From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id 000491FF13B
	for <inbox@lore.proxmox.com>; Wed, 25 Mar 2026 10:42:55 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 0F6DAF65C;
	Wed, 25 Mar 2026 10:42:21 +0100 (CET)
From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-network 08/13] evpn controller: add route_map_{in,out}
 parameter
Date: Wed, 25 Mar 2026 10:41:33 +0100
Message-ID: <20260325094142.174364-23-s.hanreich@proxmox.com>
X-Mailer: git-send-email 2.47.3
In-Reply-To: <20260325094142.174364-1-s.hanreich@proxmox.com>
References: <20260325094142.174364-1-s.hanreich@proxmox.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1774431664578
X-SPAM-LEVEL: Spam detection results:  0
	AWL                     0.718 Adjusted score from AWL reputation of From:
 address
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_MISSING             0.1 Missing DMARC policy
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_PASS               -0.001 SPF: sender matches SPF record
Message-ID-Hash: UJKR7RSORQR4RGEZD3L462QLO4LWWISD
X-Message-ID-Hash: UJKR7RSORQR4RGEZD3L462QLO4LWWISD
X-MailFrom: s.hanreich@proxmox.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Owner: <mailto:pve-devel-owner@lists.proxmox.com>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Subscribe: <mailto:pve-devel-join@lists.proxmox.com>
List-Unsubscribe: <mailto:pve-devel-leave@lists.proxmox.com>

This parameter allows overriding the default MAP_VTEP_{IN,OUT} route
maps by specifying a custom route map configured in route-maps.cfg.
This can be used for filtering incoming and outgoing routes, e.g. for
only advertising type-5 routes to external peers or only allow
importing routes with specific route targets.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 src/PVE/Network/SDN/Controllers/EvpnPlugin.pm | 19 +++++++++++++------
 src/PVE/Network/SDN/Controllers/Plugin.pm     | 14 ++++++++++++++
 2 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
index 3e643b1..d7b838b 100644
--- a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
+++ b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
@@ -45,6 +45,8 @@ sub options {
         'asn' => { optional => 0 },
         'peers' => { optional => 1 },
         'fabric' => { optional => 1 },
+        'route-map-in' => { optional => 1 },
+        'route-map-out' => { optional => 1 },
     };
 }
 
@@ -153,23 +155,28 @@ sub generate_frr_config {
 
     push @{ $bgp_router->{neighbor_groups} }, $neighbor_group;
 
+    my $route_map_in = $plugin_config->{'route-map-in'} // 'MAP_VTEP_IN';
+    my $route_map_out = $plugin_config->{'route-map-out'} // 'MAP_VTEP_OUT';
+
     # Configure l2vpn evpn address family
     $bgp_router->{address_families}->{l2vpn_evpn} //= {
         neighbors => [{
             name => "VTEP",
-            route_map_in => 'MAP_VTEP_IN',
-            route_map_out => 'MAP_VTEP_OUT',
+            route_map_in => $route_map_in,
+            route_map_out => $route_map_out,
         }],
         advertise_all_vni => 1,
     };
 
     $bgp_router->{address_families}->{l2vpn_evpn}->{autort_as} = $autortas if $autortas;
 
-    my $routemap_in = { seq => 1, action => "permit" };
-    my $routemap_out = { seq => 1, action => "permit" };
+    if ($route_map_in eq 'MAP_VTEP_IN' && !$config->{frr}->{routemaps}->{'MAP_VTEP_IN'}) {
+        push($config->{frr}->{routemaps}->{'MAP_VTEP_IN'}->@*, { seq => 1, action => "permit" });
+    }
 
-    push($config->{frr}->{routemaps}->{'MAP_VTEP_IN'}->@*, $routemap_in);
-    push($config->{frr}->{routemaps}->{'MAP_VTEP_OUT'}->@*, $routemap_out);
+    if ($route_map_out eq 'MAP_VTEP_OUT' && !$config->{frr}->{routemaps}->{'MAP_VTEP_OUT'}) {
+        push($config->{frr}->{routemaps}->{'MAP_VTEP_OUT'}->@*, { seq => 1, action => "permit" });
+    }
 
     return $config;
 }
diff --git a/src/PVE/Network/SDN/Controllers/Plugin.pm b/src/PVE/Network/SDN/Controllers/Plugin.pm
index d70e518..5f9f1ef 100644
--- a/src/PVE/Network/SDN/Controllers/Plugin.pm
+++ b/src/PVE/Network/SDN/Controllers/Plugin.pm
@@ -7,6 +7,8 @@ use PVE::Tools;
 use PVE::JSONSchema;
 use PVE::Cluster;
 
+use PVE::Network::SDN::RouteMaps;
+
 use PVE::JSONSchema qw(get_standard_option);
 use base qw(PVE::SectionConfig);
 
@@ -51,6 +53,18 @@ my $defaultData = {
             'pve-sdn-controller-id',
             { completion => \&PVE::Network::SDN::complete_sdn_controller },
         ),
+        'route-map-in' => {
+            description => "Route Map that should be applied for incoming routes",
+            type => 'string',
+            format => 'pve-sdn-route-map-id',
+            optional => 1,
+        },
+        'route-map-out' => {
+            description => "Route Map that should be applied for outgoing routes",
+            type => 'string',
+            format => 'pve-sdn-route-map-id',
+            optional => 1,
+        },
     },
 };
 
-- 
2.47.3