*********
Filtering
*********

FRR provides many very flexible filtering features. Filtering is used
for both input and output of the routing information. Once filtering is
defined, it can be applied in any direction.

IP Access List
==============

.. clicmd:: access-list NAME [seq (1-4294967295)] permit IPV4-NETWORK

.. clicmd:: access-list NAME [seq (1-4294967295)] deny IPV4-NETWORK

   seq
      seq `number` can be set either automatically or manually. In the
      case that sequential numbers are set manually, the user may pick any
      number less than 4294967295. In the case that sequential numbers are set
      automatically, the sequential number will increase by a unit of five (5)
      per list. If a list with no specified sequential number is created
      after a list with a specified sequential number, the list will
      automatically pick the next multiple of five (5) as the list number.
      For example, if a list with number 2 already exists and a new list with
      no specified number is created, the next list will be numbered 5. If
      lists 2 and 7 already exist and a new list with no specified number is
      created, the new list will be numbered 10.

   Basic filtering is done by `access-list` as shown in the
   following example.

   .. code-block:: frr

      access-list filter deny 10.0.0.0/9
      access-list filter permit 10.0.0.0/8
      access-list filter seq 13 permit 10.0.0.0/7

.. clicmd:: show <ip|ipv6> access-list [json]

   Display all IPv4 or IPv6 access lists.

   If the ``json`` option is specified, output is displayed in JSON format.

.. clicmd:: show <ip|ipv6> access-list WORD [json]

   Display the specified IPv4 or IPv6 access list.

   If the ``json`` option is specified, output is displayed in JSON format.


IP Prefix List
==============

*ip prefix-list* provides the most powerful prefix-based
filtering mechanism. In addition to *access-list* functionality,
*ip prefix-list* has prefix length range specification and
sequential number specification. You can add or delete prefix-based
filters at arbitrary points of a prefix-list using sequential number specification.

If no ip prefix-list is specified, it acts as permit. If *ip prefix-list*
is defined, and no match is found, default deny is applied.

.. clicmd:: ip prefix-list NAME (permit|deny) PREFIX [le LEN] [ge LEN]

.. clicmd:: ip prefix-list NAME seq NUMBER (permit|deny) PREFIX [le LEN] [ge LEN]

   You can create *ip prefix-list* using the above commands.

   seq
      seq `number` can be set either automatically or manually. In the
      case that sequential numbers are set manually, the user may pick any
      number less than 4294967295. In the case that sequential numbers are set
      automatically, the sequential number will increase by a unit of five (5)
      per list. If a list with no specified sequential number is created
      after a list with a specified sequential number, the list will
      automatically pick the next multiple of five (5) as the list number.
      For example, if a list with number 2 already exists and a new list with
      no specified number is created, the next list will be numbered 5. If
      lists 2 and 7 already exist and a new list with no specified number is
      created, the new list will be numbered 10.

   le
      Specifies prefix length. The prefix list will be applied if the prefix
      length is less than or equal to the le prefix length.

   ge
      Specifies prefix length. The prefix list will be applied if the prefix
      length is greater than or equal to the ge prefix length.


   The ``le`` (less than or equal to) and ``ge`` (greater than or equal to)
   prefix lengths can be used together. The order of the le and ge
   commands does not matter.

   If a prefix list with a different sequential number but with the exact
   same rules as a previous list is created, an error will result.
   However, in the case that the sequential number and the rules are
   exactly the same, no error will result.

   If a list with the same sequential number as a previous list is created,
   the new list will overwrite the old list.

   Matching of IP Prefix is performed from the smaller sequential number to the
   larger. The matching will stop once any rule has been applied.

   In the case of no le or ge command, the prefix length must match exactly the
   length specified in the prefix list.
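
The numbering and matching rules above (automatic sequence numbers, as also described for access lists; overwrite on a reused number; evaluation from the lowest sequence number; ``le``/``ge`` length bounds; exact length when neither is given; implicit deny) modelled in Python as an added example, not FRR code. ``PrefixList``, ``evaluate`` and ``demo`` are hypothetical names, the sample routes are constructed, and the model assumes a route must also fall inside PREFIX to match an entry.

```python
import ipaddress

class PrefixList:
    """Toy model of one named prefix-list (added example, not FRR code)."""

    def __init__(self):
        self.entries = {}  # seq -> (action, network, ge, le)

    def add(self, action, prefix, ge=None, le=None, seq=None):
        if seq is None:
            # Auto-numbering: next multiple of five above the highest seq in use.
            seq = (max(self.entries, default=0) // 5) * 5 + 5
        # Reusing a sequence number overwrites the earlier entry.
        self.entries[seq] = (action, ipaddress.ip_network(prefix), ge, le)
        return seq

    def match(self, route):
        """Return (action, seq) of the first matching entry, lowest seq first."""
        route = ipaddress.ip_network(route)
        for seq in sorted(self.entries):
            action, net, ge, le = self.entries[seq]
            # Assumption of this model: the route must lie inside PREFIX.
            if route.version != net.version or not route.subnet_of(net):
                continue
            if ge is None and le is None:
                if route.prefixlen != net.prefixlen:  # no le/ge: exact length only
                    continue
            elif ((ge is not None and route.prefixlen < ge)
                  or (le is not None and route.prefixlen > le)):
                continue
            return action, seq  # first match stops evaluation
        return "deny", None  # list is defined but nothing matched: default deny

def evaluate(plist, route):
    """No prefix-list specified (None) acts as permit, per the text above."""
    return ("permit", None) if plist is None else plist.match(route)

def demo():
    pl = PrefixList()
    seqs = [pl.add("deny", "10.0.0.0/8", ge=25, seq=2),    # /25 and longer in 10/8
            pl.add("permit", "10.0.0.0/8", le=24, seq=7),  # /8 through /24 in 10/8
            pl.add("permit", "192.0.2.0/24")]              # auto seq, exact /24 only
    routes = ["10.1.2.0/24", "10.1.2.128/25", "192.0.2.0/24",  # constructed samples
              "192.0.2.0/25", "172.16.0.0/12"]
    return seqs, {r: evaluate(pl, r) for r in routes}

if __name__ == "__main__":
    print(demo())
```

Because evaluation stops at the first match, the deny at sequence 2 has to sit before the broader permit at sequence 7; with the order reversed, only lengths above 24 would reach the deny entry, so the result for a /25 would be the same here, but any overlap between the two length ranges would be decided by whichever entry has the lower number.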


.. _ip-prefix-list-description:

ip prefix-list description
--------------------------

.. clicmd:: ip prefix-list NAME description DESC

   Descriptions may be added to prefix lists. This command adds a
   description to the prefix list.


.. _showing-ip-prefix-list:

Showing ip prefix-list
----------------------

.. clicmd:: show ip prefix-list [json]

   Display all IP prefix lists.

   If the ``json`` option is specified, output is displayed in JSON format.

.. clicmd:: show ip prefix-list NAME [json]

   Display the IP prefix list with the given name.

   If the ``json`` option is specified, output is displayed in JSON format.

.. clicmd:: show ip prefix-list NAME seq NUM [json]

   Display the entry of the named IP prefix list with the given sequential
   number.

   If the ``json`` option is specified, output is displayed in JSON format.

.. clicmd:: show ip prefix-list NAME A.B.C.D/M

   If the ``longer`` keyword is used, all prefix lists with prefix lengths equal to
   or longer than the specified length will be displayed. If the ``first-match``
   keyword is used, the first prefix length match will be displayed.

.. clicmd:: show ip prefix-list NAME A.B.C.D/M longer
.. clicmd:: show ip prefix-list NAME A.B.C.D/M first-match
.. clicmd:: show ip prefix-list summary [json]
.. clicmd:: show ip prefix-list summary NAME [json]
.. clicmd:: show ip prefix-list detail [json]
.. clicmd:: show ip prefix-list detail NAME [json]

.. clicmd:: debug prefix-list NAME match <A.B.C.D/M|X:X::X:X/M> [address-mode]

   Execute the prefix list matching code for the specified list and prefix.
   Shows which entry matched, if any. (``address-mode`` is used for
   PIM RP lookups and skips prefix length checks.)

   The return value from this command is success only if the prefix-list
   result is to permit the prefix, so the command can be used in scripting.

Clear counter of ip prefix-list
-------------------------------

.. clicmd:: clear ip prefix-list [NAME [A.B.C.D/M]]

   Clears the counters of all IP prefix lists. The command can also be
   limited to a specified NAME, or to a NAME and prefix.