diff --git a/lib/flowspec.c b/lib/flowspec.c index df5c8da3..6bf1f14b 100644 --- a/lib/flowspec.c +++ b/lib/flowspec.c @@ -293,13 +293,9 @@ flow_read_ip4_part(const byte *part) static inline ip6_addr flow_read_ip6(const byte *px, uint pxlen, uint pxoffset) { - uint floor_offset = BYTES(pxoffset - (pxoffset % 8)); - uint ceil_len = BYTES(pxlen); ip6_addr ip = IP6_NONE; - - memcpy(((byte *) &ip) + floor_offset, px, ceil_len - floor_offset); - - return ip6_ntoh(ip); + memcpy(&ip, px, BYTES(pxlen - pxoffset)); + return ip6_shift_right(ip6_ntoh(ip), pxoffset); } ip6_addr @@ -476,7 +472,7 @@ flow_validate(const byte *nlri, uint len, int ipv6) uint pxoffset = *pos++; if (pxoffset > IP6_MAX_PREFIX_LENGTH || pxoffset > pxlen) return FLOW_ST_EXCEED_MAX_PREFIX_OFFSET; - bytes -= pxoffset / 8; + bytes = BYTES(pxlen - pxoffset); } pos += bytes; @@ -749,12 +745,12 @@ flow_builder6_add_pfx(struct flow_builder *fb, const net_addr_ip6 *n6, u32 pxoff if (!builder_add_prepare(fb)) return 0; - ip6_addr ip6 = ip6_hton(n6->prefix); + ip6_addr ip6 = ip6_hton(ip6_shift_left(n6->prefix, pxoffset)); BUFFER_PUSH(fb->data) = fb->this_type; BUFFER_PUSH(fb->data) = n6->pxlen; BUFFER_PUSH(fb->data) = pxoffset; - push_pfx_to_buffer(fb, BYTES(n6->pxlen) - (pxoffset / 8), ((byte *) &ip6) + (pxoffset / 8)); + push_pfx_to_buffer(fb, BYTES(n6->pxlen - pxoffset), ((byte *) &ip6)); builder_add_finish(fb); return 1; diff --git a/lib/flowspec_test.c b/lib/flowspec_test.c index 03649b99..df2a7194 100644 --- a/lib/flowspec_test.c +++ b/lib/flowspec_test.c @@ -9,21 +9,37 @@ #include "test/birdtest.h" #include "lib/flowspec.h" -#define NET_ADDR_FLOW4_(what,prefix,pxlen,data_) \ - do \ - { \ - what = alloca(sizeof(net_addr_flow4) + 128); \ - *what = NET_ADDR_FLOW4(prefix, pxlen, sizeof(data_)); \ - memcpy(what->data, &(data_), sizeof(data_)); \ - } while(0) +#define NET_ADDR_FLOW4_(prefix,pxlen,nlri) \ + ({ \ + uint _len = sizeof(nlri); \ + net_addr_flow4 *_n = tmp_alloc(sizeof(net_addr_flow4) + _len); \ + *_n = NET_ADDR_FLOW4(prefix, pxlen, _len); \ + memcpy(_n->data, &(nlri), _len); \ + if (_n->data[0] == 0) _n->data[0] = _len - 1; \ + _n; \ + }) -#define NET_ADDR_FLOW6_(what,prefix,pxlen,data_) \ - do \ - { \ - what = alloca(sizeof(net_addr_flow6) + 128); \ - *what = NET_ADDR_FLOW6(prefix, pxlen, sizeof(data_)); \ - memcpy(what->data, &(data_), sizeof(data_)); \ - } while(0) +#define NET_ADDR_FLOW4_NLRI(...) \ + ({ \ + const byte _nlri[] = { __VA_ARGS__ }; \ + NET_ADDR_FLOW4_(flow_read_ip4_part(_nlri + 1), _nlri[2], _nlri); \ + }) + +#define NET_ADDR_FLOW6_(prefix,pxlen,nlri) \ + ({ \ + uint _len = sizeof(nlri); \ + net_addr_flow6 *_n = tmp_alloc(sizeof(net_addr_flow6) + _len); \ + *_n = NET_ADDR_FLOW6(prefix, pxlen, _len); \ + memcpy(_n->data, &(nlri), _len); \ + if (_n->data[0] == 0) _n->data[0] = _len - 1; \ + _n; \ + }) + +#define NET_ADDR_FLOW6_NLRI(...) \ + ({ \ + const byte _nlri[] = { __VA_ARGS__ }; \ + NET_ADDR_FLOW6_(flow_read_ip6_part(_nlri + 1), _nlri[2], _nlri); \ + }) static int t_read_length(void) @@ -67,13 +83,13 @@ t_write_length(void) static int t_first_part(void) { - net_addr_flow4 *f; - NET_ADDR_FLOW4_(f, ip4_build(10,0,0,1), 24, ((byte[]) { 0x00, 0x00, 0xab })); + net_addr_flow4 *f = NET_ADDR_FLOW4_(IP4_NONE, 0, ((byte[]) { 0x00, 0x00, 0xab })); const byte *under240 = &f->data[1]; const byte *above240 = &f->data[2]; /* Case 0x00 0x00 */ + f->data[0] = 0x00; bt_assert(flow4_first_part(f) == NULL); /* Case 0x01 0x00 */ @@ -103,15 +119,14 @@ t_first_part(void) static int t_iterators4(void) { - net_addr_flow4 *f; - NET_ADDR_FLOW4_(f, ip4_build(5,6,7,0), 24, ((byte[]) { + const net_addr_flow4 *f = NET_ADDR_FLOW4_NLRI( 25, /* Length */ FLOW_TYPE_DST_PREFIX, 24, 5, 6, 7, FLOW_TYPE_SRC_PREFIX, 32, 10, 11, 12, 13, FLOW_TYPE_IP_PROTOCOL, 0x81, 0x06, FLOW_TYPE_PORT, 0x03, 0x89, 0x45, 0x8b, 0x91, 0x1f, 0x90, FLOW_TYPE_TCP_FLAGS, 0x80, 0x55, - })); + ); const byte *start = f->data; const byte *p1_dst_pfx = &f->data[1]; @@ -136,15 +151,14 @@ t_iterators4(void) static int t_iterators6(void) { - net_addr_flow6 *f; - NET_ADDR_FLOW6_(f, ip6_build(0,0,0x12345678,0x9a000000), 0x68, ((byte[]) { + const net_addr_flow6 *f = NET_ADDR_FLOW6_NLRI( 26, /* Length */ FLOW_TYPE_DST_PREFIX, 0x68, 0x40, 0x12, 0x34, 0x56, 0x78, 0x9a, FLOW_TYPE_SRC_PREFIX, 0x08, 0x0, 0xc0, FLOW_TYPE_NEXT_HEADER, 0x81, 0x06, FLOW_TYPE_PORT, 0x03, 0x89, 0x45, 0x8b, 0x91, 0x1f, 0x90, FLOW_TYPE_LABEL, 0x80, 0x55, - })); + ); const byte *start = f->data; const byte *p1_dst_pfx = &f->data[1]; @@ -169,15 +183,14 @@ t_iterators6(void) static int t_accessors4(void) { - net_addr_flow4 *f; - NET_ADDR_FLOW4_(f, ip4_build(5,6,7,0), 24, ((byte[]) { + const net_addr_flow4 *f = NET_ADDR_FLOW4_NLRI( 25, /* Length */ FLOW_TYPE_DST_PREFIX, 24, 5, 6, 7, FLOW_TYPE_SRC_PREFIX, 32, 10, 11, 12, 13, FLOW_TYPE_IP_PROTOCOL, 0x81, 0x06, FLOW_TYPE_PORT, 0x03, 0x89, 0x45, 0x8b, 0x91, 0x1f, 0x90, FLOW_TYPE_TCP_FLAGS, 0x80, 0x55, - })); + ); const byte *p1_dst_px = &f->data[1]; const ip4_addr p1_dst_addr = ip4_build(5,6,7,0); @@ -194,15 +207,14 @@ t_accessors4(void) static int t_accessors6(void) { - net_addr_flow6 *f; - NET_ADDR_FLOW6_(f, ip6_build(0,0,0x12345678,0x9a000000), 0x68, ((byte[]) { + const net_addr_flow6 *f = NET_ADDR_FLOW6_NLRI( 26, /* Length */ FLOW_TYPE_DST_PREFIX, 0x68, 0x40, 0x12, 0x34, 0x56, 0x78, 0x9a, FLOW_TYPE_SRC_PREFIX, 0x08, 0x0, 0xc0, FLOW_TYPE_NEXT_HEADER, 0x81, 0x06, FLOW_TYPE_PORT, 0x03, 0x89, 0x45, 0x8b, 0x91, 0x1f, 0x90, FLOW_TYPE_LABEL, 0x80, 0x55, - })); + ); const byte *p1_dst_px = &f->data[1]; const ip6_addr p1_dst_addr = ip6_build(0,0,0x12345678,0x9a000000); @@ -450,17 +462,14 @@ t_builder4(void) /* Expectation */ - static byte nlri[] = { - 25, + const net_addr_flow4 *expect = NET_ADDR_FLOW4_NLRI( + 0, FLOW_TYPE_DST_PREFIX, 24, 5, 6, 7, FLOW_TYPE_SRC_PREFIX, 32, 10, 11, 12, 13, FLOW_TYPE_IP_PROTOCOL, 0x80, 0x06, FLOW_TYPE_PORT, 0x03, 0x89, 0x45, 0x8b, 0x91, 0x1f, 0x90, - FLOW_TYPE_TCP_FLAGS, 0x80, 0x55 - }; - - net_addr_flow4 *expect; - NET_ADDR_FLOW4_(expect, ip4_build(5, 6, 7, 0), 24, nlri); + FLOW_TYPE_TCP_FLAGS, 0x80, 0x55, + ); /* Normal order */ @@ -531,17 +540,14 @@ t_builder6(void) /* Expectation */ - byte nlri[] = { - 27, - FLOW_TYPE_DST_PREFIX, 103, 61, 0x01, 0x12, 0x34, 0x56, 0x78, 0x98, + const net_addr_flow6 *expect = NET_ADDR_FLOW6_NLRI( + 0, + FLOW_TYPE_DST_PREFIX, 103, 61, 0x22, 0x46, 0x8a, 0xcf, 0x13, 0x00, FLOW_TYPE_SRC_PREFIX, 8, 0, 0xc0, FLOW_TYPE_NEXT_HEADER, 0x80, 0x06, FLOW_TYPE_PORT, 0x03, 0x89, 0x45, 0x8b, 0x91, 0x1f, 0x90, FLOW_TYPE_LABEL, 0x80, 0x55, - }; - - net_addr_flow6 *expect; - NET_ADDR_FLOW6_(expect, ip6_build(0, 1, 0x12345678, 0x98000000), 103, nlri); + ); /* Normal order */ @@ -605,9 +611,11 @@ t_builder6(void) static int t_formatting4(void) { - char b[1024]; + const net_addr_flow4 *input[4]; + const char *expect[4]; - byte nlri[] = { + expect[0] = "flow4 { dst 10.0.0.0/8; proto 23; dport > 24 && < 30 || 40..50,60..70,80 && >= 90; sport > 24 && < 30 || 40,50,60..70,80; icmp type 80; icmp code 90; tcp flags 0x3/0x3 && 0x0/0xc; length 0..65535; dscp 63; fragment dont_fragment || !is_fragment; }"; + input[0] = NET_ADDR_FLOW4_NLRI( 0, FLOW_TYPE_DST_PREFIX, 0x08, 10, FLOW_TYPE_IP_PROTOCOL, 0x81, 23, @@ -618,18 +626,44 @@ t_formatting4(void) FLOW_TYPE_TCP_FLAGS, 0x01, 0x03, 0xc2, 0x0c, FLOW_TYPE_PACKET_LENGTH, 0x03, 0, 0xd5, 0xff, 0xff, FLOW_TYPE_DSCP, 0x81, 63, - FLOW_TYPE_FRAGMENT, 0x01, 0x01, 0x82, 0x02 - }; - *nlri = (u8) sizeof(nlri); + FLOW_TYPE_FRAGMENT, 0x01, 0x01, 0x82, 0x02, + ); - net_addr_flow4 *input; - NET_ADDR_FLOW4_(input, ip4_build(5, 6, 7, 0), 24, nlri); + /* RFC 8955 4.3.1 Example 1 */ + expect[1] = "flow4 { dst 192.0.2.0/24; proto 6; port 25; }"; + input[1] = NET_ADDR_FLOW4_NLRI( + 0x0b, + 0x01, 0x18, 0xc0, 0x00, 0x02, + 0x03, 0x81, 0x06, + 0x04, 0x81, 0x19, + ); - const char *expect = "flow4 { dst 10.0.0.0/8; proto 23; dport > 24 && < 30 || 40..50,60..70,80 && >= 90; sport > 24 && < 30 || 40,50,60..70,80; icmp type 80; icmp code 90; tcp flags 0x3/0x3 && 0x0/0xc; length 0..65535; dscp 63; fragment dont_fragment || !is_fragment; }"; + /* RFC 8955 4.3.2 Example 2 */ + expect[2] = "flow4 { dst 192.0.2.0/24; src 203.0.113.0/24; port 137..139,8080; }"; + input[2] = NET_ADDR_FLOW4_NLRI( + 0x12, + 0x01, 0x18, 0xc0, 0x00, 0x02, + 0x02, 0x18, 0xcb, 0x00, 0x71, + 0x04, 0x03, 0x89, 0x45, 0x8b, 0x91, 0x1f, 0x90, + ); - bt_assert(flow4_net_format(b, sizeof(b), input) == strlen(expect)); - bt_debug(" expect: '%s',\n output: '%s'\n", expect, b); - bt_assert(strcmp(b, expect) == 0); + /* RFC 8955 4.3.3 Example 3 */ + expect[3] = "flow4 { dst 192.0.2.1/32; fragment !0x0/0x5; }"; + input[3] = NET_ADDR_FLOW4_NLRI( + 0x09, + 0x01, 0x20, 0xc0, 0x00, 0x02, 0x01, + 0x0c, 0x80, 0x05, + ); + + /* Run the tests */ + for (uint i = 0; i < ARRAY_SIZE(input); i++) + { + char buf[1024]; + uint len = flow4_net_format(buf, sizeof(buf), input[i]); + bt_debug(" expect: '%s',\n output: '%s'\n", expect[i], buf); + bt_assert(!strcmp(buf, expect[i])); + bt_assert(len == strlen(expect[i])); + } return 1; } @@ -637,26 +671,46 @@ t_formatting4(void) static int t_formatting6(void) { - char b[1024]; + const net_addr_flow6 *input[3]; + const char *expect[3]; - byte nlri[] = { +// (ip6_build(0, 1, 0x12345678, 0x98000000), 103, nlri0); + expect[0] = "flow6 { dst ::1:1234:5678:9800:0/103 offset 61; src c000::/8; next header 6; port 20..40,273; label < 500000; }"; + input[0] = NET_ADDR_FLOW6_NLRI( 0, - FLOW_TYPE_DST_PREFIX, 103, 61, 0x01, 0x12, 0x34, 0x56, 0x78, 0x98, + FLOW_TYPE_DST_PREFIX, 103, 61, 0x22, 0x46, 0x8a, 0xcf, 0x13, 0x00, FLOW_TYPE_SRC_PREFIX, 8, 0, 0xc0, FLOW_TYPE_NEXT_HEADER, 0x81, 0x06, FLOW_TYPE_PORT, 0x03, 20, 0x45, 40, 0x91, 0x01, 0x11, FLOW_TYPE_LABEL, 0xa4, 0x00, 0x07, 0xa1, 0x20, - }; - *nlri = (u8) sizeof(nlri); + ); - net_addr_flow6 *input; - NET_ADDR_FLOW6_(input, ip6_build(0, 1, 0x12345678, 0x98000000), 103, nlri); + /* RFC 8956 3.8.1 Example 1 */ + expect[1] = "flow6 { dst 2001:db8::/32; src ::1234:5678:9a00:0/104 offset 64; next header 6; }"; + input[1] = NET_ADDR_FLOW6_(ip6_build(0x20010db8, 0, 0, 0), 32, ((const byte[]) { + 0x12, + 0x01, 0x20, 0x00, 0x20, 0x01, 0x0d, 0xb8, + 0x02, 0x68, 0x40, 0x12, 0x34, 0x56, 0x78, 0x9a, + 0x03, 0x81, 0x06, + })); - const char *expect = "flow6 { dst ::1:1234:5678:9800:0/103 offset 61; src c000::/8; next header 6; port 20..40,273; label < 500000; }"; + /* RFC 8956 3.8.2 Example 2 */ + expect[2] = "flow6 { dst 2001:db8::/32; src ::1234:5678:9a00:0/104 offset 65; }"; + input[2] = NET_ADDR_FLOW6_(ip6_build(0x20010db8, 0, 0, 0), 32, ((const byte[]) { + 0x0f, + 0x01, 0x20, 0x00, 0x20, 0x01, 0x0d, 0xb8, + 0x02, 0x68, 0x41, 0x24, 0x68, 0xac, 0xf1, 0x34, + })); - bt_assert(flow6_net_format(b, sizeof(b), input) == strlen(expect)); - bt_debug(" expect: '%s',\n output: '%s'\n", expect, b); - bt_assert(strcmp(b, expect) == 0); + /* Run the tests */ + for (uint i = 0; i < ARRAY_SIZE(input); i++) + { + char buf[1024]; + uint len = flow6_net_format(buf, sizeof(buf), input[i]); + bt_debug(" expect: '%s',\n output: '%s'\n", expect[i], buf); + bt_assert(!strcmp(buf, expect[i])); + bt_assert(len == strlen(expect[i])); + } return 1; } diff --git a/lib/ip.c b/lib/ip.c index 4c5fa47f..4b28451c 100644 --- a/lib/ip.c +++ b/lib/ip.c @@ -156,6 +156,54 @@ ip6_classify(ip6_addr *a) } +/* + * IPv6 bit shifting + */ + +ip6_addr +ip6_shift_left(ip6_addr a, uint bits) +{ + if (bits == 0) + return a; + + if (bits > 127) + return IP6_NONE; + + int words = bits / 32; + int rem = bits % 32; + + for (int i = 0; i < 3 - words; i++) + a.addr[i] = (a.addr[i + words] << rem) | + (rem ? (a.addr[i + words + 1] >> (32 - rem)) : 0); + + a.addr[3 - words] = a.addr[3] << rem; + memset(&a.addr[4 - words], 0, words * 4); + + return a; +} + +ip6_addr +ip6_shift_right(ip6_addr a, uint bits) +{ + if (bits == 0) + return a; + + if (bits > 127) + return IP6_NONE; + + int words = bits / 32; + int rem = bits % 32; + + for (int i = 3; i > words; i--) + a.addr[i] = (a.addr[i - words] >> rem) | + (rem ? (a.addr[i - words - 1] << (32 - rem)) : 0); + + a.addr[words] = a.addr[0] >> rem; + memset(&a.addr[0], 0, words * 4); + + return a; +} + /* * Conversion of IPv6 address to presentation format and vice versa. diff --git a/lib/ip.h b/lib/ip.h index f9aa7f66..49f28079 100644 --- a/lib/ip.h +++ b/lib/ip.h @@ -354,6 +354,9 @@ static inline ip4_addr ip4_setbits(ip4_addr a, uint pos, uint val) static inline ip6_addr ip6_setbits(ip6_addr a, uint pos, uint val) { a.addr[pos / 32] |= val << (31 - pos % 32); return a; } +ip6_addr ip6_shift_left(ip6_addr a, uint bits); +ip6_addr ip6_shift_right(ip6_addr a, uint bits); + static inline ip4_addr ip4_opposite_m1(ip4_addr a) { return _MI4(_I(a) ^ 1); } diff --git a/lib/ip_test.c b/lib/ip_test.c index eee0a427..057c2ef7 100644 --- a/lib/ip_test.c +++ b/lib/ip_test.c @@ -231,6 +231,66 @@ t_ip6_prefix_equal(void) return 1; } +static int +t_ip6_shift_left(void) +{ + ip6_addr a = ip6_build(0x8D0D8BDC, 0x1F04DB92, 0xE5117673, 0x70E54449); + + struct { int n; ip6_addr val; } test_vectors[] = { + 0, ip6_build(0x8D0D8BDC, 0x1F04DB92, 0xE5117673, 0x70E54449), + 9, ip6_build(0x1B17B83E, 0x09B725CA, 0x22ECE6E1, 0xCA889200), + 18, ip6_build(0x2F707C13, 0x6E4B9445, 0xD9CDC395, 0x11240000), + 27, ip6_build(0xE0F826DC, 0x97288BB3, 0x9B872A22, 0x48000000), + 36, ip6_build(0xF04DB92E, 0x51176737, 0x0E544490, 0x00000000), + 45, ip6_build(0x9B725CA2, 0x2ECE6E1C, 0xA8892000, 0x00000000), + 54, ip6_build(0xE4B9445D, 0x9CDC3951, 0x12400000, 0x00000000), + 63, ip6_build(0x7288BB39, 0xB872A224, 0x80000000, 0x00000000), + 72, ip6_build(0x11767370, 0xE5444900, 0x00000000, 0x00000000), + 81, ip6_build(0xECE6E1CA, 0x88920000, 0x00000000, 0x00000000), + 90, ip6_build(0xCDC39511, 0x24000000, 0x00000000, 0x00000000), + 99, ip6_build(0x872A2248, 0x00000000, 0x00000000, 0x00000000), + 108, ip6_build(0x54449000, 0x00000000, 0x00000000, 0x00000000), + 117, ip6_build(0x89200000, 0x00000000, 0x00000000, 0x00000000), + 126, ip6_build(0x40000000, 0x00000000, 0x00000000, 0x00000000), + 128, ip6_build(0x00000000, 0x00000000, 0x00000000, 0x00000000), + }; + + for (uint i = 0; i < ARRAY_SIZE(test_vectors); i++) + bt_assert(ip6_equal(ip6_shift_left(a, test_vectors[i].n), test_vectors[i].val)); + + return 1; +} + +static int +t_ip6_shift_right(void) +{ + ip6_addr a = ip6_build(0x8D0D8BDC, 0x1F04DB92, 0xE5117673, 0x70E54449); + + struct { int n; ip6_addr val; } test_vectors[] = { + 0, ip6_build(0x8D0D8BDC, 0x1F04DB92, 0xE5117673, 0x70E54449), + 9, ip6_build(0x004686C5, 0xEE0F826D, 0xC97288BB, 0x39B872A2), + 18, ip6_build(0x00002343, 0x62F707C1, 0x36E4B944, 0x5D9CDC39), + 27, ip6_build(0x00000011, 0xA1B17B83, 0xE09B725C, 0xA22ECE6E), + 36, ip6_build(0x00000000, 0x08D0D8BD, 0xC1F04DB9, 0x2E511767), + 45, ip6_build(0x00000000, 0x0004686C, 0x5EE0F826, 0xDC97288B), + 54, ip6_build(0x00000000, 0x00000234, 0x362F707C, 0x136E4B94), + 63, ip6_build(0x00000000, 0x00000001, 0x1A1B17B8, 0x3E09B725), + 72, ip6_build(0x00000000, 0x00000000, 0x008D0D8B, 0xDC1F04DB), + 81, ip6_build(0x00000000, 0x00000000, 0x00004686, 0xC5EE0F82), + 90, ip6_build(0x00000000, 0x00000000, 0x00000023, 0x4362F707), + 99, ip6_build(0x00000000, 0x00000000, 0x00000000, 0x11A1B17B), + 108, ip6_build(0x00000000, 0x00000000, 0x00000000, 0x0008D0D8), + 117, ip6_build(0x00000000, 0x00000000, 0x00000000, 0x00000468), + 126, ip6_build(0x00000000, 0x00000000, 0x00000000, 0x00000002), + 128, ip6_build(0x00000000, 0x00000000, 0x00000000, 0x00000000), + }; + + for (uint i = 0; i < ARRAY_SIZE(test_vectors); i++) + bt_assert(ip6_equal(ip6_shift_right(a, test_vectors[i].n), test_vectors[i].val)); + + return 1; +} + int main(int argc, char *argv[]) { @@ -242,6 +302,8 @@ main(int argc, char *argv[]) bt_test_suite(t_ip6_ntop, "Converting ip6_addr struct to IPv6 string"); bt_test_suite(t_ip4_prefix_equal, "Testing ip4_prefix_equal()"); bt_test_suite(t_ip6_prefix_equal, "Testing ip6_prefix_equal()"); + bt_test_suite(t_ip6_shift_left, "Testing ip6_shift_left()"); + bt_test_suite(t_ip6_shift_right, "Testing ip6_shift_right()"); return bt_exit_value(); }