]> git.proxmox.com Git - mirror_frr.git/blob - bgpd/bgp_flowspec.c
projects / mirror_frr.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #13649 from donaldsharp/unlock_the_node_or_else
[mirror_frr.git] / bgpd / bgp_flowspec.c
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* BGP FlowSpec for packet handling
3 * Portions:
4 * Copyright (C) 2017 ChinaTelecom SDN Group
5 * Copyright (C) 2018 6WIND
6 */
7
8 #include <zebra.h>
9 #include <math.h>
10
11 #include "prefix.h"
12 #include "lib_errors.h"
13
14 #include "bgpd/bgpd.h"
15 #include "bgpd/bgp_route.h"
16 #include "bgpd/bgp_flowspec.h"
17 #include "bgpd/bgp_flowspec_util.h"
18 #include "bgpd/bgp_flowspec_private.h"
19 #include "bgpd/bgp_ecommunity.h"
20 #include "bgpd/bgp_debug.h"
21 #include "bgpd/bgp_errors.h"
22
23 static int bgp_fs_nlri_validate(uint8_t *nlri_content, uint32_t len,
24 afi_t afi)
25 {
26 uint32_t offset = 0;
27 int type;
28 int ret = 0, error = 0;
29
30 while (offset < len-1) {
31 type = nlri_content[offset];
32 offset++;
33 switch (type) {
34 case FLOWSPEC_DEST_PREFIX:
35 case FLOWSPEC_SRC_PREFIX:
36 ret = bgp_flowspec_ip_address(
37 BGP_FLOWSPEC_VALIDATE_ONLY,
38 nlri_content + offset,
39 len - offset, NULL, &error,
40 afi, NULL);
41 break;
42 case FLOWSPEC_FLOW_LABEL:
43 if (afi == AFI_IP)
44 return -1;
45 ret = bgp_flowspec_op_decode(BGP_FLOWSPEC_VALIDATE_ONLY,
46 nlri_content + offset,
47 len - offset, NULL, &error);
48 break;
49 case FLOWSPEC_IP_PROTOCOL:
50 case FLOWSPEC_PORT:
51 case FLOWSPEC_DEST_PORT:
52 case FLOWSPEC_SRC_PORT:
53 case FLOWSPEC_ICMP_TYPE:
54 case FLOWSPEC_ICMP_CODE:
55 ret = bgp_flowspec_op_decode(BGP_FLOWSPEC_VALIDATE_ONLY,
56 nlri_content + offset,
57 len - offset, NULL, &error);
58 break;
59 case FLOWSPEC_TCP_FLAGS:
60 case FLOWSPEC_FRAGMENT:
61 ret = bgp_flowspec_bitmask_decode(
62 BGP_FLOWSPEC_VALIDATE_ONLY,
63 nlri_content + offset,
64 len - offset, NULL, &error);
65 break;
66 case FLOWSPEC_PKT_LEN:
67 case FLOWSPEC_DSCP:
68 ret = bgp_flowspec_op_decode(
69 BGP_FLOWSPEC_VALIDATE_ONLY,
70 nlri_content + offset,
71 len - offset, NULL, &error);
72 break;
73 default:
74 error = -1;
75 break;
76 }
77 offset += ret;
78 if (error < 0)
79 break;
80 }
81 return error;
82 }
83
84 int bgp_nlri_parse_flowspec(struct peer *peer, struct attr *attr,
85 struct bgp_nlri *packet, bool withdraw)
86 {
87 uint8_t *pnt;
88 uint8_t *lim;
89 afi_t afi;
90 safi_t safi;
91 int psize = 0;
92 struct prefix p;
93 void *temp;
94
95 /* Start processing the NLRI - there may be multiple in the MP_REACH */
96 pnt = packet->nlri;
97 lim = pnt + packet->length;
98 afi = packet->afi;
99 safi = packet->safi;
100
101 /*
102 * All other AFI/SAFI's treat no attribute as a implicit
103 * withdraw. Flowspec should as well.
104 */
105 if (!attr)
106 withdraw = true;
107
108 if (packet->length >= FLOWSPEC_NLRI_SIZELIMIT_EXTENDED) {
109 flog_err(EC_BGP_FLOWSPEC_PACKET,
110 "BGP flowspec nlri length maximum reached (%u)",
111 packet->length);
112 return BGP_NLRI_PARSE_ERROR_FLOWSPEC_NLRI_SIZELIMIT;
113 }
114
115 for (; pnt < lim; pnt += psize) {
116 /* Clear prefix structure. */
117 memset(&p, 0, sizeof(p));
118
119 /* All FlowSpec NLRI begin with length. */
120 if (pnt + 1 > lim)
121 return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
122
123 psize = *pnt++;
124 if (psize >= FLOWSPEC_NLRI_SIZELIMIT) {
125 psize &= 0x0f;
126 psize = psize << 8;
127 psize |= *pnt++;
128 }
129 /* When packet overflow occur return immediately. */
130 if (pnt + psize > lim) {
131 flog_err(
132 EC_BGP_FLOWSPEC_PACKET,
133 "Flowspec NLRI length inconsistent ( size %u seen)",
134 psize);
135 return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
136 }
137
138 if (psize == 0) {
139 flog_err(EC_BGP_FLOWSPEC_PACKET,
140 "Flowspec NLRI length 0 which makes no sense");
141 return BGP_NLRI_PARSE_ERROR_PACKET_OVERFLOW;
142 }
143
144 if (bgp_fs_nlri_validate(pnt, psize, afi) < 0) {
145 flog_err(
146 EC_BGP_FLOWSPEC_PACKET,
147 "Bad flowspec format or NLRI options not supported");
148 return BGP_NLRI_PARSE_ERROR_FLOWSPEC_BAD_FORMAT;
149 }
150 p.family = AF_FLOWSPEC;
151 p.prefixlen = 0;
152 /* Flowspec encoding is in bytes */
153 p.u.prefix_flowspec.prefixlen = psize;
154 p.u.prefix_flowspec.family = afi2family(afi);
155 temp = XCALLOC(MTYPE_TMP, psize);
156 memcpy(temp, pnt, psize);
157 p.u.prefix_flowspec.ptr = (uintptr_t) temp;
158
159 if (BGP_DEBUG(flowspec, FLOWSPEC)) {
160 char return_string[BGP_FLOWSPEC_NLRI_STRING_MAX];
161 char local_string[BGP_FLOWSPEC_NLRI_STRING_MAX*2+16];
162 char ec_string[BGP_FLOWSPEC_NLRI_STRING_MAX];
163 char *s = NULL;
164
165 bgp_fs_nlri_get_string((unsigned char *)
166 p.u.prefix_flowspec.ptr,
167 p.u.prefix_flowspec.prefixlen,
168 return_string,
169 NLRI_STRING_FORMAT_MIN, NULL,
170 afi);
171 snprintf(ec_string, sizeof(ec_string),
172 "EC{none}");
173 if (attr && bgp_attr_get_ecommunity(attr)) {
174 s = ecommunity_ecom2str(
175 bgp_attr_get_ecommunity(attr),
176 ECOMMUNITY_FORMAT_ROUTE_MAP, 0);
177 snprintf(ec_string, sizeof(ec_string),
178 "EC{%s}",
179 s == NULL ? "none" : s);
180
181 if (s)
182 ecommunity_strfree(&s);
183 }
184 snprintf(local_string, sizeof(local_string),
185 "FS Rx %s %s %s %s", withdraw ?
186 "Withdraw":"Update",
187 afi2str(afi), return_string,
188 attr != NULL ? ec_string : "");
189 zlog_info("%s", local_string);
190 }
191 /* Process the route. */
192 if (!withdraw)
193 bgp_update(peer, &p, 0, attr, afi, safi,
194 ZEBRA_ROUTE_BGP, BGP_ROUTE_NORMAL, NULL,
195 NULL, 0, 0, NULL);
196 else
197 bgp_withdraw(peer, &p, 0, afi, safi, ZEBRA_ROUTE_BGP,
198 BGP_ROUTE_NORMAL, NULL, NULL, 0, NULL);
199 }
200 return BGP_NLRI_PARSE_OK;
201 }
FRRouting mirror