/* Route filtering function.
 * Copyright (C) 1998, 1999 Kunihiro Ishiguro
 *
 * This file is part of GNU Zebra.
 *
 * GNU Zebra is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published
 * by the Free Software Foundation; either version 2, or (at your
 * option) any later version.
 *
 * GNU Zebra is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; see the file COPYING; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 */
#include <errno.h>
#include "sockunion.h"
/* Memory-type tags for the allocations made below with XCALLOC()/XSTRDUP()/
 * XFREE(): access_list structures, their name strings, and filter entries. */
DEFINE_MTYPE_STATIC(LIB, ACCESS_LIST, "Access List")
DEFINE_MTYPE_STATIC(LIB, ACCESS_LIST_STR, "Access List Str")
DEFINE_MTYPE_STATIC(LIB, ACCESS_FILTER, "Access Filter")
38 /* Cisco access-list */
41 struct in_addr addr_mask
;
43 struct in_addr mask_mask
;
47 /* If this filter is "exact" match then this flag is set. */
50 /* Prefix information. */
54 /* Filter element of access list */
56 /* For doubly linked list. */
60 /* Filter type information. */
61 enum filter_type type
;
63 /* Cisco access-list */
67 struct filter_cisco cfilter
;
68 struct filter_zebra zfilter
;
72 /* List of access_list. */
73 struct access_list_list
{
74 struct access_list
*head
;
75 struct access_list
*tail
;
/* Per-address-family registry of access lists.  Numbered and named lists
 * are kept apart because each is sorted by a different key. */
struct access_master {
	/* access_lists whose name is all digits, ordered numerically */
	struct access_list_list num;

	/* access_lists with a textual name, ordered by strcmp() */
	struct access_list_list str;

	/* Run after a filter has been added to a list of this family; may be NULL. */
	void (*add_hook)(struct access_list *);

	/* Run after a filter has been deleted from a list of this family; may be NULL. */
	void (*delete_hook)(struct access_list *);
};
/* Per-family registries.  They start out empty; the hooks are installed at
 * run time through access_list_add_hook()/access_list_delete_hook(). */
static struct access_master access_master_mac = {
	.num = {NULL, NULL},
	.str = {NULL, NULL},
	.add_hook = NULL,
	.delete_hook = NULL,
};

static struct access_master access_master_ipv4 = {
	.num = {NULL, NULL},
	.str = {NULL, NULL},
	.add_hook = NULL,
	.delete_hook = NULL,
};

static struct access_master access_master_ipv6 = {
	.num = {NULL, NULL},
	.str = {NULL, NULL},
	.add_hook = NULL,
	.delete_hook = NULL,
};
/* Map an address family to its registry.  Returns NULL for families that
 * have no access-list support; callers are expected to check for that. */
static struct access_master *access_master_get(afi_t afi)
{
	switch (afi) {
	case AFI_IP:
		return &access_master_ipv4;
	case AFI_IP6:
		return &access_master_ipv6;
	case AFI_L2VPN:
		return &access_master_mac;
	default:
		return NULL;
	}
}
/* Allocate a zero-filled filter entry; release it with filter_free(). */
static struct filter *filter_new(void)
{
	struct filter *entry = XCALLOC(MTYPE_ACCESS_FILTER, sizeof(*entry));

	return entry;
}
/* Release an entry obtained from filter_new().  This does not unlink it
 * from any access_list; see access_list_filter_delete() for that. */
static void filter_free(struct filter *filter)
{
	XFREE(MTYPE_ACCESS_FILTER, filter);
}
139 /* Return string of filter_type. */
140 static const char *filter_type_str(struct filter
*filter
)
142 switch (filter
->type
) {
/*
 * Return 1 when the Cisco-style entry in @mfilter matches IPv4 prefix @p,
 * 0 otherwise.
 *
 * addr_mask/mask_mask use wildcard semantics: a set bit means "don't care",
 * so the prefix is masked with the complement before comparison.  Extended
 * entries additionally compare the prefix length (as a netmask) against
 * the entry's mask/mask_mask pair.
 */
static int filter_match_cisco(struct filter *mfilter, const struct prefix *p)
{
	const struct filter_cisco *filter = &mfilter->u.cfilter;
	in_addr_t check_addr = p->u.prefix4.s_addr & ~filter->addr_mask.s_addr;

	if (!filter->extended)
		return memcmp(&check_addr, &filter->addr.s_addr, 4) == 0;

	struct in_addr mask;
	masklen2ip(p->prefixlen, &mask);
	in_addr_t check_mask = mask.s_addr & ~filter->mask_mask.s_addr;

	return memcmp(&check_addr, &filter->addr.s_addr, 4) == 0
	       && memcmp(&check_mask, &filter->mask.s_addr, 4) == 0;
}
/*
 * Return 1 when the zebra-style entry in @mfilter matches prefix @p,
 * 0 otherwise.  Families must agree; an "exact" entry also requires the
 * same prefix length, otherwise containment (prefix_match) is enough.
 */
static int filter_match_zebra(struct filter *mfilter, const struct prefix *p)
{
	const struct filter_zebra *filter = &mfilter->u.zfilter;

	if (filter->prefix.family != p->family)
		return 0;

	/* exact-match entries must agree on length, not just on containment */
	if (filter->exact && filter->prefix.prefixlen != p->prefixlen)
		return 0;

	return prefix_match(&filter->prefix, p);
}
/* Allocate a zero-filled access_list; release it with access_list_free(). */
static struct access_list *access_list_new(void)
{
	struct access_list *list = XCALLOC(MTYPE_ACCESS_LIST, sizeof(*list));

	return list;
}
/* Release the access_list structure itself (not its name, remark or
 * filters; access_list_delete() takes care of those). */
static void access_list_free(struct access_list *access)
{
	XFREE(MTYPE_ACCESS_LIST, access);
}
/*
 * Remove @access from its master's list and free it together with every
 * filter, the name and the remark.  @access is invalid afterwards.
 */
static void access_list_delete(struct access_list *access)
{
	struct access_master *master = access->master;
	struct access_list_list *list = (access->type == ACCESS_TYPE_NUMBER)
						? &master->num
						: &master->str;
	struct filter *filter = access->head;

	/* free every entry; read ->next before the node goes away */
	while (filter) {
		struct filter *next = filter->next;

		filter_free(filter);
		filter = next;
	}

	/* unlink from the doubly linked list, fixing head/tail at the ends */
	if (access->next)
		access->next->prev = access->prev;
	else
		list->tail = access->prev;

	if (access->prev)
		access->prev->next = access->next;
	else
		list->head = access->next;

	XFREE(MTYPE_ACCESS_LIST_STR, access->name);
	if (access->remark)
		XFREE(MTYPE_TMP, access->remark);

	access_list_free(access);
}
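/*
 * Decide whether access-list name @name is numeric.
 *
 * Returns 1 and stores the value in *@number when every character of @name
 * is a decimal digit (the empty string counts as 0, as before) and the
 * value fits in a long.  Returns 0 when a non-digit is present or the value
 * would overflow; such names are filed in the string list, so the sort key
 * used on the number list never comes from a wrapped-around computation.
 */
static int access_list_name_number(const char *name, long *number)
{
	const char *s;
	char *end;
	long value;

	/* isdigit() on a negative plain char is undefined: go via unsigned char */
	for (s = name; *s; s++)
		if (!isdigit((unsigned char)*s))
			return 0;

	if (*name == '\0') {
		*number = 0;
		return 1;
	}

	errno = 0;
	value = strtol(name, &end, 10);
	if (errno == ERANGE || *end != '\0')
		return 0;

	*number = value;
	return 1;
}

/*
 * Create access list @name for family @afi and link it into the master's
 * number list (all-digit names, ascending numeric order) or string list
 * (strcmp() order).  Returns the new list, or NULL when @afi has no master.
 */
static struct access_list *access_list_insert(afi_t afi, const char *name)
{
	struct access_list *access;
	struct access_list *point;
	struct access_list_list *alist;
	struct access_master *master;
	long number = 0;

	master = access_master_get(afi);
	if (master == NULL)
		return NULL;

	access = access_list_new();
	access->name = XSTRDUP(MTYPE_ACCESS_LIST_STR, name);
	access->master = master;

	if (access_list_name_number(name, &number)) {
		access->type = ACCESS_TYPE_NUMBER;
		alist = &master->num;

		/* first entry whose number is not smaller than ours */
		for (point = alist->head; point; point = point->next)
			if (atol(point->name) >= number)
				break;
	} else {
		access->type = ACCESS_TYPE_STRING;
		alist = &master->str;

		/* first entry whose name does not sort before ours */
		for (point = alist->head; point; point = point->next)
			if (strcmp(point->name, name) >= 0)
				break;
	}

	/* empty list: the new entry is both head and tail */
	if (alist->head == NULL) {
		alist->head = alist->tail = access;
		return access;
	}

	/* nothing sorts after the new entry: append */
	if (point == NULL) {
		access->prev = alist->tail;
		alist->tail->next = access;
		alist->tail = access;
		return access;
	}

	/* insertion in front of the current head */
	if (point == alist->head) {
		access->next = alist->head;
		alist->head->prev = access;
		alist->head = access;
		return access;
	}

	/* insertion in the middle, immediately before @point */
	access->next = point;
	access->prev = point->prev;
	if (point->prev)
		point->prev->next = access;
	point->prev = access;

	return access;
}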
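/* Linear search of one list for an exact name match; NULL when absent. */
static struct access_list *access_list_list_find(const struct access_list_list *list,
						 const char *name)
{
	struct access_list *access;

	for (access = list->head; access; access = access->next)
		if (strcmp(access->name, name) == 0)
			return access;

	return NULL;
}

/*
 * Find the access list called @name in family @afi.
 *
 * Both the number list and the string list are searched, so a purely
 * numeric name is found no matter how it was filed.  Returns NULL when
 * @name is NULL, when @afi has no master, or when no such list exists.
 */
struct access_list *access_list_lookup(afi_t afi, const char *name)
{
	struct access_master *master;
	struct access_list *access;

	if (name == NULL)
		return NULL;

	master = access_master_get(afi);
	if (master == NULL)
		return NULL;

	access = access_list_list_find(&master->num, name);
	if (access == NULL)
		access = access_list_list_find(&master->str, name);

	return access;
}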
/* Return the access list called @name for @afi, creating an empty one when
 * it does not exist yet.  NULL only when neither lookup nor insertion
 * yields a list. */
static struct access_list *access_list_get(afi_t afi, const char *name)
{
	struct access_list *found = access_list_lookup(afi, name);

	return found ? found : access_list_insert(afi, name);
}
/*
 * Evaluate @object (which must point to a struct prefix) against @access.
 *
 * Entries are tried in list order and the first one that matches decides:
 * its type (permit/deny) is returned.  When @access is NULL or no entry
 * matches the result is FILTER_DENY, so a missing or empty list fails
 * closed rather than letting the prefix through.
 */
enum filter_type access_list_apply(struct access_list *access,
				   const void *object)
{
	const struct prefix *p = object;
	struct filter *filter;

	if (access == NULL)
		return FILTER_DENY;

	for (filter = access->head; filter; filter = filter->next) {
		int matched = filter->cisco ? filter_match_cisco(filter, p)
					    : filter_match_zebra(filter, p);

		if (matched)
			return filter->type;
	}

	return FILTER_DENY;
}
/* Register @func to run after a filter is added to any access list, for
 * every address family at once. */
void access_list_add_hook(void (*func)(struct access_list *access))
{
	struct access_master *masters[] = {
		&access_master_ipv4, &access_master_ipv6, &access_master_mac,
	};
	size_t i;

	for (i = 0; i < sizeof(masters) / sizeof(masters[0]); i++)
		masters[i]->add_hook = func;
}
/* Register @func to run after a filter is deleted from any access list,
 * for every address family at once. */
void access_list_delete_hook(void (*func)(struct access_list *access))
{
	struct access_master *masters[] = {
		&access_master_ipv4, &access_master_ipv6, &access_master_mac,
	};
	size_t i;

	for (i = 0; i < sizeof(masters) / sizeof(masters[0]); i++)
		masters[i]->delete_hook = func;
}
/*
 * Append @filter to @access.  Entries are evaluated in insertion order by
 * access_list_apply(), so order matters.  Afterwards the family's add
 * hook (if any) and dependent route-maps are notified.
 */
static void access_list_filter_add(struct access_list *access,
				   struct filter *filter)
{
	struct filter *last = access->tail;

	filter->next = NULL;
	filter->prev = last;
	if (last == NULL)
		access->head = filter;
	else
		last->next = filter;
	access->tail = filter;

	if (access->master->add_hook)
		(*access->master->add_hook)(access);
	route_map_notify_dependencies(access->name, RMAP_EVENT_FILTER_ADDED);
}
/* 1 when @access holds no filter entries, 0 otherwise. */
static int access_list_empty(struct access_list *access)
{
	return (access->head == NULL && access->tail == NULL) ? 1 : 0;
}
/*
 * Unlink @filter from @access and free it, notify dependent route-maps and
 * the family's delete hook, then discard @access itself if it has become
 * empty.  Callers must not touch @access afterwards: it may have been freed.
 */
static void access_list_filter_delete(struct access_list *access,
				      struct filter *filter)
{
	struct access_master *master = access->master;
	struct filter *prev = filter->prev;
	struct filter *next = filter->next;

	if (next == NULL)
		access->tail = prev;
	else
		next->prev = prev;

	if (prev == NULL)
		access->head = next;
	else
		prev->next = next;

	filter_free(filter);

	route_map_notify_dependencies(access->name, RMAP_EVENT_FILTER_DELETED);
	if (master->delete_hook)
		(*master->delete_hook)(access);

	/* listeners have seen the list; an empty one is dropped last */
	if (access_list_empty(access))
		access_list_delete(access);
}
/*
  deny                 Specify packets to reject
  permit               Specify packets to forward

  Hostname or A.B.C.D  Address to match
  host                 A single host address
*/
/*
 * Find an entry of @access equal to the Cisco-style entry @mnew: same
 * type, same addr/addr_mask and, when the stored entry is extended, same
 * mask/mask_mask.  Returns the stored entry or NULL.
 *
 * Only the stored entry's `extended` flag is consulted; @mnew's own flag is
 * not part of the comparison.
 */
static struct filter *filter_lookup_cisco(struct access_list *access,
					  struct filter *mnew)
{
	const struct filter_cisco *new = &mnew->u.cfilter;
	struct filter *mfilter;

	for (mfilter = access->head; mfilter; mfilter = mfilter->next) {
		const struct filter_cisco *filter = &mfilter->u.cfilter;

		if (mfilter->type != mnew->type)
			continue;
		if (filter->addr.s_addr != new->addr.s_addr
		    || filter->addr_mask.s_addr != new->addr_mask.s_addr)
			continue;
		/* extended entries additionally carry a destination pair */
		if (filter->extended
		    && (filter->mask.s_addr != new->mask.s_addr
			|| filter->mask_mask.s_addr != new->mask_mask.s_addr))
			continue;

		return mfilter;
	}

	return NULL;
}
/*
 * Find an entry of @access equal to the zebra-style entry @mnew: same
 * type, same exact flag and the same prefix (prefix_same).  Returns the
 * stored entry or NULL.
 */
static struct filter *filter_lookup_zebra(struct access_list *access,
					  struct filter *mnew)
{
	const struct filter_zebra *new = &mnew->u.zfilter;
	struct filter *mfilter;

	for (mfilter = access->head; mfilter; mfilter = mfilter->next) {
		const struct filter_zebra *filter = &mfilter->u.zfilter;

		if (mfilter->type != mnew->type || filter->exact != new->exact)
			continue;
		if (prefix_same(&filter->prefix, &new->prefix))
			return mfilter;
	}

	return NULL;
}
/*
 * Remove the remark from access list @name of family @afi.  A list that
 * then has neither remark nor filters is deleted outright.  Reports a
 * missing list on @vty and returns CMD_WARNING_CONFIG_FAILED in that case.
 */
static int vty_access_list_remark_unset(struct vty *vty, afi_t afi,
					const char *name)
{
	struct access_list *access = access_list_lookup(afi, name);

	if (access == NULL) {
		vty_out(vty, "%% access-list %s doesn't exist\n", name);
		return CMD_WARNING_CONFIG_FAILED;
	}

	if (access->remark != NULL) {
		XFREE(MTYPE_TMP, access->remark);
		access->remark = NULL;
	}

	/* nothing left to keep: drop the list as well */
	if (access_list_empty(access))
		access_list_delete(access);

	return CMD_SUCCESS;
}
/*
 * Parse one dotted-quad argument of a Cisco-style access-list command into
 * *@out.  On failure the user-visible diagnostic is written to @vty and 0
 * is returned; 1 on success.
 */
static int cisco_parse_ipv4(struct vty *vty, const char *str,
			    struct in_addr *out)
{
	if (inet_aton(str, out) <= 0) {
		vty_out(vty, "%%Inconsistent address and mask\n");
		return 0;
	}
	return 1;
}

/*
 * Add (@set != 0) or remove a Cisco-style entry to/from IPv4 access list
 * @name_str.
 *
 * @type_str is "permit" or "deny" (only the first letter is examined).
 * @addr_str/@addr_mask_str give the source address and wildcard; for an
 * @extended entry @mask_str/@mask_mask_str give the destination pair and
 * may be NULL otherwise.  Addresses are stored pre-masked so that matching
 * is a plain comparison.  Adding a duplicate entry is a no-op; removing a
 * missing one is too.
 *
 * Returns CMD_SUCCESS, or CMD_WARNING_CONFIG_FAILED after a diagnostic when
 * the type keyword or any address fails to parse.
 */
static int filter_set_cisco(struct vty *vty, const char *name_str,
			    const char *type_str, const char *addr_str,
			    const char *addr_mask_str, const char *mask_str,
			    const char *mask_mask_str, int extended, int set)
{
	enum filter_type type;
	struct filter *mfilter;
	struct filter_cisco *filter;
	struct access_list *access;
	struct in_addr addr, addr_mask;
	struct in_addr mask = {0}, mask_mask = {0};

	switch (type_str[0]) {
	case 'p':
		type = FILTER_PERMIT;
		break;
	case 'd':
		type = FILTER_DENY;
		break;
	default:
		vty_out(vty, "%% filter type must be permit or deny\n");
		return CMD_WARNING_CONFIG_FAILED;
	}

	if (!cisco_parse_ipv4(vty, addr_str, &addr)
	    || !cisco_parse_ipv4(vty, addr_mask_str, &addr_mask))
		return CMD_WARNING_CONFIG_FAILED;

	if (extended
	    && (!cisco_parse_ipv4(vty, mask_str, &mask)
		|| !cisco_parse_ipv4(vty, mask_mask_str, &mask_mask)))
		return CMD_WARNING_CONFIG_FAILED;

	mfilter = filter_new();
	mfilter->type = type;
	mfilter->cisco = 1;
	filter = &mfilter->u.cfilter;
	filter->extended = extended;
	/* wildcard bits are "don't care": clear them in the stored address */
	filter->addr.s_addr = addr.s_addr & ~addr_mask.s_addr;
	filter->addr_mask.s_addr = addr_mask.s_addr;
	if (extended) {
		filter->mask.s_addr = mask.s_addr & ~mask_mask.s_addr;
		filter->mask_mask.s_addr = mask_mask.s_addr;
	}

	/* Cisco-style lists are IPv4 only */
	access = access_list_get(AFI_IP, name_str);

	if (set) {
		if (filter_lookup_cisco(access, mfilter))
			filter_free(mfilter);
		else
			access_list_filter_add(access, mfilter);
	} else {
		/* mfilter only serves as the lookup key here */
		struct filter *victim = filter_lookup_cisco(access, mfilter);

		if (victim)
			access_list_filter_delete(access, victim);
		filter_free(mfilter);
	}

	return CMD_SUCCESS;
}
640 /* Standard access-list */
641 DEFUN (access_list_standard
,
642 access_list_standard_cmd
,
643 "access-list <(1-99)|(1300-1999)> <deny|permit> A.B.C.D A.B.C.D",
644 "Add an access list entry\n"
645 "IP standard access list\n"
646 "IP standard access list (expanded range)\n"
647 "Specify packets to reject\n"
648 "Specify packets to forward\n"
653 int idx_permit_deny
= 2;
656 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
657 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
658 argv
[idx_ipv4_2
]->arg
, NULL
, NULL
, 0, 1);
DEFUN (access_list_standard_nomask,
       access_list_standard_nomask_cmd,
       "access-list <(1-99)|(1300-1999)> <deny|permit> A.B.C.D",
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP standard access list (expanded range)\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Address to match\n")
{
	/* argv: 0 "access-list", 1 list number, 2 deny|permit, 3 address */
	const char *acl = argv[1]->arg;
	const char *action = argv[2]->arg;
	const char *addr = argv[3]->arg;

	/* no wildcard given: 0.0.0.0 makes every address bit significant */
	return filter_set_cisco(vty, acl, action, addr, "0.0.0.0", NULL, NULL,
				0, 1);
}
DEFUN (access_list_standard_host,
       access_list_standard_host_cmd,
       "access-list <(1-99)|(1300-1999)> <deny|permit> host A.B.C.D",
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP standard access list (expanded range)\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "A single host address\n"
       "Address to match\n")
{
	/* argv: 0 "access-list", 1 list number, 2 deny|permit, 3 "host", 4 address */
	const char *acl = argv[1]->arg;
	const char *action = argv[2]->arg;
	const char *addr = argv[4]->arg;

	/* "host" is the all-zero wildcard: the full address must match */
	return filter_set_cisco(vty, acl, action, addr, "0.0.0.0", NULL, NULL,
				0, 1);
}
698 DEFUN (access_list_standard_any
,
699 access_list_standard_any_cmd
,
700 "access-list <(1-99)|(1300-1999)> <deny|permit> any",
701 "Add an access list entry\n"
702 "IP standard access list\n"
703 "IP standard access list (expanded range)\n"
704 "Specify packets to reject\n"
705 "Specify packets to forward\n"
709 int idx_permit_deny
= 2;
710 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
711 argv
[idx_permit_deny
]->arg
, "0.0.0.0",
712 "255.255.255.255", NULL
, NULL
, 0, 1);
715 DEFUN (no_access_list_standard
,
716 no_access_list_standard_cmd
,
717 "no access-list <(1-99)|(1300-1999)> <deny|permit> A.B.C.D A.B.C.D",
719 "Add an access list entry\n"
720 "IP standard access list\n"
721 "IP standard access list (expanded range)\n"
722 "Specify packets to reject\n"
723 "Specify packets to forward\n"
728 int idx_permit_deny
= 3;
731 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
732 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
733 argv
[idx_ipv4_2
]->arg
, NULL
, NULL
, 0, 0);
DEFUN (no_access_list_standard_nomask,
       no_access_list_standard_nomask_cmd,
       "no access-list <(1-99)|(1300-1999)> <deny|permit> A.B.C.D",
       NO_STR
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP standard access list (expanded range)\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Address to match\n")
{
	/* argv: 0 "no", 1 "access-list", 2 list number, 3 deny|permit, 4 address */
	const char *acl = argv[2]->arg;
	const char *action = argv[3]->arg;
	const char *addr = argv[4]->arg;

	/* same wildcard as the add form so the lookup finds the stored entry */
	return filter_set_cisco(vty, acl, action, addr, "0.0.0.0", NULL, NULL,
				0, 0);
}
DEFUN (no_access_list_standard_host,
       no_access_list_standard_host_cmd,
       "no access-list <(1-99)|(1300-1999)> <deny|permit> host A.B.C.D",
       NO_STR
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP standard access list (expanded range)\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "A single host address\n"
       "Address to match\n")
{
	/* argv: 0 "no", 1 "access-list", 2 list number, 3 deny|permit,
	 * 4 "host", 5 address */
	const char *acl = argv[2]->arg;
	const char *action = argv[3]->arg;
	const char *addr = argv[5]->arg;

	/* same wildcard as the add form so the lookup finds the stored entry */
	return filter_set_cisco(vty, acl, action, addr, "0.0.0.0", NULL, NULL,
				0, 0);
}
775 DEFUN (no_access_list_standard_any
,
776 no_access_list_standard_any_cmd
,
777 "no access-list <(1-99)|(1300-1999)> <deny|permit> any",
779 "Add an access list entry\n"
780 "IP standard access list\n"
781 "IP standard access list (expanded range)\n"
782 "Specify packets to reject\n"
783 "Specify packets to forward\n"
787 int idx_permit_deny
= 3;
788 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
789 argv
[idx_permit_deny
]->arg
, "0.0.0.0",
790 "255.255.255.255", NULL
, NULL
, 0, 0);
793 /* Extended access-list */
794 DEFUN (access_list_extended
,
795 access_list_extended_cmd
,
796 "access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D A.B.C.D A.B.C.D",
797 "Add an access list entry\n"
798 "IP extended access list\n"
799 "IP extended access list (expanded range)\n"
800 "Specify packets to reject\n"
801 "Specify packets to forward\n"
802 "Any Internet Protocol\n"
804 "Source wildcard bits\n"
805 "Destination address\n"
806 "Destination Wildcard bits\n")
809 int idx_permit_deny
= 2;
814 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
815 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
816 argv
[idx_ipv4_2
]->arg
, argv
[idx_ipv4_3
]->arg
,
817 argv
[idx_ipv4_4
]->arg
, 1, 1);
820 DEFUN (access_list_extended_mask_any
,
821 access_list_extended_mask_any_cmd
,
822 "access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D any",
823 "Add an access list entry\n"
824 "IP extended access list\n"
825 "IP extended access list (expanded range)\n"
826 "Specify packets to reject\n"
827 "Specify packets to forward\n"
828 "Any Internet Protocol\n"
830 "Source wildcard bits\n"
831 "Any destination host\n")
834 int idx_permit_deny
= 2;
837 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
838 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
839 argv
[idx_ipv4_2
]->arg
, "0.0.0.0",
840 "255.255.255.255", 1, 1);
843 DEFUN (access_list_extended_any_mask
,
844 access_list_extended_any_mask_cmd
,
845 "access-list <(100-199)|(2000-2699)> <deny|permit> ip any A.B.C.D A.B.C.D",
846 "Add an access list entry\n"
847 "IP extended access list\n"
848 "IP extended access list (expanded range)\n"
849 "Specify packets to reject\n"
850 "Specify packets to forward\n"
851 "Any Internet Protocol\n"
853 "Destination address\n"
854 "Destination Wildcard bits\n")
857 int idx_permit_deny
= 2;
860 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
861 argv
[idx_permit_deny
]->arg
, "0.0.0.0",
862 "255.255.255.255", argv
[idx_ipv4
]->arg
,
863 argv
[idx_ipv4_2
]->arg
, 1, 1);
866 DEFUN (access_list_extended_any_any
,
867 access_list_extended_any_any_cmd
,
868 "access-list <(100-199)|(2000-2699)> <deny|permit> ip any any",
869 "Add an access list entry\n"
870 "IP extended access list\n"
871 "IP extended access list (expanded range)\n"
872 "Specify packets to reject\n"
873 "Specify packets to forward\n"
874 "Any Internet Protocol\n"
876 "Any destination host\n")
879 int idx_permit_deny
= 2;
880 return filter_set_cisco(
881 vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
882 "255.255.255.255", "0.0.0.0", "255.255.255.255", 1, 1);
885 DEFUN (access_list_extended_mask_host
,
886 access_list_extended_mask_host_cmd
,
887 "access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D host A.B.C.D",
888 "Add an access list entry\n"
889 "IP extended access list\n"
890 "IP extended access list (expanded range)\n"
891 "Specify packets to reject\n"
892 "Specify packets to forward\n"
893 "Any Internet Protocol\n"
895 "Source wildcard bits\n"
896 "A single destination host\n"
897 "Destination address\n")
900 int idx_permit_deny
= 2;
904 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
905 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
906 argv
[idx_ipv4_2
]->arg
, argv
[idx_ipv4_3
]->arg
,
910 DEFUN (access_list_extended_host_mask
,
911 access_list_extended_host_mask_cmd
,
912 "access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D A.B.C.D A.B.C.D",
913 "Add an access list entry\n"
914 "IP extended access list\n"
915 "IP extended access list (expanded range)\n"
916 "Specify packets to reject\n"
917 "Specify packets to forward\n"
918 "Any Internet Protocol\n"
919 "A single source host\n"
921 "Destination address\n"
922 "Destination Wildcard bits\n")
925 int idx_permit_deny
= 2;
929 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
930 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
931 "0.0.0.0", argv
[idx_ipv4_2
]->arg
,
932 argv
[idx_ipv4_3
]->arg
, 1, 1);
935 DEFUN (access_list_extended_host_host
,
936 access_list_extended_host_host_cmd
,
937 "access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D host A.B.C.D",
938 "Add an access list entry\n"
939 "IP extended access list\n"
940 "IP extended access list (expanded range)\n"
941 "Specify packets to reject\n"
942 "Specify packets to forward\n"
943 "Any Internet Protocol\n"
944 "A single source host\n"
946 "A single destination host\n"
947 "Destination address\n")
950 int idx_permit_deny
= 2;
953 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
954 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
955 "0.0.0.0", argv
[idx_ipv4_2
]->arg
, "0.0.0.0", 1,
959 DEFUN (access_list_extended_any_host
,
960 access_list_extended_any_host_cmd
,
961 "access-list <(100-199)|(2000-2699)> <deny|permit> ip any host A.B.C.D",
962 "Add an access list entry\n"
963 "IP extended access list\n"
964 "IP extended access list (expanded range)\n"
965 "Specify packets to reject\n"
966 "Specify packets to forward\n"
967 "Any Internet Protocol\n"
969 "A single destination host\n"
970 "Destination address\n")
973 int idx_permit_deny
= 2;
975 return filter_set_cisco(
976 vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
977 "255.255.255.255", argv
[idx_ipv4
]->arg
, "0.0.0.0", 1, 1);
980 DEFUN (access_list_extended_host_any
,
981 access_list_extended_host_any_cmd
,
982 "access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D any",
983 "Add an access list entry\n"
984 "IP extended access list\n"
985 "IP extended access list (expanded range)\n"
986 "Specify packets to reject\n"
987 "Specify packets to forward\n"
988 "Any Internet Protocol\n"
989 "A single source host\n"
991 "Any destination host\n")
994 int idx_permit_deny
= 2;
996 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
997 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
998 "0.0.0.0", "0.0.0.0", "255.255.255.255", 1, 1);
1001 DEFUN (no_access_list_extended
,
1002 no_access_list_extended_cmd
,
1003 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D A.B.C.D A.B.C.D",
1005 "Add an access list entry\n"
1006 "IP extended access list\n"
1007 "IP extended access list (expanded range)\n"
1008 "Specify packets to reject\n"
1009 "Specify packets to forward\n"
1010 "Any Internet Protocol\n"
1012 "Source wildcard bits\n"
1013 "Destination address\n"
1014 "Destination Wildcard bits\n")
1017 int idx_permit_deny
= 3;
1022 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1023 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1024 argv
[idx_ipv4_2
]->arg
, argv
[idx_ipv4_3
]->arg
,
1025 argv
[idx_ipv4_4
]->arg
, 1, 0);
1028 DEFUN (no_access_list_extended_mask_any
,
1029 no_access_list_extended_mask_any_cmd
,
1030 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D any",
1032 "Add an access list entry\n"
1033 "IP extended access list\n"
1034 "IP extended access list (expanded range)\n"
1035 "Specify packets to reject\n"
1036 "Specify packets to forward\n"
1037 "Any Internet Protocol\n"
1039 "Source wildcard bits\n"
1040 "Any destination host\n")
1043 int idx_permit_deny
= 3;
1046 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1047 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1048 argv
[idx_ipv4_2
]->arg
, "0.0.0.0",
1049 "255.255.255.255", 1, 0);
1052 DEFUN (no_access_list_extended_any_mask
,
1053 no_access_list_extended_any_mask_cmd
,
1054 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip any A.B.C.D A.B.C.D",
1056 "Add an access list entry\n"
1057 "IP extended access list\n"
1058 "IP extended access list (expanded range)\n"
1059 "Specify packets to reject\n"
1060 "Specify packets to forward\n"
1061 "Any Internet Protocol\n"
1063 "Destination address\n"
1064 "Destination Wildcard bits\n")
1067 int idx_permit_deny
= 3;
1070 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1071 argv
[idx_permit_deny
]->arg
, "0.0.0.0",
1072 "255.255.255.255", argv
[idx_ipv4
]->arg
,
1073 argv
[idx_ipv4_2
]->arg
, 1, 0);
1076 DEFUN (no_access_list_extended_any_any
,
1077 no_access_list_extended_any_any_cmd
,
1078 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip any any",
1080 "Add an access list entry\n"
1081 "IP extended access list\n"
1082 "IP extended access list (expanded range)\n"
1083 "Specify packets to reject\n"
1084 "Specify packets to forward\n"
1085 "Any Internet Protocol\n"
1087 "Any destination host\n")
1090 int idx_permit_deny
= 3;
1091 return filter_set_cisco(
1092 vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
1093 "255.255.255.255", "0.0.0.0", "255.255.255.255", 1, 0);
1096 DEFUN (no_access_list_extended_mask_host
,
1097 no_access_list_extended_mask_host_cmd
,
1098 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D host A.B.C.D",
1100 "Add an access list entry\n"
1101 "IP extended access list\n"
1102 "IP extended access list (expanded range)\n"
1103 "Specify packets to reject\n"
1104 "Specify packets to forward\n"
1105 "Any Internet Protocol\n"
1107 "Source wildcard bits\n"
1108 "A single destination host\n"
1109 "Destination address\n")
1112 int idx_permit_deny
= 3;
1116 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1117 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1118 argv
[idx_ipv4_2
]->arg
, argv
[idx_ipv4_3
]->arg
,
1122 DEFUN (no_access_list_extended_host_mask
,
1123 no_access_list_extended_host_mask_cmd
,
1124 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D A.B.C.D A.B.C.D",
1126 "Add an access list entry\n"
1127 "IP extended access list\n"
1128 "IP extended access list (expanded range)\n"
1129 "Specify packets to reject\n"
1130 "Specify packets to forward\n"
1131 "Any Internet Protocol\n"
1132 "A single source host\n"
1134 "Destination address\n"
1135 "Destination Wildcard bits\n")
1138 int idx_permit_deny
= 3;
1142 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1143 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1144 "0.0.0.0", argv
[idx_ipv4_2
]->arg
,
1145 argv
[idx_ipv4_3
]->arg
, 1, 0);
1148 DEFUN (no_access_list_extended_host_host
,
1149 no_access_list_extended_host_host_cmd
,
1150 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D host A.B.C.D",
1152 "Add an access list entry\n"
1153 "IP extended access list\n"
1154 "IP extended access list (expanded range)\n"
1155 "Specify packets to reject\n"
1156 "Specify packets to forward\n"
1157 "Any Internet Protocol\n"
1158 "A single source host\n"
1160 "A single destination host\n"
1161 "Destination address\n")
1164 int idx_permit_deny
= 3;
1167 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1168 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1169 "0.0.0.0", argv
[idx_ipv4_2
]->arg
, "0.0.0.0", 1,
1173 DEFUN (no_access_list_extended_any_host
,
1174 no_access_list_extended_any_host_cmd
,
1175 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip any host A.B.C.D",
1177 "Add an access list entry\n"
1178 "IP extended access list\n"
1179 "IP extended access list (expanded range)\n"
1180 "Specify packets to reject\n"
1181 "Specify packets to forward\n"
1182 "Any Internet Protocol\n"
1184 "A single destination host\n"
1185 "Destination address\n")
1188 int idx_permit_deny
= 3;
1190 return filter_set_cisco(
1191 vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
1192 "255.255.255.255", argv
[idx_ipv4
]->arg
, "0.0.0.0", 1, 0);
1195 DEFUN (no_access_list_extended_host_any
,
1196 no_access_list_extended_host_any_cmd
,
1197 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D any",
1199 "Add an access list entry\n"
1200 "IP extended access list\n"
1201 "IP extended access list (expanded range)\n"
1202 "Specify packets to reject\n"
1203 "Specify packets to forward\n"
1204 "Any Internet Protocol\n"
1205 "A single source host\n"
1207 "Any destination host\n")
1210 int idx_permit_deny
= 3;
1212 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1213 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1214 "0.0.0.0", "0.0.0.0", "255.255.255.255", 1, 0);
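/*
 * Parse @prefix_str according to family @afi into *@p.
 *
 * Returns 1 on success.  On a malformed prefix the diagnostic has already
 * been written to @vty and 0 is returned; an unsupported family also fails
 * (silently, as before).
 */
static int zebra_parse_prefix(struct vty *vty, afi_t afi,
			      const char *prefix_str, struct prefix *p)
{
	int ret = 0;

	if (afi == AFI_IP) {
		ret = str2prefix_ipv4(prefix_str, (struct prefix_ipv4 *)p);
		if (ret <= 0)
			vty_out(vty,
				"IP address prefix/prefixlen is malformed\n");
	} else if (afi == AFI_IP6) {
		ret = str2prefix_ipv6(prefix_str, (struct prefix_ipv6 *)p);
		if (ret <= 0)
			vty_out(vty,
				"IPv6 address prefix/prefixlen is malformed\n");
	} else if (afi == AFI_L2VPN) {
		ret = str2prefix_eth(prefix_str, (struct prefix_eth *)p);
		if (ret <= 0)
			vty_out(vty, "MAC address is malformed\n");
	}

	return ret > 0;
}

/*
 * Add (@set != 0) or remove a zebra-style entry to/from access list
 * @name_str of family @afi.
 *
 * @type_str is "permit" or "deny" (only the first letter is examined),
 * @prefix_str the prefix (or MAC address for AFI_L2VPN) and @exact whether
 * the entry requires an exact prefix-length match.  Adding a duplicate
 * entry is a no-op; removing a missing one is too.
 *
 * Returns CMD_SUCCESS, or CMD_WARNING_CONFIG_FAILED when the name exceeds
 * ACL_NAMSIZ, the type keyword or the prefix is malformed, or @afi is
 * unsupported.  Every rejection uses that one return code so the MAC case
 * is reported the same way as the IPv4/IPv6 cases.
 */
static int filter_set_zebra(struct vty *vty, const char *name_str,
			    const char *type_str, afi_t afi,
			    const char *prefix_str, int exact, int set)
{
	enum filter_type type;
	struct filter *mfilter;
	struct filter_zebra *filter;
	struct access_list *access;
	struct prefix p = {0};

	/* bound the user-supplied name before it is copied anywhere */
	if (strlen(name_str) > ACL_NAMSIZ) {
		vty_out(vty,
			"%% ACL name %s is invalid: length exceeds "
			"%d characters\n",
			name_str, ACL_NAMSIZ);
		return CMD_WARNING_CONFIG_FAILED;
	}

	switch (type_str[0]) {
	case 'p':
		type = FILTER_PERMIT;
		break;
	case 'd':
		type = FILTER_DENY;
		break;
	default:
		vty_out(vty, "filter type must be [permit|deny]\n");
		return CMD_WARNING_CONFIG_FAILED;
	}

	if (!zebra_parse_prefix(vty, afi, prefix_str, &p))
		return CMD_WARNING_CONFIG_FAILED;

	mfilter = filter_new();
	mfilter->type = type;
	filter = &mfilter->u.zfilter;
	prefix_copy(&filter->prefix, &p);
	if (exact)
		filter->exact = 1;

	access = access_list_get(afi, name_str);

	if (set) {
		if (filter_lookup_zebra(access, mfilter))
			filter_free(mfilter);
		else
			access_list_filter_add(access, mfilter);
	} else {
		/* mfilter only serves as the lookup key here */
		struct filter *victim = filter_lookup_zebra(access, mfilter);

		if (victim)
			access_list_filter_delete(access, victim);
		filter_free(mfilter);
	}

	return CMD_SUCCESS;
}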
DEFUN (mac_access_list,
       mac_access_list_cmd,
       "mac access-list WORD <deny|permit> X:X:X:X:X:X",
       "Add a mac access-list\n"
       "Add an access list entry\n"
       "MAC zebra access-list name\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "MAC address to match. e.g. 00:01:00:01:00:01\n")
{
	/* argv: 0 "mac", 1 "access-list", 2 name, 3 deny|permit, 4 MAC */
	const char *name = argv[2]->arg;
	const char *action = argv[3]->arg;
	const char *mac = argv[4]->arg;

	return filter_set_zebra(vty, name, action, AFI_L2VPN, mac, 0, 1);
}
/*
 * "no mac access-list WORD <deny|permit> X:X:X:X:X:X"
 * Remove one MAC (L2VPN) zebra-style access-list entry.  Because of the
 * leading "no", argv indices are shifted by one relative to the add form:
 * [3] list name, [4] permit/deny, [5] MAC address.  set = 0 selects the
 * delete path of filter_set_zebra().
 *
 * NOTE(review): the help string for the "no" keyword (line between the
 * command string and "Remove a mac access-list") is absent from this
 * listing; help-string count must match token count for DEFUN.
 */
DEFUN (no_mac_access_list,
       no_mac_access_list_cmd,
       "no mac access-list WORD <deny|permit> X:X:X:X:X:X",
       "Remove a mac access-list\n"
       "Remove an access list entry\n"
       "MAC zebra access-list name\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "MAC address to match. e.g. 00:01:00:01:00:01\n")
	return filter_set_zebra(vty, argv[3]->arg, argv[4]->arg, AFI_L2VPN,
				argv[5]->arg, 0, 0);
/*
 * "mac access-list WORD <deny|permit> any"
 * Add a MAC access-list entry matching every address.  "any" is encoded as
 * the all-zero MAC "00:00:00:00:00:00" handed to filter_set_zebra() with
 * exact = 0 and set = 1.  argv layout: [2] list name, [3] permit/deny.
 */
DEFUN (mac_access_list_any,
       mac_access_list_any_cmd,
       "mac access-list WORD <deny|permit> any",
       "Add a mac access-list\n"
       "Add an access list entry\n"
       "MAC zebra access-list name\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "MAC address to match. e.g. 00:01:00:01:00:01\n")
{
	const int idx_name = 2;
	const int idx_permit_deny = 3;
	const char *any_mac = "00:00:00:00:00:00";

	return filter_set_zebra(vty, argv[idx_name]->arg,
				argv[idx_permit_deny]->arg, AFI_L2VPN,
				any_mac, 0, 1);
}
/*
 * "no mac access-list WORD <deny|permit> any"
 * Remove the match-everything MAC entry (encoded as 00:00:00:00:00:00).
 * argv indices are shifted by the leading "no": [3] list name,
 * [4] permit/deny.  set = 0 selects the delete path.
 *
 * NOTE(review): the help string for the "no" keyword is absent from this
 * listing.
 */
DEFUN (no_mac_access_list_any,
       no_mac_access_list_any_cmd,
       "no mac access-list WORD <deny|permit> any",
       "Remove a mac access-list\n"
       "Remove an access list entry\n"
       "MAC zebra access-list name\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "MAC address to match. e.g. 00:01:00:01:00:01\n")
	return filter_set_zebra(vty, argv[3]->arg, argv[4]->arg, AFI_L2VPN,
				"00:00:00:00:00:00", 0, 0);
/*
 * "access-list WORD <deny|permit> A.B.C.D/M [exact-match]"
 * Add one IPv4 zebra-style access-list entry, optionally exact-match.
 *
 * NOTE(review): the declarations of `idx_word`, `idx` and `exact`, the
 * statement that sets `exact` when "exact-match" is found, and the braces
 * are absent from this listing.
 */
DEFUN (access_list_exact,
       access_list_exact_cmd,
       "access-list WORD <deny|permit> A.B.C.D/M [exact-match]",
       "Add an access list entry\n"
       "IP zebra access-list name\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 10.0.0.0/8\n"
       "Exact match of the prefixes\n")
	int idx_permit_deny = 2;
	int idx_ipv4_prefixlen = 3;
	/* argv_find() searches from `idx`, so start just after the prefix. */
	idx = idx_ipv4_prefixlen;
	if (argv_find(argv, argc, "exact-match", &idx))
		/* NOTE(review): the body that sets `exact` is absent from this listing. */
	return filter_set_zebra(vty, argv[idx_word]->arg,
				argv[idx_permit_deny]->arg, AFI_IP,
				argv[idx_ipv4_prefixlen]->arg, exact, 1);
/*
 * "access-list WORD <deny|permit> any"
 * Add an IPv4 entry matching every prefix; "any" is encoded as "0.0.0.0/0".
 *
 * NOTE(review): the declaration of `idx_word`, the trailing
 * exact/set arguments of the filter_set_zebra() call and the braces are
 * absent from this listing.
 */
DEFUN (access_list_any,
       access_list_any_cmd,
       "access-list WORD <deny|permit> any",
       "Add an access list entry\n"
       "IP zebra access-list name\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 10.0.0.0/8\n")
	int idx_permit_deny = 2;
	return filter_set_zebra(vty, argv[idx_word]->arg,
				argv[idx_permit_deny]->arg, AFI_IP, "0.0.0.0/0",
/*
 * "no access-list WORD <deny|permit> A.B.C.D/M [exact-match]"
 * Remove one IPv4 zebra-style entry; indices are shifted by the leading
 * "no" ([3] permit/deny, [4] prefix).  set = 0 selects the delete path.
 *
 * NOTE(review): the "no" help string, the declarations of `idx_word`,
 * `idx` and `exact`, the statement that sets `exact`, and the braces are
 * absent from this listing.  The first visible help line still says
 * "Add an access list entry" for a removal command.
 */
DEFUN (no_access_list_exact,
       no_access_list_exact_cmd,
       "no access-list WORD <deny|permit> A.B.C.D/M [exact-match]",
       "Add an access list entry\n"
       "IP zebra access-list name\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 10.0.0.0/8\n"
       "Exact match of the prefixes\n")
	int idx_permit_deny = 3;
	int idx_ipv4_prefixlen = 4;
	idx = idx_ipv4_prefixlen;
	if (argv_find(argv, argc, "exact-match", &idx))
		/* NOTE(review): the body that sets `exact` is absent from this listing. */
	return filter_set_zebra(vty, argv[idx_word]->arg,
				argv[idx_permit_deny]->arg, AFI_IP,
				argv[idx_ipv4_prefixlen]->arg, exact, 0);
/*
 * "no access-list WORD <deny|permit> any"
 * Remove the match-everything IPv4 entry ("0.0.0.0/0").
 *
 * NOTE(review): the "no" help string, the declaration of `idx_word`, the
 * trailing exact/set arguments and the braces are absent from this listing.
 */
DEFUN (no_access_list_any,
       no_access_list_any_cmd,
       "no access-list WORD <deny|permit> any",
       "Add an access list entry\n"
       "IP zebra access-list name\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 10.0.0.0/8\n")
	int idx_permit_deny = 3;
	return filter_set_zebra(vty, argv[idx_word]->arg,
				argv[idx_permit_deny]->arg, AFI_IP, "0.0.0.0/0",
/*
 * "no access-list <number|WORD>"
 * Delete an entire IPv4 access-list (all entries and its remark).
 *
 * Order matters: route-map dependents are notified and the master's
 * delete hook runs while the list is still valid, and only then is the
 * list destroyed.
 *
 * NOTE(review): the "no" help string, the declaration of `idx_acl`, the
 * success return and the braces are absent from this listing.
 */
DEFUN (no_access_list_all,
       no_access_list_all_cmd,
       "no access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD>",
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list name\n")
	struct access_list *access;
	struct access_master *master;

	/* Looking up access_list.  Pure lookup, never creates. */
	access = access_list_lookup(AFI_IP, argv[idx_acl]->arg);
	if (access == NULL) {
		vty_out(vty, "%% access-list %s doesn't exist\n",
			argv[idx_acl]->arg);
		return CMD_WARNING_CONFIG_FAILED;
	/* NOTE(review): closing brace absent from this listing. */

	master = access->master;

	route_map_notify_dependencies(access->name, RMAP_EVENT_FILTER_DELETED);
	/* Run hook function. */
	if (master->delete_hook)
		(*master->delete_hook)(access);

	/* Delete all filter from access-list. */
	access_list_delete(access);
/*
 * "access-list <number|WORD> remark LINE..."
 * Attach a free-form comment to an IPv4 access-list, creating the list
 * if it does not exist yet (access_list_get()).  Any previous remark is
 * released first.
 *
 * NOTE(review): the help text promises "up to 100 characters" but nothing
 * in the visible code bounds the remark length.  The declaration of
 * `idx_remark`, the success return and the braces are absent from this
 * listing.
 */
DEFUN (access_list_remark,
       access_list_remark_cmd,
       "access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD> remark LINE...",
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list\n"
       "Access list entry comment\n"
       "Comment up to 100 characters\n")
	struct access_list *access;

	access = access_list_get(AFI_IP, argv[idx_acl]->arg);

	/* Free the old remark with MTYPE_TMP; argv_concat() below is
	 * presumably allocating with the same memory type -- verify. */
	if (access->remark) {
		XFREE(MTYPE_TMP, access->remark);
		access->remark = NULL;
	/* NOTE(review): closing brace absent from this listing. */

	/* Join every token from idx_remark onwards into one string. */
	access->remark = argv_concat(argv, argc, idx_remark);
/*
 * "no access-list <number|WORD> remark"
 * Clear the remark of an IPv4 access-list via vty_access_list_remark_unset().
 *
 * NOTE(review): the "no" help string, the declaration of `idx_acl` and
 * the braces are absent from this listing.
 */
DEFUN (no_access_list_remark,
       no_access_list_remark_cmd,
       "no access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD> remark",
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list\n"
       "Access list entry comment\n")
	return vty_access_list_remark_unset(vty, AFI_IP, argv[idx_acl]->arg);
/*
 * "no access-list <number|WORD> remark LINE..."
 * Accepts (and ignores) trailing comment text so operators can paste the
 * original remark line prefixed with "no"; forwards to
 * no_access_list_remark(), which only uses the list name.
 *
 * NOTE(review): the "no" help string and the braces are absent from this
 * listing.
 */
DEFUN (no_access_list_remark_comment,
       no_access_list_remark_comment_cmd,
       "no access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD> remark LINE...",
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list\n"
       "Access list entry comment\n"
       "Comment up to 100 characters\n")
	return no_access_list_remark(self, vty, argc, argv);
/*
 * "ipv6 access-list WORD <deny|permit> X:X::X:X/M [exact-match]"
 * Add one IPv6 zebra-style access-list entry, optionally exact-match.
 *
 * Style note: this command passes argv[idx_allow]->text for the
 * permit/deny token while every sibling command passes ->arg; both
 * satisfy filter_set_zebra()'s first-character check, but the
 * inconsistency is worth aligning.
 *
 * NOTE(review): the "ipv6" help string, the prefix help string, the
 * declarations of `idx_word`, `idx_allow`, `idx_addr`, `idx` and `exact`,
 * the statement that sets `exact`, and the braces are absent from this
 * listing.
 */
DEFUN (ipv6_access_list_exact,
       ipv6_access_list_exact_cmd,
       "ipv6 access-list WORD <deny|permit> X:X::X:X/M [exact-match]",
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Exact match of the prefixes\n")
	if (argv_find(argv, argc, "exact-match", &idx))
		/* NOTE(review): the body that sets `exact` is absent from this listing. */
	return filter_set_zebra(vty, argv[idx_word]->arg, argv[idx_allow]->text,
				AFI_IP6, argv[idx_addr]->arg, exact, 1);
/*
 * "ipv6 access-list WORD <deny|permit> any"
 * Add an IPv6 entry matching every prefix; "any" is encoded as "::/0".
 *
 * NOTE(review): the "ipv6" help string, the declaration of `idx_word`,
 * the final `set` argument and the braces are absent from this listing.
 * The help text "Any prefixi to match" carries a typo (runtime string,
 * left untouched here).
 */
DEFUN (ipv6_access_list_any,
       ipv6_access_list_any_cmd,
       "ipv6 access-list WORD <deny|permit> any",
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Any prefixi to match\n")
	int idx_permit_deny = 3;
	return filter_set_zebra(vty, argv[idx_word]->arg,
				argv[idx_permit_deny]->arg, AFI_IP6, "::/0", 0,
/*
 * "no ipv6 access-list WORD <deny|permit> X:X::X:X/M [exact-match]"
 * Remove one IPv6 zebra-style entry; indices are shifted by the leading
 * "no" ([4] permit/deny, [5] prefix).  set = 0 selects the delete path.
 *
 * NOTE(review): the "no"/"ipv6" help strings, the declarations of
 * `idx_word`, `idx` and `exact`, the statement that sets `exact`, and the
 * braces are absent from this listing.
 */
DEFUN (no_ipv6_access_list_exact,
       no_ipv6_access_list_exact_cmd,
       "no ipv6 access-list WORD <deny|permit> X:X::X:X/M [exact-match]",
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 3ffe:506::/32\n"
       "Exact match of the prefixes\n")
	int idx_permit_deny = 4;
	int idx_ipv6_prefixlen = 5;
	idx = idx_ipv6_prefixlen;
	if (argv_find(argv, argc, "exact-match", &idx))
		/* NOTE(review): the body that sets `exact` is absent from this listing. */
	return filter_set_zebra(vty, argv[idx_word]->arg,
				argv[idx_permit_deny]->arg, AFI_IP6,
				argv[idx_ipv6_prefixlen]->arg, exact, 0);
/*
 * "no ipv6 access-list WORD <deny|permit> any"
 * Remove the match-everything IPv6 entry ("::/0").
 *
 * NOTE(review): the "no"/"ipv6" help strings, the declaration of
 * `idx_word`, the final `set` argument and the braces are absent from this
 * listing.
 */
DEFUN (no_ipv6_access_list_any,
       no_ipv6_access_list_any_cmd,
       "no ipv6 access-list WORD <deny|permit> any",
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Any prefixi to match\n")
	int idx_permit_deny = 4;
	return filter_set_zebra(vty, argv[idx_word]->arg,
				argv[idx_permit_deny]->arg, AFI_IP6, "::/0", 0,
/*
 * "no ipv6 access-list WORD"
 * Delete an entire IPv6 access-list.  Same sequence as the IPv4 variant:
 * notify route-map dependents, run the master's delete hook on the still
 * valid list, then destroy it.
 *
 * NOTE(review): the "no"/"ipv6" help strings, the declaration of
 * `idx_word`, the success return and the braces are absent from this
 * listing.
 */
DEFUN (no_ipv6_access_list_all,
       no_ipv6_access_list_all_cmd,
       "no ipv6 access-list WORD",
       "Add an access list entry\n"
       "IPv6 zebra access-list\n")
	struct access_list *access;
	struct access_master *master;

	/* Looking up access_list.  Pure lookup, never creates. */
	access = access_list_lookup(AFI_IP6, argv[idx_word]->arg);
	if (access == NULL) {
		vty_out(vty, "%% access-list %s doesn't exist\n",
			argv[idx_word]->arg);
		return CMD_WARNING_CONFIG_FAILED;
	/* NOTE(review): closing brace absent from this listing. */

	master = access->master;

	route_map_notify_dependencies(access->name, RMAP_EVENT_FILTER_DELETED);
	/* Run hook function. */
	if (master->delete_hook)
		(*master->delete_hook)(access);

	/* Delete all filter from access-list. */
	access_list_delete(access);
/*
 * "ipv6 access-list WORD remark LINE..."
 * Attach a free-form comment to an IPv6 access-list, creating the list if
 * needed.  Mirrors access_list_remark(); the "up to 100 characters" help
 * text is likewise not enforced by the visible code.
 *
 * NOTE(review): the "ipv6" help string, the declaration of `idx_line`, the
 * success return and the braces are absent from this listing.
 */
DEFUN (ipv6_access_list_remark,
       ipv6_access_list_remark_cmd,
       "ipv6 access-list WORD remark LINE...",
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Access list entry comment\n"
       "Comment up to 100 characters\n")
	struct access_list *access;

	access = access_list_get(AFI_IP6, argv[idx_word]->arg);

	/* Release any previous remark before replacing it. */
	if (access->remark) {
		XFREE(MTYPE_TMP, access->remark);
		access->remark = NULL;
	/* NOTE(review): closing brace absent from this listing. */

	access->remark = argv_concat(argv, argc, idx_line);
/*
 * "no ipv6 access-list WORD remark"
 * Clear the remark of an IPv6 access-list via vty_access_list_remark_unset().
 *
 * NOTE(review): the "no"/"ipv6" help strings, the declaration of
 * `idx_word` and the braces are absent from this listing.
 */
DEFUN (no_ipv6_access_list_remark,
       no_ipv6_access_list_remark_cmd,
       "no ipv6 access-list WORD remark",
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Access list entry comment\n")
	return vty_access_list_remark_unset(vty, AFI_IP6, argv[idx_word]->arg);
/*
 * "no ipv6 access-list WORD remark LINE..."
 * Variant that tolerates trailing comment text; forwards unchanged to
 * no_ipv6_access_list_remark().
 *
 * NOTE(review): the "no"/"ipv6" help strings and the braces are absent
 * from this listing.
 */
DEFUN (no_ipv6_access_list_remark_comment,
       no_ipv6_access_list_remark_comment_cmd,
       "no ipv6 access-list WORD remark LINE...",
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Access list entry comment\n"
       "Comment up to 100 characters\n")
	return no_ipv6_access_list_remark(self, vty, argc, argv);
/* Forward declarations: both writers are defined further down in this
 * file but are needed by filter_show() first. */
void config_write_access_zebra(struct vty *, struct filter *);
void config_write_access_cisco(struct vty *, struct filter *);
/*
 * show access-list command: print every access-list of the given AFI
 * (or only the one called `name` when name != NULL) with its entries.
 *
 * @param vty   CLI session to write to.
 * @param name  optional exact list name to restrict the output to (strcmp).
 * @param afi   address family whose master lists are walked.
 * @return the return value is not present in this listing.
 *
 * The numbered-name list (master->num) and the string-name list
 * (master->str) are walked with identical bodies.
 *
 * NOTE(review): this listing omits the NULL check on `master` (if any), the
 * `continue` after the name comparison, parts of the header ternary, some
 * vty_out() call heads, the success return and the braces.
 */
static int filter_show(struct vty *vty, const char *name, afi_t afi)
	struct access_list *access;
	struct access_master *master;
	struct filter *mfilter;
	struct filter_cisco *filter;

	master = access_master_get(afi);
	/* NOTE(review): any guard on a NULL master is absent from this listing. */

	/* Print the name of the protocol */
	vty_out(vty, "%s:\n", frr_protoname);

	for (access = master->num.head; access; access = access->next) {
		/* Exact name match only. */
		if (name && strcmp(access->name, name) != 0)
			/* NOTE(review): `continue;` absent from this listing. */

		for (mfilter = access->head; mfilter; mfilter = mfilter->next) {
			/* filter aliases the cisco view of the union; it is only
			 * meaningful when mfilter->cisco is set. */
			filter = &mfilter->u.cfilter;

			/* Header line: list flavour + name.  The ternary is only
			 * partially present in this listing. */
			vty_out(vty, "%s %s access list %s\n",
				mfilter->cisco ? (filter->extended
				: ((afi == AFI_IP6) ? ("IPv6 ")

			vty_out(vty, " %s%s", filter_type_str(mfilter),
				mfilter->type == FILTER_DENY ? " " : "");

			if (!mfilter->cisco)
				config_write_access_zebra(vty, mfilter);
			else if (filter->extended)
				config_write_access_cisco(vty, mfilter);
			/* NOTE(review): the else branch for standard cisco
			 * entries starts here; its head is absent. */
			if (filter->addr_mask.s_addr == 0xffffffff)
				vty_out(vty, " any\n");
				/* NOTE(review): else branch / vty_out() head absent.
				 * inet_ntoa() returns a static buffer, so one call
				 * per vty_out() is the safe pattern used here. */
				inet_ntoa(filter->addr));
			if (filter->addr_mask.s_addr != 0)
				", wildcard bits %s",
				filter->addr_mask));
	/* NOTE(review): closing braces absent from this listing. */

	for (access = master->str.head; access; access = access->next) {
		if (name && strcmp(access->name, name) != 0)
			/* NOTE(review): `continue;` absent from this listing. */

		for (mfilter = access->head; mfilter; mfilter = mfilter->next) {
			filter = &mfilter->u.cfilter;

			vty_out(vty, "%s %s access list %s\n",
				mfilter->cisco ? (filter->extended
				: ((afi == AFI_IP6) ? ("IPv6 ")

			vty_out(vty, " %s%s", filter_type_str(mfilter),
				mfilter->type == FILTER_DENY ? " " : "");

			if (!mfilter->cisco)
				config_write_access_zebra(vty, mfilter);
			else if (filter->extended)
				config_write_access_cisco(vty, mfilter);
			/* NOTE(review): else branch head absent. */
			if (filter->addr_mask.s_addr == 0xffffffff)
				vty_out(vty, " any\n");
				/* NOTE(review): else branch / vty_out() head absent. */
				inet_ntoa(filter->addr));
			if (filter->addr_mask.s_addr != 0)
				", wildcard bits %s",
				filter->addr_mask));
	/* NOTE(review): closing braces and the return absent from this listing. */
/* show MAC access list - this only has MAC filters for now.
 * "show mac access-list": all L2VPN lists (name = NULL).
 * NOTE(review): the "show" help string and the braces are absent from
 * this listing. */
DEFUN (show_mac_access_list,
       show_mac_access_list_cmd,
       "show mac access-list",
       "mac access lists\n"
       "List mac access lists\n")
	return filter_show(vty, NULL, AFI_L2VPN);
/* "show mac access-list WORD": one L2VPN list, argv[3] is the name.
 * NOTE(review): the "show" help string, the name help string and the
 * braces are absent from this listing. */
DEFUN (show_mac_access_list_name,
       show_mac_access_list_name_cmd,
       "show mac access-list WORD",
       "mac access lists\n"
       "List mac access lists\n"
	return filter_show(vty, argv[3]->arg, AFI_L2VPN);
/* "show ip access-list": all IPv4 lists (name = NULL).
 * NOTE(review): the "show"/"ip" help strings and the braces are absent
 * from this listing. */
DEFUN (show_ip_access_list,
       show_ip_access_list_cmd,
       "show ip access-list",
       "List IP access lists\n")
	return filter_show(vty, NULL, AFI_IP);
/* "show ip access-list <number|WORD>": one IPv4 list.
 * NOTE(review): the "show"/"ip" help strings, the declaration of
 * `idx_acl` and the braces are absent from this listing. */
DEFUN (show_ip_access_list_name,
       show_ip_access_list_name_cmd,
       "show ip access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD>",
       "List IP access lists\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list\n")
	return filter_show(vty, argv[idx_acl]->arg, AFI_IP);
/* "show ipv6 access-list": all IPv6 lists (name = NULL).
 * NOTE(review): the "show"/"ipv6" help strings and the braces are absent
 * from this listing. */
DEFUN (show_ipv6_access_list,
       show_ipv6_access_list_cmd,
       "show ipv6 access-list",
       "List IPv6 access lists\n")
	return filter_show(vty, NULL, AFI_IP6);
/* "show ipv6 access-list WORD": one IPv6 list.
 * NOTE(review): the "show"/"ipv6" help strings, the declaration of
 * `idx_word` and the braces are absent from this listing. */
DEFUN (show_ipv6_access_list_name,
       show_ipv6_access_list_name_cmd,
       "show ipv6 access-list WORD",
       "List IPv6 access lists\n"
       "IPv6 zebra access-list\n")
	return filter_show(vty, argv[idx_word]->arg, AFI_IP6);
/*
 * Emit the address part of a Cisco-style entry in "show"/config form.
 *
 * Wildcard-mask conventions used throughout: addr_mask == 0xffffffff
 * means "any" and addr_mask == 0 means "host <addr>"; anything else is
 * printed as "<addr> <wildcard>".  Both sentinel values are byte-order
 * invariant, so comparing the network-order s_addr directly is sound.
 * Extended entries repeat the scheme for mask/mask_mask.
 *
 * inet_ntoa() returns a static buffer, which is why address and mask are
 * always printed by separate vty_out() calls.
 *
 * NOTE(review): the `else {` branches, the trailing "\n" outputs for the
 * extended form, and the braces are absent from this listing.
 */
void config_write_access_cisco(struct vty *vty, struct filter *mfilter)
	struct filter_cisco *filter;

	filter = &mfilter->u.cfilter;

	if (filter->extended) {
		vty_out(vty, " ip");
		if (filter->addr_mask.s_addr == 0xffffffff)
			vty_out(vty, " any");
		else if (filter->addr_mask.s_addr == 0)
			vty_out(vty, " host %s", inet_ntoa(filter->addr));
			/* NOTE(review): `else {` absent from this listing. */
			vty_out(vty, " %s", inet_ntoa(filter->addr));
			vty_out(vty, " %s", inet_ntoa(filter->addr_mask));

		if (filter->mask_mask.s_addr == 0xffffffff)
			vty_out(vty, " any");
		else if (filter->mask_mask.s_addr == 0)
			vty_out(vty, " host %s", inet_ntoa(filter->mask));
			/* NOTE(review): `else {` absent from this listing. */
			vty_out(vty, " %s", inet_ntoa(filter->mask));
			vty_out(vty, " %s", inet_ntoa(filter->mask_mask));
	/* NOTE(review): `} else {` for the standard form absent. */
		if (filter->addr_mask.s_addr == 0xffffffff)
			vty_out(vty, " any\n");
			/* NOTE(review): `else {` absent from this listing. */
			vty_out(vty, " %s", inet_ntoa(filter->addr));
			if (filter->addr_mask.s_addr != 0)
				/* NOTE(review): vty_out() head absent. */
				inet_ntoa(filter->addr_mask));
	/* NOTE(review): closing braces absent from this listing. */
/*
 * Emit the prefix part of a zebra-style entry in "show"/config form.
 *
 * A zero-length prefix without exact-match prints as "any"; IPv4/IPv6
 * prefixes print as "<addr>/<len>[ exact-match]"; Ethernet prefixes print
 * the MAC (or "any" for length 0).
 *
 * NOTE(review): the declarations of `p` and `buf` are absent from this
 * listing, as are the closing of the prefix_mac2str() call and the braces.
 * The inet_ntop() call is bounded by BUFSIZ, so `buf` must be at least
 * BUFSIZ bytes -- confirm against its (unseen) declaration.
 */
void config_write_access_zebra(struct vty *vty, struct filter *mfilter)
	struct filter_zebra *filter;
	/* NOTE(review): declarations of `p` and `buf` absent from this listing. */

	filter = &mfilter->u.zfilter;
	p = &filter->prefix;

	if (p->prefixlen == 0 && !filter->exact)
		vty_out(vty, " any");
	else if (p->family == AF_INET6 || p->family == AF_INET)
		/* %d with p->prefixlen presumes an int-compatible field -- verify. */
		vty_out(vty, " %s/%d%s",
			inet_ntop(p->family, &p->u.prefix, buf, BUFSIZ),
			p->prefixlen, filter->exact ? " exact-match" : "");
	else if (p->family == AF_ETHERNET) {
		if (p->prefixlen == 0)
			vty_out(vty, " any");
			/* NOTE(review): `else` absent from this listing. */
			vty_out(vty, " %s", prefix_mac2str(&(p->u.prefix_eth),
	/* NOTE(review): remainder of the call and closing braces absent. */
/*
 * Write the running configuration for every access-list of one AFI.
 *
 * @param vty  CLI session to write to.
 * @param afi  AFI_IP prints "access-list ...", AFI_IP6 "ipv6 access-list ..."
 *             (the third alternative of the ternary is not in this listing).
 * @return the return value is not present in this listing.
 *
 * For each list the remark (if any) is written first, then one line per
 * entry, dispatching to the cisco or zebra writer.  The numbered-name and
 * string-name lists are walked with identical bodies.
 *
 * NOTE(review): this listing omits any NULL check on `master`, the tail of
 * each AFI ternary, the `if (mfilter->cisco)`/`else` around the two
 * writer calls, the return and the braces.
 */
static int config_write_access(struct vty *vty, afi_t afi)
	struct access_list *access;
	struct access_master *master;
	struct filter *mfilter;

	master = access_master_get(afi);
	/* NOTE(review): any guard on a NULL master is absent from this listing. */

	for (access = master->num.head; access; access = access->next) {
		if (access->remark) {
			/* The remark is written verbatim; nothing here escapes it. */
			vty_out(vty, "%saccess-list %s remark %s\n",
				(afi == AFI_IP) ? ("")
				: ((afi == AFI_IP6) ? ("ipv6 ")
				/* NOTE(review): third ternary alternative absent. */
				access->name, access->remark);
		/* NOTE(review): closing brace absent from this listing. */

		for (mfilter = access->head; mfilter; mfilter = mfilter->next) {
			vty_out(vty, "%saccess-list %s %s",
				(afi == AFI_IP) ? ("")
				: ((afi == AFI_IP6) ? ("ipv6 ")
				/* NOTE(review): third ternary alternative absent. */
				access->name, filter_type_str(mfilter));
			/* NOTE(review): the if/else selecting a writer is absent. */
			config_write_access_cisco(vty, mfilter);
			config_write_access_zebra(vty, mfilter);
	/* NOTE(review): closing braces absent from this listing. */

	for (access = master->str.head; access; access = access->next) {
		if (access->remark) {
			vty_out(vty, "%saccess-list %s remark %s\n",
				(afi == AFI_IP) ? ("")
				: ((afi == AFI_IP6) ? ("ipv6 ")
				/* NOTE(review): third ternary alternative absent. */
				access->name, access->remark);
		/* NOTE(review): closing brace absent from this listing. */

		for (mfilter = access->head; mfilter; mfilter = mfilter->next) {
			vty_out(vty, "%saccess-list %s %s",
				(afi == AFI_IP) ? ("")
				: ((afi == AFI_IP6) ? ("ipv6 ")
				/* NOTE(review): third ternary alternative absent. */
				access->name, filter_type_str(mfilter));
			/* NOTE(review): the if/else selecting a writer is absent. */
			config_write_access_cisco(vty, mfilter);
			config_write_access_zebra(vty, mfilter);
	/* NOTE(review): closing braces and the return absent from this listing. */
/* CLI node for MAC access-lists; prompt is empty because the node has no
 * interactive sub-mode.  NOTE(review): the remaining initialiser fields
 * and the closing brace are absent from this listing. */
static struct cmd_node access_mac_node = {
	ACCESS_MAC_NODE, "", /* Access list has no interface. */
/* Config writer callback for access_mac_node: writes all L2VPN lists. */
static int config_write_access_mac(struct vty *vty)
{
	const afi_t afi = AFI_L2VPN;
	int written;

	written = config_write_access(vty, afi);
	return written;
}
/*
 * Drop every MAC (L2VPN) access-list, numbered-name and string-name alike.
 *
 * `next` is read before access_list_delete() because that call presumably
 * frees `access`, after which access->next may not be read.  The asserts
 * confirm that deleting every element also left both list heads/tails
 * reset, i.e. access_list_delete() unlinks as well as frees.
 *
 * NOTE(review): any NULL check on `master` and the braces are absent from
 * this listing.
 */
static void access_list_reset_mac(void)
	struct access_list *access;
	struct access_list *next;
	struct access_master *master;

	master = access_master_get(AFI_L2VPN);
	/* NOTE(review): any guard on a NULL master is absent from this listing. */

	for (access = master->num.head; access; access = next) {
		next = access->next;
		access_list_delete(access);
	for (access = master->str.head; access; access = next) {
		next = access->next;
		access_list_delete(access);

	assert(master->num.head == NULL);
	assert(master->num.tail == NULL);

	assert(master->str.head == NULL);
	assert(master->str.tail == NULL);
/* Register the MAC access-list CLI node and its commands.  Order of
 * registration is kept identical to the original: node first, then the
 * show commands in ENABLE_NODE, then the configuration commands. */
static void access_list_init_mac(void)
{
#define INSTALL(node, cmd) install_element(node, &cmd)

	install_node(&access_mac_node, config_write_access_mac);

	INSTALL(ENABLE_NODE, show_mac_access_list_cmd);
	INSTALL(ENABLE_NODE, show_mac_access_list_name_cmd);

	/* Zebra access-list */
	INSTALL(CONFIG_NODE, mac_access_list_cmd);
	INSTALL(CONFIG_NODE, no_mac_access_list_cmd);
	INSTALL(CONFIG_NODE, mac_access_list_any_cmd);
	INSTALL(CONFIG_NODE, no_mac_access_list_any_cmd);

#undef INSTALL
}
/* Access-list node (IPv4).  NOTE(review): the remaining initialiser
 * fields and the closing brace are absent from this listing. */
static struct cmd_node access_node = {ACCESS_NODE,
				      "", /* Access list has no interface. */
/* Config writer callback for access_node: writes all IPv4 lists. */
static int config_write_access_ipv4(struct vty *vty)
{
	const afi_t afi = AFI_IP;
	int written;

	written = config_write_access(vty, afi);
	return written;
}
/*
 * Drop every IPv4 access-list, numbered-name and string-name alike.
 * Same shape as access_list_reset_mac(): `next` is saved before the
 * delete because access_list_delete() presumably frees the node, and the
 * asserts verify both lists are empty afterwards.
 *
 * NOTE(review): any NULL check on `master` and the braces are absent from
 * this listing.
 */
static void access_list_reset_ipv4(void)
	struct access_list *access;
	struct access_list *next;
	struct access_master *master;

	master = access_master_get(AFI_IP);
	/* NOTE(review): any guard on a NULL master is absent from this listing. */

	for (access = master->num.head; access; access = next) {
		next = access->next;
		access_list_delete(access);
	for (access = master->str.head; access; access = next) {
		next = access->next;
		access_list_delete(access);

	assert(master->num.head == NULL);
	assert(master->num.tail == NULL);

	assert(master->str.head == NULL);
	assert(master->str.tail == NULL);
/* Register the IPv4 access-list CLI node and every IPv4 command: zebra
 * style, Cisco standard, Cisco extended, remark and whole-list removal.
 * Registration order is unchanged from the original. */
static void access_list_init_ipv4(void)
{
#define INSTALL(node, cmd) install_element(node, &cmd)

	install_node(&access_node, config_write_access_ipv4);

	INSTALL(ENABLE_NODE, show_ip_access_list_cmd);
	INSTALL(ENABLE_NODE, show_ip_access_list_name_cmd);

	/* Zebra access-list */
	INSTALL(CONFIG_NODE, access_list_exact_cmd);
	INSTALL(CONFIG_NODE, access_list_any_cmd);
	INSTALL(CONFIG_NODE, no_access_list_exact_cmd);
	INSTALL(CONFIG_NODE, no_access_list_any_cmd);

	/* Standard access-list */
	INSTALL(CONFIG_NODE, access_list_standard_cmd);
	INSTALL(CONFIG_NODE, access_list_standard_nomask_cmd);
	INSTALL(CONFIG_NODE, access_list_standard_host_cmd);
	INSTALL(CONFIG_NODE, access_list_standard_any_cmd);
	INSTALL(CONFIG_NODE, no_access_list_standard_cmd);
	INSTALL(CONFIG_NODE, no_access_list_standard_nomask_cmd);
	INSTALL(CONFIG_NODE, no_access_list_standard_host_cmd);
	INSTALL(CONFIG_NODE, no_access_list_standard_any_cmd);

	/* Extended access-list */
	INSTALL(CONFIG_NODE, access_list_extended_cmd);
	INSTALL(CONFIG_NODE, access_list_extended_any_mask_cmd);
	INSTALL(CONFIG_NODE, access_list_extended_mask_any_cmd);
	INSTALL(CONFIG_NODE, access_list_extended_any_any_cmd);
	INSTALL(CONFIG_NODE, access_list_extended_host_mask_cmd);
	INSTALL(CONFIG_NODE, access_list_extended_mask_host_cmd);
	INSTALL(CONFIG_NODE, access_list_extended_host_host_cmd);
	INSTALL(CONFIG_NODE, access_list_extended_any_host_cmd);
	INSTALL(CONFIG_NODE, access_list_extended_host_any_cmd);
	INSTALL(CONFIG_NODE, no_access_list_extended_cmd);
	INSTALL(CONFIG_NODE, no_access_list_extended_any_mask_cmd);
	INSTALL(CONFIG_NODE, no_access_list_extended_mask_any_cmd);
	INSTALL(CONFIG_NODE, no_access_list_extended_any_any_cmd);
	INSTALL(CONFIG_NODE, no_access_list_extended_host_mask_cmd);
	INSTALL(CONFIG_NODE, no_access_list_extended_mask_host_cmd);
	INSTALL(CONFIG_NODE, no_access_list_extended_host_host_cmd);
	INSTALL(CONFIG_NODE, no_access_list_extended_any_host_cmd);
	INSTALL(CONFIG_NODE, no_access_list_extended_host_any_cmd);

	/* Remark and whole-list removal */
	INSTALL(CONFIG_NODE, access_list_remark_cmd);
	INSTALL(CONFIG_NODE, no_access_list_all_cmd);
	INSTALL(CONFIG_NODE, no_access_list_remark_cmd);
	INSTALL(CONFIG_NODE, no_access_list_remark_comment_cmd);

#undef INSTALL
}
/* Access-list node (IPv6); positional initialiser, no prompt because the
 * node has no interactive sub-mode. */
static struct cmd_node access_ipv6_node = {ACCESS_IPV6_NODE, "", 1};
/* Config writer callback for access_ipv6_node: writes all IPv6 lists. */
static int config_write_access_ipv6(struct vty *vty)
{
	const afi_t afi = AFI_IP6;
	int written;

	written = config_write_access(vty, afi);
	return written;
}
/*
 * Drop every IPv6 access-list, numbered-name and string-name alike.
 * Same shape as the IPv4/MAC variants: `next` is saved before the delete
 * because access_list_delete() presumably frees the node, and the asserts
 * verify both lists are empty afterwards.
 *
 * NOTE(review): any NULL check on `master` and the braces are absent from
 * this listing.
 */
static void access_list_reset_ipv6(void)
	struct access_list *access;
	struct access_list *next;
	struct access_master *master;

	master = access_master_get(AFI_IP6);
	/* NOTE(review): any guard on a NULL master is absent from this listing. */

	for (access = master->num.head; access; access = next) {
		next = access->next;
		access_list_delete(access);
	for (access = master->str.head; access; access = next) {
		next = access->next;
		access_list_delete(access);

	assert(master->num.head == NULL);
	assert(master->num.tail == NULL);

	assert(master->str.head == NULL);
	assert(master->str.tail == NULL);
/* Register the IPv6 access-list CLI node and its commands.  Registration
 * order is unchanged from the original. */
static void access_list_init_ipv6(void)
{
#define INSTALL(node, cmd) install_element(node, &cmd)

	install_node(&access_ipv6_node, config_write_access_ipv6);

	INSTALL(ENABLE_NODE, show_ipv6_access_list_cmd);
	INSTALL(ENABLE_NODE, show_ipv6_access_list_name_cmd);

	/* Zebra access-list */
	INSTALL(CONFIG_NODE, ipv6_access_list_exact_cmd);
	INSTALL(CONFIG_NODE, ipv6_access_list_any_cmd);
	INSTALL(CONFIG_NODE, no_ipv6_access_list_exact_cmd);
	INSTALL(CONFIG_NODE, no_ipv6_access_list_any_cmd);

	/* Remark and whole-list removal */
	INSTALL(CONFIG_NODE, no_ipv6_access_list_all_cmd);
	INSTALL(CONFIG_NODE, ipv6_access_list_remark_cmd);
	INSTALL(CONFIG_NODE, no_ipv6_access_list_remark_cmd);
	INSTALL(CONFIG_NODE, no_ipv6_access_list_remark_comment_cmd);

#undef INSTALL
}
/* Public entry point: register access-list CLI for every supported AFI.
 * The per-AFI initialisers run in the same order as before (IPv4, IPv6,
 * MAC). */
void access_list_init(void)
{
	void (*const init_fns[])(void) = {
		access_list_init_ipv4,
		access_list_init_ipv6,
		access_list_init_mac,
	};
	unsigned i;

	for (i = 0; i < sizeof(init_fns) / sizeof(init_fns[0]); i++)
		init_fns[i]();
}
/* Public entry point: delete every access-list of every supported AFI.
 * The per-AFI reset functions run in the same order as before (IPv4,
 * IPv6, MAC). */
void access_list_reset(void)
{
	void (*const reset_fns[])(void) = {
		access_list_reset_ipv4,
		access_list_reset_ipv6,
		access_list_reset_mac,
	};
	unsigned i;

	for (i = 0; i < sizeof(reset_fns) / sizeof(reset_fns[0]); i++)
		reset_fns[i]();
}