authorDonald Sharp <sharpd@cumulusnetworks.com>2020-02-20 12:14:03 -0500
committerDonald Sharp <sharpd@cumulusnetworks.com>2020-03-06 16:27:01 -0500
commitf4e74bd0389c073d2940615b812bf397b9147dcc (patch)
tree027688fde0603a5bc37ab1fcfb09fe977ff090f5
parent2ca35b64373e7efbe2541c77e0ebc07dfc1b25a5 (diff)
pimd: Add `ip pim register-accept-list PLIST` command
When pim receives a register packet, we will apply the received source to the prefix list. If accepted normal processing continues. If denied we will send a register stop message to the source. Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>
-rw-r--r--doc/user/pim.rst8
-rw-r--r--pimd/pim_cmd.c22
-rw-r--r--pimd/pim_instance.c1
-rw-r--r--pimd/pim_instance.h3
-rw-r--r--pimd/pim_register.c27
-rw-r--r--pimd/pim_vty.c5
6 files changed, 66 insertions, 0 deletions
diff --git a/doc/user/pim.rst b/doc/user/pim.rst
index 9876216736..5b566f4405 100644
--- a/doc/user/pim.rst
+++ b/doc/user/pim.rst
@@ -66,6 +66,14 @@ Certain signals have special meanings to *pimd*.
prefix of group ranges covered. This command is vrf aware, to configure for
a vrf, enter the vrf submode.
+.. index:: ip pim register-accept-list PLIST
+.. clicmd:: ip pim register-accept-list PLIST
+
+ When pim receives a register packet the source of the packet will be compared
+ to the prefix-list specified, PLIST, and if a permit is received normal
+ processing continues. If a deny is returned for the source address of the
+ register packet a register stop message is sent to the source.
+
.. index:: ip pim spt-switchover infinity-and-beyond
.. clicmd:: ip pim spt-switchover infinity-and-beyond
diff --git a/pimd/pim_cmd.c b/pimd/pim_cmd.c
index 3633350a1d..137f68d72a 100644
--- a/pimd/pim_cmd.c
+++ b/pimd/pim_cmd.c
@@ -6650,6 +6650,26 @@ DEFUN (no_ip_pim_spt_switchover_infinity_plist,
return pim_cmd_spt_switchover(pim, PIM_SPT_IMMEDIATE, NULL);
}
+DEFPY (pim_register_accept_list,
+ pim_register_accept_list_cmd,
+ "[no] ip pim register-accept-list WORD$word",
+ NO_STR
+ IP_STR
+ PIM_STR
+ "Only accept registers from a specific source prefix list\n"
+ "Prefix-List name\n")
+{
+ PIM_DECLVAR_CONTEXT(vrf, pim);
+
+ if (no)
+ XFREE(MTYPE_PIM_PLIST_NAME, pim->register_plist);
+ else {
+ XFREE(MTYPE_PIM_PLIST_NAME, pim->register_plist);
+ pim->register_plist = XSTRDUP(MTYPE_PIM_PLIST_NAME, word);
+ }
+ return CMD_SUCCESS;
+}
+
DEFUN (ip_pim_joinprune_time,
ip_pim_joinprune_time_cmd,
"ip pim join-prune-interval (60-600)",
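Review bot: In the `no` branch of `pim_register_accept_list` the grammar requires `word`, but it is never compared with `pim->register_plist`. So `no ip pim register-accept-list <any name>` clears the filter even when the name is a typo or refers to a different list, which silently removes an access control. Consider rejecting a mismatch before freeing, e.g. `if (no && pim->register_plist && strcmp(pim->register_plist, word) != 0) return CMD_WARNING_CONFIG_FAILED;`. As a style point, the `XFREE(MTYPE_PIM_PLIST_NAME, pim->register_plist);` call is duplicated in both branches and could be hoisted above the `if`, leaving only `if (!no) pim->register_plist = XSTRDUP(MTYPE_PIM_PLIST_NAME, word);`.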
@@ -10743,6 +10763,8 @@ void pim_cmd_init(void)
install_element(CONFIG_NODE,
&no_ip_pim_spt_switchover_infinity_plist_cmd);
install_element(VRF_NODE, &no_ip_pim_spt_switchover_infinity_plist_cmd);
+ install_element(CONFIG_NODE, &pim_register_accept_list_cmd);
+ install_element(VRF_NODE, &pim_register_accept_list_cmd);
install_element(CONFIG_NODE, &ip_pim_joinprune_time_cmd);
install_element(VRF_NODE, &ip_pim_joinprune_time_cmd);
install_element(CONFIG_NODE, &no_ip_pim_joinprune_time_cmd);
diff --git a/pimd/pim_instance.c b/pimd/pim_instance.c
index 795f79b351..2cda628a90 100644
--- a/pimd/pim_instance.c
+++ b/pimd/pim_instance.c
@@ -70,6 +70,7 @@ static void pim_instance_terminate(struct pim_instance *pim)
pim_msdp_exit(pim);
XFREE(MTYPE_PIM_PLIST_NAME, pim->spt.plist);
+ XFREE(MTYPE_PIM_PLIST_NAME, pim->register_plist);
XFREE(MTYPE_PIM_PIM_INSTANCE, pim);
}
diff --git a/pimd/pim_instance.h b/pimd/pim_instance.h
index 7b1fd2e172..48dc2d9530 100644
--- a/pimd/pim_instance.h
+++ b/pimd/pim_instance.h
@@ -135,6 +135,9 @@ struct pim_instance {
char *plist;
} spt;
+ /* The name of the register-accept prefix-list */
+ char *register_plist;
+
struct hash *rpf_hash;
void *ssm_info; /* per-vrf SSM configuration */
diff --git a/pimd/pim_register.c b/pimd/pim_register.c
index 3b58f6133c..7b0af89993 100644
--- a/pimd/pim_register.c
+++ b/pimd/pim_register.c
@@ -389,6 +389,33 @@ int pim_register_recv(struct interface *ifp, struct in_addr dest_addr,
== ((RP(pim, sg.grp))->rpf_addr.u.prefix4.s_addr))) {
sentRegisterStop = 0;
+ if (pim->register_plist) {
+ struct prefix_list *plist;
+ struct prefix src;
+
+ plist = prefix_list_lookup(AFI_IP, pim->register_plist);
+
+ src.family = AF_INET;
+ src.prefixlen = IPV4_MAX_PREFIXLEN;
+ src.u.prefix4 = sg.src;
+
+ if (prefix_list_apply(plist, &src) == PREFIX_DENY) {
+ pim_register_stop_send(ifp, &sg, dest_addr,
+ src_addr);
+ if (PIM_DEBUG_PIM_PACKETS) {
+ char src_str[INET_ADDRSTRLEN];
+
+ pim_inet4_dump("<src?>", src_addr,
+ src_str,
+ sizeof(src_str));
+ zlog_debug("%s: Sending register-stop to %s for %pSG4 due to prefix-list denial, dropping packet",
+ __func__, src_str, &sg);
+ }
+
+ return 0;
+ }
+ }
+
if (*bits & PIM_REGISTER_BORDER_BIT) {
struct in_addr pimbr = pim_br_get_pmbr(&sg);
if (PIM_DEBUG_PIM_PACKETS)
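Review bot: The result of `prefix_list_lookup(AFI_IP, pim->register_plist)` is passed to `prefix_list_apply()` unchecked, so if the configured name matches no prefix-list (a typo, or the list is deleted later), whether registers are accepted or dropped depends on how `prefix_list_apply()` treats a NULL list, which is not visible in this hunk. For an access filter the outcome should be explicit and fail closed, e.g. `if (!plist || prefix_list_apply(plist, &src) == PREFIX_DENY)`, with the debug message distinguishing a missing list from a deny. `struct prefix src` is only partly assigned before use; `struct prefix src = {0};` would keep the remaining bytes defined. The match is on `sg.src` (presumably the source inside the encapsulated packet) while the register-stop goes to `src_addr`, so a comment such as `/* filter on the (S,G) source carried in the register, not on the register sender */` would stop operators reading this as a filter on which routers may register. `pim_register_recv` starts and ends outside the hunk.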
diff --git a/pimd/pim_vty.c b/pimd/pim_vty.c
index b5a5089ae7..f8fc09717e 100644
--- a/pimd/pim_vty.c
+++ b/pimd/pim_vty.c
@@ -211,6 +211,11 @@ int pim_global_config_write_worker(struct pim_instance *pim, struct vty *vty)
ssm->plist_name);
++writes;
}
+ if (pim->register_plist) {
+ vty_out(vty, "%sip pim register-accept-list %s\n", spaces,
+ pim->register_plist);
+ ++writes;
+ }
if (pim->spt.switchover == PIM_SPT_INFINITY) {
if (pim->spt.plist)
vty_out(vty,