pbrd: use flags to indicate active fields

Before now, PBRD used non-zero values to imply that a rule's match or action field was active. This approach was getting cumbersome for fields where 0 is a valid active value and various field-specific magic values had to be used. This commit changes PBRD to use a flag bit per field to indicate that the field is active. Signed-off-by: G. Paul Ziemba <paulz@labn.net>
2025-08-03 04:01:59 +00:00 · 2023-07-30 21:33:10 -07:00 · 2023-07-30 21:33:10 -07:00 · 887367a01c
commit 887367a01c
parent c47fd378f3
8 changed files with 719 additions and 386 deletions
--- a/lib/pbr.h
+++ b/lib/pbr.h
@ -57,7 +57,7 @@ struct pbr_filter {
 	struct prefix src_ip;
 	struct prefix dst_ip;

-	/* Source and Destination higher-layer (TCP/UDP) port numbers */
+	/* Source and Destination layer 4 (TCP/UDP/etc.) port numbers */
 	uint16_t src_port;
 	uint16_t dst_port;

@ -88,11 +88,11 @@ struct pbr_filter {
 struct pbr_action {
 	uint32_t flags;

-#define PBR_ACTION_TABLE      (1 << 0)
-#define PBR_ACTION_QUEUE_ID   (1 << 1)
-#define PBR_ACTION_PCP        (1 << 2)
-#define PBR_ACTION_VLAN_ID    (1 << 3)
-#define PBR_ACTION_VLAN_FLAGS (1 << 4)
+#define PBR_ACTION_TABLE		(1 << 0)
+#define PBR_ACTION_QUEUE_ID		(1 << 1)
+#define PBR_ACTION_PCP			(1 << 2)
+#define PBR_ACTION_VLAN_ID		(1 << 3)
+#define PBR_ACTION_VLAN_STRIP_INNER_ANY (1 << 4)

 	uint32_t table;
 	uint32_t queue_id;
@ -100,7 +100,6 @@ struct pbr_action {
 	/* VLAN */
 	uint8_t pcp;
 	uint16_t vlan_id;
-	uint16_t vlan_flags;


 };
--- a/lib/zclient.c
+++ b/lib/zclient.c
@ -1631,40 +1631,79 @@ static void zapi_pbr_rule_filter_encode(struct stream *s, struct pbr_filter *f)
 	assert((f->src_ip.family == AF_INET) || (f->src_ip.family == AF_INET6));

 	stream_putl(s, f->filter_bm);
-	stream_putc(s, f->ip_proto);
+
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_IP_PROTOCOL))
+		stream_putc(s, f->ip_proto);

 	/* addresses */
-	zapi_encode_prefix(s, &f->src_ip, f->src_ip.family);
-	zapi_encode_prefix(s, &f->dst_ip, f->dst_ip.family);
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_SRC_IP))
+		zapi_encode_prefix(s, &f->src_ip, f->src_ip.family);
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_DST_IP))
+		zapi_encode_prefix(s, &f->dst_ip, f->dst_ip.family);

 	/* port numbers */
-	stream_putw(s, f->src_port);
-	stream_putw(s, f->dst_port);
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_SRC_PORT))
+		stream_putw(s, f->src_port);
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_DST_PORT))
+		stream_putw(s, f->dst_port);
+
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_DSCP))
+		stream_putc(s, f->dsfield & PBR_DSFIELD_DSCP);
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_ECN))
+		stream_putc(s, f->dsfield & PBR_DSFIELD_ECN);

 	/* vlan */
-	stream_putc(s, f->pcp);
-	stream_putw(s, f->vlan_id);
-	stream_putw(s, f->vlan_flags);
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_PCP))
+		stream_putc(s, f->pcp);
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_VLAN_ID))
+		stream_putw(s, f->vlan_id);
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_VLAN_FLAGS))
+		stream_putw(s, f->vlan_flags);

-	stream_putc(s, f->dsfield);
-	stream_putl(s, f->fwmark);
+
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_FWMARK))
+		stream_putl(s, f->fwmark);
 }

 static bool zapi_pbr_rule_filter_decode(struct stream *s, struct pbr_filter *f)
 {
+	uint8_t dscp = 0;
+	uint8_t ecn = 0;
+
 	STREAM_GETL(s, f->filter_bm);
-	STREAM_GETC(s, f->ip_proto);
-	if (!zapi_decode_prefix(s, &(f->src_ip)))
-		goto stream_failure;
-	if (!zapi_decode_prefix(s, &(f->dst_ip)))
-		goto stream_failure;
-	STREAM_GETW(s, f->src_port);
-	STREAM_GETW(s, f->dst_port);
-	STREAM_GETC(s, f->pcp);
-	STREAM_GETW(s, f->vlan_id);
-	STREAM_GETW(s, f->vlan_flags);
-	STREAM_GETC(s, f->dsfield);
-	STREAM_GETL(s, f->fwmark);
+
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_IP_PROTOCOL))
+		STREAM_GETC(s, f->ip_proto);
+
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_SRC_IP))
+		if (!zapi_decode_prefix(s, &(f->src_ip)))
+			goto stream_failure;
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_DST_IP))
+		if (!zapi_decode_prefix(s, &(f->dst_ip)))
+			goto stream_failure;
+
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_SRC_PORT))
+		STREAM_GETW(s, f->src_port);
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_DST_PORT))
+		STREAM_GETW(s, f->dst_port);
+
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_DSCP))
+		STREAM_GETC(s, dscp);
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_ECN))
+		STREAM_GETC(s, ecn);
+	f->dsfield = (dscp & PBR_DSFIELD_DSCP) | (ecn & PBR_DSFIELD_ECN);
+
+	/* vlan */
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_PCP))
+		STREAM_GETC(s, f->pcp);
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_VLAN_ID))
+		STREAM_GETW(s, f->vlan_id);
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_VLAN_FLAGS))
+		STREAM_GETW(s, f->vlan_flags);
+
+	if (CHECK_FLAG(f->filter_bm, PBR_FILTER_FWMARK))
+		STREAM_GETL(s, f->fwmark);
+
 	return true;

 stream_failure:
@ -1674,21 +1713,34 @@ stream_failure:
 static void zapi_pbr_rule_action_encode(struct stream *s, struct pbr_action *a)
 {
 	stream_putl(s, a->flags);
-	stream_putl(s, a->table);
-	stream_putl(s, a->queue_id);
-	stream_putc(s, a->pcp);
-	stream_putw(s, a->vlan_id);
-	stream_putw(s, a->vlan_flags);
+
+	if (CHECK_FLAG(a->flags, PBR_ACTION_TABLE))
+		stream_putl(s, a->table);
+	if (CHECK_FLAG(a->flags, PBR_ACTION_QUEUE_ID))
+		stream_putl(s, a->queue_id);
+
+	/* L2 */
+	if (CHECK_FLAG(a->flags, PBR_ACTION_PCP))
+		stream_putc(s, a->pcp);
+	if (CHECK_FLAG(a->flags, PBR_ACTION_VLAN_ID))
+		stream_putw(s, a->vlan_id);
 }

 static bool zapi_pbr_rule_action_decode(struct stream *s, struct pbr_action *a)
 {
 	STREAM_GETL(s, a->flags);
-	STREAM_GETL(s, a->table);
-	STREAM_GETL(s, a->queue_id);
-	STREAM_GETC(s, a->pcp);
-	STREAM_GETW(s, a->vlan_id);
-	STREAM_GETW(s, a->vlan_flags);
+
+	if (CHECK_FLAG(a->flags, PBR_ACTION_TABLE))
+		STREAM_GETL(s, a->table);
+	if (CHECK_FLAG(a->flags, PBR_ACTION_QUEUE_ID))
+		STREAM_GETL(s, a->queue_id);
+
+	/* L2 */
+	if (CHECK_FLAG(a->flags, PBR_ACTION_PCP))
+		STREAM_GETC(s, a->pcp);
+	if (CHECK_FLAG(a->flags, PBR_ACTION_VLAN_ID))
+		STREAM_GETW(s, a->vlan_id);
+
 	return true;

 stream_failure:
--- a/pbrd/pbr_map.c
+++ b/pbrd/pbr_map.c
@ -105,38 +105,6 @@ static bool pbrms_is_installed(const struct pbr_map_sequence *pbrms,
 	return false;
 }

-void pbr_set_match_clause_for_pcp(struct pbr_map_sequence *pbrms, bool set,
-				  uint8_t pcp)
-{
-	bool changed = false;
-
-	if (set) {
-		if (!CHECK_FLAG(pbrms->filter_bm, PBR_FILTER_PCP) ||
-		    (pcp != pbrms->match_pcp)) {
-			SET_FLAG(pbrms->filter_bm, PBR_FILTER_PCP);
-			pbrms->match_pcp = pcp;
-			changed = true;
-		}
-	} else {
-		if (CHECK_FLAG(pbrms->filter_bm, PBR_FILTER_PCP)) {
-			UNSET_FLAG(pbrms->filter_bm, PBR_FILTER_PCP);
-			changed = true;
-		}
-	}
-	if (changed)
-		pbr_map_check(pbrms, true);
-}
-
-void pbr_set_match_clause_for_vlan(struct pbr_map_sequence *pbrms,
-				   uint16_t vlan_id, uint16_t vlan_flags)
-{
-	if (pbrms) {
-		pbrms->match_vlan_id = vlan_id;
-		pbrms->match_vlan_flags = vlan_flags;
-		pbr_map_check(pbrms, true);
-	}
-}
-
 /* If any sequence is installed on the interface, assume installed */
 static bool
 pbr_map_interface_is_installed(const struct pbr_map *pbrm,
@ -562,14 +530,6 @@ struct pbr_map_sequence *pbrms_get(const char *name, uint32_t seqno)
 		pbrms->ruleno = pbr_nht_get_next_rule(seqno);
 		pbrms->parent = pbrm;

-		pbrms->match_vlan_id = 0;
-		pbrms->match_vlan_flags = 0;
-		pbrms->match_pcp = 0;
-
-		pbrms->action_vlan_id = 0;
-		pbrms->action_vlan_flags = 0;
-		pbrms->action_pcp = 0;
-
 		pbrms->action_queue_id = PBR_MAP_UNDEFINED_QUEUE_ID;

 		pbrms->reason =
@ -634,13 +594,35 @@ pbr_map_sequence_check_nexthops_valid(struct pbr_map_sequence *pbrms)

 static void pbr_map_sequence_check_not_empty(struct pbr_map_sequence *pbrms)
 {
-	if (!pbrms->src && !pbrms->dst && !pbrms->mark && !pbrms->dsfield &&
-	    !CHECK_FLAG(pbrms->filter_bm, PBR_FILTER_PCP) &&
-	    !pbrms->action_pcp && !pbrms->match_vlan_id &&
-	    !pbrms->match_vlan_flags && !pbrms->action_vlan_id &&
-	    !pbrms->action_vlan_flags &&
-	    pbrms->action_queue_id == PBR_MAP_UNDEFINED_QUEUE_ID)
+	/* clang-format off */
+	if (
+		!CHECK_FLAG(pbrms->filter_bm, (
+			PBR_FILTER_SRC_IP |
+			PBR_FILTER_DST_IP |
+			PBR_FILTER_SRC_PORT |
+			PBR_FILTER_DST_PORT |
+
+			PBR_FILTER_IP_PROTOCOL |
+			PBR_FILTER_DSCP |
+			PBR_FILTER_ECN |
+
+			PBR_FILTER_FWMARK |
+			PBR_FILTER_PCP |
+			PBR_FILTER_VLAN_ID |
+			PBR_FILTER_VLAN_FLAGS
+		)) &&
+		!CHECK_FLAG(pbrms->action_bm, (
+
+			PBR_ACTION_PCP |
+			PBR_ACTION_VLAN_ID |
+			PBR_ACTION_VLAN_STRIP_INNER_ANY |
+
+			PBR_ACTION_QUEUE_ID
+		))
+	) {
 		pbrms->reason |= PBR_MAP_INVALID_EMPTY;
+	}
+	/* clang-format on */
 }

 static void pbr_map_sequence_check_vlan_actions(struct pbr_map_sequence *pbrms)
@ -653,7 +635,8 @@ static void pbr_map_sequence_check_vlan_actions(struct pbr_map_sequence *pbrms)
 	 * The strip vlan action removes any inner tag, so it is invalid to
 	 * specify both a set and strip action.
 	 */
-	if ((pbrms->action_vlan_id != 0) && (pbrms->action_vlan_flags != 0))
+	if (CHECK_FLAG(pbrms->action_bm, PBR_ACTION_VLAN_ID) &&
+	    (CHECK_FLAG(pbrms->action_bm, PBR_ACTION_VLAN_STRIP_INNER_ANY)))
 		pbrms->reason |= PBR_MAP_INVALID_SET_STRIP_VLAN;
 }

--- a/pbrd/pbr_map.h
+++ b/pbrd/pbr_map.h
@ -3,7 +3,9 @@
 * PBR-map Header
 * Copyright (C) 2018 Cumulus Networks, Inc.
 *               Donald Sharp
- * Copyright (c) 2023 LabN Consulting, L.L.C.
+ * Portions:
+ *	Copyright (c) 2023 LabN Consulting, L.L.C.
+ *	Copyright (c) 2021 The MITRE Corporation
 */
 #ifndef __PBR_MAP_H__
 #define __PBR_MAP_H__
@ -54,6 +56,14 @@ struct pbr_map_interface {
 	bool delete;
 };

+enum pbr_forwarding_type {
+	PBR_FT_UNSPEC = 0,
+	PBR_FT_VRF_UNCHANGED,
+	PBR_FT_SETVRF,
+	PBR_FT_NEXTHOP_GROUP,
+	PBR_FT_NEXTHOP_SINGLE,
+};
+
 struct pbr_map_sequence {
 	struct pbr_map *parent;

@ -109,14 +119,19 @@ struct pbr_map_sequence {
 	 * Action fields
 	 *****************************************************************/

+	/*
+	 * same bit definitions as in lib/pbr.h
+	 */
+	uint32_t action_bm;
+
 	uint8_t action_pcp;
 	uint8_t action_vlan_id;
-#define PBR_MAP_STRIP_INNER_ANY (1 << 0)
-	uint8_t action_vlan_flags;

 #define PBR_MAP_UNDEFINED_QUEUE_ID 0
 	uint32_t action_queue_id;

+	enum pbr_forwarding_type forwarding_type;
+
 	/*
 	 * Use interface's vrf.
 	 */
@ -233,9 +248,4 @@ extern void pbr_map_check_vrf_nh_group_change(const char *nh_group,
 extern void pbr_map_check_interface_nh_group_change(const char *nh_group,
 						    struct interface *ifp,
 						    ifindex_t oldifindex);
-extern void pbr_set_match_clause_for_vlan(struct pbr_map_sequence *pbrms,
-					  uint16_t vlan_id,
-					  uint16_t vlan_flags);
-extern void pbr_set_match_clause_for_pcp(struct pbr_map_sequence *pbrms,
-					 bool set, uint8_t pcp);
 #endif
--- a/pbrd/pbr_nht.c
+++ b/pbrd/pbr_nht.c
@ -549,6 +549,7 @@ void pbr_nht_set_seq_nhg(struct pbr_map_sequence *pbrms, const char *name)
 		return;

 	pbrms->nhgrp_name = XSTRDUP(MTYPE_TMP, name);
+	pbrms->forwarding_type = PBR_FT_NEXTHOP_GROUP;

 	nhgc = nhgc_find(name);
 	if (!nhgc)
@ -572,6 +573,7 @@ void pbr_nht_add_individual_nexthop(struct pbr_map_sequence *pbrms,
 		MTYPE_TMP,
 		pbr_nht_nexthop_make_name(pbrms->parent->name, PBR_NHC_NAMELEN,
 					  pbrms->seqno, buf));
+	pbrms->forwarding_type = PBR_FT_NEXTHOP_SINGLE;

 	nh = nexthop_new();
 	memcpy(nh, nhop, sizeof(*nh));
--- a/pbrd/pbr_vty.c
+++ b/pbrd/pbr_vty.c
--- a/pbrd/pbr_zebra.c
+++ b/pbrd/pbr_zebra.c
@ -564,44 +564,18 @@ static bool pbr_encode_pbr_map_sequence(struct stream *s,
 	r.filter.fwmark = pbrms->mark;
 	r.filter.ip_proto = pbrms->ip_proto;

-	/*
-	 * Fix up filter flags for now, since PBRD doesn't maintain
-	 * them yet (aside from PBR_FILTER_PCP)
-	 */
-	if (!is_default_prefix(&r.filter.src_ip))
-		SET_FLAG(r.filter.filter_bm, PBR_FILTER_SRC_IP);
-	if (!is_default_prefix(&r.filter.dst_ip))
-		SET_FLAG(r.filter.filter_bm, PBR_FILTER_DST_IP);
-	if (r.filter.src_port)
-		SET_FLAG(r.filter.filter_bm, PBR_FILTER_SRC_PORT);
-	if (r.filter.dst_port)
-		SET_FLAG(r.filter.filter_bm, PBR_FILTER_DST_PORT);
-	if (r.filter.vlan_id)
-		SET_FLAG(r.filter.filter_bm, PBR_FILTER_VLAN_ID);
-	if (r.filter.vlan_flags)
-		SET_FLAG(r.filter.filter_bm, PBR_FILTER_VLAN_FLAGS);
-	if (r.filter.dsfield)
-		SET_FLAG(r.filter.filter_bm, PBR_FILTER_DSFIELD);
-	if (r.filter.fwmark)
-		SET_FLAG(r.filter.filter_bm, PBR_FILTER_FWMARK);
-	if (r.filter.ip_proto)
-		SET_FLAG(r.filter.filter_bm, PBR_FILTER_IP_PROTOCOL);
+	r.filter.filter_bm = pbrms->filter_bm;

 	/* actions */

+	SET_FLAG(r.action.flags, PBR_ACTION_TABLE); /* always valid */
+
 	/*
 	 * PBR should maintain its own set of action flags that we
 	 * can copy here instead of trying to infer from magic values.
 	 */
-	SET_FLAG(r.action.flags, PBR_ACTION_TABLE); /* always valid */
-	if (pbrms->action_queue_id != PBR_MAP_UNDEFINED_QUEUE_ID)
-		SET_FLAG(r.action.flags, PBR_ACTION_QUEUE_ID);
-	if (pbrms->action_pcp != 0)
-		SET_FLAG(r.action.flags, PBR_ACTION_PCP);
-	if (pbrms->action_vlan_id != 0)
-		SET_FLAG(r.action.flags, PBR_ACTION_VLAN_ID);
-	if (pbrms->action_vlan_flags != 0)
-		SET_FLAG(r.action.flags, PBR_ACTION_VLAN_FLAGS);
+
+	r.action.flags = pbrms->action_bm;

 	/*
 	 * if the user does not use the command "set vrf name unchanged"
@ -619,9 +593,9 @@ static bool pbr_encode_pbr_map_sequence(struct stream *s,
 	}

 	r.action.queue_id = pbrms->action_queue_id;
+
 	r.action.pcp = pbrms->action_pcp;
 	r.action.vlan_id = pbrms->action_vlan_id;
-	r.action.vlan_flags = pbrms->action_vlan_flags;

 	strlcpy(r.ifname, ifp->name, sizeof(r.ifname));

--- a/zebra/zapi_msg.c
+++ b/zebra/zapi_msg.c
@ -3188,10 +3188,32 @@ static inline void zread_rule(ZAPI_HANDLER_ARGS)

 		strlcpy(zpr.ifname, zpr.rule.ifname, sizeof(zpr.ifname));

+		if ((zpr.rule.family != AF_INET) &&
+		    (zpr.rule.family != AF_INET6)) {
+			zlog_warn("Unsupported PBR source IP family: %s (%hhu)",
+				  family2str(zpr.rule.family), zpr.rule.family);
+			return;
+		}
+
+		/*
+		 * Fixup filter src/dst IP addresses if they are unset
+		 * because the netlink code currently obtains address family
+		 * from them. Address family is used to specify which
+		 * kernel database to use when adding/deleting rule.
+		 *
+		 * TBD: propagate zpr.rule.family into dataplane and
+		 * netlink code so they can stop using filter src/dst addrs.
+		 */
+		if (!CHECK_FLAG(zpr.rule.filter.filter_bm, PBR_FILTER_SRC_IP))
+			zpr.rule.filter.src_ip.family = zpr.rule.family;
+		if (!CHECK_FLAG(zpr.rule.filter.filter_bm, PBR_FILTER_DST_IP))
+			zpr.rule.filter.dst_ip.family = zpr.rule.family;
+
+		/* TBD delete below block when netlink code gets family from zpr.rule.family */
 		if (!(zpr.rule.filter.src_ip.family == AF_INET
 		      || zpr.rule.filter.src_ip.family == AF_INET6)) {
 			zlog_warn(
-				"Unsupported PBR source IP family: %s (%hhu)",
+				"Unsupported PBR source IP family: %s (%u)",
 				family2str(zpr.rule.filter.src_ip.family),
 				zpr.rule.filter.src_ip.family);
 			return;
@ -3199,11 +3221,12 @@ static inline void zread_rule(ZAPI_HANDLER_ARGS)
 		if (!(zpr.rule.filter.dst_ip.family == AF_INET
 		      || zpr.rule.filter.dst_ip.family == AF_INET6)) {
 			zlog_warn(
-				"Unsupported PBR destination IP family: %s (%hhu)",
+				"Unsupported PBR destination IP family: %s (%u)",
 				family2str(zpr.rule.filter.dst_ip.family),
 				zpr.rule.filter.dst_ip.family);
 			return;
 		}
+		/* TBD delete above block when netlink code gets family from zpr.rule.family */


 		zpr.vrf_id = zvrf->vrf->vrf_id;