authorPhilippe Guibert <philippe.guibert@6wind.com>2018-11-29 15:04:52 +0100
committerPhilippe Guibert <philippe.guibert@6wind.com>2019-01-29 14:15:09 +0100
commit5fa779c9688fa01be8f5f8702de600afc1ba931a (patch)
treec95766f5a2930aad9b499ad99cfcd9accf7261eb
parentce239ce000963d8eb6c78471f696f1b127660c6c (diff)
bgpd: upon bgp fs study, determine if iprule can be used
Instead of using the ipset-based mechanism to forward packets, there are cases where an ip-rule-based mechanism (without ipset) can be used. Here, this applies to simple fs rules with only 'from any' or 'to any'. Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
-rw-r--r--bgpd/bgp_flowspec_util.c19
-rw-r--r--bgpd/bgp_pbr.c5
-rw-r--r--bgpd/bgp_pbr.h4
3 files changed, 26 insertions, 2 deletions
diff --git a/bgpd/bgp_flowspec_util.c b/bgpd/bgp_flowspec_util.c
index cd5bec6267..b9a0d81cc5 100644
--- a/bgpd/bgp_flowspec_util.c
+++ b/bgpd/bgp_flowspec_util.c
@@ -456,8 +456,7 @@ int bgp_flowspec_match_rules_fill(uint8_t *nlri_content, int len,
*/
if (prefix->family == AF_INET
&& prefix->u.prefix4.s_addr == 0)
- memset(prefix, 0,
- sizeof(struct prefix));
+ bpem->match_bitmask_iprule |= bitmask;
else
bpem->match_bitmask |= bitmask;
}
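Review bot: The `prefix->u.prefix4.s_addr == 0` test that now sends a prefix into `match_bitmask_iprule` does not look at the prefix length, so a prefix such as 0.0.0.0/8 would appear to be recorded the same way as 0.0.0.0/0 and treated as "any". Since the NLRI content comes from a BGP peer, I would tighten the condition with `&& prefix->prefixlen == 0` so that only a true default prefix takes the ip-rule path. The removed memset also means the prefix is no longer cleared here; whether later consumers relied on that is not visible in this hunk. The enclosing function starts and ends outside the hunk.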
@@ -580,6 +579,22 @@ int bgp_flowspec_match_rules_fill(uint8_t *nlri_content, int len,
__func__, type);
}
}
+ if (bpem->match_packet_length_num || bpem->match_fragment_num ||
+ bpem->match_tcpflags_num || bpem->match_dscp_num ||
+ bpem->match_packet_length_num || bpem->match_icmp_code_num ||
+ bpem->match_icmp_type_num || bpem->match_port_num ||
+ bpem->match_src_port_num || bpem->match_dst_port_num ||
+ bpem->match_protocol_num || bpem->match_bitmask)
+ bpem->type = BGP_PBR_IPSET;
+ else if ((bpem->match_bitmask_iprule & PREFIX_SRC_PRESENT) ||
+ (bpem->match_bitmask_iprule & PREFIX_DST_PRESENT))
+ /* the extracted policy rule may not need an
+ * iptables/ipset filtering. check this may not be
+ * a standard ip rule : permit any to any ( eg)
+ */
+ bpem->type = BGP_PBR_IPRULE;
+ else
+ bpem->type = BGP_PBR_UNDEFINED;
return error;
}
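Review bot: `bpem->match_packet_length_num` is tested twice in the first condition (its first and third lines), which reads like a copy-paste slip; if another field was meant, it is silently missing from the BGP_PBR_IPSET decision, otherwise the duplicate should be dropped. The classification also runs when `error` is non-zero, so a partially parsed NLRI still gets a `type` assigned before `return error;`. Callers presumably check the return value first, but that is outside this hunk. The comment on the IPRULE branch is hard to follow; something like `/* only 'from any' / 'to any' prefixes were seen: no ipset/iptables match is needed, a plain ip rule is enough */` would state the intent. The function body starts outside the hunk.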
diff --git a/bgpd/bgp_pbr.c b/bgpd/bgp_pbr.c
index f002154701..03c2d9d601 100644
--- a/bgpd/bgp_pbr.c
+++ b/bgpd/bgp_pbr.c
@@ -448,6 +448,11 @@ static int bgp_pbr_validate_policy_route(struct bgp_pbr_entry_main *api)
{
bool enumerate_icmp = false;
+ if (api->type == BGP_PBR_UNDEFINED) {
+ if (BGP_DEBUG(pbr, PBR))
+ zlog_debug("BGP: pbr entry undefined. cancel.");
+ return 0;
+ }
/* because bgp pbr entry may contain unsupported
* combinations, a message will be displayed here if
* not supported.
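Review bot: The BGP_PBR_UNDEFINED rejection is reported only when pbr debugging is enabled, so in normal operation a FlowSpec entry that yields no usable match is dropped without any trace. An operator relying on these entries for traffic policy would want to see that one was not installed; consider logging the rejection outside the `BGP_DEBUG(pbr, PBR)` guard. A short comment such as `/* nothing usable was parsed: do not install */` above the `return 0;` would also help, assuming 0 is this function's "not valid" result. The rest of the body is outside this hunk, so that convention cannot be confirmed here.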
diff --git a/bgpd/bgp_pbr.h b/bgpd/bgp_pbr.h
index f59aeea8b2..eebfdf3715 100644
--- a/bgpd/bgp_pbr.h
+++ b/bgpd/bgp_pbr.h
@@ -87,6 +87,9 @@ struct bgp_pbr_entry_action {
/* BGP Policy Route structure */
struct bgp_pbr_entry_main {
+#define BGP_PBR_UNDEFINED 0
+#define BGP_PBR_IPSET 1
+#define BGP_PBR_IPRULE 2
uint8_t type;
/*
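Review bot: The three `BGP_PBR_*` values for `type` are added without saying what each one selects. A comment above them such as `/* how the entry is installed: UNDEFINED = nothing usable parsed, IPSET = needs ipset/iptables matching, IPRULE = prefix-only, plain ip rule */` would make the field self-explanatory. Since UNDEFINED is 0, it is also worth stating that an entry whose `type` was never set is treated as undefined and, judging by the check added in bgp_pbr.c, rejected by validation. The struct body continues outside the hunk.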
@@ -98,6 +101,7 @@ struct bgp_pbr_entry_main {
#define PREFIX_SRC_PRESENT (1 << 0)
#define PREFIX_DST_PRESENT (1 << 1)
+ uint8_t match_bitmask_iprule;
uint8_t match_bitmask;
uint8_t match_src_port_num;