path: root/bgpd/bgp_pbr.h
Commit message | Author | Age | Files | Lines
* bgp, zebra, lib: add protocol support for iptables | Philippe Guibert | 2019-07-08 | 1 | -0/+1
  in addition to support for tcpflags, it is possible to filter on any protocol. the filtering can then be based with iptables.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* lib: hashing functions should take const arguments | Quentin Young | 2019-05-14 | 1 | -4/+4
  It doesn't make much sense for a hash function to modify its argument, so const the hash input.
  BGP does it in a couple places, those cast away the const. Not great but not any worse than it was.
  Signed-off-by: Quentin Young <qlyoung@cumulusnetworks.com>
* bgpd: display the list of iprules attached to a fs entry | Philippe Guibert | 2019-01-29 | 1 | -0/+1
  the list of iprules is displayed in the 'show bgp ipv4 flowspec detail'
  The list of iprules is displayed, only if it is installed.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: change priority of fs pbr rules | Philippe Guibert | 2019-01-29 | 1 | -0/+1
  two kinds of rules are being set from bgp flowspec: ipset based rules, and ip rule rules. default route rules may have a lower priority than the other rules (that do not support default rules). so, if an ipset rule without fwmark is being requested, then priority is arbitrarily set to 1. the other case, priority is set to 0.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: notify callback when ip rule from/to rule has been configured | Philippe Guibert | 2019-01-29 | 1 | -0/+3
  because ip rule creation is used to not only handle traffic marked by fwmark; but also for conveying traffic with from/to rules, a check of the creation must be done in the linked list of ip rules.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: an hash list of pbr iprule is created | Philippe Guibert | 2019-01-29 | 1 | -0/+14
  that iprule list stands for the list of fs entries that are created, based only on ip rule from/to rule.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: upon bgp fs study, determine if iprule can be used | Philippe Guibert | 2019-01-29 | 1 | -0/+4
  instead of using ipset based mechanism to forward packets, there are cases where it is possible to use ip rule based mechanisms (without ipset). Here, this applies to simple fs rules with only 'from any' or 'to any'.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: remove useless fields in bgp_pbr_entry_main | Philippe Guibert | 2019-01-29 | 1 | -13/+0
  main bgp structure that contains fs information is being cleaned. some fields are removed.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: flowspec redirect IP info is retrieved into nh tracking | Philippe Guibert | 2018-12-28 | 1 | -0/+3
  redirect IP nh of flowspec entry is retrieved so that the nexthop IP information is injected into the nexthop tracking, and is associated to the bgp_path structure. This permits validating or unvalidating the bgp_path for injection in zebra or not.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* *: Replace hash_cmp function return value to a bool | Donald Sharp | 2018-10-19 | 1 | -3/+3
  The ->hash_cmp and linked list ->cmp functions were sometimes being used interchangeably and this really is not a good thing. So let's modify the hash_cmp function pointer to return a boolean and convert everything to use the new syntax.
  Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
* bgpd: Convert binfo to path | Donald Sharp | 2018-10-09 | 1 | -1/+1
  Convert the binfo variable to path.
  Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
* bgpd: Convert `struct bgp_info` to `struct bgp_path_info` | Donald Sharp | 2018-10-09 | 1 | -4/+3
  Do a straight conversion of `struct bgp_info` to `struct bgp_path_info`. This commit will setup the rename of variables as well.
  This is being done because `struct bgp_info` is not descriptive of what this data actually is. It is path information for routes that we keep to build the actual routes nexthops plus some extra information.
  Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
* bgpd: Cleanup of bgp daemon code | Pascal Mathis | 2018-07-07 | 1 | -5/+1
  This commit removes various parts of the bgpd implementation code which are unused/useless, e.g. unused functions, unused variable initializations, unused structs, ...
  Signed-off-by: Pascal Mathis <mail@pascalmathis.com>
* bgpd: support for flowspec fragment list into policy routing | Philippe Guibert | 2018-06-28 | 1 | -0/+1
  The flowspec fragment attribute is taken into account to be pushed in BGP policy routing entries. Valid values are enumerate list of 1, 2, 4, or 8 values. no combined value is supported yet.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: align fragment flowspec decoding with tcpflags | Philippe Guibert | 2018-06-28 | 1 | -2/+2
  As fragment bitmask and tcpflags bitmask in flowspec protocol are encoded in the same way, it is not necessary to differentiate those two fields. Moreover, it overrides the initial fragment limit set to 1. It is now possible to handle multiple fragment values.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* *: add flowspec dscp handling | Philippe Guibert | 2018-06-28 | 1 | -0/+1
  Only one dscp value is accepted as filtering option.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd, lib: share flags values for iptable configuration | Philippe Guibert | 2018-06-28 | 1 | -6/+0
  Those flags can be shared between BGP and Zebra. That is why those flags are moved to common pbr.h header file.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: support for flowspec tcp flags | Philippe Guibert | 2018-06-28 | 1 | -0/+3
  Ability to handle flowspec tcp flags.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: add support of bgp flowspec filtering per packet length | Philippe Guibert | 2018-06-28 | 1 | -0/+3
  It is possible to do filtering based on packet length value or a range of packet-length.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: handle ICMP type and code from flowspec | Philippe Guibert | 2018-06-28 | 1 | -0/+1
  It is possible for flowspec entries containing ICMP rule to insert PBR entries based on ICMP type and ICMP code. Flowspec ICMP filtering can either have icmp type or icmp code or both. Not all combinations are permitted:
  - if icmp code is provided, then it is not possible to derive the correct icmp value. This will not be installed
  - range of ICMP is authorised or list of ICMP, but not both.
  - on receiving a list of ICMPtype/code, each ICMP type is attempted to be associated to ICMP code. If not found, then ICMPtype is combined with all known ICMP code values associated to that ICMP type.
  - if a specific ICMP type/code is needed, despite the ICMP code/type combination does not exist, then it is possible to do it by forging a FS ICMP type/code specific for that.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: add vty command to restrict FS policy routing to a defined interface | Philippe Guibert | 2018-05-25 | 1 | -0/+25
  policy routing is configurable via address-family ipv4 flowspec subfamily node. This is then possible to restrict flowspec operation through the BGP instance, to a single or some interfaces, but not all.
  Two commands available:
  [no] local-install [IFNAME]
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: display if FS entry is installed in PBR or not | Philippe Guibert | 2018-05-25 | 1 | -0/+2
  Once PBR rules installed, an information is printed in the main show bgp ipv4 flowspec detail information.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: pbr support for port redirecting | Philippe Guibert | 2018-05-25 | 1 | -0/+6
  Ability for BGP FS to convert some rules containing at least one address and one port information into a pbr_match_entry rule.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: add 3 fields to ipset_entry : src,dst port, and proto | Philippe Guibert | 2018-05-25 | 1 | -0/+6
  Those 3 fields are read and written between zebra and bgpd. This permits extending the ipset_entry structure. Combinatories will be possible:
  - filtering with one of the src/dst port.
  - filtering with one of the range src/ range dst port usage of src or dst is exclusive in a FS entry.
  - filtering a port or a port range based on either src or dst port.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: handle bgp pbr hash list destroy upon BGP destroy | Philippe Guibert | 2018-04-30 | 1 | -1/+3
  Upon BGP destroy, the hash list related to PBR are removed. The pbr_match entries, as well as the contained pbr_match_entries entries. Then the pbr_action entries. The order is important, since the former are referencing pbr_action. So the references must be removed, prior to remove pbr action. Also, the zebra associated contexts are removed.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: hash lookup for iprule entries | Philippe Guibert | 2018-04-30 | 1 | -1/+2
  once an iprule has been created, a notification is sent back, and the context of bgp_action is searched.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: hash_lookup for iptables | Philippe Guibert | 2018-04-30 | 1 | -0/+2
  This commit is reading the installed2 value from bgp_pbr_match hash set. Once value matches with the one received, the walk stops and the last bgp_pbr_match structure is stored in a static entry, so that the entry is obtained.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: add function handling flowspec entries to pass to zebra | Philippe Guibert | 2018-04-30 | 1 | -0/+7
  Add a policy-route API to handle flowspec entry. The entry is analysed, converted, and selected if it is possible to inject the flowspec entry in local policy routing entries. redirect IP and redirect VRF actions are handled. The former extracts the IPv4 address to redirect traffic to. The latter calculates the matching VRF to redirect traffic to.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: add bgp_pbr_route structure | Philippe Guibert | 2018-04-30 | 1 | -2/+130
  This structure is the model exchange between some bgp services like flowspec and the policy routing service. This structure reflects what the nlri entry means. To handle that structure, a dump routine is made available. Also, a validation function is here to cancel a policy route installation, whenever it is not possible to install the requested policy routing.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: initialise hash lists for pbr | Philippe Guibert | 2018-04-30 | 1 | -1/+35
  bgp structure is being extended with hash sets that will be used by flowspec to give policy routing facilities.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: communication with zebra for ipset & iprule handling | Philippe Guibert | 2018-04-30 | 1 | -0/+1
  The APIs that handle ipset and iprule contexts from zebra are being handled in this commit.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
* bgpd: support for policy-routing context used with flowspec | Philippe Guibert | 2018-04-30 | 1 | -0/+81
  BGP flowspec will be able to inject or remove policy-routing contexts, thanks to some protocols like flowspec. This commit adds some of the APIs necessary to create/delete policy routing contexts that will be injected then into zebra.
  Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>