From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 1FACD1FF18C for ; Tue, 14 Apr 2026 18:34:55 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 5D90B1F94F; Tue, 14 Apr 2026 18:34:05 +0200 (CEST) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Subject: [PATCH proxmox-ve-rs 02/16] frr: add support for extcommunity lists Date: Tue, 14 Apr 2026 18:32:59 +0200 Message-ID: <20260414163315.419384-3-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260414163315.419384-1-s.hanreich@proxmox.com> References: <20260414163315.419384-1-s.hanreich@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1776184326203 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.694 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [bgp.rs,mod.rs] Message-ID-Hash: DSJREPZF3T4MD3IAUK6YIQGAS2FOCZZ3 X-Message-ID-Hash: DSJREPZF3T4MD3IAUK6YIQGAS2FOCZZ3 X-MailFrom: s.hanreich@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Extended Communities are used for encoding Route Targets in the EVPN AF, among other things. FRR provides a mechanism to match based on them via the extcommunity lists. Implement support for creating them, so they can be used by the SDN stack for matching extended communities in route maps. Initially, this will be used to filter outgoing routes in EVPN controllers, but in the future it is planned to expose creating extcommunity lists via our API / UI as well. Signed-off-by: Stefan Hanreich --- proxmox-frr/src/ser/bgp.rs | 81 +++++++++++++++++++++++++++++++- proxmox-frr/src/ser/mod.rs | 23 ++++++++- proxmox-frr/src/ser/route_map.rs | 43 +++++++++++++---- 3 files changed, 134 insertions(+), 13 deletions(-) diff --git a/proxmox-frr/src/ser/bgp.rs b/proxmox-frr/src/ser/bgp.rs index 79bc920..0bf4a1d 100644 --- a/proxmox-frr/src/ser/bgp.rs +++ b/proxmox-frr/src/ser/bgp.rs @@ -1,10 +1,11 @@ +use std::fmt::Display; use std::net::{IpAddr, Ipv4Addr}; use proxmox_network_types::ip_address::{Ipv4Cidr, Ipv6Cidr}; use serde::{Deserialize, Serialize}; use crate::ser::route_map::RouteMapName; -use crate::ser::{FrrWord, InterfaceName, IpRoute}; +use crate::ser::{AccessAction, FrrWord, InterfaceName, IpRoute}; #[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, Serialize, Deserialize)] pub struct BgpRouterName { @@ -195,3 +196,81 @@ pub struct BgpRouter { #[serde(default)] pub custom_frr_config: Vec, } + +#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize, Deserialize)] +pub struct CommunityListName(String); + +impl Display for CommunityListName { + fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result { + Display::fmt(&self.0, f) + } +} + +impl CommunityListName { + pub fn new(name: String) -> Self { + Self(name) + } +} + +#[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord)] +pub struct ExtCommunityRouteTarget { + asn: u16, + value: u32, +} + +impl std::str::FromStr for ExtCommunityRouteTarget { + type Err = anyhow::Error; + + fn from_str(value: &str) -> Result { + if let Some((asn, value)) = value.split_once(':') { + return Ok(Self { + asn: asn.parse()?, + value: value.parse()?, + }); + } + + anyhow::bail!("can not parse route target: {value}") + } +} + +impl Display for ExtCommunityRouteTarget { + fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result { + write!(f, "{}:{}", self.asn, self.value) + } +} + +proxmox_serde::forward_serialize_to_display!(ExtCommunityRouteTarget); +proxmox_serde::forward_deserialize_to_from_str!(ExtCommunityRouteTarget); + +#[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, Serialize, Deserialize)] +#[serde(tag = "type", content = "value")] +pub enum StandardExtCommunityListMatch { + #[serde(rename = "rt")] + RouteTarget(ExtCommunityRouteTarget), +} + +#[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, Serialize, Deserialize)] +#[serde(tag = "type", content = "value")] +pub enum ExtendedExtCommunityListMatch { + #[serde(rename = "rt")] + RouteTarget(String), +} + +#[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, Serialize, Deserialize)] +pub struct ExtendedExtCommunityListEntry { + pub action: AccessAction, + pub match_entry: ExtendedExtCommunityListMatch, +} + +#[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, Serialize, Deserialize)] +pub struct StandardExtCommunityListEntry { + pub action: AccessAction, + pub match_entry: StandardExtCommunityListMatch, +} + +#[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, Serialize, Deserialize)] +#[serde(tag = "type", content = "entries", rename_all = "kebab-case")] +pub enum ExtCommunityList { + Standard(Vec), + Extended(Vec), +} diff --git a/proxmox-frr/src/ser/mod.rs b/proxmox-frr/src/ser/mod.rs index 7bb4836..2ff2011 100644 --- a/proxmox-frr/src/ser/mod.rs +++ b/proxmox-frr/src/ser/mod.rs @@ -9,8 +9,11 @@ use std::collections::BTreeMap; use std::net::IpAddr; use std::str::FromStr; -use crate::ser::route_map::{ - AccessListName, AccessListRule, PrefixListName, PrefixListRule, RouteMapEntry, RouteMapName, +use crate::ser::{ + bgp::{CommunityListName, ExtCommunityList}, + route_map::{ + AccessListName, AccessListRule, PrefixListName, PrefixListRule, RouteMapEntry, RouteMapName, + }, }; use proxmox_network_types::{ @@ -21,6 +24,19 @@ use proxmox_serde::forward_deserialize_to_from_str; use serde::{Deserialize, Serialize}; use thiserror::Error; +/// The action for a [`AccessListRule`] or [`ExtCommunityList`]. +/// +/// The default is Permit. Deny can be used to create a NOT match (e.g. match all routes that are +/// NOT in 10.10.10.0/24 using `ip access-list TEST deny 10.10.10.0/24`). +#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize, Deserialize)] +#[serde(rename_all = "kebab-case")] +pub enum AccessAction { + Permit, + Deny, +} + +proxmox_serde::forward_display_to_serialize!(AccessAction); + #[derive(Error, Debug)] pub enum FrrWordError { #[error("word is empty")] @@ -255,4 +271,7 @@ pub struct BgpFrrConfig { #[serde(default)] pub vrfs: BTreeMap, + + #[serde(default)] + pub ext_community_lists: BTreeMap, } diff --git a/proxmox-frr/src/ser/route_map.rs b/proxmox-frr/src/ser/route_map.rs index 54d88e7..958a1c8 100644 --- a/proxmox-frr/src/ser/route_map.rs +++ b/proxmox-frr/src/ser/route_map.rs @@ -7,16 +7,8 @@ use proxmox_sdn_types::{ }; use serde::{Deserialize, Serialize}; -/// The action for a [`AccessListRule`]. -/// -/// The default is Permit. Deny can be used to create a NOT match (e.g. match all routes that are -/// NOT in 10.10.10.0/24 using `ip access-list TEST deny 10.10.10.0/24`). -#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize, Deserialize)] -#[serde(rename_all = "kebab-case")] -pub enum AccessAction { - Permit, - Deny, -} +use crate::ser::bgp::CommunityListName; +pub use crate::ser::AccessAction; /// A single [`AccessList`] rule. /// @@ -66,6 +58,35 @@ pub struct PrefixListRule { pub is_ipv6: bool, } +#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Deserialize, Serialize)] +#[serde(rename_all = "kebab-case")] +pub enum CommunityMatchMode { + ExactMatch, + Any, +} + +proxmox_serde::forward_display_to_serialize!(CommunityMatchMode); + +#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Deserialize)] +pub struct ExtendedCommunityMatch { + pub name: CommunityListName, + pub mode: Option, +} + +impl std::fmt::Display for ExtendedCommunityMatch { + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { + let mode = self + .mode + .as_ref() + .map(|mode| format!(" {mode}")) + .unwrap_or_else(|| String::new()); + + write!(f, "{}{mode}", self.name) + } +} + +proxmox_serde::forward_serialize_to_display!(ExtendedCommunityMatch); + /// A match statement inside a route-map. /// /// A route-map has one or more match statements which decide on which routes the route-map will @@ -102,6 +123,8 @@ pub enum RouteMapMatch { Peer(String), #[serde(rename = "tag")] Tag(SetTagValue), + #[serde(rename = "extcommunity")] + ExtendedCommunity(ExtendedCommunityMatch), } /// Defines the Action a route-map takes when it matches on a route. -- 2.47.3