[mirror_frr.git] / doc / user / filter.rst

*********
Filtering
*********

FRR provides many very flexible filtering features. Filtering is used
for both input and output of the routing information. Once filtering is
defined, it can be applied in any direction.

IP Access List
==============

.. clicmd:: access-list NAME [seq (1-4294967295)] permit IPV4-NETWORK

.. clicmd:: access-list NAME [seq (1-4294967295)] deny IPV4-NETWORK

   seq
      seq `number` can be set either automatically or manually. In the
      case that sequential numbers are set manually, the user may pick any
      number less than 4294967295. In the case that sequential number are set
      automatically, the sequential number will increase by a unit of five (5)
      per list. If a list with no specified sequential number is created
      after a list with a specified sequential number, the list will
      automatically pick the next multiple of five (5) as the list number.
      For example, if a list with number 2 already exists and a new list with
      no specified number is created, the next list will be numbered 5. If
      lists 2 and 7 already exist and a new list with no specified number is
      created, the new list will be numbered 10.

   Basic filtering is done by `access-list` as shown in the
   following example.

   .. code-block:: frr

      access-list filter deny 10.0.0.0/9
      access-list filter permit 10.0.0.0/8
      access-list filter seq 13 permit 10.0.0.0/7

.. clicmd:: show <ip|ipv6> access-list [json]

   Display all IPv4 or IPv6 access lists.

   If the ``json`` option is specified, output is displayed in JSON format.

.. clicmd:: show <ip|ipv6> access-list WORD [json]

   Display the specified IPv4 or IPv6 access list.

   If the ``json`` option is specified, output is displayed in JSON format.


IP Prefix List
==============

*ip prefix-list* provides the most powerful prefix based
filtering mechanism. In addition to *access-list* functionality,
*ip prefix-list* has prefix length range specification and
sequential number specification. You can add or delete prefix based
filters to arbitrary points of prefix-list using sequential number specification.

If no ip prefix-list is specified, it acts as permit. If *ip prefix-list*
is defined, and no match is found, default deny is applied.

.. clicmd:: ip prefix-list NAME (permit|deny) PREFIX [le LEN] [ge LEN]

.. clicmd:: ip prefix-list NAME seq NUMBER (permit|deny) PREFIX [le LEN] [ge LEN]

   You can create *ip prefix-list* using above commands.

   seq
      seq `number` can be set either automatically or manually. In the
      case that sequential numbers are set manually, the user may pick any
      number less than 4294967295. In the case that sequential number are set
      automatically, the sequential number will increase by a unit of five (5)
      per list. If a list with no specified sequential number is created
      after a list with a specified sequential number, the list will
      automatically pick the next multiple of five (5) as the list number.
      For example, if a list with number 2 already exists and a new list with
      no specified number is created, the next list will be numbered 5. If
      lists 2 and 7 already exist and a new list with no specified number is
      created, the new list will be numbered 10.

   le
      Specifies prefix length. The prefix list will be applied if the prefix
      length is less than or equal to the le prefix length.

   ge
      Specifies prefix length. The prefix list will be applied if the prefix
      length is greater than or equal to the ge prefix length.


   Less than or equal to prefix numbers and greater than or equal to
   prefix numbers can be used together. The order of the le and ge
   commands does not matter.

   If a prefix list with a different sequential number but with the exact
   same rules as a previous list is created, an error will result.
   However, in the case that the sequential number and the rules are
   exactly similar, no error will result.

   If a list with the same sequential number as a previous list is created,
   the new list will overwrite the old list.

   Matching of IP Prefix is performed from the smaller sequential number to the
   larger. The matching will stop once any rule has been applied.

   In the case of no le or ge command, the prefix length must match exactly the
   length specified in the prefix list.


.. _ip-prefix-list-description:

ip prefix-list description
--------------------------

.. clicmd:: ip prefix-list NAME description DESC

   Descriptions may be added to prefix lists. This command adds a
   description to the prefix list.


.. _showing-ip-prefix-list:

Showing ip prefix-list
----------------------

.. clicmd:: show ip prefix-list [json]

   Display all IP prefix lists.

   If the ``json`` option is specified, output is displayed in JSON format.

.. clicmd:: show ip prefix-list NAME [json]

   Show IP prefix list can be used with a prefix list name.

   If the ``json`` option is specified, output is displayed in JSON format.

.. clicmd:: show ip prefix-list NAME seq NUM [json]

   Show IP prefix list can be used with a prefix list name and sequential
   number.

   If the ``json`` option is specified, output is displayed in JSON format.

.. clicmd:: show ip prefix-list NAME A.B.C.D/M

   If the command longer is used, all prefix lists with prefix lengths equal to
   or longer than the specified length will be displayed. If the command first
   match is used, the first prefix length match will be displayed.

.. clicmd:: show ip prefix-list NAME A.B.C.D/M longer
.. clicmd:: show ip prefix-list NAME A.B.C.D/M first-match
.. clicmd:: show ip prefix-list summary [json]
.. clicmd:: show ip prefix-list summary NAME [json]
.. clicmd:: show ip prefix-list detail [json]
.. clicmd:: show ip prefix-list detail NAME [json]

.. clicmd:: debug prefix-list NAME match <A.B.C.D/M|X:X::X:X/M> [address-mode]

   Execute the prefix list matching code for the specified list and prefix.
   Shows which entry matched, if any.  (``address-mode`` is used for
   PIM RP lookups and skips prefix length checks.)

   The return value from this command is success only if the prefix-list
   result is to permit the prefix, so the command can be used in scripting.

Clear counter of ip prefix-list
-------------------------------

.. clicmd:: clear ip prefix-list [NAME [A.B.C.D/M]]

   Clears the counters of all IP prefix lists. Clear IP Prefix List can be used
   with a specified NAME or NAME and prefix.
Commit	Line	Data
42fc5d26 QY	1	*********
	2	Filtering
	3	*********
	4
c1a54c05 QY	5	FRR provides many very flexible filtering features. Filtering is used
c1a54c05 QY	6	for both input and output of the routing information. Once filtering is
42fc5d26 QY	7	defined, it can be applied in any direction.
42fc5d26 QY	8
42fc5d26 QY	9	IP Access List
	10	==============
	11
fc830a81 DA	12	.. clicmd:: access-list NAME [seq (1-4294967295)] permit IPV4-NETWORK
fc830a81 DA	13
fc830a81 DA	14	.. clicmd:: access-list NAME [seq (1-4294967295)] deny IPV4-NETWORK
	15
	16	seq
	17	seq `number` can be set either automatically or manually. In the
	18	case that sequential numbers are set manually, the user may pick any
	19	number less than 4294967295. In the case that sequential number are set
	20	automatically, the sequential number will increase by a unit of five (5)
	21	per list. If a list with no specified sequential number is created
	22	after a list with a specified sequential number, the list will
	23	automatically pick the next multiple of five (5) as the list number.
	24	For example, if a list with number 2 already exists and a new list with
	25	no specified number is created, the next list will be numbered 5. If
	26	lists 2 and 7 already exist and a new list with no specified number is
	27	created, the new list will be numbered 10.
42fc5d26	28
c1a54c05 QY	29	Basic filtering is done by `access-list` as shown in the
c1a54c05 QY	30	following example.
42fc5d26	31
9eb95b3b	32	.. code-block:: frr
42fc5d26	33
c1a54c05 QY	34	access-list filter deny 10.0.0.0/9
c1a54c05 QY	35	access-list filter permit 10.0.0.0/8
fc830a81	36	access-list filter seq 13 permit 10.0.0.0/7
a8c90e15	37
068ab901 RW	38	.. clicmd:: show <ip\|ipv6> access-list [json]
	39
	40	Display all IPv4 or IPv6 access lists.
	41
	42	If the ``json`` option is specified, output is displayed in JSON format.
	43
	44	.. clicmd:: show <ip\|ipv6> access-list WORD [json]
	45
	46	Display the specified IPv4 or IPv6 access list.
	47
	48	If the ``json`` option is specified, output is displayed in JSON format.
	49
42fc5d26	50
42fc5d26 QY	51	IP Prefix List
	52	==============
	53
	54	ip prefix-list provides the most powerful prefix based
c1a54c05	55	filtering mechanism. In addition to access-list functionality,
42fc5d26	56	ip prefix-list has prefix length range specification and
c1a54c05	57	sequential number specification. You can add or delete prefix based
42fc5d26 QY	58	filters to arbitrary points of prefix-list using sequential number specification.
42fc5d26 QY	59
c1a54c05	60	If no ip prefix-list is specified, it acts as permit. If ip prefix-list
42fc5d26 QY	61	is defined, and no match is found, default deny is applied.
42fc5d26 QY	62
c1a54c05	63	.. clicmd:: ip prefix-list NAME (permit\|deny) PREFIX [le LEN] [ge LEN]
42fc5d26	64
c1a54c05	65	.. clicmd:: ip prefix-list NAME seq NUMBER (permit\|deny) PREFIX [le LEN] [ge LEN]
42fc5d26	66
c1a54c05	67	You can create ip prefix-list using above commands.
42fc5d26	68
c1a54c05 QY	69	seq
c1a54c05 QY	70	seq `number` can be set either automatically or manually. In the
42fc5d26	71	case that sequential numbers are set manually, the user may pick any
c1a54c05	72	number less than 4294967295. In the case that sequential number are set
42fc5d26	73	automatically, the sequential number will increase by a unit of five (5)
c1a54c05	74	per list. If a list with no specified sequential number is created
42fc5d26 QY	75	after a list with a specified sequential number, the list will
	76	automatically pick the next multiple of five (5) as the list number.
	77	For example, if a list with number 2 already exists and a new list with
c1a54c05	78	no specified number is created, the next list will be numbered 5. If
42fc5d26 QY	79	lists 2 and 7 already exist and a new list with no specified number is
	80	created, the new list will be numbered 10.
	81
c1a54c05 QY	82	le
	83	Specifies prefix length. The prefix list will be applied if the prefix
	84	length is less than or equal to the le prefix length.
42fc5d26	85
c1a54c05 QY	86	ge
	87	Specifies prefix length. The prefix list will be applied if the prefix
	88	length is greater than or equal to the ge prefix length.
42fc5d26	89
42fc5d26	90
c1a54c05 QY	91	Less than or equal to prefix numbers and greater than or equal to
	92	prefix numbers can be used together. The order of the le and ge
	93	commands does not matter.
42fc5d26	94
c1a54c05 QY	95	If a prefix list with a different sequential number but with the exact
	96	same rules as a previous list is created, an error will result.
	97	However, in the case that the sequential number and the rules are
	98	exactly similar, no error will result.
42fc5d26	99
c1a54c05 QY	100	If a list with the same sequential number as a previous list is created,
c1a54c05 QY	101	the new list will overwrite the old list.
42fc5d26	102
c1a54c05 QY	103	Matching of IP Prefix is performed from the smaller sequential number to the
c1a54c05 QY	104	larger. The matching will stop once any rule has been applied.
42fc5d26	105
c1a54c05 QY	106	In the case of no le or ge command, the prefix length must match exactly the
c1a54c05 QY	107	length specified in the prefix list.
42fc5d26	108
42fc5d26	109
0efdf0fe	110	.. _ip-prefix-list-description:
42fc5d26 QY	111
	112	ip prefix-list description
	113	--------------------------
	114
c1a54c05	115	.. clicmd:: ip prefix-list NAME description DESC
42fc5d26	116
c1a54c05 QY	117	Descriptions may be added to prefix lists. This command adds a
c1a54c05 QY	118	description to the prefix list.
42fc5d26	119
42fc5d26	120
11ab5329	121	.. _showing-ip-prefix-list:
42fc5d26 QY	122
	123	Showing ip prefix-list
	124	----------------------
	125
58e2857d	126	.. clicmd:: show ip prefix-list [json]
42fc5d26	127
c1a54c05	128	Display all IP prefix lists.
42fc5d26	129
58e2857d RW	130	If the ``json`` option is specified, output is displayed in JSON format.
	131
	132	.. clicmd:: show ip prefix-list NAME [json]
42fc5d26	133
c1a54c05	134	Show IP prefix list can be used with a prefix list name.
42fc5d26	135
58e2857d RW	136	If the ``json`` option is specified, output is displayed in JSON format.
	137
	138	.. clicmd:: show ip prefix-list NAME seq NUM [json]
42fc5d26	139
c1a54c05 QY	140	Show IP prefix list can be used with a prefix list name and sequential
c1a54c05 QY	141	number.
42fc5d26	142
58e2857d RW	143	If the ``json`` option is specified, output is displayed in JSON format.
58e2857d RW	144
c1a54c05	145	.. clicmd:: show ip prefix-list NAME A.B.C.D/M
42fc5d26	146
c1a54c05 QY	147	If the command longer is used, all prefix lists with prefix lengths equal to
	148	or longer than the specified length will be displayed. If the command first
	149	match is used, the first prefix length match will be displayed.
42fc5d26	150
c1a54c05	151	.. clicmd:: show ip prefix-list NAME A.B.C.D/M longer
c1a54c05	152	.. clicmd:: show ip prefix-list NAME A.B.C.D/M first-match
58e2857d RW	153	.. clicmd:: show ip prefix-list summary [json]
	154	.. clicmd:: show ip prefix-list summary NAME [json]
	155	.. clicmd:: show ip prefix-list detail [json]
	156	.. clicmd:: show ip prefix-list detail NAME [json]
42fc5d26	157
19cf3fc5 DL	158	.. clicmd:: debug prefix-list NAME match <A.B.C.D/M\|X:X::X:X/M> [address-mode]
	159
	160	Execute the prefix list matching code for the specified list and prefix.
	161	Shows which entry matched, if any. (``address-mode`` is used for
	162	PIM RP lookups and skips prefix length checks.)
	163
	164	The return value from this command is success only if the prefix-list
	165	result is to permit the prefix, so the command can be used in scripting.
	166
42fc5d26 QY	167	Clear counter of ip prefix-list
	168	-------------------------------
	169
a65a2f4c	170	.. clicmd:: clear ip prefix-list [NAME [A.B.C.D/M]]
42fc5d26	171
c1a54c05	172	Clears the counters of all IP prefix lists. Clear IP Prefix List can be used
a65a2f4c	173	with a specified NAME or NAME and prefix.