bgpd: limit policy routing with flowlabel, fragment, and prefix offset
authorPhilippe Guibert <philippe.guibert@6wind.com>
Mon, 21 Oct 2019 09:05:44 +0000 (11:05 +0200)
committerPhilippe Guibert <philippe.guibert@6wind.com>
Fri, 21 Aug 2020 11:37:08 +0000 (13:37 +0200)
The following 3 options are not supported in the current implementation of
policy routing. For that reason, inform the user that the flowspec entry is
invalid when attempting to use:
- prefix offset with src, or dst ipv6 address ( see [1])
- flowlabel value - limitation due to [0]
- fragment ( implementation not done today).

[0] https://bugzilla.netfilter.org/show_bug.cgi?id=1375
[1] https://bugzilla.netfilter.org/show_bug.cgi?id=1373

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
bgpd/bgp_pbr.c

index 552f6a51fe9dcbf593db6aff82c99eae2ee53022..945a2e494a7e335e2c48080d8cbd94c80225c189 100644 (file)
@@ -44,6 +44,7 @@ DEFINE_MTYPE_STATIC(BGPD, PBR_VALMASK, "BGP PBR Val Mask Value")
 
 /* chain strings too long to fit in one line */
 #define FSPEC_ACTION_EXCEED_LIMIT "flowspec actions exceeds limit"
+#define IPV6_FRAGMENT_INVALID "fragment not valid for IPv6 for this implementation"
 
 RB_GENERATE(bgp_pbr_interface_head, bgp_pbr_interface,
            id_entry, bgp_pbr_interface_compare);
@@ -525,6 +526,13 @@ static int bgp_pbr_validate_policy_route(struct bgp_pbr_entry_main *api)
                                 api->match_protocol_num);
                return 0;
        }
+       if (api->src_prefix_offset > 0 ||
+           api->dst_prefix_offset > 0) {
+               if (BGP_DEBUG(pbr, PBR))
+                       zlog_debug("BGP: match prefix offset:"
+                                  "implementation does not support it.");
+               return 0;
+       }
        if (api->match_protocol_num == 1 &&
            api->protocol[0].value != PROTOCOL_UDP &&
            api->protocol[0].value != PROTOCOL_ICMP &&
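Review bot: The new prefix-offset rejection is reported only through `zlog_debug` behind `BGP_DEBUG(pbr, PBR)`, so with pbr debugging off a received flowspec entry is dropped with no trace for the operator, although the commit message sets out to inform the user; the FlowLabel rejection added in the next hunk has the same shape. If the entry was meant to filter traffic, the silent drop leaves that traffic unfiltered, so a rate-limited warning-level message would be worth considering here. Separately, the two adjacent literals concatenate to `offset:implementation` with no space; writing the first one as `"BGP: match prefix offset: "` fixes it. The check is also not tied to `api->afi`, while the commit message speaks of IPv6 addresses only; that is harmless if the offsets are always zero for IPv4, which cannot be confirmed from this hunk. bgp_pbr_validate_policy_route starts and ends outside the hunk.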
@@ -626,6 +634,10 @@ static int bgp_pbr_validate_policy_route(struct bgp_pbr_entry_main *api)
                                           "too complex. ignoring.");
                        return 0;
                }
+               if (BGP_DEBUG(pbr, PBR))
+                       zlog_debug("BGP: match FlowLabel operations "
+                                  "not supported. ignoring.");
+               return 0;
        }
        if (api->match_fragment_num) {
                char fail_str[64];
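Review bot: The unconditional `return 0` added at the end of this block makes every FlowLabel match fail validation, so the operator check just above it now only selects which debug message is printed, and nothing in the code says why. A comment on the new lines would record the reason and when the restriction can be lifted, for example `/* FlowLabel matching disabled: see netfilter bugzilla #1375 */`, taken from reference [0] in the commit message. The block these lines close opens above the hunk, so the condition guarding it is not visible here.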
@@ -658,6 +670,11 @@ static int bgp_pbr_validate_policy_route(struct bgp_pbr_entry_main *api)
                                                 api->fragment[i].value);
                                }
                        }
+                       if (api->afi == AFI_IP6) {
+                               success = false;
+                               snprintf(fail_str, sizeof(fail_str),
+                                        "%s", IPV6_FRAGMENT_INVALID);
+                       }
                } else
                        snprintf(fail_str, sizeof(fail_str),
                                 "too complex. ignoring");
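Review bot: The IPv6 check is placed after the per-value validation, so for an IPv6 entry it overwrites any more specific message already written into `fail_str`, and the enumeration above the hunk appears to run only to be discarded. Testing `api->afi == AFI_IP6` first in the `match_fragment_num` block, before the fragment values are extracted, would reject the entry without that work and keep one message per cause. The `snprintf(fail_str, sizeof(fail_str), "%s", ...)` form is the right way to copy the macro text into the buffer. How `success` and `fail_str` are consumed lies below the hunk, so the final log level and return value are inferred rather than visible.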