bgpd: the fs entry is valid for any rule only, by using ipruleset cmd

Before, it was not possible to create any rules. Now, it is possible to
have flowspec rules relying only on ip rule command. The check is done
here.

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

1 files changed, 36 insertions, 4 deletions

diff --git a/bgpd/bgp_pbr.c b/bgpd/bgp_pbr.c
index 96c1c6d40..88991b676 100644
--- a/bgpd/bgp_pbr.c
+++ b/bgpd/bgp_pbr.c
@@ -618,13 +618,45 @@ static int bgp_pbr_validate_policy_route(struct bgp_pbr_entry_main *api)
 				 " too complex. ignoring.");
 		return 0;
 	}
-	if (!(api->match_bitmask & PREFIX_SRC_PRESENT) &&
-	    !(api->match_bitmask & PREFIX_DST_PRESENT)) {
+	/* iprule only supports redirect IP */
+	if (api->type == BGP_PBR_IPRULE) {
+		int i;
+
+		for (i = 0; i < api->action_num; i++) {
+			if (api->actions[i].action == ACTION_TRAFFICRATE &&
+			    api->actions[i].u.r.rate == 0) {
+				if (BGP_DEBUG(pbr, PBR)) {
+					bgp_pbr_print_policy_route(api);
+					zlog_debug("BGP: iprule match actions"
+						   " drop not supported");
+				}
+				return 0;
+			}
+			if (api->actions[i].action == ACTION_MARKING) {
+				if (BGP_DEBUG(pbr, PBR)) {
+					bgp_pbr_print_policy_route(api);
+					zlog_warn("PBR: iprule set DSCP %u"
+						  " not supported",
+						api->actions[i].u.marking_dscp);
+				}
+			}
+			if (api->actions[i].action == ACTION_REDIRECT) {
+				if (BGP_DEBUG(pbr, PBR)) {
+					bgp_pbr_print_policy_route(api);
+					zlog_warn("PBR: iprule redirect VRF %u"
+						" not supported",
+						api->actions[i].u.redirect_vrf);
+				}
+			}
+		}
+
+	} else if (!(api->match_bitmask & PREFIX_SRC_PRESENT) &&
+		   !(api->match_bitmask & PREFIX_DST_PRESENT)) {
 		if (BGP_DEBUG(pbr, PBR)) {
 			bgp_pbr_print_policy_route(api);
 			zlog_debug("BGP: match actions without src"
-				 " or dst address can not operate."
-				 " ignoring.");
+				   " or dst address can not operate."
+				   " ignoring.");
 		}
 		return 0;
 	}