[mirror_frr.git] / doc / user / filter.rst

*********
Filtering
*********

FRR provides many very flexible filtering features. Filtering is used
for both input and output of the routing information. Once filtering is
defined, it can be applied in any direction.

IP Access List
==============

.. index:: access-list NAME [seq (1-4294967295)] permit IPV4-NETWORK
.. clicmd:: access-list NAME [seq (1-4294967295)] permit IPV4-NETWORK

.. index:: access-list NAME [seq (1-4294967295)] deny IPV4-NETWORK
.. clicmd:: access-list NAME [seq (1-4294967295)] deny IPV4-NETWORK

   seq
      seq `number` can be set either automatically or manually. In the
      case that sequential numbers are set manually, the user may pick any
      number less than 4294967295. In the case that sequential number are set
      automatically, the sequential number will increase by a unit of five (5)
      per list. If a list with no specified sequential number is created
      after a list with a specified sequential number, the list will
      automatically pick the next multiple of five (5) as the list number.
      For example, if a list with number 2 already exists and a new list with
      no specified number is created, the next list will be numbered 5. If
      lists 2 and 7 already exist and a new list with no specified number is
      created, the new list will be numbered 10.

   Basic filtering is done by `access-list` as shown in the
   following example.

   .. code-block:: frr

      access-list filter deny 10.0.0.0/9
      access-list filter permit 10.0.0.0/8
      access-list filter seq 13 permit 10.0.0.0/7


IP Prefix List
==============

*ip prefix-list* provides the most powerful prefix based
filtering mechanism. In addition to *access-list* functionality,
*ip prefix-list* has prefix length range specification and
sequential number specification. You can add or delete prefix based
filters to arbitrary points of prefix-list using sequential number specification.

If no ip prefix-list is specified, it acts as permit. If *ip prefix-list*
is defined, and no match is found, default deny is applied.

.. index:: ip prefix-list NAME (permit|deny) PREFIX [le LEN] [ge LEN]
.. clicmd:: ip prefix-list NAME (permit|deny) PREFIX [le LEN] [ge LEN]

.. index:: ip prefix-list NAME seq NUMBER (permit|deny) PREFIX [le LEN] [ge LEN]
.. clicmd:: ip prefix-list NAME seq NUMBER (permit|deny) PREFIX [le LEN] [ge LEN]

   You can create *ip prefix-list* using above commands.

   seq
      seq `number` can be set either automatically or manually. In the
      case that sequential numbers are set manually, the user may pick any
      number less than 4294967295. In the case that sequential number are set
      automatically, the sequential number will increase by a unit of five (5)
      per list. If a list with no specified sequential number is created
      after a list with a specified sequential number, the list will
      automatically pick the next multiple of five (5) as the list number.
      For example, if a list with number 2 already exists and a new list with
      no specified number is created, the next list will be numbered 5. If
      lists 2 and 7 already exist and a new list with no specified number is
      created, the new list will be numbered 10.

   le
      Specifies prefix length. The prefix list will be applied if the prefix
      length is less than or equal to the le prefix length.

   ge
      Specifies prefix length. The prefix list will be applied if the prefix
      length is greater than or equal to the ge prefix length.


   Less than or equal to prefix numbers and greater than or equal to
   prefix numbers can be used together. The order of the le and ge
   commands does not matter.

   If a prefix list with a different sequential number but with the exact
   same rules as a previous list is created, an error will result.
   However, in the case that the sequential number and the rules are
   exactly similar, no error will result.

   If a list with the same sequential number as a previous list is created,
   the new list will overwrite the old list.

   Matching of IP Prefix is performed from the smaller sequential number to the
   larger. The matching will stop once any rule has been applied.

   In the case of no le or ge command, the prefix length must match exactly the
   length specified in the prefix list.

.. index:: no ip prefix-list NAME
.. clicmd:: no ip prefix-list NAME

.. _ip-prefix-list-description:

ip prefix-list description
--------------------------

.. index:: ip prefix-list NAME description DESC
.. clicmd:: ip prefix-list NAME description DESC

   Descriptions may be added to prefix lists. This command adds a
   description to the prefix list.

.. index:: no ip prefix-list NAME description [DESC]
.. clicmd:: no ip prefix-list NAME description [DESC]

   Deletes the description from a prefix list. It is possible to use the
   command without the full description.

.. _ip-prefix-list-sequential-number-control:

ip prefix-list sequential number control
----------------------------------------

.. index:: ip prefix-list sequence-number
.. clicmd:: ip prefix-list sequence-number

   With this command, the IP prefix list sequential number is displayed.
   This is the default behavior.

.. index:: no ip prefix-list sequence-number
.. clicmd:: no ip prefix-list sequence-number

   With this command, the IP prefix list sequential number is not
   displayed.

.. _showing-ip-prefix-list:

Showing ip prefix-list
----------------------

.. index:: show ip prefix-list
.. clicmd:: show ip prefix-list

   Display all IP prefix lists.

.. index:: show ip prefix-list NAME
.. clicmd:: show ip prefix-list NAME

   Show IP prefix list can be used with a prefix list name.

.. index:: show ip prefix-list NAME seq NUM
.. clicmd:: show ip prefix-list NAME seq NUM

   Show IP prefix list can be used with a prefix list name and sequential
   number.

.. index:: show ip prefix-list NAME A.B.C.D/M
.. clicmd:: show ip prefix-list NAME A.B.C.D/M

   If the command longer is used, all prefix lists with prefix lengths equal to
   or longer than the specified length will be displayed. If the command first
   match is used, the first prefix length match will be displayed.

.. index:: show ip prefix-list NAME A.B.C.D/M longer
.. clicmd:: show ip prefix-list NAME A.B.C.D/M longer
.. index:: show ip prefix-list NAME A.B.C.D/M first-match
.. clicmd:: show ip prefix-list NAME A.B.C.D/M first-match
.. index:: show ip prefix-list summary
.. clicmd:: show ip prefix-list summary
.. index:: show ip prefix-list summary NAME
.. clicmd:: show ip prefix-list summary NAME
.. index:: show ip prefix-list detail
.. clicmd:: show ip prefix-list detail
.. index:: show ip prefix-list detail NAME
.. clicmd:: show ip prefix-list detail NAME

Clear counter of ip prefix-list
-------------------------------

.. index:: clear ip prefix-list [NAME [A.B.C.D/M]]
.. clicmd:: clear ip prefix-list [NAME [A.B.C.D/M]]

   Clears the counters of all IP prefix lists. Clear IP Prefix List can be used
   with a specified NAME or NAME and prefix.
Commit	Line	Data
42fc5d26 QY	1	*********
	2	Filtering
	3	*********
	4
c1a54c05 QY	5	FRR provides many very flexible filtering features. Filtering is used
c1a54c05 QY	6	for both input and output of the routing information. Once filtering is
42fc5d26 QY	7	defined, it can be applied in any direction.
42fc5d26 QY	8
42fc5d26 QY	9	IP Access List
	10	==============
	11
fc830a81 DA	12	.. index:: access-list NAME [seq (1-4294967295)] permit IPV4-NETWORK
	13	.. clicmd:: access-list NAME [seq (1-4294967295)] permit IPV4-NETWORK
	14
	15	.. index:: access-list NAME [seq (1-4294967295)] deny IPV4-NETWORK
	16	.. clicmd:: access-list NAME [seq (1-4294967295)] deny IPV4-NETWORK
	17
	18	seq
	19	seq `number` can be set either automatically or manually. In the
	20	case that sequential numbers are set manually, the user may pick any
	21	number less than 4294967295. In the case that sequential number are set
	22	automatically, the sequential number will increase by a unit of five (5)
	23	per list. If a list with no specified sequential number is created
	24	after a list with a specified sequential number, the list will
	25	automatically pick the next multiple of five (5) as the list number.
	26	For example, if a list with number 2 already exists and a new list with
	27	no specified number is created, the next list will be numbered 5. If
	28	lists 2 and 7 already exist and a new list with no specified number is
	29	created, the new list will be numbered 10.
42fc5d26	30
c1a54c05 QY	31	Basic filtering is done by `access-list` as shown in the
c1a54c05 QY	32	following example.
42fc5d26	33
9eb95b3b	34	.. code-block:: frr
42fc5d26	35
c1a54c05 QY	36	access-list filter deny 10.0.0.0/9
c1a54c05 QY	37	access-list filter permit 10.0.0.0/8
fc830a81	38	access-list filter seq 13 permit 10.0.0.0/7
a8c90e15	39
42fc5d26	40
42fc5d26 QY	41	IP Prefix List
	42	==============
	43
	44	ip prefix-list provides the most powerful prefix based
c1a54c05	45	filtering mechanism. In addition to access-list functionality,
42fc5d26	46	ip prefix-list has prefix length range specification and
c1a54c05	47	sequential number specification. You can add or delete prefix based
42fc5d26 QY	48	filters to arbitrary points of prefix-list using sequential number specification.
42fc5d26 QY	49
c1a54c05	50	If no ip prefix-list is specified, it acts as permit. If ip prefix-list
42fc5d26 QY	51	is defined, and no match is found, default deny is applied.
42fc5d26 QY	52
c1a54c05 QY	53	.. index:: ip prefix-list NAME (permit\|deny) PREFIX [le LEN] [ge LEN]
c1a54c05 QY	54	.. clicmd:: ip prefix-list NAME (permit\|deny) PREFIX [le LEN] [ge LEN]
42fc5d26	55
c1a54c05 QY	56	.. index:: ip prefix-list NAME seq NUMBER (permit\|deny) PREFIX [le LEN] [ge LEN]
c1a54c05 QY	57	.. clicmd:: ip prefix-list NAME seq NUMBER (permit\|deny) PREFIX [le LEN] [ge LEN]
42fc5d26	58
c1a54c05	59	You can create ip prefix-list using above commands.
42fc5d26	60
c1a54c05 QY	61	seq
c1a54c05 QY	62	seq `number` can be set either automatically or manually. In the
42fc5d26	63	case that sequential numbers are set manually, the user may pick any
c1a54c05	64	number less than 4294967295. In the case that sequential number are set
42fc5d26	65	automatically, the sequential number will increase by a unit of five (5)
c1a54c05	66	per list. If a list with no specified sequential number is created
42fc5d26 QY	67	after a list with a specified sequential number, the list will
	68	automatically pick the next multiple of five (5) as the list number.
	69	For example, if a list with number 2 already exists and a new list with
c1a54c05	70	no specified number is created, the next list will be numbered 5. If
42fc5d26 QY	71	lists 2 and 7 already exist and a new list with no specified number is
	72	created, the new list will be numbered 10.
	73
c1a54c05 QY	74	le
	75	Specifies prefix length. The prefix list will be applied if the prefix
	76	length is less than or equal to the le prefix length.
42fc5d26	77
c1a54c05 QY	78	ge
	79	Specifies prefix length. The prefix list will be applied if the prefix
	80	length is greater than or equal to the ge prefix length.
42fc5d26	81
42fc5d26	82
c1a54c05 QY	83	Less than or equal to prefix numbers and greater than or equal to
	84	prefix numbers can be used together. The order of the le and ge
	85	commands does not matter.
42fc5d26	86
c1a54c05 QY	87	If a prefix list with a different sequential number but with the exact
	88	same rules as a previous list is created, an error will result.
	89	However, in the case that the sequential number and the rules are
	90	exactly similar, no error will result.
42fc5d26	91
c1a54c05 QY	92	If a list with the same sequential number as a previous list is created,
c1a54c05 QY	93	the new list will overwrite the old list.
42fc5d26	94
c1a54c05 QY	95	Matching of IP Prefix is performed from the smaller sequential number to the
c1a54c05 QY	96	larger. The matching will stop once any rule has been applied.
42fc5d26	97
c1a54c05 QY	98	In the case of no le or ge command, the prefix length must match exactly the
c1a54c05 QY	99	length specified in the prefix list.
42fc5d26	100
c1a54c05 QY	101	.. index:: no ip prefix-list NAME
c1a54c05 QY	102	.. clicmd:: no ip prefix-list NAME
42fc5d26	103
0efdf0fe	104	.. _ip-prefix-list-description:
42fc5d26 QY	105
	106	ip prefix-list description
	107	--------------------------
	108
c1a54c05 QY	109	.. index:: ip prefix-list NAME description DESC
c1a54c05 QY	110	.. clicmd:: ip prefix-list NAME description DESC
42fc5d26	111
c1a54c05 QY	112	Descriptions may be added to prefix lists. This command adds a
c1a54c05 QY	113	description to the prefix list.
42fc5d26	114
c1a54c05 QY	115	.. index:: no ip prefix-list NAME description [DESC]
c1a54c05 QY	116	.. clicmd:: no ip prefix-list NAME description [DESC]
42fc5d26	117
c1a54c05 QY	118	Deletes the description from a prefix list. It is possible to use the
c1a54c05 QY	119	command without the full description.
42fc5d26	120
0efdf0fe	121	.. _ip-prefix-list-sequential-number-control:
42fc5d26 QY	122
	123	ip prefix-list sequential number control
	124	----------------------------------------
	125
c1a54c05 QY	126	.. index:: ip prefix-list sequence-number
c1a54c05 QY	127	.. clicmd:: ip prefix-list sequence-number
42fc5d26	128
c1a54c05 QY	129	With this command, the IP prefix list sequential number is displayed.
c1a54c05 QY	130	This is the default behavior.
42fc5d26	131
c1a54c05 QY	132	.. index:: no ip prefix-list sequence-number
c1a54c05 QY	133	.. clicmd:: no ip prefix-list sequence-number
42fc5d26	134
c1a54c05 QY	135	With this command, the IP prefix list sequential number is not
c1a54c05 QY	136	displayed.
42fc5d26	137
11ab5329	138	.. _showing-ip-prefix-list:
42fc5d26 QY	139
	140	Showing ip prefix-list
	141	----------------------
	142
c1a54c05 QY	143	.. index:: show ip prefix-list
c1a54c05 QY	144	.. clicmd:: show ip prefix-list
42fc5d26	145
c1a54c05	146	Display all IP prefix lists.
42fc5d26	147
c1a54c05 QY	148	.. index:: show ip prefix-list NAME
c1a54c05 QY	149	.. clicmd:: show ip prefix-list NAME
42fc5d26	150
c1a54c05	151	Show IP prefix list can be used with a prefix list name.
42fc5d26	152
c1a54c05 QY	153	.. index:: show ip prefix-list NAME seq NUM
c1a54c05 QY	154	.. clicmd:: show ip prefix-list NAME seq NUM
42fc5d26	155
c1a54c05 QY	156	Show IP prefix list can be used with a prefix list name and sequential
c1a54c05 QY	157	number.
42fc5d26	158
c1a54c05 QY	159	.. index:: show ip prefix-list NAME A.B.C.D/M
c1a54c05 QY	160	.. clicmd:: show ip prefix-list NAME A.B.C.D/M
42fc5d26	161
c1a54c05 QY	162	If the command longer is used, all prefix lists with prefix lengths equal to
	163	or longer than the specified length will be displayed. If the command first
	164	match is used, the first prefix length match will be displayed.
42fc5d26	165
c1a54c05 QY	166	.. index:: show ip prefix-list NAME A.B.C.D/M longer
	167	.. clicmd:: show ip prefix-list NAME A.B.C.D/M longer
	168	.. index:: show ip prefix-list NAME A.B.C.D/M first-match
	169	.. clicmd:: show ip prefix-list NAME A.B.C.D/M first-match
	170	.. index:: show ip prefix-list summary
	171	.. clicmd:: show ip prefix-list summary
	172	.. index:: show ip prefix-list summary NAME
	173	.. clicmd:: show ip prefix-list summary NAME
	174	.. index:: show ip prefix-list detail
	175	.. clicmd:: show ip prefix-list detail
	176	.. index:: show ip prefix-list detail NAME
	177	.. clicmd:: show ip prefix-list detail NAME
42fc5d26 QY	178
	179	Clear counter of ip prefix-list
	180	-------------------------------
	181
a65a2f4c DS	182	.. index:: clear ip prefix-list [NAME [A.B.C.D/M]]
a65a2f4c DS	183	.. clicmd:: clear ip prefix-list [NAME [A.B.C.D/M]]
42fc5d26	184
c1a54c05	185	Clears the counters of all IP prefix lists. Clear IP Prefix List can be used
a65a2f4c	186	with a specified NAME or NAME and prefix.