1 /* Route filtering function.
2 * Copyright (C) 1998, 1999 Kunihiro Ishiguro
4 * This file is part of GNU Zebra.
6 * GNU Zebra is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published
8 * by the Free Software Foundation; either version 2, or (at your
9 * option) any later version.
11 * GNU Zebra is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * General Public License for more details.
16 * You should have received a copy of the GNU General Public License along
17 * with this program; see the file COPYING; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
27 #include "sockunion.h"
33 DEFINE_MTYPE_STATIC(LIB
, ACCESS_LIST
, "Access List")
34 DEFINE_MTYPE_STATIC(LIB
, ACCESS_LIST_STR
, "Access List Str")
35 DEFINE_MTYPE_STATIC(LIB
, ACCESS_FILTER
, "Access Filter")
39 /* Cisco access-list */
42 struct in_addr addr_mask
;
44 struct in_addr mask_mask
;
49 /* If this filter is "exact" match then this flag is set. */
52 /* Prefix information. */
56 /* Filter element of access list */
59 /* For doubly linked list. */
63 /* Filter type information. */
64 enum filter_type type
;
66 /* Cisco access-list */
71 struct filter_cisco cfilter
;
72 struct filter_zebra zfilter
;
76 /* List of access_list. */
77 struct access_list_list
79 struct access_list
*head
;
80 struct access_list
*tail
;
83 /* Master structure of access_list. */
86 /* List of access_lists whose name is a number. */
87 struct access_list_list num
;
89 /* List of access_lists whose name is a string. */
90 struct access_list_list str
;
92 /* Hook function which is executed when new access_list is added. */
93 void (*add_hook
) (struct access_list
*);
95 /* Hook function which is executed when access_list is deleted. */
96 void (*delete_hook
) (struct access_list
*);
99 /* Static structure for IPv4 access_list's master. */
100 static struct access_master access_master_ipv4
=
108 /* Static structure for IPv6 access_list's master. */
109 static struct access_master access_master_ipv6
=
/* Return the access_master that holds the access lists of address
   family AFI: the IPv4 master for AFI_IP, the IPv6 master for
   AFI_IP6.  Any other AFI yields NULL, so callers must check the
   result before dereferencing it.  */
static struct access_master *
access_master_get (afi_t afi)
{
  switch (afi)
    {
    case AFI_IP:
      return &access_master_ipv4;
    case AFI_IP6:
      return &access_master_ipv6;
    default:
      return NULL;
    }
}
/* Allocate one struct filter from the MTYPE_ACCESS_FILTER pool.  The
   memory comes from XCALLOC (presumably zero-filled, as the name
   suggests -- confirm against the memory wrapper) and is released
   with filter_free().  */
static struct filter *
filter_new (void)
{
  struct filter *fresh = XCALLOC (MTYPE_ACCESS_FILTER, sizeof *fresh);

  return fresh;
}
136 filter_free (struct filter
*filter
)
138 XFREE (MTYPE_ACCESS_FILTER
, filter
);
141 /* Return string of filter_type. */
143 filter_type_str (struct filter
*filter
)
145 switch (filter
->type
)
162 /* If the filter matches the prefix, return 1. */
164 filter_match_cisco (struct filter
*mfilter
, struct prefix
*p
)
166 struct filter_cisco
*filter
;
168 u_int32_t check_addr
;
169 u_int32_t check_mask
;
171 filter
= &mfilter
->u
.cfilter
;
172 check_addr
= p
->u
.prefix4
.s_addr
& ~filter
->addr_mask
.s_addr
;
174 if (filter
->extended
)
176 masklen2ip (p
->prefixlen
, &mask
);
177 check_mask
= mask
.s_addr
& ~filter
->mask_mask
.s_addr
;
179 if (memcmp (&check_addr
, &filter
->addr
.s_addr
, 4) == 0
180 && memcmp (&check_mask
, &filter
->mask
.s_addr
, 4) == 0)
183 else if (memcmp (&check_addr
, &filter
->addr
.s_addr
, 4) == 0)
189 /* If the filter matches the prefix, return 1. */
191 filter_match_zebra (struct filter
*mfilter
, struct prefix
*p
)
193 struct filter_zebra
*filter
;
195 filter
= &mfilter
->u
.zfilter
;
197 if (filter
->prefix
.family
== p
->family
)
201 if (filter
->prefix
.prefixlen
== p
->prefixlen
)
202 return prefix_match (&filter
->prefix
, p
);
207 return prefix_match (&filter
->prefix
, p
);
/* Allocate one struct access_list from the MTYPE_ACCESS_LIST pool.
   The memory comes from XCALLOC (presumably zero-filled, as the name
   suggests -- confirm against the memory wrapper) and is released
   with access_list_free().  */
static struct access_list *
access_list_new (void)
{
  struct access_list *fresh = XCALLOC (MTYPE_ACCESS_LIST, sizeof *fresh);

  return fresh;
}
221 /* Free allocated access_list. */
223 access_list_free (struct access_list
*access
)
225 XFREE (MTYPE_ACCESS_LIST
, access
);
228 /* Delete access_list from access_master and free it. */
230 access_list_delete (struct access_list
*access
)
232 struct filter
*filter
;
234 struct access_list_list
*list
;
235 struct access_master
*master
;
237 for (filter
= access
->head
; filter
; filter
= next
)
240 filter_free (filter
);
243 master
= access
->master
;
245 if (access
->type
== ACCESS_TYPE_NUMBER
)
251 access
->next
->prev
= access
->prev
;
253 list
->tail
= access
->prev
;
256 access
->prev
->next
= access
->next
;
258 list
->head
= access
->next
;
261 XFREE (MTYPE_ACCESS_LIST_STR
, access
->name
);
264 XFREE (MTYPE_TMP
, access
->remark
);
266 access_list_free (access
);
269 /* Insert a new access list into the list of access_lists. The list
270 is kept sorted by name. */
271 static struct access_list
*
272 access_list_insert (afi_t afi
, const char *name
)
276 struct access_list
*access
;
277 struct access_list
*point
;
278 struct access_list_list
*alist
;
279 struct access_master
*master
;
281 master
= access_master_get (afi
);
285 /* Allocate new access_list and copy given name. */
286 access
= access_list_new ();
287 access
->name
= XSTRDUP (MTYPE_ACCESS_LIST_STR
, name
);
288 access
->master
= master
;
290 /* If name is made by all digit character. We treat it as
292 for (number
= 0, i
= 0; i
< strlen (name
); i
++)
294 if (isdigit ((int) name
[i
]))
295 number
= (number
* 10) + (name
[i
] - '0');
300 /* The name consists entirely of digit characters. */
301 if (i
== strlen (name
))
303 access
->type
= ACCESS_TYPE_NUMBER
;
305 /* Set access_list to number list. */
306 alist
= &master
->num
;
308 for (point
= alist
->head
; point
; point
= point
->next
)
309 if (atol (point
->name
) >= number
)
314 access
->type
= ACCESS_TYPE_STRING
;
316 /* Set access_list to string list. */
317 alist
= &master
->str
;
319 /* Set point to insertion point. */
320 for (point
= alist
->head
; point
; point
= point
->next
)
321 if (strcmp (point
->name
, name
) >= 0)
325 /* In case of this is the first element of master. */
326 if (alist
->head
== NULL
)
328 alist
->head
= alist
->tail
= access
;
332 /* In case of insertion is made at the tail of access_list. */
335 access
->prev
= alist
->tail
;
336 alist
->tail
->next
= access
;
337 alist
->tail
= access
;
341 /* In case of insertion is made at the head of access_list. */
342 if (point
== alist
->head
)
344 access
->next
= alist
->head
;
345 alist
->head
->prev
= access
;
346 alist
->head
= access
;
350 /* Insertion is made at middle of the access_list. */
351 access
->next
= point
;
352 access
->prev
= point
->prev
;
355 point
->prev
->next
= access
;
356 point
->prev
= access
;
361 /* Lookup access_list from list of access_list by name. */
363 access_list_lookup (afi_t afi
, const char *name
)
365 struct access_list
*access
;
366 struct access_master
*master
;
371 master
= access_master_get (afi
);
375 for (access
= master
->num
.head
; access
; access
= access
->next
)
376 if (strcmp (access
->name
, name
) == 0)
379 for (access
= master
->str
.head
; access
; access
= access
->next
)
380 if (strcmp (access
->name
, name
) == 0)
/* Return the access_list called NAME for address family AFI.  When no
   list of that name exists yet, one is created through
   access_list_insert() and returned instead.

   NOTE(review): NAME is passed straight through from the command
   handlers; this function does no length or character validation of
   its own.  Of the visible callers, filter_set_zebra() bounds the
   name by ACL_NAMSIZ before calling -- confirm the other callers
   constrain it as well.  */
static struct access_list *
access_list_get (afi_t afi, const char *name)
{
  struct access_list *found = access_list_lookup (afi, name);

  if (found != NULL)
    return found;

  return access_list_insert (afi, name);
}
399 /* Apply access list to object (which should be struct prefix *). */
401 access_list_apply (struct access_list
*access
, void *object
)
403 struct filter
*filter
;
406 p
= (struct prefix
*) object
;
411 for (filter
= access
->head
; filter
; filter
= filter
->next
)
415 if (filter_match_cisco (filter
, p
))
420 if (filter_match_zebra (filter
, p
))
428 /* Add hook function. */
430 access_list_add_hook (void (*func
) (struct access_list
*access
))
432 access_master_ipv4
.add_hook
= func
;
433 access_master_ipv6
.add_hook
= func
;
436 /* Delete hook function. */
438 access_list_delete_hook (void (*func
) (struct access_list
*access
))
440 access_master_ipv4
.delete_hook
= func
;
441 access_master_ipv6
.delete_hook
= func
;
444 /* Add new filter to the end of specified access_list. */
446 access_list_filter_add (struct access_list
*access
, struct filter
*filter
)
449 filter
->prev
= access
->tail
;
452 access
->tail
->next
= filter
;
454 access
->head
= filter
;
455 access
->tail
= filter
;
457 /* Run hook function. */
458 if (access
->master
->add_hook
)
459 (*access
->master
->add_hook
) (access
);
460 route_map_notify_dependencies(access
->name
, RMAP_EVENT_FILTER_ADDED
);
463 /* If access_list has no filter then return 1. */
465 access_list_empty (struct access_list
*access
)
467 if (access
->head
== NULL
&& access
->tail
== NULL
)
473 /* Delete filter from specified access_list. If there is hook
474 function execute it. */
476 access_list_filter_delete (struct access_list
*access
, struct filter
*filter
)
478 struct access_master
*master
;
480 master
= access
->master
;
483 filter
->next
->prev
= filter
->prev
;
485 access
->tail
= filter
->prev
;
488 filter
->prev
->next
= filter
->next
;
490 access
->head
= filter
->next
;
492 filter_free (filter
);
494 route_map_notify_dependencies(access
->name
, RMAP_EVENT_FILTER_DELETED
);
495 /* Run hook function. */
496 if (master
->delete_hook
)
497 (*master
->delete_hook
) (access
);
499 /* If access_list becomes empty delete it from access_master. */
500 if (access_list_empty (access
))
501 access_list_delete (access
);
505 deny Specify packets to reject
506 permit Specify packets to forward
511 Hostname or A.B.C.D Address to match
513 host A single host address
/* Search ACCESS for an existing Cisco-style filter equivalent to MNEW.

   Two entries are equivalent when their filter type, address and
   address wildcard agree; if the entry already in the list is flagged
   extended, its mask and mask wildcard must agree with MNEW as well.
   Returns the matching entry from the list (never MNEW itself), or
   NULL when there is none.  The callers use this both to suppress
   duplicate entries and to find the entry a "no access-list" command
   refers to.  */
static struct filter *
filter_lookup_cisco (struct access_list *access, struct filter *mnew)
{
  const struct filter_cisco *want = &mnew->u.cfilter;
  struct filter *cur;

  for (cur = access->head; cur != NULL; cur = cur->next)
    {
      const struct filter_cisco *have = &cur->u.cfilter;

      /* Fields every Cisco entry is compared on.  */
      if (cur->type != mnew->type
          || have->addr.s_addr != want->addr.s_addr
          || have->addr_mask.s_addr != want->addr_mask.s_addr)
        continue;

      /* A standard entry is fully identified by the fields above.  */
      if (!have->extended)
        return cur;

      /* An extended entry also carries a mask/wildcard pair.  */
      if (have->mask.s_addr == want->mask.s_addr
          && have->mask_mask.s_addr == want->mask_mask.s_addr)
        return cur;
    }

  return NULL;
}
/* Search ACCESS for an existing Zebra-style filter equivalent to MNEW.

   Two entries are equivalent when their exact-match flag and filter
   type agree and prefix_same() reports the prefixes as the same.
   Returns the matching entry from the list (never MNEW itself), or
   NULL when there is none.  */
static struct filter *
filter_lookup_zebra (struct access_list *access, struct filter *mnew)
{
  struct filter_zebra *want = &mnew->u.zfilter;
  struct filter *cur = access->head;

  while (cur != NULL)
    {
      struct filter_zebra *have = &cur->u.zfilter;

      if (have->exact == want->exact
          && cur->type == mnew->type
          && prefix_same (&have->prefix, &want->prefix))
        return cur;

      cur = cur->next;
    }

  return NULL;
}
572 vty_access_list_remark_unset (struct vty
*vty
, afi_t afi
, const char *name
)
574 struct access_list
*access
;
576 access
= access_list_lookup (afi
, name
);
579 vty_outln (vty
, "%% access-list %s doesn't exist",name
);
580 return CMD_WARNING_CONFIG_FAILED
;
585 XFREE (MTYPE_TMP
, access
->remark
);
586 access
->remark
= NULL
;
589 if (access
->head
== NULL
&& access
->tail
== NULL
&& access
->remark
== NULL
)
590 access_list_delete (access
);
596 filter_set_cisco (struct vty
*vty
, const char *name_str
, const char *type_str
,
597 const char *addr_str
, const char *addr_mask_str
,
598 const char *mask_str
, const char *mask_mask_str
,
599 int extended
, int set
)
602 enum filter_type type
;
603 struct filter
*mfilter
;
604 struct filter_cisco
*filter
;
605 struct access_list
*access
;
607 struct in_addr addr_mask
;
609 struct in_addr mask_mask
;
611 /* Check of filter type. */
612 if (strncmp (type_str
, "p", 1) == 0)
613 type
= FILTER_PERMIT
;
614 else if (strncmp (type_str
, "d", 1) == 0)
618 vty_outln (vty
, "%% filter type must be permit or deny");
619 return CMD_WARNING_CONFIG_FAILED
;
622 ret
= inet_aton (addr_str
, &addr
);
625 vty_outln (vty
,"%%Inconsistent address and mask");
626 return CMD_WARNING_CONFIG_FAILED
;
629 ret
= inet_aton (addr_mask_str
, &addr_mask
);
632 vty_outln (vty
,"%%Inconsistent address and mask");
633 return CMD_WARNING_CONFIG_FAILED
;
638 ret
= inet_aton (mask_str
, &mask
);
641 vty_outln (vty
,"%%Inconsistent address and mask");
642 return CMD_WARNING_CONFIG_FAILED
;
645 ret
= inet_aton (mask_mask_str
, &mask_mask
);
648 vty_outln (vty
,"%%Inconsistent address and mask");
649 return CMD_WARNING_CONFIG_FAILED
;
653 mfilter
= filter_new();
654 mfilter
->type
= type
;
656 filter
= &mfilter
->u
.cfilter
;
657 filter
->extended
= extended
;
658 filter
->addr
.s_addr
= addr
.s_addr
& ~addr_mask
.s_addr
;
659 filter
->addr_mask
.s_addr
= addr_mask
.s_addr
;
663 filter
->mask
.s_addr
= mask
.s_addr
& ~mask_mask
.s_addr
;
664 filter
->mask_mask
.s_addr
= mask_mask
.s_addr
;
667 /* Install new filter to the access_list. */
668 access
= access_list_get (AFI_IP
, name_str
);
672 if (filter_lookup_cisco (access
, mfilter
))
673 filter_free (mfilter
);
675 access_list_filter_add (access
, mfilter
);
679 struct filter
*delete_filter
;
681 delete_filter
= filter_lookup_cisco (access
, mfilter
);
683 access_list_filter_delete (access
, delete_filter
);
685 filter_free (mfilter
);
691 /* Standard access-list */
692 DEFUN (access_list_standard
,
693 access_list_standard_cmd
,
694 "access-list <(1-99)|(1300-1999)> <deny|permit> A.B.C.D A.B.C.D",
695 "Add an access list entry\n"
696 "IP standard access list\n"
697 "IP standard access list (expanded range)\n"
698 "Specify packets to reject\n"
699 "Specify packets to forward\n"
704 int idx_permit_deny
= 2;
707 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
, argv
[idx_ipv4_2
]->arg
,
711 DEFUN (access_list_standard_nomask
,
712 access_list_standard_nomask_cmd
,
713 "access-list <(1-99)|(1300-1999)> <deny|permit> A.B.C.D",
714 "Add an access list entry\n"
715 "IP standard access list\n"
716 "IP standard access list (expanded range)\n"
717 "Specify packets to reject\n"
718 "Specify packets to forward\n"
719 "Address to match\n")
722 int idx_permit_deny
= 2;
724 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
, "0.0.0.0",
728 DEFUN (access_list_standard_host
,
729 access_list_standard_host_cmd
,
730 "access-list <(1-99)|(1300-1999)> <deny|permit> host A.B.C.D",
731 "Add an access list entry\n"
732 "IP standard access list\n"
733 "IP standard access list (expanded range)\n"
734 "Specify packets to reject\n"
735 "Specify packets to forward\n"
736 "A single host address\n"
737 "Address to match\n")
740 int idx_permit_deny
= 2;
742 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
, "0.0.0.0",
746 DEFUN (access_list_standard_any
,
747 access_list_standard_any_cmd
,
748 "access-list <(1-99)|(1300-1999)> <deny|permit> any",
749 "Add an access list entry\n"
750 "IP standard access list\n"
751 "IP standard access list (expanded range)\n"
752 "Specify packets to reject\n"
753 "Specify packets to forward\n"
757 int idx_permit_deny
= 2;
758 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
759 "255.255.255.255", NULL
, NULL
, 0, 1);
762 DEFUN (no_access_list_standard
,
763 no_access_list_standard_cmd
,
764 "no access-list <(1-99)|(1300-1999)> <deny|permit> A.B.C.D A.B.C.D",
766 "Add an access list entry\n"
767 "IP standard access list\n"
768 "IP standard access list (expanded range)\n"
769 "Specify packets to reject\n"
770 "Specify packets to forward\n"
775 int idx_permit_deny
= 3;
778 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
, argv
[idx_ipv4_2
]->arg
,
782 DEFUN (no_access_list_standard_nomask
,
783 no_access_list_standard_nomask_cmd
,
784 "no access-list <(1-99)|(1300-1999)> <deny|permit> A.B.C.D",
786 "Add an access list entry\n"
787 "IP standard access list\n"
788 "IP standard access list (expanded range)\n"
789 "Specify packets to reject\n"
790 "Specify packets to forward\n"
791 "Address to match\n")
794 int idx_permit_deny
= 3;
796 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
, "0.0.0.0",
800 DEFUN (no_access_list_standard_host
,
801 no_access_list_standard_host_cmd
,
802 "no access-list <(1-99)|(1300-1999)> <deny|permit> host A.B.C.D",
804 "Add an access list entry\n"
805 "IP standard access list\n"
806 "IP standard access list (expanded range)\n"
807 "Specify packets to reject\n"
808 "Specify packets to forward\n"
809 "A single host address\n"
810 "Address to match\n")
813 int idx_permit_deny
= 3;
815 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
, "0.0.0.0",
819 DEFUN (no_access_list_standard_any
,
820 no_access_list_standard_any_cmd
,
821 "no access-list <(1-99)|(1300-1999)> <deny|permit> any",
823 "Add an access list entry\n"
824 "IP standard access list\n"
825 "IP standard access list (expanded range)\n"
826 "Specify packets to reject\n"
827 "Specify packets to forward\n"
831 int idx_permit_deny
= 3;
832 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
833 "255.255.255.255", NULL
, NULL
, 0, 0);
836 /* Extended access-list */
837 DEFUN (access_list_extended
,
838 access_list_extended_cmd
,
839 "access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D A.B.C.D A.B.C.D",
840 "Add an access list entry\n"
841 "IP extended access list\n"
842 "IP extended access list (expanded range)\n"
843 "Specify packets to reject\n"
844 "Specify packets to forward\n"
845 "Any Internet Protocol\n"
847 "Source wildcard bits\n"
848 "Destination address\n"
849 "Destination Wildcard bits\n")
852 int idx_permit_deny
= 2;
857 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
858 argv
[idx_ipv4_2
]->arg
, argv
[idx_ipv4_3
]->arg
, argv
[idx_ipv4_4
]->arg
, 1 ,1);
861 DEFUN (access_list_extended_mask_any
,
862 access_list_extended_mask_any_cmd
,
863 "access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D any",
864 "Add an access list entry\n"
865 "IP extended access list\n"
866 "IP extended access list (expanded range)\n"
867 "Specify packets to reject\n"
868 "Specify packets to forward\n"
869 "Any Internet Protocol\n"
871 "Source wildcard bits\n"
872 "Any destination host\n")
875 int idx_permit_deny
= 2;
878 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
879 argv
[idx_ipv4_2
]->arg
, "0.0.0.0",
880 "255.255.255.255", 1, 1);
883 DEFUN (access_list_extended_any_mask
,
884 access_list_extended_any_mask_cmd
,
885 "access-list <(100-199)|(2000-2699)> <deny|permit> ip any A.B.C.D A.B.C.D",
886 "Add an access list entry\n"
887 "IP extended access list\n"
888 "IP extended access list (expanded range)\n"
889 "Specify packets to reject\n"
890 "Specify packets to forward\n"
891 "Any Internet Protocol\n"
893 "Destination address\n"
894 "Destination Wildcard bits\n")
897 int idx_permit_deny
= 2;
900 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
901 "255.255.255.255", argv
[idx_ipv4
]->arg
,
902 argv
[idx_ipv4_2
]->arg
, 1, 1);
905 DEFUN (access_list_extended_any_any
,
906 access_list_extended_any_any_cmd
,
907 "access-list <(100-199)|(2000-2699)> <deny|permit> ip any any",
908 "Add an access list entry\n"
909 "IP extended access list\n"
910 "IP extended access list (expanded range)\n"
911 "Specify packets to reject\n"
912 "Specify packets to forward\n"
913 "Any Internet Protocol\n"
915 "Any destination host\n")
918 int idx_permit_deny
= 2;
919 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
920 "255.255.255.255", "0.0.0.0",
921 "255.255.255.255", 1, 1);
924 DEFUN (access_list_extended_mask_host
,
925 access_list_extended_mask_host_cmd
,
926 "access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D host A.B.C.D",
927 "Add an access list entry\n"
928 "IP extended access list\n"
929 "IP extended access list (expanded range)\n"
930 "Specify packets to reject\n"
931 "Specify packets to forward\n"
932 "Any Internet Protocol\n"
934 "Source wildcard bits\n"
935 "A single destination host\n"
936 "Destination address\n")
939 int idx_permit_deny
= 2;
943 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
944 argv
[idx_ipv4_2
]->arg
, argv
[idx_ipv4_3
]->arg
,
948 DEFUN (access_list_extended_host_mask
,
949 access_list_extended_host_mask_cmd
,
950 "access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D A.B.C.D A.B.C.D",
951 "Add an access list entry\n"
952 "IP extended access list\n"
953 "IP extended access list (expanded range)\n"
954 "Specify packets to reject\n"
955 "Specify packets to forward\n"
956 "Any Internet Protocol\n"
957 "A single source host\n"
959 "Destination address\n"
960 "Destination Wildcard bits\n")
963 int idx_permit_deny
= 2;
967 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
968 "0.0.0.0", argv
[idx_ipv4_2
]->arg
,
969 argv
[idx_ipv4_3
]->arg
, 1, 1);
972 DEFUN (access_list_extended_host_host
,
973 access_list_extended_host_host_cmd
,
974 "access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D host A.B.C.D",
975 "Add an access list entry\n"
976 "IP extended access list\n"
977 "IP extended access list (expanded range)\n"
978 "Specify packets to reject\n"
979 "Specify packets to forward\n"
980 "Any Internet Protocol\n"
981 "A single source host\n"
983 "A single destination host\n"
984 "Destination address\n")
987 int idx_permit_deny
= 2;
990 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
991 "0.0.0.0", argv
[idx_ipv4_2
]->arg
,
995 DEFUN (access_list_extended_any_host
,
996 access_list_extended_any_host_cmd
,
997 "access-list <(100-199)|(2000-2699)> <deny|permit> ip any host A.B.C.D",
998 "Add an access list entry\n"
999 "IP extended access list\n"
1000 "IP extended access list (expanded range)\n"
1001 "Specify packets to reject\n"
1002 "Specify packets to forward\n"
1003 "Any Internet Protocol\n"
1005 "A single destination host\n"
1006 "Destination address\n")
1009 int idx_permit_deny
= 2;
1011 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
1012 "255.255.255.255", argv
[idx_ipv4
]->arg
,
1016 DEFUN (access_list_extended_host_any
,
1017 access_list_extended_host_any_cmd
,
1018 "access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D any",
1019 "Add an access list entry\n"
1020 "IP extended access list\n"
1021 "IP extended access list (expanded range)\n"
1022 "Specify packets to reject\n"
1023 "Specify packets to forward\n"
1024 "Any Internet Protocol\n"
1025 "A single source host\n"
1027 "Any destination host\n")
1030 int idx_permit_deny
= 2;
1032 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1033 "0.0.0.0", "0.0.0.0",
1034 "255.255.255.255", 1, 1);
1037 DEFUN (no_access_list_extended
,
1038 no_access_list_extended_cmd
,
1039 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D A.B.C.D A.B.C.D",
1041 "Add an access list entry\n"
1042 "IP extended access list\n"
1043 "IP extended access list (expanded range)\n"
1044 "Specify packets to reject\n"
1045 "Specify packets to forward\n"
1046 "Any Internet Protocol\n"
1048 "Source wildcard bits\n"
1049 "Destination address\n"
1050 "Destination Wildcard bits\n")
1053 int idx_permit_deny
= 3;
1058 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1059 argv
[idx_ipv4_2
]->arg
, argv
[idx_ipv4_3
]->arg
, argv
[idx_ipv4_4
]->arg
, 1, 0);
1062 DEFUN (no_access_list_extended_mask_any
,
1063 no_access_list_extended_mask_any_cmd
,
1064 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D any",
1066 "Add an access list entry\n"
1067 "IP extended access list\n"
1068 "IP extended access list (expanded range)\n"
1069 "Specify packets to reject\n"
1070 "Specify packets to forward\n"
1071 "Any Internet Protocol\n"
1073 "Source wildcard bits\n"
1074 "Any destination host\n")
1077 int idx_permit_deny
= 3;
1080 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1081 argv
[idx_ipv4_2
]->arg
, "0.0.0.0",
1082 "255.255.255.255", 1, 0);
1085 DEFUN (no_access_list_extended_any_mask
,
1086 no_access_list_extended_any_mask_cmd
,
1087 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip any A.B.C.D A.B.C.D",
1089 "Add an access list entry\n"
1090 "IP extended access list\n"
1091 "IP extended access list (expanded range)\n"
1092 "Specify packets to reject\n"
1093 "Specify packets to forward\n"
1094 "Any Internet Protocol\n"
1096 "Destination address\n"
1097 "Destination Wildcard bits\n")
1100 int idx_permit_deny
= 3;
1103 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
1104 "255.255.255.255", argv
[idx_ipv4
]->arg
,
1105 argv
[idx_ipv4_2
]->arg
, 1, 0);
1108 DEFUN (no_access_list_extended_any_any
,
1109 no_access_list_extended_any_any_cmd
,
1110 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip any any",
1112 "Add an access list entry\n"
1113 "IP extended access list\n"
1114 "IP extended access list (expanded range)\n"
1115 "Specify packets to reject\n"
1116 "Specify packets to forward\n"
1117 "Any Internet Protocol\n"
1119 "Any destination host\n")
1122 int idx_permit_deny
= 3;
1123 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
1124 "255.255.255.255", "0.0.0.0",
1125 "255.255.255.255", 1, 0);
1128 DEFUN (no_access_list_extended_mask_host
,
1129 no_access_list_extended_mask_host_cmd
,
1130 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D host A.B.C.D",
1132 "Add an access list entry\n"
1133 "IP extended access list\n"
1134 "IP extended access list (expanded range)\n"
1135 "Specify packets to reject\n"
1136 "Specify packets to forward\n"
1137 "Any Internet Protocol\n"
1139 "Source wildcard bits\n"
1140 "A single destination host\n"
1141 "Destination address\n")
1144 int idx_permit_deny
= 3;
1148 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1149 argv
[idx_ipv4_2
]->arg
, argv
[idx_ipv4_3
]->arg
,
1153 DEFUN (no_access_list_extended_host_mask
,
1154 no_access_list_extended_host_mask_cmd
,
1155 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D A.B.C.D A.B.C.D",
1157 "Add an access list entry\n"
1158 "IP extended access list\n"
1159 "IP extended access list (expanded range)\n"
1160 "Specify packets to reject\n"
1161 "Specify packets to forward\n"
1162 "Any Internet Protocol\n"
1163 "A single source host\n"
1165 "Destination address\n"
1166 "Destination Wildcard bits\n")
1169 int idx_permit_deny
= 3;
1173 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1174 "0.0.0.0", argv
[idx_ipv4_2
]->arg
,
1175 argv
[idx_ipv4_3
]->arg
, 1, 0);
1178 DEFUN (no_access_list_extended_host_host
,
1179 no_access_list_extended_host_host_cmd
,
1180 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D host A.B.C.D",
1182 "Add an access list entry\n"
1183 "IP extended access list\n"
1184 "IP extended access list (expanded range)\n"
1185 "Specify packets to reject\n"
1186 "Specify packets to forward\n"
1187 "Any Internet Protocol\n"
1188 "A single source host\n"
1190 "A single destination host\n"
1191 "Destination address\n")
1194 int idx_permit_deny
= 3;
1197 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1198 "0.0.0.0", argv
[idx_ipv4_2
]->arg
,
1202 DEFUN (no_access_list_extended_any_host
,
1203 no_access_list_extended_any_host_cmd
,
1204 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip any host A.B.C.D",
1206 "Add an access list entry\n"
1207 "IP extended access list\n"
1208 "IP extended access list (expanded range)\n"
1209 "Specify packets to reject\n"
1210 "Specify packets to forward\n"
1211 "Any Internet Protocol\n"
1213 "A single destination host\n"
1214 "Destination address\n")
1217 int idx_permit_deny
= 3;
1219 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
1220 "255.255.255.255", argv
[idx_ipv4
]->arg
,
1224 DEFUN (no_access_list_extended_host_any
,
1225 no_access_list_extended_host_any_cmd
,
1226 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D any",
1228 "Add an access list entry\n"
1229 "IP extended access list\n"
1230 "IP extended access list (expanded range)\n"
1231 "Specify packets to reject\n"
1232 "Specify packets to forward\n"
1233 "Any Internet Protocol\n"
1234 "A single source host\n"
1236 "Any destination host\n")
1239 int idx_permit_deny
= 3;
1241 return filter_set_cisco (vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1242 "0.0.0.0", "0.0.0.0",
1243 "255.255.255.255", 1, 0);
1247 filter_set_zebra (struct vty
*vty
, const char *name_str
, const char *type_str
,
1248 afi_t afi
, const char *prefix_str
, int exact
, int set
)
1251 enum filter_type type
;
1252 struct filter
*mfilter
;
1253 struct filter_zebra
*filter
;
1254 struct access_list
*access
;
1257 if (strlen(name_str
) > ACL_NAMSIZ
)
1259 vty_outln (vty
, "%% ACL name %s is invalid: length exceeds "
1261 name_str
, ACL_NAMSIZ
);
1262 return CMD_WARNING_CONFIG_FAILED
;
1265 /* Check of filter type. */
1266 if (strncmp (type_str
, "p", 1) == 0)
1267 type
= FILTER_PERMIT
;
1268 else if (strncmp (type_str
, "d", 1) == 0)
1272 vty_outln (vty
, "filter type must be [permit|deny]");
1273 return CMD_WARNING_CONFIG_FAILED
;
1276 /* Check string format of prefix and prefixlen. */
1279 ret
= str2prefix_ipv4 (prefix_str
, (struct prefix_ipv4
*)&p
);
1282 vty_outln (vty
,"IP address prefix/prefixlen is malformed");
1283 return CMD_WARNING_CONFIG_FAILED
;
1286 else if (afi
== AFI_IP6
)
1288 ret
= str2prefix_ipv6 (prefix_str
, (struct prefix_ipv6
*) &p
);
1291 vty_outln (vty
,"IPv6 address prefix/prefixlen is malformed");
1292 return CMD_WARNING_CONFIG_FAILED
;
1296 return CMD_WARNING_CONFIG_FAILED
;
1298 mfilter
= filter_new ();
1299 mfilter
->type
= type
;
1300 filter
= &mfilter
->u
.zfilter
;
1301 prefix_copy (&filter
->prefix
, &p
);
1307 /* Install new filter to the access_list. */
1308 access
= access_list_get (afi
, name_str
);
1312 if (filter_lookup_zebra (access
, mfilter
))
1313 filter_free (mfilter
);
1315 access_list_filter_add (access
, mfilter
);
1319 struct filter
*delete_filter
;
1321 delete_filter
= filter_lookup_zebra (access
, mfilter
);
1323 access_list_filter_delete (access
, delete_filter
);
1325 filter_free (mfilter
);
1331 DEFUN (access_list_exact
,
1332 access_list_exact_cmd
,
1333 "access-list WORD <deny|permit> A.B.C.D/M [exact-match]",
1334 "Add an access list entry\n"
1335 "IP zebra access-list name\n"
1336 "Specify packets to reject\n"
1337 "Specify packets to forward\n"
1338 "Prefix to match. e.g. 10.0.0.0/8\n"
1339 "Exact match of the prefixes\n")
1344 int idx_permit_deny
= 2;
1345 int idx_ipv4_prefixlen
= 3;
1346 idx
= idx_ipv4_prefixlen
;
1348 if (argv_find (argv
, argc
, "exact-match", &idx
))
1351 return filter_set_zebra (vty
, argv
[idx_word
]->arg
, argv
[idx_permit_deny
]->arg
,
1352 AFI_IP
, argv
[idx_ipv4_prefixlen
]->arg
, exact
, 1);
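/* "access-list WORD <deny|permit> any": add a match-everything IPv4 entry.
   The entry is stored as 0.0.0.0/0 with exact matching off, which is the
   form config_write_access_zebra prints back as "any".

   NOTE(review): the braces and the idx_word declaration are not visible in
   the listing; idx_word is restored from the position of WORD in the
   command string -- confirm against the upstream file. */
DEFUN (access_list_any,
       access_list_any_cmd,
       "access-list WORD <deny|permit> any",
       "Add an access list entry\n"
       "IP zebra access-list name\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 10.0.0.0/8\n")
{
  int idx_word = 1;
  int idx_permit_deny = 2;

  return filter_set_zebra (vty, argv[idx_word]->arg,
                           argv[idx_permit_deny]->arg, AFI_IP,
                           "0.0.0.0/0", 0, 1);
}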
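/* "no access-list WORD <deny|permit> A.B.C.D/M [exact-match]": remove one
   IPv4 prefix entry from a zebra-style access list.

   NOTE(review): the listing omits one help line after the command string
   (NO_STR, for the leading "no" token), the braces, the idx_word and exact
   declarations and the "exact = 1" statement.  They are restored from the
   command string and from the sibling add command -- confirm against the
   upstream file. */
DEFUN (no_access_list_exact,
       no_access_list_exact_cmd,
       "no access-list WORD <deny|permit> A.B.C.D/M [exact-match]",
       NO_STR
       "Add an access list entry\n"
       "IP zebra access-list name\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 10.0.0.0/8\n"
       "Exact match of the prefixes\n")
{
  int idx_word = 2;               /* shifted by one for the leading "no" */
  int idx_permit_deny = 3;
  int idx_ipv4_prefixlen = 4;
  int idx = idx_ipv4_prefixlen;
  int exact = 0;

  if (argv_find (argv, argc, "exact-match", &idx))
    exact = 1;

  /* Last argument 0: this is the delete form. */
  return filter_set_zebra (vty, argv[idx_word]->arg,
                           argv[idx_permit_deny]->arg, AFI_IP,
                           argv[idx_ipv4_prefixlen]->arg, exact, 0);
}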
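/* "no access-list WORD <deny|permit> any": remove the match-everything
   IPv4 entry (0.0.0.0/0, exact matching off) from an access list.

   NOTE(review): NO_STR, the braces and the idx_word declaration are not
   visible in the listing and are restored from the command string --
   confirm against the upstream file. */
DEFUN (no_access_list_any,
       no_access_list_any_cmd,
       "no access-list WORD <deny|permit> any",
       NO_STR
       "Add an access list entry\n"
       "IP zebra access-list name\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 10.0.0.0/8\n")
{
  int idx_word = 2;
  int idx_permit_deny = 3;

  return filter_set_zebra (vty, argv[idx_word]->arg,
                           argv[idx_permit_deny]->arg, AFI_IP,
                           "0.0.0.0/0", 0, 0);
}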
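/* "no access-list <number|WORD>": delete a whole IPv4 access list.

   Order matters: route-map dependants are notified and the delete hook is
   run while ACCESS is still a live object, and only then is the list
   deleted.  ACCESS must not be used after access_list_delete ().

   NOTE(review): NO_STR, the braces, the idx_acl declaration, the NULL test
   after the lookup and the final return are not visible in the listing.
   They are restored from the command string and from the statements that
   are visible -- confirm against the upstream file. */
DEFUN (no_access_list_all,
       no_access_list_all_cmd,
       "no access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD>",
       NO_STR
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list name\n")
{
  int idx_acl = 2;
  struct access_list *access;
  struct access_master *master;

  /* Looking up access_list. */
  access = access_list_lookup (AFI_IP, argv[idx_acl]->arg);
  if (access == NULL)
    {
      vty_outln (vty, "%% access-list %s doesn't exist", argv[idx_acl]->arg);
      return CMD_WARNING_CONFIG_FAILED;
    }

  /* Keep the master pointer: it is read before ACCESS goes away. */
  master = access->master;

  route_map_notify_dependencies (access->name, RMAP_EVENT_FILTER_DELETED);

  /* Run hook function. */
  if (master->delete_hook)
    (*master->delete_hook) (access);

  /* Delete all filter from access-list. */
  access_list_delete (access);

  return CMD_SUCCESS;
}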
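/* "access-list <number|WORD> remark LINE...": attach a free-text comment to
   an IPv4 access list, replacing any earlier one.  access_list_get () is
   used, so naming a list that does not exist yet presumably creates it.

   NOTE(review): the help text promises "up to 100 characters", but no
   length check is visible here; the whole concatenated LINE is stored.
   NOTE(review): the braces, the idx_acl and idx_remark declarations, the
   test around the XFREE and the final return are not visible in the
   listing and are restored from the command string -- confirm against the
   upstream file. */
DEFUN (access_list_remark,
       access_list_remark_cmd,
       "access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD> remark LINE...",
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list\n"
       "Access list entry comment\n"
       "Comment up to 100 characters\n")
{
  int idx_acl = 1;
  int idx_remark = 3;
  struct access_list *access;

  access = access_list_get (AFI_IP, argv[idx_acl]->arg);

  /* Release the previous remark before storing the new one, so that the
     old string is not leaked. */
  if (access->remark)
    {
      XFREE (MTYPE_TMP, access->remark);
      access->remark = NULL;
    }
  access->remark = argv_concat (argv, argc, idx_remark);

  return CMD_SUCCESS;
}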
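/* "no access-list <number|WORD> remark": drop the comment of an IPv4
   access list.

   NOTE(review): NO_STR, the braces and the idx_acl declaration are not
   visible in the listing and are restored from the command string --
   confirm against the upstream file. */
DEFUN (no_access_list_remark,
       no_access_list_remark_cmd,
       "no access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD> remark",
       NO_STR
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list\n"
       "Access list entry comment\n")
{
  int idx_acl = 2;

  return vty_access_list_remark_unset (vty, AFI_IP, argv[idx_acl]->arg);
}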
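/* "no access-list <number|WORD> remark LINE...": same effect as the form
   without LINE.  The arguments are handed unchanged to
   no_access_list_remark, which only reads the list name, so the comment
   text typed after "remark" is not compared with the stored remark.

   NOTE(review): NO_STR and the braces are not visible in the listing and
   are restored here -- confirm against the upstream file. */
DEFUN (no_access_list_remark_comment,
       no_access_list_remark_comment_cmd,
       "no access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD> remark LINE...",
       NO_STR
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list\n"
       "Access list entry comment\n"
       "Comment up to 100 characters\n")
{
  return no_access_list_remark (self, vty, argc, argv);
}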
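/* "ipv6 access-list WORD <deny|permit> X:X::X:X/M [exact-match]": add one
   IPv6 prefix entry to an access list.

   NOTE(review): the listing omits two help lines, the braces and every
   local declaration of this command.  IPV6_STR is restored for the leading
   "ipv6" token; the help line for the prefix token is taken from the
   matching "no ipv6 access-list" command so that the two agree; the
   indices follow the token positions in the command string.  Confirm all
   of these against the upstream file.
   NOTE(review): the permit/deny token is read through ->text here while
   the sibling commands read ->arg; kept as shown. */
DEFUN (ipv6_access_list_exact,
       ipv6_access_list_exact_cmd,
       "ipv6 access-list WORD <deny|permit> X:X::X:X/M [exact-match]",
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 3ffe:506::/32\n"
       "Exact match of the prefixes\n")
{
  int idx_word = 2;
  int idx_allow = 3;
  int idx_addr = 4;
  int idx = 0;
  int exact = 0;

  if (argv_find (argv, argc, "exact-match", &idx))
    exact = 1;

  return filter_set_zebra (vty, argv[idx_word]->arg, argv[idx_allow]->text,
                           AFI_IP6, argv[idx_addr]->arg, exact, 1);
}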
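/* "ipv6 access-list WORD <deny|permit> any": add a match-everything IPv6
   entry, stored as ::/0 with exact matching off.

   The help text for "any" read "Any prefixi to match"; the typo is fixed.
   NOTE(review): IPV6_STR, the braces and the idx_word declaration are not
   visible in the listing and are restored from the command string --
   confirm against the upstream file. */
DEFUN (ipv6_access_list_any,
       ipv6_access_list_any_cmd,
       "ipv6 access-list WORD <deny|permit> any",
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Any prefix to match\n")
{
  int idx_word = 2;
  int idx_permit_deny = 3;

  return filter_set_zebra (vty, argv[idx_word]->arg,
                           argv[idx_permit_deny]->arg, AFI_IP6,
                           "::/0", 0, 1);
}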
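/* "no ipv6 access-list WORD <deny|permit> X:X::X:X/M [exact-match]":
   remove one IPv6 prefix entry from an access list.

   NOTE(review): NO_STR, IPV6_STR, the braces, the idx_word and exact
   declarations and the "exact = 1" statement are not visible in the
   listing and are restored from the command string -- confirm against the
   upstream file. */
DEFUN (no_ipv6_access_list_exact,
       no_ipv6_access_list_exact_cmd,
       "no ipv6 access-list WORD <deny|permit> X:X::X:X/M [exact-match]",
       NO_STR
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 3ffe:506::/32\n"
       "Exact match of the prefixes\n")
{
  int idx_word = 3;
  int idx_permit_deny = 4;
  int idx_ipv6_prefixlen = 5;
  int idx = idx_ipv6_prefixlen;   /* start the option search at the prefix */
  int exact = 0;

  if (argv_find (argv, argc, "exact-match", &idx))
    exact = 1;

  /* Last argument 0: this is the delete form. */
  return filter_set_zebra (vty, argv[idx_word]->arg,
                           argv[idx_permit_deny]->arg, AFI_IP6,
                           argv[idx_ipv6_prefixlen]->arg, exact, 0);
}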
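/* "no ipv6 access-list WORD <deny|permit> any": remove the
   match-everything IPv6 entry (::/0, exact matching off).

   The help text for "any" read "Any prefixi to match"; the typo is fixed.
   NOTE(review): NO_STR, IPV6_STR, the braces and the idx_word declaration
   are not visible in the listing and are restored from the command string
   -- confirm against the upstream file. */
DEFUN (no_ipv6_access_list_any,
       no_ipv6_access_list_any_cmd,
       "no ipv6 access-list WORD <deny|permit> any",
       NO_STR
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Any prefix to match\n")
{
  int idx_word = 3;
  int idx_permit_deny = 4;

  return filter_set_zebra (vty, argv[idx_word]->arg,
                           argv[idx_permit_deny]->arg, AFI_IP6,
                           "::/0", 0, 0);
}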
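/* "no ipv6 access-list WORD": delete a whole IPv6 access list.

   Order matters: route-map dependants are notified and the delete hook is
   run while ACCESS is still a live object, and only then is the list
   deleted.  ACCESS must not be used after access_list_delete ().

   NOTE(review): NO_STR, IPV6_STR, the braces, the idx_word declaration,
   the NULL test after the lookup and the final return are not visible in
   the listing.  They are restored from the command string and from the
   statements that are visible -- confirm against the upstream file. */
DEFUN (no_ipv6_access_list_all,
       no_ipv6_access_list_all_cmd,
       "no ipv6 access-list WORD",
       NO_STR
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n")
{
  int idx_word = 3;
  struct access_list *access;
  struct access_master *master;

  /* Looking up access_list. */
  access = access_list_lookup (AFI_IP6, argv[idx_word]->arg);
  if (access == NULL)
    {
      vty_outln (vty, "%% access-list %s doesn't exist", argv[idx_word]->arg);
      return CMD_WARNING_CONFIG_FAILED;
    }

  /* Keep the master pointer: it is read before ACCESS goes away. */
  master = access->master;

  route_map_notify_dependencies (access->name, RMAP_EVENT_FILTER_DELETED);

  /* Run hook function. */
  if (master->delete_hook)
    (*master->delete_hook) (access);

  /* Delete all filter from access-list. */
  access_list_delete (access);

  return CMD_SUCCESS;
}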
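/* "ipv6 access-list WORD remark LINE...": attach a free-text comment to an
   IPv6 access list, replacing any earlier one.  access_list_get () is
   used, so naming a list that does not exist yet presumably creates it.

   NOTE(review): the help text promises "up to 100 characters", but no
   length check is visible here; the whole concatenated LINE is stored.
   NOTE(review): IPV6_STR, the braces, the idx_word and idx_line
   declarations, the test around the XFREE and the final return are not
   visible in the listing and are restored from the command string --
   confirm against the upstream file. */
DEFUN (ipv6_access_list_remark,
       ipv6_access_list_remark_cmd,
       "ipv6 access-list WORD remark LINE...",
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Access list entry comment\n"
       "Comment up to 100 characters\n")
{
  int idx_word = 2;
  int idx_line = 4;
  struct access_list *access;

  access = access_list_get (AFI_IP6, argv[idx_word]->arg);

  /* Release the previous remark before storing the new one, so that the
     old string is not leaked. */
  if (access->remark)
    {
      XFREE (MTYPE_TMP, access->remark);
      access->remark = NULL;
    }
  access->remark = argv_concat (argv, argc, idx_line);

  return CMD_SUCCESS;
}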
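/* "no ipv6 access-list WORD remark": drop the comment of an IPv6 access
   list.

   NOTE(review): NO_STR, IPV6_STR, the braces and the idx_word declaration
   are not visible in the listing and are restored from the command string
   -- confirm against the upstream file. */
DEFUN (no_ipv6_access_list_remark,
       no_ipv6_access_list_remark_cmd,
       "no ipv6 access-list WORD remark",
       NO_STR
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Access list entry comment\n")
{
  int idx_word = 3;

  return vty_access_list_remark_unset (vty, AFI_IP6, argv[idx_word]->arg);
}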
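/* "no ipv6 access-list WORD remark LINE...": same effect as the form
   without LINE.  The arguments are handed unchanged to
   no_ipv6_access_list_remark, which only reads the list name, so the
   comment text typed after "remark" is not compared with the stored one.

   NOTE(review): NO_STR, IPV6_STR and the braces are not visible in the
   listing and are restored here -- confirm against the upstream file. */
DEFUN (no_ipv6_access_list_remark_comment,
       no_ipv6_access_list_remark_comment_cmd,
       "no ipv6 access-list WORD remark LINE...",
       NO_STR
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Access list entry comment\n"
       "Comment up to 100 characters\n")
{
  return no_ipv6_access_list_remark (self, vty, argc, argv);
}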
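/* Forward declarations: filter_show below uses both writers before their
   definitions.  Each prints the match part of one filter entry to VTY. */
void config_write_access_zebra (struct vty *vty, struct filter *mfilter);
void config_write_access_cisco (struct vty *vty, struct filter *mfilter);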
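/* Print the entries of every access list on the chain that starts at HEAD,
   or only those of the list called NAME when NAME is not NULL.  The
   original walked the numbered and the named chain with two identical
   loops; both now go through this helper.

   NOTE(review): the listing omits the braces, the "continue", the else
   branches, the first and last argument of the header line and whatever
   guards the header so it is printed once per list.  They are restored
   here (the once-per-list flag is called WRITE) -- confirm against the
   upstream file. */
static void
filter_show_chain (struct vty *vty, struct access_list *head,
                   const char *name, afi_t afi)
{
  struct access_list *access;
  struct filter *mfilter;
  struct filter_cisco *filter;
  int write;

  for (access = head; access; access = access->next)
    {
      if (name && strcmp (access->name, name) != 0)
        continue;

      write = 1;

      for (mfilter = access->head; mfilter; mfilter = mfilter->next)
        {
          /* The cisco member of the union is addressed for every entry,
             but it is only read when mfilter->cisco is set. */
          filter = &mfilter->u.cfilter;

          if (write)
            {
              vty_outln (vty, "%s IP%s access list %s",
                         mfilter->cisco
                         ? (filter->extended ? "Extended" : "Standard")
                         : "Zebra",
                         afi == AFI_IP6 ? "v6" : "",
                         access->name);
              write = 0;
            }

          vty_out (vty, " %s%s", filter_type_str (mfilter),
                   mfilter->type == FILTER_DENY ? " " : "");

          if (! mfilter->cisco)
            config_write_access_zebra (vty, mfilter);
          else if (filter->extended)
            config_write_access_cisco (vty, mfilter);
          else if (filter->addr_mask.s_addr == 0xffffffff)
            vty_outln (vty, " any");
          else
            {
              /* inet_ntoa () returns a static buffer: keep one call per
                 vty_out () so the address is not overwritten by the mask. */
              vty_out (vty, " %s", inet_ntoa (filter->addr));
              if (filter->addr_mask.s_addr != 0)
                vty_out (vty, ", wildcard bits %s",
                         inet_ntoa (filter->addr_mask));
              vty_out (vty, VTYNL);
            }
        }
    }
}

/* show access-list command.

   Prints the protocol name, then the numbered and the named access lists
   of address family AFI; NAME restricts the output to one list, NULL shows
   all of them.

   NOTE(review): the return type line, the NULL test on the master and both
   return statements are not visible in the listing and are restored here
   -- confirm against the upstream file. */
static int
filter_show (struct vty *vty, const char *name, afi_t afi)
{
  struct access_master *master;

  master = access_master_get (afi);
  if (master == NULL)
    return 0;

  /* Print the name of the protocol */
  vty_outln (vty, "%s:", frr_protoname);

  filter_show_chain (vty, master->num.head, name, afi);
  filter_show_chain (vty, master->str.head, name, afi);

  return CMD_SUCCESS;
}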
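/* "show ip access-list": print every IPv4 access list.

   NOTE(review): two help lines (SHOW_STR and IP_STR, for the "show" and
   "ip" tokens) and the braces are not visible in the listing and are
   restored here -- confirm against the upstream file. */
DEFUN (show_ip_access_list,
       show_ip_access_list_cmd,
       "show ip access-list",
       SHOW_STR
       IP_STR
       "List IP access lists\n")
{
  /* NULL name: no filtering by list name. */
  return filter_show (vty, NULL, AFI_IP);
}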
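/* "show ip access-list <number|WORD>": print one IPv4 access list.

   NOTE(review): SHOW_STR, IP_STR, the braces and the idx_acl declaration
   are not visible in the listing and are restored from the command string
   -- confirm against the upstream file. */
DEFUN (show_ip_access_list_name,
       show_ip_access_list_name_cmd,
       "show ip access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD>",
       SHOW_STR
       IP_STR
       "List IP access lists\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list\n")
{
  int idx_acl = 3;

  return filter_show (vty, argv[idx_acl]->arg, AFI_IP);
}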
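/* "show ipv6 access-list": print every IPv6 access list.

   NOTE(review): two help lines (SHOW_STR and IPV6_STR) and the braces are
   not visible in the listing and are restored here -- confirm against the
   upstream file. */
DEFUN (show_ipv6_access_list,
       show_ipv6_access_list_cmd,
       "show ipv6 access-list",
       SHOW_STR
       IPV6_STR
       "List IPv6 access lists\n")
{
  /* NULL name: no filtering by list name. */
  return filter_show (vty, NULL, AFI_IP6);
}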
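/* "show ipv6 access-list WORD": print one IPv6 access list.

   NOTE(review): SHOW_STR, IPV6_STR, the braces and the idx_word
   declaration are not visible in the listing and are restored from the
   command string -- confirm against the upstream file. */
DEFUN (show_ipv6_access_list_name,
       show_ipv6_access_list_name_cmd,
       "show ipv6 access-list WORD",
       SHOW_STR
       IPV6_STR
       "List IPv6 access lists\n"
       "IPv6 zebra access-list\n")
{
  int idx_word = 3;

  return filter_show (vty, argv[idx_word]->arg, AFI_IP6);
}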
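/* Print the match part of one Cisco-style filter entry and end the line.

   Extended entries print " ip" followed by two address/wildcard pairs
   (addr/addr_mask, then mask/mask_mask); standard entries print only the
   first pair.  For each pair an all-ones wildcard prints as " any"; in the
   extended form an all-zero wildcard prints as " host ADDR".

   NOTE(review): the return type line, the braces and the else keywords are
   not visible in the listing; the return type is taken from the prototype
   earlier in the file and the nesting from the visible conditions --
   confirm against the upstream file. */
void
config_write_access_cisco (struct vty *vty, struct filter *mfilter)
{
  struct filter_cisco *filter;

  filter = &mfilter->u.cfilter;

  if (filter->extended)
    {
      vty_out (vty, " ip");

      /* inet_ntoa () returns a static buffer, so every address gets its
         own vty_out () call instead of sharing one format string. */
      if (filter->addr_mask.s_addr == 0xffffffff)
        vty_out (vty, " any");
      else if (filter->addr_mask.s_addr == 0)
        vty_out (vty, " host %s", inet_ntoa (filter->addr));
      else
        {
          vty_out (vty, " %s", inet_ntoa (filter->addr));
          vty_out (vty, " %s", inet_ntoa (filter->addr_mask));
        }

      if (filter->mask_mask.s_addr == 0xffffffff)
        vty_out (vty, " any");
      else if (filter->mask_mask.s_addr == 0)
        vty_out (vty, " host %s", inet_ntoa (filter->mask));
      else
        {
          vty_out (vty, " %s", inet_ntoa (filter->mask));
          vty_out (vty, " %s", inet_ntoa (filter->mask_mask));
        }
      vty_out (vty, VTYNL);
    }
  else
    {
      if (filter->addr_mask.s_addr == 0xffffffff)
        vty_outln (vty, " any");
      else
        {
          vty_out (vty, " %s", inet_ntoa (filter->addr));
          if (filter->addr_mask.s_addr != 0)
            vty_out (vty, " %s", inet_ntoa (filter->addr_mask));
          vty_out (vty, VTYNL);
        }
    }
}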
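/* Print the match part of one zebra-style filter entry and end the line.
   A zero-length prefix without exact matching prints as " any"; everything
   else prints as " ADDR/LEN" with " exact-match" appended when set.

   NOTE(review): the return type line, the braces, the declarations of P
   and BUF, the else keyword and the prefix-length argument of the format
   are not visible in the listing.  The return type is taken from the
   prototype earlier in the file; the rest is restored from the visible
   uses (BUF is passed with size BUFSIZ, "%d" needs an integer) -- confirm
   against the upstream file. */
void
config_write_access_zebra (struct vty *vty, struct filter *mfilter)
{
  struct filter_zebra *filter;
  struct prefix *p;
  char buf[BUFSIZ];

  filter = &mfilter->u.zfilter;
  p = &filter->prefix;

  if (p->prefixlen == 0 && ! filter->exact)
    vty_out (vty, " any");
  else
    /* NOTE(review): inet_ntop () returns NULL for an address family it
       does not know; the result is passed to "%s" unchecked, as in the
       original. */
    vty_out (vty, " %s/%d%s",
             inet_ntop (p->family, &p->u.prefix, buf, BUFSIZ),
             p->prefixlen,
             filter->exact ? " exact-match" : "");

  vty_out (vty, VTYNL);
}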
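/* Write the configuration lines of every access list on the chain that
   starts at HEAD and return how many lines were written.  The original
   walked the numbered and the named chain with two identical loops; both
   now go through this helper.

   The remark is free text entered on the CLI and is written back verbatim
   after "remark".

   NOTE(review): the listing omits the braces, the test that guards the
   remark line, the list-name argument of the entry line, the condition
   that picks the cisco or the zebra writer, and the line counter.  They
   are restored here (remark tested for NULL, writer chosen on
   mfilter->cisco) -- confirm against the upstream file. */
static int
config_write_access_chain (struct vty *vty, struct access_list *head,
                           afi_t afi)
{
  struct access_list *access;
  struct filter *mfilter;
  int write = 0;

  for (access = head; access; access = access->next)
    {
      if (access->remark)
        {
          vty_outln (vty, "%saccess-list %s remark %s",
                     afi == AFI_IP ? "" : "ipv6 ",
                     access->name, access->remark);
          write++;
        }

      for (mfilter = access->head; mfilter; mfilter = mfilter->next)
        {
          vty_out (vty, "%saccess-list %s %s",
                   afi == AFI_IP ? "" : "ipv6 ",
                   access->name,
                   filter_type_str (mfilter));

          /* Each writer prints the match part and ends the line. */
          if (mfilter->cisco)
            config_write_access_cisco (vty, mfilter);
          else
            config_write_access_zebra (vty, mfilter);

          write++;
        }
    }

  return write;
}

/* Write all access lists of address family AFI as configuration commands:
   numbered lists first, then named ones.

   NOTE(review): the return type line, the NULL test on the master and the
   returned value are not visible in the listing; the function is restored
   as returning the number of lines written -- confirm against the upstream
   file. */
static int
config_write_access (struct vty *vty, afi_t afi)
{
  struct access_master *master;
  int write = 0;

  master = access_master_get (afi);
  if (master == NULL)
    return 0;

  write += config_write_access_chain (vty, master->num.head, afi);
  write += config_write_access_chain (vty, master->str.head, afi);

  return write;
}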
1961 /* Access-list node. */
1962 static struct cmd_node access_node
=
1965 "", /* Access list has no interface. */
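/* Config-write callback of the IPv4 access-list node (registered in
   access_list_init_ipv4).

   NOTE(review): the return type line and the braces are not visible in the
   listing; "static int" is restored because the body returns the value of
   config_write_access -- confirm against the upstream file. */
static int
config_write_access_ipv4 (struct vty *vty)
{
  return config_write_access (vty, AFI_IP);
}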
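/* Delete every IPv4 access list, numbered and named, and check that both
   chains of the master are empty afterwards.

   NOTE(review): the return type line, the braces and the NULL test on the
   master are not visible in the listing and are restored here -- confirm
   against the upstream file. */
static void
access_list_reset_ipv4 (void)
{
  struct access_list *access;
  struct access_list *next;
  struct access_master *master;

  master = access_master_get (AFI_IP);
  if (master == NULL)
    return;

  /* NEXT is read before the delete: ACCESS must not be touched once it has
     been handed to access_list_delete (). */
  for (access = master->num.head; access; access = next)
    {
      next = access->next;
      access_list_delete (access);
    }
  for (access = master->str.head; access; access = next)
    {
      next = access->next;
      access_list_delete (access);
    }

  assert (master->num.head == NULL);
  assert (master->num.tail == NULL);

  assert (master->str.head == NULL);
  assert (master->str.tail == NULL);
}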
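/* Install vty related command.

   Registers the IPv4 access-list node with its config writer and installs
   the commands.  The two show commands go on ENABLE_NODE; every command
   that creates, changes or deletes an access list is installed on
   CONFIG_NODE only.

   NOTE(review): the return type line and the braces are not visible in the
   listing and are restored here -- confirm against the upstream file. */
static void
access_list_init_ipv4 (void)
{
  install_node (&access_node, config_write_access_ipv4);

  install_element (ENABLE_NODE, &show_ip_access_list_cmd);
  install_element (ENABLE_NODE, &show_ip_access_list_name_cmd);

  /* Zebra access-list */
  install_element (CONFIG_NODE, &access_list_exact_cmd);
  install_element (CONFIG_NODE, &access_list_any_cmd);
  install_element (CONFIG_NODE, &no_access_list_exact_cmd);
  install_element (CONFIG_NODE, &no_access_list_any_cmd);

  /* Standard access-list */
  install_element (CONFIG_NODE, &access_list_standard_cmd);
  install_element (CONFIG_NODE, &access_list_standard_nomask_cmd);
  install_element (CONFIG_NODE, &access_list_standard_host_cmd);
  install_element (CONFIG_NODE, &access_list_standard_any_cmd);
  install_element (CONFIG_NODE, &no_access_list_standard_cmd);
  install_element (CONFIG_NODE, &no_access_list_standard_nomask_cmd);
  install_element (CONFIG_NODE, &no_access_list_standard_host_cmd);
  install_element (CONFIG_NODE, &no_access_list_standard_any_cmd);

  /* Extended access-list */
  install_element (CONFIG_NODE, &access_list_extended_cmd);
  install_element (CONFIG_NODE, &access_list_extended_any_mask_cmd);
  install_element (CONFIG_NODE, &access_list_extended_mask_any_cmd);
  install_element (CONFIG_NODE, &access_list_extended_any_any_cmd);
  install_element (CONFIG_NODE, &access_list_extended_host_mask_cmd);
  install_element (CONFIG_NODE, &access_list_extended_mask_host_cmd);
  install_element (CONFIG_NODE, &access_list_extended_host_host_cmd);
  install_element (CONFIG_NODE, &access_list_extended_any_host_cmd);
  install_element (CONFIG_NODE, &access_list_extended_host_any_cmd);
  install_element (CONFIG_NODE, &no_access_list_extended_cmd);
  install_element (CONFIG_NODE, &no_access_list_extended_any_mask_cmd);
  install_element (CONFIG_NODE, &no_access_list_extended_mask_any_cmd);
  install_element (CONFIG_NODE, &no_access_list_extended_any_any_cmd);
  install_element (CONFIG_NODE, &no_access_list_extended_host_mask_cmd);
  install_element (CONFIG_NODE, &no_access_list_extended_mask_host_cmd);
  install_element (CONFIG_NODE, &no_access_list_extended_host_host_cmd);
  install_element (CONFIG_NODE, &no_access_list_extended_any_host_cmd);
  install_element (CONFIG_NODE, &no_access_list_extended_host_any_cmd);

  /* Remarks and whole-list removal */
  install_element (CONFIG_NODE, &access_list_remark_cmd);
  install_element (CONFIG_NODE, &no_access_list_all_cmd);
  install_element (CONFIG_NODE, &no_access_list_remark_cmd);
  install_element (CONFIG_NODE, &no_access_list_remark_comment_cmd);
}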
2055 static struct cmd_node access_ipv6_node
=
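/* Config-write callback of the IPv6 access-list node (registered in
   access_list_init_ipv6).

   NOTE(review): the return type line and the braces are not visible in the
   listing; "static int" is restored because the body returns the value of
   config_write_access -- confirm against the upstream file. */
static int
config_write_access_ipv6 (struct vty *vty)
{
  return config_write_access (vty, AFI_IP6);
}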
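/* Delete every IPv6 access list, numbered and named, and check that both
   chains of the master are empty afterwards.

   NOTE(review): the return type line, the braces and the NULL test on the
   master are not visible in the listing and are restored here -- confirm
   against the upstream file. */
static void
access_list_reset_ipv6 (void)
{
  struct access_list *access;
  struct access_list *next;
  struct access_master *master;

  master = access_master_get (AFI_IP6);
  if (master == NULL)
    return;

  /* NEXT is read before the delete: ACCESS must not be touched once it has
     been handed to access_list_delete (). */
  for (access = master->num.head; access; access = next)
    {
      next = access->next;
      access_list_delete (access);
    }
  for (access = master->str.head; access; access = next)
    {
      next = access->next;
      access_list_delete (access);
    }

  assert (master->num.head == NULL);
  assert (master->num.tail == NULL);

  assert (master->str.head == NULL);
  assert (master->str.tail == NULL);
}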
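/* Register the IPv6 access-list node with its config writer and install
   the IPv6 commands.  The two show commands go on ENABLE_NODE; every
   command that creates, changes or deletes an access list is installed on
   CONFIG_NODE only.

   NOTE(review): the return type line and the braces are not visible in the
   listing and are restored here -- confirm against the upstream file. */
static void
access_list_init_ipv6 (void)
{
  install_node (&access_ipv6_node, config_write_access_ipv6);

  install_element (ENABLE_NODE, &show_ipv6_access_list_cmd);
  install_element (ENABLE_NODE, &show_ipv6_access_list_name_cmd);

  /* Prefix entries */
  install_element (CONFIG_NODE, &ipv6_access_list_exact_cmd);
  install_element (CONFIG_NODE, &ipv6_access_list_any_cmd);
  install_element (CONFIG_NODE, &no_ipv6_access_list_exact_cmd);
  install_element (CONFIG_NODE, &no_ipv6_access_list_any_cmd);

  /* Remarks and whole-list removal */
  install_element (CONFIG_NODE, &no_ipv6_access_list_all_cmd);
  install_element (CONFIG_NODE, &ipv6_access_list_remark_cmd);
  install_element (CONFIG_NODE, &no_ipv6_access_list_remark_cmd);
  install_element (CONFIG_NODE, &no_ipv6_access_list_remark_comment_cmd);
}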
2119 access_list_init_ipv4 ();
2120 access_list_init_ipv6();
2124 access_list_reset ()
2126 access_list_reset_ipv4 ();
2127 access_list_reset_ipv6();