From 173ebf4784a50bc86c5148cfa5b69d740ee4a14d Mon Sep 17 00:00:00 2001 From: Philippe Guibert Date: Mon, 21 Oct 2019 11:05:44 +0200 Subject: [PATCH] bgpd: limit policy routing with flowlabel, fragment, and prefix offset the following 3 options are not supported in current implementation of policy routing. for that, inform the user that the flowspec entry is invalid when attempting to use : - prefix offset with src, or dst ipv6 address ( see [1]) - flowlabel value - limitation due to [0] - fragment ( implementation not done today). [0] https://bugzilla.netfilter.org/show_bug.cgi?id=1375 [1] https://bugzilla.netfilter.org/show_bug.cgi?id=1373 Signed-off-by: Philippe Guibert --- bgpd/bgp_pbr.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/bgpd/bgp_pbr.c b/bgpd/bgp_pbr.c index 552f6a51fe..945a2e494a 100644 --- a/bgpd/bgp_pbr.c +++ b/bgpd/bgp_pbr.c @@ -44,6 +44,7 @@ DEFINE_MTYPE_STATIC(BGPD, PBR_VALMASK, "BGP PBR Val Mask Value") /* chain strings too long to fit in one line */ #define FSPEC_ACTION_EXCEED_LIMIT "flowspec actions exceeds limit" +#define IPV6_FRAGMENT_INVALID "fragment not valid for IPv6 for this implementation" RB_GENERATE(bgp_pbr_interface_head, bgp_pbr_interface, id_entry, bgp_pbr_interface_compare); @@ -525,6 +526,13 @@ static int bgp_pbr_validate_policy_route(struct bgp_pbr_entry_main *api) api->match_protocol_num); return 0; } + if (api->src_prefix_offset > 0 || + api->dst_prefix_offset > 0) { + if (BGP_DEBUG(pbr, PBR)) + zlog_debug("BGP: match prefix offset:" + "implementation does not support it."); + return 0; + } if (api->match_protocol_num == 1 && api->protocol[0].value != PROTOCOL_UDP && api->protocol[0].value != PROTOCOL_ICMP && 
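Review bot: The refusal added for `src_prefix_offset` / `dst_prefix_offset` is reported only through `zlog_debug` under `BGP_DEBUG(pbr, PBR)`, so with PBR debugging off a flowspec entry received from a peer is left out of policy routing with no trace, although the commit message says the user is informed. The FlowLabel hunk at -626 has the same shape. An operator may believe a traffic filter is active when it was never installed, so consider logging these refusals unconditionally, e.g. `zlog_warn("BGP: match prefix offset: implementation does not support it.");`. As written, the two adjacent string literals concatenate to `offset:implementation`, with no space after the colon. The body of bgp_pbr_validate_policy_route starts before and continues after this hunk, so the existing logging convention of the function is not visible here.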
@@ -626,6 +634,10 @@ static int bgp_pbr_validate_policy_route(struct bgp_pbr_entry_main *api) "too complex. ignoring."); return 0; } + if (BGP_DEBUG(pbr, PBR)) + zlog_debug("BGP: match FlowLabel operations " + "not supported. ignoring."); + return 0; } if (api->match_fragment_num) { char fail_str[64]; @@ -658,6 +670,11 @@ static int bgp_pbr_validate_policy_route(struct bgp_pbr_entry_main *api) api->fragment[i].value); } } + if (api->afi == AFI_IP6) { + success = false; + snprintf(fail_str, sizeof(fail_str), + "%s", IPV6_FRAGMENT_INVALID); + } } else snprintf(fail_str, sizeof(fail_str), "too complex. ignoring");
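Review bot: The unconditional `return 0;` added at the end of this block carries no comment saying why every FlowLabel match is refused, and it leaves the preceding "too complex" branch differing from it only in debug text. A one-line comment above the new lines would tell a maintainer when the restriction can be lifted, e.g. `/* flowlabel matching refused until https://bugzilla.netfilter.org/show_bug.cgi?id=1375 is resolved */`. The enclosing `if` opens outside this hunk, so this is presumably the flowlabel match block; confirm before placing the comment.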
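Review bot: The `api->afi == AFI_IP6` test sits after the code that inspects the individual `api->fragment[i].value` entries, so for IPv6 any message that code already wrote to `fail_str` is overwritten and the per-value work is discarded. Moving the `if (api->afi == AFI_IP6)` block ahead of that code, and running the per-value checks only in its `else`, would make the IPv6 refusal the single outcome and keep `fail_str` written once. What appears to be the per-value loop starts outside this hunk, so the exact placement needs checking against the full function.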