From b4232983a23073846165ec4b148b76364ca780f2 Mon Sep 17 00:00:00 2001
From: Thomas Mangin
Date: Mon, 11 Oct 2021 16:24:14 +0100
Subject: [PATCH] backport of #1051 - fixing flow-spec tcp-flag for != and &!=

---
 etc/exabgp/conf-flow.conf                  | 15 +++++++++++++++
 lib/exabgp/bgp/message/update/nlri/flow.py |  1 +
 lib/exabgp/configuration/flow/parser.py    |  2 ++
 qa/ci/conf-flow.msg                        |  3 +++
 4 files changed, 21 insertions(+)

diff --git a/etc/exabgp/conf-flow.conf b/etc/exabgp/conf-flow.conf
index f4e66bbab..0ab51474d 100644
--- a/etc/exabgp/conf-flow.conf
+++ b/etc/exabgp/conf-flow.conf
@@ -142,5 +142,20 @@ neighbor 127.0.0.1 {
 discard;
 }
 }
+
+
+route check-tcp-flags {
+match {
+source 10.0.0.1/32;
+destination 10.0.0.2/32;
+destination-port =3128;
+protocol tcp;
+tcp-flags [SYN RST&FIN&!=push];
+}
+then {
+discard;
+}
+}
+
 }
 }
diff --git a/lib/exabgp/bgp/message/update/nlri/flow.py b/lib/exabgp/bgp/message/update/nlri/flow.py
index 919aab3bd..9a6a87e8a 100644
--- a/lib/exabgp/bgp/message/update/nlri/flow.py
+++ b/lib/exabgp/bgp/message/update/nlri/flow.py
@@ -97,6 +97,7 @@ class BinaryOperator(CommonOperator):
     INCLUDE = 0x00  # 0b00000000
     NOT = 0x02  # 0b00000010
     MATCH = 0x01  # 0b00000001
+    DIFF = NOT | MATCH
 
 
 def _len_to_bit(value):
diff --git a/lib/exabgp/configuration/flow/parser.py b/lib/exabgp/configuration/flow/parser.py
index 22eefc00b..02e5b294e 100644
--- a/lib/exabgp/configuration/flow/parser.py
+++ b/lib/exabgp/configuration/flow/parser.py
@@ -122,6 +122,8 @@ def _operator_binary(string):
     if string[0] == '=':
         return BinaryOperator.MATCH, string[1:]
     elif string[0] == '!':
+        if string.startswith('!='):
+            return BinaryOperator.DIFF, string[2:]
         return BinaryOperator.NOT, string[1:]
     else:
         return BinaryOperator.INCLUDE, string
diff --git a/qa/ci/conf-flow.msg b/qa/ci/conf-flow.msg
index e349fc6e2..845712f24 100644
--- a/qa/ci/conf-flow.msg
+++ b/qa/ci/conf-flow.msg
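Review bot: `DIFF = NOT | MATCH` is the only member of BinaryOperator without the binary-value comment its siblings carry, and nothing says which textual operator it encodes; write it as `DIFF = NOT | MATCH  # 0b00000011, the '!=' operator (NOT and MATCH bits both set)`. The value is consistent with the expected wire bytes added in qa/ci/conf-flow.msg, where the final tcp-flags operator byte 0xC3 has both low bits set. The only consumer in this patch is the parser hunk in lib/exabgp/configuration/flow/parser.py; if this module also keeps a table mapping operator values back to their textual form for rendering the NLRI, it presumably needs an entry for this value too, which is outside the patch and worth verifying. The BinaryOperator class starts outside the hunk.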
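Review bot: The new `startswith('!=')` test is nested under `elif string[0] == '!'`, so the same leading character is examined twice and the `'!'` branch now has two exits; a flat chain reads more directly, with `if string.startswith('!='): return BinaryOperator.DIFF, string[2:]` placed before the existing `'!'` branch, which then keeps its single return. Separately, `_operator_binary` still indexes `string[0]` unguarded, so an empty operand (presumably reachable from a malformed tcp-flags entry such as a dangling `&`) raises IndexError instead of a configuration error; this predates the patch, but the new branch is the natural place for a `# TODO: reject empty operand before indexing` note. The function's signature is outside the hunk, so its docstring cannot be checked here.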
@@ -36,6 +36,9 @@
 # flow destination-ipv4 192.168.0.1/32 source-ipv4 10.0.0.10/32 protocol !=TCP port !=0 destination-port !=443 source-port !=80 !=8080 extended-community discard
 1:raw:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0055:02:0000003E4001010040020040050400000064C010088006000000000000800E2200018500001C0120C0A8000102200A00000A038606048600059601BB060650961F90
+# flow source-ipv4 10.0.0.1/32 destination-ipv4 10.0.0.2/32 destination-port =3128 protocol tcp tcp-flags SYN RST&FIN&!=push extended-community discard
+1:raw:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0055:02:0000003E4001010040020040050400000064C010088006000000000000800E2200018500001C01200A00000202200A00000103810605910C3809000200044001C308
+
 # EOR
 1:raw:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:001E02:00000007900F0003000185
 1:raw:FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:001E02:00000007900F0003000186