| author | Corey Siltala <csiltala@atcorp.com> | 2024-11-14 13:08:52 -0600 |
|---|---|---|
| committer | Corey Siltala <csiltala@atcorp.com> | 2024-12-06 14:44:52 -0600 |
| commit | ff5309ca2d0291cd6da776dd83c210fb01aeb948 (patch) | |
| tree | 338ab2396fc2469c95d36abbf82fbbd45789165f | |
| parent | 7c2c70dd2b2a826847f66c095206792a0b7e1ff6 (diff) | |
doc: Expand ACL and multicast boundary documentation
Add documentation for existing extended access-list functionality and
the new "ip multicast boundary" command leveraging that functionality.
Signed-off-by: Corey Siltala <csiltala@atcorp.com>
| -rw-r--r-- | doc/user/filter.rst | 27 |
| -rw-r--r-- | doc/user/pim.rst | 46 |
2 files changed, 65 insertions, 8 deletions
diff --git a/doc/user/filter.rst b/doc/user/filter.rst index c1146e50aa..be63095166 100644 --- a/doc/user/filter.rst +++ b/doc/user/filter.rst @@ -9,9 +9,7 @@ defined, it can be applied in any direction. IP Access List ============== -.. clicmd:: access-list NAME [seq (1-4294967295)] permit IPV4-NETWORK - -.. clicmd:: access-list NAME [seq (1-4294967295)] deny IPV4-NETWORK +.. clicmd:: access-list NAME [seq (1-4294967295)] <permit|deny> <A.B.C.D/M [exact-match]|any> seq seq `number` can be set either automatically or manually. In the @@ -35,6 +33,29 @@ IP Access List access-list filter permit 10.0.0.0/8 access-list filter seq 13 permit 10.0.0.0/7 +.. clicmd:: access-list NAME [seq (1-4294967295)] <deny|permit> ip <A.B.C.D A.B.C.D|host A.B.C.D|any> <A.B.C.D A.B.C.D|host A.B.C.D|any> + + The extended access-list syntax enables filtering on both source and destination + IP addresses (or source and group, if used for multicast boundaries). The + source address is first in order in the command. + + If providing a mask, note that the access-lists use wildcard masks (inverse + matching logic of subnet masks). If specifying ``host``, only the single address + given will be matched. + + A basic example is as follows: + + .. code-block:: frr + + access-list filter seq 5 permit ip host 10.0.20.2 232.1.1.0 0.0.0.128 + access-list filter seq 10 deny ip 10.0.20.0 0.0.0.255 232.1.1.0 0.0.0.255 + access-list filter seq 15 permit ip any any + + .. note :: + + If an access-list is specified but no match is found, the default verdict + is deny. + .. clicmd:: show <ip|ipv6> access-list [json] Display all IPv4 or IPv6 access lists. diff --git a/doc/user/pim.rst b/doc/user/pim.rst index 05418da5a9..ef49b076df 100644 --- a/doc/user/pim.rst +++ b/doc/user/pim.rst 
@@ -6,9 +6,9 @@ PIM PIM -- Protocol Independent Multicast -*pimd* supports pim-sm as well as igmp v2 and v3. pim is -vrf aware and can work within the context of vrf's in order to -do S,G mrouting. Additionally PIM can be used in the EVPN underlay +*pimd* supports PIM-SM as well as IGMP v2 and v3. PIM is +VRF aware and can work within the context of VRFs in order to +do S,G mrouting. Additionally, PIM can be used in the EVPN underlay network for optimizing forwarding of overlay BUM traffic. .. note:: 
@@ -348,10 +348,46 @@ is in a vrf, enter the interface command with the vrf keyword at the end. .. clicmd:: ip multicast boundary oil WORD - Set a pim multicast boundary, based upon the WORD prefix-list. If a pim join - or IGMP report is received on this interface and the Group is denied by the + Set a PIM multicast boundary, based upon the WORD prefix-list. If a PIM join + or IGMP report is received on this interface and the group is denied by the prefix-list, PIM will ignore the join or report. + .. code-block:: frr + + prefix-list multicast-acl seq 5 permit 232.1.1.1/32 + prefix-list multicast-acl seq 10 deny 232.1.1.0/24 + prefix-list multicast-acl seq 15 permit any + ! + interface r1-eth0 + ip pim + ip igmp + ip multicast boundary oil multicast-acl + exit + +.. clicmd:: ip multicast boundary ACCESS-LIST + + Set a PIM multicast boundary, based upon the ACCESS-LIST. If a PIM join + or IGMP report is received on this interface and the (S,G) tuple is denied by the + access-list, PIM will ignore the join or report. + + To filter on both source and group, the extended access-list syntax must be used. + + If both a prefix-list and access-list are configured for multicast boundaries, + the prefix-list will be evaluated first (and must have a terminating "permit any" + in order to also evaluate against the access-list). + + .. code-block:: frr + + access-list multicast-acl seq 5 permit ip host 10.0.20.2 host 232.1.1.1 + access-list multicast-acl seq 10 deny ip 10.0.20.0 0.0.0.255 232.1.1.0 0.0.0.255 + access-list multicast-acl seq 15 permit ip any any + ! + interface r1-eth0 + ip pim + ip igmp + ip multicast boundary pim-acl + exit + .. clicmd:: ip igmp last-member-query-count (1-255) Set the IGMP last member query count. The default value is 2. 'no' form of |
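Review bot: In the filter.rst hunk, the wildcard mask in the first example line, `access-list filter seq 5 permit ip host 10.0.20.2 232.1.1.0 0.0.0.128`, is unlikely to be what the example intends: a wildcard of 0.0.0.128 makes only bit 7 of the last octet a don't-care, so the entry matches exactly two groups, 232.1.1.0 and 232.1.1.128. Since the paragraph directly above introduces wildcard masks as the inverse of subnet masks, readers will copy this as a template; if the intent is "the lower half of 232.1.1.0/24", the mask should be 0.0.0.127 (and a one-line reminder that 0.0.0.255 is the wildcard for a /24 would help). Minor style point in the same hunk: `.. note ::` has a space before the colons, while the rest of the user docs (and the pim.rst hunk below) write `.. note::`.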
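Review bot: In the pim.rst boundary hunk, the example configuration is internally inconsistent: the three `access-list` lines define a list named `multicast-acl`, but the interface then applies `ip multicast boundary pim-acl`, which is never defined, so the snippet as written does not exercise the rules it shows. Change the interface line to `ip multicast boundary multicast-acl`. Separately, the prefix-list example directly above also uses the name `multicast-acl`; because the new text explains that a prefix-list and an access-list can both be configured and are evaluated in order, giving the two objects distinct names (for example `multicast-pl` and `multicast-acl`) would stop readers from assuming they are the same list. It would also be worth stating in the `ip multicast boundary ACCESS-LIST` entry which address the comparison treats as source and which as group, since the filter.rst hunk only says so in passing ("source and group, if used for multicast boundaries").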
