1 /* Route filtering function.
2 * Copyright (C) 1998, 1999 Kunihiro Ishiguro
4 * This file is part of GNU Zebra.
6 * GNU Zebra is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published
8 * by the Free Software Foundation; either version 2, or (at your
9 * option) any later version.
11 * GNU Zebra is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * General Public License for more details.
16 * You should have received a copy of the GNU General Public License along
17 * with this program; see the file COPYING; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
27 #include "sockunion.h"
33 DEFINE_MTYPE_STATIC(LIB
, ACCESS_LIST
, "Access List")
34 DEFINE_MTYPE_STATIC(LIB
, ACCESS_LIST_STR
, "Access List Str")
35 DEFINE_MTYPE_STATIC(LIB
, ACCESS_FILTER
, "Access Filter")
38 /* Cisco access-list */
41 struct in_addr addr_mask
;
43 struct in_addr mask_mask
;
47 /* If this filter is "exact" match then this flag is set. */
50 /* Prefix information. */
54 /* Filter element of access list */
56 /* For doubly linked list. */
60 /* Filter type information. */
61 enum filter_type type
;
63 /* Cisco access-list */
67 struct filter_cisco cfilter
;
68 struct filter_zebra zfilter
;
72 /* List of access_list. */
73 struct access_list_list
{
74 struct access_list
*head
;
75 struct access_list
*tail
;
78 /* Master structure of access_list. */
79 struct access_master
{
80 /* List of access_list which name is number. */
81 struct access_list_list num
;
83 /* List of access_list which name is string. */
84 struct access_list_list str
;
86 /* Hook function which is executed when new access_list is added. */
87 void (*add_hook
)(struct access_list
*);
89 /* Hook function which is executed when access_list is deleted. */
90 void (*delete_hook
)(struct access_list
*);
93 /* Static structure for mac access_list's master. */
94 static struct access_master access_master_mac
= {
101 /* Static structure for IPv4 access_list's master. */
102 static struct access_master access_master_ipv4
= {
109 /* Static structure for IPv6 access_list's master. */
110 static struct access_master access_master_ipv6
= {
117 static struct access_master
*access_master_get(afi_t afi
)
120 return &access_master_ipv4
;
121 else if (afi
== AFI_IP6
)
122 return &access_master_ipv6
;
123 else if (afi
== AFI_L2VPN
)
124 return &access_master_mac
;
128 /* Allocate new filter structure. */
129 static struct filter
*filter_new(void)
131 return (struct filter
*)XCALLOC(MTYPE_ACCESS_FILTER
,
132 sizeof(struct filter
));
135 static void filter_free(struct filter
*filter
)
137 XFREE(MTYPE_ACCESS_FILTER
, filter
);
140 /* Return string of filter_type. */
141 static const char *filter_type_str(struct filter
*filter
)
143 switch (filter
->type
) {
159 /* If filter match to the prefix then return 1. */
160 static int filter_match_cisco(struct filter
*mfilter
, const struct prefix
*p
)
162 struct filter_cisco
*filter
;
167 filter
= &mfilter
->u
.cfilter
;
168 check_addr
= p
->u
.prefix4
.s_addr
& ~filter
->addr_mask
.s_addr
;
170 if (filter
->extended
) {
171 masklen2ip(p
->prefixlen
, &mask
);
172 check_mask
= mask
.s_addr
& ~filter
->mask_mask
.s_addr
;
174 if (memcmp(&check_addr
, &filter
->addr
.s_addr
, 4) == 0
175 && memcmp(&check_mask
, &filter
->mask
.s_addr
, 4) == 0)
177 } else if (memcmp(&check_addr
, &filter
->addr
.s_addr
, 4) == 0)
183 /* If filter match to the prefix then return 1. */
184 static int filter_match_zebra(struct filter
*mfilter
, const struct prefix
*p
)
186 struct filter_zebra
*filter
= NULL
;
188 filter
= &mfilter
->u
.zfilter
;
190 if (filter
->prefix
.family
== p
->family
) {
192 if (filter
->prefix
.prefixlen
== p
->prefixlen
)
193 return prefix_match(&filter
->prefix
, p
);
197 return prefix_match(&filter
->prefix
, p
);
202 /* Allocate new access list structure. */
203 static struct access_list
*access_list_new(void)
205 return (struct access_list
*)XCALLOC(MTYPE_ACCESS_LIST
,
206 sizeof(struct access_list
));
209 /* Free allocated access_list. */
210 static void access_list_free(struct access_list
*access
)
212 XFREE(MTYPE_ACCESS_LIST
, access
);
215 /* Delete access_list from access_master and free it. */
216 static void access_list_delete(struct access_list
*access
)
218 struct filter
*filter
;
220 struct access_list_list
*list
;
221 struct access_master
*master
;
223 for (filter
= access
->head
; filter
; filter
= next
) {
228 master
= access
->master
;
230 if (access
->type
== ACCESS_TYPE_NUMBER
)
236 access
->next
->prev
= access
->prev
;
238 list
->tail
= access
->prev
;
241 access
->prev
->next
= access
->next
;
243 list
->head
= access
->next
;
246 XFREE(MTYPE_ACCESS_LIST_STR
, access
->name
);
249 XFREE(MTYPE_TMP
, access
->remark
);
251 access_list_free(access
);
254 /* Insert new access list to list of access_list. Each acceess_list
255 is sorted by the name. */
256 static struct access_list
*access_list_insert(afi_t afi
, const char *name
)
260 struct access_list
*access
;
261 struct access_list
*point
;
262 struct access_list_list
*alist
;
263 struct access_master
*master
;
265 master
= access_master_get(afi
);
269 /* Allocate new access_list and copy given name. */
270 access
= access_list_new();
271 access
->name
= XSTRDUP(MTYPE_ACCESS_LIST_STR
, name
);
272 access
->master
= master
;
274 /* If name is made by all digit character. We treat it as
276 for (number
= 0, i
= 0; i
< strlen(name
); i
++) {
277 if (isdigit((int)name
[i
]))
278 number
= (number
* 10) + (name
[i
] - '0');
283 /* In case of name is all digit character */
284 if (i
== strlen(name
)) {
285 access
->type
= ACCESS_TYPE_NUMBER
;
287 /* Set access_list to number list. */
288 alist
= &master
->num
;
290 for (point
= alist
->head
; point
; point
= point
->next
)
291 if (atol(point
->name
) >= number
)
294 access
->type
= ACCESS_TYPE_STRING
;
296 /* Set access_list to string list. */
297 alist
= &master
->str
;
299 /* Set point to insertion point. */
300 for (point
= alist
->head
; point
; point
= point
->next
)
301 if (strcmp(point
->name
, name
) >= 0)
305 /* In case of this is the first element of master. */
306 if (alist
->head
== NULL
) {
307 alist
->head
= alist
->tail
= access
;
311 /* In case of insertion is made at the tail of access_list. */
313 access
->prev
= alist
->tail
;
314 alist
->tail
->next
= access
;
315 alist
->tail
= access
;
319 /* In case of insertion is made at the head of access_list. */
320 if (point
== alist
->head
) {
321 access
->next
= alist
->head
;
322 alist
->head
->prev
= access
;
323 alist
->head
= access
;
327 /* Insertion is made at middle of the access_list. */
328 access
->next
= point
;
329 access
->prev
= point
->prev
;
332 point
->prev
->next
= access
;
333 point
->prev
= access
;
338 /* Lookup access_list from list of access_list by name. */
339 struct access_list
*access_list_lookup(afi_t afi
, const char *name
)
341 struct access_list
*access
;
342 struct access_master
*master
;
347 master
= access_master_get(afi
);
351 for (access
= master
->num
.head
; access
; access
= access
->next
)
352 if (strcmp(access
->name
, name
) == 0)
355 for (access
= master
->str
.head
; access
; access
= access
->next
)
356 if (strcmp(access
->name
, name
) == 0)
362 /* Get access list from list of access_list. If there isn't matched
363 access_list create new one and return it. */
364 static struct access_list
*access_list_get(afi_t afi
, const char *name
)
366 struct access_list
*access
;
368 access
= access_list_lookup(afi
, name
);
370 access
= access_list_insert(afi
, name
);
374 /* Apply access list to object (which should be struct prefix *). */
375 enum filter_type
access_list_apply(struct access_list
*access
,
378 struct filter
*filter
;
379 const struct prefix
*p
= (const struct prefix
*)object
;
384 for (filter
= access
->head
; filter
; filter
= filter
->next
) {
386 if (filter_match_cisco(filter
, p
))
389 if (filter_match_zebra(filter
, p
))
397 /* Add hook function. */
398 void access_list_add_hook(void (*func
)(struct access_list
*access
))
400 access_master_ipv4
.add_hook
= func
;
401 access_master_ipv6
.add_hook
= func
;
402 access_master_mac
.add_hook
= func
;
405 /* Delete hook function. */
406 void access_list_delete_hook(void (*func
)(struct access_list
*access
))
408 access_master_ipv4
.delete_hook
= func
;
409 access_master_ipv6
.delete_hook
= func
;
410 access_master_mac
.delete_hook
= func
;
413 /* Add new filter to the end of specified access_list. */
414 static void access_list_filter_add(struct access_list
*access
,
415 struct filter
*filter
)
418 filter
->prev
= access
->tail
;
421 access
->tail
->next
= filter
;
423 access
->head
= filter
;
424 access
->tail
= filter
;
426 /* Run hook function. */
427 if (access
->master
->add_hook
)
428 (*access
->master
->add_hook
)(access
);
429 route_map_notify_dependencies(access
->name
, RMAP_EVENT_FILTER_ADDED
);
432 /* If access_list has no filter then return 1. */
433 static int access_list_empty(struct access_list
*access
)
435 if (access
->head
== NULL
&& access
->tail
== NULL
)
441 /* Delete filter from specified access_list. If there is hook
442 function execute it. */
443 static void access_list_filter_delete(struct access_list
*access
,
444 struct filter
*filter
)
446 struct access_master
*master
;
448 master
= access
->master
;
451 filter
->next
->prev
= filter
->prev
;
453 access
->tail
= filter
->prev
;
456 filter
->prev
->next
= filter
->next
;
458 access
->head
= filter
->next
;
462 route_map_notify_dependencies(access
->name
, RMAP_EVENT_FILTER_DELETED
);
463 /* Run hook function. */
464 if (master
->delete_hook
)
465 (*master
->delete_hook
)(access
);
467 /* If access_list becomes empty delete it from access_master. */
468 if (access_list_empty(access
))
469 access_list_delete(access
);
473 deny Specify packets to reject
474 permit Specify packets to forward
479 Hostname or A.B.C.D Address to match
481 host A single host address
484 static struct filter
*filter_lookup_cisco(struct access_list
*access
,
487 struct filter
*mfilter
;
488 struct filter_cisco
*filter
;
489 struct filter_cisco
*new;
491 new = &mnew
->u
.cfilter
;
493 for (mfilter
= access
->head
; mfilter
; mfilter
= mfilter
->next
) {
494 filter
= &mfilter
->u
.cfilter
;
496 if (filter
->extended
) {
497 if (mfilter
->type
== mnew
->type
498 && filter
->addr
.s_addr
== new->addr
.s_addr
499 && filter
->addr_mask
.s_addr
== new->addr_mask
.s_addr
500 && filter
->mask
.s_addr
== new->mask
.s_addr
501 && filter
->mask_mask
.s_addr
502 == new->mask_mask
.s_addr
)
505 if (mfilter
->type
== mnew
->type
506 && filter
->addr
.s_addr
== new->addr
.s_addr
507 && filter
->addr_mask
.s_addr
508 == new->addr_mask
.s_addr
)
516 static struct filter
*filter_lookup_zebra(struct access_list
*access
,
519 struct filter
*mfilter
;
520 struct filter_zebra
*filter
;
521 struct filter_zebra
*new;
523 new = &mnew
->u
.zfilter
;
525 for (mfilter
= access
->head
; mfilter
; mfilter
= mfilter
->next
) {
526 filter
= &mfilter
->u
.zfilter
;
528 if (filter
->exact
== new->exact
529 && mfilter
->type
== mnew
->type
) {
530 if (prefix_same(&filter
->prefix
, &new->prefix
))
537 static int vty_access_list_remark_unset(struct vty
*vty
, afi_t afi
,
540 struct access_list
*access
;
542 access
= access_list_lookup(afi
, name
);
544 vty_out(vty
, "%% access-list %s doesn't exist\n", name
);
545 return CMD_WARNING_CONFIG_FAILED
;
548 if (access
->remark
) {
549 XFREE(MTYPE_TMP
, access
->remark
);
550 access
->remark
= NULL
;
553 if (access
->head
== NULL
&& access
->tail
== NULL
)
554 access_list_delete(access
);
559 static int filter_set_cisco(struct vty
*vty
, const char *name_str
,
560 const char *type_str
, const char *addr_str
,
561 const char *addr_mask_str
, const char *mask_str
,
562 const char *mask_mask_str
, int extended
, int set
)
565 enum filter_type type
;
566 struct filter
*mfilter
;
567 struct filter_cisco
*filter
;
568 struct access_list
*access
;
570 struct in_addr addr_mask
;
572 struct in_addr mask_mask
;
574 /* Check of filter type. */
575 if (strncmp(type_str
, "p", 1) == 0)
576 type
= FILTER_PERMIT
;
577 else if (strncmp(type_str
, "d", 1) == 0)
580 vty_out(vty
, "%% filter type must be permit or deny\n");
581 return CMD_WARNING_CONFIG_FAILED
;
584 ret
= inet_aton(addr_str
, &addr
);
586 vty_out(vty
, "%%Inconsistent address and mask\n");
587 return CMD_WARNING_CONFIG_FAILED
;
590 ret
= inet_aton(addr_mask_str
, &addr_mask
);
592 vty_out(vty
, "%%Inconsistent address and mask\n");
593 return CMD_WARNING_CONFIG_FAILED
;
597 ret
= inet_aton(mask_str
, &mask
);
599 vty_out(vty
, "%%Inconsistent address and mask\n");
600 return CMD_WARNING_CONFIG_FAILED
;
603 ret
= inet_aton(mask_mask_str
, &mask_mask
);
605 vty_out(vty
, "%%Inconsistent address and mask\n");
606 return CMD_WARNING_CONFIG_FAILED
;
610 mfilter
= filter_new();
611 mfilter
->type
= type
;
613 filter
= &mfilter
->u
.cfilter
;
614 filter
->extended
= extended
;
615 filter
->addr
.s_addr
= addr
.s_addr
& ~addr_mask
.s_addr
;
616 filter
->addr_mask
.s_addr
= addr_mask
.s_addr
;
619 filter
->mask
.s_addr
= mask
.s_addr
& ~mask_mask
.s_addr
;
620 filter
->mask_mask
.s_addr
= mask_mask
.s_addr
;
623 /* Install new filter to the access_list. */
624 access
= access_list_get(AFI_IP
, name_str
);
627 if (filter_lookup_cisco(access
, mfilter
))
628 filter_free(mfilter
);
630 access_list_filter_add(access
, mfilter
);
632 struct filter
*delete_filter
;
634 delete_filter
= filter_lookup_cisco(access
, mfilter
);
636 access_list_filter_delete(access
, delete_filter
);
638 filter_free(mfilter
);
644 /* Standard access-list */
645 DEFUN (access_list_standard
,
646 access_list_standard_cmd
,
647 "access-list <(1-99)|(1300-1999)> <deny|permit> A.B.C.D A.B.C.D",
648 "Add an access list entry\n"
649 "IP standard access list\n"
650 "IP standard access list (expanded range)\n"
651 "Specify packets to reject\n"
652 "Specify packets to forward\n"
657 int idx_permit_deny
= 2;
660 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
661 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
662 argv
[idx_ipv4_2
]->arg
, NULL
, NULL
, 0, 1);
665 DEFUN (access_list_standard_nomask
,
666 access_list_standard_nomask_cmd
,
667 "access-list <(1-99)|(1300-1999)> <deny|permit> A.B.C.D",
668 "Add an access list entry\n"
669 "IP standard access list\n"
670 "IP standard access list (expanded range)\n"
671 "Specify packets to reject\n"
672 "Specify packets to forward\n"
673 "Address to match\n")
676 int idx_permit_deny
= 2;
678 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
679 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
680 "0.0.0.0", NULL
, NULL
, 0, 1);
683 DEFUN (access_list_standard_host
,
684 access_list_standard_host_cmd
,
685 "access-list <(1-99)|(1300-1999)> <deny|permit> host A.B.C.D",
686 "Add an access list entry\n"
687 "IP standard access list\n"
688 "IP standard access list (expanded range)\n"
689 "Specify packets to reject\n"
690 "Specify packets to forward\n"
691 "A single host address\n"
692 "Address to match\n")
695 int idx_permit_deny
= 2;
697 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
698 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
699 "0.0.0.0", NULL
, NULL
, 0, 1);
702 DEFUN (access_list_standard_any
,
703 access_list_standard_any_cmd
,
704 "access-list <(1-99)|(1300-1999)> <deny|permit> any",
705 "Add an access list entry\n"
706 "IP standard access list\n"
707 "IP standard access list (expanded range)\n"
708 "Specify packets to reject\n"
709 "Specify packets to forward\n"
713 int idx_permit_deny
= 2;
714 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
715 argv
[idx_permit_deny
]->arg
, "0.0.0.0",
716 "255.255.255.255", NULL
, NULL
, 0, 1);
719 DEFUN (no_access_list_standard
,
720 no_access_list_standard_cmd
,
721 "no access-list <(1-99)|(1300-1999)> <deny|permit> A.B.C.D A.B.C.D",
723 "Add an access list entry\n"
724 "IP standard access list\n"
725 "IP standard access list (expanded range)\n"
726 "Specify packets to reject\n"
727 "Specify packets to forward\n"
732 int idx_permit_deny
= 3;
735 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
736 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
737 argv
[idx_ipv4_2
]->arg
, NULL
, NULL
, 0, 0);
740 DEFUN (no_access_list_standard_nomask
,
741 no_access_list_standard_nomask_cmd
,
742 "no access-list <(1-99)|(1300-1999)> <deny|permit> A.B.C.D",
744 "Add an access list entry\n"
745 "IP standard access list\n"
746 "IP standard access list (expanded range)\n"
747 "Specify packets to reject\n"
748 "Specify packets to forward\n"
749 "Address to match\n")
752 int idx_permit_deny
= 3;
754 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
755 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
756 "0.0.0.0", NULL
, NULL
, 0, 0);
759 DEFUN (no_access_list_standard_host
,
760 no_access_list_standard_host_cmd
,
761 "no access-list <(1-99)|(1300-1999)> <deny|permit> host A.B.C.D",
763 "Add an access list entry\n"
764 "IP standard access list\n"
765 "IP standard access list (expanded range)\n"
766 "Specify packets to reject\n"
767 "Specify packets to forward\n"
768 "A single host address\n"
769 "Address to match\n")
772 int idx_permit_deny
= 3;
774 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
775 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
776 "0.0.0.0", NULL
, NULL
, 0, 0);
779 DEFUN (no_access_list_standard_any
,
780 no_access_list_standard_any_cmd
,
781 "no access-list <(1-99)|(1300-1999)> <deny|permit> any",
783 "Add an access list entry\n"
784 "IP standard access list\n"
785 "IP standard access list (expanded range)\n"
786 "Specify packets to reject\n"
787 "Specify packets to forward\n"
791 int idx_permit_deny
= 3;
792 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
793 argv
[idx_permit_deny
]->arg
, "0.0.0.0",
794 "255.255.255.255", NULL
, NULL
, 0, 0);
797 /* Extended access-list */
798 DEFUN (access_list_extended
,
799 access_list_extended_cmd
,
800 "access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D A.B.C.D A.B.C.D",
801 "Add an access list entry\n"
802 "IP extended access list\n"
803 "IP extended access list (expanded range)\n"
804 "Specify packets to reject\n"
805 "Specify packets to forward\n"
806 "Any Internet Protocol\n"
808 "Source wildcard bits\n"
809 "Destination address\n"
810 "Destination Wildcard bits\n")
813 int idx_permit_deny
= 2;
818 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
819 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
820 argv
[idx_ipv4_2
]->arg
, argv
[idx_ipv4_3
]->arg
,
821 argv
[idx_ipv4_4
]->arg
, 1, 1);
824 DEFUN (access_list_extended_mask_any
,
825 access_list_extended_mask_any_cmd
,
826 "access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D any",
827 "Add an access list entry\n"
828 "IP extended access list\n"
829 "IP extended access list (expanded range)\n"
830 "Specify packets to reject\n"
831 "Specify packets to forward\n"
832 "Any Internet Protocol\n"
834 "Source wildcard bits\n"
835 "Any destination host\n")
838 int idx_permit_deny
= 2;
841 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
842 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
843 argv
[idx_ipv4_2
]->arg
, "0.0.0.0",
844 "255.255.255.255", 1, 1);
847 DEFUN (access_list_extended_any_mask
,
848 access_list_extended_any_mask_cmd
,
849 "access-list <(100-199)|(2000-2699)> <deny|permit> ip any A.B.C.D A.B.C.D",
850 "Add an access list entry\n"
851 "IP extended access list\n"
852 "IP extended access list (expanded range)\n"
853 "Specify packets to reject\n"
854 "Specify packets to forward\n"
855 "Any Internet Protocol\n"
857 "Destination address\n"
858 "Destination Wildcard bits\n")
861 int idx_permit_deny
= 2;
864 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
865 argv
[idx_permit_deny
]->arg
, "0.0.0.0",
866 "255.255.255.255", argv
[idx_ipv4
]->arg
,
867 argv
[idx_ipv4_2
]->arg
, 1, 1);
870 DEFUN (access_list_extended_any_any
,
871 access_list_extended_any_any_cmd
,
872 "access-list <(100-199)|(2000-2699)> <deny|permit> ip any any",
873 "Add an access list entry\n"
874 "IP extended access list\n"
875 "IP extended access list (expanded range)\n"
876 "Specify packets to reject\n"
877 "Specify packets to forward\n"
878 "Any Internet Protocol\n"
880 "Any destination host\n")
883 int idx_permit_deny
= 2;
884 return filter_set_cisco(
885 vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
886 "255.255.255.255", "0.0.0.0", "255.255.255.255", 1, 1);
889 DEFUN (access_list_extended_mask_host
,
890 access_list_extended_mask_host_cmd
,
891 "access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D host A.B.C.D",
892 "Add an access list entry\n"
893 "IP extended access list\n"
894 "IP extended access list (expanded range)\n"
895 "Specify packets to reject\n"
896 "Specify packets to forward\n"
897 "Any Internet Protocol\n"
899 "Source wildcard bits\n"
900 "A single destination host\n"
901 "Destination address\n")
904 int idx_permit_deny
= 2;
908 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
909 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
910 argv
[idx_ipv4_2
]->arg
, argv
[idx_ipv4_3
]->arg
,
914 DEFUN (access_list_extended_host_mask
,
915 access_list_extended_host_mask_cmd
,
916 "access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D A.B.C.D A.B.C.D",
917 "Add an access list entry\n"
918 "IP extended access list\n"
919 "IP extended access list (expanded range)\n"
920 "Specify packets to reject\n"
921 "Specify packets to forward\n"
922 "Any Internet Protocol\n"
923 "A single source host\n"
925 "Destination address\n"
926 "Destination Wildcard bits\n")
929 int idx_permit_deny
= 2;
933 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
934 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
935 "0.0.0.0", argv
[idx_ipv4_2
]->arg
,
936 argv
[idx_ipv4_3
]->arg
, 1, 1);
939 DEFUN (access_list_extended_host_host
,
940 access_list_extended_host_host_cmd
,
941 "access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D host A.B.C.D",
942 "Add an access list entry\n"
943 "IP extended access list\n"
944 "IP extended access list (expanded range)\n"
945 "Specify packets to reject\n"
946 "Specify packets to forward\n"
947 "Any Internet Protocol\n"
948 "A single source host\n"
950 "A single destination host\n"
951 "Destination address\n")
954 int idx_permit_deny
= 2;
957 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
958 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
959 "0.0.0.0", argv
[idx_ipv4_2
]->arg
, "0.0.0.0", 1,
963 DEFUN (access_list_extended_any_host
,
964 access_list_extended_any_host_cmd
,
965 "access-list <(100-199)|(2000-2699)> <deny|permit> ip any host A.B.C.D",
966 "Add an access list entry\n"
967 "IP extended access list\n"
968 "IP extended access list (expanded range)\n"
969 "Specify packets to reject\n"
970 "Specify packets to forward\n"
971 "Any Internet Protocol\n"
973 "A single destination host\n"
974 "Destination address\n")
977 int idx_permit_deny
= 2;
979 return filter_set_cisco(
980 vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
981 "255.255.255.255", argv
[idx_ipv4
]->arg
, "0.0.0.0", 1, 1);
984 DEFUN (access_list_extended_host_any
,
985 access_list_extended_host_any_cmd
,
986 "access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D any",
987 "Add an access list entry\n"
988 "IP extended access list\n"
989 "IP extended access list (expanded range)\n"
990 "Specify packets to reject\n"
991 "Specify packets to forward\n"
992 "Any Internet Protocol\n"
993 "A single source host\n"
995 "Any destination host\n")
998 int idx_permit_deny
= 2;
1000 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1001 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1002 "0.0.0.0", "0.0.0.0", "255.255.255.255", 1, 1);
1005 DEFUN (no_access_list_extended
,
1006 no_access_list_extended_cmd
,
1007 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D A.B.C.D A.B.C.D",
1009 "Add an access list entry\n"
1010 "IP extended access list\n"
1011 "IP extended access list (expanded range)\n"
1012 "Specify packets to reject\n"
1013 "Specify packets to forward\n"
1014 "Any Internet Protocol\n"
1016 "Source wildcard bits\n"
1017 "Destination address\n"
1018 "Destination Wildcard bits\n")
1021 int idx_permit_deny
= 3;
1026 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1027 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1028 argv
[idx_ipv4_2
]->arg
, argv
[idx_ipv4_3
]->arg
,
1029 argv
[idx_ipv4_4
]->arg
, 1, 0);
1032 DEFUN (no_access_list_extended_mask_any
,
1033 no_access_list_extended_mask_any_cmd
,
1034 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D any",
1036 "Add an access list entry\n"
1037 "IP extended access list\n"
1038 "IP extended access list (expanded range)\n"
1039 "Specify packets to reject\n"
1040 "Specify packets to forward\n"
1041 "Any Internet Protocol\n"
1043 "Source wildcard bits\n"
1044 "Any destination host\n")
1047 int idx_permit_deny
= 3;
1050 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1051 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1052 argv
[idx_ipv4_2
]->arg
, "0.0.0.0",
1053 "255.255.255.255", 1, 0);
1056 DEFUN (no_access_list_extended_any_mask
,
1057 no_access_list_extended_any_mask_cmd
,
1058 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip any A.B.C.D A.B.C.D",
1060 "Add an access list entry\n"
1061 "IP extended access list\n"
1062 "IP extended access list (expanded range)\n"
1063 "Specify packets to reject\n"
1064 "Specify packets to forward\n"
1065 "Any Internet Protocol\n"
1067 "Destination address\n"
1068 "Destination Wildcard bits\n")
1071 int idx_permit_deny
= 3;
1074 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1075 argv
[idx_permit_deny
]->arg
, "0.0.0.0",
1076 "255.255.255.255", argv
[idx_ipv4
]->arg
,
1077 argv
[idx_ipv4_2
]->arg
, 1, 0);
1080 DEFUN (no_access_list_extended_any_any
,
1081 no_access_list_extended_any_any_cmd
,
1082 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip any any",
1084 "Add an access list entry\n"
1085 "IP extended access list\n"
1086 "IP extended access list (expanded range)\n"
1087 "Specify packets to reject\n"
1088 "Specify packets to forward\n"
1089 "Any Internet Protocol\n"
1091 "Any destination host\n")
1094 int idx_permit_deny
= 3;
1095 return filter_set_cisco(
1096 vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
1097 "255.255.255.255", "0.0.0.0", "255.255.255.255", 1, 0);
1100 DEFUN (no_access_list_extended_mask_host
,
1101 no_access_list_extended_mask_host_cmd
,
1102 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D host A.B.C.D",
1104 "Add an access list entry\n"
1105 "IP extended access list\n"
1106 "IP extended access list (expanded range)\n"
1107 "Specify packets to reject\n"
1108 "Specify packets to forward\n"
1109 "Any Internet Protocol\n"
1111 "Source wildcard bits\n"
1112 "A single destination host\n"
1113 "Destination address\n")
1116 int idx_permit_deny
= 3;
1120 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1121 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1122 argv
[idx_ipv4_2
]->arg
, argv
[idx_ipv4_3
]->arg
,
1126 DEFUN (no_access_list_extended_host_mask
,
1127 no_access_list_extended_host_mask_cmd
,
1128 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D A.B.C.D A.B.C.D",
1130 "Add an access list entry\n"
1131 "IP extended access list\n"
1132 "IP extended access list (expanded range)\n"
1133 "Specify packets to reject\n"
1134 "Specify packets to forward\n"
1135 "Any Internet Protocol\n"
1136 "A single source host\n"
1138 "Destination address\n"
1139 "Destination Wildcard bits\n")
1142 int idx_permit_deny
= 3;
1146 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1147 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1148 "0.0.0.0", argv
[idx_ipv4_2
]->arg
,
1149 argv
[idx_ipv4_3
]->arg
, 1, 0);
1152 DEFUN (no_access_list_extended_host_host
,
1153 no_access_list_extended_host_host_cmd
,
1154 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D host A.B.C.D",
1156 "Add an access list entry\n"
1157 "IP extended access list\n"
1158 "IP extended access list (expanded range)\n"
1159 "Specify packets to reject\n"
1160 "Specify packets to forward\n"
1161 "Any Internet Protocol\n"
1162 "A single source host\n"
1164 "A single destination host\n"
1165 "Destination address\n")
1168 int idx_permit_deny
= 3;
1171 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1172 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1173 "0.0.0.0", argv
[idx_ipv4_2
]->arg
, "0.0.0.0", 1,
1177 DEFUN (no_access_list_extended_any_host
,
1178 no_access_list_extended_any_host_cmd
,
1179 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip any host A.B.C.D",
1181 "Add an access list entry\n"
1182 "IP extended access list\n"
1183 "IP extended access list (expanded range)\n"
1184 "Specify packets to reject\n"
1185 "Specify packets to forward\n"
1186 "Any Internet Protocol\n"
1188 "A single destination host\n"
1189 "Destination address\n")
1192 int idx_permit_deny
= 3;
1194 return filter_set_cisco(
1195 vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
1196 "255.255.255.255", argv
[idx_ipv4
]->arg
, "0.0.0.0", 1, 0);
1199 DEFUN (no_access_list_extended_host_any
,
1200 no_access_list_extended_host_any_cmd
,
1201 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D any",
1203 "Add an access list entry\n"
1204 "IP extended access list\n"
1205 "IP extended access list (expanded range)\n"
1206 "Specify packets to reject\n"
1207 "Specify packets to forward\n"
1208 "Any Internet Protocol\n"
1209 "A single source host\n"
1211 "Any destination host\n")
1214 int idx_permit_deny
= 3;
1216 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1217 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1218 "0.0.0.0", "0.0.0.0", "255.255.255.255", 1, 0);
1221 static int filter_set_zebra(struct vty
*vty
, const char *name_str
,
1222 const char *type_str
, afi_t afi
,
1223 const char *prefix_str
, int exact
, int set
)
1226 enum filter_type type
;
1227 struct filter
*mfilter
;
1228 struct filter_zebra
*filter
;
1229 struct access_list
*access
;
1232 if (strlen(name_str
) > ACL_NAMSIZ
) {
1234 "%% ACL name %s is invalid: length exceeds "
1236 name_str
, ACL_NAMSIZ
);
1237 return CMD_WARNING_CONFIG_FAILED
;
1240 /* Check of filter type. */
1241 if (strncmp(type_str
, "p", 1) == 0)
1242 type
= FILTER_PERMIT
;
1243 else if (strncmp(type_str
, "d", 1) == 0)
1246 vty_out(vty
, "filter type must be [permit|deny]\n");
1247 return CMD_WARNING_CONFIG_FAILED
;
1250 /* Check string format of prefix and prefixlen. */
1251 if (afi
== AFI_IP
) {
1252 ret
= str2prefix_ipv4(prefix_str
, (struct prefix_ipv4
*)&p
);
1255 "IP address prefix/prefixlen is malformed\n");
1256 return CMD_WARNING_CONFIG_FAILED
;
1258 } else if (afi
== AFI_IP6
) {
1259 ret
= str2prefix_ipv6(prefix_str
, (struct prefix_ipv6
*)&p
);
1262 "IPv6 address prefix/prefixlen is malformed\n");
1263 return CMD_WARNING_CONFIG_FAILED
;
1265 } else if (afi
== AFI_L2VPN
) {
1266 ret
= str2prefix_eth(prefix_str
, (struct prefix_eth
*)&p
);
1268 vty_out(vty
, "MAC address is malformed\n");
1272 return CMD_WARNING_CONFIG_FAILED
;
1274 mfilter
= filter_new();
1275 mfilter
->type
= type
;
1276 filter
= &mfilter
->u
.zfilter
;
1277 prefix_copy(&filter
->prefix
, &p
);
1283 /* Install new filter to the access_list. */
1284 access
= access_list_get(afi
, name_str
);
1287 if (filter_lookup_zebra(access
, mfilter
))
1288 filter_free(mfilter
);
1290 access_list_filter_add(access
, mfilter
);
1292 struct filter
*delete_filter
;
1293 delete_filter
= filter_lookup_zebra(access
, mfilter
);
1295 access_list_filter_delete(access
, delete_filter
);
1297 filter_free(mfilter
);
1303 DEFUN (mac_access_list
,
1304 mac_access_list_cmd
,
1305 "mac access-list WORD <deny|permit> X:X:X:X:X:X",
1306 "Add a mac access-list\n"
1307 "Add an access list entry\n"
1308 "MAC zebra access-list name\n"
1309 "Specify packets to reject\n"
1310 "Specify packets to forward\n"
1311 "MAC address to match. e.g. 00:01:00:01:00:01\n")
1313 return filter_set_zebra(vty
, argv
[2]->arg
, argv
[3]->arg
, AFI_L2VPN
,
1314 argv
[4]->arg
, 0, 1);
1317 DEFUN (no_mac_access_list
,
1318 no_mac_access_list_cmd
,
1319 "no mac access-list WORD <deny|permit> X:X:X:X:X:X",
1321 "Remove a mac access-list\n"
1322 "Remove an access list entry\n"
1323 "MAC zebra access-list name\n"
1324 "Specify packets to reject\n"
1325 "Specify packets to forward\n"
1326 "MAC address to match. e.g. 00:01:00:01:00:01\n")
1328 return filter_set_zebra(vty
, argv
[3]->arg
, argv
[4]->arg
, AFI_L2VPN
,
1329 argv
[5]->arg
, 0, 0);
1332 DEFUN (mac_access_list_any
,
1333 mac_access_list_any_cmd
,
1334 "mac access-list WORD <deny|permit> any",
1335 "Add a mac access-list\n"
1336 "Add an access list entry\n"
1337 "MAC zebra access-list name\n"
1338 "Specify packets to reject\n"
1339 "Specify packets to forward\n"
1340 "MAC address to match. e.g. 00:01:00:01:00:01\n")
1342 return filter_set_zebra(vty
, argv
[2]->arg
, argv
[3]->arg
, AFI_L2VPN
,
1343 "00:00:00:00:00:00", 0, 1);
1346 DEFUN (no_mac_access_list_any
,
1347 no_mac_access_list_any_cmd
,
1348 "no mac access-list WORD <deny|permit> any",
1350 "Remove a mac access-list\n"
1351 "Remove an access list entry\n"
1352 "MAC zebra access-list name\n"
1353 "Specify packets to reject\n"
1354 "Specify packets to forward\n"
1355 "MAC address to match. e.g. 00:01:00:01:00:01\n")
1357 return filter_set_zebra(vty
, argv
[3]->arg
, argv
[4]->arg
, AFI_L2VPN
,
1358 "00:00:00:00:00:00", 0, 0);
1361 DEFUN (access_list_exact
,
1362 access_list_exact_cmd
,
1363 "access-list WORD <deny|permit> A.B.C.D/M [exact-match]",
1364 "Add an access list entry\n"
1365 "IP zebra access-list name\n"
1366 "Specify packets to reject\n"
1367 "Specify packets to forward\n"
1368 "Prefix to match. e.g. 10.0.0.0/8\n"
1369 "Exact match of the prefixes\n")
1374 int idx_permit_deny
= 2;
1375 int idx_ipv4_prefixlen
= 3;
1376 idx
= idx_ipv4_prefixlen
;
1378 if (argv_find(argv
, argc
, "exact-match", &idx
))
1381 return filter_set_zebra(vty
, argv
[idx_word
]->arg
,
1382 argv
[idx_permit_deny
]->arg
, AFI_IP
,
1383 argv
[idx_ipv4_prefixlen
]->arg
, exact
, 1);
1386 DEFUN (access_list_any
,
1387 access_list_any_cmd
,
1388 "access-list WORD <deny|permit> any",
1389 "Add an access list entry\n"
1390 "IP zebra access-list name\n"
1391 "Specify packets to reject\n"
1392 "Specify packets to forward\n"
1393 "Prefix to match. e.g. 10.0.0.0/8\n")
1396 int idx_permit_deny
= 2;
1397 return filter_set_zebra(vty
, argv
[idx_word
]->arg
,
1398 argv
[idx_permit_deny
]->arg
, AFI_IP
, "0.0.0.0/0",
1402 DEFUN (no_access_list_exact
,
1403 no_access_list_exact_cmd
,
1404 "no access-list WORD <deny|permit> A.B.C.D/M [exact-match]",
1406 "Add an access list entry\n"
1407 "IP zebra access-list name\n"
1408 "Specify packets to reject\n"
1409 "Specify packets to forward\n"
1410 "Prefix to match. e.g. 10.0.0.0/8\n"
1411 "Exact match of the prefixes\n")
1416 int idx_permit_deny
= 3;
1417 int idx_ipv4_prefixlen
= 4;
1418 idx
= idx_ipv4_prefixlen
;
1420 if (argv_find(argv
, argc
, "exact-match", &idx
))
1423 return filter_set_zebra(vty
, argv
[idx_word
]->arg
,
1424 argv
[idx_permit_deny
]->arg
, AFI_IP
,
1425 argv
[idx_ipv4_prefixlen
]->arg
, exact
, 0);
1428 DEFUN (no_access_list_any
,
1429 no_access_list_any_cmd
,
1430 "no access-list WORD <deny|permit> any",
1432 "Add an access list entry\n"
1433 "IP zebra access-list name\n"
1434 "Specify packets to reject\n"
1435 "Specify packets to forward\n"
1436 "Prefix to match. e.g. 10.0.0.0/8\n")
1439 int idx_permit_deny
= 3;
1440 return filter_set_zebra(vty
, argv
[idx_word
]->arg
,
1441 argv
[idx_permit_deny
]->arg
, AFI_IP
, "0.0.0.0/0",
1445 DEFUN (no_access_list_all
,
1446 no_access_list_all_cmd
,
1447 "no access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD>",
1449 "Add an access list entry\n"
1450 "IP standard access list\n"
1451 "IP extended access list\n"
1452 "IP standard access list (expanded range)\n"
1453 "IP extended access list (expanded range)\n"
1454 "IP zebra access-list name\n")
1457 struct access_list
*access
;
1458 struct access_master
*master
;
1460 /* Looking up access_list. */
1461 access
= access_list_lookup(AFI_IP
, argv
[idx_acl
]->arg
);
1462 if (access
== NULL
) {
1463 vty_out(vty
, "%% access-list %s doesn't exist\n",
1464 argv
[idx_acl
]->arg
);
1465 return CMD_WARNING_CONFIG_FAILED
;
1468 master
= access
->master
;
1470 route_map_notify_dependencies(access
->name
, RMAP_EVENT_FILTER_DELETED
);
1471 /* Run hook function. */
1472 if (master
->delete_hook
)
1473 (*master
->delete_hook
)(access
);
1475 /* Delete all filter from access-list. */
1476 access_list_delete(access
);
1481 DEFUN (access_list_remark
,
1482 access_list_remark_cmd
,
1483 "access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD> remark LINE...",
1484 "Add an access list entry\n"
1485 "IP standard access list\n"
1486 "IP extended access list\n"
1487 "IP standard access list (expanded range)\n"
1488 "IP extended access list (expanded range)\n"
1489 "IP zebra access-list\n"
1490 "Access list entry comment\n"
1491 "Comment up to 100 characters\n")
1495 struct access_list
*access
;
1497 access
= access_list_get(AFI_IP
, argv
[idx_acl
]->arg
);
1499 if (access
->remark
) {
1500 XFREE(MTYPE_TMP
, access
->remark
);
1501 access
->remark
= NULL
;
1503 access
->remark
= argv_concat(argv
, argc
, idx_remark
);
1508 DEFUN (no_access_list_remark
,
1509 no_access_list_remark_cmd
,
1510 "no access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD> remark",
1512 "Add an access list entry\n"
1513 "IP standard access list\n"
1514 "IP extended access list\n"
1515 "IP standard access list (expanded range)\n"
1516 "IP extended access list (expanded range)\n"
1517 "IP zebra access-list\n"
1518 "Access list entry comment\n")
1521 return vty_access_list_remark_unset(vty
, AFI_IP
, argv
[idx_acl
]->arg
);
1525 DEFUN (no_access_list_remark_comment
,
1526 no_access_list_remark_comment_cmd
,
1527 "no access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD> remark LINE...",
1529 "Add an access list entry\n"
1530 "IP standard access list\n"
1531 "IP extended access list\n"
1532 "IP standard access list (expanded range)\n"
1533 "IP extended access list (expanded range)\n"
1534 "IP zebra access-list\n"
1535 "Access list entry comment\n"
1536 "Comment up to 100 characters\n")
1538 return no_access_list_remark(self
, vty
, argc
, argv
);
1541 DEFUN (ipv6_access_list_exact
,
1542 ipv6_access_list_exact_cmd
,
1543 "ipv6 access-list WORD <deny|permit> X:X::X:X/M [exact-match]",
1545 "Add an access list entry\n"
1546 "IPv6 zebra access-list\n"
1547 "Specify packets to reject\n"
1548 "Specify packets to forward\n"
1550 "Exact match of the prefixes\n")
1559 if (argv_find(argv
, argc
, "exact-match", &idx
))
1562 return filter_set_zebra(vty
, argv
[idx_word
]->arg
, argv
[idx_allow
]->text
,
1563 AFI_IP6
, argv
[idx_addr
]->arg
, exact
, 1);
1566 DEFUN (ipv6_access_list_any
,
1567 ipv6_access_list_any_cmd
,
1568 "ipv6 access-list WORD <deny|permit> any",
1570 "Add an access list entry\n"
1571 "IPv6 zebra access-list\n"
1572 "Specify packets to reject\n"
1573 "Specify packets to forward\n"
1574 "Any prefixi to match\n")
1577 int idx_permit_deny
= 3;
1578 return filter_set_zebra(vty
, argv
[idx_word
]->arg
,
1579 argv
[idx_permit_deny
]->arg
, AFI_IP6
, "::/0", 0,
1583 DEFUN (no_ipv6_access_list_exact
,
1584 no_ipv6_access_list_exact_cmd
,
1585 "no ipv6 access-list WORD <deny|permit> X:X::X:X/M [exact-match]",
1588 "Add an access list entry\n"
1589 "IPv6 zebra access-list\n"
1590 "Specify packets to reject\n"
1591 "Specify packets to forward\n"
1592 "Prefix to match. e.g. 3ffe:506::/32\n"
1593 "Exact match of the prefixes\n")
1598 int idx_permit_deny
= 4;
1599 int idx_ipv6_prefixlen
= 5;
1600 idx
= idx_ipv6_prefixlen
;
1602 if (argv_find(argv
, argc
, "exact-match", &idx
))
1605 return filter_set_zebra(vty
, argv
[idx_word
]->arg
,
1606 argv
[idx_permit_deny
]->arg
, AFI_IP6
,
1607 argv
[idx_ipv6_prefixlen
]->arg
, exact
, 0);
1610 DEFUN (no_ipv6_access_list_any
,
1611 no_ipv6_access_list_any_cmd
,
1612 "no ipv6 access-list WORD <deny|permit> any",
1615 "Add an access list entry\n"
1616 "IPv6 zebra access-list\n"
1617 "Specify packets to reject\n"
1618 "Specify packets to forward\n"
1619 "Any prefixi to match\n")
1622 int idx_permit_deny
= 4;
1623 return filter_set_zebra(vty
, argv
[idx_word
]->arg
,
1624 argv
[idx_permit_deny
]->arg
, AFI_IP6
, "::/0", 0,
1629 DEFUN (no_ipv6_access_list_all
,
1630 no_ipv6_access_list_all_cmd
,
1631 "no ipv6 access-list WORD",
1634 "Add an access list entry\n"
1635 "IPv6 zebra access-list\n")
1638 struct access_list
*access
;
1639 struct access_master
*master
;
1641 /* Looking up access_list. */
1642 access
= access_list_lookup(AFI_IP6
, argv
[idx_word
]->arg
);
1643 if (access
== NULL
) {
1644 vty_out(vty
, "%% access-list %s doesn't exist\n",
1645 argv
[idx_word
]->arg
);
1646 return CMD_WARNING_CONFIG_FAILED
;
1649 master
= access
->master
;
1651 route_map_notify_dependencies(access
->name
, RMAP_EVENT_FILTER_DELETED
);
1652 /* Run hook function. */
1653 if (master
->delete_hook
)
1654 (*master
->delete_hook
)(access
);
1656 /* Delete all filter from access-list. */
1657 access_list_delete(access
);
1662 DEFUN (ipv6_access_list_remark
,
1663 ipv6_access_list_remark_cmd
,
1664 "ipv6 access-list WORD remark LINE...",
1666 "Add an access list entry\n"
1667 "IPv6 zebra access-list\n"
1668 "Access list entry comment\n"
1669 "Comment up to 100 characters\n")
1673 struct access_list
*access
;
1675 access
= access_list_get(AFI_IP6
, argv
[idx_word
]->arg
);
1677 if (access
->remark
) {
1678 XFREE(MTYPE_TMP
, access
->remark
);
1679 access
->remark
= NULL
;
1681 access
->remark
= argv_concat(argv
, argc
, idx_line
);
1686 DEFUN (no_ipv6_access_list_remark
,
1687 no_ipv6_access_list_remark_cmd
,
1688 "no ipv6 access-list WORD remark",
1691 "Add an access list entry\n"
1692 "IPv6 zebra access-list\n"
1693 "Access list entry comment\n")
1696 return vty_access_list_remark_unset(vty
, AFI_IP6
, argv
[idx_word
]->arg
);
1700 DEFUN (no_ipv6_access_list_remark_comment
,
1701 no_ipv6_access_list_remark_comment_cmd
,
1702 "no ipv6 access-list WORD remark LINE...",
1705 "Add an access list entry\n"
1706 "IPv6 zebra access-list\n"
1707 "Access list entry comment\n"
1708 "Comment up to 100 characters\n")
1710 return no_ipv6_access_list_remark(self
, vty
, argc
, argv
);
1713 void config_write_access_zebra(struct vty
*, struct filter
*);
1714 void config_write_access_cisco(struct vty
*, struct filter
*);
1716 /* show access-list command. */
1717 static int filter_show(struct vty
*vty
, const char *name
, afi_t afi
)
1719 struct access_list
*access
;
1720 struct access_master
*master
;
1721 struct filter
*mfilter
;
1722 struct filter_cisco
*filter
;
1725 master
= access_master_get(afi
);
1729 /* Print the name of the protocol */
1730 vty_out(vty
, "%s:\n", frr_protoname
);
1732 for (access
= master
->num
.head
; access
; access
= access
->next
) {
1733 if (name
&& strcmp(access
->name
, name
) != 0)
1738 for (mfilter
= access
->head
; mfilter
; mfilter
= mfilter
->next
) {
1739 filter
= &mfilter
->u
.cfilter
;
1742 vty_out(vty
, "%s %s access list %s\n",
1743 mfilter
->cisco
? (filter
->extended
1749 : ((afi
== AFI_IP6
) ? ("IPv6 ")
1755 vty_out(vty
, " %s%s", filter_type_str(mfilter
),
1756 mfilter
->type
== FILTER_DENY
? " " : "");
1758 if (!mfilter
->cisco
)
1759 config_write_access_zebra(vty
, mfilter
);
1760 else if (filter
->extended
)
1761 config_write_access_cisco(vty
, mfilter
);
1763 if (filter
->addr_mask
.s_addr
== 0xffffffff)
1764 vty_out(vty
, " any\n");
1767 inet_ntoa(filter
->addr
));
1768 if (filter
->addr_mask
.s_addr
!= 0)
1770 ", wildcard bits %s",
1772 filter
->addr_mask
));
1779 for (access
= master
->str
.head
; access
; access
= access
->next
) {
1780 if (name
&& strcmp(access
->name
, name
) != 0)
1785 for (mfilter
= access
->head
; mfilter
; mfilter
= mfilter
->next
) {
1786 filter
= &mfilter
->u
.cfilter
;
1789 vty_out(vty
, "%s %s access list %s\n",
1790 mfilter
->cisco
? (filter
->extended
1796 : ((afi
== AFI_IP6
) ? ("IPv6 ")
1802 vty_out(vty
, " %s%s", filter_type_str(mfilter
),
1803 mfilter
->type
== FILTER_DENY
? " " : "");
1805 if (!mfilter
->cisco
)
1806 config_write_access_zebra(vty
, mfilter
);
1807 else if (filter
->extended
)
1808 config_write_access_cisco(vty
, mfilter
);
1810 if (filter
->addr_mask
.s_addr
== 0xffffffff)
1811 vty_out(vty
, " any\n");
1814 inet_ntoa(filter
->addr
));
1815 if (filter
->addr_mask
.s_addr
!= 0)
1817 ", wildcard bits %s",
1819 filter
->addr_mask
));
1828 /* show MAC access list - this only has MAC filters for now*/
1829 DEFUN (show_mac_access_list
,
1830 show_mac_access_list_cmd
,
1831 "show mac access-list",
1833 "mac access lists\n"
1834 "List mac access lists\n")
1836 return filter_show(vty
, NULL
, AFI_L2VPN
);
1839 DEFUN (show_mac_access_list_name
,
1840 show_mac_access_list_name_cmd
,
1841 "show mac access-list WORD",
1843 "mac access lists\n"
1844 "List mac access lists\n"
1847 return filter_show(vty
, argv
[3]->arg
, AFI_L2VPN
);
1850 DEFUN (show_ip_access_list
,
1851 show_ip_access_list_cmd
,
1852 "show ip access-list",
1855 "List IP access lists\n")
1857 return filter_show(vty
, NULL
, AFI_IP
);
1860 DEFUN (show_ip_access_list_name
,
1861 show_ip_access_list_name_cmd
,
1862 "show ip access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD>",
1865 "List IP access lists\n"
1866 "IP standard access list\n"
1867 "IP extended access list\n"
1868 "IP standard access list (expanded range)\n"
1869 "IP extended access list (expanded range)\n"
1870 "IP zebra access-list\n")
1873 return filter_show(vty
, argv
[idx_acl
]->arg
, AFI_IP
);
1876 DEFUN (show_ipv6_access_list
,
1877 show_ipv6_access_list_cmd
,
1878 "show ipv6 access-list",
1881 "List IPv6 access lists\n")
1883 return filter_show(vty
, NULL
, AFI_IP6
);
1886 DEFUN (show_ipv6_access_list_name
,
1887 show_ipv6_access_list_name_cmd
,
1888 "show ipv6 access-list WORD",
1891 "List IPv6 access lists\n"
1892 "IPv6 zebra access-list\n")
1895 return filter_show(vty
, argv
[idx_word
]->arg
, AFI_IP6
);
1898 void config_write_access_cisco(struct vty
*vty
, struct filter
*mfilter
)
1900 struct filter_cisco
*filter
;
1902 filter
= &mfilter
->u
.cfilter
;
1904 if (filter
->extended
) {
1905 vty_out(vty
, " ip");
1906 if (filter
->addr_mask
.s_addr
== 0xffffffff)
1907 vty_out(vty
, " any");
1908 else if (filter
->addr_mask
.s_addr
== 0)
1909 vty_out(vty
, " host %s", inet_ntoa(filter
->addr
));
1911 vty_out(vty
, " %s", inet_ntoa(filter
->addr
));
1912 vty_out(vty
, " %s", inet_ntoa(filter
->addr_mask
));
1915 if (filter
->mask_mask
.s_addr
== 0xffffffff)
1916 vty_out(vty
, " any");
1917 else if (filter
->mask_mask
.s_addr
== 0)
1918 vty_out(vty
, " host %s", inet_ntoa(filter
->mask
));
1920 vty_out(vty
, " %s", inet_ntoa(filter
->mask
));
1921 vty_out(vty
, " %s", inet_ntoa(filter
->mask_mask
));
1925 if (filter
->addr_mask
.s_addr
== 0xffffffff)
1926 vty_out(vty
, " any\n");
1928 vty_out(vty
, " %s", inet_ntoa(filter
->addr
));
1929 if (filter
->addr_mask
.s_addr
!= 0)
1931 inet_ntoa(filter
->addr_mask
));
1937 void config_write_access_zebra(struct vty
*vty
, struct filter
*mfilter
)
1939 struct filter_zebra
*filter
;
1943 filter
= &mfilter
->u
.zfilter
;
1944 p
= &filter
->prefix
;
1946 if (p
->prefixlen
== 0 && !filter
->exact
)
1947 vty_out(vty
, " any");
1948 else if (p
->family
== AF_INET6
|| p
->family
== AF_INET
)
1949 vty_out(vty
, " %s/%d%s",
1950 inet_ntop(p
->family
, &p
->u
.prefix
, buf
, BUFSIZ
),
1951 p
->prefixlen
, filter
->exact
? " exact-match" : "");
1952 else if (p
->family
== AF_ETHERNET
) {
1953 if (p
->prefixlen
== 0)
1954 vty_out(vty
, " any");
1956 vty_out(vty
, " %s", prefix_mac2str(&(p
->u
.prefix_eth
),
1963 static int config_write_access(struct vty
*vty
, afi_t afi
)
1965 struct access_list
*access
;
1966 struct access_master
*master
;
1967 struct filter
*mfilter
;
1970 master
= access_master_get(afi
);
1974 for (access
= master
->num
.head
; access
; access
= access
->next
) {
1975 if (access
->remark
) {
1976 vty_out(vty
, "%saccess-list %s remark %s\n",
1977 (afi
== AFI_IP
) ? ("")
1978 : ((afi
== AFI_IP6
) ? ("ipv6 ")
1980 access
->name
, access
->remark
);
1984 for (mfilter
= access
->head
; mfilter
; mfilter
= mfilter
->next
) {
1985 vty_out(vty
, "%saccess-list %s %s",
1986 (afi
== AFI_IP
) ? ("")
1987 : ((afi
== AFI_IP6
) ? ("ipv6 ")
1989 access
->name
, filter_type_str(mfilter
));
1992 config_write_access_cisco(vty
, mfilter
);
1994 config_write_access_zebra(vty
, mfilter
);
2000 for (access
= master
->str
.head
; access
; access
= access
->next
) {
2001 if (access
->remark
) {
2002 vty_out(vty
, "%saccess-list %s remark %s\n",
2003 (afi
== AFI_IP
) ? ("")
2004 : ((afi
== AFI_IP6
) ? ("ipv6 ")
2006 access
->name
, access
->remark
);
2010 for (mfilter
= access
->head
; mfilter
; mfilter
= mfilter
->next
) {
2011 vty_out(vty
, "%saccess-list %s %s",
2012 (afi
== AFI_IP
) ? ("")
2013 : ((afi
== AFI_IP6
) ? ("ipv6 ")
2015 access
->name
, filter_type_str(mfilter
));
2018 config_write_access_cisco(vty
, mfilter
);
2020 config_write_access_zebra(vty
, mfilter
);
2028 static struct cmd_node access_mac_node
= {
2029 ACCESS_MAC_NODE
, "", /* Access list has no interface. */
2032 static int config_write_access_mac(struct vty
*vty
)
2034 return config_write_access(vty
, AFI_L2VPN
);
2037 static void access_list_reset_mac(void)
2039 struct access_list
*access
;
2040 struct access_list
*next
;
2041 struct access_master
*master
;
2043 master
= access_master_get(AFI_L2VPN
);
2047 for (access
= master
->num
.head
; access
; access
= next
) {
2048 next
= access
->next
;
2049 access_list_delete(access
);
2051 for (access
= master
->str
.head
; access
; access
= next
) {
2052 next
= access
->next
;
2053 access_list_delete(access
);
2056 assert(master
->num
.head
== NULL
);
2057 assert(master
->num
.tail
== NULL
);
2059 assert(master
->str
.head
== NULL
);
2060 assert(master
->str
.tail
== NULL
);
2063 /* Install vty related command. */
2064 static void access_list_init_mac(void)
2066 install_node(&access_mac_node
, config_write_access_mac
);
2068 install_element(ENABLE_NODE
, &show_mac_access_list_cmd
);
2069 install_element(ENABLE_NODE
, &show_mac_access_list_name_cmd
);
2071 /* Zebra access-list */
2072 install_element(CONFIG_NODE
, &mac_access_list_cmd
);
2073 install_element(CONFIG_NODE
, &no_mac_access_list_cmd
);
2074 install_element(CONFIG_NODE
, &mac_access_list_any_cmd
);
2075 install_element(CONFIG_NODE
, &no_mac_access_list_any_cmd
);
2078 /* Access-list node. */
2079 static struct cmd_node access_node
= {ACCESS_NODE
,
2080 "", /* Access list has no interface. */
2083 static int config_write_access_ipv4(struct vty
*vty
)
2085 return config_write_access(vty
, AFI_IP
);
2088 static void access_list_reset_ipv4(void)
2090 struct access_list
*access
;
2091 struct access_list
*next
;
2092 struct access_master
*master
;
2094 master
= access_master_get(AFI_IP
);
2098 for (access
= master
->num
.head
; access
; access
= next
) {
2099 next
= access
->next
;
2100 access_list_delete(access
);
2102 for (access
= master
->str
.head
; access
; access
= next
) {
2103 next
= access
->next
;
2104 access_list_delete(access
);
2107 assert(master
->num
.head
== NULL
);
2108 assert(master
->num
.tail
== NULL
);
2110 assert(master
->str
.head
== NULL
);
2111 assert(master
->str
.tail
== NULL
);
2114 /* Install vty related command. */
2115 static void access_list_init_ipv4(void)
2117 install_node(&access_node
, config_write_access_ipv4
);
2119 install_element(ENABLE_NODE
, &show_ip_access_list_cmd
);
2120 install_element(ENABLE_NODE
, &show_ip_access_list_name_cmd
);
2122 /* Zebra access-list */
2123 install_element(CONFIG_NODE
, &access_list_exact_cmd
);
2124 install_element(CONFIG_NODE
, &access_list_any_cmd
);
2125 install_element(CONFIG_NODE
, &no_access_list_exact_cmd
);
2126 install_element(CONFIG_NODE
, &no_access_list_any_cmd
);
2128 /* Standard access-list */
2129 install_element(CONFIG_NODE
, &access_list_standard_cmd
);
2130 install_element(CONFIG_NODE
, &access_list_standard_nomask_cmd
);
2131 install_element(CONFIG_NODE
, &access_list_standard_host_cmd
);
2132 install_element(CONFIG_NODE
, &access_list_standard_any_cmd
);
2133 install_element(CONFIG_NODE
, &no_access_list_standard_cmd
);
2134 install_element(CONFIG_NODE
, &no_access_list_standard_nomask_cmd
);
2135 install_element(CONFIG_NODE
, &no_access_list_standard_host_cmd
);
2136 install_element(CONFIG_NODE
, &no_access_list_standard_any_cmd
);
2138 /* Extended access-list */
2139 install_element(CONFIG_NODE
, &access_list_extended_cmd
);
2140 install_element(CONFIG_NODE
, &access_list_extended_any_mask_cmd
);
2141 install_element(CONFIG_NODE
, &access_list_extended_mask_any_cmd
);
2142 install_element(CONFIG_NODE
, &access_list_extended_any_any_cmd
);
2143 install_element(CONFIG_NODE
, &access_list_extended_host_mask_cmd
);
2144 install_element(CONFIG_NODE
, &access_list_extended_mask_host_cmd
);
2145 install_element(CONFIG_NODE
, &access_list_extended_host_host_cmd
);
2146 install_element(CONFIG_NODE
, &access_list_extended_any_host_cmd
);
2147 install_element(CONFIG_NODE
, &access_list_extended_host_any_cmd
);
2148 install_element(CONFIG_NODE
, &no_access_list_extended_cmd
);
2149 install_element(CONFIG_NODE
, &no_access_list_extended_any_mask_cmd
);
2150 install_element(CONFIG_NODE
, &no_access_list_extended_mask_any_cmd
);
2151 install_element(CONFIG_NODE
, &no_access_list_extended_any_any_cmd
);
2152 install_element(CONFIG_NODE
, &no_access_list_extended_host_mask_cmd
);
2153 install_element(CONFIG_NODE
, &no_access_list_extended_mask_host_cmd
);
2154 install_element(CONFIG_NODE
, &no_access_list_extended_host_host_cmd
);
2155 install_element(CONFIG_NODE
, &no_access_list_extended_any_host_cmd
);
2156 install_element(CONFIG_NODE
, &no_access_list_extended_host_any_cmd
);
2158 install_element(CONFIG_NODE
, &access_list_remark_cmd
);
2159 install_element(CONFIG_NODE
, &no_access_list_all_cmd
);
2160 install_element(CONFIG_NODE
, &no_access_list_remark_cmd
);
2161 install_element(CONFIG_NODE
, &no_access_list_remark_comment_cmd
);
2164 static struct cmd_node access_ipv6_node
= {ACCESS_IPV6_NODE
, "", 1};
2166 static int config_write_access_ipv6(struct vty
*vty
)
2168 return config_write_access(vty
, AFI_IP6
);
2171 static void access_list_reset_ipv6(void)
2173 struct access_list
*access
;
2174 struct access_list
*next
;
2175 struct access_master
*master
;
2177 master
= access_master_get(AFI_IP6
);
2181 for (access
= master
->num
.head
; access
; access
= next
) {
2182 next
= access
->next
;
2183 access_list_delete(access
);
2185 for (access
= master
->str
.head
; access
; access
= next
) {
2186 next
= access
->next
;
2187 access_list_delete(access
);
2190 assert(master
->num
.head
== NULL
);
2191 assert(master
->num
.tail
== NULL
);
2193 assert(master
->str
.head
== NULL
);
2194 assert(master
->str
.tail
== NULL
);
2197 static void access_list_init_ipv6(void)
2199 install_node(&access_ipv6_node
, config_write_access_ipv6
);
2201 install_element(ENABLE_NODE
, &show_ipv6_access_list_cmd
);
2202 install_element(ENABLE_NODE
, &show_ipv6_access_list_name_cmd
);
2204 install_element(CONFIG_NODE
, &ipv6_access_list_exact_cmd
);
2205 install_element(CONFIG_NODE
, &ipv6_access_list_any_cmd
);
2206 install_element(CONFIG_NODE
, &no_ipv6_access_list_exact_cmd
);
2207 install_element(CONFIG_NODE
, &no_ipv6_access_list_any_cmd
);
2209 install_element(CONFIG_NODE
, &no_ipv6_access_list_all_cmd
);
2210 install_element(CONFIG_NODE
, &ipv6_access_list_remark_cmd
);
2211 install_element(CONFIG_NODE
, &no_ipv6_access_list_remark_cmd
);
2212 install_element(CONFIG_NODE
, &no_ipv6_access_list_remark_comment_cmd
);
2215 void access_list_init()
2217 access_list_init_ipv4();
2218 access_list_init_ipv6();
2219 access_list_init_mac();
2222 void access_list_reset()
2224 access_list_reset_ipv4();
2225 access_list_reset_ipv6();
2226 access_list_reset_mac();