authorCorey Siltala <csiltala@atcorp.com>2024-11-25 17:36:54 +0100
committerCorey Siltala <csiltala@atcorp.com>2024-12-06 21:44:17 +0100
commit4de4017d64ccaaa5a0f768873bc36aad4a8912a6 (patch)
tree7bb032b90c4c08f3f65f188f60220e267f0a89a4 /pimd/pim_iface.c
parentpimd: Move ACL handling to pim_util.c (diff)
pimd,yang: Extend multicast boundary functionality
Add new interface command ip multicast boundary ACCESSLIST4_NAME. This allows filtering on both source and group using the extended access-list syntax vs. group-only as with the existing "ip multicast boundary oil" command, which uses prefix-lists. If both are configured, the prefix-list is evaluated first. The default behavior for both prefix-lists and access-lists remains "deny", so the prefix-list must have a terminating "permit" statement in order to also evaluate against the access-list. The following example denies groups in range 229.1.1.0/24 and groups in range 232.1.1.0/24 with source 10.0.20.2: ! ip prefix-list pim-oil-plist seq 10 deny 229.1.1.0/24 ip prefix-list pim-oil-plist seq 20 permit any ! access-list pim-acl seq 10 deny ip host 10.0.20.2 232.1.1.0 0.0.0.255 access-list pim-acl seq 20 permit ip any any ! interface r1-eth0 ip address 10.0.20.1/24 ip igmp ip pim ip multicast boundary oil pim-oil-plist ip multicast boundary pim-acl ! Signed-off-by: Corey Siltala <csiltala@atcorp.com>
Diffstat (limited to 'pimd/pim_iface.c')
-rw-r--r--pimd/pim_iface.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/pimd/pim_iface.c b/pimd/pim_iface.c
index 19460aa44..f92a42dd8 100644
--- a/pimd/pim_iface.c
+++ b/pimd/pim_iface.c
@@ -38,6 +38,7 @@
#include "pim_igmp_join.h"
#include "pim_vxlan.h"
#include "pim_tib.h"
+#include "pim_util.h"
#include "pim6_mld.h"
@@ -1258,6 +1259,14 @@ static int gm_join_sock(const char *ifname, ifindex_t ifindex,
{
int join_fd;
+ if (pim_is_group_filtered(pim_ifp, &group_addr, &source_addr)) {
+ if (PIM_DEBUG_GM_EVENTS) {
+ zlog_debug("%s: join failed for (S,G)=(%pPAs,%pPAs) due to multicast boundary filtering",
+ __func__, &source_addr, &group_addr);
+ }
+ return -1;
+ }
+
pim_ifp->igmp_ifstat_joins_sent++;
join_fd = pim_socket_raw(IPPROTO_GM);
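Review bot: The policy denial at `return -1;` in gm_join_sock looks the same to a caller as any other failure, and its only trace is a `zlog_debug` gated on `PIM_DEBUG_GM_EVENTS`. With debugging off, a join rejected by the multicast boundary leaves nothing an operator can audit. Consider bumping a per-interface counter for filtered joins next to the debug line, and document the ordering with a comment such as `/* Boundary policy denies this (S,G): refuse before a socket is opened or joins_sent is counted. */`. The filter is evaluated once, when the join is created. The hunk does not show whether existing join sockets are re-checked after the access-list or prefix-list is edited, so that should be confirmed where the boundary configuration is applied. The body of gm_join_sock continues past the end of this hunk, so how it reports its other failures is not visible here.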