Merge branch 'int-new-rpki-squashed' (early part) into int-new

filter/config.Y

@@ -399,8 +399,8 @@ CF_KEYWORDS(FUNCTION, PRINT, PRINTN, UNSET, RETURN,
 	TRUE, FALSE, RT, RO, UNKNOWN, GENERIC,
 	FROM, GW, NET, MASK, PROTO, SOURCE, SCOPE, CAST, DEST, IFNAME, IFINDEX,
 	PREFERENCE,
-	ROA_CHECK,
-	LEN,
+	ROA_CHECK, ASN,
+	LEN, MAXLEN,
 	DEFINED,
 	ADD, DELETE, CONTAINS, RESET,
 	PREPEND, FIRST, LAST, LAST_NONAGGREGATED, MATCH,
@@ -891,6 +891,8 @@ term:
 
  | term '.' IP { $$ = f_new_inst(); $$->code = P('c','p'); $$->a1.p = $1; $$->aux = T_IP; }
  | term '.' LEN { $$ = f_new_inst(); $$->code = 'L'; $$->a1.p = $1; }
+ | term '.' MAXLEN { $$ = f_new_inst(); $$->code = P('R','m'); $$->a1.p = $1; }
+ | term '.' ASN { $$ = f_new_inst(); $$->code = P('R','a'); $$->a1.p = $1; }
  | term '.' MASK '(' term ')' { $$ = f_new_inst(); $$->code = P('i','M'); $$->a1.p = $1; $$->a2.p = $5; }
  | term '.' FIRST { $$ = f_new_inst(); $$->code = P('a','f'); $$->a1.p = $1; }
  | term '.' LAST  { $$ = f_new_inst(); $$->code = P('a','l'); $$->a1.p = $1; }

filter/filter.c

@@ -1183,6 +1183,26 @@ interpret(struct f_inst *what)
     default: runtime( "Prefix, path, clist or eclist expected" );
     }
     break;
+  case P('R','m'): 	/* Get ROA max prefix length */
+    ONEARG;
+    if (v1.type != T_NET || !net_is_roa(v1.val.net))
+      runtime( "ROA expected" );
+
+    res.type = T_INT;
+    res.val.i = (v1.val.net->type == NET_ROA4) ?
+      ((net_addr_roa4 *) v1.val.net)->max_pxlen :
+      ((net_addr_roa6 *) v1.val.net)->max_pxlen;
+    break;
+  case P('R','a'): 	/* Get ROA ASN */
+    ONEARG;
+    if (v1.type != T_NET || !net_is_roa(v1.val.net))
+      runtime( "ROA expected" );
+
+    res.type = T_INT;
+    res.val.i = (v1.val.net->type == NET_ROA4) ?
+      ((net_addr_roa4 *) v1.val.net)->asn :
+      ((net_addr_roa6 *) v1.val.net)->asn;
+    break;
   case P('c','p'):	/* Convert prefix to ... */
     ONEARG;
     if (v1.type != T_NET)
@@ -1476,12 +1496,15 @@ interpret(struct f_inst *what)
     if (!table)
       runtime("Missing ROA table");
 
-    /* Table type is either NET_ROA4 or NET_ROA6, checked in parser */
-    if (v1.val.net->type != ((table->addr_type == NET_ROA4) ? NET_IP4 : NET_IP6))
-      runtime("Incompatible net type");
+    if (table->addr_type != NET_ROA4 && table->addr_type != NET_ROA6)
+      runtime("Table type must be either ROA4 or ROA6");
 
     res.type = T_ENUM_ROA;
-    res.val.i = net_roa_check(table, v1.val.net, as);
+
+    if (table->addr_type != (v1.val.net->type == NET_IP4 ? NET_ROA4 : NET_ROA6))
+      res.val.i = ROA_UNKNOWN; /* Prefix and table type mismatch */
+    else
+      res.val.i = net_roa_check(table, v1.val.net, as);
 
     break;
 

filter/test.conf

@@ -1139,30 +1139,80 @@ int j;
 	accept "ok I take that";
 }
 
-/*
-roa table rl
+roa4 table r4;
+roa6 table r6;
+
+protocol static
 {
-	roa 10.110.0.0/16 max 16 as 1000;
-	roa 10.120.0.0/16 max 24 as 1000;
-	roa 10.130.0.0/16 max 24 as 2000;
-	roa 10.130.128.0/18 max 24 as 3000;
+	roa4 { table r4; };
+	route 10.110.0.0/16 max 16 as 1000 blackhole;
+	route 10.120.0.0/16 max 24 as 1000 blackhole ;
+	route 10.130.0.0/16 max 24 as 2000 blackhole;
+	route 10.130.128.0/18 max 24 as 3000 blackhole;
 }
 
-function test_roa()
+protocol static
+{
+  roa6 { table r6; };
+  route 2001:0db8:85a3:8a2e::/64 max 96 as 1000 blackhole;
+}
+
+function test_roa_check()
 {
 	# cannot be tested in __startup(), sorry
-	print "Testing ROA";
-	print "Should be true: ", roa_check(rl, 10.10.0.0/16, 1000) = ROA_UNKNOWN,
-	      " ", roa_check(rl, 10.0.0.0/8, 1000) = ROA_UNKNOWN,
-	      " ", roa_check(rl, 10.110.0.0/16, 1000) = ROA_VALID,
-	      " ", roa_check(rl, 10.110.0.0/16, 2000) = ROA_INVALID,
-	      " ", roa_check(rl, 10.110.32.0/20, 1000) = ROA_INVALID,
-	      " ", roa_check(rl, 10.120.32.0/20, 1000) = ROA_VALID;
-	print "Should be true: ", roa_check(rl, 10.120.32.0/20, 2000) = ROA_INVALID,
-	      " ", roa_check(rl, 10.120.32.32/28, 1000) = ROA_INVALID,
-	      " ", roa_check(rl, 10.130.130.0/24, 1000) = ROA_INVALID,
-	      " ", roa_check(rl, 10.130.130.0/24, 2000) = ROA_VALID,
-	      " ", roa_check(rl, 10.130.30.0/24, 3000) = ROA_INVALID,
-	      " ", roa_check(rl, 10.130.130.0/24, 3000) = ROA_VALID;
+	print "Should be true: ", roa_check(r4, 10.10.0.0/16, 1000) = ROA_UNKNOWN,
+	      " ", roa_check(r4, 10.0.0.0/8, 1000) = ROA_UNKNOWN,
+	      " ", roa_check(r4, 10.110.0.0/16, 1000) = ROA_VALID,
+	      " ", roa_check(r4, 10.110.0.0/16, 2000) = ROA_INVALID,
+	      " ", roa_check(r4, 10.110.32.0/20, 1000) = ROA_INVALID,
+	      " ", roa_check(r4, 10.120.32.0/20, 1000) = ROA_VALID;
+	print "Should be true: ", roa_check(r4, 10.120.32.0/20, 2000) = ROA_INVALID,
+	      " ", roa_check(r4, 10.120.32.32/28, 1000) = ROA_INVALID,
+	      " ", roa_check(r4, 10.130.130.0/24, 1000) = ROA_INVALID,
+	      " ", roa_check(r4, 10.130.130.0/24, 2000) = ROA_VALID,
+	      " ", roa_check(r4, 10.130.30.0/24, 3000) = ROA_INVALID,
+	      " ", roa_check(r4, 10.130.130.0/24, 3000) = ROA_VALID;
+	print "Should be true: ", roa_check(r6, 2001:0db8:85a3:8a2e:1234::/80, 1000) = ROA_VALID,
+	      " ", roa_check(r6, 2001:0db8:85a3:8a2e:1234::/97, 1000) = ROA_INVALID,
+	      " ", roa_check(r6, 2001:0db8:85a3:8a2e::/64, 1000) = ROA_VALID,
+	      " ", roa_check(r6, 2001:0db8:85a3::/48, 1000) = ROA_UNKNOWN;
+
+	print "Should be true: ", roa_check(r4, 10.10.0.0/16, 1000) = ROA_UNKNOWN,
+	      " ", roa_check(r4, 10.0.0.0/8, 1000) = ROA_UNKNOWN,
+	      " ", roa_check(r4, 10.110.0.0/16, 1000) = ROA_VALID,
+	      " ", roa_check(r4, 10.110.0.0/16, 2000) = ROA_INVALID,
+	      " ", roa_check(r4, 10.110.32.0/20, 1000) = ROA_INVALID,
+	      " ", roa_check(r4, 10.120.32.0/20, 1000) = ROA_VALID;
+
+	print "Should be true: ", roa_check(r6, 2001:0db8:85a3:8a2e:1234::/80, 1000) = ROA_VALID,
+	      " ", roa_check(r6, 2001:0db8:85a3:8a2e:1234::/97, 1000) = ROA_INVALID,
+	      " ", roa_check(r6, 2001:0db8:85a3:8a2e::/64, 1000) = ROA_VALID,
+	      " ", roa_check(r6, 2001:0db8:85a3::/48, 1000) = ROA_UNKNOWN;
+
+	print "Should be true: ", roa_check(r4, 2001:0db8:85a3:8a2e:1234::/97, 1000) = ROA_INVALID ||
+	      roa_check(r6, 2001:0db8:85a3:8a2e:1234::/97, 1000) = ROA_INVALID;
+
+	print "Should be false: ", roa_check(r4, 2001:0db8:85a3:8a2e:1234::/80, 1000) = ROA_INVALID ||
+	             roa_check(r6, 2001:0db8:85a3:8a2e:1234::/80, 1000) = ROA_INVALID,
+	        " ", roa_check(r4, 2001:0db8:85a3::/48, 1000) = ROA_INVALID ||
+	             roa_check(r6, 2001:0db8:85a3::/48, 1000) = ROA_INVALID;
+
+	print "Should be true: ", 10.130.130.0/24 ~ 0.0.0.0/0,
+	      " ", 2001:0db8:85a3:8a2e::/64 ~ ::/0;
+	print "Should be false: ", 10.130.130.0/24 ~ ::/0,
+	      " ", 2001:0db8:85a3:8a2e::/64 ~ 0.0.0.0/0;
+}
+
+function roa_operators_test()
+prefix pfx;
+{
+	print "Testing ROA prefix operators '.maxlen' and '.asn':";
+
+	pfx = 12.13.0.0/16 max 24 as 1234;
+	print pfx;
+	print "Should be true: ", pfx.len = 16, " ", pfx.maxlen = 24, " ", pfx.asn = 1234;
+
+	pfx = 1000::/8 max 32 as 1234;
+	print pfx;
+	print "Should be true: ", pfx.len = 8, " ", pfx.maxlen = 32, " ", pfx.asn = 1234;
 }
-*/