1 /* Route filtering function.
2 * Copyright (C) 1998, 1999 Kunihiro Ishiguro
4 * This file is part of GNU Zebra.
6 * GNU Zebra is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published
8 * by the Free Software Foundation; either version 2, or (at your
9 * option) any later version.
11 * GNU Zebra is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * General Public License for more details.
16 * You should have received a copy of the GNU General Public License along
17 * with this program; see the file COPYING; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
27 #include "sockunion.h"
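/*
 * Memory-type tags used by the allocators in this file: access_list objects
 * (access_list_new), their name strings (XSTRDUP in access_list_insert) and
 * individual filter entries (filter_new).
 */
DEFINE_MTYPE_STATIC(LIB, ACCESS_LIST, "Access List")
DEFINE_MTYPE_STATIC(LIB, ACCESS_LIST_STR, "Access List Str")
DEFINE_MTYPE_STATIC(LIB, ACCESS_FILTER, "Access Filter")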
38 /* Cisco access-list */
41 struct in_addr addr_mask
;
43 struct in_addr mask_mask
;
47 /* If this filter is "exact" match then this flag is set. */
50 /* Prefix information. */
54 /* Filter element of access list */
56 /* For doubly linked list. */
60 /* Filter type information. */
61 enum filter_type type
;
66 /* Cisco access-list */
70 struct filter_cisco cfilter
;
71 struct filter_zebra zfilter
;
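/* Head and tail pointers of one chain of access_list objects. */
struct access_list_list {
	struct access_list *head;
	struct access_list *tail;
};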
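/* Per-address-family registry of access lists plus change callbacks. */
struct access_master {
	/* Lists whose name consists only of digits. */
	struct access_list_list num;

	/* Lists with any other name. */
	struct access_list_list str;

	/*
	 * Callback for additions. When non-NULL, access_list_filter_add()
	 * invokes it with the list that changed.
	 */
	void (*add_hook)(struct access_list *);

	/*
	 * Callback for deletions. When non-NULL, access_list_filter_delete()
	 * invokes it with the list that changed.
	 */
	void (*delete_hook)(struct access_list *);
};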
96 /* Static structure for mac access_list's master. */
97 static struct access_master access_master_mac
= {
104 /* Static structure for IPv4 access_list's master. */
105 static struct access_master access_master_ipv4
= {
112 /* Static structure for IPv6 access_list's master. */
113 static struct access_master access_master_ipv6
= {
/*
 * Select the static access_master for an address family. The visible branches
 * return the IPv6 master for AFI_IP6 and the MAC master for AFI_L2VPN; the
 * condition guarding the IPv4 return and whatever follows the last branch are
 * not shown in this listing.
 * NOTE(review): callers in this file go on to use master->num / master->str,
 * so confirm what is returned for any other afi and that each caller checks
 * the result before dereferencing it.
 */
120 static struct access_master
*access_master_get(afi_t afi
)
123 return &access_master_ipv4
;
124 else if (afi
== AFI_IP6
)
125 return &access_master_ipv6
;
126 else if (afi
== AFI_L2VPN
)
127 return &access_master_mac
;
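/*
 * Allocate one zero-filled filter entry, tagged MTYPE_ACCESS_FILTER for
 * memory accounting. Release it with filter_free().
 */
static struct filter *filter_new(void)
{
	return XCALLOC(MTYPE_ACCESS_FILTER, sizeof(struct filter));
}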
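/*
 * Release a filter entry obtained from filter_new(). The entry should already
 * be unlinked from its access_list; the caller must not use the pointer
 * afterwards.
 */
static void filter_free(struct filter *filter)
{
	XFREE(MTYPE_ACCESS_FILTER, filter);
}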
142 /* Return string of filter_type. */
143 static const char *filter_type_str(struct filter
*filter
)
145 switch (filter
->type
) {
161 /* If filter match to the prefix then return 1. */
/*
 * Cisco-style match of prefix P against one filter entry (mfilter->u.cfilter).
 * Bits set in addr_mask / mask_mask act as wildcard bits: they are cleared
 * from the candidate value before the 4-byte comparison with the stored
 * addr / mask (filter_set_cisco() stores those with the same bits cleared).
 * Extended entries additionally compare the prefix length, which masklen2ip()
 * presumably turns into a netmask first.
 * NOTE(review): p->u.prefix4 is read with no address-family test visible in
 * this function; confirm the caller only passes IPv4 prefixes here, otherwise
 * the permit/deny decision is made on bytes that are not an IPv4 address.
 */
162 static int filter_match_cisco(struct filter
*mfilter
, const struct prefix
*p
)
164 struct filter_cisco
*filter
;
169 filter
= &mfilter
->u
.cfilter
;
170 check_addr
= p
->u
.prefix4
.s_addr
& ~filter
->addr_mask
.s_addr
;
172 if (filter
->extended
) {
173 masklen2ip(p
->prefixlen
, &mask
);
174 check_mask
= mask
.s_addr
& ~filter
->mask_mask
.s_addr
;
176 if (memcmp(&check_addr
, &filter
->addr
.s_addr
, 4) == 0
177 && memcmp(&check_mask
, &filter
->mask
.s_addr
, 4) == 0)
179 } else if (memcmp(&check_addr
, &filter
->addr
.s_addr
, 4) == 0)
185 /* If filter match to the prefix then return 1. */
186 static int filter_match_zebra(struct filter
*mfilter
, const struct prefix
*p
)
188 struct filter_zebra
*filter
= NULL
;
190 filter
= &mfilter
->u
.zfilter
;
192 if (filter
->prefix
.family
== p
->family
) {
194 if (filter
->prefix
.prefixlen
== p
->prefixlen
)
195 return prefix_match(&filter
->prefix
, p
);
199 return prefix_match(&filter
->prefix
, p
);
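/*
 * Allocate one zero-filled access_list object, tagged MTYPE_ACCESS_LIST.
 * The caller fills in name, master and type (see access_list_insert()).
 */
static struct access_list *access_list_new(void)
{
	return XCALLOC(MTYPE_ACCESS_LIST, sizeof(struct access_list));
}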
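/*
 * Release the access_list object itself. The name and remark strings are
 * freed separately by access_list_delete() before it calls this, so calling
 * it directly on a populated list would leak them.
 */
static void access_list_free(struct access_list *access)
{
	XFREE(MTYPE_ACCESS_LIST, access);
}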
216 /* Delete access_list from access_master and free it. */
217 static void access_list_delete(struct access_list
*access
)
219 struct filter
*filter
;
221 struct access_list_list
*list
;
222 struct access_master
*master
;
224 for (filter
= access
->head
; filter
; filter
= next
) {
229 master
= access
->master
;
231 if (access
->type
== ACCESS_TYPE_NUMBER
)
237 access
->next
->prev
= access
->prev
;
239 list
->tail
= access
->prev
;
242 access
->prev
->next
= access
->next
;
244 list
->head
= access
->next
;
246 XFREE(MTYPE_ACCESS_LIST_STR
, access
->name
);
248 XFREE(MTYPE_TMP
, access
->remark
);
250 access_list_free(access
);
253 /* Insert a new access list into the list of access_lists. The
254 access_lists are kept sorted by name. */
/*
 * Create an access_list called NAME for AFI and link it into the owning
 * master, keeping the chain sorted. A name made only of digits is typed
 * ACCESS_TYPE_NUMBER and placed in master->num, ordered by comparing
 * atol(point->name) with the parsed number; any other name is typed
 * ACCESS_TYPE_STRING and placed in master->str in strcmp() order. NAME is
 * copied with XSTRDUP, so the caller keeps ownership of its string.
 * NOTE(review): `number` is accumulated as number * 10 + digit with no bound
 * visible here, and existing names are re-parsed with atol(); a very long
 * all-digit name could overflow both and end up at the wrong position.
 * Confirm the command grammar limits the length or range of numeric names.
 * NOTE(review): master comes from access_master_get(afi) and is dereferenced
 * below; the listing does not show a NULL check in between - confirm one
 * exists.
 */
255 static struct access_list
*access_list_insert(afi_t afi
, const char *name
)
259 struct access_list
*access
;
260 struct access_list
*point
;
261 struct access_list_list
*alist
;
262 struct access_master
*master
;
264 master
= access_master_get(afi
);
268 /* Allocate new access_list and copy given name. */
269 access
= access_list_new();
270 access
->name
= XSTRDUP(MTYPE_ACCESS_LIST_STR
, name
);
271 access
->master
= master
;
273 /* If name is made by all digit character. We treat it as
275 for (number
= 0, i
= 0; i
< strlen(name
); i
++) {
276 if (isdigit((unsigned char)name
[i
]))
277 number
= (number
* 10) + (name
[i
] - '0');
282 /* In case of name is all digit character */
283 if (i
== strlen(name
)) {
284 access
->type
= ACCESS_TYPE_NUMBER
;
286 /* Set access_list to number list. */
287 alist
= &master
->num
;
289 for (point
= alist
->head
; point
; point
= point
->next
)
290 if (atol(point
->name
) >= number
)
293 access
->type
= ACCESS_TYPE_STRING
;
295 /* Set access_list to string list. */
296 alist
= &master
->str
;
298 /* Set point to insertion point. */
299 for (point
= alist
->head
; point
; point
= point
->next
)
300 if (strcmp(point
->name
, name
) >= 0)
304 /* In case of this is the first element of master. */
305 if (alist
->head
== NULL
) {
306 alist
->head
= alist
->tail
= access
;
310 /* In case of insertion is made at the tail of access_list. */
312 access
->prev
= alist
->tail
;
313 alist
->tail
->next
= access
;
314 alist
->tail
= access
;
318 /* In case of insertion is made at the head of access_list. */
319 if (point
== alist
->head
) {
320 access
->next
= alist
->head
;
321 alist
->head
->prev
= access
;
322 alist
->head
= access
;
326 /* Insertion is made at middle of the access_list. */
327 access
->next
= point
;
328 access
->prev
= point
->prev
;
331 point
->prev
->next
= access
;
332 point
->prev
= access
;
337 /* Lookup access_list from list of access_list by name. */
338 struct access_list
*access_list_lookup(afi_t afi
, const char *name
)
340 struct access_list
*access
;
341 struct access_master
*master
;
346 master
= access_master_get(afi
);
350 for (access
= master
->num
.head
; access
; access
= access
->next
)
351 if (strcmp(access
->name
, name
) == 0)
354 for (access
= master
->str
.head
; access
; access
= access
->next
)
355 if (strcmp(access
->name
, name
) == 0)
361 /* Get access list from list of access_list. If there isn't matched
362 access_list create new one and return it. */
363 static struct access_list
*access_list_get(afi_t afi
, const char *name
)
365 struct access_list
*access
;
367 access
= access_list_lookup(afi
, name
);
369 access
= access_list_insert(afi
, name
);
373 /* Apply access list to object (which should be struct prefix *). */
374 enum filter_type
access_list_apply(struct access_list
*access
,
377 struct filter
*filter
;
378 const struct prefix
*p
= (const struct prefix
*)object
;
383 for (filter
= access
->head
; filter
; filter
= filter
->next
) {
385 if (filter_match_cisco(filter
, p
))
388 if (filter_match_zebra(filter
, p
))
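/*
 * Register FUNC as the add callback on all three access-list masters (IPv4,
 * IPv6 and MAC). A later call replaces the earlier callback; passing NULL
 * disables it, because the hook is only invoked when the pointer is non-NULL.
 */
void access_list_add_hook(void (*func)(struct access_list *access))
{
	access_master_ipv4.add_hook = func;
	access_master_ipv6.add_hook = func;
	access_master_mac.add_hook = func;
}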
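/*
 * Register FUNC as the delete callback on all three access-list masters
 * (IPv4, IPv6 and MAC). A later call replaces the earlier callback; passing
 * NULL disables it, because the hook is only invoked when the pointer is
 * non-NULL.
 */
void access_list_delete_hook(void (*func)(struct access_list *access))
{
	access_master_ipv4.delete_hook = func;
	access_master_ipv6.delete_hook = func;
	access_master_mac.delete_hook = func;
}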
412 /* Calculate new sequential number. */
/*
 * Pick the sequence number for an entry added without an explicit one: take
 * the largest seq currently in ACCESS, round it down to a multiple of 5 and
 * add 5, then cap the result at UINT_MAX.
 * NOTE(review): once the cap is reached every further automatic entry is also
 * given UINT_MAX, and access_list_filter_add() appears to remove an existing
 * entry with the same seq before inserting - so at the top of the range an
 * append would silently replace the last rule. Rejecting the request may be
 * safer; confirm the intended behaviour.
 */
413 static int64_t filter_new_seq_get(struct access_list
*access
)
417 struct filter
*filter
;
421 for (filter
= access
->head
; filter
; filter
= filter
->next
) {
422 if (maxseq
< filter
->seq
)
423 maxseq
= filter
->seq
;
426 newseq
= ((maxseq
/ 5) * 5) + 5;
428 return (newseq
> UINT_MAX
) ? UINT_MAX
: newseq
;
431 /* Return access list entry which has same seq number. */
432 static struct filter
*filter_seq_check(struct access_list
*access
,
435 struct filter
*filter
;
437 for (filter
= access
->head
; filter
; filter
= filter
->next
)
438 if (filter
->seq
== seq
)
443 /* If access_list has no filter then return 1. */
444 static int access_list_empty(struct access_list
*access
)
446 if (access
->head
== NULL
&& access
->tail
== NULL
)
452 /* Delete filter from specified access_list. If there is hook
453 function execute it. */
/*
 * Unlink FILTER from ACCESS's doubly linked chain, notify route-map
 * dependencies and the master's delete_hook (when set), and, if that was the
 * last entry, delete ACCESS itself through access_list_delete().
 * NOTE(review): because the final step can free ACCESS, every caller has to
 * treat the access pointer as dead once this returns; the replace path in
 * access_list_filter_add() is the case to check. Whether FILTER itself is
 * freed here is on lines not shown in this listing.
 */
454 static void access_list_filter_delete(struct access_list
*access
,
455 struct filter
*filter
)
457 struct access_master
*master
;
459 master
= access
->master
;
462 filter
->next
->prev
= filter
->prev
;
464 access
->tail
= filter
->prev
;
467 filter
->prev
->next
= filter
->next
;
469 access
->head
= filter
->next
;
473 route_map_notify_dependencies(access
->name
, RMAP_EVENT_FILTER_DELETED
);
474 /* Run hook function. */
475 if (master
->delete_hook
)
476 (*master
->delete_hook
)(access
);
478 /* If access_list becomes empty delete it from access_master. */
479 if (access_list_empty(access
))
480 access_list_delete(access
);
483 /* Add new filter to the end of specified access_list. */
/*
 * Link FILTER into ACCESS in ascending seq order. A seq of -1 requests an
 * automatically assigned number. When the new seq is not beyond the current
 * tail, an existing entry with the same seq is looked up and removed, and the
 * insertion point is found with a forward scan. Afterwards the master's
 * add_hook (when set) and the route-map dependency notification run.
 * NOTE(review): the replacement goes through access_list_filter_delete(),
 * which calls access_list_delete(access) when the list becomes empty. If the
 * replaced entry was the only one, ACCESS would be freed and then used by the
 * code below (access->head, access->tail, access->master, access->name).
 * Confirm against the full source; if so, unlink the old entry without the
 * empty-list teardown.
 */
484 static void access_list_filter_add(struct access_list
*access
,
485 struct filter
*filter
)
487 struct filter
*replace
;
488 struct filter
*point
;
490 /* Automatic assignment of seq no. */
491 if (filter
->seq
== -1)
492 filter
->seq
= filter_new_seq_get(access
);
494 if (access
->tail
&& filter
->seq
> access
->tail
->seq
)
497 /* Is there any same seq access list filter? */
498 replace
= filter_seq_check(access
, filter
->seq
);
500 access_list_filter_delete(access
, replace
);
502 /* Check insert point. */
503 for (point
= access
->head
; point
; point
= point
->next
)
504 if (point
->seq
>= filter
->seq
)
508 /* In case of this is the first element of the list. */
509 filter
->next
= point
;
513 point
->prev
->next
= filter
;
515 access
->head
= filter
;
517 filter
->prev
= point
->prev
;
518 point
->prev
= filter
;
521 access
->tail
->next
= filter
;
523 access
->head
= filter
;
525 filter
->prev
= access
->tail
;
526 access
->tail
= filter
;
529 /* Run hook function. */
530 if (access
->master
->add_hook
)
531 (*access
->master
->add_hook
)(access
);
532 route_map_notify_dependencies(access
->name
, RMAP_EVENT_FILTER_ADDED
);
536 deny Specify packets to reject
537 permit Specify packets to forward
542 Hostname or A.B.C.D Address to match
544 host A single host address
547 static struct filter
*filter_lookup_cisco(struct access_list
*access
,
550 struct filter
*mfilter
;
551 struct filter_cisco
*filter
;
552 struct filter_cisco
*new;
554 new = &mnew
->u
.cfilter
;
556 for (mfilter
= access
->head
; mfilter
; mfilter
= mfilter
->next
) {
557 filter
= &mfilter
->u
.cfilter
;
559 if (filter
->extended
) {
560 if (mfilter
->type
== mnew
->type
561 && filter
->addr
.s_addr
== new->addr
.s_addr
562 && filter
->addr_mask
.s_addr
== new->addr_mask
.s_addr
563 && filter
->mask
.s_addr
== new->mask
.s_addr
564 && filter
->mask_mask
.s_addr
565 == new->mask_mask
.s_addr
)
568 if (mfilter
->type
== mnew
->type
569 && filter
->addr
.s_addr
== new->addr
.s_addr
570 && filter
->addr_mask
.s_addr
571 == new->addr_mask
.s_addr
)
579 static struct filter
*filter_lookup_zebra(struct access_list
*access
,
582 struct filter
*mfilter
;
583 struct filter_zebra
*filter
;
584 struct filter_zebra
*new;
586 new = &mnew
->u
.zfilter
;
588 for (mfilter
= access
->head
; mfilter
; mfilter
= mfilter
->next
) {
589 filter
= &mfilter
->u
.zfilter
;
591 if (filter
->exact
== new->exact
592 && mfilter
->type
== mnew
->type
) {
593 if (prefix_same(&filter
->prefix
, &new->prefix
))
600 static int vty_access_list_remark_unset(struct vty
*vty
, afi_t afi
,
603 struct access_list
*access
;
605 access
= access_list_lookup(afi
, name
);
607 vty_out(vty
, "%% access-list %s doesn't exist\n", name
);
608 return CMD_WARNING_CONFIG_FAILED
;
611 if (access
->remark
) {
612 XFREE(MTYPE_TMP
, access
->remark
);
613 access
->remark
= NULL
;
616 if (access
->head
== NULL
&& access
->tail
== NULL
)
617 access_list_delete(access
);
/*
 * Back end of the Cisco-style access-list commands: parse the permit/deny
 * keyword and the dotted-quad address / wildcard strings, build a filter and
 * either install it or remove the matching entry from the AFI_IP access-list
 * NAME_STR (judging by the callers, SET is 1 for "access-list ..." and 0 for
 * "no access-list ..."). Prints a message and returns
 * CMD_WARNING_CONFIG_FAILED when the type or an address does not parse.
 * The stored addr and mask have their wildcard bits cleared
 * (value & ~wildcard), which is the form filter_match_cisco() compares with.
 * NOTE(review): the type test is strncmp(type_str, "p" / "d", 1), so only the
 * first character is checked; this relies on the command grammar offering
 * nothing but deny|permit.
 * NOTE(review): seq is converted with atol(). The grammar allows values up to
 * 4294967295, which does not fit a 32-bit long; strtoull() with errno and
 * end-pointer checks would not depend on the platform's long. The seq token
 * is optional in the grammar - confirm the conversion is guarded for a
 * missing seq.
 * NOTE(review): the standard-list callers pass NULL for mask_str and
 * mask_mask_str; the guard around those two inet_aton() calls is not visible
 * in this listing - confirm they only run for extended entries.
 * NOTE(review): access_list_get() creates the list when it does not exist,
 * and it is called ahead of both the install and the removal code; check
 * that a removal request for an unknown list does not leave an empty list
 * behind.
 */
622 static int filter_set_cisco(struct vty
*vty
, const char *name_str
,
623 const char *seq
, const char *type_str
,
624 const char *addr_str
, const char *addr_mask_str
,
625 const char *mask_str
, const char *mask_mask_str
,
626 int extended
, int set
)
629 enum filter_type type
= FILTER_DENY
;
630 struct filter
*mfilter
;
631 struct filter_cisco
*filter
;
632 struct access_list
*access
;
634 struct in_addr addr_mask
;
636 struct in_addr mask_mask
;
640 seqnum
= (int64_t)atol(seq
);
642 /* Check of filter type. */
644 if (strncmp(type_str
, "p", 1) == 0)
645 type
= FILTER_PERMIT
;
646 else if (strncmp(type_str
, "d", 1) == 0)
649 vty_out(vty
, "%% filter type must be permit or deny\n");
650 return CMD_WARNING_CONFIG_FAILED
;
654 ret
= inet_aton(addr_str
, &addr
);
656 vty_out(vty
, "%%Inconsistent address and mask\n");
657 return CMD_WARNING_CONFIG_FAILED
;
660 ret
= inet_aton(addr_mask_str
, &addr_mask
);
662 vty_out(vty
, "%%Inconsistent address and mask\n");
663 return CMD_WARNING_CONFIG_FAILED
;
667 ret
= inet_aton(mask_str
, &mask
);
669 vty_out(vty
, "%%Inconsistent address and mask\n");
670 return CMD_WARNING_CONFIG_FAILED
;
673 ret
= inet_aton(mask_mask_str
, &mask_mask
);
675 vty_out(vty
, "%%Inconsistent address and mask\n");
676 return CMD_WARNING_CONFIG_FAILED
;
680 mfilter
= filter_new();
681 mfilter
->type
= type
;
683 mfilter
->seq
= seqnum
;
684 filter
= &mfilter
->u
.cfilter
;
685 filter
->extended
= extended
;
686 filter
->addr
.s_addr
= addr
.s_addr
& ~addr_mask
.s_addr
;
687 filter
->addr_mask
.s_addr
= addr_mask
.s_addr
;
690 filter
->mask
.s_addr
= mask
.s_addr
& ~mask_mask
.s_addr
;
691 filter
->mask_mask
.s_addr
= mask_mask
.s_addr
;
694 /* Install new filter to the access_list. */
695 access
= access_list_get(AFI_IP
, name_str
);
698 if (filter_lookup_cisco(access
, mfilter
))
699 filter_free(mfilter
);
701 access_list_filter_add(access
, mfilter
);
703 struct filter
*delete_filter
;
705 delete_filter
= filter_lookup_cisco(access
, mfilter
);
707 access_list_filter_delete(access
, delete_filter
);
709 filter_free(mfilter
);
715 /* Standard access-list */
716 DEFUN (access_list_standard
,
717 access_list_standard_cmd
,
718 "access-list <(1-99)|(1300-1999)> [seq (1-4294967295)] <deny|permit> A.B.C.D A.B.C.D",
719 "Add an access list entry\n"
720 "IP standard access list\n"
721 "IP standard access list (expanded range)\n"
722 "Sequence number of an entry\n"
724 "Specify packets to reject\n"
725 "Specify packets to forward\n"
732 char *permit_deny
= NULL
;
733 char *address
= NULL
;
734 char *wildcard
= NULL
;
736 argv_find(argv
, argc
, "(1-4294967295)", &idx
);
738 seq
= argv
[idx
]->arg
;
741 argv_find(argv
, argc
, "permit", &idx
);
742 argv_find(argv
, argc
, "deny", &idx
);
744 permit_deny
= argv
[idx
]->arg
;
747 argv_find(argv
, argc
, "A.B.C.D", &idx
);
749 address
= argv
[idx
]->arg
;
750 wildcard
= argv
[idx
+ 1]->arg
;
753 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
, seq
, permit_deny
,
754 address
, wildcard
, NULL
, NULL
, 0, 1);
757 DEFUN (access_list_standard_nomask
,
758 access_list_standard_nomask_cmd
,
759 "access-list <(1-99)|(1300-1999)> [seq (1-4294967295)] <deny|permit> A.B.C.D",
760 "Add an access list entry\n"
761 "IP standard access list\n"
762 "IP standard access list (expanded range)\n"
763 "Sequence number of an entry\n"
765 "Specify packets to reject\n"
766 "Specify packets to forward\n"
767 "Address to match\n")
772 char *permit_deny
= NULL
;
773 char *address
= NULL
;
775 argv_find(argv
, argc
, "(1-4294967295)", &idx
);
777 seq
= argv
[idx
]->arg
;
780 argv_find(argv
, argc
, "permit", &idx
);
781 argv_find(argv
, argc
, "deny", &idx
);
783 permit_deny
= argv
[idx
]->arg
;
786 argv_find(argv
, argc
, "A.B.C.D", &idx
);
788 address
= argv
[idx
]->arg
;
790 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
, seq
, permit_deny
,
791 address
, "0.0.0.0", NULL
, NULL
, 0, 1);
794 DEFUN (access_list_standard_host
,
795 access_list_standard_host_cmd
,
796 "access-list <(1-99)|(1300-1999)> [seq (1-4294967295)] <deny|permit> host A.B.C.D",
797 "Add an access list entry\n"
798 "IP standard access list\n"
799 "IP standard access list (expanded range)\n"
800 "Sequence number of an entry\n"
802 "Specify packets to reject\n"
803 "Specify packets to forward\n"
804 "A single host address\n"
805 "Address to match\n")
810 char *permit_deny
= NULL
;
811 char *address
= NULL
;
813 argv_find(argv
, argc
, "(1-4294967295)", &idx
);
815 seq
= argv
[idx
]->arg
;
818 argv_find(argv
, argc
, "permit", &idx
);
819 argv_find(argv
, argc
, "deny", &idx
);
821 permit_deny
= argv
[idx
]->arg
;
824 argv_find(argv
, argc
, "A.B.C.D", &idx
);
826 address
= argv
[idx
]->arg
;
828 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
, seq
, permit_deny
,
829 address
, "0.0.0.0", NULL
, NULL
, 0, 1);
832 DEFUN (access_list_standard_any
,
833 access_list_standard_any_cmd
,
834 "access-list <(1-99)|(1300-1999)> [seq (1-4294967295)] <deny|permit> any",
835 "Add an access list entry\n"
836 "IP standard access list\n"
837 "IP standard access list (expanded range)\n"
838 "Sequence number of an entry\n"
840 "Specify packets to reject\n"
841 "Specify packets to forward\n"
847 char *permit_deny
= NULL
;
849 argv_find(argv
, argc
, "(1-4294967295)", &idx
);
851 seq
= argv
[idx
]->arg
;
854 argv_find(argv
, argc
, "permit", &idx
);
855 argv_find(argv
, argc
, "deny", &idx
);
857 permit_deny
= argv
[idx
]->arg
;
859 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
, seq
, permit_deny
,
860 "0.0.0.0", "255.255.255.255", NULL
, NULL
, 0, 1);
863 DEFUN (no_access_list_standard
,
864 no_access_list_standard_cmd
,
865 "no access-list <(1-99)|(1300-1999)> [seq (1-4294967295)] <deny|permit> A.B.C.D A.B.C.D",
867 "Add an access list entry\n"
868 "IP standard access list\n"
869 "IP standard access list (expanded range)\n"
870 "Sequence number of an entry\n"
872 "Specify packets to reject\n"
873 "Specify packets to forward\n"
880 char *permit_deny
= NULL
;
881 char *address
= NULL
;
882 char *wildcard
= NULL
;
884 argv_find(argv
, argc
, "(1-4294967295)", &idx
);
886 seq
= argv
[idx
]->arg
;
889 argv_find(argv
, argc
, "permit", &idx
);
890 argv_find(argv
, argc
, "deny", &idx
);
892 permit_deny
= argv
[idx
]->arg
;
895 argv_find(argv
, argc
, "A.B.C.D", &idx
);
897 address
= argv
[idx
]->arg
;
898 wildcard
= argv
[idx
+ 1]->arg
;
901 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
, seq
, permit_deny
,
902 address
, wildcard
, NULL
, NULL
, 0, 0);
905 DEFUN (no_access_list_standard_nomask
,
906 no_access_list_standard_nomask_cmd
,
907 "no access-list <(1-99)|(1300-1999)> [seq (1-4294967295)] <deny|permit> A.B.C.D",
909 "Add an access list entry\n"
910 "IP standard access list\n"
911 "IP standard access list (expanded range)\n"
912 "Sequence number of an entry\n"
914 "Specify packets to reject\n"
915 "Specify packets to forward\n"
916 "Address to match\n")
921 char *permit_deny
= NULL
;
922 char *address
= NULL
;
924 argv_find(argv
, argc
, "(1-4294967295)", &idx
);
926 seq
= argv
[idx
]->arg
;
929 argv_find(argv
, argc
, "permit", &idx
);
930 argv_find(argv
, argc
, "deny", &idx
);
932 permit_deny
= argv
[idx
]->arg
;
935 argv_find(argv
, argc
, "A.B.C.D", &idx
);
937 address
= argv
[idx
]->arg
;
939 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
, seq
, permit_deny
,
940 address
, "0.0.0.0", NULL
, NULL
, 0, 0);
943 DEFUN (no_access_list_standard_host
,
944 no_access_list_standard_host_cmd
,
945 "no access-list <(1-99)|(1300-1999)> [seq (1-4294967295)] <deny|permit> host A.B.C.D",
947 "Add an access list entry\n"
948 "IP standard access list\n"
949 "IP standard access list (expanded range)\n"
950 "Sequence number of an entry\n"
952 "Specify packets to reject\n"
953 "Specify packets to forward\n"
954 "A single host address\n"
955 "Address to match\n")
960 char *permit_deny
= NULL
;
961 char *address
= NULL
;
963 argv_find(argv
, argc
, "(1-4294967295)", &idx
);
965 seq
= argv
[idx
]->arg
;
968 argv_find(argv
, argc
, "permit", &idx
);
969 argv_find(argv
, argc
, "deny", &idx
);
971 permit_deny
= argv
[idx
]->arg
;
974 argv_find(argv
, argc
, "A.B.C.D", &idx
);
976 address
= argv
[idx
]->arg
;
978 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
, seq
, permit_deny
,
979 address
, "0.0.0.0", NULL
, NULL
, 0, 0);
982 DEFUN (no_access_list_standard_any
,
983 no_access_list_standard_any_cmd
,
984 "no access-list <(1-99)|(1300-1999)> [seq (1-4294967295)] <deny|permit> any",
986 "Add an access list entry\n"
987 "IP standard access list\n"
988 "IP standard access list (expanded range)\n"
989 "Sequence number of an entry\n"
991 "Specify packets to reject\n"
992 "Specify packets to forward\n"
998 char *permit_deny
= NULL
;
1000 argv_find(argv
, argc
, "(1-4294967295)", &idx
);
1002 seq
= argv
[idx
]->arg
;
1005 argv_find(argv
, argc
, "permit", &idx
);
1006 argv_find(argv
, argc
, "deny", &idx
);
1008 permit_deny
= argv
[idx
]->arg
;
1010 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
, seq
, permit_deny
,
1011 "0.0.0.0", "255.255.255.255", NULL
, NULL
, 0, 0);
1014 /* Extended access-list */
1015 DEFUN (access_list_extended
,
1016 access_list_extended_cmd
,
1017 "access-list <(100-199)|(2000-2699)> [seq (1-4294967295)] <deny|permit> ip A.B.C.D A.B.C.D A.B.C.D A.B.C.D",
1018 "Add an access list entry\n"
1019 "IP extended access list\n"
1020 "IP extended access list (expanded range)\n"
1021 "Sequence number of an entry\n"
1023 "Specify packets to reject\n"
1024 "Specify packets to forward\n"
1025 "Any Internet Protocol\n"
1027 "Source wildcard bits\n"
1028 "Destination address\n"
1029 "Destination Wildcard bits\n")
1034 char *permit_deny
= NULL
;
1037 char *src_wildcard
= NULL
;
1038 char *dst_wildcard
= NULL
;
1040 argv_find(argv
, argc
, "(1-4294967295)", &idx
);
1042 seq
= argv
[idx
]->arg
;
1045 argv_find(argv
, argc
, "permit", &idx
);
1046 argv_find(argv
, argc
, "deny", &idx
);
1048 permit_deny
= argv
[idx
]->arg
;
1051 argv_find(argv
, argc
, "A.B.C.D", &idx
);
1053 src
= argv
[idx
]->arg
;
1054 src_wildcard
= argv
[idx
+ 1]->arg
;
1055 dst
= argv
[idx
+ 2]->arg
;
1056 dst_wildcard
= argv
[idx
+ 3]->arg
;
1059 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
, seq
, permit_deny
, src
,
1060 src_wildcard
, dst
, dst_wildcard
, 1, 1);
1063 DEFUN (access_list_extended_mask_any
,
1064 access_list_extended_mask_any_cmd
,
1065 "access-list <(100-199)|(2000-2699)> [seq (1-4294967295)] <deny|permit> ip A.B.C.D A.B.C.D any",
1066 "Add an access list entry\n"
1067 "IP extended access list\n"
1068 "IP extended access list (expanded range)\n"
1069 "Sequence number of an entry\n"
1071 "Specify packets to reject\n"
1072 "Specify packets to forward\n"
1073 "Any Internet Protocol\n"
1075 "Source wildcard bits\n"
1076 "Any destination host\n")
1081 char *permit_deny
= NULL
;
1083 char *src_wildcard
= NULL
;
1085 argv_find(argv
, argc
, "(1-4294967295)", &idx
);
1087 seq
= argv
[idx
]->arg
;
1090 argv_find(argv
, argc
, "permit", &idx
);
1091 argv_find(argv
, argc
, "deny", &idx
);
1093 permit_deny
= argv
[idx
]->arg
;
1096 argv_find(argv
, argc
, "A.B.C.D", &idx
);
1098 src
= argv
[idx
]->arg
;
1099 src_wildcard
= argv
[idx
+ 1]->arg
;
1102 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
, seq
, permit_deny
, src
,
1103 src_wildcard
, "0.0.0.0", "255.255.255.255", 1,
1107 DEFUN (access_list_extended_any_mask
,
1108 access_list_extended_any_mask_cmd
,
1109 "access-list <(100-199)|(2000-2699)> [seq (1-4294967295)] <deny|permit> ip any A.B.C.D A.B.C.D",
1110 "Add an access list entry\n"
1111 "IP extended access list\n"
1112 "IP extended access list (expanded range)\n"
1113 "Sequence number of an entry\n"
1115 "Specify packets to reject\n"
1116 "Specify packets to forward\n"
1117 "Any Internet Protocol\n"
1119 "Destination address\n"
1120 "Destination Wildcard bits\n")
1125 char *permit_deny
= NULL
;
1127 char *dst_wildcard
= NULL
;
1129 argv_find(argv
, argc
, "(1-4294967295)", &idx
);
1131 seq
= argv
[idx
]->arg
;
1134 argv_find(argv
, argc
, "permit", &idx
);
1135 argv_find(argv
, argc
, "deny", &idx
);
1137 permit_deny
= argv
[idx
]->arg
;
1140 argv_find(argv
, argc
, "A.B.C.D", &idx
);
1142 dst
= argv
[idx
]->arg
;
1143 dst_wildcard
= argv
[idx
+ 1]->arg
;
1146 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
, seq
, permit_deny
,
1147 "0.0.0.0", "255.255.255.255", dst
, dst_wildcard
,
1151 DEFUN (access_list_extended_any_any
,
1152 access_list_extended_any_any_cmd
,
1153 "access-list <(100-199)|(2000-2699)> [seq (1-4294967295)] <deny|permit> ip any any",
1154 "Add an access list entry\n"
1155 "IP extended access list\n"
1156 "IP extended access list (expanded range)\n"
1157 "Sequence number of an entry\n"
1159 "Specify packets to reject\n"
1160 "Specify packets to forward\n"
1161 "Any Internet Protocol\n"
1163 "Any destination host\n")
1168 char *permit_deny
= NULL
;
1170 argv_find(argv
, argc
, "(1-4294967295)", &idx
);
1172 seq
= argv
[idx
]->arg
;
1175 argv_find(argv
, argc
, "permit", &idx
);
1176 argv_find(argv
, argc
, "deny", &idx
);
1178 permit_deny
= argv
[idx
]->arg
;
1180 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
, seq
, permit_deny
,
1181 "0.0.0.0", "255.255.255.255", "0.0.0.0",
1182 "255.255.255.255", 1, 1);
1185 DEFUN (access_list_extended_mask_host
,
1186 access_list_extended_mask_host_cmd
,
1187 "access-list <(100-199)|(2000-2699)> [seq (1-4294967295)] <deny|permit> ip A.B.C.D A.B.C.D host A.B.C.D",
1188 "Add an access list entry\n"
1189 "IP extended access list\n"
1190 "IP extended access list (expanded range)\n"
1191 "Sequence number of an entry\n"
1193 "Specify packets to reject\n"
1194 "Specify packets to forward\n"
1195 "Any Internet Protocol\n"
1197 "Source wildcard bits\n"
1198 "A single destination host\n"
1199 "Destination address\n")
1204 char *permit_deny
= NULL
;
1207 char *src_wildcard
= NULL
;
1209 argv_find(argv
, argc
, "(1-4294967295)", &idx
);
1211 seq
= argv
[idx
]->arg
;
1214 argv_find(argv
, argc
, "permit", &idx
);
1215 argv_find(argv
, argc
, "deny", &idx
);
1217 permit_deny
= argv
[idx
]->arg
;
1220 argv_find(argv
, argc
, "A.B.C.D", &idx
);
1222 src
= argv
[idx
]->arg
;
1223 src_wildcard
= argv
[idx
+ 1]->arg
;
1224 dst
= argv
[idx
+ 3]->arg
;
1227 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
, seq
, permit_deny
, src
,
1228 src_wildcard
, dst
, "0.0.0.0", 1, 1);
1231 DEFUN (access_list_extended_host_mask
,
1232 access_list_extended_host_mask_cmd
,
1233 "access-list <(100-199)|(2000-2699)> [seq (1-4294967295)] <deny|permit> ip host A.B.C.D A.B.C.D A.B.C.D",
1234 "Add an access list entry\n"
1235 "IP extended access list\n"
1236 "IP extended access list (expanded range)\n"
1237 "Sequence number of an entry\n"
1239 "Specify packets to reject\n"
1240 "Specify packets to forward\n"
1241 "Any Internet Protocol\n"
1242 "A single source host\n"
1244 "Destination address\n"
1245 "Destination Wildcard bits\n")
1250 char *permit_deny
= NULL
;
1253 char *dst_wildcard
= NULL
;
1255 argv_find(argv
, argc
, "(1-4294967295)", &idx
);
1257 seq
= argv
[idx
]->arg
;
1260 argv_find(argv
, argc
, "permit", &idx
);
1261 argv_find(argv
, argc
, "deny", &idx
);
1263 permit_deny
= argv
[idx
]->arg
;
1266 argv_find(argv
, argc
, "A.B.C.D", &idx
);
1268 src
= argv
[idx
]->arg
;
1269 dst
= argv
[idx
+ 1]->arg
;
1270 dst_wildcard
= argv
[idx
+ 2]->arg
;
1273 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
, seq
, permit_deny
, src
,
1274 "0.0.0.0", dst
, dst_wildcard
, 1, 1);
1277 DEFUN (access_list_extended_host_host
,
1278 access_list_extended_host_host_cmd
,
1279 "access-list <(100-199)|(2000-2699)> [seq (1-4294967295)] <deny|permit> ip host A.B.C.D host A.B.C.D",
1280 "Add an access list entry\n"
1281 "IP extended access list\n"
1282 "IP extended access list (expanded range)\n"
1283 "Sequence number of an entry\n"
1285 "Specify packets to reject\n"
1286 "Specify packets to forward\n"
1287 "Any Internet Protocol\n"
1288 "A single source host\n"
1290 "A single destination host\n"
1291 "Destination address\n")
1296 char *permit_deny
= NULL
;
1300 argv_find(argv
, argc
, "(1-4294967295)", &idx
);
1302 seq
= argv
[idx
]->arg
;
1305 argv_find(argv
, argc
, "permit", &idx
);
1306 argv_find(argv
, argc
, "deny", &idx
);
1308 permit_deny
= argv
[idx
]->arg
;
1311 argv_find(argv
, argc
, "A.B.C.D", &idx
);
1313 src
= argv
[idx
]->arg
;
1314 dst
= argv
[idx
+ 2]->arg
;
1317 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
, seq
, permit_deny
, src
,
1318 "0.0.0.0", dst
, "0.0.0.0", 1, 1);
1321 DEFUN (access_list_extended_any_host
,
1322 access_list_extended_any_host_cmd
,
1323 "access-list <(100-199)|(2000-2699)> [seq (1-4294967295)] <deny|permit> ip any host A.B.C.D",
1324 "Add an access list entry\n"
1325 "IP extended access list\n"
1326 "IP extended access list (expanded range)\n"
1327 "Sequence number of an entry\n"
1329 "Specify packets to reject\n"
1330 "Specify packets to forward\n"
1331 "Any Internet Protocol\n"
1333 "A single destination host\n"
1334 "Destination address\n")
1339 char *permit_deny
= NULL
;
1342 argv_find(argv
, argc
, "(1-4294967295)", &idx
);
1344 seq
= argv
[idx
]->arg
;
1347 argv_find(argv
, argc
, "permit", &idx
);
1348 argv_find(argv
, argc
, "deny", &idx
);
1350 permit_deny
= argv
[idx
]->arg
;
1353 argv_find(argv
, argc
, "A.B.C.D", &idx
);
1355 dst
= argv
[idx
]->arg
;
1357 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
, seq
, permit_deny
,
1358 "0.0.0.0", "255.255.255.255", dst
, "0.0.0.0", 1,
1362 DEFUN (access_list_extended_host_any
,
1363 access_list_extended_host_any_cmd
,
1364 "access-list <(100-199)|(2000-2699)> [seq (1-4294967295)] <deny|permit> ip host A.B.C.D any",
1365 "Add an access list entry\n"
1366 "IP extended access list\n"
1367 "IP extended access list (expanded range)\n"
1368 "Sequence number of an entry\n"
1370 "Specify packets to reject\n"
1371 "Specify packets to forward\n"
1372 "Any Internet Protocol\n"
1373 "A single source host\n"
1375 "Any destination host\n")
1380 char *permit_deny
= NULL
;
1383 argv_find(argv
, argc
, "(1-4294967295)", &idx
);
1385 seq
= argv
[idx
]->arg
;
1388 argv_find(argv
, argc
, "permit", &idx
);
1389 argv_find(argv
, argc
, "deny", &idx
);
1391 permit_deny
= argv
[idx
]->arg
;
1394 argv_find(argv
, argc
, "A.B.C.D", &idx
);
1396 src
= argv
[idx
]->arg
;
1398 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
, seq
, permit_deny
, src
,
1399 "0.0.0.0", "0.0.0.0", "255.255.255.255", 1, 1);
/* Remove an extended entry given with explicit source and destination
 * address/wildcard pairs.
 */
DEFUN (no_access_list_extended,
       no_access_list_extended_cmd,
       "no access-list <(100-199)|(2000-2699)> [seq (1-4294967295)] <deny|permit> ip A.B.C.D A.B.C.D A.B.C.D A.B.C.D",
       NO_STR
       "Add an access list entry\n"
       "IP extended access list\n"
       "IP extended access list (expanded range)\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Any Internet Protocol\n"
       "Source address\n"
       "Source wildcard bits\n"
       "Destination address\n"
       "Destination Wildcard bits\n")
{
	const int idx_acl = 2; /* "no" shifts the list number to argv[2] */
	char *seq = NULL;
	char *permit_deny = NULL;
	char *src = NULL;
	char *src_wildcard = NULL;
	char *dst = NULL;
	char *dst_wildcard = NULL;
	int idx;

	/* "seq N" is optional; seq stays NULL when it was not typed. */
	idx = 0;
	if (argv_find(argv, argc, "(1-4294967295)", &idx))
		seq = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "permit", &idx)
	    || argv_find(argv, argc, "deny", &idx))
		permit_deny = argv[idx]->arg;

	/* The four addresses are consecutive tokens; locate the first one. */
	idx = 0;
	if (argv_find(argv, argc, "A.B.C.D", &idx)) {
		src = argv[idx]->arg;
		src_wildcard = argv[idx + 1]->arg;
		dst = argv[idx + 2]->arg;
		dst_wildcard = argv[idx + 3]->arg;
	}

	/* Final 0 requests removal rather than insertion. */
	return filter_set_cisco(vty, argv[idx_acl]->arg, seq, permit_deny, src,
				src_wildcard, dst, dst_wildcard, 1, 0);
}
/* Remove an extended entry: source address with wildcard, any destination. */
DEFUN (no_access_list_extended_mask_any,
       no_access_list_extended_mask_any_cmd,
       "no access-list <(100-199)|(2000-2699)> [seq (1-4294967295)] <deny|permit> ip A.B.C.D A.B.C.D any",
       NO_STR
       "Add an access list entry\n"
       "IP extended access list\n"
       "IP extended access list (expanded range)\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Any Internet Protocol\n"
       "Source address\n"
       "Source wildcard bits\n"
       "Any destination host\n")
{
	const int idx_acl = 2;
	char *seq = NULL;
	char *permit_deny = NULL;
	char *src = NULL;
	char *src_wildcard = NULL;
	int idx;

	idx = 0;
	if (argv_find(argv, argc, "(1-4294967295)", &idx))
		seq = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "permit", &idx)
	    || argv_find(argv, argc, "deny", &idx))
		permit_deny = argv[idx]->arg;

	/* Source address is immediately followed by its wildcard. */
	idx = 0;
	if (argv_find(argv, argc, "A.B.C.D", &idx)) {
		src = argv[idx]->arg;
		src_wildcard = argv[idx + 1]->arg;
	}

	/* 0.0.0.0 / 255.255.255.255 encodes "any" destination; final 0 = remove. */
	return filter_set_cisco(vty, argv[idx_acl]->arg, seq, permit_deny, src,
				src_wildcard, "0.0.0.0", "255.255.255.255", 1,
				0);
}
/* Remove an extended entry: any source, destination address with wildcard. */
DEFUN (no_access_list_extended_any_mask,
       no_access_list_extended_any_mask_cmd,
       "no access-list <(100-199)|(2000-2699)> [seq (1-4294967295)] <deny|permit> ip any A.B.C.D A.B.C.D",
       NO_STR
       "Add an access list entry\n"
       "IP extended access list\n"
       "IP extended access list (expanded range)\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Any Internet Protocol\n"
       "Any source host\n"
       "Destination address\n"
       "Destination Wildcard bits\n")
{
	const int idx_acl = 2;
	char *seq = NULL;
	char *permit_deny = NULL;
	char *dst = NULL;
	char *dst_wildcard = NULL;
	int idx;

	idx = 0;
	if (argv_find(argv, argc, "(1-4294967295)", &idx))
		seq = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "permit", &idx)
	    || argv_find(argv, argc, "deny", &idx))
		permit_deny = argv[idx]->arg;

	/* First A.B.C.D is the destination, the next token its wildcard. */
	idx = 0;
	if (argv_find(argv, argc, "A.B.C.D", &idx)) {
		dst = argv[idx]->arg;
		dst_wildcard = argv[idx + 1]->arg;
	}

	/* 0.0.0.0 / 255.255.255.255 encodes "any" source; final 0 = remove. */
	return filter_set_cisco(vty, argv[idx_acl]->arg, seq, permit_deny,
				"0.0.0.0", "255.255.255.255", dst, dst_wildcard,
				1, 0);
}
/* Remove the extended "ip any any" entry. */
DEFUN (no_access_list_extended_any_any,
       no_access_list_extended_any_any_cmd,
       "no access-list <(100-199)|(2000-2699)> [seq (1-4294967295)] <deny|permit> ip any any",
       NO_STR
       "Add an access list entry\n"
       "IP extended access list\n"
       "IP extended access list (expanded range)\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Any Internet Protocol\n"
       "Any source host\n"
       "Any destination host\n")
{
	const int idx_acl = 2;
	char *seq = NULL;
	char *permit_deny = NULL;
	int idx;

	idx = 0;
	if (argv_find(argv, argc, "(1-4294967295)", &idx))
		seq = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "permit", &idx)
	    || argv_find(argv, argc, "deny", &idx))
		permit_deny = argv[idx]->arg;

	/* Both sides use address 0.0.0.0 with an all-ones wildcard ("any"). */
	return filter_set_cisco(vty, argv[idx_acl]->arg, seq, permit_deny,
				"0.0.0.0", "255.255.255.255", "0.0.0.0",
				"255.255.255.255", 1, 0);
}
/* Remove an extended entry: source address with wildcard, one destination
 * host.
 */
DEFUN (no_access_list_extended_mask_host,
       no_access_list_extended_mask_host_cmd,
       "no access-list <(100-199)|(2000-2699)> [seq (1-4294967295)] <deny|permit> ip A.B.C.D A.B.C.D host A.B.C.D",
       NO_STR
       "Add an access list entry\n"
       "IP extended access list\n"
       "IP extended access list (expanded range)\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Any Internet Protocol\n"
       "Source address\n"
       "Source wildcard bits\n"
       "A single destination host\n"
       "Destination address\n")
{
	const int idx_acl = 2;
	char *seq = NULL;
	char *permit_deny = NULL;
	char *src = NULL;
	char *src_wildcard = NULL;
	char *dst = NULL;
	int idx;

	idx = 0;
	if (argv_find(argv, argc, "(1-4294967295)", &idx))
		seq = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "permit", &idx)
	    || argv_find(argv, argc, "deny", &idx))
		permit_deny = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "A.B.C.D", &idx)) {
		src = argv[idx]->arg;
		src_wildcard = argv[idx + 1]->arg;
		/* idx + 2 is the "host" keyword, so the address is at + 3. */
		dst = argv[idx + 3]->arg;
	}

	/* Destination wildcard 0.0.0.0 = exact host; final 0 = remove. */
	return filter_set_cisco(vty, argv[idx_acl]->arg, seq, permit_deny, src,
				src_wildcard, dst, "0.0.0.0", 1, 0);
}
/* Remove an extended entry: one source host, destination address with
 * wildcard.
 */
DEFUN (no_access_list_extended_host_mask,
       no_access_list_extended_host_mask_cmd,
       "no access-list <(100-199)|(2000-2699)> [seq (1-4294967295)] <deny|permit> ip host A.B.C.D A.B.C.D A.B.C.D",
       NO_STR
       "Add an access list entry\n"
       "IP extended access list\n"
       "IP extended access list (expanded range)\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Any Internet Protocol\n"
       "A single source host\n"
       "Source address\n"
       "Destination address\n"
       "Destination Wildcard bits\n")
{
	const int idx_acl = 2;
	char *seq = NULL;
	char *permit_deny = NULL;
	char *src = NULL;
	char *dst = NULL;
	char *dst_wildcard = NULL;
	int idx;

	idx = 0;
	if (argv_find(argv, argc, "(1-4294967295)", &idx))
		seq = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "permit", &idx)
	    || argv_find(argv, argc, "deny", &idx))
		permit_deny = argv[idx]->arg;

	/* Host address, destination and destination wildcard are adjacent. */
	idx = 0;
	if (argv_find(argv, argc, "A.B.C.D", &idx)) {
		src = argv[idx]->arg;
		dst = argv[idx + 1]->arg;
		dst_wildcard = argv[idx + 2]->arg;
	}

	/* Source wildcard 0.0.0.0 = exact host; final 0 = remove. */
	return filter_set_cisco(vty, argv[idx_acl]->arg, seq, permit_deny, src,
				"0.0.0.0", dst, dst_wildcard, 1, 0);
}
/* Remove an extended entry matching one source host and one destination
 * host.
 */
DEFUN (no_access_list_extended_host_host,
       no_access_list_extended_host_host_cmd,
       "no access-list <(100-199)|(2000-2699)> [seq (1-4294967295)] <deny|permit> ip host A.B.C.D host A.B.C.D",
       NO_STR
       "Add an access list entry\n"
       "IP extended access list\n"
       "IP extended access list (expanded range)\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Any Internet Protocol\n"
       "A single source host\n"
       "Source address\n"
       "A single destination host\n"
       "Destination address\n")
{
	const int idx_acl = 2;
	char *seq = NULL;
	char *permit_deny = NULL;
	char *src = NULL;
	char *dst = NULL;
	int idx;

	idx = 0;
	if (argv_find(argv, argc, "(1-4294967295)", &idx))
		seq = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "permit", &idx)
	    || argv_find(argv, argc, "deny", &idx))
		permit_deny = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "A.B.C.D", &idx)) {
		src = argv[idx]->arg;
		/* idx + 1 is the second "host" keyword. */
		dst = argv[idx + 2]->arg;
	}

	/* Both wildcards 0.0.0.0 = exact hosts; final 0 = remove. */
	return filter_set_cisco(vty, argv[idx_acl]->arg, seq, permit_deny, src,
				"0.0.0.0", dst, "0.0.0.0", 1, 0);
}
/* Remove an extended entry: any source, one destination host. */
DEFUN (no_access_list_extended_any_host,
       no_access_list_extended_any_host_cmd,
       "no access-list <(100-199)|(2000-2699)> [seq (1-4294967295)] <deny|permit> ip any host A.B.C.D",
       NO_STR
       "Add an access list entry\n"
       "IP extended access list\n"
       "IP extended access list (expanded range)\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Any Internet Protocol\n"
       "Any source host\n"
       "A single destination host\n"
       "Destination address\n")
{
	const int idx_acl = 2;
	char *seq = NULL;
	char *permit_deny = NULL;
	char *dst = NULL;
	int idx;

	idx = 0;
	if (argv_find(argv, argc, "(1-4294967295)", &idx))
		seq = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "permit", &idx)
	    || argv_find(argv, argc, "deny", &idx))
		permit_deny = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "A.B.C.D", &idx))
		dst = argv[idx]->arg;

	/* "any" source, exact destination host; final 0 = remove. */
	return filter_set_cisco(vty, argv[idx_acl]->arg, seq, permit_deny,
				"0.0.0.0", "255.255.255.255", dst, "0.0.0.0", 1,
				0);
}
/* Remove an extended entry: one source host, any destination. */
DEFUN (no_access_list_extended_host_any,
       no_access_list_extended_host_any_cmd,
       "no access-list <(100-199)|(2000-2699)> [seq (1-4294967295)] <deny|permit> ip host A.B.C.D any",
       NO_STR
       "Add an access list entry\n"
       "IP extended access list\n"
       "IP extended access list (expanded range)\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Any Internet Protocol\n"
       "A single source host\n"
       "Source address\n"
       "Any destination host\n")
{
	const int idx_acl = 2;
	char *seq = NULL;
	char *permit_deny = NULL;
	char *src = NULL;
	int idx;

	idx = 0;
	if (argv_find(argv, argc, "(1-4294967295)", &idx))
		seq = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "permit", &idx)
	    || argv_find(argv, argc, "deny", &idx))
		permit_deny = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "A.B.C.D", &idx))
		src = argv[idx]->arg;

	/* Exact source host, "any" destination; final 0 = remove. */
	return filter_set_cisco(vty, argv[idx_acl]->arg, seq, permit_deny, src,
				"0.0.0.0", "0.0.0.0", "255.255.255.255", 1, 0);
}
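/*
 * Add or remove one prefix-based ("zebra") entry of an access list.
 *
 * vty        - session that receives diagnostics.
 * name_str   - access-list name; rejected when longer than ACL_NAMSIZ.
 * seq        - decimal sequence number as typed, or NULL when none was given
 *              (the entry is then created with seq -1).
 * type_str   - "permit"/"deny" keyword; only the first character is checked.
 *              NULL keeps the default, FILTER_DENY.
 * afi        - AFI_IP, AFI_IP6 or AFI_L2VPN; selects the prefix parser.
 * prefix_str - prefix (or MAC address for AFI_L2VPN) in text form.
 * exact      - non-zero to mark the entry as an exact match.
 * set        - non-zero to add the entry, zero to delete a matching one.
 *
 * Returns CMD_SUCCESS, or a CMD_WARNING* code after printing the reason.
 *
 * The sequence number is parsed with strtoull() and range-checked instead of
 * atol(): atol() reports no errors, and where long is 32 bits it cannot
 * represent the upper half of the (1-4294967295) range the CLI accepts, so
 * an entry could end up at a different position in the list than the one the
 * operator asked for.
 */
static int filter_set_zebra(struct vty *vty, const char *name_str,
			    const char *seq, const char *type_str, afi_t afi,
			    const char *prefix_str, int exact, int set)
{
	int ret;
	enum filter_type type = FILTER_DENY;
	struct filter *mfilter;
	struct filter_zebra *filter;
	struct access_list *access;
	struct prefix p;
	int64_t seqnum = -1;

	if (strlen(name_str) > ACL_NAMSIZ) {
		vty_out(vty,
			"%% ACL name %s is invalid: length exceeds "
			"%d characters\n",
			name_str, ACL_NAMSIZ);
		return CMD_WARNING_CONFIG_FAILED;
	}

	if (seq) {
		char *end = NULL;
		unsigned long long parsed = strtoull(seq, &end, 10);

		/* Upper bound mirrors the "(1-4294967295)" CLI range. */
		if (end == seq || *end != '\0' || parsed > 4294967295ULL) {
			vty_out(vty, "%% Invalid sequence number %s\n", seq);
			return CMD_WARNING_CONFIG_FAILED;
		}
		seqnum = (int64_t)parsed;
	}

	/* Check of filter type. */
	if (type_str) {
		if (strncmp(type_str, "p", 1) == 0)
			type = FILTER_PERMIT;
		else if (strncmp(type_str, "d", 1) == 0)
			type = FILTER_DENY;
		else {
			vty_out(vty, "filter type must be [permit|deny]\n");
			return CMD_WARNING_CONFIG_FAILED;
		}
	}

	/* Check string format of prefix and prefixlen. */
	if (afi == AFI_IP) {
		ret = str2prefix_ipv4(prefix_str, (struct prefix_ipv4 *)&p);
		if (ret <= 0) {
			vty_out(vty,
				"IP address prefix/prefixlen is malformed\n");
			return CMD_WARNING_CONFIG_FAILED;
		}
	} else if (afi == AFI_IP6) {
		ret = str2prefix_ipv6(prefix_str, (struct prefix_ipv6 *)&p);
		if (ret <= 0) {
			vty_out(vty,
				"IPv6 address prefix/prefixlen is malformed\n");
			return CMD_WARNING_CONFIG_FAILED;
		}
	} else if (afi == AFI_L2VPN) {
		ret = str2prefix_eth(prefix_str, (struct prefix_eth *)&p);
		if (ret <= 0) {
			vty_out(vty, "MAC address is malformed\n");
			return CMD_WARNING;
		}
	} else
		return CMD_WARNING_CONFIG_FAILED;

	/* All input is validated; only now allocate the candidate entry. */
	mfilter = filter_new();
	mfilter->type = type;
	mfilter->seq = seqnum;
	filter = &mfilter->u.zfilter;
	prefix_copy(&filter->prefix, &p);

	/* "exact-match" */
	if (exact)
		filter->exact = 1;

	/* Install new filter to the access_list. */
	/* NOTE(review): the same lookup is used on the delete path; if
	 * access_list_get() creates lists that do not exist yet, a "no ..."
	 * for an unknown name leaves an empty list behind -- confirm.
	 */
	access = access_list_get(afi, name_str);

	if (set) {
		/* A duplicate is dropped instead of being added twice. */
		if (filter_lookup_zebra(access, mfilter))
			filter_free(mfilter);
		else
			access_list_filter_add(access, mfilter);
	} else {
		struct filter *delete_filter;

		/* mfilter only serves as the search key here. */
		delete_filter = filter_lookup_zebra(access, mfilter);
		if (delete_filter)
			access_list_filter_delete(access, delete_filter);

		filter_free(mfilter);
	}

	return CMD_SUCCESS;
}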
/* Add an entry matching one MAC address to a named MAC access list. */
DEFUN (mac_access_list,
       mac_access_list_cmd,
       "mac access-list WORD [seq (1-4294967295)] <deny|permit> X:X:X:X:X:X",
       "Add a mac access-list\n"
       "Add an access list entry\n"
       "MAC zebra access-list name\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "MAC address to match. e.g. 00:01:00:01:00:01\n")
{
	char *seq = NULL;
	char *permit_deny = NULL;
	char *mac = NULL;
	int idx;

	/* "seq N" is optional; seq stays NULL when it was not typed. */
	idx = 0;
	if (argv_find(argv, argc, "(1-4294967295)", &idx))
		seq = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "permit", &idx)
	    || argv_find(argv, argc, "deny", &idx))
		permit_deny = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "X:X:X:X:X:X", &idx))
		mac = argv[idx]->arg;

	/* argv[2] is WORD in "mac access-list WORD ..."; exact = 0, set = 1. */
	return filter_set_zebra(vty, argv[2]->arg, seq, permit_deny, AFI_L2VPN,
				mac, 0, 1);
}
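/* Remove the entry matching one MAC address from a named MAC access list.
 *
 * The list name is taken from argv[3]. With the leading "no" the tokens are
 * "no" [0], "mac" [1], "access-list" [2], WORD [3]; reading argv[2] would
 * hand the literal keyword "access-list" to filter_set_zebra() as the list
 * name, so the entry the operator meant to delete would stay in force.
 * show_mac_access_list_name, which has the same four-token prefix, also
 * reads the name from argv[3].
 */
DEFUN (no_mac_access_list,
       no_mac_access_list_cmd,
       "no mac access-list WORD [seq (1-4294967295)] <deny|permit> X:X:X:X:X:X",
       NO_STR
       "Remove a mac access-list\n"
       "Remove an access list entry\n"
       "MAC zebra access-list name\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "MAC address to match. e.g. 00:01:00:01:00:01\n")
{
	int idx_word = 3;
	int idx = 0;
	char *seq = NULL;
	char *permit_deny = NULL;
	char *mac = NULL;

	/* "seq N" is optional; seq stays NULL when it was not typed. */
	argv_find(argv, argc, "(1-4294967295)", &idx);
	if (idx)
		seq = argv[idx]->arg;

	idx = 0;
	argv_find(argv, argc, "permit", &idx);
	argv_find(argv, argc, "deny", &idx);
	if (idx)
		permit_deny = argv[idx]->arg;

	idx = 0;
	argv_find(argv, argc, "X:X:X:X:X:X", &idx);
	if (idx)
		mac = argv[idx]->arg;

	/* exact = 0, set = 0 (delete). */
	return filter_set_zebra(vty, argv[idx_word]->arg, seq, permit_deny,
				AFI_L2VPN, mac, 0, 0);
}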
/* Add an "any" entry to a named MAC access list. */
DEFUN (mac_access_list_any,
       mac_access_list_any_cmd,
       "mac access-list WORD [seq (1-4294967295)] <deny|permit> any",
       "Add a mac access-list\n"
       "Add an access list entry\n"
       "MAC zebra access-list name\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "MAC address to match. e.g. 00:01:00:01:00:01\n")
{
	char *seq = NULL;
	char *permit_deny = NULL;
	int idx;

	idx = 0;
	if (argv_find(argv, argc, "(1-4294967295)", &idx))
		seq = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "permit", &idx)
	    || argv_find(argv, argc, "deny", &idx))
		permit_deny = argv[idx]->arg;

	/* "any" is passed down as the all-zero MAC; exact = 0, set = 1. */
	return filter_set_zebra(vty, argv[2]->arg, seq, permit_deny, AFI_L2VPN,
				"00:00:00:00:00:00", 0, 1);
}
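/* Remove the "any" entry from a named MAC access list.
 *
 * The list name is taken from argv[3]: with the leading "no" the tokens are
 * "no" [0], "mac" [1], "access-list" [2], WORD [3]. Reading argv[2] would
 * pass the keyword "access-list" as the list name and leave the intended
 * entry in place.
 */
DEFUN (no_mac_access_list_any,
       no_mac_access_list_any_cmd,
       "no mac access-list WORD [seq (1-4294967295)] <deny|permit> any",
       NO_STR
       "Remove a mac access-list\n"
       "Remove an access list entry\n"
       "MAC zebra access-list name\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "MAC address to match. e.g. 00:01:00:01:00:01\n")
{
	int idx_word = 3;
	int idx = 0;
	char *seq = NULL;
	char *permit_deny = NULL;

	/* "seq N" is optional; seq stays NULL when it was not typed. */
	argv_find(argv, argc, "(1-4294967295)", &idx);
	if (idx)
		seq = argv[idx]->arg;

	idx = 0;
	argv_find(argv, argc, "permit", &idx);
	argv_find(argv, argc, "deny", &idx);
	if (idx)
		permit_deny = argv[idx]->arg;

	/* "any" is the all-zero MAC; exact = 0, set = 0 (delete). */
	return filter_set_zebra(vty, argv[idx_word]->arg, seq, permit_deny,
				AFI_L2VPN, "00:00:00:00:00:00", 0, 0);
}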
/* Add an IPv4 prefix entry, optionally exact-match, to a named access list. */
DEFUN (access_list_exact,
       access_list_exact_cmd,
       "access-list WORD [seq (1-4294967295)] <deny|permit> A.B.C.D/M [exact-match]",
       "Add an access list entry\n"
       "IP zebra access-list name\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 10.0.0.0/8\n"
       "Exact match of the prefixes\n")
{
	char *seq = NULL;
	char *permit_deny = NULL;
	char *prefix = NULL;
	int exact;
	int idx;

	idx = 0;
	if (argv_find(argv, argc, "(1-4294967295)", &idx))
		seq = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "permit", &idx)
	    || argv_find(argv, argc, "deny", &idx))
		permit_deny = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "A.B.C.D/M", &idx))
		prefix = argv[idx]->arg;

	/* Optional keyword: present means the prefix length must match too. */
	idx = 0;
	exact = argv_find(argv, argc, "exact-match", &idx) ? 1 : 0;

	/* argv[1] is WORD in "access-list WORD ..."; last argument 1 = add. */
	return filter_set_zebra(vty, argv[1]->arg, seq, permit_deny,
				AFI_IP, prefix, exact, 1);
}
/* Add an "any" entry (0.0.0.0/0, not exact) to a named IPv4 access list. */
DEFUN (access_list_any,
       access_list_any_cmd,
       "access-list WORD [seq (1-4294967295)] <deny|permit> any",
       "Add an access list entry\n"
       "IP zebra access-list name\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 10.0.0.0/8\n")
{
	const int idx_word = 1;
	char *seq = NULL;
	char *permit_deny = NULL;
	int idx;

	idx = 0;
	if (argv_find(argv, argc, "(1-4294967295)", &idx))
		seq = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "permit", &idx)
	    || argv_find(argv, argc, "deny", &idx))
		permit_deny = argv[idx]->arg;

	return filter_set_zebra(vty, argv[idx_word]->arg, seq, permit_deny,
				AFI_IP, "0.0.0.0/0", 0, 1);
}
/* Remove an IPv4 prefix entry from a named access list. */
DEFUN (no_access_list_exact,
       no_access_list_exact_cmd,
       "no access-list WORD [seq (1-4294967295)] <deny|permit> A.B.C.D/M [exact-match]",
       NO_STR
       "Add an access list entry\n"
       "IP zebra access-list name\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 10.0.0.0/8\n"
       "Exact match of the prefixes\n")
{
	char *seq = NULL;
	char *permit_deny = NULL;
	char *prefix = NULL;
	int exact;
	int idx;

	idx = 0;
	if (argv_find(argv, argc, "(1-4294967295)", &idx))
		seq = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "permit", &idx)
	    || argv_find(argv, argc, "deny", &idx))
		permit_deny = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "A.B.C.D/M", &idx))
		prefix = argv[idx]->arg;

	idx = 0;
	exact = argv_find(argv, argc, "exact-match", &idx) ? 1 : 0;

	/* argv[2] is WORD in "no access-list WORD ..."; last argument 0 =
	 * delete.
	 */
	return filter_set_zebra(vty, argv[2]->arg, seq, permit_deny,
				AFI_IP, prefix, exact, 0);
}
/* Remove the "any" entry (0.0.0.0/0) from a named IPv4 access list. */
DEFUN (no_access_list_any,
       no_access_list_any_cmd,
       "no access-list WORD [seq (1-4294967295)] <deny|permit> any",
       NO_STR
       "Add an access list entry\n"
       "IP zebra access-list name\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 10.0.0.0/8\n")
{
	const int idx_word = 2;
	char *seq = NULL;
	char *permit_deny = NULL;
	int idx;

	idx = 0;
	if (argv_find(argv, argc, "(1-4294967295)", &idx))
		seq = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "permit", &idx)
	    || argv_find(argv, argc, "deny", &idx))
		permit_deny = argv[idx]->arg;

	return filter_set_zebra(vty, argv[idx_word]->arg, seq, permit_deny,
				AFI_IP, "0.0.0.0/0", 0, 0);
}
/* Delete a whole IPv4 access list (numbered or named) with all its entries. */
DEFUN (no_access_list_all,
       no_access_list_all_cmd,
       "no access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD>",
       NO_STR
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list name\n")
{
	const int idx_acl = 2;
	const char *acl_name = argv[idx_acl]->arg;
	struct access_list *access;
	struct access_master *master;

	/* Looking up access_list. */
	access = access_list_lookup(AFI_IP, acl_name);
	if (!access) {
		vty_out(vty, "%% access-list %s doesn't exist\n",
			acl_name);
		return CMD_WARNING_CONFIG_FAILED;
	}

	master = access->master;

	/* Dependants are told, and the hook runs, while the list (and its
	 * name) still exists; the delete comes last.
	 */
	route_map_notify_dependencies(access->name, RMAP_EVENT_FILTER_DELETED);
	/* Run hook function. */
	if (master->delete_hook)
		(*master->delete_hook)(access);

	/* Delete all filter from access-list. */
	access_list_delete(access);

	return CMD_SUCCESS;
}
/* Attach a free-text remark to an IPv4 access list, replacing any previous
 * one.
 */
DEFUN (access_list_remark,
       access_list_remark_cmd,
       "access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD> remark LINE...",
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list\n"
       "Access list entry comment\n"
       "Comment up to 100 characters\n")
{
	const int idx_acl = 1;
	const int idx_remark = 3; /* first word of LINE... */
	struct access_list *access = access_list_get(AFI_IP,
						     argv[idx_acl]->arg);

	/* Release the old remark before storing the new one. */
	if (access->remark) {
		XFREE(MTYPE_TMP, access->remark);
		access->remark = NULL;
	}

	/* NOTE(review): the help text promises at most 100 characters, but
	 * no length check is visible here; the joined words are stored
	 * as-is.
	 */
	access->remark = argv_concat(argv, argc, idx_remark);

	return CMD_SUCCESS;
}
/* Clear the remark of an IPv4 access list. */
DEFUN (no_access_list_remark,
       no_access_list_remark_cmd,
       "no access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD> remark",
       NO_STR
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list\n"
       "Access list entry comment\n")
{
	const int idx_acl = 2;
	const char *acl_name = argv[idx_acl]->arg;

	return vty_access_list_remark_unset(vty, AFI_IP, acl_name);
}
/* Same as no_access_list_remark, but also accepts the remark text after the
 * keyword. The text is not compared with the stored remark: the call is
 * forwarded unchanged to the handler above.
 */
DEFUN (no_access_list_remark_comment,
       no_access_list_remark_comment_cmd,
       "no access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD> remark LINE...",
       NO_STR
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list\n"
       "Access list entry comment\n"
       "Comment up to 100 characters\n")
{
	return no_access_list_remark(self, vty, argc, argv);
}
/* Add an IPv6 prefix entry, optionally exact-match, to a named access list. */
DEFUN (ipv6_access_list_exact,
       ipv6_access_list_exact_cmd,
       "ipv6 access-list WORD [seq (1-4294967295)] <deny|permit> X:X::X:X/M [exact-match]",
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "IPv6 prefix\n"
       "Exact match of the prefixes\n")
{
	const int idx_word = 2;
	char *seq = NULL;
	char *permit_deny = NULL;
	char *prefix = NULL;
	int exact;
	int idx;

	idx = 0;
	if (argv_find(argv, argc, "(1-4294967295)", &idx))
		seq = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "permit", &idx)
	    || argv_find(argv, argc, "deny", &idx))
		permit_deny = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "X:X::X:X/M", &idx))
		prefix = argv[idx]->arg;

	idx = 0;
	exact = argv_find(argv, argc, "exact-match", &idx) ? 1 : 0;

	return filter_set_zebra(vty, argv[idx_word]->arg, seq, permit_deny,
				AFI_IP6, prefix, exact, 1);
}
/* Add an "any" entry (::/0, not exact) to a named IPv6 access list. */
DEFUN (ipv6_access_list_any,
       ipv6_access_list_any_cmd,
       "ipv6 access-list WORD [seq (1-4294967295)] <deny|permit> any",
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Any prefixi to match\n")
{
	const int idx_word = 2;
	char *seq = NULL;
	char *permit_deny = NULL;
	int idx;

	idx = 0;
	if (argv_find(argv, argc, "(1-4294967295)", &idx))
		seq = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "permit", &idx)
	    || argv_find(argv, argc, "deny", &idx))
		permit_deny = argv[idx]->arg;

	return filter_set_zebra(vty, argv[idx_word]->arg, seq, permit_deny,
				AFI_IP6, "::/0", 0, 1);
}
/* Remove an IPv6 prefix entry from a named access list. */
DEFUN (no_ipv6_access_list_exact,
       no_ipv6_access_list_exact_cmd,
       "no ipv6 access-list WORD [seq (1-4294967295)] <deny|permit> X:X::X:X/M [exact-match]",
       NO_STR
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 3ffe:506::/32\n"
       "Exact match of the prefixes\n")
{
	const int idx_word = 3;
	char *seq = NULL;
	char *permit_deny = NULL;
	char *prefix = NULL;
	int exact;
	int idx;

	idx = 0;
	if (argv_find(argv, argc, "(1-4294967295)", &idx))
		seq = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "permit", &idx)
	    || argv_find(argv, argc, "deny", &idx))
		permit_deny = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "X:X::X:X/M", &idx))
		prefix = argv[idx]->arg;

	idx = 0;
	exact = argv_find(argv, argc, "exact-match", &idx) ? 1 : 0;

	return filter_set_zebra(vty, argv[idx_word]->arg, seq, permit_deny,
				AFI_IP6, prefix, exact, 0);
}
/* Remove the "any" entry (::/0) from a named IPv6 access list. */
DEFUN (no_ipv6_access_list_any,
       no_ipv6_access_list_any_cmd,
       "no ipv6 access-list WORD [seq (1-4294967295)] <deny|permit> any",
       NO_STR
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Sequence number of an entry\n"
       "Sequence number\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Any prefixi to match\n")
{
	const int idx_word = 3;
	char *seq = NULL;
	char *permit_deny = NULL;
	int idx;

	idx = 0;
	if (argv_find(argv, argc, "(1-4294967295)", &idx))
		seq = argv[idx]->arg;

	idx = 0;
	if (argv_find(argv, argc, "permit", &idx)
	    || argv_find(argv, argc, "deny", &idx))
		permit_deny = argv[idx]->arg;

	return filter_set_zebra(vty, argv[idx_word]->arg, seq, permit_deny,
				AFI_IP6, "::/0", 0, 0);
}
/* Delete a whole IPv6 access list with all its entries. */
DEFUN (no_ipv6_access_list_all,
       no_ipv6_access_list_all_cmd,
       "no ipv6 access-list WORD",
       NO_STR
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n")
{
	const int idx_word = 3;
	const char *acl_name = argv[idx_word]->arg;
	struct access_list *access;
	struct access_master *master;

	/* Looking up access_list. */
	access = access_list_lookup(AFI_IP6, acl_name);
	if (!access) {
		vty_out(vty, "%% access-list %s doesn't exist\n",
			acl_name);
		return CMD_WARNING_CONFIG_FAILED;
	}

	master = access->master;

	/* Dependants are told, and the hook runs, while the list (and its
	 * name) still exists; the delete comes last.
	 */
	route_map_notify_dependencies(access->name, RMAP_EVENT_FILTER_DELETED);
	/* Run hook function. */
	if (master->delete_hook)
		(*master->delete_hook)(access);

	/* Delete all filter from access-list. */
	access_list_delete(access);

	return CMD_SUCCESS;
}
/* Attach a free-text remark to an IPv6 access list, replacing any previous
 * one.
 */
DEFUN (ipv6_access_list_remark,
       ipv6_access_list_remark_cmd,
       "ipv6 access-list WORD remark LINE...",
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Access list entry comment\n"
       "Comment up to 100 characters\n")
{
	const int idx_word = 2;
	const int idx_line = 4; /* first word of LINE... */
	struct access_list *access = access_list_get(AFI_IP6,
						     argv[idx_word]->arg);

	/* Release the old remark before storing the new one. */
	if (access->remark) {
		XFREE(MTYPE_TMP, access->remark);
		access->remark = NULL;
	}

	/* NOTE(review): the help text promises at most 100 characters, but
	 * no length check is visible here; the joined words are stored
	 * as-is.
	 */
	access->remark = argv_concat(argv, argc, idx_line);

	return CMD_SUCCESS;
}
/* Clear the remark of an IPv6 access list. */
DEFUN (no_ipv6_access_list_remark,
       no_ipv6_access_list_remark_cmd,
       "no ipv6 access-list WORD remark",
       NO_STR
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Access list entry comment\n")
{
	const int idx_word = 3;
	const char *acl_name = argv[idx_word]->arg;

	return vty_access_list_remark_unset(vty, AFI_IP6, acl_name);
}
/* Same as no_ipv6_access_list_remark, but also accepts the remark text after
 * the keyword. The text is not compared with the stored remark: the call is
 * forwarded unchanged to the handler above.
 */
DEFUN (no_ipv6_access_list_remark_comment,
       no_ipv6_access_list_remark_comment_cmd,
       "no ipv6 access-list WORD remark LINE...",
       NO_STR
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Access list entry comment\n"
       "Comment up to 100 characters\n")
{
	return no_ipv6_access_list_remark(self, vty, argc, argv);
}
/* Entry printers, defined further down; declared here because filter_show()
 * uses them first.
 */
static void config_write_access_zebra(struct vty *, struct filter *);
static void config_write_access_cisco(struct vty *, struct filter *);
/* Print the access lists on one chain of the master (head is either
 * master->num.head or master->str.head). When name is non-NULL only the
 * list with exactly that name is printed.
 */
static void filter_show_chain(struct vty *vty, struct access_list *head,
			      const char *name, afi_t afi)
{
	struct access_list *access;
	struct filter *mfilter;
	struct filter_cisco *filter;
	int header_pending;

	for (access = head; access; access = access->next) {
		if (name && strcmp(access->name, name) != 0)
			continue;

		/* The header line is printed with the first entry, so a
		 * list without entries prints nothing at all.
		 */
		header_pending = 1;

		for (mfilter = access->head; mfilter; mfilter = mfilter->next) {
			/* Cisco view of the union; its fields are only read
			 * below when mfilter->cisco is set.
			 */
			filter = &mfilter->u.cfilter;

			if (header_pending) {
				const char *kind = "Zebra";
				const char *family = "MAC ";

				if (mfilter->cisco)
					kind = filter->extended ? "Extended"
								: "Standard";
				if (afi == AFI_IP)
					family = "IP";
				else if (afi == AFI_IP6)
					family = "IPv6 ";

				vty_out(vty, "%s %s access list %s\n", kind,
					family, access->name);
				header_pending = 0;
			}

			vty_out(vty, " seq %" PRId64, mfilter->seq);
			vty_out(vty, " %s%s", filter_type_str(mfilter),
				mfilter->type == FILTER_DENY ? " " : "");

			if (!mfilter->cisco) {
				config_write_access_zebra(vty, mfilter);
			} else if (filter->extended) {
				config_write_access_cisco(vty, mfilter);
			} else if (filter->addr_mask.s_addr == 0xffffffff) {
				/* Standard entry with an all-ones wildcard. */
				vty_out(vty, " any\n");
			} else {
				vty_out(vty, " %s", inet_ntoa(filter->addr));
				if (filter->addr_mask.s_addr != 0)
					vty_out(vty, ", wildcard bits %s",
						inet_ntoa(filter->addr_mask));
				vty_out(vty, "\n");
			}
		}
	}
}

/* show access-list command. */
/* Prints the numbered lists first, then the named ones, for address family
 * afi. Returns 0 when there is no master for afi, CMD_SUCCESS otherwise.
 */
static int filter_show(struct vty *vty, const char *name, afi_t afi)
{
	struct access_master *master = access_master_get(afi);

	if (master == NULL)
		return 0;

	/* Print the name of the protocol */
	vty_out(vty, "%s:\n", frr_protoname);

	filter_show_chain(vty, master->num.head, name, afi);
	filter_show_chain(vty, master->str.head, name, afi);

	return CMD_SUCCESS;
}
/* show MAC access list - this only has MAC filters for now*/
/* Lists every MAC access list: a NULL name disables the name filter in
 * filter_show().
 */
DEFUN (show_mac_access_list,
       show_mac_access_list_cmd,
       "show mac access-list",
       SHOW_STR
       "mac access lists\n"
       "List mac access lists\n")
{
	return filter_show(vty, NULL, AFI_L2VPN);
}
/* Show one MAC access list, selected by name. */
DEFUN (show_mac_access_list_name,
       show_mac_access_list_name_cmd,
       "show mac access-list WORD",
       SHOW_STR
       "mac access lists\n"
       "List mac access lists\n"
       "mac address\n")
{
	/* Tokens: "show" [0], "mac" [1], "access-list" [2], WORD [3]. */
	const char *acl_name = argv[3]->arg;

	return filter_show(vty, acl_name, AFI_L2VPN);
}
/* Lists every IPv4 access list: a NULL name disables the name filter in
 * filter_show().
 */
DEFUN (show_ip_access_list,
       show_ip_access_list_cmd,
       "show ip access-list",
       SHOW_STR
       IP_STR
       "List IP access lists\n")
{
	return filter_show(vty, NULL, AFI_IP);
}
/* Show one IPv4 access list, selected by number or name. */
DEFUN (show_ip_access_list_name,
       show_ip_access_list_name_cmd,
       "show ip access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD>",
       SHOW_STR
       IP_STR
       "List IP access lists\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list\n")
{
	const int idx_acl = 3;
	const char *acl_name = argv[idx_acl]->arg;

	return filter_show(vty, acl_name, AFI_IP);
}
/* Lists every IPv6 access list: a NULL name disables the name filter in
 * filter_show().
 */
DEFUN (show_ipv6_access_list,
       show_ipv6_access_list_cmd,
       "show ipv6 access-list",
       SHOW_STR
       IPV6_STR
       "List IPv6 access lists\n")
{
	return filter_show(vty, NULL, AFI_IP6);
}
/* Show one IPv6 access list, selected by name. */
DEFUN (show_ipv6_access_list_name,
       show_ipv6_access_list_name_cmd,
       "show ipv6 access-list WORD",
       SHOW_STR
       IPV6_STR
       "List IPv6 access lists\n"
       "IPv6 zebra access-list\n")
{
	const int idx_word = 3;
	const char *acl_name = argv[idx_word]->arg;

	return filter_show(vty, acl_name, AFI_IP6);
}
/* Print the match part of a Cisco-style entry, ending with a newline.
 *
 * Extended entries print " ip <source> <destination>", where each side is
 * "any" (wildcard all ones), "host A" (wildcard zero) or "A W". The source
 * side is addr/addr_mask and the destination side is mask/mask_mask.
 * Standard entries print "any" or the address, followed by its wildcard when
 * that is non-zero.
 */
static void config_write_access_cisco(struct vty *vty, struct filter *mfilter)
{
	struct filter_cisco *cf = &mfilter->u.cfilter;

	if (!cf->extended) {
		if (cf->addr_mask.s_addr == 0xffffffff) {
			vty_out(vty, " any\n");
			return;
		}

		vty_out(vty, " %s", inet_ntoa(cf->addr));
		if (cf->addr_mask.s_addr != 0)
			vty_out(vty, " %s", inet_ntoa(cf->addr_mask));
		vty_out(vty, "\n");
		return;
	}

	vty_out(vty, " ip");

	/* Source side. Each inet_ntoa() result is printed by its own
	 * vty_out() call, never two in one call.
	 */
	if (cf->addr_mask.s_addr == 0xffffffff) {
		vty_out(vty, " any");
	} else if (cf->addr_mask.s_addr == 0) {
		vty_out(vty, " host %s", inet_ntoa(cf->addr));
	} else {
		vty_out(vty, " %s", inet_ntoa(cf->addr));
		vty_out(vty, " %s", inet_ntoa(cf->addr_mask));
	}

	/* Destination side. */
	if (cf->mask_mask.s_addr == 0xffffffff) {
		vty_out(vty, " any");
	} else if (cf->mask_mask.s_addr == 0) {
		vty_out(vty, " host %s", inet_ntoa(cf->mask));
	} else {
		vty_out(vty, " %s", inet_ntoa(cf->mask));
		vty_out(vty, " %s", inet_ntoa(cf->mask_mask));
	}

	vty_out(vty, "\n");
}
/* Print the match part of a prefix-based ("zebra") entry, ending with a
 * newline: " any" for a zero-length prefix that is not exact-match,
 * " <prefix>/<len>[ exact-match]" for IPv4/IPv6, and " any" or the MAC
 * address for Ethernet prefixes. Other families print only the newline.
 */
static void config_write_access_zebra(struct vty *vty, struct filter *mfilter)
{
	struct filter_zebra *zf = &mfilter->u.zfilter;
	struct prefix *p = &zf->prefix;
	char buf[BUFSIZ];

	if (p->prefixlen == 0 && !zf->exact) {
		vty_out(vty, " any");
	} else if (p->family == AF_INET6 || p->family == AF_INET) {
		const char *exact_kw = zf->exact ? " exact-match" : "";

		vty_out(vty, " %s/%d%s",
			inet_ntop(p->family, &p->u.prefix, buf, BUFSIZ),
			p->prefixlen, exact_kw);
	} else if (p->family == AF_ETHERNET) {
		if (p->prefixlen == 0)
			vty_out(vty, " any");
		else
			vty_out(vty, " %s", prefix_mac2str(&(p->u.prefix_eth),
							   buf, sizeof(buf)));
	}

	vty_out(vty, "\n");
}
/* Write the configuration lines for every list on one chain of the master
 * and return how many lines were written.
 */
static int config_write_access_chain(struct vty *vty,
				     struct access_list *head, afi_t afi)
{
	/* Command prefix in front of "access-list" for this family. */
	const char *family_kw = (afi == AFI_IP)
					? ("")
					: ((afi == AFI_IP6) ? ("ipv6 ")
							    : ("mac "));
	struct access_list *access;
	struct filter *mfilter;
	int written = 0;

	for (access = head; access; access = access->next) {
		/* The stored remark text is written out verbatim. */
		if (access->remark) {
			vty_out(vty, "%saccess-list %s remark %s\n",
				family_kw, access->name, access->remark);
			written++;
		}

		for (mfilter = access->head; mfilter; mfilter = mfilter->next) {
			vty_out(vty, "%saccess-list %s seq %" PRId64 " %s",
				family_kw, access->name, mfilter->seq,
				filter_type_str(mfilter));

			/* The entry printers finish the line. */
			if (mfilter->cisco)
				config_write_access_cisco(vty, mfilter);
			else
				config_write_access_zebra(vty, mfilter);

			written++;
		}
	}

	return written;
}

/* Write all access lists of address family afi as configuration commands,
 * numbered lists first, then named ones. Returns the number of lines
 * written, or 0 when there is no master for afi.
 */
static int config_write_access(struct vty *vty, afi_t afi)
{
	struct access_master *master = access_master_get(afi);
	int write = 0;

	if (master == NULL)
		return 0;

	write += config_write_access_chain(vty, master->num.head, afi);
	write += config_write_access_chain(vty, master->str.head, afi);

	return write;
}
/* Command node for MAC access lists; passed to install_node() together
 * with config_write_access_mac in access_list_init_mac().
 * NOTE(review): the rest of the initializer is on a line this listing does
 * not show. */
2820 static struct cmd_node access_mac_node
= {
2821 ACCESS_MAC_NODE
, "", /* Access list has no interface. */
/*
 * Configuration writer for the MAC access-list node.
 *
 * Delegates to config_write_access() with AFI_L2VPN and hands its result
 * back to the caller unchanged.
 */
static int config_write_access_mac(struct vty *vty)
{
	int result = config_write_access(vty, AFI_L2VPN);

	return result;
}
/*
 * Delete every MAC (AFI_L2VPN) access list, from both the master->num and
 * the master->str list.
 *
 * NOTE(review): original lines 2836-2838 are missing from this listing, so
 * whether master is checked for NULL before it is dereferenced cannot be
 * seen here -- confirm.
 */
2829 static void access_list_reset_mac(void)
2831 struct access_list
*access
;
2832 struct access_list
*next
;
2833 struct access_master
*master
;
2835 master
= access_master_get(AFI_L2VPN
);
/* next is read before access_list_delete() is called, so the loop never
 * touches an entry after handing it to the delete routine. */
2839 for (access
= master
->num
.head
; access
; access
= next
) {
2840 next
= access
->next
;
2841 access_list_delete(access
);
2843 for (access
= master
->str
.head
; access
; access
= next
) {
2844 next
= access
->next
;
2845 access_list_delete(access
);
/* Both lists must be empty now. If assert() here is the standard macro, it
 * is compiled out under NDEBUG and a leftover entry would go unnoticed. */
2848 assert(master
->num
.head
== NULL
);
2849 assert(master
->num
.tail
== NULL
);
2851 assert(master
->str
.head
== NULL
);
2852 assert(master
->str
.tail
== NULL
);
/*
 * Register the MAC access-list node and its vty commands.
 *
 * The show commands are installed at ENABLE_NODE; every command that
 * defines or removes a MAC access list is installed at CONFIG_NODE.
 */
static void access_list_init_mac(void)
{
	/* The node's configuration is written by config_write_access_mac(). */
	install_node(&access_mac_node, config_write_access_mac);

	/* Show commands. */
	install_element(ENABLE_NODE, &show_mac_access_list_cmd);
	install_element(ENABLE_NODE, &show_mac_access_list_name_cmd);

	/* Zebra access-list commands and their "no" forms. */
	install_element(CONFIG_NODE, &mac_access_list_cmd);
	install_element(CONFIG_NODE, &no_mac_access_list_cmd);
	install_element(CONFIG_NODE, &mac_access_list_any_cmd);
	install_element(CONFIG_NODE, &no_mac_access_list_any_cmd);
}
2870 /* Access-list node for IPv4 lists; passed to install_node() together
 * with config_write_access_ipv4 in access_list_init_ipv4().
 * NOTE(review): the rest of the initializer is on a line this listing does
 * not show. */
2871 static struct cmd_node access_node
= {ACCESS_NODE
,
2872 "", /* Access list has no interface. */
/*
 * Configuration writer for the IPv4 access-list node.
 *
 * Delegates to config_write_access() with AFI_IP and hands its result back
 * to the caller unchanged.
 */
static int config_write_access_ipv4(struct vty *vty)
{
	int result = config_write_access(vty, AFI_IP);

	return result;
}
/*
 * Delete every IPv4 (AFI_IP) access list, from both the master->num and
 * the master->str list.
 *
 * NOTE(review): original lines 2887-2889 are missing from this listing, so
 * whether master is checked for NULL before it is dereferenced cannot be
 * seen here -- confirm.
 */
2880 static void access_list_reset_ipv4(void)
2882 struct access_list
*access
;
2883 struct access_list
*next
;
2884 struct access_master
*master
;
2886 master
= access_master_get(AFI_IP
);
/* next is read before access_list_delete() is called, so the loop never
 * touches an entry after handing it to the delete routine. */
2890 for (access
= master
->num
.head
; access
; access
= next
) {
2891 next
= access
->next
;
2892 access_list_delete(access
);
2894 for (access
= master
->str
.head
; access
; access
= next
) {
2895 next
= access
->next
;
2896 access_list_delete(access
);
/* Both lists must be empty now. If assert() here is the standard macro, it
 * is compiled out under NDEBUG and a leftover entry would go unnoticed. */
2899 assert(master
->num
.head
== NULL
);
2900 assert(master
->num
.tail
== NULL
);
2902 assert(master
->str
.head
== NULL
);
2903 assert(master
->str
.tail
== NULL
);
/*
 * Register the IPv4 access-list node and its vty commands.
 *
 * The show commands are installed at ENABLE_NODE; every command that
 * defines, annotates or removes an access list is installed at CONFIG_NODE.
 */
static void access_list_init_ipv4(void)
{
	/* The node's configuration is written by config_write_access_ipv4(). */
	install_node(&access_node, config_write_access_ipv4);

	/* Show commands. */
	install_element(ENABLE_NODE, &show_ip_access_list_cmd);
	install_element(ENABLE_NODE, &show_ip_access_list_name_cmd);

	/* Zebra access-list commands. */
	install_element(CONFIG_NODE, &access_list_exact_cmd);
	install_element(CONFIG_NODE, &access_list_any_cmd);
	install_element(CONFIG_NODE, &no_access_list_exact_cmd);
	install_element(CONFIG_NODE, &no_access_list_any_cmd);

	/* Standard access-list commands, then their "no" forms. */
	install_element(CONFIG_NODE, &access_list_standard_cmd);
	install_element(CONFIG_NODE, &access_list_standard_nomask_cmd);
	install_element(CONFIG_NODE, &access_list_standard_host_cmd);
	install_element(CONFIG_NODE, &access_list_standard_any_cmd);
	install_element(CONFIG_NODE, &no_access_list_standard_cmd);
	install_element(CONFIG_NODE, &no_access_list_standard_nomask_cmd);
	install_element(CONFIG_NODE, &no_access_list_standard_host_cmd);
	install_element(CONFIG_NODE, &no_access_list_standard_any_cmd);

	/* Extended access-list commands, then their "no" forms. */
	install_element(CONFIG_NODE, &access_list_extended_cmd);
	install_element(CONFIG_NODE, &access_list_extended_any_mask_cmd);
	install_element(CONFIG_NODE, &access_list_extended_mask_any_cmd);
	install_element(CONFIG_NODE, &access_list_extended_any_any_cmd);
	install_element(CONFIG_NODE, &access_list_extended_host_mask_cmd);
	install_element(CONFIG_NODE, &access_list_extended_mask_host_cmd);
	install_element(CONFIG_NODE, &access_list_extended_host_host_cmd);
	install_element(CONFIG_NODE, &access_list_extended_any_host_cmd);
	install_element(CONFIG_NODE, &access_list_extended_host_any_cmd);
	install_element(CONFIG_NODE, &no_access_list_extended_cmd);
	install_element(CONFIG_NODE, &no_access_list_extended_any_mask_cmd);
	install_element(CONFIG_NODE, &no_access_list_extended_mask_any_cmd);
	install_element(CONFIG_NODE, &no_access_list_extended_any_any_cmd);
	install_element(CONFIG_NODE, &no_access_list_extended_host_mask_cmd);
	install_element(CONFIG_NODE, &no_access_list_extended_mask_host_cmd);
	install_element(CONFIG_NODE, &no_access_list_extended_host_host_cmd);
	install_element(CONFIG_NODE, &no_access_list_extended_any_host_cmd);
	install_element(CONFIG_NODE, &no_access_list_extended_host_any_cmd);

	/* Remark handling and whole-list removal. */
	install_element(CONFIG_NODE, &access_list_remark_cmd);
	install_element(CONFIG_NODE, &no_access_list_all_cmd);
	install_element(CONFIG_NODE, &no_access_list_remark_cmd);
	install_element(CONFIG_NODE, &no_access_list_remark_comment_cmd);
}
/* Command node for IPv6 access lists; passed to install_node() together
 * with config_write_access_ipv6 in access_list_init_ipv6().
 * NOTE(review): what the second ("") and third (1) initializers mean depends
 * on struct cmd_node, which is not shown here. */
2956 static struct cmd_node access_ipv6_node
= {ACCESS_IPV6_NODE
, "", 1};
/*
 * Configuration writer for the IPv6 access-list node.
 *
 * Delegates to config_write_access() with AFI_IP6 and hands its result back
 * to the caller unchanged.
 */
static int config_write_access_ipv6(struct vty *vty)
{
	int result = config_write_access(vty, AFI_IP6);

	return result;
}
/*
 * Delete every IPv6 (AFI_IP6) access list, from both the master->num and
 * the master->str list.
 *
 * NOTE(review): original lines 2970-2972 are missing from this listing, so
 * whether master is checked for NULL before it is dereferenced cannot be
 * seen here -- confirm.
 */
2963 static void access_list_reset_ipv6(void)
2965 struct access_list
*access
;
2966 struct access_list
*next
;
2967 struct access_master
*master
;
2969 master
= access_master_get(AFI_IP6
);
/* next is read before access_list_delete() is called, so the loop never
 * touches an entry after handing it to the delete routine. */
2973 for (access
= master
->num
.head
; access
; access
= next
) {
2974 next
= access
->next
;
2975 access_list_delete(access
);
2977 for (access
= master
->str
.head
; access
; access
= next
) {
2978 next
= access
->next
;
2979 access_list_delete(access
);
/* Both lists must be empty now. If assert() here is the standard macro, it
 * is compiled out under NDEBUG and a leftover entry would go unnoticed. */
2982 assert(master
->num
.head
== NULL
);
2983 assert(master
->num
.tail
== NULL
);
2985 assert(master
->str
.head
== NULL
);
2986 assert(master
->str
.tail
== NULL
);
/*
 * Register the IPv6 access-list node and its vty commands.
 *
 * The show commands are installed at ENABLE_NODE; every command that
 * defines, annotates or removes an IPv6 access list is installed at
 * CONFIG_NODE.
 */
static void access_list_init_ipv6(void)
{
	/* The node's configuration is written by config_write_access_ipv6(). */
	install_node(&access_ipv6_node, config_write_access_ipv6);

	/* Show commands. */
	install_element(ENABLE_NODE, &show_ipv6_access_list_cmd);
	install_element(ENABLE_NODE, &show_ipv6_access_list_name_cmd);

	/* Entry commands and their "no" forms. */
	install_element(CONFIG_NODE, &ipv6_access_list_exact_cmd);
	install_element(CONFIG_NODE, &ipv6_access_list_any_cmd);
	install_element(CONFIG_NODE, &no_ipv6_access_list_exact_cmd);
	install_element(CONFIG_NODE, &no_ipv6_access_list_any_cmd);

	/* Whole-list removal and remark handling. */
	install_element(CONFIG_NODE, &no_ipv6_access_list_all_cmd);
	install_element(CONFIG_NODE, &ipv6_access_list_remark_cmd);
	install_element(CONFIG_NODE, &no_ipv6_access_list_remark_cmd);
	install_element(CONFIG_NODE, &no_ipv6_access_list_remark_comment_cmd);
}
/*
 * Install the access-list command nodes and vty commands for IPv4, IPv6
 * and MAC access lists, in that order.
 */
void access_list_init(void)
{
	access_list_init_ipv4();
	access_list_init_ipv6();
	access_list_init_mac();
}
/* Delete all access lists by running the per-family reset routines for
 * IPv4, IPv6 and MAC, in that order. */
3014 void access_list_reset(void)
3016 access_list_reset_ipv4();
3017 access_list_reset_ipv6();
3018 access_list_reset_mac();