bgpd: the fs entry is valid for any rule only, by using ipruleset cmd

Before, it was not possible to create any rules. Now, it is possible to
have flowspec rules relying only on ip rule command. The check is done
here.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

diff --git a/bgpd/bgp_pbr.c b/bgpd/bgp_pbr.c
index 96c1c6d4088d073f29bce33b021595cdecd69713..88991b67604a8411a2374281b61a4da8f2771225 100644 (file)
--- a/bgpd/bgp_pbr.c
+++ b/bgpd/bgp_pbr.c
@@ -618,13 +618,45 @@ static int bgp_pbr_validate_policy_route(struct bgp_pbr_entry_main *api)
                                 " too complex. ignoring.");
                return 0;
        }
-       if (!(api->match_bitmask & PREFIX_SRC_PRESENT) &&
-           !(api->match_bitmask & PREFIX_DST_PRESENT)) {
+       /* iprule only supports redirect IP */
+       if (api->type == BGP_PBR_IPRULE) {
+               int i;
+
+               for (i = 0; i < api->action_num; i++) {
+                       if (api->actions[i].action == ACTION_TRAFFICRATE &&
+                           api->actions[i].u.r.rate == 0) {
+                               if (BGP_DEBUG(pbr, PBR)) {
+                                       bgp_pbr_print_policy_route(api);
+                                       zlog_debug("BGP: iprule match actions"
+                                                  " drop not supported");
+                               }
+                               return 0;
+                       }
+                       if (api->actions[i].action == ACTION_MARKING) {
+                               if (BGP_DEBUG(pbr, PBR)) {
+                                       bgp_pbr_print_policy_route(api);
+                                       zlog_warn("PBR: iprule set DSCP %u"
+                                                 " not supported",
+                                               api->actions[i].u.marking_dscp);
+                               }
+                       }
+                       if (api->actions[i].action == ACTION_REDIRECT) {
+                               if (BGP_DEBUG(pbr, PBR)) {
+                                       bgp_pbr_print_policy_route(api);
+                                       zlog_warn("PBR: iprule redirect VRF %u"
+                                               " not supported",
+                                               api->actions[i].u.redirect_vrf);
+                               }
+                       }
+               }
+
+       } else if (!(api->match_bitmask & PREFIX_SRC_PRESENT) &&
+                  !(api->match_bitmask & PREFIX_DST_PRESENT)) {
                if (BGP_DEBUG(pbr, PBR)) {
                        bgp_pbr_print_policy_route(api);
                        zlog_debug("BGP: match actions without src"
-                                " or dst address can not operate."
-                                " ignoring.");
+                                  " or dst address can not operate."
+                                  " ignoring.");
                }
                return 0;
        }