authorJan Moskyto Matejka <mq@ucw.cz>2016-12-07 15:30:46 +0100
committerJan Moskyto Matejka <mq@ucw.cz>2016-12-07 15:30:46 +0100
commitad88b94bca78e010357a6c7806e1d5e01701d4a7 (patch)
tree9c06e9c1b0c87f372dcf27cc832d5692db112e80 /filter
parentd15b0b0a1b494c14b139d2d28706d82cd6e2f139 (diff)
parentaf62c0f9f1f6382fe88c8ae5e514f70c0b5b6d05 (diff)
Merge branch 'int-new-rpki-squashed' (early part) into int-new
Diffstat (limited to 'filter')
-rw-r--r--filter/config.Y6
-rw-r--r--filter/filter.c31
-rw-r--r--filter/test.conf92
3 files changed, 102 insertions, 27 deletions
diff --git a/filter/config.Y b/filter/config.Y
index eecebf61..7b4178be 100644
--- a/filter/config.Y
+++ b/filter/config.Y
@@ -399,8 +399,8 @@ CF_KEYWORDS(FUNCTION, PRINT, PRINTN, UNSET, RETURN,
TRUE, FALSE, RT, RO, UNKNOWN, GENERIC,
FROM, GW, NET, MASK, PROTO, SOURCE, SCOPE, CAST, DEST, IFNAME, IFINDEX,
PREFERENCE,
- ROA_CHECK,
- LEN,
+ ROA_CHECK, ASN,
+ LEN, MAXLEN,
DEFINED,
ADD, DELETE, CONTAINS, RESET,
PREPEND, FIRST, LAST, LAST_NONAGGREGATED, MATCH,
@@ -891,6 +891,8 @@ term:
| term '.' IP { $$ = f_new_inst(); $$->code = P('c','p'); $$->a1.p = $1; $$->aux = T_IP; }
| term '.' LEN { $$ = f_new_inst(); $$->code = 'L'; $$->a1.p = $1; }
+ | term '.' MAXLEN { $$ = f_new_inst(); $$->code = P('R','m'); $$->a1.p = $1; }
+ | term '.' ASN { $$ = f_new_inst(); $$->code = P('R','a'); $$->a1.p = $1; }
| term '.' MASK '(' term ')' { $$ = f_new_inst(); $$->code = P('i','M'); $$->a1.p = $1; $$->a2.p = $5; }
| term '.' FIRST { $$ = f_new_inst(); $$->code = P('a','f'); $$->a1.p = $1; }
| term '.' LAST { $$ = f_new_inst(); $$->code = P('a','l'); $$->a1.p = $1; }
diff --git a/filter/filter.c b/filter/filter.c
index 3bd425ac..4ec04554 100644
--- a/filter/filter.c
+++ b/filter/filter.c
@@ -1183,6 +1183,26 @@ interpret(struct f_inst *what)
default: runtime( "Prefix, path, clist or eclist expected" );
}
break;
+ case P('R','m'): /* Get ROA max prefix length */
+ ONEARG;
+ if (v1.type != T_NET || !net_is_roa(v1.val.net))
+ runtime( "ROA expected" );
+
+ res.type = T_INT;
+ res.val.i = (v1.val.net->type == NET_ROA4) ?
+ ((net_addr_roa4 *) v1.val.net)->max_pxlen :
+ ((net_addr_roa6 *) v1.val.net)->max_pxlen;
+ break;
+ case P('R','a'): /* Get ROA ASN */
+ ONEARG;
+ if (v1.type != T_NET || !net_is_roa(v1.val.net))
+ runtime( "ROA expected" );
+
+ res.type = T_INT;
+ res.val.i = (v1.val.net->type == NET_ROA4) ?
+ ((net_addr_roa4 *) v1.val.net)->asn :
+ ((net_addr_roa6 *) v1.val.net)->asn;
+ break;
case P('c','p'): /* Convert prefix to ... */
ONEARG;
if (v1.type != T_NET)
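Review bot: Both new cases raise the identical message `runtime( "ROA expected" )`, so a filter runtime error does not say whether `.maxlen` or `.asn` was applied to a non-ROA value; messages such as `runtime( "ROA expected for .maxlen" )` and `runtime( "ROA expected for .asn" )` would make the log line actionable. The casts to `net_addr_roa4 *` / `net_addr_roa6 *` are only safe because `net_is_roa()` has presumably narrowed the type to NET_ROA4 or NET_ROA6 (its definition is not visible here), so a short comment like `/* net_is_roa() guarantees NET_ROA4 or NET_ROA6, so the else branch is ROA6 */` above each ternary would record that dependency. The two cases differ only in the field read and could share one helper. interpret() starts and ends outside this hunk.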
@@ -1476,12 +1496,15 @@ interpret(struct f_inst *what)
if (!table)
runtime("Missing ROA table");
- /* Table type is either NET_ROA4 or NET_ROA6, checked in parser */
- if (v1.val.net->type != ((table->addr_type == NET_ROA4) ? NET_IP4 : NET_IP6))
- runtime("Incompatible net type");
+ if (table->addr_type != NET_ROA4 && table->addr_type != NET_ROA6)
+ runtime("Table type must be either ROA4 or ROA6");
res.type = T_ENUM_ROA;
- res.val.i = net_roa_check(table, v1.val.net, as);
+
+ if (table->addr_type != (v1.val.net->type == NET_IP4 ? NET_ROA4 : NET_ROA6))
+ res.val.i = ROA_UNKNOWN; /* Prefix and table type mismatch */
+ else
+ res.val.i = net_roa_check(table, v1.val.net, as);
break;
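Review bot: The new family test `v1.val.net->type == NET_IP4 ? NET_ROA4 : NET_ROA6` treats every net type other than NET_IP4 as IPv6, so with a ROA6 table any non-IP4 net is passed on to `net_roa_check()`, whereas the removed check rejected everything that was not NET_IP4 or NET_IP6. This matters more now that ROA-typed nets can be written in filters (see the `max ... as ...` prefixes in test.conf). Unless a guard above this hunk or inside net_roa_check() already restricts the type (neither is visible here), keep an explicit test ahead of the mismatch branch: `if (v1.val.net->type != NET_IP4 && v1.val.net->type != NET_IP6) runtime("Incompatible net type");`. The silent `ROA_UNKNOWN` on a family mismatch also deserves a fuller comment, because a filter that rejects only ROA_INVALID will accept a route checked against the wrong-family table; for example `/* Family mismatch yields ROA_UNKNOWN, not an error: callers must consult the table of the matching family */`. interpret() continues outside the hunk.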
diff --git a/filter/test.conf b/filter/test.conf
index 16ef7a86..18aeaae1 100644
--- a/filter/test.conf
+++ b/filter/test.conf
@@ -1139,30 +1139,80 @@ int j;
accept "ok I take that";
}
-/*
-roa table rl
+roa4 table r4;
+roa6 table r6;
+
+protocol static
+{
+ roa4 { table r4; };
+ route 10.110.0.0/16 max 16 as 1000 blackhole;
+ route 10.120.0.0/16 max 24 as 1000 blackhole ;
+ route 10.130.0.0/16 max 24 as 2000 blackhole;
+ route 10.130.128.0/18 max 24 as 3000 blackhole;
+}
+
+protocol static
{
- roa 10.110.0.0/16 max 16 as 1000;
- roa 10.120.0.0/16 max 24 as 1000;
- roa 10.130.0.0/16 max 24 as 2000;
- roa 10.130.128.0/18 max 24 as 3000;
+ roa6 { table r6; };
+ route 2001:0db8:85a3:8a2e::/64 max 96 as 1000 blackhole;
}
-function test_roa()
+function test_roa_check()
{
# cannot be tested in __startup(), sorry
- print "Testing ROA";
- print "Should be true: ", roa_check(rl, 10.10.0.0/16, 1000) = ROA_UNKNOWN,
- " ", roa_check(rl, 10.0.0.0/8, 1000) = ROA_UNKNOWN,
- " ", roa_check(rl, 10.110.0.0/16, 1000) = ROA_VALID,
- " ", roa_check(rl, 10.110.0.0/16, 2000) = ROA_INVALID,
- " ", roa_check(rl, 10.110.32.0/20, 1000) = ROA_INVALID,
- " ", roa_check(rl, 10.120.32.0/20, 1000) = ROA_VALID;
- print "Should be true: ", roa_check(rl, 10.120.32.0/20, 2000) = ROA_INVALID,
- " ", roa_check(rl, 10.120.32.32/28, 1000) = ROA_INVALID,
- " ", roa_check(rl, 10.130.130.0/24, 1000) = ROA_INVALID,
- " ", roa_check(rl, 10.130.130.0/24, 2000) = ROA_VALID,
- " ", roa_check(rl, 10.130.30.0/24, 3000) = ROA_INVALID,
- " ", roa_check(rl, 10.130.130.0/24, 3000) = ROA_VALID;
+ print "Should be true: ", roa_check(r4, 10.10.0.0/16, 1000) = ROA_UNKNOWN,
+ " ", roa_check(r4, 10.0.0.0/8, 1000) = ROA_UNKNOWN,
+ " ", roa_check(r4, 10.110.0.0/16, 1000) = ROA_VALID,
+ " ", roa_check(r4, 10.110.0.0/16, 2000) = ROA_INVALID,
+ " ", roa_check(r4, 10.110.32.0/20, 1000) = ROA_INVALID,
+ " ", roa_check(r4, 10.120.32.0/20, 1000) = ROA_VALID;
+ print "Should be true: ", roa_check(r4, 10.120.32.0/20, 2000) = ROA_INVALID,
+ " ", roa_check(r4, 10.120.32.32/28, 1000) = ROA_INVALID,
+ " ", roa_check(r4, 10.130.130.0/24, 1000) = ROA_INVALID,
+ " ", roa_check(r4, 10.130.130.0/24, 2000) = ROA_VALID,
+ " ", roa_check(r4, 10.130.30.0/24, 3000) = ROA_INVALID,
+ " ", roa_check(r4, 10.130.130.0/24, 3000) = ROA_VALID;
+ print "Should be true: ", roa_check(r6, 2001:0db8:85a3:8a2e:1234::/80, 1000) = ROA_VALID,
+ " ", roa_check(r6, 2001:0db8:85a3:8a2e:1234::/97, 1000) = ROA_INVALID,
+ " ", roa_check(r6, 2001:0db8:85a3:8a2e::/64, 1000) = ROA_VALID,
+ " ", roa_check(r6, 2001:0db8:85a3::/48, 1000) = ROA_UNKNOWN;
+
+ print "Should be true: ", roa_check(r4, 10.10.0.0/16, 1000) = ROA_UNKNOWN,
+ " ", roa_check(r4, 10.0.0.0/8, 1000) = ROA_UNKNOWN,
+ " ", roa_check(r4, 10.110.0.0/16, 1000) = ROA_VALID,
+ " ", roa_check(r4, 10.110.0.0/16, 2000) = ROA_INVALID,
+ " ", roa_check(r4, 10.110.32.0/20, 1000) = ROA_INVALID,
+ " ", roa_check(r4, 10.120.32.0/20, 1000) = ROA_VALID;
+
+ print "Should be true: ", roa_check(r6, 2001:0db8:85a3:8a2e:1234::/80, 1000) = ROA_VALID,
+ " ", roa_check(r6, 2001:0db8:85a3:8a2e:1234::/97, 1000) = ROA_INVALID,
+ " ", roa_check(r6, 2001:0db8:85a3:8a2e::/64, 1000) = ROA_VALID,
+ " ", roa_check(r6, 2001:0db8:85a3::/48, 1000) = ROA_UNKNOWN;
+
+ print "Should be true: ", roa_check(r4, 2001:0db8:85a3:8a2e:1234::/97, 1000) = ROA_INVALID ||
+ roa_check(r6, 2001:0db8:85a3:8a2e:1234::/97, 1000) = ROA_INVALID;
+
+ print "Should be false: ", roa_check(r4, 2001:0db8:85a3:8a2e:1234::/80, 1000) = ROA_INVALID ||
+ roa_check(r6, 2001:0db8:85a3:8a2e:1234::/80, 1000) = ROA_INVALID,
+ " ", roa_check(r4, 2001:0db8:85a3::/48, 1000) = ROA_INVALID ||
+ roa_check(r6, 2001:0db8:85a3::/48, 1000) = ROA_INVALID;
+
+ print "Should be true: ", 10.130.130.0/24 ~ 0.0.0.0/0,
+ " ", 2001:0db8:85a3:8a2e::/64 ~ ::/0;
+ print "Should be false: ", 10.130.130.0/24 ~ ::/0,
+ " ", 2001:0db8:85a3:8a2e::/64 ~ 0.0.0.0/0;
+}
+
+function roa_operators_test()
+prefix pfx;
+{
+ print "Testing ROA prefix operators '.maxlen' and '.asn':";
+
+ pfx = 12.13.0.0/16 max 24 as 1234;
+ print pfx;
+ print "Should be true: ", pfx.len = 16, " ", pfx.maxlen = 24, " ", pfx.asn = 1234;
+
+ pfx = 1000::/8 max 32 as 1234;
+ print pfx;
+ print "Should be true: ", pfx.len = 8, " ", pfx.maxlen = 32, " ", pfx.asn = 1234;
}
-*/ \ No newline at end of file
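Review bot: The cross-family cases in test_roa_check() only assert `= ROA_INVALID` through `||`, so they never pin down what a prefix/table family mismatch actually returns. Direct assertions such as `roa_check(r4, 2001:0db8:85a3::/48, 1000) = ROA_UNKNOWN` and `roa_check(r6, 10.110.0.0/16, 1000) = ROA_UNKNOWN` would cover the new mismatch branch in filter.c explicitly. The second r4 print block and the second r6 print block repeat the earlier ones verbatim and add no coverage. roa_operators_test() exercises `.maxlen` and `.asn` only on ROA prefixes; what happens when they are applied to a plain prefix (the "ROA expected" path) is left untested, which may be deliberate if a runtime error would abort the test run.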