mirror of https://gitlab.nic.cz/labs/bird.git synced 2024-12-22 17:51:53 +00:00

Moved flowspec configuration checks to the config file

Functions flow_check_cf_bmk_values, flow_check_cf_value_length,
flow4_validate_cf and flow6_validate_cf are now built with conf
instead of lib, for better semantic separation.
Maria Matejka 2024-08-22 18:13:53 +02:00
parent e787a9210f
commit 6485a74a5c
3 changed files with 89 additions and 93 deletions


@ -18,6 +18,93 @@ CF_DEFINES
struct flow_builder *this_flow; struct flow_builder *this_flow;
/**
* flow_check_cf_value_length - check value by flowspec component type
* @fb: flow builder instance
* @val: value
*
* This function checks if the value is in range of component's type support.
* If some problem will appear, the function calls cf_error() function with
* a textual description of reason to failing of validation.
*/
static void
flow_check_cf_value_length(struct flow_builder *fb, u32 val)
{
enum flow_type t = fb->this_type;
u8 max = flow_max_value_length(t, fb->ipv6);
if (t == FLOW_TYPE_DSCP && val > 0x3f)
cf_error("%s value %u out of range (0-63)", flow_type_str(t, fb->ipv6), val);
if (max == 1 && (val > 0xff))
cf_error("%s value %u out of range (0-255)", flow_type_str(t, fb->ipv6), val);
if (max == 2 && (val > 0xffff))
cf_error("%s value %u out of range (0-65535)", flow_type_str(t, fb->ipv6), val);
}
/**
* flow_check_cf_bmk_values - check value/bitmask part of flowspec component
* @fb: flow builder instance
* @neg: negation operand
* @val: value from value/mask pair
* @mask: bitmap mask from value/mask pair
*
* This function checks value/bitmask pair. If some problem will appear, the
* function calls cf_error() function with a textual description of reason
* to failing of validation.
*/
static void
flow_check_cf_bmk_values(struct flow_builder *fb, u8 neg, u32 val, u32 mask)
{
flow_check_cf_value_length(fb, val);
flow_check_cf_value_length(fb, mask);
if (neg && !(val == 0 || val == mask))
cf_error("For negation, value must be zero or bitmask");
if ((fb->this_type == FLOW_TYPE_TCP_FLAGS) && (mask & 0xf000))
cf_error("Invalid mask 0x%x, must not exceed 0xfff", mask);
if ((fb->this_type == FLOW_TYPE_FRAGMENT) && fb->ipv6 && (mask & 0x01))
cf_error("Invalid mask 0x%x, bit 0 must be 0", mask);
if (val & ~mask)
cf_error("Value 0x%x outside bitmask 0x%x", val, mask);
}
/**
* flow4_validate_cf - validate flowspec data structure &net_addr_flow4 in parsing time
* @f: flowspec data structure &net_addr_flow4
*
* Check if @f is valid flowspec data structure. Can call cf_error() function
* with a textual description of reason to failing of validation.
*/
static void
flow4_validate_cf(net_addr_flow4 *f)
{
enum flow_validated_state r = flow4_validate(flow4_first_part(f), flow_read_length(f->data));
if (r != FLOW_ST_VALID)
cf_error("Invalid flow route: %s", flow_validated_state_str(r));
}
/**
* flow6_validate_cf - validate flowspec data structure &net_addr_flow6 in parsing time
* @f: flowspec data structure &net_addr_flow6
*
* Check if @f is valid flowspec data structure. Can call cf_error() function
* with a textual description of reason to failing of validation.
*/
static void
flow6_validate_cf(net_addr_flow6 *f)
{
enum flow_validated_state r = flow6_validate(flow6_first_part(f), flow_read_length(f->data));
if (r != FLOW_ST_VALID)
cf_error("Invalid flow route: %s", flow_validated_state_str(r));
}
CF_DECLS CF_DECLS
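Review bot: `flow4_validate_cf()` and `flow6_validate_cf()` pass `flow_read_length(f->data)` as the buffer length, so the bound handed to the validator comes from the encoding itself rather than from an independent length. That is presumably fine for data the flow builder produced during config parsing, and making the functions `static` in this file narrows them to that use, but the doc comments do not state the assumption. I would add a line to each comment, e.g. `* @f must have been produced by the flow builder; the length is read from the encoded data.`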


@ -386,67 +386,12 @@ static const u8 flow6_max_value_length[] = {
[FLOW_TYPE_LABEL] = 4 [FLOW_TYPE_LABEL] = 4
}; };
static u8 u8
flow_max_value_length(enum flow_type type, int ipv6) flow_max_value_length(enum flow_type type, int ipv6)
{ {
return ipv6 ? flow6_max_value_length[type] : flow4_max_value_length[type]; return ipv6 ? flow6_max_value_length[type] : flow4_max_value_length[type];
} }
/**
* flow_check_cf_bmk_values - check value/bitmask part of flowspec component
* @fb: flow builder instance
* @neg: negation operand
* @val: value from value/mask pair
* @mask: bitmap mask from value/mask pair
*
* This function checks value/bitmask pair. If some problem will appear, the
* function calls cf_error() function with a textual description of reason
* to failing of validation.
*/
void
flow_check_cf_bmk_values(struct flow_builder *fb, u8 neg, u32 val, u32 mask)
{
flow_check_cf_value_length(fb, val);
flow_check_cf_value_length(fb, mask);
if (neg && !(val == 0 || val == mask))
cf_error("For negation, value must be zero or bitmask");
if ((fb->this_type == FLOW_TYPE_TCP_FLAGS) && (mask & 0xf000))
cf_error("Invalid mask 0x%x, must not exceed 0xfff", mask);
if ((fb->this_type == FLOW_TYPE_FRAGMENT) && fb->ipv6 && (mask & 0x01))
cf_error("Invalid mask 0x%x, bit 0 must be 0", mask);
if (val & ~mask)
cf_error("Value 0x%x outside bitmask 0x%x", val, mask);
}
/**
* flow_check_cf_value_length - check value by flowspec component type
* @fb: flow builder instance
* @val: value
*
* This function checks if the value is in range of component's type support.
* If some problem will appear, the function calls cf_error() function with
* a textual description of reason to failing of validation.
*/
void
flow_check_cf_value_length(struct flow_builder *fb, u32 val)
{
enum flow_type t = fb->this_type;
u8 max = flow_max_value_length(t, fb->ipv6);
if (t == FLOW_TYPE_DSCP && val > 0x3f)
cf_error("%s value %u out of range (0-63)", flow_type_str(t, fb->ipv6), val);
if (max == 1 && (val > 0xff))
cf_error("%s value %u out of range (0-255)", flow_type_str(t, fb->ipv6), val);
if (max == 2 && (val > 0xffff))
cf_error("%s value %u out of range (0-65535)", flow_type_str(t, fb->ipv6), val);
}
static enum flow_validated_state static enum flow_validated_state
flow_validate(const byte *nlri, uint len, int ipv6) flow_validate(const byte *nlri, uint len, int ipv6)
{ {
@ -603,38 +548,6 @@ flow6_validate(const byte *nlri, uint len)
return flow_validate(nlri, len, 1); return flow_validate(nlri, len, 1);
} }
/**
* flow4_validate_cf - validate flowspec data structure &net_addr_flow4 in parsing time
* @f: flowspec data structure &net_addr_flow4
*
* Check if @f is valid flowspec data structure. Can call cf_error() function
* with a textual description of reason to failing of validation.
*/
void
flow4_validate_cf(net_addr_flow4 *f)
{
enum flow_validated_state r = flow4_validate(flow4_first_part(f), flow_read_length(f->data));
if (r != FLOW_ST_VALID)
cf_error("Invalid flow route: %s", flow_validated_state_str(r));
}
/**
* flow6_validate_cf - validate flowspec data structure &net_addr_flow6 in parsing time
* @f: flowspec data structure &net_addr_flow6
*
* Check if @f is valid flowspec data structure. Can call cf_error() function
* with a textual description of reason to failing of validation.
*/
void
flow6_validate_cf(net_addr_flow6 *f)
{
enum flow_validated_state r = flow6_validate(flow6_first_part(f), flow_read_length(f->data));
if (r != FLOW_ST_VALID)
cf_error("Invalid flow route: %s", flow_validated_state_str(r));
}
/* /*
* Flowspec Builder * Flowspec Builder
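Review bot: `flow_max_value_length()` loses `static` in the first hunk of this section, but it still indexes `flow4_max_value_length[]` / `flow6_max_value_length[]` with an unchecked `type`. While it was file-local, every caller could be audited in one place; as an exported helper, an out-of-range `type` would read past the end of a table. The same could happen with an IPv6-only type passed with `ipv6 == 0` if the IPv4 table is shorter, which cannot be confirmed because that table is not visible here. I would either document the precondition in a comment above the function or add a guard such as `ASSERT(type < (ipv6 ? ARRAY_SIZE(flow6_max_value_length) : ARRAY_SIZE(flow4_max_value_length)));`. The new declaration in the header section exposes the same contract and should carry the same comment.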


@ -147,11 +147,7 @@ enum flow_validated_state {
const char *flow_validated_state_str(enum flow_validated_state code); const char *flow_validated_state_str(enum flow_validated_state code);
enum flow_validated_state flow4_validate(const byte *nlri, uint len); enum flow_validated_state flow4_validate(const byte *nlri, uint len);
enum flow_validated_state flow6_validate(const byte *nlri, uint len); enum flow_validated_state flow6_validate(const byte *nlri, uint len);
void flow_check_cf_value_length(struct flow_builder *fb, u32 expr); u8 flow_max_value_length(enum flow_type type, int ipv6);
void flow_check_cf_bmk_values(struct flow_builder *fb, u8 neg, u32 val, u32 mask);
void flow4_validate_cf(net_addr_flow4 *f);
void flow6_validate_cf(net_addr_flow6 *f);
/* /*
* Net Formatting * Net Formatting