| author | Corey Siltala <csiltala@atcorp.com> | 2024-11-25 10:36:54 -0600 |
|---|---|---|
| committer | Corey Siltala <csiltala@atcorp.com> | 2024-12-06 14:44:17 -0600 |
| commit | 4de4017d64ccaaa5a0f768873bc36aad4a8912a6 (patch) | |
| tree | 7bb032b90c4c08f3f65f188f60220e267f0a89a4 /pimd/pim_util.c | |
| parent | a9bee74ea2ed6e91a7a49d291ad1a8d3c2c1bec0 (diff) | |
pimd,yang: Extend multicast boundary functionality
Add new interface command ip multicast boundary ACCESSLIST4_NAME. This
allows filtering on both source and group using the extended access-list
syntax vs. group-only as with the existing "ip multicast boundary oil"
command, which uses prefix-lists. If both are configured, the prefix-
list is evaluated first. The default behavior for both prefix-lists and
access-lists remains "deny", so the prefix-list must have a terminating
"permit" statement in order to also evaluate against the access-list.
The following example denies groups in range 229.1.1.0/24 and groups in
range 232.1.1.0/24 with source 10.0.20.2:
!
ip prefix-list pim-oil-plist seq 10 deny 229.1.1.0/24
ip prefix-list pim-oil-plist seq 20 permit any
!
access-list pim-acl seq 10 deny ip host 10.0.20.2 232.1.1.0 0.0.0.255
access-list pim-acl seq 20 permit ip any any
!
interface r1-eth0
ip address 10.0.20.1/24
ip igmp
ip pim
ip multicast boundary oil pim-oil-plist
ip multicast boundary pim-acl
!
Signed-off-by: Corey Siltala <csiltala@atcorp.com>
Diffstat (limited to 'pimd/pim_util.c')
| -rw-r--r-- | pimd/pim_util.c | 43 |
1 files changed, 36 insertions, 7 deletions
diff --git a/pimd/pim_util.c b/pimd/pim_util.c
index 49ae6949a2..b6f3be52fc 100644
--- a/pimd/pim_util.c
+++ b/pimd/pim_util.c
@@ -10,6 +10,8 @@
 #include "prefix.h"
 #include "plist.h"
+#include "pimd.h"
+#include "pim_instance.h"
 #include "pim_util.h"
 /*
@@ -167,20 +169,47 @@ enum filter_type pim_access_list_apply(struct access_list *access, const struct
 return access_list_apply(access, &group_prefix);
 }
-bool pim_is_group_filtered(struct pim_interface *pim_ifp, pim_addr *grp)
+bool pim_is_group_filtered(struct pim_interface *pim_ifp, pim_addr *grp, pim_addr *src)
 {
- struct prefix grp_pfx;
- struct prefix_list *pl;
+ bool is_filtered = false;
+#if PIM_IPV == 4
+ struct prefix grp_pfx = {};
+ struct prefix_list *pl = NULL;
+ pim_addr any_src = PIMADDR_ANY;
- if (!pim_ifp->boundary_oil_plist)
+ if (!pim_ifp->boundary_oil_plist && !pim_ifp->boundary_acl)
 return false;
 pim_addr_to_prefix(&grp_pfx, *grp);
 pl = prefix_list_lookup(PIM_AFI, pim_ifp->boundary_oil_plist);
- return pl ? prefix_list_apply_ext(pl, NULL, &grp_pfx, true) ==
- PREFIX_DENY
- : false;
+
+ /* Filter if either group or (S,G) are denied */
+ if (pl) {
+ is_filtered = prefix_list_apply_ext(pl, NULL, &grp_pfx, true) == PREFIX_DENY;
+ if (is_filtered && PIM_DEBUG_EVENTS) {
+ zlog_debug("Filtering group %pI4 per prefix-list %s", grp,
+ pim_ifp->boundary_oil_plist);
+ }
+ }
+ if (!is_filtered && pim_ifp->boundary_acl) {
+ /* If src not provided, set to "any" (*)? */
+ if (!src)
+ src = &any_src;
+ /* S,G filtering using extended access-list syntax */
+ is_filtered = pim_access_list_apply(pim_ifp->boundary_acl, src, grp) == FILTER_DENY;
+ if (is_filtered && PIM_DEBUG_EVENTS) {
+ if (pim_addr_is_any(*src)) {
+ zlog_debug("Filtering (S,G)=(*, %pI4) per access-list %s", grp,
+ pim_ifp->boundary_acl->name);
+ } else {
+ zlog_debug("Filtering (S,G)=(%pI4, %pI4) per access-list %s", src,
+ grp, pim_ifp->boundary_acl->name);
+ }
+ }
+ }
+#endif
+ return is_filtered;
 } |
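Review bot: Wrapping the whole body of pim_is_group_filtered() in `#if PIM_IPV == 4` makes it return false unconditionally in IPv6 builds, whereas the removed code applied `boundary_oil_plist` through `PIM_AFI` for either address family; if pim6d can configure a boundary prefix-list, that boundary now fails open with no log line. Only the access-list branch and the `%pI4` debug formats look IPv4-specific, so the guard could be narrowed to the `if (!is_filtered && pim_ifp->boundary_acl)` block (with `any_src` declared inside it) and the prefix-list message written address-family-neutral, `zlog_debug("Filtering group %pPA per prefix-list %s", grp, pim_ifp->boundary_oil_plist);`. Separately, `boundary_acl` is dereferenced as a stored pointer (`->name`) while the prefix-list is re-resolved by name on every call; the code that clears that pointer when the access-list is deleted is not in this hunk and is worth checking for a stale reference. A short doc comment on the function should also state that a configured but unresolved prefix-list name yields "not filtered", since that is a fail-open default for a boundary control.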
