1 /* Route filtering function.
2 * Copyright (C) 1998, 1999 Kunihiro Ishiguro
4 * This file is part of GNU Zebra.
6 * GNU Zebra is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published
8 * by the Free Software Foundation; either version 2, or (at your
9 * option) any later version.
11 * GNU Zebra is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * General Public License for more details.
16 * You should have received a copy of the GNU General Public License along
17 * with this program; see the file COPYING; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
27 #include "sockunion.h"
33 DEFINE_MTYPE_STATIC(LIB
, ACCESS_LIST
, "Access List")
34 DEFINE_MTYPE_STATIC(LIB
, ACCESS_LIST_STR
, "Access List Str")
35 DEFINE_MTYPE_STATIC(LIB
, ACCESS_FILTER
, "Access Filter")
38 /* Cisco access-list */
41 struct in_addr addr_mask
;
43 struct in_addr mask_mask
;
47 /* If this filter is "exact" match then this flag is set. */
50 /* Prefix information. */
54 /* Filter element of access list */
56 /* For doubly linked list. */
60 /* Filter type information. */
61 enum filter_type type
;
63 /* Cisco access-list */
67 struct filter_cisco cfilter
;
68 struct filter_zebra zfilter
;
72 /* List of access_list. */
73 struct access_list_list
{
74 struct access_list
*head
;
75 struct access_list
*tail
;
78 /* Master structure of access_list. */
79 struct access_master
{
80 /* List of access_list which name is number. */
81 struct access_list_list num
;
83 /* List of access_list which name is string. */
84 struct access_list_list str
;
86 /* Hook function which is executed when new access_list is added. */
87 void (*add_hook
)(struct access_list
*);
89 /* Hook function which is executed when access_list is deleted. */
90 void (*delete_hook
)(struct access_list
*);
93 /* Static structure for IPv4 access_list's master. */
94 static struct access_master access_master_ipv4
= {
101 /* Static structure for IPv6 access_list's master. */
102 static struct access_master access_master_ipv6
= {
/*
 * Return the access-list master for an address family.
 *
 * IPv4 and IPv6 each have their own static master.  Any other family
 * yields NULL, so callers must check the result before dereferencing.
 */
static struct access_master *access_master_get(afi_t afi)
{
	switch (afi) {
	case AFI_IP:
		return &access_master_ipv4;
	case AFI_IP6:
		return &access_master_ipv6;
	default:
		return NULL;
	}
}
/*
 * Allocate one filter element, accounted under MTYPE_ACCESS_FILTER.
 * The result is released with filter_free().
 */
static struct filter *filter_new(void)
{
	struct filter *filter;

	filter = XCALLOC(MTYPE_ACCESS_FILTER, sizeof(*filter));
	return filter;
}
/*
 * Release a filter element obtained from filter_new().
 *
 * The element must already be unlinked from its access list; nothing
 * here touches the neighbouring list nodes.
 */
static void filter_free(struct filter *filter)
{
	XFREE(MTYPE_ACCESS_FILTER, filter);
}
130 /* Return string of filter_type. */
131 static const char *filter_type_str(struct filter
*filter
)
133 switch (filter
->type
) {
/*
 * Match a prefix against a Cisco-style filter; return 1 on match, else 0.
 *
 * addr_mask and mask_mask are wildcard masks: a set bit means "ignore
 * this bit", which is why both are inverted before being applied.  A
 * standard entry compares only the address; an extended entry also
 * compares the netmask derived from the prefix length.
 *
 * NOTE(review): p->u.prefix4 is read without looking at p->family.
 * Presumably only IPv4 prefixes reach this function - confirm at the
 * call sites.
 */
static int filter_match_cisco(struct filter *mfilter, struct prefix *p)
{
	struct filter_cisco *cf = &mfilter->u.cfilter;
	struct in_addr plen_mask;
	u_int32_t check_addr;
	u_int32_t check_mask;

	check_addr = p->u.prefix4.s_addr & ~cf->addr_mask.s_addr;

	if (cf->extended) {
		masklen2ip(p->prefixlen, &plen_mask);
		check_mask = plen_mask.s_addr & ~cf->mask_mask.s_addr;

		return check_addr == cf->addr.s_addr
		       && check_mask == cf->mask.s_addr;
	}

	return check_addr == cf->addr.s_addr;
}
/*
 * Match a prefix against a zebra-style (prefix based) filter.
 *
 * A prefix of a different address family never matches.  With the
 * "exact" flag set the prefix lengths must also be equal.  Otherwise
 * the result is whatever prefix_match() reports for the filter prefix
 * and p.
 */
static int filter_match_zebra(struct filter *mfilter, struct prefix *p)
{
	struct filter_zebra *zf = &mfilter->u.zfilter;

	if (zf->prefix.family != p->family)
		return 0;

	if (zf->exact && zf->prefix.prefixlen != p->prefixlen)
		return 0;

	return prefix_match(&zf->prefix, p);
}
/*
 * Allocate one access_list, accounted under MTYPE_ACCESS_LIST.
 * The name, master and list links are filled in by the caller.
 */
static struct access_list *access_list_new(void)
{
	struct access_list *access;

	access = XCALLOC(MTYPE_ACCESS_LIST, sizeof(*access));
	return access;
}
/*
 * Release the access_list structure itself.
 *
 * The name, the remark and the filters are not released here;
 * access_list_delete() takes care of those before calling this.
 */
static void access_list_free(struct access_list *access)
{
	XFREE(MTYPE_ACCESS_LIST, access);
}
/*
 * Unlink an access_list from its master and free everything it owns:
 * all filters, the name, the remark and the structure itself.
 *
 * The pointer is dangling once this returns, so callers must not touch
 * 'access' (or any filter taken from it) afterwards.
 */
static void access_list_delete(struct access_list *access)
{
	struct access_master *master = access->master;
	struct access_list_list *list;
	struct filter *filter = access->head;

	/* Fetch the successor before the node is freed. */
	while (filter) {
		struct filter *next = filter->next;

		filter_free(filter);
		filter = next;
	}

	/* Numbered and named lists are kept on separate chains. */
	list = (access->type == ACCESS_TYPE_NUMBER) ? &master->num
						    : &master->str;

	if (access->next)
		access->next->prev = access->prev;
	else
		list->tail = access->prev;

	if (access->prev)
		access->prev->next = access->next;
	else
		list->head = access->next;

	if (access->name)
		XFREE(MTYPE_ACCESS_LIST_STR, access->name);

	if (access->remark)
		XFREE(MTYPE_TMP, access->remark);

	access_list_free(access);
}
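/*
 * Create an access_list called 'name' and link it into the master for
 * 'afi'.  Each chain is kept sorted: all-digit names go on the number
 * chain in numeric order, every other name on the string chain in
 * strcmp() order.
 *
 * Returns the new list, or NULL when 'afi' has no master.
 *
 * The name arrives from the command line, so it is handled
 * defensively:
 *  - isdigit() is given an unsigned char value; passing a negative
 *    plain char is undefined behaviour;
 *  - the numeric value comes from strtol(), which saturates on
 *    overflow, instead of a hand-rolled "number * 10 + digit" sum
 *    that overflows a signed long on long digit strings;
 *  - strlen() is evaluated once rather than on every iteration.
 */
static struct access_list *access_list_insert(afi_t afi, const char *name)
{
	size_t i;
	size_t namelen;
	long number;
	struct access_list *access;
	struct access_list *point;
	struct access_list_list *alist;
	struct access_master *master;

	master = access_master_get(afi);
	if (master == NULL)
		return NULL;

	/* Allocate new access_list and copy given name. */
	access = access_list_new();
	access->name = XSTRDUP(MTYPE_ACCESS_LIST_STR, name);
	access->master = master;

	/* A name made only of digits is treated as a number. */
	namelen = strlen(name);
	for (i = 0; i < namelen; i++) {
		if (!isdigit((unsigned char)name[i]))
			break;
	}

	if (i == namelen) {
		/* All digits: the list goes on the number chain. */
		number = strtol(name, NULL, 10);
		access->type = ACCESS_TYPE_NUMBER;
		alist = &master->num;

		for (point = alist->head; point; point = point->next)
			if (strtol(point->name, NULL, 10) >= number)
				break;
	} else {
		access->type = ACCESS_TYPE_STRING;
		alist = &master->str;

		/* Set point to insertion point. */
		for (point = alist->head; point; point = point->next)
			if (strcmp(point->name, name) >= 0)
				break;
	}

	/* This is the first element of the chain. */
	if (alist->head == NULL) {
		alist->head = alist->tail = access;
		return access;
	}

	/* No larger element was found: append at the tail. */
	if (point == NULL) {
		access->prev = alist->tail;
		alist->tail->next = access;
		alist->tail = access;
		return access;
	}

	/* Insertion in front of the current head. */
	if (point == alist->head) {
		access->next = alist->head;
		alist->head->prev = access;
		alist->head = access;
		return access;
	}

	/* Insertion in the middle, directly before 'point'. */
	access->next = point;
	access->prev = point->prev;

	if (point->prev)
		point->prev->next = access;
	point->prev = access;

	return access;
}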
/*
 * Find an access_list by name in the master for 'afi'.
 *
 * The number chain is searched first, then the string chain, both with
 * an exact strcmp() comparison.  Returns NULL when 'name' is NULL, when
 * the family has no master, or when no list carries that name.
 */
struct access_list *access_list_lookup(afi_t afi, const char *name)
{
	struct access_master *master;
	struct access_list *heads[2];
	struct access_list *access;
	size_t k;

	if (name == NULL)
		return NULL;

	master = access_master_get(afi);
	if (master == NULL)
		return NULL;

	heads[0] = master->num.head;
	heads[1] = master->str.head;

	for (k = 0; k < 2; k++)
		for (access = heads[k]; access; access = access->next)
			if (strcmp(access->name, name) == 0)
				return access;

	return NULL;
}
/*
 * Look up the access_list called 'name'; when none exists, create one
 * with access_list_insert() and return that result instead.
 *
 * A plain lookup through this function therefore has the side effect
 * of creating an empty list.
 */
static struct access_list *access_list_get(afi_t afi, const char *name)
{
	struct access_list *access = access_list_lookup(afi, name);

	return access ? access : access_list_insert(afi, name);
}
/*
 * Evaluate an access list against 'object', which must point to a
 * struct prefix.
 *
 * Filters are tried in list order and the first match decides the
 * result (that filter's permit/deny type).  The default is deny: a
 * NULL list, an empty list and a list without a matching entry all
 * return FILTER_DENY.
 */
enum filter_type access_list_apply(struct access_list *access, void *object)
{
	struct prefix *p = (struct prefix *)object;
	struct filter *filter;

	if (access == NULL)
		return FILTER_DENY;

	for (filter = access->head; filter; filter = filter->next) {
		int matched = filter->cisco ? filter_match_cisco(filter, p)
					    : filter_match_zebra(filter, p);

		if (matched)
			return filter->type;
	}

	return FILTER_DENY;
}
/*
 * Register the callback that runs after a filter has been added to an
 * access list.  The same function is installed on both the IPv4 and
 * the IPv6 master and replaces any earlier registration.
 */
void access_list_add_hook(void (*func)(struct access_list *access))
{
	access_master_ipv4.add_hook = access_master_ipv6.add_hook = func;
}
/*
 * Register the callback that runs after a filter has been removed from
 * an access list.  The same function is installed on both the IPv4 and
 * the IPv6 master and replaces any earlier registration.
 */
void access_list_delete_hook(void (*func)(struct access_list *access))
{
	access_master_ipv4.delete_hook = access_master_ipv6.delete_hook = func;
}
/*
 * Append 'filter' to the end of 'access'.
 *
 * Evaluation order follows list order, so a new entry is always
 * consulted after every existing one.  Once the entry is linked, the
 * master's add hook (if set) runs and route-map dependencies are told
 * that a filter was added.
 */
static void access_list_filter_add(struct access_list *access,
				   struct filter *filter)
{
	struct filter *old_tail = access->tail;

	filter->next = NULL;
	filter->prev = old_tail;

	if (old_tail == NULL)
		access->head = filter;
	else
		old_tail->next = filter;
	access->tail = filter;

	/* Run hook function. */
	if (access->master->add_hook)
		(*access->master->add_hook)(access);
	route_map_notify_dependencies(access->name, RMAP_EVENT_FILTER_ADDED);
}
/*
 * Return 1 when the access list holds no filter (both head and tail
 * are NULL), otherwise 0.  A remark on the list is not considered.
 */
static int access_list_empty(struct access_list *access)
{
	return (access->head == NULL && access->tail == NULL) ? 1 : 0;
}
/*
 * Unlink 'filter' from 'access' and free it, then notify route-map
 * dependencies and run the master's delete hook (if set).
 *
 * When the removal leaves the list without filters, the list itself is
 * deleted as well.  'access' may therefore be freed by the time this
 * returns, and callers must not dereference it afterwards.
 */
static void access_list_filter_delete(struct access_list *access,
				      struct filter *filter)
{
	/* Cached up front: the hook below is reached through it. */
	struct access_master *master = access->master;
	struct filter *before = filter->prev;
	struct filter *after = filter->next;

	if (after)
		after->prev = before;
	else
		access->tail = before;

	if (before)
		before->next = after;
	else
		access->head = after;

	filter_free(filter);

	route_map_notify_dependencies(access->name, RMAP_EVENT_FILTER_DELETED);
	/* Run hook function. */
	if (master->delete_hook)
		(*master->delete_hook)(access);

	/* If access_list becomes empty delete it from access_master. */
	if (access_list_empty(access))
		access_list_delete(access);
}
462 deny Specify packets to reject
463 permit Specify packets to forward
468 Hostname or A.B.C.D Address to match
470 host A single host address
473 static struct filter
*filter_lookup_cisco(struct access_list
*access
,
476 struct filter
*mfilter
;
477 struct filter_cisco
*filter
;
478 struct filter_cisco
*new;
480 new = &mnew
->u
.cfilter
;
482 for (mfilter
= access
->head
; mfilter
; mfilter
= mfilter
->next
) {
483 filter
= &mfilter
->u
.cfilter
;
485 if (filter
->extended
) {
486 if (mfilter
->type
== mnew
->type
487 && filter
->addr
.s_addr
== new->addr
.s_addr
488 && filter
->addr_mask
.s_addr
== new->addr_mask
.s_addr
489 && filter
->mask
.s_addr
== new->mask
.s_addr
490 && filter
->mask_mask
.s_addr
491 == new->mask_mask
.s_addr
)
494 if (mfilter
->type
== mnew
->type
495 && filter
->addr
.s_addr
== new->addr
.s_addr
496 && filter
->addr_mask
.s_addr
497 == new->addr_mask
.s_addr
)
505 static struct filter
*filter_lookup_zebra(struct access_list
*access
,
508 struct filter
*mfilter
;
509 struct filter_zebra
*filter
;
510 struct filter_zebra
*new;
512 new = &mnew
->u
.zfilter
;
514 for (mfilter
= access
->head
; mfilter
; mfilter
= mfilter
->next
) {
515 filter
= &mfilter
->u
.zfilter
;
517 if (filter
->exact
== new->exact
519 == mnew
->type
&&prefix_same(&filter
->prefix
,
526 static int vty_access_list_remark_unset(struct vty
*vty
, afi_t afi
,
529 struct access_list
*access
;
531 access
= access_list_lookup(afi
, name
);
533 vty_out(vty
, "%% access-list %s doesn't exist\n", name
);
534 return CMD_WARNING_CONFIG_FAILED
;
537 if (access
->remark
) {
538 XFREE(MTYPE_TMP
, access
->remark
);
539 access
->remark
= NULL
;
542 if (access
->head
== NULL
&& access
->tail
== NULL
543 && access
->remark
== NULL
)
544 access_list_delete(access
);
549 static int filter_set_cisco(struct vty
*vty
, const char *name_str
,
550 const char *type_str
, const char *addr_str
,
551 const char *addr_mask_str
, const char *mask_str
,
552 const char *mask_mask_str
, int extended
, int set
)
555 enum filter_type type
;
556 struct filter
*mfilter
;
557 struct filter_cisco
*filter
;
558 struct access_list
*access
;
560 struct in_addr addr_mask
;
562 struct in_addr mask_mask
;
564 /* Check of filter type. */
565 if (strncmp(type_str
, "p", 1) == 0)
566 type
= FILTER_PERMIT
;
567 else if (strncmp(type_str
, "d", 1) == 0)
570 vty_out(vty
, "%% filter type must be permit or deny\n");
571 return CMD_WARNING_CONFIG_FAILED
;
574 ret
= inet_aton(addr_str
, &addr
);
576 vty_out(vty
, "%%Inconsistent address and mask\n");
577 return CMD_WARNING_CONFIG_FAILED
;
580 ret
= inet_aton(addr_mask_str
, &addr_mask
);
582 vty_out(vty
, "%%Inconsistent address and mask\n");
583 return CMD_WARNING_CONFIG_FAILED
;
587 ret
= inet_aton(mask_str
, &mask
);
589 vty_out(vty
, "%%Inconsistent address and mask\n");
590 return CMD_WARNING_CONFIG_FAILED
;
593 ret
= inet_aton(mask_mask_str
, &mask_mask
);
595 vty_out(vty
, "%%Inconsistent address and mask\n");
596 return CMD_WARNING_CONFIG_FAILED
;
600 mfilter
= filter_new();
601 mfilter
->type
= type
;
603 filter
= &mfilter
->u
.cfilter
;
604 filter
->extended
= extended
;
605 filter
->addr
.s_addr
= addr
.s_addr
& ~addr_mask
.s_addr
;
606 filter
->addr_mask
.s_addr
= addr_mask
.s_addr
;
609 filter
->mask
.s_addr
= mask
.s_addr
& ~mask_mask
.s_addr
;
610 filter
->mask_mask
.s_addr
= mask_mask
.s_addr
;
613 /* Install new filter to the access_list. */
614 access
= access_list_get(AFI_IP
, name_str
);
617 if (filter_lookup_cisco(access
, mfilter
))
618 filter_free(mfilter
);
620 access_list_filter_add(access
, mfilter
);
622 struct filter
*delete_filter
;
624 delete_filter
= filter_lookup_cisco(access
, mfilter
);
626 access_list_filter_delete(access
, delete_filter
);
628 filter_free(mfilter
);
634 /* Standard access-list */
635 DEFUN (access_list_standard
,
636 access_list_standard_cmd
,
637 "access-list <(1-99)|(1300-1999)> <deny|permit> A.B.C.D A.B.C.D",
638 "Add an access list entry\n"
639 "IP standard access list\n"
640 "IP standard access list (expanded range)\n"
641 "Specify packets to reject\n"
642 "Specify packets to forward\n"
647 int idx_permit_deny
= 2;
650 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
651 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
652 argv
[idx_ipv4_2
]->arg
, NULL
, NULL
, 0, 1);
655 DEFUN (access_list_standard_nomask
,
656 access_list_standard_nomask_cmd
,
657 "access-list <(1-99)|(1300-1999)> <deny|permit> A.B.C.D",
658 "Add an access list entry\n"
659 "IP standard access list\n"
660 "IP standard access list (expanded range)\n"
661 "Specify packets to reject\n"
662 "Specify packets to forward\n"
663 "Address to match\n")
666 int idx_permit_deny
= 2;
668 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
669 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
670 "0.0.0.0", NULL
, NULL
, 0, 1);
673 DEFUN (access_list_standard_host
,
674 access_list_standard_host_cmd
,
675 "access-list <(1-99)|(1300-1999)> <deny|permit> host A.B.C.D",
676 "Add an access list entry\n"
677 "IP standard access list\n"
678 "IP standard access list (expanded range)\n"
679 "Specify packets to reject\n"
680 "Specify packets to forward\n"
681 "A single host address\n"
682 "Address to match\n")
685 int idx_permit_deny
= 2;
687 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
688 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
689 "0.0.0.0", NULL
, NULL
, 0, 1);
692 DEFUN (access_list_standard_any
,
693 access_list_standard_any_cmd
,
694 "access-list <(1-99)|(1300-1999)> <deny|permit> any",
695 "Add an access list entry\n"
696 "IP standard access list\n"
697 "IP standard access list (expanded range)\n"
698 "Specify packets to reject\n"
699 "Specify packets to forward\n"
703 int idx_permit_deny
= 2;
704 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
705 argv
[idx_permit_deny
]->arg
, "0.0.0.0",
706 "255.255.255.255", NULL
, NULL
, 0, 1);
709 DEFUN (no_access_list_standard
,
710 no_access_list_standard_cmd
,
711 "no access-list <(1-99)|(1300-1999)> <deny|permit> A.B.C.D A.B.C.D",
713 "Add an access list entry\n"
714 "IP standard access list\n"
715 "IP standard access list (expanded range)\n"
716 "Specify packets to reject\n"
717 "Specify packets to forward\n"
722 int idx_permit_deny
= 3;
725 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
726 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
727 argv
[idx_ipv4_2
]->arg
, NULL
, NULL
, 0, 0);
730 DEFUN (no_access_list_standard_nomask
,
731 no_access_list_standard_nomask_cmd
,
732 "no access-list <(1-99)|(1300-1999)> <deny|permit> A.B.C.D",
734 "Add an access list entry\n"
735 "IP standard access list\n"
736 "IP standard access list (expanded range)\n"
737 "Specify packets to reject\n"
738 "Specify packets to forward\n"
739 "Address to match\n")
742 int idx_permit_deny
= 3;
744 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
745 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
746 "0.0.0.0", NULL
, NULL
, 0, 0);
749 DEFUN (no_access_list_standard_host
,
750 no_access_list_standard_host_cmd
,
751 "no access-list <(1-99)|(1300-1999)> <deny|permit> host A.B.C.D",
753 "Add an access list entry\n"
754 "IP standard access list\n"
755 "IP standard access list (expanded range)\n"
756 "Specify packets to reject\n"
757 "Specify packets to forward\n"
758 "A single host address\n"
759 "Address to match\n")
762 int idx_permit_deny
= 3;
764 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
765 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
766 "0.0.0.0", NULL
, NULL
, 0, 0);
769 DEFUN (no_access_list_standard_any
,
770 no_access_list_standard_any_cmd
,
771 "no access-list <(1-99)|(1300-1999)> <deny|permit> any",
773 "Add an access list entry\n"
774 "IP standard access list\n"
775 "IP standard access list (expanded range)\n"
776 "Specify packets to reject\n"
777 "Specify packets to forward\n"
781 int idx_permit_deny
= 3;
782 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
783 argv
[idx_permit_deny
]->arg
, "0.0.0.0",
784 "255.255.255.255", NULL
, NULL
, 0, 0);
787 /* Extended access-list */
788 DEFUN (access_list_extended
,
789 access_list_extended_cmd
,
790 "access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D A.B.C.D A.B.C.D",
791 "Add an access list entry\n"
792 "IP extended access list\n"
793 "IP extended access list (expanded range)\n"
794 "Specify packets to reject\n"
795 "Specify packets to forward\n"
796 "Any Internet Protocol\n"
798 "Source wildcard bits\n"
799 "Destination address\n"
800 "Destination Wildcard bits\n")
803 int idx_permit_deny
= 2;
808 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
809 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
810 argv
[idx_ipv4_2
]->arg
, argv
[idx_ipv4_3
]->arg
,
811 argv
[idx_ipv4_4
]->arg
, 1, 1);
814 DEFUN (access_list_extended_mask_any
,
815 access_list_extended_mask_any_cmd
,
816 "access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D any",
817 "Add an access list entry\n"
818 "IP extended access list\n"
819 "IP extended access list (expanded range)\n"
820 "Specify packets to reject\n"
821 "Specify packets to forward\n"
822 "Any Internet Protocol\n"
824 "Source wildcard bits\n"
825 "Any destination host\n")
828 int idx_permit_deny
= 2;
831 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
832 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
833 argv
[idx_ipv4_2
]->arg
, "0.0.0.0",
834 "255.255.255.255", 1, 1);
837 DEFUN (access_list_extended_any_mask
,
838 access_list_extended_any_mask_cmd
,
839 "access-list <(100-199)|(2000-2699)> <deny|permit> ip any A.B.C.D A.B.C.D",
840 "Add an access list entry\n"
841 "IP extended access list\n"
842 "IP extended access list (expanded range)\n"
843 "Specify packets to reject\n"
844 "Specify packets to forward\n"
845 "Any Internet Protocol\n"
847 "Destination address\n"
848 "Destination Wildcard bits\n")
851 int idx_permit_deny
= 2;
854 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
855 argv
[idx_permit_deny
]->arg
, "0.0.0.0",
856 "255.255.255.255", argv
[idx_ipv4
]->arg
,
857 argv
[idx_ipv4_2
]->arg
, 1, 1);
860 DEFUN (access_list_extended_any_any
,
861 access_list_extended_any_any_cmd
,
862 "access-list <(100-199)|(2000-2699)> <deny|permit> ip any any",
863 "Add an access list entry\n"
864 "IP extended access list\n"
865 "IP extended access list (expanded range)\n"
866 "Specify packets to reject\n"
867 "Specify packets to forward\n"
868 "Any Internet Protocol\n"
870 "Any destination host\n")
873 int idx_permit_deny
= 2;
874 return filter_set_cisco(
875 vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
876 "255.255.255.255", "0.0.0.0", "255.255.255.255", 1, 1);
879 DEFUN (access_list_extended_mask_host
,
880 access_list_extended_mask_host_cmd
,
881 "access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D host A.B.C.D",
882 "Add an access list entry\n"
883 "IP extended access list\n"
884 "IP extended access list (expanded range)\n"
885 "Specify packets to reject\n"
886 "Specify packets to forward\n"
887 "Any Internet Protocol\n"
889 "Source wildcard bits\n"
890 "A single destination host\n"
891 "Destination address\n")
894 int idx_permit_deny
= 2;
898 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
899 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
900 argv
[idx_ipv4_2
]->arg
, argv
[idx_ipv4_3
]->arg
,
904 DEFUN (access_list_extended_host_mask
,
905 access_list_extended_host_mask_cmd
,
906 "access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D A.B.C.D A.B.C.D",
907 "Add an access list entry\n"
908 "IP extended access list\n"
909 "IP extended access list (expanded range)\n"
910 "Specify packets to reject\n"
911 "Specify packets to forward\n"
912 "Any Internet Protocol\n"
913 "A single source host\n"
915 "Destination address\n"
916 "Destination Wildcard bits\n")
919 int idx_permit_deny
= 2;
923 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
924 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
925 "0.0.0.0", argv
[idx_ipv4_2
]->arg
,
926 argv
[idx_ipv4_3
]->arg
, 1, 1);
929 DEFUN (access_list_extended_host_host
,
930 access_list_extended_host_host_cmd
,
931 "access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D host A.B.C.D",
932 "Add an access list entry\n"
933 "IP extended access list\n"
934 "IP extended access list (expanded range)\n"
935 "Specify packets to reject\n"
936 "Specify packets to forward\n"
937 "Any Internet Protocol\n"
938 "A single source host\n"
940 "A single destination host\n"
941 "Destination address\n")
944 int idx_permit_deny
= 2;
947 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
948 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
949 "0.0.0.0", argv
[idx_ipv4_2
]->arg
, "0.0.0.0", 1,
953 DEFUN (access_list_extended_any_host
,
954 access_list_extended_any_host_cmd
,
955 "access-list <(100-199)|(2000-2699)> <deny|permit> ip any host A.B.C.D",
956 "Add an access list entry\n"
957 "IP extended access list\n"
958 "IP extended access list (expanded range)\n"
959 "Specify packets to reject\n"
960 "Specify packets to forward\n"
961 "Any Internet Protocol\n"
963 "A single destination host\n"
964 "Destination address\n")
967 int idx_permit_deny
= 2;
969 return filter_set_cisco(
970 vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
971 "255.255.255.255", argv
[idx_ipv4
]->arg
, "0.0.0.0", 1, 1);
974 DEFUN (access_list_extended_host_any
,
975 access_list_extended_host_any_cmd
,
976 "access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D any",
977 "Add an access list entry\n"
978 "IP extended access list\n"
979 "IP extended access list (expanded range)\n"
980 "Specify packets to reject\n"
981 "Specify packets to forward\n"
982 "Any Internet Protocol\n"
983 "A single source host\n"
985 "Any destination host\n")
988 int idx_permit_deny
= 2;
990 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
991 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
992 "0.0.0.0", "0.0.0.0", "255.255.255.255", 1, 1);
995 DEFUN (no_access_list_extended
,
996 no_access_list_extended_cmd
,
997 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D A.B.C.D A.B.C.D",
999 "Add an access list entry\n"
1000 "IP extended access list\n"
1001 "IP extended access list (expanded range)\n"
1002 "Specify packets to reject\n"
1003 "Specify packets to forward\n"
1004 "Any Internet Protocol\n"
1006 "Source wildcard bits\n"
1007 "Destination address\n"
1008 "Destination Wildcard bits\n")
1011 int idx_permit_deny
= 3;
1016 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1017 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1018 argv
[idx_ipv4_2
]->arg
, argv
[idx_ipv4_3
]->arg
,
1019 argv
[idx_ipv4_4
]->arg
, 1, 0);
1022 DEFUN (no_access_list_extended_mask_any
,
1023 no_access_list_extended_mask_any_cmd
,
1024 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D any",
1026 "Add an access list entry\n"
1027 "IP extended access list\n"
1028 "IP extended access list (expanded range)\n"
1029 "Specify packets to reject\n"
1030 "Specify packets to forward\n"
1031 "Any Internet Protocol\n"
1033 "Source wildcard bits\n"
1034 "Any destination host\n")
1037 int idx_permit_deny
= 3;
1040 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1041 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1042 argv
[idx_ipv4_2
]->arg
, "0.0.0.0",
1043 "255.255.255.255", 1, 0);
1046 DEFUN (no_access_list_extended_any_mask
,
1047 no_access_list_extended_any_mask_cmd
,
1048 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip any A.B.C.D A.B.C.D",
1050 "Add an access list entry\n"
1051 "IP extended access list\n"
1052 "IP extended access list (expanded range)\n"
1053 "Specify packets to reject\n"
1054 "Specify packets to forward\n"
1055 "Any Internet Protocol\n"
1057 "Destination address\n"
1058 "Destination Wildcard bits\n")
1061 int idx_permit_deny
= 3;
1064 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1065 argv
[idx_permit_deny
]->arg
, "0.0.0.0",
1066 "255.255.255.255", argv
[idx_ipv4
]->arg
,
1067 argv
[idx_ipv4_2
]->arg
, 1, 0);
1070 DEFUN (no_access_list_extended_any_any
,
1071 no_access_list_extended_any_any_cmd
,
1072 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip any any",
1074 "Add an access list entry\n"
1075 "IP extended access list\n"
1076 "IP extended access list (expanded range)\n"
1077 "Specify packets to reject\n"
1078 "Specify packets to forward\n"
1079 "Any Internet Protocol\n"
1081 "Any destination host\n")
1084 int idx_permit_deny
= 3;
1085 return filter_set_cisco(
1086 vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
1087 "255.255.255.255", "0.0.0.0", "255.255.255.255", 1, 0);
1090 DEFUN (no_access_list_extended_mask_host
,
1091 no_access_list_extended_mask_host_cmd
,
1092 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip A.B.C.D A.B.C.D host A.B.C.D",
1094 "Add an access list entry\n"
1095 "IP extended access list\n"
1096 "IP extended access list (expanded range)\n"
1097 "Specify packets to reject\n"
1098 "Specify packets to forward\n"
1099 "Any Internet Protocol\n"
1101 "Source wildcard bits\n"
1102 "A single destination host\n"
1103 "Destination address\n")
1106 int idx_permit_deny
= 3;
1110 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1111 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1112 argv
[idx_ipv4_2
]->arg
, argv
[idx_ipv4_3
]->arg
,
1116 DEFUN (no_access_list_extended_host_mask
,
1117 no_access_list_extended_host_mask_cmd
,
1118 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D A.B.C.D A.B.C.D",
1120 "Add an access list entry\n"
1121 "IP extended access list\n"
1122 "IP extended access list (expanded range)\n"
1123 "Specify packets to reject\n"
1124 "Specify packets to forward\n"
1125 "Any Internet Protocol\n"
1126 "A single source host\n"
1128 "Destination address\n"
1129 "Destination Wildcard bits\n")
1132 int idx_permit_deny
= 3;
1136 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1137 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1138 "0.0.0.0", argv
[idx_ipv4_2
]->arg
,
1139 argv
[idx_ipv4_3
]->arg
, 1, 0);
1142 DEFUN (no_access_list_extended_host_host
,
1143 no_access_list_extended_host_host_cmd
,
1144 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D host A.B.C.D",
1146 "Add an access list entry\n"
1147 "IP extended access list\n"
1148 "IP extended access list (expanded range)\n"
1149 "Specify packets to reject\n"
1150 "Specify packets to forward\n"
1151 "Any Internet Protocol\n"
1152 "A single source host\n"
1154 "A single destination host\n"
1155 "Destination address\n")
1158 int idx_permit_deny
= 3;
1161 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1162 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1163 "0.0.0.0", argv
[idx_ipv4_2
]->arg
, "0.0.0.0", 1,
1167 DEFUN (no_access_list_extended_any_host
,
1168 no_access_list_extended_any_host_cmd
,
1169 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip any host A.B.C.D",
1171 "Add an access list entry\n"
1172 "IP extended access list\n"
1173 "IP extended access list (expanded range)\n"
1174 "Specify packets to reject\n"
1175 "Specify packets to forward\n"
1176 "Any Internet Protocol\n"
1178 "A single destination host\n"
1179 "Destination address\n")
1182 int idx_permit_deny
= 3;
1184 return filter_set_cisco(
1185 vty
, argv
[idx_acl
]->arg
, argv
[idx_permit_deny
]->arg
, "0.0.0.0",
1186 "255.255.255.255", argv
[idx_ipv4
]->arg
, "0.0.0.0", 1, 0);
1189 DEFUN (no_access_list_extended_host_any
,
1190 no_access_list_extended_host_any_cmd
,
1191 "no access-list <(100-199)|(2000-2699)> <deny|permit> ip host A.B.C.D any",
1193 "Add an access list entry\n"
1194 "IP extended access list\n"
1195 "IP extended access list (expanded range)\n"
1196 "Specify packets to reject\n"
1197 "Specify packets to forward\n"
1198 "Any Internet Protocol\n"
1199 "A single source host\n"
1201 "Any destination host\n")
1204 int idx_permit_deny
= 3;
1206 return filter_set_cisco(vty
, argv
[idx_acl
]->arg
,
1207 argv
[idx_permit_deny
]->arg
, argv
[idx_ipv4
]->arg
,
1208 "0.0.0.0", "0.0.0.0", "255.255.255.255", 1, 0);
1211 static int filter_set_zebra(struct vty
*vty
, const char *name_str
,
1212 const char *type_str
, afi_t afi
,
1213 const char *prefix_str
, int exact
, int set
)
1216 enum filter_type type
;
1217 struct filter
*mfilter
;
1218 struct filter_zebra
*filter
;
1219 struct access_list
*access
;
1222 if (strlen(name_str
) > ACL_NAMSIZ
) {
1224 "%% ACL name %s is invalid: length exceeds "
1226 name_str
, ACL_NAMSIZ
);
1227 return CMD_WARNING_CONFIG_FAILED
;
1230 /* Check of filter type. */
1231 if (strncmp(type_str
, "p", 1) == 0)
1232 type
= FILTER_PERMIT
;
1233 else if (strncmp(type_str
, "d", 1) == 0)
1236 vty_out(vty
, "filter type must be [permit|deny]\n");
1237 return CMD_WARNING_CONFIG_FAILED
;
1240 /* Check string format of prefix and prefixlen. */
1241 if (afi
== AFI_IP
) {
1242 ret
= str2prefix_ipv4(prefix_str
, (struct prefix_ipv4
*)&p
);
1245 "IP address prefix/prefixlen is malformed\n");
1246 return CMD_WARNING_CONFIG_FAILED
;
1248 } else if (afi
== AFI_IP6
) {
1249 ret
= str2prefix_ipv6(prefix_str
, (struct prefix_ipv6
*)&p
);
1252 "IPv6 address prefix/prefixlen is malformed\n");
1253 return CMD_WARNING_CONFIG_FAILED
;
1256 return CMD_WARNING_CONFIG_FAILED
;
1258 mfilter
= filter_new();
1259 mfilter
->type
= type
;
1260 filter
= &mfilter
->u
.zfilter
;
1261 prefix_copy(&filter
->prefix
, &p
);
1267 /* Install new filter to the access_list. */
1268 access
= access_list_get(afi
, name_str
);
1271 if (filter_lookup_zebra(access
, mfilter
))
1272 filter_free(mfilter
);
1274 access_list_filter_add(access
, mfilter
);
1276 struct filter
*delete_filter
;
1278 delete_filter
= filter_lookup_zebra(access
, mfilter
);
1280 access_list_filter_delete(access
, delete_filter
);
1282 filter_free(mfilter
);
/*
 * CLI: "access-list WORD <deny|permit> A.B.C.D/M [exact-match]".
 *
 * Adds an IPv4 entry to the named access list by passing the
 * operator-supplied tokens, unmodified, to filter_set_zebra() with set = 1.
 * The name length, the permit/deny keyword and the prefix syntax are
 * validated in filter_set_zebra(), not in this handler.
 *
 * NOTE(review): the source listing dropped several lines of this handler;
 * the braces, the idx/exact/name-index declarations and the "exact = 1"
 * assignment are restored by inference from how the names are used -
 * confirm against the upstream file.
 */
DEFUN (access_list_exact,
       access_list_exact_cmd,
       "access-list WORD <deny|permit> A.B.C.D/M [exact-match]",
       "Add an access list entry\n"
       "IP zebra access-list name\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 10.0.0.0/8\n"
       "Exact match of the prefixes\n")
{
	/* Token positions in the command string above. */
	const int name_pos = 1;
	const int action_pos = 2;
	const int prefix_pos = 3;
	/* idx is seeded with the prefix position before the keyword search. */
	int idx = prefix_pos;
	int exact = 0;

	if (argv_find(argv, argc, "exact-match", &idx))
		exact = 1;

	return filter_set_zebra(vty, argv[name_pos]->arg,
				argv[action_pos]->arg, AFI_IP,
				argv[prefix_pos]->arg, exact, 1);
}
/*
 * CLI: "access-list WORD <deny|permit> any".
 *
 * Adds an IPv4 entry for the prefix "0.0.0.0/0" to the named access list
 * through filter_set_zebra().
 *
 * NOTE(review): the source listing dropped the braces, the name-index
 * declaration and the last two arguments of the call (exact, set). They are
 * restored as 0 and 1 by analogy with ipv6_access_list_any (exact = 0) and
 * access_list_exact (set = 1 for the add form) - confirm against upstream.
 */
DEFUN (access_list_any,
       access_list_any_cmd,
       "access-list WORD <deny|permit> any",
       "Add an access list entry\n"
       "IP zebra access-list name\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 10.0.0.0/8\n")
{
	/* Token positions in the command string above. */
	const int name_pos = 1;
	const int action_pos = 2;
	const char *acl_name = argv[name_pos]->arg;
	const char *action = argv[action_pos]->arg;

	return filter_set_zebra(vty, acl_name, action, AFI_IP, "0.0.0.0/0",
				0, 1);
}
/*
 * CLI: "no access-list WORD <deny|permit> A.B.C.D/M [exact-match]".
 *
 * Removes the matching IPv4 entry by calling filter_set_zebra() with
 * set = 0; the tokens are passed through as typed and validated there.
 *
 * NOTE(review): the source listing dropped several lines of this handler;
 * NO_STR (help for the leading "no"), the braces, the idx/exact/name-index
 * declarations and the "exact = 1" assignment are restored by inference -
 * confirm against the upstream file.
 */
DEFUN (no_access_list_exact,
       no_access_list_exact_cmd,
       "no access-list WORD <deny|permit> A.B.C.D/M [exact-match]",
       NO_STR
       "Add an access list entry\n"
       "IP zebra access-list name\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 10.0.0.0/8\n"
       "Exact match of the prefixes\n")
{
	/* Token positions; everything shifts by one behind the "no". */
	const int name_pos = 2;
	const int action_pos = 3;
	const int prefix_pos = 4;
	int idx = prefix_pos;
	int exact = 0;

	if (argv_find(argv, argc, "exact-match", &idx))
		exact = 1;

	return filter_set_zebra(vty, argv[name_pos]->arg,
				argv[action_pos]->arg, AFI_IP,
				argv[prefix_pos]->arg, exact, 0);
}
/*
 * CLI: "no access-list WORD <deny|permit> any".
 *
 * Removes the "0.0.0.0/0" entry of the named IPv4 access list through
 * filter_set_zebra().
 *
 * NOTE(review): the source listing dropped NO_STR, the braces, the
 * name-index declaration and the last two arguments of the call (exact,
 * set). They are restored as 0 and 0 by analogy with no_ipv6_access_list_any
 * and no_access_list_exact - confirm against upstream.
 */
DEFUN (no_access_list_any,
       no_access_list_any_cmd,
       "no access-list WORD <deny|permit> any",
       NO_STR
       "Add an access list entry\n"
       "IP zebra access-list name\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 10.0.0.0/8\n")
{
	/* Token positions in the command string above. */
	const int name_pos = 2;
	const int action_pos = 3;
	const char *acl_name = argv[name_pos]->arg;
	const char *action = argv[action_pos]->arg;

	return filter_set_zebra(vty, acl_name, action, AFI_IP, "0.0.0.0/0",
				0, 0);
}
/*
 * CLI: "no access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD>".
 *
 * Deletes a whole IPv4 access list. Fails with CMD_WARNING_CONFIG_FAILED
 * when no list of that name exists. Otherwise route-map dependencies are
 * notified and the master's delete hook (if any) is run while the list
 * still exists, and only then is the list deleted.
 *
 * NOTE(review): the source listing dropped NO_STR, the braces, the idx_acl
 * declaration and the final return; they are restored by inference (the
 * success return is assumed to be CMD_SUCCESS) - confirm against upstream.
 */
DEFUN (no_access_list_all,
       no_access_list_all_cmd,
       "no access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD>",
       NO_STR
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list name\n")
{
	const int idx_acl = 2;
	const char *acl_name = argv[idx_acl]->arg;
	struct access_list *access = access_list_lookup(AFI_IP, acl_name);
	struct access_master *master;

	if (!access) {
		vty_out(vty, "%% access-list %s doesn't exist\n", acl_name);
		return CMD_WARNING_CONFIG_FAILED;
	}

	master = access->master;

	/* Both notifications read the list, so they precede the delete. */
	route_map_notify_dependencies(access->name, RMAP_EVENT_FILTER_DELETED);
	if (master->delete_hook)
		(*master->delete_hook)(access);

	/* Remove the list together with all of its filters. */
	access_list_delete(access);

	return CMD_SUCCESS;
}
/*
 * CLI: "access-list <...|WORD> remark LINE...".
 *
 * Replaces the remark of an IPv4 access list with the concatenation of the
 * LINE tokens. An existing remark is released with MTYPE_TMP first.
 *
 * NOTE(review): the help text advertises "up to 100 characters", but no
 * length limit is applied in this handler - confirm whether one is enforced
 * elsewhere. The result of access_list_get() is dereferenced without a NULL
 * check, so it is presumably expected never to return NULL.
 *
 * NOTE(review): the source listing dropped the braces, the idx_acl and
 * idx_remark declarations and the final return; they are restored by
 * inference (token positions, CMD_SUCCESS) - confirm against upstream.
 */
DEFUN (access_list_remark,
       access_list_remark_cmd,
       "access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD> remark LINE...",
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list\n"
       "Access list entry comment\n"
       "Comment up to 100 characters\n")
{
	const int idx_acl = 1;
	const int idx_remark = 3;
	struct access_list *acl = access_list_get(AFI_IP, argv[idx_acl]->arg);

	/* Release the previous remark before storing the new one. */
	if (acl->remark) {
		XFREE(MTYPE_TMP, acl->remark);
		acl->remark = NULL;
	}
	acl->remark = argv_concat(argv, argc, idx_remark);

	return CMD_SUCCESS;
}
/*
 * CLI: "no access-list <...|WORD> remark".
 *
 * Clears the remark of an IPv4 access list; the work and the return code
 * come from vty_access_list_remark_unset().
 *
 * NOTE(review): the source listing dropped NO_STR, the braces and the
 * idx_acl declaration; they are restored by inference from the command
 * string - confirm against upstream.
 */
DEFUN (no_access_list_remark,
       no_access_list_remark_cmd,
       "no access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD> remark",
       NO_STR
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list\n"
       "Access list entry comment\n")
{
	const int idx_acl = 2;
	const char *acl_name = argv[idx_acl]->arg;

	return vty_access_list_remark_unset(vty, AFI_IP, acl_name);
}
/*
 * CLI: "no access-list <...|WORD> remark LINE...".
 *
 * Same as "no access-list ... remark" with the old remark text repeated on
 * the command line. The call is forwarded unchanged to
 * no_access_list_remark(), which only reads the list-name token, so the
 * trailing LINE text is not compared with the stored remark.
 *
 * NOTE(review): the source listing dropped NO_STR and the braces; they are
 * restored by inference - confirm against upstream.
 */
DEFUN (no_access_list_remark_comment,
       no_access_list_remark_comment_cmd,
       "no access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD> remark LINE...",
       NO_STR
       "Add an access list entry\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list\n"
       "Access list entry comment\n"
       "Comment up to 100 characters\n")
{
	return no_access_list_remark(self, vty, argc, argv);
}
/*
 * CLI: "ipv6 access-list WORD <deny|permit> X:X::X:X/M [exact-match]".
 *
 * Adds an IPv6 entry to the named access list: the operator-supplied name
 * and prefix tokens are passed unmodified to filter_set_zebra() for
 * AFI_IP6 with a final argument of 1.
 *
 * NOTE(review): this listing is incomplete. Gutter lines 1471, 1476 and
 * 1478-1485 are absent (they must include the opening brace and the
 * declarations of idx, exact, idx_word, idx_allow and idx_addr), as are the
 * statement guarded by the argv_find() test and the closing brace. Restore
 * them from the upstream file before relying on this text.
 */
1468 DEFUN (ipv6_access_list_exact
,
1469 ipv6_access_list_exact_cmd
,
1470 "ipv6 access-list WORD <deny|permit> X:X::X:X/M [exact-match]",
1472 "Add an access list entry\n"
1473 "IPv6 zebra access-list\n"
1474 "Specify packets to reject\n"
1475 "Specify packets to forward\n"
1477 "Exact match of the prefixes\n")
1486 if (argv_find(argv
, argc
, "exact-match", &idx
))
/*
 * NOTE(review): the permit/deny token is read through ->text here, while
 * the other handlers in this file pass ->arg. filter_set_zebra() compares
 * only the first character of that string, so confirm whether the
 * difference is intentional.
 */
1489 return filter_set_zebra(vty
, argv
[idx_word
]->arg
, argv
[idx_allow
]->text
,
1490 AFI_IP6
, argv
[idx_addr
]->arg
, exact
, 1);
/*
 * CLI: "ipv6 access-list WORD <deny|permit> any".
 *
 * Adds an IPv6 entry for the prefix "::/0" (exact = 0) to the named access
 * list through filter_set_zebra().
 *
 * NOTE(review): the source listing dropped IPV6_STR, the braces, the
 * name-index declaration and the last argument of the call (set). It is
 * restored as 1, as in the other add forms - confirm against upstream.
 */
DEFUN (ipv6_access_list_any,
       ipv6_access_list_any_cmd,
       "ipv6 access-list WORD <deny|permit> any",
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Any prefixi to match\n")
{
	/* Token positions in the command string above. */
	const int name_pos = 2;
	const int action_pos = 3;
	const char *acl_name = argv[name_pos]->arg;
	const char *action = argv[action_pos]->arg;

	return filter_set_zebra(vty, acl_name, action, AFI_IP6, "::/0", 0,
				1);
}
/*
 * CLI: "no ipv6 access-list WORD <deny|permit> X:X::X:X/M [exact-match]".
 *
 * Removes the matching IPv6 entry by calling filter_set_zebra() with
 * set = 0; the tokens are passed through as typed and validated there.
 *
 * NOTE(review): the source listing dropped several lines of this handler;
 * NO_STR and IPV6_STR, the braces, the idx/exact/name-index declarations
 * and the "exact = 1" assignment are restored by inference - confirm
 * against the upstream file.
 */
DEFUN (no_ipv6_access_list_exact,
       no_ipv6_access_list_exact_cmd,
       "no ipv6 access-list WORD <deny|permit> X:X::X:X/M [exact-match]",
       NO_STR
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Prefix to match. e.g. 3ffe:506::/32\n"
       "Exact match of the prefixes\n")
{
	/* Token positions in the command string above. */
	const int name_pos = 3;
	const int action_pos = 4;
	const int prefix_pos = 5;
	int idx = prefix_pos;
	int exact = 0;

	if (argv_find(argv, argc, "exact-match", &idx))
		exact = 1;

	return filter_set_zebra(vty, argv[name_pos]->arg,
				argv[action_pos]->arg, AFI_IP6,
				argv[prefix_pos]->arg, exact, 0);
}
/*
 * CLI: "no ipv6 access-list WORD <deny|permit> any".
 *
 * Removes the "::/0" entry (exact = 0) of the named IPv6 access list
 * through filter_set_zebra().
 *
 * NOTE(review): the source listing dropped NO_STR and IPV6_STR, the braces,
 * the name-index declaration and the last argument of the call (set). It is
 * restored as 0, as in the other "no" forms - confirm against upstream.
 */
DEFUN (no_ipv6_access_list_any,
       no_ipv6_access_list_any_cmd,
       "no ipv6 access-list WORD <deny|permit> any",
       NO_STR
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Specify packets to reject\n"
       "Specify packets to forward\n"
       "Any prefixi to match\n")
{
	/* Token positions in the command string above. */
	const int name_pos = 3;
	const int action_pos = 4;
	const char *acl_name = argv[name_pos]->arg;
	const char *action = argv[action_pos]->arg;

	return filter_set_zebra(vty, acl_name, action, AFI_IP6, "::/0", 0,
				0);
}
/*
 * CLI: "no ipv6 access-list WORD".
 *
 * Deletes a whole IPv6 access list. Fails with CMD_WARNING_CONFIG_FAILED
 * when no list of that name exists. Otherwise route-map dependencies are
 * notified and the master's delete hook (if any) is run while the list
 * still exists, and only then is the list deleted.
 *
 * NOTE(review): the source listing dropped NO_STR and IPV6_STR, the braces,
 * the idx_word declaration and the final return; they are restored by
 * inference (the success return is assumed to be CMD_SUCCESS) - confirm
 * against upstream.
 */
DEFUN (no_ipv6_access_list_all,
       no_ipv6_access_list_all_cmd,
       "no ipv6 access-list WORD",
       NO_STR
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n")
{
	const int idx_word = 3;
	const char *acl_name = argv[idx_word]->arg;
	struct access_list *access = access_list_lookup(AFI_IP6, acl_name);
	struct access_master *master;

	if (!access) {
		vty_out(vty, "%% access-list %s doesn't exist\n", acl_name);
		return CMD_WARNING_CONFIG_FAILED;
	}

	master = access->master;

	/* Both notifications read the list, so they precede the delete. */
	route_map_notify_dependencies(access->name, RMAP_EVENT_FILTER_DELETED);
	if (master->delete_hook)
		(*master->delete_hook)(access);

	/* Remove the list together with all of its filters. */
	access_list_delete(access);

	return CMD_SUCCESS;
}
/*
 * CLI: "ipv6 access-list WORD remark LINE...".
 *
 * Replaces the remark of an IPv6 access list with the concatenation of the
 * LINE tokens. An existing remark is released with MTYPE_TMP first.
 *
 * NOTE(review): the help text advertises "up to 100 characters", but no
 * length limit is applied in this handler - confirm whether one is enforced
 * elsewhere. The result of access_list_get() is dereferenced without a NULL
 * check, so it is presumably expected never to return NULL.
 *
 * NOTE(review): the source listing dropped IPV6_STR, the braces, the
 * idx_word and idx_line declarations and the final return; they are
 * restored by inference (token positions, CMD_SUCCESS) - confirm against
 * upstream.
 */
DEFUN (ipv6_access_list_remark,
       ipv6_access_list_remark_cmd,
       "ipv6 access-list WORD remark LINE...",
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Access list entry comment\n"
       "Comment up to 100 characters\n")
{
	const int idx_word = 2;
	const int idx_line = 4;
	struct access_list *acl = access_list_get(AFI_IP6, argv[idx_word]->arg);

	/* Release the previous remark before storing the new one. */
	if (acl->remark) {
		XFREE(MTYPE_TMP, acl->remark);
		acl->remark = NULL;
	}
	acl->remark = argv_concat(argv, argc, idx_line);

	return CMD_SUCCESS;
}
/*
 * CLI: "no ipv6 access-list WORD remark".
 *
 * Clears the remark of an IPv6 access list; the work and the return code
 * come from vty_access_list_remark_unset().
 *
 * NOTE(review): the source listing dropped NO_STR and IPV6_STR, the braces
 * and the idx_word declaration; they are restored by inference from the
 * command string - confirm against upstream.
 */
DEFUN (no_ipv6_access_list_remark,
       no_ipv6_access_list_remark_cmd,
       "no ipv6 access-list WORD remark",
       NO_STR
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Access list entry comment\n")
{
	const int idx_word = 3;
	const char *acl_name = argv[idx_word]->arg;

	return vty_access_list_remark_unset(vty, AFI_IP6, acl_name);
}
/*
 * CLI: "no ipv6 access-list WORD remark LINE...".
 *
 * Same as "no ipv6 access-list WORD remark" with the old remark text
 * repeated on the command line. The call is forwarded unchanged to
 * no_ipv6_access_list_remark(), which only reads the list-name token, so
 * the trailing LINE text is not compared with the stored remark.
 *
 * NOTE(review): the source listing dropped NO_STR, IPV6_STR and the braces;
 * they are restored by inference - confirm against upstream.
 */
DEFUN (no_ipv6_access_list_remark_comment,
       no_ipv6_access_list_remark_comment_cmd,
       "no ipv6 access-list WORD remark LINE...",
       NO_STR
       IPV6_STR
       "Add an access list entry\n"
       "IPv6 zebra access-list\n"
       "Access list entry comment\n"
       "Comment up to 100 characters\n")
{
	return no_ipv6_access_list_remark(self, vty, argc, argv);
}
/*
 * Forward declarations: filter_show() calls both writers before their
 * definitions further down in this file.
 */
void config_write_access_zebra(struct vty *vty, struct filter *mfilter);
void config_write_access_cisco(struct vty *vty, struct filter *mfilter);
/*
 * Backend of the "show ip access-list" and "show ipv6 access-list"
 * commands.
 *
 * Prints frr_protoname, then walks the numbered lists (master->num) and the
 * named lists (master->str) of the address family. Each loop starts with a
 * name comparison that presumably skips lists other than the requested one
 * when name is non-NULL (the guarded statement is not shown). Zebra-style
 * entries are printed by config_write_access_zebra(), extended entries by
 * config_write_access_cisco(); the remaining case prints " any" when the
 * address mask is 0xffffffff, otherwise the address and, when the mask is
 * non-zero, the wildcard bits.
 *
 * NOTE(review): many lines of this function are missing from the listing
 * (gaps in the gutter numbers such as 1653-1655, 1661-1664, 1671-1673 and
 * 1675-1678), including braces, else branches, some vty_out() calls and
 * format arguments, so the text below does not compile as shown. Restore it
 * from the upstream file before relying on it.
 */
1643 /* show access-list command. */
1644 static int filter_show(struct vty
*vty
, const char *name
, afi_t afi
)
1646 struct access_list
*access
;
1647 struct access_master
*master
;
1648 struct filter
*mfilter
;
1649 struct filter_cisco
*filter
;
1652 master
= access_master_get(afi
);
1656 /* Print the name of the protocol */
1657 vty_out(vty
, "%s:\n", frr_protoname
);
/* First pass: lists kept in master->num. */
1659 for (access
= master
->num
.head
; access
; access
= access
->next
) {
1660 if (name
&& strcmp(access
->name
, name
) != 0)
1665 for (mfilter
= access
->head
; mfilter
; mfilter
= mfilter
->next
) {
/* The cisco view of the union is taken for every entry; it is only
 * read after the !mfilter->cisco test below has been passed. */
1666 filter
= &mfilter
->u
.cfilter
;
1669 vty_out(vty
, "%s IP%s access list %s\n",
1670 mfilter
->cisco
? (filter
->extended
1674 afi
== AFI_IP6
? "v6" : "",
1679 vty_out(vty
, " %s%s", filter_type_str(mfilter
),
1680 mfilter
->type
== FILTER_DENY
? " " : "");
1682 if (!mfilter
->cisco
)
1683 config_write_access_zebra(vty
, mfilter
);
1684 else if (filter
->extended
)
1685 config_write_access_cisco(vty
, mfilter
);
1687 if (filter
->addr_mask
.s_addr
== 0xffffffff)
1688 vty_out(vty
, " any\n");
1691 inet_ntoa(filter
->addr
));
1692 if (filter
->addr_mask
.s_addr
!= 0)
1694 ", wildcard bits %s",
1696 filter
->addr_mask
));
/* Second pass: the same output for the lists kept in master->str. */
1703 for (access
= master
->str
.head
; access
; access
= access
->next
) {
1704 if (name
&& strcmp(access
->name
, name
) != 0)
1709 for (mfilter
= access
->head
; mfilter
; mfilter
= mfilter
->next
) {
1710 filter
= &mfilter
->u
.cfilter
;
1713 vty_out(vty
, "%s IP%s access list %s\n",
1714 mfilter
->cisco
? (filter
->extended
1718 afi
== AFI_IP6
? "v6" : "",
1723 vty_out(vty
, " %s%s", filter_type_str(mfilter
),
1724 mfilter
->type
== FILTER_DENY
? " " : "");
1726 if (!mfilter
->cisco
)
1727 config_write_access_zebra(vty
, mfilter
);
1728 else if (filter
->extended
)
1729 config_write_access_cisco(vty
, mfilter
);
1731 if (filter
->addr_mask
.s_addr
== 0xffffffff)
1732 vty_out(vty
, " any\n");
1735 inet_ntoa(filter
->addr
));
1736 if (filter
->addr_mask
.s_addr
!= 0)
1738 ", wildcard bits %s",
1740 filter
->addr_mask
));
/*
 * CLI: "show ip access-list".
 *
 * Lists every IPv4 access list: filter_show() is called with a NULL name,
 * which leaves its per-list name test disabled.
 *
 * NOTE(review): the source listing dropped the help macros for "show" and
 * "ip" and the braces; SHOW_STR and IP_STR are restored by inference -
 * confirm against upstream.
 */
DEFUN (show_ip_access_list,
       show_ip_access_list_cmd,
       "show ip access-list",
       SHOW_STR
       IP_STR
       "List IP access lists\n")
{
	const char *every_list = NULL;

	return filter_show(vty, every_list, AFI_IP);
}
/*
 * CLI: "show ip access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD>".
 *
 * Shows one IPv4 access list: the operator-supplied name is handed to
 * filter_show(), which compares it with each list name using strcmp().
 *
 * NOTE(review): the source listing dropped the help macros for "show" and
 * "ip", the braces and the idx_acl declaration; SHOW_STR, IP_STR and the
 * token position are restored by inference - confirm against upstream.
 */
DEFUN (show_ip_access_list_name,
       show_ip_access_list_name_cmd,
       "show ip access-list <(1-99)|(100-199)|(1300-1999)|(2000-2699)|WORD>",
       SHOW_STR
       IP_STR
       "List IP access lists\n"
       "IP standard access list\n"
       "IP extended access list\n"
       "IP standard access list (expanded range)\n"
       "IP extended access list (expanded range)\n"
       "IP zebra access-list\n")
{
	const int idx_acl = 3;
	const char *acl_name = argv[idx_acl]->arg;

	return filter_show(vty, acl_name, AFI_IP);
}
/*
 * CLI: "show ipv6 access-list".
 *
 * Lists every IPv6 access list: filter_show() is called with a NULL name,
 * which leaves its per-list name test disabled.
 *
 * NOTE(review): the source listing dropped the help macros for "show" and
 * "ipv6" and the braces; SHOW_STR and IPV6_STR are restored by inference -
 * confirm against upstream.
 */
DEFUN (show_ipv6_access_list,
       show_ipv6_access_list_cmd,
       "show ipv6 access-list",
       SHOW_STR
       IPV6_STR
       "List IPv6 access lists\n")
{
	const char *every_list = NULL;

	return filter_show(vty, every_list, AFI_IP6);
}
/*
 * CLI: "show ipv6 access-list WORD".
 *
 * Shows one IPv6 access list: the operator-supplied name is handed to
 * filter_show(), which compares it with each list name using strcmp().
 *
 * NOTE(review): the source listing dropped the help macros for "show" and
 * "ipv6", the braces and the idx_word declaration; SHOW_STR, IPV6_STR and
 * the token position are restored by inference - confirm against upstream.
 */
DEFUN (show_ipv6_access_list_name,
       show_ipv6_access_list_name_cmd,
       "show ipv6 access-list WORD",
       SHOW_STR
       IPV6_STR
       "List IPv6 access lists\n"
       "IPv6 zebra access-list\n")
{
	const int idx_word = 3;
	const char *acl_name = argv[idx_word]->arg;

	return filter_show(vty, acl_name, AFI_IP6);
}
/*
 * Print the address part of one Cisco-style filter to vty.
 *
 * Extended entries print " ip" followed by two address groups, the first
 * from filter->addr / filter->addr_mask and the second from filter->mask /
 * filter->mask_mask. Each group is " any" when its mask is 0xffffffff,
 * " host ADDR" when its mask is 0, and otherwise the address followed by
 * the mask. The non-extended branch prints " any\n" for a mask of
 * 0xffffffff, otherwise the address and, when the mask is non-zero, the
 * mask as well.
 *
 * inet_ntoa() returns a pointer to a static buffer; every result here is
 * consumed by its own vty_out() call before the next conversion, so two
 * conversions must not be merged into one vty_out().
 *
 * NOTE(review): the listing omits several lines of this function (gutter
 * 1809, 1812, 1818, 1821-1823, 1826, 1829 and 1831-1834: else branches,
 * closing braces and at least one vty_out() call). Restore them from the
 * upstream file before relying on this text.
 */
1797 void config_write_access_cisco(struct vty
*vty
, struct filter
*mfilter
)
1799 struct filter_cisco
*filter
;
1801 filter
= &mfilter
->u
.cfilter
;
1803 if (filter
->extended
) {
1804 vty_out(vty
, " ip");
/* First address group: addr / addr_mask. */
1805 if (filter
->addr_mask
.s_addr
== 0xffffffff)
1806 vty_out(vty
, " any");
1807 else if (filter
->addr_mask
.s_addr
== 0)
1808 vty_out(vty
, " host %s", inet_ntoa(filter
->addr
));
1810 vty_out(vty
, " %s", inet_ntoa(filter
->addr
));
1811 vty_out(vty
, " %s", inet_ntoa(filter
->addr_mask
));
/* Second address group: mask / mask_mask. */
1814 if (filter
->mask_mask
.s_addr
== 0xffffffff)
1815 vty_out(vty
, " any");
1816 else if (filter
->mask_mask
.s_addr
== 0)
1817 vty_out(vty
, " host %s", inet_ntoa(filter
->mask
));
1819 vty_out(vty
, " %s", inet_ntoa(filter
->mask
));
1820 vty_out(vty
, " %s", inet_ntoa(filter
->mask_mask
));
/* Non-extended entry (the "} else {" line is missing from the listing). */
1824 if (filter
->addr_mask
.s_addr
== 0xffffffff)
1825 vty_out(vty
, " any\n");
1827 vty_out(vty
, " %s", inet_ntoa(filter
->addr
));
1828 if (filter
->addr_mask
.s_addr
!= 0)
1830 inet_ntoa(filter
->addr_mask
));
/*
 * Print the prefix part of one zebra-style filter to vty: " any" when the
 * prefix length is 0 and the entry is not exact-match, otherwise
 * " ADDR/LEN" followed by " exact-match" when filter->exact is set.
 *
 * NOTE(review): the declarations of p and buf, the else between the two
 * vty_out() calls and the end of the function (gutter 1839-1841, 1847 and
 * 1851-1853) are missing from the listing. inet_ntop() is given BUFSIZ as
 * the buffer size, so buf is presumably declared with at least that size -
 * confirm against the upstream file. The return value of inet_ntop() is
 * passed straight to "%s"; it is assumed p->family is always a family
 * inet_ntop() supports - confirm.
 */
1836 void config_write_access_zebra(struct vty
*vty
, struct filter
*mfilter
)
1838 struct filter_zebra
*filter
;
1842 filter
= &mfilter
->u
.zfilter
;
1843 p
= &filter
->prefix
;
1845 if (p
->prefixlen
== 0 && !filter
->exact
)
1846 vty_out(vty
, " any");
1848 vty_out(vty
, " %s/%d%s",
1849 inet_ntop(p
->family
, &p
->u
.prefix
, buf
, BUFSIZ
),
1850 p
->prefixlen
, filter
->exact
? " exact-match" : "");
/*
 * Write the access-list configuration of one address family to vty.
 *
 * Walks the numbered lists (master->num) and then the named lists
 * (master->str). For each list a "... remark ..." line is written when
 * access->remark is set, followed by one "access-list NAME TYPE" line per
 * filter that is completed by config_write_access_cisco() or
 * config_write_access_zebra(). Every line is prefixed with "ipv6 " unless
 * afi is AFI_IP.
 *
 * NOTE(review): the listing drops many lines of this function (for example
 * gutter 1860-1865, 1870-1873, 1878-1879, 1881 and 1883-1887), including
 * the last argument of the remark vty_out(), the test that chooses between
 * the two writers, and the return statement. Restore them from the upstream
 * file before relying on this text.
 */
1855 static int config_write_access(struct vty
*vty
, afi_t afi
)
1857 struct access_list
*access
;
1858 struct access_master
*master
;
1859 struct filter
*mfilter
;
1862 master
= access_master_get(afi
);
/* Numbered lists. */
1866 for (access
= master
->num
.head
; access
; access
= access
->next
) {
1867 if (access
->remark
) {
1868 vty_out(vty
, "%saccess-list %s remark %s\n",
1869 afi
== AFI_IP
? "" : "ipv6 ", access
->name
,
1874 for (mfilter
= access
->head
; mfilter
; mfilter
= mfilter
->next
) {
1875 vty_out(vty
, "%saccess-list %s %s",
1876 afi
== AFI_IP
? "" : "ipv6 ", access
->name
,
1877 filter_type_str(mfilter
));
1880 config_write_access_cisco(vty
, mfilter
);
1882 config_write_access_zebra(vty
, mfilter
);
/* Named lists: same output as above. */
1888 for (access
= master
->str
.head
; access
; access
= access
->next
) {
1889 if (access
->remark
) {
1890 vty_out(vty
, "%saccess-list %s remark %s\n",
1891 afi
== AFI_IP
? "" : "ipv6 ", access
->name
,
1896 for (mfilter
= access
->head
; mfilter
; mfilter
= mfilter
->next
) {
1897 vty_out(vty
, "%saccess-list %s %s",
1898 afi
== AFI_IP
? "" : "ipv6 ", access
->name
,
1899 filter_type_str(mfilter
));
1902 config_write_access_cisco(vty
, mfilter
);
1904 config_write_access_zebra(vty
, mfilter
);
/*
 * Command node for IPv4 access lists, registered by access_list_init_ipv4()
 * together with config_write_access_ipv4().
 *
 * NOTE(review): the initializer is cut short in this listing (gutter 1915
 * is missing); access_ipv6_node further down shows a third field of 1 -
 * confirm the value here against the upstream file.
 */
1912 /* Access-list node. */
1913 static struct cmd_node access_node
= {ACCESS_NODE
,
1914 "", /* Access list has no interface. */
/*
 * Configuration writer registered with install_node() for access_node:
 * writes the IPv4 access lists and returns config_write_access()'s result.
 */
static int config_write_access_ipv4(struct vty *vty)
{
	const afi_t family = AFI_IP;

	return config_write_access(vty, family);
}
/*
 * Delete every IPv4 access list, numbered and named.
 *
 * Each loop reads access->next before calling access_list_delete(), so the
 * walk never touches a node after it has been handed to the delete routine
 * (which presumably frees it - confirm). The asserts then check that the
 * head and tail of both lists were left NULL.
 *
 * NOTE(review): gutter lines 1929-1931 (between the access_master_get()
 * call and the first loop) and the braces are missing from this listing, so
 * any check on master made there is not visible. Restore them from the
 * upstream file before relying on this text.
 */
1922 static void access_list_reset_ipv4(void)
1924 struct access_list
*access
;
1925 struct access_list
*next
;
1926 struct access_master
*master
;
1928 master
= access_master_get(AFI_IP
);
1932 for (access
= master
->num
.head
; access
; access
= next
) {
/* Save the successor first; access is not used after the delete. */
1933 next
= access
->next
;
1934 access_list_delete(access
);
1936 for (access
= master
->str
.head
; access
; access
= next
) {
1937 next
= access
->next
;
1938 access_list_delete(access
);
1941 assert(master
->num
.head
== NULL
);
1942 assert(master
->num
.tail
== NULL
);
1944 assert(master
->str
.head
== NULL
);
1945 assert(master
->str
.tail
== NULL
);
/*
 * Register the IPv4 access-list node and its CLI commands.
 *
 * The two show commands are installed on ENABLE_NODE; every command that
 * creates, changes or removes an access list is installed on CONFIG_NODE.
 */
static void access_list_init_ipv4(void)
{
	install_node(&access_node, config_write_access_ipv4);

	/* Read-only views. */
	install_element(ENABLE_NODE, &show_ip_access_list_cmd);
	install_element(ENABLE_NODE, &show_ip_access_list_name_cmd);

	/* Zebra (prefix based) access lists. */
	install_element(CONFIG_NODE, &access_list_exact_cmd);
	install_element(CONFIG_NODE, &access_list_any_cmd);
	install_element(CONFIG_NODE, &no_access_list_exact_cmd);
	install_element(CONFIG_NODE, &no_access_list_any_cmd);

	/* Standard access lists. */
	install_element(CONFIG_NODE, &access_list_standard_cmd);
	install_element(CONFIG_NODE, &access_list_standard_nomask_cmd);
	install_element(CONFIG_NODE, &access_list_standard_host_cmd);
	install_element(CONFIG_NODE, &access_list_standard_any_cmd);
	install_element(CONFIG_NODE, &no_access_list_standard_cmd);
	install_element(CONFIG_NODE, &no_access_list_standard_nomask_cmd);
	install_element(CONFIG_NODE, &no_access_list_standard_host_cmd);
	install_element(CONFIG_NODE, &no_access_list_standard_any_cmd);

	/* Extended access lists. */
	install_element(CONFIG_NODE, &access_list_extended_cmd);
	install_element(CONFIG_NODE, &access_list_extended_any_mask_cmd);
	install_element(CONFIG_NODE, &access_list_extended_mask_any_cmd);
	install_element(CONFIG_NODE, &access_list_extended_any_any_cmd);
	install_element(CONFIG_NODE, &access_list_extended_host_mask_cmd);
	install_element(CONFIG_NODE, &access_list_extended_mask_host_cmd);
	install_element(CONFIG_NODE, &access_list_extended_host_host_cmd);
	install_element(CONFIG_NODE, &access_list_extended_any_host_cmd);
	install_element(CONFIG_NODE, &access_list_extended_host_any_cmd);
	install_element(CONFIG_NODE, &no_access_list_extended_cmd);
	install_element(CONFIG_NODE, &no_access_list_extended_any_mask_cmd);
	install_element(CONFIG_NODE, &no_access_list_extended_mask_any_cmd);
	install_element(CONFIG_NODE, &no_access_list_extended_any_any_cmd);
	install_element(CONFIG_NODE, &no_access_list_extended_host_mask_cmd);
	install_element(CONFIG_NODE, &no_access_list_extended_mask_host_cmd);
	install_element(CONFIG_NODE, &no_access_list_extended_host_host_cmd);
	install_element(CONFIG_NODE, &no_access_list_extended_any_host_cmd);
	install_element(CONFIG_NODE, &no_access_list_extended_host_any_cmd);

	/* Remarks and whole-list removal. */
	install_element(CONFIG_NODE, &access_list_remark_cmd);
	install_element(CONFIG_NODE, &no_access_list_all_cmd);
	install_element(CONFIG_NODE, &no_access_list_remark_cmd);
	install_element(CONFIG_NODE, &no_access_list_remark_comment_cmd);
}
/*
 * Command node for IPv6 access lists, registered by access_list_init_ipv6()
 * together with config_write_access_ipv6(). The second field is an empty
 * string, as in access_node.
 */
static struct cmd_node access_ipv6_node = {
	ACCESS_IPV6_NODE,
	"",
	1,
};
/*
 * Configuration writer registered with install_node() for
 * access_ipv6_node: writes the IPv6 access lists and returns
 * config_write_access()'s result.
 */
static int config_write_access_ipv6(struct vty *vty)
{
	const afi_t family = AFI_IP6;

	return config_write_access(vty, family);
}
/*
 * Delete every IPv6 access list, numbered and named.
 *
 * Each loop reads access->next before calling access_list_delete(), so the
 * walk never touches a node after it has been handed to the delete routine
 * (which presumably frees it - confirm). The asserts then check that the
 * head and tail of both lists were left NULL.
 *
 * NOTE(review): gutter lines 2012-2014 (between the access_master_get()
 * call and the first loop) and the braces are missing from this listing, so
 * any check on master made there is not visible. Restore them from the
 * upstream file before relying on this text.
 */
2005 static void access_list_reset_ipv6(void)
2007 struct access_list
*access
;
2008 struct access_list
*next
;
2009 struct access_master
*master
;
2011 master
= access_master_get(AFI_IP6
);
2015 for (access
= master
->num
.head
; access
; access
= next
) {
/* Save the successor first; access is not used after the delete. */
2016 next
= access
->next
;
2017 access_list_delete(access
);
2019 for (access
= master
->str
.head
; access
; access
= next
) {
2020 next
= access
->next
;
2021 access_list_delete(access
);
2024 assert(master
->num
.head
== NULL
);
2025 assert(master
->num
.tail
== NULL
);
2027 assert(master
->str
.head
== NULL
);
2028 assert(master
->str
.tail
== NULL
);
/*
 * Register the IPv6 access-list node and its CLI commands.
 *
 * The two show commands are installed on ENABLE_NODE; every command that
 * creates, changes or removes an access list is installed on CONFIG_NODE.
 */
static void access_list_init_ipv6(void)
{
	install_node(&access_ipv6_node, config_write_access_ipv6);

	/* Read-only views. */
	install_element(ENABLE_NODE, &show_ipv6_access_list_cmd);
	install_element(ENABLE_NODE, &show_ipv6_access_list_name_cmd);

	/* Entry add/remove. */
	install_element(CONFIG_NODE, &ipv6_access_list_exact_cmd);
	install_element(CONFIG_NODE, &ipv6_access_list_any_cmd);
	install_element(CONFIG_NODE, &no_ipv6_access_list_exact_cmd);
	install_element(CONFIG_NODE, &no_ipv6_access_list_any_cmd);

	/* Whole-list removal and remarks. */
	install_element(CONFIG_NODE, &no_ipv6_access_list_all_cmd);
	install_element(CONFIG_NODE, &ipv6_access_list_remark_cmd);
	install_element(CONFIG_NODE, &no_ipv6_access_list_remark_cmd);
	install_element(CONFIG_NODE, &no_ipv6_access_list_remark_comment_cmd);
}
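/*
 * Install the access-list CLI for both address families, IPv4 first and
 * then IPv6.
 *
 * Defined with a (void) parameter list so the definition is a prototype and
 * a call that passes arguments is diagnosed by the compiler.
 */
void access_list_init(void)
{
	access_list_init_ipv4();
	access_list_init_ipv6();
}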
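/*
 * Delete all access lists of both address families, IPv4 first and then
 * IPv6.
 *
 * Defined with a (void) parameter list so the definition is a prototype and
 * a call that passes arguments is diagnosed by the compiler.
 */
void access_list_reset(void)
{
	access_list_reset_ipv4();
	access_list_reset_ipv6();
}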