From 245e5d076edceb0457a6ad8954f149e2b353596f Mon Sep 17 00:00:00 2001 From: claudio Date: Wed, 11 Jan 2023 17:10:25 +0000 Subject: [PATCH] Add the validation state to the filterstate struct. Removes vstate argument from rde_filter(). Rename prefix_vstate() to prefix_roa_vstate(). OK tb@ --- usr.sbin/bgpd/rde.c | 39 +++++++++++++++++++------------------- usr.sbin/bgpd/rde.h | 9 +++++---- usr.sbin/bgpd/rde_filter.c | 15 ++++++++------- usr.sbin/bgpd/rde_update.c | 32 ++++++++++++++++--------------- 4 files changed, 50 insertions(+), 45 deletions(-) diff --git a/usr.sbin/bgpd/rde.c b/usr.sbin/bgpd/rde.c index 104764fb633..5f0029e2f0f 100644 --- a/usr.sbin/bgpd/rde.c +++ b/usr.sbin/bgpd/rde.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rde.c,v 1.583 2023/01/11 13:53:17 claudio Exp $ */ +/* $OpenBSD: rde.c,v 1.584 2023/01/11 17:10:25 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer @@ -463,7 +463,7 @@ rde_dispatch_imsg_session(struct imsgbuf *ibuf) memcpy(&netconf_s, imsg.data, sizeof(netconf_s)); TAILQ_INIT(&netconf_s.attrset); rde_filterstate_prep(&netconf_state, NULL, NULL, NULL, - 0); + 0, 0); asp = &netconf_state.aspath; asp->aspath = aspath_get(NULL, 0); asp->origin = ORIGIN_IGP; @@ -802,7 +802,7 @@ rde_dispatch_imsg_parent(struct imsgbuf *ibuf) case IMSG_NETWORK_DONE: TAILQ_CONCAT(&netconf_p.attrset, &parent_set, entry); - rde_filterstate_prep(&state, NULL, NULL, NULL, 0); + rde_filterstate_prep(&state, NULL, NULL, NULL, 0, 0); asp = &state.aspath; asp->aspath = aspath_get(NULL, 0); asp->origin = ORIGIN_IGP; @@ -1235,7 +1235,7 @@ rde_update_dispatch(struct rde_peer *peer, struct imsg *imsg) } memset(&mpa, 0, sizeof(mpa)); - rde_filterstate_prep(&state, NULL, NULL, NULL, 0); + rde_filterstate_prep(&state, NULL, NULL, NULL, 0, 0); if (attrpath_len != 0) { /* 0 = no NLRI information in this message */ /* parse path attributes */ while (len > 0) { 
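Review bot: The three updated `rde_filterstate_prep()` calls in rde_dispatch_imsg_session, rde_dispatch_imsg_parent and rde_update_dispatch pass a bare `0` for the new validation-state argument, while up_generate_default in rde_update.c passes `ROA_NOTFOUND` in the same slot. If 0 is meant as "not found" (the value of `ROA_NOTFOUND` is not visible in this patch), writing `rde_filterstate_prep(&state, NULL, NULL, NULL, 0, ROA_NOTFOUND);` keeps the two adjacent `uint8_t` arguments distinguishable and makes the initial origin-validation state explicit. In rde_update_dispatch the value appears to be a placeholder that rde_update_update later overwrites through `in->vstate`; a short comment saying so would help. All three functions continue outside their hunks.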
@@ -1666,20 +1666,19 @@ rde_update_update(struct rde_peer *peer, uint32_t path_id, { struct filterstate state; enum filter_actions action; - uint8_t vstate; uint16_t i; uint32_t path_id_tx; const char *wmsg = "filtered, withdraw"; peer->prefix_rcvd_update++; - vstate = rde_roa_validity(&rde_roa, prefix, prefixlen, + in->vstate = rde_roa_validity(&rde_roa, prefix, prefixlen, aspath_origin(in->aspath.aspath)); path_id_tx = pathid_assign(peer, path_id, prefix, prefixlen); /* add original path to the Adj-RIB-In */ if (prefix_update(rib_byid(RIB_ADJ_IN), peer, path_id, path_id_tx, - in, prefix, prefixlen, vstate) == 1) + in, prefix, prefixlen, in->vstate) == 1) peer->prefix_cnt++; /* max prefix checker */ @@ -1698,17 +1697,17 @@ rde_update_update(struct rde_peer *peer, uint32_t path_id, if (rib == NULL) continue; rde_filterstate_prep(&state, &in->aspath, &in->communities, - in->nexthop, in->nhflags); + in->nexthop, in->nhflags, in->vstate); /* input filter */ action = rde_filter(rib->in_rules, peer, peer, prefix, - prefixlen, vstate, &state); + prefixlen, &state); if (action == ACTION_ALLOW) { rde_update_log("update", i, peer, &state.nexthop->exit_nexthop, prefix, prefixlen); prefix_update(rib, peer, path_id, path_id_tx, &state, - prefix, prefixlen, vstate); + prefix, prefixlen, in->vstate); } else if (prefix_withdraw(rib, peer, path_id, prefix, prefixlen)) { rde_update_log(wmsg, i, peer, @@ -2541,7 +2540,7 @@ rde_dump_rib_as(struct prefix *p, struct rde_aspath *asp, pid_t pid, int flags, pt_getaddr(p->pt, &rib.prefix); rib.prefixlen = p->pt->prefixlen; rib.origin = asp->origin; - rib.validation_state = p->validation_state; + rib.validation_state = prefix_roa_vstate(p); rib.dmetric = p->dmetric; rib.flags = 0; if (!adjout) { 
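Review bot: rde_update_update now stores the ROA result into the caller's filterstate with `in->vstate = rde_roa_validity(...)`, so `in` has become an in/out parameter, and nothing at the assignment says so. A comment such as `/* record ROA validity in the input state; the per-RIB filter states below copy it */` would document that side effect. In the per-RIB loop `prefix_update()` is still handed `in->vstate` separately from `&state`, which carries the same value after `rde_filterstate_prep()`; consider noting which of the two is authoritative so they cannot drift apart. The function's signature and the end of the loop lie outside the hunks.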
@@ -3776,16 +3775,17 @@ rde_softreconfig_in(struct rib_entry *re, void *bula) continue; rde_filterstate_prep(&state, asp, prefix_communities(p), - prefix_nexthop(p), prefix_nhflags(p)); + prefix_nexthop(p), prefix_nhflags(p), + prefix_roa_vstate(p)); action = rde_filter(rib->in_rules, peer, peer, &prefix, - pt->prefixlen, p->validation_state, &state); + pt->prefixlen, &state); if (action == ACTION_ALLOW) { /* update Local-RIB */ prefix_update(rib, peer, p->path_id, p->path_id_tx, &state, &prefix, pt->prefixlen, - p->validation_state); + prefix_roa_vstate(p)); } else if (action == ACTION_DENY) { /* remove from Local-RIB */ prefix_withdraw(rib, peer, p->path_id, &prefix, @@ -3902,7 +3902,7 @@ rde_roa_softreload(struct rib_entry *re, void *bula) /* ROA validation state update */ vstate = rde_roa_validity(&rde_roa, &prefix, pt->prefixlen, aspath_origin(asp->aspath)); - if (vstate == p->validation_state) + if (vstate == prefix_roa_vstate(p)) continue; p->validation_state = vstate; @@ -3916,16 +3916,17 @@ rde_roa_softreload(struct rib_entry *re, void *bula) continue; rde_filterstate_prep(&state, asp, prefix_communities(p), - prefix_nexthop(p), prefix_nhflags(p)); + prefix_nexthop(p), prefix_nhflags(p), + prefix_roa_vstate(p)); action = rde_filter(rib->in_rules, peer, peer, &prefix, - pt->prefixlen, p->validation_state, &state); + pt->prefixlen, &state); if (action == ACTION_ALLOW) { /* update Local-RIB */ prefix_update(rib, peer, p->path_id, p->path_id_tx, &state, &prefix, pt->prefixlen, - p->validation_state); + prefix_roa_vstate(p)); } else if (action == ACTION_DENY) { /* remove from Local-RIB */ prefix_withdraw(rib, peer, p->path_id, &prefix, @@ -4383,7 +4384,7 @@ int ovs_match(struct prefix *p, uint32_t flag) { if (flag & (F_CTL_OVS_VALID|F_CTL_OVS_INVALID|F_CTL_OVS_NOTFOUND)) { - switch (prefix_vstate(p)) { + switch (prefix_roa_vstate(p)) { case ROA_VALID: if (!(flag & F_CTL_OVS_VALID)) return 0; 
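Review bot: In rde_roa_softreload the change check now compares against the masked value, `if (vstate == prefix_roa_vstate(p))`, but the next line still stores with `p->validation_state = vstate;`, which replaces the whole field. If `validation_state` ever holds bits outside `ROA_MASK` (the mask in `prefix_roa_vstate()` suggests it may), that store would clear them on every ROA reload. Either write only the ROA bits, e.g. `p->validation_state = (p->validation_state & ~ROA_MASK) | vstate;`, or add a comment stating that the field holds nothing but the ROA state. The `prefix_update()` calls in rde_softreconfig_in and later in rde_roa_softreload pass the masked value too, so the same question applies there; both function bodies extend beyond the hunks.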
diff --git a/usr.sbin/bgpd/rde.h b/usr.sbin/bgpd/rde.h index df36a2f602d..cae7baafc2f 100644 --- a/usr.sbin/bgpd/rde.h +++ b/usr.sbin/bgpd/rde.h @@ -1,4 +1,4 @@ -/* $OpenBSD: rde.h,v 1.276 2023/01/11 13:53:17 claudio Exp $ */ +/* $OpenBSD: rde.h,v 1.277 2023/01/11 17:10:26 claudio Exp $ */ /* * Copyright (c) 2003, 2004 Claudio Jeker and @@ -362,6 +362,7 @@ struct filterstate { struct rde_community communities; struct nexthop *nexthop; uint8_t nhflags; + uint8_t vstate; }; enum eval_mode { @@ -533,13 +534,13 @@ void prefix_evaluate_nexthop(struct prefix *, enum nexthop_state, void rde_apply_set(struct filter_set_head *, struct rde_peer *, struct rde_peer *, struct filterstate *, uint8_t); void rde_filterstate_prep(struct filterstate *, struct rde_aspath *, - struct rde_community *, struct nexthop *, uint8_t); + struct rde_community *, struct nexthop *, uint8_t, uint8_t); void rde_filterstate_clean(struct filterstate *); int rde_filter_equal(struct filter_head *, struct filter_head *, struct rde_peer *); void rde_filter_calc_skip_steps(struct filter_head *); enum filter_actions rde_filter(struct filter_head *, struct rde_peer *, - struct rde_peer *, struct bgpd_addr *, uint8_t, uint8_t, + struct rde_peer *, struct bgpd_addr *, uint8_t, struct filterstate *); /* rde_prefix.c */ @@ -685,7 +686,7 @@ prefix_nhvalid(struct prefix *p) } static inline uint8_t -prefix_vstate(struct prefix *p) +prefix_roa_vstate(struct prefix *p) { return (p->validation_state & ROA_MASK); } diff --git a/usr.sbin/bgpd/rde_filter.c b/usr.sbin/bgpd/rde_filter.c index 123b23ba41e..abf4fc32397 100644 --- a/usr.sbin/bgpd/rde_filter.c +++ b/usr.sbin/bgpd/rde_filter.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rde_filter.c,v 1.129 2022/07/28 13:11:51 deraadt Exp $ */ +/* $OpenBSD: rde_filter.c,v 1.130 2023/01/11 17:10:26 claudio Exp $ */ /* * Copyright (c) 2004 Claudio Jeker 
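Review bot: The new `uint8_t vstate;` member of struct filterstate has no comment, and the `rde_filterstate_prep()` prototype now ends in two unnamed `uint8_t` parameters. Swapping nhflags and vstate at a call site compiles without a diagnostic and would change what the `ovs` match in rde_filter_match sees. Suggest documenting the member, `uint8_t vstate; /* ROA validation state (ROA_*) */`, and naming the last two parameters in the prototype, `struct nexthop *, uint8_t nhflags, uint8_t vstate);`.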
@@ -212,7 +212,7 @@ rde_prefix_match(struct filter_prefix *fp, struct bgpd_addr *prefix, static int rde_filter_match(struct filter_rule *f, struct rde_peer *peer, struct rde_peer *from, struct filterstate *state, - struct bgpd_addr *prefix, uint8_t plen, uint8_t vstate) + struct bgpd_addr *prefix, uint8_t plen) { struct rde_aspath *asp = &state->aspath; int i; @@ -223,7 +223,7 @@ rde_filter_match(struct filter_rule *f, struct rde_peer *peer, return (0); if (f->match.ovs.is_set) { - if (vstate != f->match.ovs.validity) + if (state->vstate != f->match.ovs.validity) return (0); } @@ -427,7 +427,8 @@ rde_filter_equal(struct filter_head *a, struct filter_head *b, void rde_filterstate_prep(struct filterstate *state, struct rde_aspath *asp, - struct rde_community *communities, struct nexthop *nh, uint8_t nhflags) + struct rde_community *communities, struct nexthop *nh, uint8_t nhflags, + uint8_t vstate) { memset(state, 0, sizeof(*state)); @@ -438,6 +439,7 @@ rde_filterstate_prep(struct filterstate *state, struct rde_aspath *asp, communities_copy(&state->communities, communities); state->nexthop = nexthop_ref(nh); state->nhflags = nhflags; + state->vstate = vstate; } void @@ -784,7 +786,7 @@ rde_filter_calc_skip_steps(struct filter_head *rules) enum filter_actions rde_filter(struct filter_head *rules, struct rde_peer *peer, struct rde_peer *from, struct bgpd_addr *prefix, uint8_t plen, - uint8_t vstate, struct filterstate *state) + struct filterstate *state) { struct filter_rule *f; enum filter_actions action = ACTION_DENY; /* default deny */ @@ -814,8 +816,7 @@ rde_filter(struct filter_head *rules, struct rde_peer *peer, f->peer.peerid != peer->conf.id), f->skip[RDE_FILTER_SKIP_PEERID]); - if (rde_filter_match(f, peer, from, state, prefix, plen, - vstate)) { + if (rde_filter_match(f, peer, from, state, prefix, plen)) { rde_apply_set(&f->set, peer, from, state, prefix->aid); if (f->action != ACTION_NONE) action = f->action; 
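Review bot: rde_filter_match compares the state's value with exact equality, `if (state->vstate != f->match.ovs.validity)`, and rde_filterstate_prep stores its `vstate` argument unmasked. Every caller in this patch passes a `rde_roa_validity()` result, `prefix_roa_vstate()`, `0` or `ROA_NOTFOUND`, so this works today, but a value carrying any bit outside `ROA_MASK` would make every `ovs` rule fail to match without any error. Masking at the comparison, `if ((state->vstate & ROA_MASK) != f->match.ovs.validity)`, keeps origin-validation filtering independent of what callers store. Since rde_filter no longer takes the validation state as an argument, a comment on it should say that `state` must have been set up by rde_filterstate_prep(); the bodies of these functions are only partly visible.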
diff --git a/usr.sbin/bgpd/rde_update.c b/usr.sbin/bgpd/rde_update.c index 35f75a0317e..db44894d0c4 100644 --- a/usr.sbin/bgpd/rde_update.c +++ b/usr.sbin/bgpd/rde_update.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rde_update.c,v 1.149 2023/01/11 13:53:17 claudio Exp $ */ +/* $OpenBSD: rde_update.c,v 1.150 2023/01/11 17:10:26 claudio Exp $ */ /* * Copyright (c) 2004 Claudio Jeker @@ -178,9 +178,9 @@ up_generate_updates(struct filter_head *rules, struct rde_peer *peer, rde_filterstate_prep(&state, prefix_aspath(new), prefix_communities(new), prefix_nexthop(new), - prefix_nhflags(new)); + prefix_nhflags(new), prefix_roa_vstate(new)); if (rde_filter(rules, peer, prefix_peer(new), &addr, - prefixlen, prefix_vstate(new), &state) == ACTION_DENY) { + prefixlen, &state) == ACTION_DENY) { rde_filterstate_clean(&state); if (peer->flags & PEERFLAG_EVALUATE_ALL) { new = TAILQ_NEXT(new, entry.list.rib); @@ -208,7 +208,8 @@ up_generate_updates(struct filter_head *rules, struct rde_peer *peer, up_prep_adjout(peer, &state, addr.aid); prefix_adjout_update(p, peer, &state, &addr, - new->pt->prefixlen, new->path_id_tx, prefix_vstate(new)); + new->pt->prefixlen, new->path_id_tx, + prefix_roa_vstate(new)); rde_filterstate_clean(&state); /* max prefix checker outbound */ @@ -319,9 +320,9 @@ up_generate_addpath(struct filter_head *rules, struct rde_peer *peer, rde_filterstate_prep(&state, prefix_aspath(new), prefix_communities(new), prefix_nexthop(new), - prefix_nhflags(new)); + prefix_nhflags(new), prefix_roa_vstate(new)); if (rde_filter(rules, peer, prefix_peer(new), &addr, - prefixlen, prefix_vstate(new), &state) == ACTION_DENY) { + prefixlen, &state) == ACTION_DENY) { rde_filterstate_clean(&state); continue; } 
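Review bot: In up_generate_updates `prefix_roa_vstate(new)` is now evaluated for `rde_filterstate_prep()` and again for `prefix_adjout_update()`, which also receives `&state`; the same pattern repeats in up_generate_addpath and up_generate_addpath_all. Since the state carries the value, passing `state.vstate` as the last argument (`new->pt->prefixlen, new->path_id_tx, state.vstate);`) would make it obvious that the filtered and the stored validation state are the same. `prefix_adjout_update()` is defined outside this patch, so whether it could read the value from the state directly cannot be judged here. The enclosing loops start and end outside the hunks.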
@@ -340,7 +341,8 @@ up_generate_addpath(struct filter_head *rules, struct rde_peer *peer, up_prep_adjout(peer, &state, addr.aid); prefix_adjout_update(p, peer, &state, &addr, - new->pt->prefixlen, new->path_id_tx, prefix_vstate(new)); + new->pt->prefixlen, new->path_id_tx, + prefix_roa_vstate(new)); rde_filterstate_clean(&state); /* max prefix checker outbound */ @@ -428,9 +430,9 @@ up_generate_addpath_all(struct filter_head *rules, struct rde_peer *peer, rde_filterstate_prep(&state, prefix_aspath(new), prefix_communities(new), prefix_nexthop(new), - prefix_nhflags(new)); + prefix_nhflags(new), prefix_roa_vstate(new)); if (rde_filter(rules, peer, prefix_peer(new), &addr, - prefixlen, prefix_vstate(new), &state) == ACTION_DENY) { + prefixlen, &state) == ACTION_DENY) { rde_filterstate_clean(&state); continue; } @@ -445,7 +447,7 @@ up_generate_addpath_all(struct filter_head *rules, struct rde_peer *peer, up_prep_adjout(peer, &state, addr.aid); prefix_adjout_update(p, peer, &state, &addr, - prefixlen, new->path_id_tx, prefix_vstate(new)); + prefixlen, new->path_id_tx, prefix_roa_vstate(new)); rde_filterstate_clean(&state); /* max prefix checker outbound */ @@ -486,7 +488,7 @@ up_generate_default(struct filter_head *rules, struct rde_peer *peer, if (peer->capa.mp[aid] == 0) return; - rde_filterstate_prep(&state, NULL, NULL, NULL, 0); + rde_filterstate_prep(&state, NULL, NULL, NULL, 0, ROA_NOTFOUND); asp = &state.aspath; asp->aspath = aspath_get(NULL, 0); asp->origin = ORIGIN_IGP; @@ -506,8 +508,8 @@ up_generate_default(struct filter_head *rules, struct rde_peer *peer, p = prefix_adjout_lookup(peer, &addr, 0); /* outbound filter as usual */ - if (rde_filter(rules, peer, peerself, &addr, 0, ROA_NOTFOUND, - &state) == ACTION_DENY) { + if (rde_filter(rules, peer, peerself, &addr, 0, &state) == + ACTION_DENY) { rde_filterstate_clean(&state); return; } 
@@ -1032,7 +1034,7 @@ up_dump_attrnlri(u_char *buf, int len, struct rde_peer *peer) goto done; rde_filterstate_prep(&state, prefix_aspath(p), prefix_communities(p), - prefix_nexthop(p), prefix_nhflags(p)); + prefix_nexthop(p), prefix_nhflags(p), prefix_roa_vstate(p)); r = up_generate_attr(buf + 2, len - 2, peer, &state, AID_INET); rde_filterstate_clean(&state); @@ -1171,7 +1173,7 @@ up_dump_mp_reach(u_char *buf, int len, struct rde_peer *peer, uint8_t aid) wpos = 4; /* reserve space for length fields */ rde_filterstate_prep(&state, prefix_aspath(p), prefix_communities(p), - prefix_nexthop(p), prefix_nhflags(p)); + prefix_nexthop(p), prefix_nhflags(p), prefix_roa_vstate(p)); /* write regular path attributes */ r = up_generate_attr(buf + wpos, len - wpos, peer, &state, aid); -- 2.20.1