From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id B55B11FF136
	for <inbox@lore.proxmox.com>; Mon, 04 May 2026 18:25:29 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 5CD819555;
	Mon,  4 May 2026 18:25:17 +0200 (CEST)
From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH proxmox-ve-rs v2 02/18] frr: add support for extcommunity
 lists
Date: Mon,  4 May 2026 18:24:41 +0200
Message-ID: <20260504162501.425135-3-s.hanreich@proxmox.com>
X-Mailer: git-send-email 2.47.3
In-Reply-To: <20260504162501.425135-1-s.hanreich@proxmox.com>
References: <20260504162501.425135-1-s.hanreich@proxmox.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1777911802795
X-SPAM-LEVEL: Spam detection results:  0
	AWL                     0.661 Adjusted score from AWL reputation of From:
 address
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_MISSING             0.1 Missing DMARC policy
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_PASS               -0.001 SPF: sender matches SPF record
Message-ID-Hash: LDUD7Q4AITUQ3XPUHU36UIS3KISPEB4F
X-Message-ID-Hash: LDUD7Q4AITUQ3XPUHU36UIS3KISPEB4F
X-MailFrom: s.hanreich@proxmox.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Owner: <mailto:pve-devel-owner@lists.proxmox.com>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Subscribe: <mailto:pve-devel-join@lists.proxmox.com>
List-Unsubscribe: <mailto:pve-devel-leave@lists.proxmox.com>

Extended Communities are used for encoding Route Targets in the EVPN
AF, among other things. FRR provides a mechanism to match based on
them via the extcommunity lists. Implement support for creating them,
so they can be used by the SDN stack for matching extended communities
in route maps. Initially, this will be used to filter outgoing routes
in EVPN controllers, but in the future it is planned to expose
creating extcommunity lists via our API / UI as well.

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 proxmox-frr/src/ser/bgp.rs       | 74 +++++++++++++++++++++++++++++++-
 proxmox-frr/src/ser/mod.rs       | 23 +++++++++-
 proxmox-frr/src/ser/route_map.rs | 43 ++++++++++++++-----
 3 files changed, 127 insertions(+), 13 deletions(-)

diff --git a/proxmox-frr/src/ser/bgp.rs b/proxmox-frr/src/ser/bgp.rs
index 79bc920..c1b4466 100644
--- a/proxmox-frr/src/ser/bgp.rs
+++ b/proxmox-frr/src/ser/bgp.rs
@@ -1,10 +1,11 @@
+use std::fmt::Display;
 use std::net::{IpAddr, Ipv4Addr};
 
 use proxmox_network_types::ip_address::{Ipv4Cidr, Ipv6Cidr};
 use serde::{Deserialize, Serialize};
 
 use crate::ser::route_map::RouteMapName;
-use crate::ser::{FrrWord, InterfaceName, IpRoute};
+use crate::ser::{AccessAction, FrrWord, InterfaceName, IpRoute};
 
 #[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, Serialize, Deserialize)]
 pub struct BgpRouterName {
@@ -195,3 +196,74 @@ pub struct BgpRouter {
     #[serde(default)]
     pub custom_frr_config: Vec<String>,
 }
+
+#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize, Deserialize)]
+pub struct CommunityListName(String);
+
+impl Display for CommunityListName {
+    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
+        Display::fmt(&self.0, f)
+    }
+}
+
+impl CommunityListName {
+    pub fn new(name: String) -> Self {
+        Self(name)
+    }
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord)]
+pub struct ExtCommunityRouteTarget {
+    asn: u16,
+    value: u32,
+}
+
+impl std::str::FromStr for ExtCommunityRouteTarget {
+    type Err = anyhow::Error;
+
+    fn from_str(value: &str) -> Result<Self, Self::Err> {
+        if let Some((asn, value)) = value.split_once(':') {
+            return Ok(Self {
+                asn: asn.parse()?,
+                value: value.parse()?,
+            });
+        }
+
+        anyhow::bail!("can not parse route target: {value}")
+    }
+}
+
+impl Display for ExtCommunityRouteTarget {
+    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
+        write!(f, "{}:{}", self.asn, self.value)
+    }
+}
+
+proxmox_serde::forward_serialize_to_display!(ExtCommunityRouteTarget);
+proxmox_serde::forward_deserialize_to_from_str!(ExtCommunityRouteTarget);
+
+#[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, Serialize, Deserialize)]
+#[serde(tag = "type", content = "value")]
+pub enum StandardExtCommunityListMatch {
+    #[serde(rename = "rt")]
+    RouteTarget(ExtCommunityRouteTarget),
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, Serialize, Deserialize)]
+pub struct ExpandedExtCommunityListEntry {
+    pub action: AccessAction,
+    pub match_entry: String,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, Serialize, Deserialize)]
+pub struct StandardExtCommunityListEntry {
+    pub action: AccessAction,
+    pub match_entry: StandardExtCommunityListMatch,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, Serialize, Deserialize)]
+#[serde(tag = "type", content = "entries", rename_all = "kebab-case")]
+pub enum ExtCommunityList {
+    Standard(Vec<StandardExtCommunityListEntry>),
+    Expanded(Vec<ExpandedExtCommunityListEntry>),
+}
diff --git a/proxmox-frr/src/ser/mod.rs b/proxmox-frr/src/ser/mod.rs
index 74190ec..cf7ae19 100644
--- a/proxmox-frr/src/ser/mod.rs
+++ b/proxmox-frr/src/ser/mod.rs
@@ -9,8 +9,11 @@ use std::collections::BTreeMap;
 use std::net::IpAddr;
 use std::str::FromStr;
 
-use crate::ser::route_map::{
-    AccessListName, AccessListRule, PrefixListName, PrefixListRule, RouteMapEntry, RouteMapName,
+use crate::ser::{
+    bgp::{CommunityListName, ExtCommunityList},
+    route_map::{
+        AccessListName, AccessListRule, PrefixListName, PrefixListRule, RouteMapEntry, RouteMapName,
+    },
 };
 
 use proxmox_network_types::{
@@ -21,6 +24,19 @@ use proxmox_serde::forward_deserialize_to_from_str;
 use serde::{Deserialize, Serialize};
 use thiserror::Error;
 
+/// The action for a [`AccessListRule`] or [`ExtCommunityList`].
+///
+/// The default is Permit. Deny can be used to create a NOT match (e.g. match all routes that are
+/// NOT in 10.10.10.0/24 using `ip access-list TEST deny 10.10.10.0/24`).
+#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize, Deserialize)]
+#[serde(rename_all = "kebab-case")]
+pub enum AccessAction {
+    Permit,
+    Deny,
+}
+
+proxmox_serde::forward_display_to_serialize!(AccessAction);
+
 #[derive(Error, Debug)]
 pub enum FrrWordError {
     #[error("word is empty")]
@@ -255,4 +271,7 @@ pub struct BgpFrrConfig {
 
     #[serde(default)]
     pub vrfs: BTreeMap<InterfaceName, bgp::Vrf>,
+
+    #[serde(default)]
+    pub ext_community_lists: BTreeMap<CommunityListName, ExtCommunityList>,
 }
diff --git a/proxmox-frr/src/ser/route_map.rs b/proxmox-frr/src/ser/route_map.rs
index 7a3a30d..7e2bbb2 100644
--- a/proxmox-frr/src/ser/route_map.rs
+++ b/proxmox-frr/src/ser/route_map.rs
@@ -7,16 +7,8 @@ use proxmox_sdn_types::{
 };
 use serde::{Deserialize, Serialize};
 
-/// The action for a [`AccessListRule`].
-///
-/// The default is Permit. Deny can be used to create a NOT match (e.g. match all routes that are
-/// NOT in 10.10.10.0/24 using `ip access-list TEST deny 10.10.10.0/24`).
-#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Serialize, Deserialize)]
-#[serde(rename_all = "kebab-case")]
-pub enum AccessAction {
-    Permit,
-    Deny,
-}
+use crate::ser::bgp::CommunityListName;
+pub use crate::ser::AccessAction;
 
 /// A single [`AccessList`] rule.
 ///
@@ -66,6 +58,35 @@ pub struct PrefixListRule {
     pub is_ipv6: bool,
 }
 
+#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Deserialize, Serialize)]
+#[serde(rename_all = "kebab-case")]
+pub enum CommunityMatchMode {
+    ExactMatch,
+    Any,
+}
+
+proxmox_serde::forward_display_to_serialize!(CommunityMatchMode);
+
+#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord, Hash, Deserialize)]
+pub struct ExtendedCommunityMatch {
+    pub name: CommunityListName,
+    pub mode: Option<CommunityMatchMode>,
+}
+
+impl std::fmt::Display for ExtendedCommunityMatch {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let mode = self
+            .mode
+            .as_ref()
+            .map(|mode| format!(" {mode}"))
+            .unwrap_or_else(|| String::new());
+
+        write!(f, "{}{mode}", self.name)
+    }
+}
+
+proxmox_serde::forward_serialize_to_display!(ExtendedCommunityMatch);
+
 /// A match statement inside a route-map.
 ///
 /// A route-map has one or more match statements which decide on which routes the route-map will
@@ -102,6 +123,8 @@ pub enum RouteMapMatch {
     Peer(String),
     #[serde(rename = "tag")]
     Tag(SetTagValue),
+    #[serde(rename = "extcommunity")]
+    ExtendedCommunity(ExtendedCommunityMatch),
 }
 
 /// Defines the Action a route-map takes when it matches on a route.
-- 
2.47.3