author Matthieu Texier <matthieu@texier.tv> 2017-03-02 15:56:02 +0900
committer FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp> 2017-03-02 15:56:02 +0900
commit 55e96842593e9645ea0866398d57cfa8a8530385 (patch)
tree 7d821ee75f9a787b6735e6d75c52622aef2b607e /docs/sources
parent 9a28be912628741654140edf8e3d77a2028a96e8 (diff)
flowspec: comply with new draft RFC5575bis normalized operators
Diffstat (limited to 'docs/sources')
-rw-r--r-- docs/sources/flowspec.md 34
1 files changed, 28 insertions, 6 deletions
diff --git a/docs/sources/flowspec.md b/docs/sources/flowspec.md
index e2b02fcb..bb498a48 100644
--- a/docs/sources/flowspec.md
+++ b/docs/sources/flowspec.md
@@ -50,7 +50,7 @@ CLI syntax to add ipv4/ipv6 flowspec rule is
<PROTO> : ospf, pim, igp, udp, igmp, tcp, egp, rsvp, gre, ipip, unknown, icmp, sctp, <VALUE>
<FRAGMENT_TYPE> : dont-fragment, is-fragment, first-fragment, last-fragment, not-a-fragment
<TCPFLAG> : U, C, E, F, S, R, P, A
- <ITEM> : &?{<|>|=}<value>
+ <ITEM> : &?{<|>|>=|<=|==|!=}<value>
<THEN_EXPR> : { accept | discard | rate-limit <value> | redirect <RT> | mark <value> | action { sample | terminal | sample-terminal } | rt <RT>... }...
<RT> : xxx:yyy, xx.xx.xx.xx:yyy, xxx.xxx:yyy
```
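Review bot: The new <ITEM> line removes the bare `=` operator from the grammar without saying whether it is still accepted. Anyone with scripts or runbooks that push rules such as '=80' cannot tell from this doc whether those rules keep working or are rejected, and a filter that fails to install leaves the traffic it was meant to handle untouched. Suggest one sentence stating that `=` is replaced by `==`, or that it is kept as an alias if that is the case.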
@@ -61,11 +61,29 @@ that for l2vpn flowspec rule is
% global rib add match <MATCH_EXPR> then <THEN_EXPR> -a [l2vpn-flowspec]
<MATCH_EXPR> : { { destination-mac | source-mac } <MAC> | ether-type <ETHER_TYPE> | { llc-dsap | llc-ssap | llc-control | snap | vid | cos | inner-vid | inner-cos } <ITEM>... }...
<ETHER_TYPE> : arp, vmtp, ipx, snmp, net-bios, xtp, pppoe-discovery, ipv4, rarp, ipv6, pppoe-session, loopback, apple-talk, aarp
- <ITEM> : &?{<|>|=}<value>
+ <ITEM> : &?{<|>|>=|<=|==|!=}<value>
<THEN_EXPR> : { accept | discard | rate-limit <value> | redirect <RT> | mark <value> | action { sample | terminal | sample-terminal } | rt <RT>... }...
<RT> : xxx:yyy, xx.xx.xx.xx:yyy, xxx.xxx:yyy
```
+### Decimal values and Operators
+Gobgp comply with the following draft: https://tools.ietf.org/html/draft-hr-idr-rfc5575bis-03
+
+All decimal values like ports, destination port, source port, procotol number can be married with the following operators:
+```
+ +----+----+----+----------------------------------+
+ | lt | gt | eq | Resulting operation |
+ +----+----+----+----------------------------------+
+ | 0 | 0 | 0 | true (independent of the value) |
+ | 0 | 0 | 1 | == (equal) |
+ | 0 | 1 | 0 | > (greater than) |
+ | 0 | 1 | 1 | >= (greater than or equal) |
+ | 1 | 0 | 0 | < (less than) |
+ | 1 | 0 | 1 | <= (less than or equal) |
+ | 1 | 1 | 0 | != (not equal value) |
+ | 1 | 1 | 1 | false (independent of the value) |
+ +----+----+----+----------------------------------+
+```
### Examples
```shell
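Review bot: The added prose lines need a wording pass: "Gobgp comply" should read "GoBGP complies", "procotol" is a typo, and "married with" probably means "combined with". The table also lists the lt/gt/eq combinations that yield "true" and "false", for which the <ITEM> grammar above offers no syntax, so a line saying which rows can be expressed from the CLI would help. The section does not say how `&` and space-separated items combine, which the examples further down rely on. A blank line before the "### Decimal values and Operators" heading and before the fence would make the markdown render more reliably.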
@@ -73,7 +91,7 @@ that for l2vpn flowspec rule is
% gobgp global rib -a ipv4-flowspec add match destination 10.0.0.0/24 source 20.0.0.0/24 then redirect 10:10
# add a flowspec rule wich discard flows with dst 2001::2/128 and port equals 80 and with TCP flags not match SA (SYN/ACK) and not match U (URG)
-% gobgp global rib -a ipv6-flowspec add match destination 2001::2/128 port '=80' tcp-flags '=!SA&=!U' then discard
+% gobgp global rib -a ipv6-flowspec add match destination 2001::2/128 port '==80' tcp-flags '=!SA&=!U' then discard
# show flowspec table
% gobgp global rib -a ipv4-flowspec
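Review bot: On the changed command, port now uses '==80' while tcp-flags on the same line still uses '=!SA&=!U', and nothing explains why the two differ. Suggest a short note that the new operators apply to decimal values only and that the tcp-flags syntax is unchanged, so readers do not rewrite the flag match to `==`. The comment line above the command also has "wich" for "which", which could be fixed in the same pass.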
@@ -81,17 +99,21 @@ that for l2vpn flowspec rule is
*> [destination:10.0.0.0/24][source:20.0.0.0/24] 0.0.0.0 00:00:04 [{Origin: i} {Extcomms: [redirect: 10:10]}]
# add another flowspec rule which discard flows whose ip protocol is tcp and destination port is 80 or greater than or equal to 8080 and lesser than or equal to 8888
-% gobgp global rib -a ipv4-flowspec add match protocol tcp destination-port '=80' '>=8080&<=8888' then discard
+% gobgp global rib -a ipv4-flowspec add match protocol tcp destination-port '==80' '>=8080&<=8888' then discard
+
+# add flowspec rule to drop traffic not going to destination port 80, 443 or 22
+
+gobgp global rib -a ipv4-flowspec add match destination 2.2.2.2/32 dest-port '!=80&!=443&!=22' then discard
% gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
*> [destination:10.0.0.0/24][source:20.0.0.0/24] 0.0.0.0 00:03:19 [{Origin: i} {Extcomms: [redirect: 10:10]}]
-*> [protocol: tcp][destination-port: =80 >=8080&<=8888] 0.0.0.0 00:00:03 [{Origin: i} {Extcomms: [discard]}]
+*> [protocol: tcp][destination-port: ==80 >=8080&<=8888] 0.0.0.0 00:00:03 [{Origin: i} {Extcomms: [discard]}]
# delete a flowspec rule
% gobgp global rib -a ipv4-flowspec del match destination 10.0.0.0/24 source 20.0.0.0/24 then redirect 10:10
% gobgp global rib -a ipv4-flowspec
Network Next Hop AS_PATH Age Attrs
-*> [protocol: tcp][destination-port: =80 >=8080&<=8888] 0.0.0.0 00:00:03 [{Origin: i} {Extcomms: [discard]}]
+*> [protocol: tcp][destination-port: ==80 >=8080&<=8888] 0.0.0.0 00:00:03 [{Origin: i} {Extcomms: [discard]}]
```
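Review bot: The added command "gobgp global rib -a ipv4-flowspec add match destination 2.2.2.2/32 dest-port ..." uses `dest-port`, while the other example in this block uses `destination-port`; please confirm the keyword and use one spelling throughout. It is also missing the `% ` prompt that every other command in the block carries, and the blank lines around it break the block's layout. The `gobgp global rib -a ipv4-flowspec` output that follows still lists only two rules and does not show the new 2.2.2.2/32 entry, so either add the expected line to both listings or move the new example after them.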