Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Flowspec other options #2594

Merged
merged 28 commits into from Jul 3, 2018
Merged

Flowspec other options #2594

merged 28 commits into from Jul 3, 2018

Conversation

pguibert6WIND
Copy link
Member

support for:

ICMP values ( type and code)
DSCP : enumerate or single value
packet length : enumerate or single value or range
fragment : enumerate
tcp flags : enumerate or single value

the enumerate is a OR list.
that implies that there is a demultiplexer in BGP that creates as many pbr ipset and pbr iptable entries as needed.

@pguibert6WIND
zebra: pbr ipset_type2_str command is externalised
847b7ab 
The API of that function that converts ipset types is externalised.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
zebra: improve show zebra ipset output for icmp
6a04dac 
The icmp type/code is displayed.
Also, the flags are correctly set in case ICMP protocol is elected.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: handle ICMP type and code from flowspec
3b70517 
It is possible for flowspec entries containing ICMP rule to insert PBR
entries based on ICMP type and ICMP code.
Flowspec ICMP filtering can either have icmp type or icmp code or both.
Not all combinations are permitted:
- if icmp code is provided, then it is not possible to derive the
  correct icmp value. This will not be installed
- range of ICMP is authorised or list of ICMP, but not both.
- on receiving a list of ICMPtype/code, each ICMP type is attempted to
  be associated to ICMP code. If not found, then ICMPtype is combined
  with all known ICMP code values associated to that ICMP type.
- if a specific ICMP type/code is needed, despite the ICMP code/type
  combination does not exist, then it is possible to do it by forging a
  FS ICMP type/code specific for that.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: add comment to inform that icmp can be stored in that struct
cea32b6 
Generic ipset entry structure will be reused to host icmp information.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: add support of bgp flowspec filtering per packet length
c0b8c1a 
It is possible to do filtering based on packet length value or a range
of packet-length.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: add debug routine to display which PBR entry is handled
fa73fdc 
To know which entry is set/unset, a debug handler is present, that
displays which entry is injected/removed to/from zebra.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
zebra: add packet length into pbr support
a0ca133 
The packet length is added to iptable zapi message.
Then the iptable structure is taking into account the pkt_len field.
The show pbr iptable command displays the packet length used if any.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: simplify API in BGP policy-routing to handle Flowspec
db23793 
To handle FS params between FS RIB and BGP PBR entities, a structure
intermediate named bgp_pbr_filter is used, and contains all filtering
information that was before passed as a parameter.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: fix display with flowspec tcp flags option
e38991c 
When displaying RIB FS summary, the TCP option is not displayed.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: support for flowspec tcp flags
d9e3799 
Ability to handle flowspec tcp flags.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
zebra: handling of policy routing iptable tcpflags
8a18a5c 
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd, lib: share flags values for iptable configuration
7b2c731 
Those flags can be shared between BGP and Zebra. That is why
those flags are moved to common pbr.h header file.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: do not add default route for flowspec for each FS entry
f43d659 
Because the Flowspec entries are parsed first, then injected to Zebra,
there are cases where the install feedback from zebra is not received.
This leads to unnecessary add route events, whereas one should be
enough.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: extend enumerate API to handle or operations
6d47669 
The flowspec enumerate list can either be and values or or values.
In the latter case, a list is created that will be used later.
Also, the API supports the check for both and or or operations. This API
does not permit to handle both and and or operations at the same time.
The list will have to be either and or or. An other API retrieves the
operator unary value that is used: and or or. or 0 is the two operators
are used at the same time.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: use a bgp_pbr_or_filter structure to host tcpflags combinations
fd36d12 
tcp flags combinations ( or enumerates)  are hosted in a structure that
will be analysed later, when wanting to inject that information to
zebra.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: add a parameter to handle param or combinations
674a711 
Before adding/removing to zebra, flowspec entries parses the list of
combinations or avaialble and creates contexts in order to be injected
to zebra.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
*: add flowspec dscp handling
d7e3bf1 
Only one dscp value is accepted as filtering option.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
zebra: add show pbr iptable dscp information
ccf4811 
The iptable configured with dscp displays the dscp value configured.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: enumerate support for dscp values
77bfc3d 
If one dscp value or an enumerate list of or values of dscp are
provided, then the bgp pbr entries created will take into account the
dscp values.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: introduce recursive operations for or flowspec operations
45b2666 
So as to add or remove entries with flowspec or operations like tcp
flags or dscp enum list, a mechanism is put in place that adds
recursivity.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: support for enumerate pkt len
28fad15 
The packet length can be injected from fs entry with an enumerate list;
the negation of the value is also taken into account.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: align fragment flowspec decoding with tcpflags
8fdd7f7 
As fragment bitmask and tcpflags bitmask in flowspec protocol is encoded
in the same way, it is not necessary to differentiate those two fields.
Moreover, it overrides the initial fragment limit set to 1. It is now
possible to handle multiple framgent values.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: support for flowspec fragment list into policy routing
a197ea1 
The flowspec fragment attribute is taken into account to be pushed in
BGP policy routing entries. Valid values are enumerate list of 1, 2, 4,
or 8 values. no combined value is supported yet.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
zebra: handle policy routing fragment handling
b0f0c45 
incoming iptable entries with fragment parameter is handled.
An iptable context is created for each fragment value received from BGP.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: fix recursive call combination
67f51e9 
The recursive algorithm was taking into account the fact that all the
bpof structures were filled in. Because the dscp value was not given,
the pkt_len parsing could not be achieved. Now the iteration takes into
account each type according to the previous one, thus guaranting all
parameters to be parsed.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: rework icmp enumerate list
377f827 
As the other enumerate list, icmp type and code are handled as the other
combinations. The icmp type and code options are the last options to be
injected into PBR. If icmp type is present only, all the filtering will
apply to this icmp type. if icmp code is present only, then all the
combination will be done with icmp type ranging from 0 to 255 values.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: add an icmp flag for flowspec icmp entries
53dd0c1 
Some values for icmp type/code can not be encoded like port source or
port destination. This is the case of 0 value that is authorized for
icmp.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@pguibert6WIND
bgpd: rework enumerate function, handle not values
936f6d1 
The handling of reverse values is in a separate function.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
@NetDEF-CI
Copy link
Collaborator

Continuous Integration Result: SUCCESSFUL

Congratulations, this patch passed basic tests

Tested-by: NetDEF / OpenSourceRouting.org CI System

CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-4319/

This is a comment from an EXPERIMENTAL automated CI system.
For questions and feedback in regards to this CI system, please feel free to email
Martin Winter - mwinter (at) opensourcerouting.org.

Warnings Generated during build:

Checkout code: Successful with additional warnings:

Report for bgp_pbr.c
===============================================
< WARNING: quoted string split across lines
< #503: FILE: /tmp/f1-8940/bgp_pbr.c:503:
< +				zlog_debug("BGP: match icmp type operations:"
< +					   "too complex. ignoring.");
--
< WARNING: quoted string split across lines
< #515: FILE: /tmp/f1-8940/bgp_pbr.c:515:
< +				zlog_debug("BGP: match icmp code operations:"
< +					   "too complex. ignoring.");
--
< WARNING: quoted string split across lines
< #521: FILE: /tmp/f1-8940/bgp_pbr.c:521:
< +				zlog_debug("BGP: match icmp code is enumerate"
< +					   ", and icmp type is not."
--
< WARNING: quoted string split across lines
< #522: FILE: /tmp/f1-8940/bgp_pbr.c:522:
< +					   ", and icmp type is not."
< +					   " too complex. ignoring.");
--
< WARNING: quoted string split across lines
< #529: FILE: /tmp/f1-8940/bgp_pbr.c:529:
---
> #285: FILE: /tmp/f2-8940/bgp_pbr.c:285:
--
< WARNING: quoted string split across lines
< #556: FILE: /tmp/f1-8940/bgp_pbr.c:556:
< +				zlog_debug("BGP: match DSCP operations:"
< +					   "too complex. ignoring.");
--
< WARNING: quoted string split across lines
< #601: FILE: /tmp/f1-8940/bgp_pbr.c:601:
---
> #295: FILE: /tmp/f2-8940/bgp_pbr.c:295:
--
< WARNING: quoted string split across lines
< #617: FILE: /tmp/f1-8940/bgp_pbr.c:617:
---
> #303: FILE: /tmp/f2-8940/bgp_pbr.c:303:
--
< WARNING: line over 80 characters
< #1454: FILE: /tmp/f1-8940/bgp_pbr.c:1454:
< +				bgp_pbr_policyroute_add_to_zebra_unit(bgp, binfo,
<

CLANG Static Analyzer Summary

  • Github Pull Request 2594, comparing to Git base SHA 5ca75c5

No Changes in Static Analysis warnings compared to base

15 Static Analyzer issues remaining.

See details at
https://ci1.netdef.org/browse/FRR-FRRPULLREQ-4319/artifact/shared/static_analysis/index.html

@LabN-CI
Copy link
Collaborator

LabN-CI commented Jul 2, 2018

💚 Basic BGPD CI results: SUCCESS, 0 tests failed

Results table
_ _
Result SUCCESS git merge/2594 936f6d1
Date 07/02/2018
Start 03:45:12
Finish 04:08:50
Run-Time 23:38
Total 1816
Pass 1816
Fail 0
Valgrind-Errors 0
Valgrind-Loss 0
Details vncregress-2018-07-02-03:45:12.txt
Log autoscript-2018-07-02-03:46:17.log.bz2

For details, please contact louberger

@donaldsharp donaldsharp merged commit 75c3456 into FRRouting:stable/5.0 Jul 3, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@pguibert6WIND @NetDEF-CI @LabN-CI @donaldsharp