New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Flowspec other options #2594
Flowspec other options #2594
Conversation
The API of that function that converts ipset types is externalised. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
The icmp type/code is displayed. Also, the flags are correctly set in case ICMP protocol is elected. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
It is possible for flowspec entries containing ICMP rule to insert PBR entries based on ICMP type and ICMP code. Flowspec ICMP filtering can either have icmp type or icmp code or both. Not all combinations are permitted: - if icmp code is provided, then it is not possible to derive the correct icmp value. This will not be installed - range of ICMP is authorised or list of ICMP, but not both. - on receiving a list of ICMPtype/code, each ICMP type is attempted to be associated to ICMP code. If not found, then ICMPtype is combined with all known ICMP code values associated to that ICMP type. - if a specific ICMP type/code is needed, despite the ICMP code/type combination does not exist, then it is possible to do it by forging a FS ICMP type/code specific for that. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Generic ipset entry structure will be reused to host icmp information. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
It is possible to do filtering based on packet length value or a range of packet-length. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
To know which entry is set/unset, a debug handler is present, that displays which entry is injected/removed to/from zebra. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
The packet length is added to iptable zapi message. Then the iptable structure is taking into account the pkt_len field. The show pbr iptable command displays the packet length used if any. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
To handle FS params between FS RIB and BGP PBR entities, a structure intermediate named bgp_pbr_filter is used, and contains all filtering information that was before passed as a parameter. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
When displaying RIB FS summary, the TCP option is not displayed. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Ability to handle flowspec tcp flags. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Those flags can be shared between BGP and Zebra. That is why those flags are moved to common pbr.h header file. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Because the Flowspec entries are parsed first, then injected to Zebra, there are cases where the install feedback from zebra is not received. This leads to unnecessary add route events, whereas one should be enough. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
The flowspec enumerate list can either be and values or or values. In the latter case, a list is created that will be used later. Also, the API supports the check for both and or or operations. This API does not permit to handle both and and or operations at the same time. The list will have to be either and or or. An other API retrieves the operator unary value that is used: and or or. or 0 is the two operators are used at the same time. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
tcp flags combinations ( or enumerates) are hosted in a structure that will be analysed later, when wanting to inject that information to zebra. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Before adding/removing to zebra, flowspec entries parses the list of combinations or avaialble and creates contexts in order to be injected to zebra. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Only one dscp value is accepted as filtering option. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
The iptable configured with dscp displays the dscp value configured. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
If one dscp value or an enumerate list of or values of dscp are provided, then the bgp pbr entries created will take into account the dscp values. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
So as to add or remove entries with flowspec or operations like tcp flags or dscp enum list, a mechanism is put in place that adds recursivity. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
The packet length can be injected from fs entry with an enumerate list; the negation of the value is also taken into account. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
As fragment bitmask and tcpflags bitmask in flowspec protocol is encoded in the same way, it is not necessary to differentiate those two fields. Moreover, it overrides the initial fragment limit set to 1. It is now possible to handle multiple framgent values. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
The flowspec fragment attribute is taken into account to be pushed in BGP policy routing entries. Valid values are enumerate list of 1, 2, 4, or 8 values. no combined value is supported yet. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
incoming iptable entries with fragment parameter is handled. An iptable context is created for each fragment value received from BGP. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
The recursive algorithm was taking into account the fact that all the bpof structures were filled in. Because the dscp value was not given, the pkt_len parsing could not be achieved. Now the iteration takes into account each type according to the previous one, thus guaranting all parameters to be parsed. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
As the other enumerate list, icmp type and code are handled as the other combinations. The icmp type and code options are the last options to be injected into PBR. If icmp type is present only, all the filtering will apply to this icmp type. if icmp code is present only, then all the combination will be done with icmp type ranging from 0 to 255 values. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Some values for icmp type/code can not be encoded like port source or port destination. This is the case of 0 value that is authorized for icmp. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
The handling of reverse values is in a separate function. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
Continuous Integration Result: SUCCESSFULCongratulations, this patch passed basic tests Tested-by: NetDEF / OpenSourceRouting.org CI System CI System Testrun URL: https://ci1.netdef.org/browse/FRR-FRRPULLREQ-4319/ This is a comment from an EXPERIMENTAL automated CI system. Warnings Generated during build:Checkout code: Successful with additional warnings:
CLANG Static Analyzer Summary
No Changes in Static Analysis warnings compared to base15 Static Analyzer issues remaining.See details at |
💚 Basic BGPD CI results: SUCCESS, 0 tests failedResults table
For details, please contact louberger |
support for:
the enumerate is a OR list.
that implies that there is a demultiplexer in BGP that creates as many pbr ipset and pbr iptable entries as needed.