pimd: Extend multicast boundary/ACL functionality #17461
base: master
/* if we are filtering this group, skip the prune */ | ||
if (filtered) | ||
continue; | ||
|
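Review bot: The `if (filtered) continue;` under the "skip the prune" comment drops prune handling for every filtered group, which includes an (S,G) that was already being forwarded when the boundary filter was applied; that state would then remain until it times out instead of being removed by the prune. Either process prunes regardless of `filtered`, or extend the comment to explain why skipping is safe at this point.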
Is the reasoning here that we should always scan the prune sources regardless of filtering rules?
Prunes for flows for which we have no state have no effect, but if we begin filtering a (S,G) that is already being forwarded, then we'll want to continue processing prunes for that flow if it tries to prune before the flow state times out.
Is there any particular reason you don't actually have any commit message? Make it easier for the person coming behind you to look at what you were doing / thinking about the functionality.
This pull request has conflicts, please resolve those before we can evaluate the pull request.
7927e7e to 0488c55
Add new interface command ip multicast boundary ACCESSLIST4_NAME. This allows filtering on both source and group using the extended access-list syntax vs. group-only as with the existing "ip multicast boundary oil" command, which uses prefix-lists. If both are configured, the prefix-list is evaluated first. The default behavior for both prefix-lists and access-lists remains "deny", so the prefix-list must have a terminating "permit" statement in order to also evaluate against the access-list.

The following example denies groups in range 229.1.1.0/24 and groups in range 232.1.1.0/24 with source 10.0.20.2:

```
!
ip prefix-list pim-oil-plist seq 10 deny 229.1.1.0/24
ip prefix-list pim-oil-plist seq 20 permit any
!
access-list pim-acl seq 10 deny ip host 10.0.20.2 232.1.1.0 0.0.0.255
access-list pim-acl seq 20 permit ip any any
!
interface r1-eth0
 ip address 10.0.20.1/24
 ip igmp
 ip pim
 ip multicast boundary oil pim-oil-plist
 ip multicast boundary pim-acl
!
```

Also move the extended access-list handling from pim_msdp_packet.c to pim_util.c to allow use elsewhere in the daemon.

Signed-off-by: Corey Siltala <csiltala@atcorp.com>
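The evaluation order described in the commit message above, modelled as an added example (not code from this pull request or from FRR). It assumes the prefix-list matches a group by containment in the prefix and that the access-list uses wildcard-mask matching; all function and variable names are hypothetical, and the rule tables are constructed from the example configuration.

```python
import ipaddress

def ip(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, net, wild):
    """Wildcard-mask match: bits set in `wild` are ignored."""
    care = ~ip(wild) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(net) & care)

# Constructed from the example configuration (assumed data layout).
# prefix-list entries: (action, prefix or "any")
PIM_OIL_PLIST = [("deny", "229.1.1.0/24"), ("permit", "any")]
# access-list entries: (action, source, source wildcard, group, group wildcard)
PIM_ACL = [
    ("deny", "10.0.20.2", "0.0.0.0", "232.1.1.0", "0.0.0.255"),
    ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

def plist_permits(plist, group):
    for action, prefix in plist:
        if prefix == "any" or (
            ipaddress.IPv4Address(group) in ipaddress.IPv4Network(prefix)
        ):
            return action == "permit"
    return False  # no entry matched: default deny

def acl_permits(acl, source, group):
    for action, src, src_wild, grp, grp_wild in acl:
        if wildcard_match(source, src, src_wild) and wildcard_match(
            group, grp, grp_wild
        ):
            return action == "permit"
    return False  # no entry matched: default deny

def boundary_filtered(source, group, plist=None, acl=None):
    """True if (source, group) is filtered; the prefix-list is checked first."""
    if plist is not None and not plist_permits(plist, group):
        return True
    if acl is not None and not acl_permits(acl, source, group):
        return True
    return False
```

Passing a prefix-list without the terminating `permit any` entry shows the caveat from the commit message: every group it does not match hits the default deny, so the access-list is never consulted.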
Add simple test to show filtering of IGMP joins using new "ip multicast boundary" filtering with access-lists, include test of existing prefix-list based "ip multicast boundary oil" command.

Signed-off-by: Corey Siltala <csiltala@atcorp.com>

Add documentation for existing extended access-list functionality and the new "ip multicast boundary" command leveraging that functionality.

Signed-off-by: Corey Siltala <csiltala@atcorp.com>
0488c55 to 4bb592e
@donaldsharp I've updated the commit messages; let me know if you'd like any further changes.
`ip multicast boundary ACCESSLIST4_NAME`. This allows filtering on both source and group vs. group-only as with the existing `ip multicast boundary oil WORD` command, which uses prefix-lists. If both are configured, the prefix-list is evaluated first.