bgpd: add an icmp flag for flowspec icmp entries
authorPhilippe Guibert <philippe.guibert@6wind.com>
Thu, 21 Jun 2018 10:29:18 +0000 (12:29 +0200)
committerPhilippe Guibert <philippe.guibert@6wind.com>
Mon, 2 Jul 2018 07:20:40 +0000 (09:20 +0200)
Some icmp type/code values cannot be encoded the way a source or
destination port is. This is the case for the value 0, which is allowed
for icmp.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
bgpd/bgp_pbr.c
lib/pbr.h

index 615b5723c42b3f4e286871640123d3f48e0f51a4..43ff78d38e292e0daa67dc1f0887f02e079cdebf 100644 (file)
@@ -1310,7 +1310,9 @@ static void bgp_pbr_policyroute_remove_from_zebra_unit(struct bgp *bgp,
                prefix_copy(&temp2.dst, bpf->dst);
        } else
                temp2.dst.family = AF_INET;
-       if (src_port && src_port->min_port) {
+       if (src_port && (src_port->min_port || bpf->protocol == IPPROTO_ICMP)) {
+               if (bpf->protocol == IPPROTO_ICMP)
+                       temp.flags |= MATCH_ICMP_SET;
                temp.flags |= MATCH_PORT_SRC_SET;
                temp2.src_port_min = src_port->min_port;
                if (src_port->max_port) {
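Review bot: The lookup key built here only matches the entry created on the add path if `temp.type` is derived the same way in both functions, and that computation for bgp_pbr_policyroute_remove_from_zebra_unit lies outside this hunk. The add path in this commit now selects the ipset type from `temp.flags & (MATCH_PORT_DST_SET | MATCH_PORT_SRC_SET)`. If the remove path still tests `min_port`, an ICMP entry with type or code 0 would presumably be searched under IPSET_NET rather than IPSET_NET_PORT, and a withdrawn flowspec filter could stay installed. Please confirm the remove path uses the same flag-based test; the same applies to the dst_port hunk just below.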
@@ -1318,7 +1320,9 @@ static void bgp_pbr_policyroute_remove_from_zebra_unit(struct bgp *bgp,
                        temp2.src_port_max = src_port->max_port;
                }
        }
-       if (dst_port && dst_port->min_port) {
+       if (dst_port && (dst_port->min_port || bpf->protocol == IPPROTO_ICMP)) {
+               if (bpf->protocol == IPPROTO_ICMP)
+                       temp.flags |= MATCH_ICMP_SET;
                temp.flags |= MATCH_PORT_DST_SET;
                temp2.dst_port_min = dst_port->min_port;
                if (dst_port->max_port) {
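Review bot: The nested `if (bpf->protocol == IPPROTO_ICMP) temp.flags |= MATCH_ICMP_SET;` is now repeated in the src_port and dst_port branches of both this function and bgp_pbr_policyroute_add_to_zebra_unit, four copies in all. With ICMP the outer condition reduces to the pointer being non-NULL, so one statement ahead of the port blocks would do the same: `if (bpf->protocol == IPPROTO_ICMP && (src_port || dst_port)) temp.flags |= MATCH_ICMP_SET;`. That keeps the add and remove paths from drifting apart if another protocol later needs the same treatment. The function body starts and ends outside this hunk.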
@@ -1692,33 +1696,38 @@ static void bgp_pbr_policyroute_add_to_zebra_unit(struct bgp *bgp,
 
        /* then look for bpm */
        memset(&temp, 0, sizeof(temp));
-       if (bpf->src == NULL || bpf->dst == NULL) {
-               if ((src_port && src_port->min_port) ||
-                   (dst_port && dst_port->min_port))
-                       temp.type = IPSET_NET_PORT;
-               else
-                       temp.type = IPSET_NET;
-       } else {
-               if ((src_port && src_port->min_port) ||
-                   (dst_port && dst_port->min_port))
-                       temp.type = IPSET_NET_PORT_NET;
-               else
-                       temp.type = IPSET_NET_NET;
-       }
        temp.vrf_id = bpf->vrf_id;
        if (bpf->src)
                temp.flags |= MATCH_IP_SRC_SET;
        if (bpf->dst)
                temp.flags |= MATCH_IP_DST_SET;
 
-       if (src_port && src_port->min_port)
+       if (src_port && (src_port->min_port || bpf->protocol == IPPROTO_ICMP)) {
+               if (bpf->protocol == IPPROTO_ICMP)
+                       temp.flags |= MATCH_ICMP_SET;
                temp.flags |= MATCH_PORT_SRC_SET;
-       if (dst_port && dst_port->min_port)
+       }
+       if (dst_port && (dst_port->min_port || bpf->protocol == IPPROTO_ICMP)) {
+               if (bpf->protocol == IPPROTO_ICMP)
+                       temp.flags |= MATCH_ICMP_SET;
                temp.flags |= MATCH_PORT_DST_SET;
+       }
        if (src_port && src_port->max_port)
                temp.flags |= MATCH_PORT_SRC_RANGE_SET;
        if (dst_port && dst_port->max_port)
                temp.flags |= MATCH_PORT_DST_RANGE_SET;
+
+       if (bpf->src == NULL || bpf->dst == NULL) {
+               if (temp.flags & (MATCH_PORT_DST_SET | MATCH_PORT_SRC_SET))
+                       temp.type = IPSET_NET_PORT;
+               else
+                       temp.type = IPSET_NET;
+       } else {
+               if (temp.flags & (MATCH_PORT_DST_SET | MATCH_PORT_SRC_SET))
+                       temp.type = IPSET_NET_PORT_NET;
+               else
+                       temp.type = IPSET_NET_NET;
+       }
        if (pkt_len) {
                temp.pkt_len_min = pkt_len->min_port;
                if (pkt_len->max_port)
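Review bot: The relocated `temp.type` selection now depends on the port flags having been computed first, and nothing in the code says why. A comment above the `if (bpf->src == NULL || bpf->dst == NULL)` block would keep a later cleanup from moving it back or reverting to `min_port` tests, e.g. `/* derive the ipset type from flags, not min_port: ICMP type/code 0 is a valid match */`. It would also help to state at the ICMP checks that src_port/dst_port carry the ICMP type and code here, which the commit message implies but the code does not say. The function continues outside the hunk.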
index 0c447e605be56176c8d0e5e9ddddba9341822994..76b91e6205bbcad3338cfcb6921aa146fb8c4a6d 100644 (file)
--- a/lib/pbr.h
+++ b/lib/pbr.h
@@ -110,6 +110,7 @@ struct pbr_rule {
 #define MATCH_DSCP_INVERSE_SET         (1 << 7)
 #define MATCH_PKT_LEN_INVERSE_SET      (1 << 8)
 #define MATCH_FRAGMENT_INVERSE_SET     (1 << 9)
+#define MATCH_ICMP_SET                 (1 << 10)
 
 extern int zapi_pbr_rule_encode(uint8_t cmd, struct stream *s,
                                struct pbr_rule *zrule);
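Review bot: MATCH_ICMP_SET is added without a comment, and its meaning is not obvious from the name. Judging by bgpd/bgp_pbr.c, it marks an entry whose port fields hold ICMP type/code, where 0 is a legitimate value. Something like `/* port fields carry ICMP type/code; 0 is valid */` above the define would record that. No reader of the flag is part of this commit, so the code that installs the ipset entry should be checked to honour it; otherwise a type/code 0 filter may still be dropped or installed as a plain port match.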