESENT) {
1084 struct prefix *p = &(api->src_prefix);
1085
1086 ptr += sprintf(ptr, "@src %s", prefix2str(p, buff, 64));
1087 INCREMENT_DISPLAY(ptr, nb_items);
1088 }
1089 if (api->match_bitmask & PREFIX_DST_PRESENT) {
1090 struct prefix *p = &(api->dst_prefix);
1091
1092 INCREMENT_DISPLAY(ptr, nb_items);
1093 ptr += sprintf(ptr, "@dst %s", prefix2str(p, buff, 64));
1094 }
1095
1096 if (api->match_protocol_num)
1097 INCREMENT_DISPLAY(ptr, nb_items);
1098 for (i = 0; i < api->match_protocol_num; i++)
1099 ptr += sprintf_bgp_pbr_match_val(ptr, &api->protocol[i],
1100 i > 0 ? NULL : "@proto ");
1101
1102 if (api->match_src_port_num)
1103 INCREMENT_DISPLAY(ptr, nb_items);
1104 for (i = 0; i < api->match_src_port_num; i++)
1105 ptr += sprintf_bgp_pbr_match_val(ptr, &api->src_port[i],
1106 i > 0 ? NULL : "@srcport ");
1107
1108 if (api->match_dst_port_num)
1109 INCREMENT_DISPLAY(ptr, nb_items);
1110 for (i = 0; i < api->match_dst_port_num; i++)
1111 ptr += sprintf_bgp_pbr_match_val(ptr, &api->dst_port[i],
1112 i > 0 ? NULL : "@dstport ");
1113
1114 if (api->match_port_num)
1115 INCREMENT_DISPLAY(ptr, nb_items);
1116 for (i = 0; i < api->match_port_num; i++)
1117 ptr += sprintf_bgp_pbr_match_val(ptr, &api->port[i],
1118 i > 0 ? NULL : "@port ");
1119
1120 if (api->match_icmp_type_num)
1121 INCREMENT_DISPLAY(ptr, nb_items);
1122 for (i = 0; i < api->match_icmp_type_num; i++)
1123 ptr += sprintf_bgp_pbr_match_val(ptr, &api->icmp_type[i],
1124 i > 0 ? NULL : "@icmptype ");
1125
1126 if (api->match_icmp_code_num)
1127 INCREMENT_DISPLAY(ptr, nb_items);
1128 for (i = 0; i < api->match_icmp_code_num; i++)
1129 ptr += sprintf_bgp_pbr_match_val(ptr, &api->icmp_code[i],
1130 i > 0 ? NULL : "@icmpcode ");
1131
1132 if (api->match_packet_length_num)
1133 INCREMENT_DISPLAY(ptr, nb_items);
1134 for (i = 0; i < api->match_packet_length_num; i++)
1135 ptr += sprintf_bgp_pbr_match_val(ptr, &api->packet_length[i],
1136 i > 0 ? NULL : "@plen ");
1137
1138 if (api->match_dscp_num)
1139 INCREMENT_DISPLAY(ptr, nb_items);
1140 for (i = 0; i < api->match_dscp_num; i++)
1141 ptr += sprintf_bgp_pbr_match_val(ptr, &api->dscp[i],
1142 i > 0 ? NULL : "@dscp ");
1143
1144 if (api->match_tcpflags_num)
1145 INCREMENT_DISPLAY(ptr, nb_items);
1146 for (i = 0; i < api->match_tcpflags_num; i++)
1147 ptr += sprintf_bgp_pbr_match_val(ptr, &api->tcpflags[i],
1148 i > 0 ? NULL : "@tcpflags ");
1149
1150 if (api->match_fragment_num)
1151 INCREMENT_DISPLAY(ptr, nb_items);
1152 for (i = 0; i < api->match_fragment_num; i++)
1153 ptr += sprintf_bgp_pbr_match_val(ptr, &api->fragment[i],
1154 i > 0 ? NULL : "@fragment ");
1155 if (!nb_items)
1156 ptr = return_string;
1157 else
1158 ptr += sprintf(ptr, "; ");
1159 if (api->action_num)
1160 ptr += sprintf(ptr, "SET : ");
1161 nb_items = 0;
1162 for (i = 0; i < api->action_num; i++) {
1163 switch (api->actions[i].action) {
1164 case ACTION_TRAFFICRATE:
1165 INCREMENT_DISPLAY(ptr, nb_items);
1166 ptr += sprintf(ptr, "@set rate %f",
1167 api->actions[i].u.r.rate);
1168 break;
1169 case ACTION_TRAFFIC_ACTION:
1170 INCREMENT_DISPLAY(ptr, nb_items);
1171 ptr += sprintf(ptr, "@action ");
1172 if (api->actions[i].u.za.filter
1173 & TRAFFIC_ACTION_TERMINATE)
1174 ptr += sprintf(ptr,
1175 " terminate (apply filter(s))");
1176 if (api->actions[i].u.za.filter
1177 & TRAFFIC_ACTION_DISTRIBUTE)
1178 ptr += sprintf(ptr, " distribute");
1179 if (api->actions[i].u.za.filter
1180 & TRAFFIC_ACTION_SAMPLE)
1181 ptr += sprintf(ptr, " sample");
1182 break;
1183 case ACTION_REDIRECT_IP:
1184 INCREMENT_DISPLAY(ptr, nb_items);
1185 char local_buff[INET_ADDRSTRLEN];
1186
1187 if (inet_ntop(AF_INET,
1188 &api->actions[i].u.zr.redirect_ip_v4,
1189 local_buff, INET_ADDRSTRLEN) != NULL)
1190 ptr += sprintf(ptr,
1191 "@redirect ip nh %s", local_buff);
1192 break;
1193 case ACTION_REDIRECT:
1194 INCREMENT_DISPLAY(ptr, nb_items);
1195 ptr += sprintf(ptr, "@redirect vrf %u",
1196 api->actions[i].u.redirect_vrf);
1197 break;
1198 case ACTION_MARKING:
1199 INCREMENT_DISPLAY(ptr, nb_items);
1200 ptr += sprintf(ptr, "@set dscp %u",
1201 api->actions[i].u.marking_dscp);
1202 break;
1203 default:
1204 break;
1205 }
1206 }
1207 zlog_info("%s", return_string);
1208 }
1209
1210 static void bgp_pbr_flush_entry(struct bgp *bgp, struct bgp_pbr_action *bpa,
1211 struct bgp_pbr_match *bpm,
1212 struct bgp_pbr_match_entry *bpme)
1213 {
1214 /* if bpme is null, bpm is also null
1215 */
1216 if (bpme == NULL)
1217 return;
1218 /* ipset del entry */
1219 if (bpme->installed) {
1220 bgp_send_pbr_ipset_entry_match(bpme, false);
1221 bpme->installed = false;
1222 bpme->backpointer = NULL;
1223 if (bpme->bgp_info) {
1224 struct bgp_info *bgp_info;
1225 struct bgp_info_extra *extra;
1226
1227 /* unlink bgp_info to bpme */
1228 bgp_info = (struct bgp_info *)bpme->bgp_info;
1229 extra = bgp_info_extra_get(bgp_info);
1230 if (extra->bgp_fs_pbr)
1231 listnode_delete(extra->bgp_fs_pbr, bpme);
1232 bpme->bgp_info = NULL;
1233 }
1234 }
1235 hash_release(bpm->entry_hash, bpme);
1236 if (hashcount(bpm->entry_hash) == 0) {
1237 /* delete iptable entry first */
1238 /* then delete ipset match */
1239 if (bpm->installed) {
1240 if (bpm->installed_in_iptable) {
1241 bgp_send_pbr_iptable(bpm->action,
1242 bpm, false);
1243 bpm->installed_in_iptable = false;
1244 bpm->action->refcnt--;
1245 }
1246 bgp_send_pbr_ipset_match(bpm, false);
1247 bpm->installed = false;
1248 bpm->action = NULL;
1249 }
1250 hash_release(bgp->pbr_match_hash, bpm);
1251 /* XXX release pbr_match_action if not used
1252 * note that drop does not need to call send_pbr_action
1253 */
1254 }
1255 if (bpa->refcnt == 0) {
1256 if (bpa->installed && bpa->table_id != 0) {
1257 bgp_send_pbr_rule_action(bpa, false);
1258 bgp_zebra_announce_default(bpa->bgp, &(bpa->nh),
1259 AFI_IP,
1260 bpa->table_id,
1261 false);
1262 bpa->installed = false;
1263 }
1264 }
1265 }
1266
1267 struct bgp_pbr_match_entry_remain {
1268 struct bgp_pbr_match_entry *bpme_to_match;
1269 struct bgp_pbr_match_entry *bpme_found;
1270 };
1271
1272 static int bgp_pbr_get_remaining_entry(struct hash_backet *backet, void *arg)
1273 {
1274 struct bgp_pbr_match *bpm = (struct bgp_pbr_match *)backet->data;
1275 struct bgp_pbr_match_entry_remain *bpmer =
1276 (struct bgp_pbr_match_entry_remain *)arg;
1277 struct bgp_pbr_match *bpm_temp;
1278 struct bgp_pbr_match_entry *bpme = bpmer->bpme_to_match;
1279
1280 if (!bpme->backpointer ||
1281 bpm == bpme->backpointer ||
1282 bpme->backpointer->action == bpm->action)
1283 return HASHWALK_CONTINUE;
1284 /* ensure bpm other characteristics are equal */
1285 bpm_temp = bpme->backpointer;
1286 if (bpm_temp->vrf_id != bpm->vrf_id ||
1287 bpm_temp->type != bpm->type ||
1288 bpm_temp->flags != bpm->flags ||
1289 bpm_temp->tcp_flags != bpm->tcp_flags ||
1290 bpm_temp->tcp_mask_flags != bpm->tcp_mask_flags ||
1291 bpm_temp->pkt_len_min != bpm->pkt_len_min ||
1292 bpm_temp->pkt_len_max != bpm->pkt_len_max ||
1293 bpm_temp->dscp_value != bpm->dscp_value ||
1294 bpm_temp->fragment != bpm->fragment)
1295 return HASHWALK_CONTINUE;
1296
1297 /* look for remaining bpme */
1298 bpmer->bpme_found = hash_lookup(bpm->entry_hash, bpme);
1299 if (!bpmer->bpme_found)
1300 return HASHWALK_CONTINUE;
1301 return HASHWALK_ABORT;
1302 }
1303
1304 static void bgp_pbr_policyroute_remove_from_zebra_unit(struct bgp *bgp,
1305 struct bgp_info *binfo,
1306 struct bgp_pbr_filter *bpf)
1307 {
1308 struct bgp_pbr_match temp;
1309 struct bgp_pbr_match_entry temp2;
1310 struct bgp_pbr_match *bpm;
1311 struct bgp_pbr_match_entry *bpme;
1312 struct bgp_pbr_match_entry_remain bpmer;
1313 struct bgp_pbr_range_port *src_port;
1314 struct bgp_pbr_range_port *dst_port;
1315 struct bgp_pbr_range_port *pkt_len;
1316
1317 if (!bpf)
1318 return;
1319 src_port = bpf->src_port;
1320 dst_port = bpf->dst_port;
1321 pkt_len = bpf->pkt_len;
1322
1323 if (BGP_DEBUG(zebra, ZEBRA))
1324 bgp_pbr_dump_entry(bpf, false);
1325
1326 /* as we don't know information from EC
1327 * look for bpm that have the bpm
1328 * with vrf_id characteristics
1329 */
1330 memset(&temp2, 0, sizeof(temp2));
1331 memset(&temp, 0, sizeof(temp));
1332 if (bpf->src) {
1333 temp.flags |= MATCH_IP_SRC_SET;
1334 prefix_copy(&temp2.src, bpf->src);
1335 } else
1336 temp2.src.family = AF_INET;
1337 if (bpf->dst) {
1338 temp.flags |= MATCH_IP_DST_SET;
1339 prefix_copy(&temp2.dst, bpf->dst);
1340 } else
1341 temp2.dst.family = AF_INET;
1342 if (src_port && (src_port->min_port || bpf->protocol == IPPROTO_ICMP)) {
1343 if (bpf->protocol == IPPROTO_ICMP)
1344 temp.flags |= MATCH_ICMP_SET;
1345 temp.flags |= MATCH_PORT_SRC_SET;
1346 temp2.src_port_min = src_port->min_port;
1347 if (src_port->max_port) {
1348 temp.flags |= MATCH_PORT_SRC_RANGE_SET;
1349 temp2.src_port_max = src_port->max_port;
1350 }
1351 }
1352 if (dst_port && (dst_port->min_port || bpf->protocol == IPPROTO_ICMP)) {
1353 if (bpf->protocol == IPPROTO_ICMP)
1354 temp.flags |= MATCH_ICMP_SET;
1355 temp.flags |= MATCH_PORT_DST_SET;
1356 temp2.dst_port_min = dst_port->min_port;
1357 if (dst_port->max_port) {
1358 temp.flags |= MATCH_PORT_DST_RANGE_SET;
1359 temp2.dst_port_max = dst_port->max_port;
1360 }
1361 }
1362 temp2.proto = bpf->protocol;
1363
1364 if (pkt_len) {
1365 temp.pkt_len_min = pkt_len->min_port;
1366 if (pkt_len->max_port)
1367 temp.pkt_len_max = pkt_len->max_port;
1368 } else if (bpf->pkt_len_val) {
1369 if (bpf->pkt_len_val->mask)
1370 temp.flags |= MATCH_PKT_LEN_INVERSE_SET;
1371 temp.pkt_len_min = bpf->pkt_len_val->val;
1372 }
1373 if (bpf->tcp_flags) {
1374 temp.tcp_flags = bpf->tcp_flags->val;
1375 temp.tcp_mask_flags = bpf->tcp_flags->mask;
1376 }
1377 if (bpf->dscp) {
1378 if (bpf->dscp->mask)
1379 temp.flags |= MATCH_DSCP_INVERSE_SET;
1380 else
1381 temp.flags |= MATCH_DSCP_SET;
1382 temp.dscp_value = bpf->dscp->val;
1383 }
1384 if (bpf->fragment) {
1385 if (bpf->fragment->mask)
1386 temp.flags |= MATCH_FRAGMENT_INVERSE_SET;
1387 temp.fragment = bpf->fragment->val;
1388 }
1389
1390 if (bpf->src == NULL || bpf->dst == NULL) {
1391 if (temp.flags & (MATCH_PORT_DST_SET | MATCH_PORT_SRC_SET))
1392 temp.type = IPSET_NET_PORT;
1393 else
1394 temp.type = IPSET_NET;
1395 } else {
1396 if (temp.flags & (MATCH_PORT_DST_SET | MATCH_PORT_SRC_SET))
1397 temp.type = IPSET_NET_PORT_NET;
1398 else
1399 temp.type = IPSET_NET_NET;
1400 }
1401 if (bpf->vrf_id == VRF_UNKNOWN) /* XXX case BGP destroy */
1402 temp.vrf_id = 0;
1403 else
1404 temp.vrf_id = bpf->vrf_id;
1405 bpme = &temp2;
1406 bpm = &temp;
1407 bpme->backpointer = bpm;
1408 /* right now, a previous entry may already exist
1409 * flush previous entry if necessary
1410 */
1411 bpmer.bpme_to_match = bpme;
1412 bpmer.bpme_found = NULL;
1413 hash_walk(bgp->pbr_match_hash, bgp_pbr_get_remaining_entry, &bpmer);
1414 if (bpmer.bpme_found) {
1415 static struct bgp_pbr_match *local_bpm;
1416 static struct bgp_pbr_action *local_bpa;
1417
1418 local_bpm = bpmer.bpme_found->backpointer;
1419 local_bpa = local_bpm->action;
1420 bgp_pbr_flush_entry(bgp, local_bpa,
1421 local_bpm, bpmer.bpme_found);
1422 }
1423 }
1424
1425 static uint8_t bgp_pbr_next_type_entry(uint8_t type_entry)
1426 {
1427 if (type_entry == FLOWSPEC_TCP_FLAGS)
1428 return FLOWSPEC_DSCP;
1429 if (type_entry == FLOWSPEC_DSCP)
1430 return FLOWSPEC_PKT_LEN;
1431 if (type_entry == FLOWSPEC_PKT_LEN)
1432 return FLOWSPEC_FRAGMENT;
1433 if (type_entry == FLOWSPEC_FRAGMENT)
1434 return FLOWSPEC_ICMP_TYPE;
1435 return 0;
1436 }
1437
1438 static void bgp_pbr_icmp_action(struct bgp *bgp,
1439 struct bgp_info *binfo,
1440 struct bgp_pbr_filter *bpf,
1441 struct bgp_pbr_or_filter *bpof,
1442 bool add,
1443 struct nexthop *nh,
1444 float *rate)
1445 {
1446 struct bgp_pbr_range_port srcp, dstp;
1447 struct bgp_pbr_val_mask *icmp_type, *icmp_code;
1448 struct listnode *tnode, *cnode;
1449
1450 if (!bpf)
1451 return;
1452 if (bpf->protocol != IPPROTO_ICMP)
1453 return;
1454 bpf->src_port = &srcp;
1455 bpf->dst_port = &dstp;
1456 /* parse icmp type and lookup appropriate icmp code
1457 * if no icmp code found, create as many entryes as
1458 * there are listed icmp codes for that icmp type
1459 */
1460 if (!bpof->icmp_type) {
1461 srcp.min_port = 0;
1462 srcp.max_port = 255;
1463 for (ALL_LIST_ELEMENTS_RO(bpof->icmp_code, cnode, icmp_code)) {
1464 dstp.min_port = icmp_code->val;
1465 if (add)
1466 bgp_pbr_policyroute_add_to_zebra_unit(bgp, binfo,
1467 bpf, nh, rate);
1468 else
1469 bgp_pbr_policyroute_remove_from_zebra_unit(
1470 bgp, binfo, bpf);
1471 }
1472 return;
1473 }
1474 for (ALL_LIST_ELEMENTS_RO(bpof->icmp_type, tnode, icmp_type)) {
1475 srcp.min_port = icmp_type->val;
1476 srcp.max_port = 0;
1477 dstp.max_port = 0;
1478 /* only icmp type. create an entry only with icmp type */
1479 if (!bpof->icmp_code) {
1480 /* icmp type is not one of the above
1481 * forge an entry only based on the icmp type
1482 */
1483 dstp.min_port = 0;
1484 dstp.max_port = 255;
1485 if (add)
1486 bgp_pbr_policyroute_add_to_zebra_unit(
1487 bgp, binfo,
1488 bpf, nh, rate);
1489 else
1490 bgp_pbr_policyroute_remove_from_zebra_unit(bgp,
1491 binfo, bpf);
1492 continue;
1493 }
1494 for (ALL_LIST_ELEMENTS_RO(bpof->icmp_code, cnode, icmp_code)) {
1495 dstp.min_port = icmp_code->val;
1496 if (add)
1497 bgp_pbr_policyroute_add_to_zebra_unit(
1498 bgp, binfo,
1499 bpf, nh, rate);
1500 else
1501 bgp_pbr_policyroute_remove_from_zebra_unit(
1502 bgp, binfo, bpf);
1503 }
1504 }
1505 }
1506
1507 static void bgp_pbr_policyroute_remove_from_zebra_recursive(struct bgp *bgp,
1508 struct bgp_info *binfo,
1509 struct bgp_pbr_filter *bpf,
1510 struct bgp_pbr_or_filter *bpof,
1511 uint8_t type_entry)
1512 {
1513 struct listnode *node, *nnode;
1514 struct bgp_pbr_val_mask *valmask;
1515 uint8_t next_type_entry;
1516 struct list *orig_list;
1517 struct bgp_pbr_val_mask **target_val;
1518
1519 if (type_entry == 0)
1520 return bgp_pbr_policyroute_remove_from_zebra_unit(bgp,
1521 binfo, bpf);
1522 next_type_entry = bgp_pbr_next_type_entry(type_entry);
1523 if (type_entry == FLOWSPEC_TCP_FLAGS && bpof->tcpflags) {
1524 orig_list = bpof->tcpflags;
1525 target_val = &bpf->tcp_flags;
1526 } else if (type_entry == FLOWSPEC_DSCP && bpof->dscp) {
1527 orig_list = bpof->dscp;
1528 target_val = &bpf->dscp;
1529 } else if (type_entry == FLOWSPEC_PKT_LEN && bpof->pkt_len) {
1530 orig_list = bpof->pkt_len;
1531 target_val = &bpf->pkt_len_val;
1532 } else if (type_entry == FLOWSPEC_FRAGMENT && bpof->fragment) {
1533 orig_list = bpof->fragment;
1534 target_val = &bpf->fragment;
1535 } else if (type_entry == FLOWSPEC_ICMP_TYPE &&
1536 (bpof->icmp_type || bpof->icmp_code)) {
1537 /* enumerate list for icmp - must be last one */
1538 bgp_pbr_icmp_action(bgp, binfo, bpf, bpof, false, NULL, NULL);
1539 return;
1540 } else {
1541 return bgp_pbr_policyroute_remove_from_zebra_recursive(bgp,
1542 binfo,
1543 bpf, bpof,
1544 next_type_entry);
1545 }
1546 for (ALL_LIST_ELEMENTS(orig_list, node, nnode, valmask)) {
1547 *target_val = valmask;
1548 bgp_pbr_policyroute_remove_from_zebra_recursive(bgp, binfo,
1549 bpf, bpof,
1550 next_type_entry);
1551 }
1552 }
1553
1554 static void bgp_pbr_policyroute_remove_from_zebra(struct bgp *bgp,
1555 struct bgp_info *binfo,
1556 struct bgp_pbr_filter *bpf,
1557 struct bgp_pbr_or_filter *bpof)
1558 {
1559 if (!bpof)
1560 return bgp_pbr_policyroute_remove_from_zebra_unit(bgp,
1561 binfo,
1562 bpf);
1563 if (bpof->tcpflags)
1564 bgp_pbr_policyroute_remove_from_zebra_recursive(bgp, binfo,
1565 bpf, bpof,
1566 FLOWSPEC_TCP_FLAGS);
1567 else if (bpof->dscp)
1568 bgp_pbr_policyroute_remove_from_zebra_recursive(bgp, binfo,
1569 bpf, bpof,
1570 FLOWSPEC_DSCP);
1571 else if (bpof->pkt_len)
1572 bgp_pbr_policyroute_remove_from_zebra_recursive(bgp, binfo,
1573 bpf, bpof,
1574 FLOWSPEC_PKT_LEN);
1575 else if (bpof->fragment)
1576 bgp_pbr_policyroute_remove_from_zebra_recursive(bgp, binfo,
1577 bpf, bpof,
1578 FLOWSPEC_FRAGMENT);
1579 else if (bpof->icmp_type || bpof->icmp_code)
1580 bgp_pbr_policyroute_remove_from_zebra_recursive(bgp, binfo,
1581 bpf, bpof,
1582 FLOWSPEC_ICMP_TYPE);
1583 else
1584 bgp_pbr_policyroute_remove_from_zebra_unit(bgp, binfo, bpf);
1585 /* flush bpof */
1586 if (bpof->tcpflags)
1587 list_delete_all_node(bpof->tcpflags);
1588 if (bpof->dscp)
1589 list_delete_all_node(bpof->dscp);
1590 if (bpof->pkt_len)
1591 list_delete_all_node(bpof->pkt_len);
1592 if (bpof->fragment)
1593 list_delete_all_node(bpof->fragment);
1594 }
1595
1596 static void bgp_pbr_dump_entry(struct bgp_pbr_filter *bpf, bool add)
1597 {
1598 struct bgp_pbr_range_port *src_port;
1599 struct bgp_pbr_range_port *dst_port;
1600 struct bgp_pbr_range_port *pkt_len;
1601 char bufsrc[64], bufdst[64];
1602 char buffer[64];
1603 int remaining_len = 0;
1604 char protocol_str[16];
1605
1606 if (!bpf)
1607 return;
1608 src_port = bpf->src_port;
1609 dst_port = bpf->dst_port;
1610 pkt_len = bpf->pkt_len;
1611
1612 protocol_str[0] = '\0';
1613 if (bpf->tcp_flags && bpf->tcp_flags->mask)
1614 bpf->protocol = IPPROTO_TCP;
1615 if (bpf->protocol)
1616 snprintf(protocol_str, sizeof(protocol_str),
1617 "proto %d", bpf->protocol);
1618 buffer[0] = '\0';
1619 if (bpf->protocol == IPPROTO_ICMP && src_port && dst_port)
1620 remaining_len += snprintf(buffer, sizeof(buffer),
1621 "type %d, code %d",
1622 src_port->min_port,
1623 dst_port->min_port);
1624 else if (bpf->protocol == IPPROTO_UDP ||
1625 bpf->protocol == IPPROTO_TCP) {
1626
1627 if (src_port && src_port->min_port)
1628 remaining_len += snprintf(buffer,
1629 sizeof(buffer),
1630 "from [%u:%u]",
1631 src_port->min_port,
1632 src_port->max_port ?
1633 src_port->max_port :
1634 src_port->min_port);
1635 if (dst_port && dst_port->min_port)
1636 remaining_len += snprintf(buffer +
1637 remaining_len,
1638 sizeof(buffer)
1639 - remaining_len,
1640 "to [%u:%u]",
1641 dst_port->min_port,
1642 dst_port->max_port ?
1643 dst_port->max_port :
1644 dst_port->min_port);
1645 }
1646 if (pkt_len && (pkt_len->min_port || pkt_len->max_port)) {
1647 remaining_len += snprintf(buffer + remaining_len,
1648 sizeof(buffer)
1649 - remaining_len,
1650 " len [%u:%u]",
1651 pkt_len->min_port,
1652 pkt_len->max_port ?
1653 pkt_len->max_port :
1654 pkt_len->min_port);
1655 } else if (bpf->pkt_len_val) {
1656 remaining_len += snprintf(buffer + remaining_len,
1657 sizeof(buffer)
1658 - remaining_len,
1659 " %s len %u",
1660 bpf->pkt_len_val->mask
1661 ? "!" : "",
1662 bpf->pkt_len_val->val);
1663 }
1664 if (bpf->tcp_flags) {
1665 remaining_len += snprintf(buffer + remaining_len,
1666 sizeof(buffer)
1667 - remaining_len,
1668 "tcpflags %x/%x",
1669 bpf->tcp_flags->val,
1670 bpf->tcp_flags->mask);
1671 }
1672 if (bpf->dscp) {
1673 snprintf(buffer + remaining_len,
1674 sizeof(buffer)
1675 - remaining_len,
1676 "%s dscp %d",
1677 bpf->dscp->mask
1678 ? "!" : "",
1679 bpf->dscp->val);
1680 }
1681 zlog_info("BGP: %s FS PBR from %s to %s, %s %s",
1682 add ? "adding" : "removing",
1683 bpf->src == NULL ? "<all>" :
1684 prefix2str(bpf->src, bufsrc, sizeof(bufsrc)),
1685 bpf->dst == NULL ? "<all>" :
1686 prefix2str(bpf->dst, bufdst, sizeof(bufdst)),
1687 protocol_str, buffer);
1688
1689 }
1690
1691 static void bgp_pbr_policyroute_add_to_zebra_unit(struct bgp *bgp,
1692 struct bgp_info *binfo,
1693 struct bgp_pbr_filter *bpf,
1694 struct nexthop *nh,
1695 float *rate)
1696 {
1697 struct bgp_pbr_match temp;
1698 struct bgp_pbr_match_entry temp2;
1699 struct bgp_pbr_match *bpm;
1700 struct bgp_pbr_match_entry *bpme = NULL;
1701 struct bgp_pbr_action temp3;
1702 struct bgp_pbr_action *bpa = NULL;
1703 struct bgp_pbr_match_entry_remain bpmer;
1704 struct bgp_pbr_range_port *src_port;
1705 struct bgp_pbr_range_port *dst_port;
1706 struct bgp_pbr_range_port *pkt_len;
1707 bool bpme_found = false;
1708
1709 if (!bpf)
1710 return;
1711 src_port = bpf->src_port;
1712 dst_port = bpf->dst_port;
1713 pkt_len = bpf->pkt_len;
1714
1715 if (BGP_DEBUG(zebra, ZEBRA))
1716 bgp_pbr_dump_entry(bpf, true);
1717
1718 /* look for bpa first */
1719 memset(&temp3, 0, sizeof(temp3));
1720 if (rate)
1721 temp3.rate = *rate;
1722 if (nh)
1723 memcpy(&temp3.nh, nh, sizeof(struct nexthop));
1724 temp3.vrf_id = bpf->vrf_id;
1725 bpa = hash_get(bgp->pbr_action_hash, &temp3,
1726 bgp_pbr_action_alloc_intern);
1727
1728 if (bpa->fwmark == 0) {
1729 /* drop is handled by iptable */
1730 if (nh && nh->type == NEXTHOP_TYPE_BLACKHOLE) {
1731 bpa->table_id = 0;
1732 bpa->installed = true;
1733 } else {
1734 bpa->fwmark = bgp_zebra_tm_get_id();
1735 bpa->table_id = bpa->fwmark;
1736 bpa->installed = false;
1737 }
1738 bpa->bgp = bgp;
1739 bpa->unique = ++bgp_pbr_action_counter_unique;
1740 /* 0 value is forbidden */
1741 bpa->install_in_progress = false;
1742 }
1743
1744 /* then look for bpm */
1745 memset(&temp, 0, sizeof(temp));
1746 temp.vrf_id = bpf->vrf_id;
1747 if (bpf->src)
1748 temp.flags |= MATCH_IP_SRC_SET;
1749 if (bpf->dst)
1750 temp.flags |= MATCH_IP_DST_SET;
1751
1752 if (src_port && (src_port->min_port || bpf->protocol == IPPROTO_ICMP)) {
1753 if (bpf->protocol == IPPROTO_ICMP)
1754 temp.flags |= MATCH_ICMP_SET;
1755 temp.flags |= MATCH_PORT_SRC_SET;
1756 }
1757 if (dst_port && (dst_port->min_port || bpf->protocol == IPPROTO_ICMP)) {
1758 if (bpf->protocol == IPPROTO_ICMP)
1759 temp.flags |= MATCH_ICMP_SET;
1760 temp.flags |= MATCH_PORT_DST_SET;
1761 }
1762 if (src_port && src_port->max_port)
1763 temp.flags |= MATCH_PORT_SRC_RANGE_SET;
1764 if (dst_port && dst_port->max_port)
1765 temp.flags |= MATCH_PORT_DST_RANGE_SET;
1766
1767 if (bpf->src == NULL || bpf->dst == NULL) {
1768 if (temp.flags & (MATCH_PORT_DST_SET | MATCH_PORT_SRC_SET))
1769 temp.type = IPSET_NET_PORT;
1770 else
1771 temp.type = IPSET_NET;
1772 } else {
1773 if (temp.flags & (MATCH_PORT_DST_SET | MATCH_PORT_SRC_SET))
1774 temp.type = IPSET_NET_PORT_NET;
1775 else
1776 temp.type = IPSET_NET_NET;
1777 }
1778 if (pkt_len) {
1779 temp.pkt_len_min = pkt_len->min_port;
1780 if (pkt_len->max_port)
1781 temp.pkt_len_max = pkt_len->max_port;
1782 } else if (bpf->pkt_len_val) {
1783 if (bpf->pkt_len_val->mask)
1784 temp.flags |= MATCH_PKT_LEN_INVERSE_SET;
1785 temp.pkt_len_min = bpf->pkt_len_val->val;
1786 }
1787 if (bpf->tcp_flags) {
1788 temp.tcp_flags = bpf->tcp_flags->val;
1789 temp.tcp_mask_flags = bpf->tcp_flags->mask;
1790 }
1791 if (bpf->dscp) {
1792 if (bpf->dscp->mask)
1793 temp.flags |= MATCH_DSCP_INVERSE_SET;
1794 else
1795 temp.flags |= MATCH_DSCP_SET;
1796 temp.dscp_value = bpf->dscp->val;
1797 }
1798 if (bpf->fragment) {
1799 if (bpf->fragment->mask)
1800 temp.flags |= MATCH_FRAGMENT_INVERSE_SET;
1801 temp.fragment = bpf->fragment->val;
1802 }
1803 temp.action = bpa;
1804 bpm = hash_get(bgp->pbr_match_hash, &temp,
1805 bgp_pbr_match_alloc_intern);
1806
1807 /* new, then self allocate ipset_name and unique */
1808 if (bpm && bpm->unique == 0) {
1809 bpm->unique = ++bgp_pbr_match_counter_unique;
1810 /* 0 value is forbidden */
1811 sprintf(bpm->ipset_name, "match%p", bpm);
1812 bpm->entry_hash = hash_create_size(8,
1813 bgp_pbr_match_entry_hash_key,
1814 bgp_pbr_match_entry_hash_equal,
1815 "Match Entry Hash");
1816 bpm->installed = false;
1817
1818 /* unique2 should be updated too */
1819 bpm->unique2 = ++bgp_pbr_match_iptable_counter_unique;
1820 bpm->installed_in_iptable = false;
1821 bpm->install_in_progress = false;
1822 bpm->install_iptable_in_progress = false;
1823 }
1824
1825 memset(&temp2, 0, sizeof(temp2));
1826 if (bpf->src)
1827 prefix_copy(&temp2.src, bpf->src);
1828 else
1829 temp2.src.family = AF_INET;
1830 if (bpf->dst)
1831 prefix_copy(&temp2.dst, bpf->dst);
1832 else
1833 temp2.dst.family = AF_INET;
1834 temp2.src_port_min = src_port ? src_port->min_port : 0;
1835 temp2.dst_port_min = dst_port ? dst_port->min_port : 0;
1836 temp2.src_port_max = src_port ? src_port->max_port : 0;
1837 temp2.dst_port_max = dst_port ? dst_port->max_port : 0;
1838 temp2.proto = bpf->protocol;
1839 if (bpm)
1840 bpme = hash_get(bpm->entry_hash, &temp2,
1841 bgp_pbr_match_entry_alloc_intern);
1842 if (bpme && bpme->unique == 0) {
1843 bpme->unique = ++bgp_pbr_match_entry_counter_unique;
1844 /* 0 value is forbidden */
1845 bpme->backpointer = bpm;
1846 bpme->installed = false;
1847 bpme->install_in_progress = false;
1848 /* link bgp info to bpme */
1849 bpme->bgp_info = (void *)binfo;
1850 } else
1851 bpme_found = true;
1852
1853 /* already installed */
1854 if (bpme_found && bpme) {
1855 struct bgp_info_extra *extra = bgp_info_extra_get(binfo);
1856
1857 if (extra && extra->bgp_fs_pbr &&
1858 listnode_lookup(extra->bgp_fs_pbr, bpme)) {
1859 if (BGP_DEBUG(pbr, PBR_ERROR))
1860 zlog_err("%s: entry %p/%p already installed in bgp pbr",
1861 __func__, binfo, bpme);
1862 return;
1863 }
1864 }
1865 /* BGP FS: append entry to zebra
1866 * - policies are not routing entries and as such
1867 * route replace semantics don't necessarily follow
1868 * through to policy entries
1869 * - because of that, not all policing information will be stored
1870 * into zebra. and non selected policies will be suppressed from zebra
1871 * - as consequence, in order to bring consistency
1872 * a policy will be added, then ifan ecmp policy exists,
1873 * it will be suppressed subsequently
1874 */
1875 /* ip rule add */
1876 if (!bpa->installed && !bpa->install_in_progress) {
1877 bgp_send_pbr_rule_action(bpa, true);
1878 bgp_zebra_announce_default(bgp, nh,
1879 AFI_IP, bpa->table_id, true);
1880 }
1881
1882 /* ipset create */
1883 if (bpm && !bpm->installed)
1884 bgp_send_pbr_ipset_match(bpm, true);
1885 /* ipset add */
1886 if (bpme && !bpme->installed)
1887 bgp_send_pbr_ipset_entry_match(bpme, true);
1888
1889 /* iptables */
1890 if (bpm && !bpm->installed_in_iptable)
1891 bgp_send_pbr_iptable(bpa, bpm, true);
1892
1893 /* A previous entry may already exist
1894 * flush previous entry if necessary
1895 */
1896 bpmer.bpme_to_match = bpme;
1897 bpmer.bpme_found = NULL;
1898 hash_walk(bgp->pbr_match_hash, bgp_pbr_get_remaining_entry, &bpmer);
1899 if (bpmer.bpme_found) {
1900 static struct bgp_pbr_match *local_bpm;
1901 static struct bgp_pbr_action *local_bpa;
1902
1903 local_bpm = bpmer.bpme_found->backpointer;
1904 local_bpa = local_bpm->action;
1905 bgp_pbr_flush_entry(bgp, local_bpa,
1906 local_bpm, bpmer.bpme_found);
1907 }
1908
1909
1910 }
1911
1912 static void bgp_pbr_policyroute_add_to_zebra_recursive(struct bgp *bgp,
1913 struct bgp_info *binfo,
1914 struct bgp_pbr_filter *bpf,
1915 struct bgp_pbr_or_filter *bpof,
1916 struct nexthop *nh,
1917 float *rate,
1918 uint8_t type_entry)
1919 {
1920 struct listnode *node, *nnode;
1921 struct bgp_pbr_val_mask *valmask;
1922 uint8_t next_type_entry;
1923 struct list *orig_list;
1924 struct bgp_pbr_val_mask **target_val;
1925
1926 if (type_entry == 0)
1927 return bgp_pbr_policyroute_add_to_zebra_unit(bgp, binfo, bpf,
1928 nh, rate);
1929 next_type_entry = bgp_pbr_next_type_entry(type_entry);
1930 if (type_entry == FLOWSPEC_TCP_FLAGS && bpof->tcpflags) {
1931 orig_list = bpof->tcpflags;
1932 target_val = &bpf->tcp_flags;
1933 } else if (type_entry == FLOWSPEC_DSCP && bpof->dscp) {
1934 orig_list = bpof->dscp;
1935 target_val = &bpf->dscp;
1936 } else if (type_entry == FLOWSPEC_PKT_LEN && bpof->pkt_len) {
1937 orig_list = bpof->pkt_len;
1938 target_val = &bpf->pkt_len_val;
1939 } else if (type_entry == FLOWSPEC_FRAGMENT && bpof->fragment) {
1940 orig_list = bpof->fragment;
1941 target_val = &bpf->fragment;
1942 } else if (type_entry == FLOWSPEC_ICMP_TYPE &&
1943 (bpof->icmp_type || bpof->icmp_code)) {
1944 /* enumerate list for icmp - must be last one */
1945 bgp_pbr_icmp_action(bgp, binfo, bpf, bpof, true, nh, rate);
1946 return;
1947 } else {
1948 return bgp_pbr_policyroute_add_to_zebra_recursive(bgp, binfo,
1949 bpf, bpof, nh, rate,
1950 next_type_entry);
1951 }
1952 for (ALL_LIST_ELEMENTS(orig_list, node, nnode, valmask)) {
1953 *target_val = valmask;
1954 bgp_pbr_policyroute_add_to_zebra_recursive(bgp, binfo,
1955 bpf, bpof,
1956 nh, rate,
1957 next_type_entry);
1958 }
1959 }
1960
1961 static void bgp_pbr_policyroute_add_to_zebra(struct bgp *bgp,
1962 struct bgp_info *binfo,
1963 struct bgp_pbr_filter *bpf,
1964 struct bgp_pbr_or_filter *bpof,
1965 struct nexthop *nh,
1966 float *rate)
1967 {
1968 if (!bpof)
1969 return bgp_pbr_policyroute_add_to_zebra_unit(bgp, binfo,
1970 bpf, nh, rate);
1971 if (bpof->tcpflags)
1972 bgp_pbr_policyroute_add_to_zebra_recursive(bgp, binfo,
1973 bpf, bpof,
1974 nh, rate,
1975 FLOWSPEC_TCP_FLAGS);
1976 else if (bpof->dscp)
1977 bgp_pbr_policyroute_add_to_zebra_recursive(bgp, binfo,
1978 bpf, bpof,
1979 nh, rate,
1980 FLOWSPEC_DSCP);
1981 else if (bpof->pkt_len)
1982 bgp_pbr_policyroute_add_to_zebra_recursive(bgp, binfo,
1983 bpf, bpof,
1984 nh, rate,
1985 FLOWSPEC_PKT_LEN);
1986 else if (bpof->fragment)
1987 bgp_pbr_policyroute_add_to_zebra_recursive(bgp, binfo,
1988 bpf, bpof,
1989 nh, rate,
1990 FLOWSPEC_FRAGMENT);
1991 else if (bpof->icmp_type || bpof->icmp_code)
1992 bgp_pbr_policyroute_add_to_zebra_recursive(bgp, binfo,
1993 bpf, bpof, nh, rate,
1994 FLOWSPEC_ICMP_TYPE);
1995 else
1996 bgp_pbr_policyroute_add_to_zebra_unit(bgp, binfo, bpf,
1997 nh, rate);
1998 /* flush bpof */
1999 if (bpof->tcpflags)
2000 list_delete_all_node(bpof->tcpflags);
2001 if (bpof->dscp)
2002 list_delete_all_node(bpof->dscp);
2003 if (bpof->pkt_len)
2004 list_delete_all_node(bpof->pkt_len);
2005 if (bpof->fragment)
2006 list_delete_all_node(bpof->fragment);
2007 if (bpof->icmp_type)
2008 list_delete_all_node(bpof->icmp_type);
2009 if (bpof->icmp_code)
2010 list_delete_all_node(bpof->icmp_code);
2011 }
2012
2013 static void bgp_pbr_handle_entry(struct bgp *bgp,
2014 struct bgp_info *binfo,
2015 struct bgp_pbr_entry_main *api,
2016 bool add)
2017 {
2018 struct nexthop nh;
2019 int i = 0;
2020 int continue_loop = 1;
2021 float rate = 0;
2022 struct prefix *src = NULL, *dst = NULL;
2023 uint8_t proto = 0;
2024 struct bgp_pbr_range_port *srcp = NULL, *dstp = NULL;
2025 struct bgp_pbr_range_port range, range_icmp_code;
2026 struct bgp_pbr_range_port pkt_len;
2027 struct bgp_pbr_filter bpf;
2028 uint8_t kind_enum;
2029 struct bgp_pbr_or_filter bpof;
2030 struct bgp_pbr_val_mask bpvm;
2031
2032 memset(&nh, 0, sizeof(struct nexthop));
2033 memset(&bpf, 0, sizeof(struct bgp_pbr_filter));
2034 memset(&bpof, 0, sizeof(struct bgp_pbr_or_filter));
2035 if (api->match_bitmask & PREFIX_SRC_PRESENT)
2036 src = &api->src_prefix;
2037 if (api->match_bitmask & PREFIX_DST_PRESENT)
2038 dst = &api->dst_prefix;
2039 memset(&nh, 0, sizeof(struct nexthop));
2040 nh.vrf_id = VRF_UNKNOWN;
2041 if (api->match_protocol_num)
2042 proto = (uint8_t)api->protocol[0].value;
2043 /* if match_port is selected, then either src or dst port will be parsed
2044 * but not both at the same time
2045 */
2046 if (api->match_port_num >= 1) {
2047 bgp_pbr_extract(api->port,
2048 api->match_port_num,
2049 &range);
2050 srcp = dstp = &range;
2051 } else if (api->match_src_port_num >= 1) {
2052 bgp_pbr_extract(api->src_port,
2053 api->match_src_port_num,
2054 &range);
2055 srcp = &range;
2056 dstp = NULL;
2057 } else if (api->match_dst_port_num >= 1) {
2058 bgp_pbr_extract(api->dst_port,
2059 api->match_dst_port_num,
2060 &range);
2061 dstp = &range;
2062 srcp = NULL;
2063 }
2064 if (api->match_icmp_type_num >= 1) {
2065 proto = IPPROTO_ICMP;
2066 if (bgp_pbr_extract(api->icmp_type,
2067 api->match_icmp_type_num,
2068 &range))
2069 srcp = &range;
2070 else {
2071 bpof.icmp_type = list_new();
2072 bgp_pbr_extract_enumerate(api->icmp_type,
2073 api->match_icmp_type_num,
2074 OPERATOR_UNARY_OR,
2075 bpof.icmp_type,
2076 FLOWSPEC_ICMP_TYPE);
2077 }
2078 }
2079 if (api->match_icmp_code_num >= 1) {
2080 proto = IPPROTO_ICMP;
2081 if (bgp_pbr_extract(api->icmp_code,
2082 api->match_icmp_code_num,
2083 &range_icmp_code))
2084 dstp = &range_icmp_code;
2085 else {
2086 bpof.icmp_code = list_new();
2087 bgp_pbr_extract_enumerate(api->icmp_code,
2088 api->match_icmp_code_num,
2089 OPERATOR_UNARY_OR,
2090 bpof.icmp_code,
2091 FLOWSPEC_ICMP_CODE);
2092 }
2093 }
2094
2095 if (api->match_tcpflags_num) {
2096 kind_enum = bgp_pbr_match_val_get_operator(api->tcpflags,
2097 api->match_tcpflags_num);
2098 if (kind_enum == OPERATOR_UNARY_AND) {
2099 bpf.tcp_flags = &bpvm;
2100 bgp_pbr_extract_enumerate(api->tcpflags,
2101 api->match_tcpflags_num,
2102 OPERATOR_UNARY_AND,
2103 bpf.tcp_flags,
2104 FLOWSPEC_TCP_FLAGS);
2105 } else if (kind_enum == OPERATOR_UNARY_OR) {
2106 bpof.tcpflags = list_new();
2107 bgp_pbr_extract_enumerate(api->tcpflags,
2108 api->match_tcpflags_num,
2109 OPERATOR_UNARY_OR,
2110 bpof.tcpflags,
2111 FLOWSPEC_TCP_FLAGS);
2112 }
2113 }
2114 if (api->match_packet_length_num) {
2115 bool ret;
2116
2117 ret = bgp_pbr_extract(api->packet_length,
2118 api->match_packet_length_num,
2119 &pkt_len);
2120 if (ret)
2121 bpf.pkt_len = &pkt_len;
2122 else {
2123 bpof.pkt_len = list_new();
2124 bgp_pbr_extract_enumerate(api->packet_length,
2125 api->match_packet_length_num,
2126 OPERATOR_UNARY_OR,
2127 bpof.pkt_len,
2128 FLOWSPEC_PKT_LEN);
2129 }
2130 }
2131 if (api->match_dscp_num >= 1) {
2132 bpof.dscp = list_new();
2133 bgp_pbr_extract_enumerate(api->dscp, api->match_dscp_num,
2134 OPERATOR_UNARY_OR,
2135 bpof.dscp, FLOWSPEC_DSCP);
2136 }
2137 if (api->match_fragment_num) {
2138 bpof.fragment = list_new();
2139 bgp_pbr_extract_enumerate(api->fragment,
2140 api->match_fragment_num,
2141 OPERATOR_UNARY_OR,
2142 bpof.fragment,
2143 FLOWSPEC_FRAGMENT);
2144 }
2145 bpf.vrf_id = api->vrf_id;
2146 bpf.src = src;
2147 bpf.dst = dst;
2148 bpf.protocol = proto;
2149 bpf.src_port = srcp;
2150 bpf.dst_port = dstp;
2151 if (!add)
2152 return bgp_pbr_policyroute_remove_from_zebra(bgp,
2153 binfo,
2154 &bpf, &bpof);
2155 /* no action for add = true */
2156 for (i = 0; i < api->action_num; i++) {
2157 switch (api->actions[i].action) {
2158 case ACTION_TRAFFICRATE:
2159 /* drop packet */
2160 if (api->actions[i].u.r.rate == 0) {
2161 nh.vrf_id = api->vrf_id;
2162 nh.type = NEXTHOP_TYPE_BLACKHOLE;
2163 bgp_pbr_policyroute_add_to_zebra(bgp, binfo,
2164 &bpf, &bpof,
2165 &nh, &rate);
2166 } else {
2167 /* update rate. can be reentrant */
2168 rate = api->actions[i].u.r.rate;
2169 if (BGP_DEBUG(pbr, PBR)) {
2170 bgp_pbr_print_policy_route(api);
2171 zlog_warn("PBR: ignoring Set action rate %f",
2172 api->actions[i].u.r.rate);
2173 }
2174 }
2175 break;
2176 case ACTION_TRAFFIC_ACTION:
2177 if (api->actions[i].u.za.filter
2178 & TRAFFIC_ACTION_SAMPLE) {
2179 if (BGP_DEBUG(pbr, PBR)) {
2180 bgp_pbr_print_policy_route(api);
2181 zlog_warn("PBR: Sample action Ignored");
2182 }
2183 }
2184 #if 0
2185 if (api->actions[i].u.za.filter
2186 & TRAFFIC_ACTION_DISTRIBUTE) {
2187 if (BGP_DEBUG(pbr, PBR)) {
2188 bgp_pbr_print_policy_route(api);
2189 zlog_warn("PBR: Distribute action Applies");
2190 }
2191 continue_loop = 0;
2192 /* continue forwarding entry as before
2193 * no action
2194 */
2195 }
2196 #endif /* XXX to confirm behaviour of traffic action. for now , ignore */
2197 /* terminate action: run other filters
2198 */
2199 break;
2200 case ACTION_REDIRECT_IP:
2201 nh.type = NEXTHOP_TYPE_IPV4;
2202 nh.gate.ipv4.s_addr =
2203 api->actions[i].u.zr.redirect_ip_v4.s_addr;
2204 nh.vrf_id = api->vrf_id;
2205 bgp_pbr_policyroute_add_to_zebra(bgp, binfo,
2206 &bpf, &bpof,
2207 &nh, &rate);
2208 /* XXX combination with REDIRECT_VRF
2209 * + REDIRECT_NH_IP not done
2210 */
2211 continue_loop = 0;
2212 break;
2213 case ACTION_REDIRECT:
2214 nh.vrf_id = api->actions[i].u.redirect_vrf;
2215 nh.type = NEXTHOP_TYPE_IPV4;
2216 bgp_pbr_policyroute_add_to_zebra(bgp, binfo,
2217 &bpf, &bpof,
2218 &nh, &rate);
2219 continue_loop = 0;
2220 break;
2221 case ACTION_MARKING:
2222 if (BGP_DEBUG(pbr, PBR)) {
2223 bgp_pbr_print_policy_route(api);
2224 zlog_warn("PBR: Set DSCP %u Ignored",
2225 api->actions[i].u.marking_dscp);
2226 }
2227 break;
2228 default:
2229 break;
2230 }
2231 if (continue_loop == 0)
2232 break;
2233 }
2234 }
2235
2236 void bgp_pbr_update_entry(struct bgp *bgp, struct prefix *p,
2237 struct bgp_info *info, afi_t afi, safi_t safi,
2238 bool nlri_update)
2239 {
2240 struct bgp_pbr_entry_main api;
2241
2242 if (afi == AFI_IP6)
2243 return; /* IPv6 not supported */
2244 if (safi != SAFI_FLOWSPEC)
2245 return; /* not supported */
2246 /* Make Zebra API structure. */
2247 memset(&api, 0, sizeof(api));
2248 api.vrf_id = bgp->vrf_id;
2249 api.afi = afi;
2250
2251 if (!bgp_zebra_tm_chunk_obtained()) {
2252 if (BGP_DEBUG(pbr, PBR_ERROR))
2253 zlog_err("%s: table chunk not obtained yet",
2254 __func__);
2255 return;
2256 }
2257
2258 if (bgp_pbr_build_and_validate_entry(p, info, &api) < 0) {
2259 if (BGP_DEBUG(pbr, PBR_ERROR))
2260 zlog_err("%s: cancel updating entry %p in bgp pbr",
2261 __func__, info);
2262 return;
2263 }
2264 bgp_pbr_handle_entry(bgp, info, &api, nlri_update);
2265 }
2266
2267 int bgp_pbr_interface_compare(const struct bgp_pbr_interface *a,
2268 const struct bgp_pbr_interface *b)
2269 {
2270 return strcmp(a->name, b->name);
2271 }
2272
2273 struct bgp_pbr_interface *bgp_pbr_interface_lookup(const char *name,
2274 struct bgp_pbr_interface_head *head)
2275 {
2276 struct bgp_pbr_interface pbr_if;
2277
2278 strlcpy(pbr_if.name, name, sizeof(pbr_if.name));
2279 return (RB_FIND(bgp_pbr_interface_head,
2280 head, &pbr_if));
2281 }
2282
2283 /* this function resets to the default policy routing
2284 * go back to default status
2285 */
2286 void bgp_pbr_reset(struct bgp *bgp, afi_t afi)
2287 {
2288 struct bgp_pbr_config *bgp_pbr_cfg = bgp->bgp_pbr_cfg;
2289 struct bgp_pbr_interface_head *head;
2290 struct bgp_pbr_interface *pbr_if;
2291
2292 if (!bgp_pbr_cfg || afi != AFI_IP)
2293 return;
2294 head = &(bgp_pbr_cfg->ifaces_by_name_ipv4);
2295
2296 while (!RB_EMPTY(bgp_pbr_interface_head, head)) {
2297 pbr_if = RB_ROOT(bgp_pbr_interface_head, head);
2298 RB_REMOVE(bgp_pbr_interface_head, head, pbr_if);
2299 XFREE(MTYPE_TMP, pbr_if);
2300 }
2301 }
FRRouting mirror