// vim: sw=8 ts=8
char const *cvs_name = "$Name: $";
-char const *cvs_id_cli = "$Id: cli.c,v 1.28 2004/11/16 07:54:32 bodea Exp $";
+char const *cvs_id_cli = "$Id: cli.c,v 1.43.2.5 2005/01/13 08:26:51 bodea Exp $";
#include <stdio.h>
#include <stdarg.h>
+#include <unistd.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <syslog.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <signal.h>
-#include <unistd.h>
#include <dlfcn.h>
+#include <netdb.h>
#include <libcli.h>
+
#include "l2tpns.h"
#include "util.h"
#include "cluster.h"
#include "ll.h"
#ifdef BGP
#include "bgp.h"
-#include <netdb.h>
#endif
extern tunnelt *tunnel;
extern ippoolt *ip_address_pool;
extern struct Tstats *_statistics;
static struct cli_def *cli = NULL;
-extern struct configt *config;
-extern struct config_descriptt config_values[];
+extern configt *config;
+extern config_descriptt config_values[];
#ifdef RINGBUFFER
extern struct Tringbuffer *ringbuffer;
#endif
extern struct cli_session_actions *cli_session_actions;
extern struct cli_tunnel_actions *cli_tunnel_actions;
extern tbft *filter_list;
+extern ip_filtert *ip_filters;
static char *debug_levels[] = {
"CRIT",
static int cmd_restart_bgp(struct cli_def *cli, char *command, char **argv, int argc);
#endif /* BGP */
+#define MODE_CONFIG_NACL 9
+static int cmd_ip_access_list(struct cli_def *cli, char *command, char **argv, int argc);
+static int cmd_no_ip_access_list(struct cli_def *cli, char *command, char **argv, int argc);
+static int cmd_ip_access_list_rule(struct cli_def *cli, char *command, char **argv, int argc);
+static int cmd_filter(struct cli_def *cli, char *command, char **argv, int argc);
+static int cmd_no_filter(struct cli_def *cli, char *command, char **argv, int argc);
+static int cmd_show_access_list(struct cli_def *cli, char *command, char **argv, int argc);
+
+/* match if b is a substr of a */
+#define MATCH(a,b) (!strncmp((a), (b), strlen(b)))
+
void init_cli(char *hostname)
{
FILE *f;
cli_register_command(cli, c, "tunnels", cmd_show_tunnels, PRIVILEGE_UNPRIVILEGED, MODE_EXEC, "Show a list of tunnels or details for a single tunnel");
cli_register_command(cli, c, "users", cmd_show_users, PRIVILEGE_UNPRIVILEGED, MODE_EXEC, "Show a list of all connected users or details of selected user");
cli_register_command(cli, c, "version", cmd_show_version, PRIVILEGE_UNPRIVILEGED, MODE_EXEC, "Show currently running software version");
+ cli_register_command(cli, c, "access-list", cmd_show_access_list, PRIVILEGE_UNPRIVILEGED, MODE_EXEC, "Show named access-list");
c2 = cli_register_command(cli, c, "histogram", NULL, PRIVILEGE_UNPRIVILEGED, MODE_EXEC, NULL);
cli_register_command(cli, c2, "idle", cmd_show_hist_idle, PRIVILEGE_UNPRIVILEGED, MODE_EXEC, "Show histogram of session idle times");
cli_register_command(cli, c, "memory", cmd_write_memory, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Save the running config to flash");
cli_register_command(cli, c, "terminal", cmd_show_run, PRIVILEGE_UNPRIVILEGED, MODE_EXEC, "Show the running config");
- cli_register_command(cli, NULL, "snoop", cmd_snoop, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Temporarily enable interception for a user");
- cli_register_command(cli, NULL, "throttle", cmd_throttle, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Temporarily enable throttling for a user");
+ cli_register_command(cli, NULL, "snoop", cmd_snoop, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Enable interception of a session");
+ cli_register_command(cli, NULL, "throttle", cmd_throttle, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Enable throttling of a session");
+ cli_register_command(cli, NULL, "filter", cmd_filter, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Add filtering to a session");
cli_register_command(cli, NULL, "debug", cmd_debug, PRIVILEGE_UNPRIVILEGED, MODE_EXEC, "Set the level of logging that is shown on the console");
#ifdef BGP
#endif /* BGP */
c = cli_register_command(cli, NULL, "no", NULL, PRIVILEGE_UNPRIVILEGED, MODE_EXEC, NULL);
- cli_register_command(cli, c, "snoop", cmd_no_snoop, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Temporarily disable interception for a user");
- cli_register_command(cli, c, "throttle", cmd_no_throttle, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Temporarily disable throttling for a user");
+ cli_register_command(cli, c, "snoop", cmd_no_snoop, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Disable interception of a session");
+ cli_register_command(cli, c, "throttle", cmd_no_throttle, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Disable throttling of a session");
+ cli_register_command(cli, c, "filter", cmd_no_filter, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Remove filtering from a session");
cli_register_command(cli, c, "debug", cmd_no_debug, PRIVILEGE_UNPRIVILEGED, MODE_EXEC, "Turn off logging of a certain level of debugging");
#ifdef BGP
cli_register_command(cli, NULL, "set", cmd_set, PRIVILEGE_PRIVILEGED, MODE_CONFIG, "Set a configuration variable");
+ c = cli_register_command(cli, NULL, "ip", NULL, PRIVILEGE_PRIVILEGED, MODE_CONFIG, NULL);
+ cli_register_command(cli, c, "access-list", cmd_ip_access_list, PRIVILEGE_PRIVILEGED, MODE_CONFIG, "Add named access-list");
+
+ cli_register_command(cli, NULL, "permit", cmd_ip_access_list_rule, PRIVILEGE_PRIVILEGED, MODE_CONFIG_NACL, "Permit rule");
+ cli_register_command(cli, NULL, "deny", cmd_ip_access_list_rule, PRIVILEGE_PRIVILEGED, MODE_CONFIG_NACL, "Deny rule");
+
+ c = cli_register_command(cli, NULL, "no", NULL, PRIVILEGE_UNPRIVILEGED, MODE_CONFIG, NULL);
+ c2 = cli_register_command(cli, c, "ip", NULL, PRIVILEGE_PRIVILEGED, MODE_CONFIG, NULL);
+ cli_register_command(cli, c2, "access-list", cmd_no_ip_access_list, PRIVILEGE_PRIVILEGED, MODE_CONFIG, "Remove named access-list");
+
// Enable regular processing
cli_regular(cli, regular_stuff);
if (!(f = fopen(CLIUSERS, "r")))
{
- LOG(0, 0, 0, 0, "WARNING! No users specified. Command-line access is open to all\n");
+ LOG(0, 0, 0, "WARNING! No users specified. Command-line access is open to all\n");
}
else
{
if (!strcmp(buf, "enable"))
{
cli_allow_enable(cli, p);
- LOG(3, 0, 0, 0, "Setting enable password\n");
+ LOG(3, 0, 0, "Setting enable password\n");
}
else
{
cli_allow_user(cli, buf, p);
- LOG(3, 0, 0, 0, "Allowing user %s to connect to the CLI\n", buf);
+ LOG(3, 0, 0, "Allowing user %s to connect to the CLI\n", buf);
}
}
fclose(f);
addr.sin_port = htons(23);
if (bind(clifd, (void *) &addr, sizeof(addr)) < 0)
{
- LOG(0, 0, 0, 0, "Error listening on cli port 23: %s\n", strerror(errno));
+ LOG(0, 0, 0, "Error listening on cli port 23: %s\n", strerror(errno));
return;
}
listen(clifd, 10);
if (fork_and_close()) return;
if (getpeername(sockfd, (struct sockaddr *)&addr, &l) == 0)
{
- LOG(3, 0, 0, 0, "Accepted connection to CLI from %s\n", inet_toa(addr.sin_addr.s_addr));
require_auth = addr.sin_addr.s_addr != inet_addr("127.0.0.1");
+ LOG(require_auth ? 3 : 4, 0, 0, "Accepted connection to CLI from %s\n",
+ fmtaddr(addr.sin_addr.s_addr, 0));
}
else
- LOG(0, 0, 0, 0, "getpeername() failed on cli socket. Requiring authentication: %s\n", strerror(errno));
+ LOG(0, 0, 0, "getpeername() failed on cli socket. Requiring authentication: %s\n", strerror(errno));
if (require_auth)
{
- LOG(3, 0, 0, 0, "CLI is remote, requiring authentication\n");
+ LOG(3, 0, 0, "CLI is remote, requiring authentication\n");
if (!cli->users) /* paranoia */
{
- LOG(0, 0, 0, 0, "No users for remote authentication! Exiting CLI\n");
+ LOG(0, 0, 0, "No users for remote authentication! Exiting CLI\n");
exit(0);
}
}
cli_loop(cli, sockfd);
close(sockfd);
- LOG(3, 0, 0, 0, "Closed CLI connection from %s\n", inet_toa(addr.sin_addr.s_addr));
+ LOG(require_auth ? 3 : 4, 0, 0, "Closed CLI connection from %s\n",
+ fmtaddr(addr.sin_addr.s_addr, 0));
+
exit(0);
}
static void cli_print_log(struct cli_def *cli, char *string)
{
- LOG(3, 0, 0, 0, "%s\n", string);
+ LOG(3, 0, 0, "%s\n", string);
}
void cli_do_file(FILE *fh)
{
- LOG(3, 0, 0, 0, "Reading configuration file\n");
+ LOG(3, 0, 0, "Reading configuration file\n");
cli_print_callback(cli, cli_print_log);
cli_file(cli, fh, PRIVILEGE_PRIVILEGED, MODE_CONFIG);
cli_print_callback(cli, NULL);
cli_print(cli, "\tCalling Num:\t%s", session[s].calling);
cli_print(cli, "\tCalled Num:\t%s", session[s].called);
cli_print(cli, "\tTunnel ID:\t%d", session[s].tunnel);
- cli_print(cli, "\tIP address:\t%s", inet_toa(htonl(session[s].ip)));
+ cli_print(cli, "\tIP address:\t%s", fmtaddr(htonl(session[s].ip), 0));
cli_print(cli, "\tUnique SID:\t%lu", session[s].unique_id);
cli_print(cli, "\tIdle time:\t%u seconds", abs(time_now - session[s].last_packet));
cli_print(cli, "\tNext Recv:\t%u", session[s].nr);
cli_print(cli, "\tNext Send:\t%u", session[s].ns);
- cli_print(cli, "\tBytes In/Out:\t%lu/%lu", (unsigned long)session[s].total_cout, (unsigned long)session[s].total_cin);
- cli_print(cli, "\tPkts In/Out:\t%lu/%lu", (unsigned long)session[s].pout, (unsigned long)session[s].pin);
+ cli_print(cli, "\tBytes In/Out:\t%u/%u", session[s].total_cout, session[s].total_cin);
+ cli_print(cli, "\tPkts In/Out:\t%u/%u", session[s].pout, session[s].pin);
cli_print(cli, "\tMRU:\t\t%d", session[s].mru);
cli_print(cli, "\tRadius Session:\t%u", session[s].radius);
- cli_print(cli, "\tRx Speed:\t%lu", session[s].rx_connect_speed);
- cli_print(cli, "\tTx Speed:\t%lu", session[s].tx_connect_speed);
+ cli_print(cli, "\tRx Speed:\t%u", session[s].rx_connect_speed);
+ cli_print(cli, "\tTx Speed:\t%u", session[s].tx_connect_speed);
+ if (session[s].filter_in && session[s].filter_in <= MAXFILTER)
+ cli_print(cli, "\tFilter in:\t%u (%s)", session[s].filter_in, ip_filters[session[s].filter_in - 1].name);
+ if (session[s].filter_out && session[s].filter_out <= MAXFILTER)
+ cli_print(cli, "\tFilter out:\t%u (%s)", session[s].filter_out, ip_filters[session[s].filter_out - 1].name);
if (session[s].snoop_ip && session[s].snoop_port)
- cli_print(cli, "\tIntercepted:\t%s:%d", inet_toa(session[s].snoop_ip), session[s] .snoop_port);
+ cli_print(cli, "\tIntercepted:\t%s:%d", fmtaddr(session[s].snoop_ip, 0), session[s] .snoop_port);
else
cli_print(cli, "\tIntercepted:\tno");
for (i = 1; i < MAXSESSION; i++)
{
- char *userip, *tunnelip;
if (!session[i].opened) continue;
- userip = strdup(inet_toa(htonl(session[i].ip)));
- tunnelip = strdup(inet_toa(htonl(tunnel[ session[i].tunnel ].ip)));
cli_print(cli, "%5d %4d %-32s %-15s %s %s %s %10u %10lu %10lu %4u %-15s %s",
i,
session[i].tunnel,
session[i].user[0] ? session[i].user : "*",
- userip,
+ fmtaddr(htonl(session[i].ip), 0),
(session[i].snoop_ip && session[i].snoop_port) ? "Y" : "N",
(session[i].throttle_in || session[i].throttle_out) ? "Y" : "N",
(session[i].walled_garden) ? "Y" : "N",
(unsigned long)session[i].total_cout,
(unsigned long)session[i].total_cin,
abs(time_now - (session[i].last_packet ? session[i].last_packet : time_now)),
- tunnelip,
+ fmtaddr(htonl(tunnel[ session[i].tunnel ].ip), 1),
session[i].calling[0] ? session[i].calling : "*");
- if (userip) free(userip);
- if (tunnelip) free(tunnelip);
}
return CLI_OK;
}
cli_print(cli, "\r\nTunnel %d:", t);
cli_print(cli, "\tState:\t\t%s", states[tunnel[t].state]);
cli_print(cli, "\tHostname:\t%s", tunnel[t].hostname[0] ? tunnel[t].hostname : "(none)");
- cli_print(cli, "\tRemote IP:\t%s", inet_toa(htonl(tunnel[t].ip)));
+ cli_print(cli, "\tRemote IP:\t%s", fmtaddr(htonl(tunnel[t].ip), 0));
cli_print(cli, "\tRemote Port:\t%d", tunnel[t].port);
cli_print(cli, "\tRx Window:\t%u", tunnel[t].window);
cli_print(cli, "\tNext Recv:\t%u", tunnel[t].nr);
cli_print(cli, "%4d %20s %20s %6s %6d",
i,
*tunnel[i].hostname ? tunnel[i].hostname : "(null)",
- inet_toa(htonl(tunnel[i].ip)),
+ fmtaddr(htonl(tunnel[i].ip), 0),
states[tunnel[i].state],
sessions);
}
if (CLI_HELP_REQUESTED)
return CLI_HELP_NO_ARGS;
- cli_print(cli, "%-10s %-8s %-10s %-8s", "Ethernet", "Bytes", "Packets", "Errors");
- cli_print(cli, "%-10s %8lu %8lu %8lu", "RX",
+ cli_print(cli, "%-10s %10s %10s %10s %10s", "Ethernet", "Bytes", "Packets", "Errors", "Dropped");
+ cli_print(cli, "%-10s %10u %10u %10u %10u", "RX",
GET_STAT(tun_rx_bytes),
GET_STAT(tun_rx_packets),
- GET_STAT(tun_rx_errors));
- cli_print(cli, "%-10s %8lu %8lu %8lu", "TX",
+ GET_STAT(tun_rx_errors),
+ GET_STAT(tun_rx_dropped));
+ cli_print(cli, "%-10s %10u %10u %10u", "TX",
GET_STAT(tun_tx_bytes),
GET_STAT(tun_tx_packets),
GET_STAT(tun_tx_errors));
cli_print(cli, "");
- cli_print(cli, "%-10s %-8s %-10s %-8s %-8s", "Tunnel", "Bytes", "Packets", "Errors", "Retries");
- cli_print(cli, "%-10s %8lu %8lu %8lu %8lu", "RX",
+ cli_print(cli, "%-10s %10s %10s %10s %10s", "Tunnel", "Bytes", "Packets", "Errors", "Retries");
+ cli_print(cli, "%-10s %10u %10u %10u", "RX",
GET_STAT(tunnel_rx_bytes),
GET_STAT(tunnel_rx_packets),
- GET_STAT(tunnel_rx_errors),
- 0L);
- cli_print(cli, "%-10s %8lu %8lu %8lu %8lu", "TX",
+ GET_STAT(tunnel_rx_errors));
+ cli_print(cli, "%-10s %10u %10u %10u %10u", "TX",
GET_STAT(tunnel_tx_bytes),
GET_STAT(tunnel_tx_packets),
GET_STAT(tunnel_tx_errors),
cli_print(cli, "%-30s%-10s", "Counter", "Value");
cli_print(cli, "-----------------------------------------");
- cli_print(cli, "%-30s%lu", "radius_retries", GET_STAT(radius_retries));
- cli_print(cli, "%-30s%lu", "arp_sent", GET_STAT(arp_sent));
- cli_print(cli, "%-30s%lu", "packets_snooped", GET_STAT(packets_snooped));
- cli_print(cli, "%-30s%lu", "tunnel_created", GET_STAT(tunnel_created));
- cli_print(cli, "%-30s%lu", "session_created", GET_STAT(session_created));
- cli_print(cli, "%-30s%lu", "tunnel_timeout", GET_STAT(tunnel_timeout));
- cli_print(cli, "%-30s%lu", "session_timeout", GET_STAT(session_timeout));
- cli_print(cli, "%-30s%lu", "radius_timeout", GET_STAT(radius_timeout));
- cli_print(cli, "%-30s%lu", "radius_overflow", GET_STAT(radius_overflow));
- cli_print(cli, "%-30s%lu", "tunnel_overflow", GET_STAT(tunnel_overflow));
- cli_print(cli, "%-30s%lu", "session_overflow", GET_STAT(session_overflow));
- cli_print(cli, "%-30s%lu", "ip_allocated", GET_STAT(ip_allocated));
- cli_print(cli, "%-30s%lu", "ip_freed", GET_STAT(ip_freed));
- cli_print(cli, "%-30s%lu", "cluster_forwarded", GET_STAT(c_forwarded));
- cli_print(cli, "%-30s%lu", "recv_forward", GET_STAT(recv_forward));
+ cli_print(cli, "%-30s%u", "radius_retries", GET_STAT(radius_retries));
+ cli_print(cli, "%-30s%u", "arp_sent", GET_STAT(arp_sent));
+ cli_print(cli, "%-30s%u", "packets_snooped", GET_STAT(packets_snooped));
+ cli_print(cli, "%-30s%u", "tunnel_created", GET_STAT(tunnel_created));
+ cli_print(cli, "%-30s%u", "session_created", GET_STAT(session_created));
+ cli_print(cli, "%-30s%u", "tunnel_timeout", GET_STAT(tunnel_timeout));
+ cli_print(cli, "%-30s%u", "session_timeout", GET_STAT(session_timeout));
+ cli_print(cli, "%-30s%u", "radius_timeout", GET_STAT(radius_timeout));
+ cli_print(cli, "%-30s%u", "radius_overflow", GET_STAT(radius_overflow));
+ cli_print(cli, "%-30s%u", "tunnel_overflow", GET_STAT(tunnel_overflow));
+ cli_print(cli, "%-30s%u", "session_overflow", GET_STAT(session_overflow));
+ cli_print(cli, "%-30s%u", "ip_allocated", GET_STAT(ip_allocated));
+ cli_print(cli, "%-30s%u", "ip_freed", GET_STAT(ip_freed));
+ cli_print(cli, "%-30s%u", "cluster_forwarded", GET_STAT(c_forwarded));
+ cli_print(cli, "%-30s%u", "recv_forward", GET_STAT(recv_forward));
+ cli_print(cli, "%-30s%u", "select_called", GET_STAT(select_called));
+ cli_print(cli, "%-30s%u", "multi_read_used", GET_STAT(multi_read_used));
+ cli_print(cli, "%-30s%u", "multi_read_exceeded", GET_STAT(multi_read_exceeded));
#ifdef STATISTICS
cli_print(cli, "\n%-30s%-10s", "Counter", "Value");
cli_print(cli, "-----------------------------------------");
- cli_print(cli, "%-30s%lu", "call_processtun", GET_STAT(call_processtun));
- cli_print(cli, "%-30s%lu", "call_processipout", GET_STAT(call_processipout));
- cli_print(cli, "%-30s%lu", "call_processudp", GET_STAT(call_processudp));
- cli_print(cli, "%-30s%lu", "call_processpap", GET_STAT(call_processpap));
- cli_print(cli, "%-30s%lu", "call_processchap", GET_STAT(call_processchap));
- cli_print(cli, "%-30s%lu", "call_processlcp", GET_STAT(call_processlcp));
- cli_print(cli, "%-30s%lu", "call_processipcp", GET_STAT(call_processipcp));
- cli_print(cli, "%-30s%lu", "call_processipin", GET_STAT(call_processipin));
- cli_print(cli, "%-30s%lu", "call_processccp", GET_STAT(call_processccp));
- cli_print(cli, "%-30s%lu", "call_processrad", GET_STAT(call_processrad));
- cli_print(cli, "%-30s%lu", "call_sendarp", GET_STAT(call_sendarp));
- cli_print(cli, "%-30s%lu", "call_sendipcp", GET_STAT(call_sendipcp));
- cli_print(cli, "%-30s%lu", "call_sendchap", GET_STAT(call_sendchap));
- cli_print(cli, "%-30s%lu", "call_sessionbyip", GET_STAT(call_sessionbyip));
- cli_print(cli, "%-30s%lu", "call_sessionbyuser", GET_STAT(call_sessionbyuser));
- cli_print(cli, "%-30s%lu", "call_tunnelsend", GET_STAT(call_tunnelsend));
- cli_print(cli, "%-30s%lu", "call_tunnelkill", GET_STAT(call_tunnelkill));
- cli_print(cli, "%-30s%lu", "call_tunnelshutdown", GET_STAT(call_tunnelshutdown));
- cli_print(cli, "%-30s%lu", "call_sessionkill", GET_STAT(call_sessionkill));
- cli_print(cli, "%-30s%lu", "call_sessionshutdown", GET_STAT(call_sessionshutdown));
- cli_print(cli, "%-30s%lu", "call_sessionsetup", GET_STAT(call_sessionsetup));
- cli_print(cli, "%-30s%lu", "call_assign_ip_address", GET_STAT(call_assign_ip_address));
- cli_print(cli, "%-30s%lu", "call_free_ip_address", GET_STAT(call_free_ip_address));
- cli_print(cli, "%-30s%lu", "call_dump_acct_info", GET_STAT(call_dump_acct_info));
- cli_print(cli, "%-30s%lu", "call_radiussend", GET_STAT(call_radiussend));
- cli_print(cli, "%-30s%lu", "call_radiusretry", GET_STAT(call_radiusretry));
+ cli_print(cli, "%-30s%u", "call_processtun", GET_STAT(call_processtun));
+ cli_print(cli, "%-30s%u", "call_processipout", GET_STAT(call_processipout));
+ cli_print(cli, "%-30s%u", "call_processudp", GET_STAT(call_processudp));
+ cli_print(cli, "%-30s%u", "call_processpap", GET_STAT(call_processpap));
+ cli_print(cli, "%-30s%u", "call_processchap", GET_STAT(call_processchap));
+ cli_print(cli, "%-30s%u", "call_processlcp", GET_STAT(call_processlcp));
+ cli_print(cli, "%-30s%u", "call_processipcp", GET_STAT(call_processipcp));
+ cli_print(cli, "%-30s%u", "call_processipin", GET_STAT(call_processipin));
+ cli_print(cli, "%-30s%u", "call_processccp", GET_STAT(call_processccp));
+ cli_print(cli, "%-30s%u", "call_processrad", GET_STAT(call_processrad));
+ cli_print(cli, "%-30s%u", "call_sendarp", GET_STAT(call_sendarp));
+ cli_print(cli, "%-30s%u", "call_sendipcp", GET_STAT(call_sendipcp));
+ cli_print(cli, "%-30s%u", "call_sendchap", GET_STAT(call_sendchap));
+ cli_print(cli, "%-30s%u", "call_sessionbyip", GET_STAT(call_sessionbyip));
+ cli_print(cli, "%-30s%u", "call_sessionbyuser", GET_STAT(call_sessionbyuser));
+ cli_print(cli, "%-30s%u", "call_tunnelsend", GET_STAT(call_tunnelsend));
+ cli_print(cli, "%-30s%u", "call_tunnelkill", GET_STAT(call_tunnelkill));
+ cli_print(cli, "%-30s%u", "call_tunnelshutdown", GET_STAT(call_tunnelshutdown));
+ cli_print(cli, "%-30s%u", "call_sessionkill", GET_STAT(call_sessionkill));
+ cli_print(cli, "%-30s%u", "call_sessionshutdown", GET_STAT(call_sessionshutdown));
+ cli_print(cli, "%-30s%u", "call_sessionsetup", GET_STAT(call_sessionsetup));
+ cli_print(cli, "%-30s%u", "call_assign_ip_address", GET_STAT(call_assign_ip_address));
+ cli_print(cli, "%-30s%u", "call_free_ip_address", GET_STAT(call_free_ip_address));
+ cli_print(cli, "%-30s%u", "call_dump_acct_info", GET_STAT(call_dump_acct_info));
+ cli_print(cli, "%-30s%u", "call_radiussend", GET_STAT(call_radiussend));
+ cli_print(cli, "%-30s%u", "call_radiusretry", GET_STAT(call_radiusretry));
#endif
+
+ {
+ time_t l = GET_STAT(last_reset);
+ char *t = ctime(&l);
+ char *p = strchr(t, '\n');
+ if (p) *p = 0;
+
+ cli_print(cli, "");
+ cli_print(cli, "Last counter reset %s", t);
+ }
+
return CLI_OK;
}
p = "HEAD";
e = strpbrk(p, " \t$");
- cli_print(cli, "Tag: %.*s", e ? e - p + 1 : strlen(p), p);
+ cli_print(cli, "Tag: %.*s", (int) (e ? e - p + 1 : strlen(p)), p);
}
if (file)
if (!config->cluster_iam_master)
{
- cli_print(cli, "Can't do this on a slave. Do it on %s", inet_toa(config->cluster_master_address));
+ cli_print(cli, "Can't do this on a slave. Do it on %s",
+ fmtaddr(config->cluster_master_address, 0));
+
return CLI_OK;
}
if (ip_address_pool[i].assigned)
{
cli_print(cli, "%-15s\tY %8d %s",
- inet_toa(htonl(ip_address_pool[i].address)), ip_address_pool[i].session, session[ip_address_pool[i].session].user);
+ fmtaddr(htonl(ip_address_pool[i].address), 0),
+ ip_address_pool[i].session,
+ session[ip_address_pool[i].session].user);
used++;
}
{
if (ip_address_pool[i].last)
cli_print(cli, "%-15s\tN %8s [%s] %ds",
- inet_toa(htonl(ip_address_pool[i].address)), "",
- ip_address_pool[i].user, time_now - ip_address_pool[i].last);
+ fmtaddr(htonl(ip_address_pool[i].address), 0), "",
+ ip_address_pool[i].user, (int) time_now - ip_address_pool[i].last);
+
else if (show_all)
- cli_print(cli, "%-15s\tN", inet_toa(htonl(ip_address_pool[i].address)));
+ cli_print(cli, "%-15s\tN", fmtaddr(htonl(ip_address_pool[i].address), 0));
free++;
}
return CLI_OK;
}
+static char const *show_access_list_rule(int extended, ip_filter_rulet *rule);
+
static int cmd_show_run(struct cli_def *cli, char *command, char **argv, int argc)
{
int i;
if (config_values[i].type == STRING)
cli_print(cli, "set %s \"%.*s\"", config_values[i].key, config_values[i].size, (char *)value);
else if (config_values[i].type == IP)
- cli_print(cli, "set %s %s", config_values[i].key, inet_toa(*(unsigned *)value));
+ cli_print(cli, "set %s %s", config_values[i].key, fmtaddr(*(unsigned *)value, 0));
else if (config_values[i].type == SHORT)
cli_print(cli, "set %s %hu", config_values[i].key, *(short *)value);
else if (config_values[i].type == BOOL)
#ifdef BGP
if (config->as_number)
{
- int k;
+ int k;
int h;
- cli_print(cli, "# BGP");
+ cli_print(cli, "# BGP");
cli_print(cli, "router bgp %u", config->as_number);
for (i = 0; i < BGP_NUM_PEERS; i++)
{
if (!config->neighbour[i].name[0])
continue;
- cli_print(cli, " neighbour %s remote-as %u", config->neighbour[i].name, config->neighbour[i].as);
+ cli_print(cli, " neighbour %s remote-as %u", config->neighbour[i].name, config->neighbour[i].as);
k = config->neighbour[i].keepalive;
h = config->neighbour[i].hold;
}
#endif
+ cli_print(cli, "# Filters");
+ for (i = 0; i < MAXFILTER; i++)
+ {
+ ip_filter_rulet *rules;
+ if (!*ip_filters[i].name)
+ continue;
+
+ cli_print(cli, "ip access-list %s %s",
+ ip_filters[i].extended ? "extended" : "standard",
+ ip_filters[i].name);
+
+ rules = ip_filters[i].rules;
+ while (rules->action)
+ cli_print(cli, "%s", show_access_list_rule(ip_filters[i].extended, rules++));
+ }
+
cli_print(cli, "# end");
return CLI_OK;
}
NULL);
}
- cli_print(cli, "%6s%6s%5s%6s%9s%9s%4s", "ID", "Radius", "Sock", "State", "Session", "Retry", "Try");
+ cli_print(cli, "%6s%7s%5s%6s%9s%9s%4s", "ID", "Radius", "Sock", "State", "Session", "Retry", "Try");
time(&time_now);
if (!show_all && radius[i].state == RADIUSNULL) continue;
- cli_print(cli, "%6d%6d%5d%6s%9d%9u%4d",
+ cli_print(cli, "%6d%7d%5d%6s%9d%9u%4d",
i,
i >> RADIUS_SHIFT,
i & RADIUS_MASK,
if (CLI_HELP_REQUESTED)
return CLI_HELP_NO_ARGS;
- cli_print(cli, "Counters cleared");
+ memset(_statistics, 0, sizeof(struct Tstats));
SET_STAT(last_reset, time(NULL));
+
+ cli_print(cli, "Counters cleared");
return CLI_OK;
}
if (!config->cluster_iam_master)
{
- cli_print(cli, "Can't do this on a slave. Do it on %s", inet_toa(config->cluster_master_address));
+ cli_print(cli, "Can't do this on a slave. Do it on %s",
+ fmtaddr(config->cluster_master_address, 0));
+
return CLI_OK;
}
if (!config->cluster_iam_master)
{
- cli_print(cli, "Can't do this on a slave. Do it on %s", inet_toa(config->cluster_master_address));
+ cli_print(cli, "Can't do this on a slave. Do it on %s",
+ fmtaddr(config->cluster_master_address, 0));
+
return CLI_OK;
}
if (!config->cluster_iam_master)
{
- cli_print(cli, "Can't do this on a slave. Do it on %s", inet_toa(config->cluster_master_address));
+ cli_print(cli, "Can't do this on a slave. Do it on %s",
+ fmtaddr(config->cluster_master_address, 0));
+
return CLI_OK;
}
static int cmd_snoop(struct cli_def *cli, char *command, char **argv, int argc)
{
- ipt ip;
- u16 port;
+ in_addr_t ip;
+ uint16_t port;
sessionidt s;
if (CLI_HELP_REQUESTED)
if (!config->cluster_iam_master)
{
- cli_print(cli, "Can't do this on a slave. Do it on %s", inet_toa(config->cluster_master_address));
+ cli_print(cli, "Can't do this on a slave. Do it on %s",
+ fmtaddr(config->cluster_master_address, 0));
+
return CLI_OK;
}
return CLI_OK;
}
- cli_print(cli, "Snooping user %s to %s:%d", argv[0], inet_toa(ip), port);
+ cli_print(cli, "Snooping user %s to %s:%d", argv[0], fmtaddr(ip, 0), port);
cli_session_actions[s].snoop_ip = ip;
cli_session_actions[s].snoop_port = port;
cli_session_actions[s].action |= CLI_SESS_SNOOP;
if (!config->cluster_iam_master)
{
- cli_print(cli, "Can't do this on a slave. Do it on %s", inet_toa(config->cluster_master_address));
+ cli_print(cli, "Can't do this on a slave. Do it on %s",
+ fmtaddr(config->cluster_master_address, 0));
+
return CLI_OK;
}
if (!config->cluster_iam_master)
{
- cli_print(cli, "Can't do this on a slave. Do it on %s", inet_toa(config->cluster_master_address));
+ cli_print(cli, "Can't do this on a slave. Do it on %s",
+ fmtaddr(config->cluster_master_address, 0));
+
return CLI_OK;
}
int i;
for (i = 1; i < argc - 1; i += 2)
{
- int len = strlen(argv[i]);
int r = 0;
- if (!strncasecmp(argv[i], "in", len))
+ if (MATCH("in", argv[i]))
r = rate_in = atoi(argv[i+1]);
- else if (!strncasecmp(argv[i], "out", len))
+ else if (MATCH("out", argv[i]))
r = rate_out = atoi(argv[i+1]);
if (r < 1)
if (!config->cluster_iam_master)
{
- cli_print(cli, "Can't do this on a slave. Do it on %s", inet_toa(config->cluster_master_address));
+ cli_print(cli, "Can't do this on a slave. Do it on %s",
+ fmtaddr(config->cluster_master_address, 0));
+
return CLI_OK;
}
if (argv[i][0] == 'c' && len < 2)
len = 2; /* distinguish [cr]itical from [ca]lls */
- if (!strncasecmp(argv[i], "critical", len)) { debug_flags.critical = 1; continue; }
- if (!strncasecmp(argv[i], "error", len)) { debug_flags.error = 1; continue; }
- if (!strncasecmp(argv[i], "warning", len)) { debug_flags.warning = 1; continue; }
- if (!strncasecmp(argv[i], "info", len)) { debug_flags.info = 1; continue; }
- if (!strncasecmp(argv[i], "calls", len)) { debug_flags.calls = 1; continue; }
- if (!strncasecmp(argv[i], "data", len)) { debug_flags.data = 1; continue; }
- if (!strncasecmp(argv[i], "all", len))
+ if (!strncmp("critical", argv[i], len)) { debug_flags.critical = 1; continue; }
+ if (!strncmp("error", argv[i], len)) { debug_flags.error = 1; continue; }
+ if (!strncmp("warning", argv[i], len)) { debug_flags.warning = 1; continue; }
+ if (!strncmp("info", argv[i], len)) { debug_flags.info = 1; continue; }
+ if (!strncmp("calls", argv[i], len)) { debug_flags.calls = 1; continue; }
+ if (!strncmp("data", argv[i], len)) { debug_flags.data = 1; continue; }
+ if (!strncmp("all", argv[i], len))
{
memset(&debug_flags, 1, sizeof(debug_flags));
debug_flags.data = 0;
if (argv[i][0] == 'c' && len < 2)
len = 2; /* distinguish [cr]itical from [ca]lls */
- if (!strncasecmp(argv[i], "critical", len)) { debug_flags.critical = 0; continue; }
- if (!strncasecmp(argv[i], "error", len)) { debug_flags.error = 0; continue; }
- if (!strncasecmp(argv[i], "warning", len)) { debug_flags.warning = 0; continue; }
- if (!strncasecmp(argv[i], "info", len)) { debug_flags.info = 0; continue; }
- if (!strncasecmp(argv[i], "calls", len)) { debug_flags.calls = 0; continue; }
- if (!strncasecmp(argv[i], "data", len)) { debug_flags.data = 0; continue; }
- if (!strncasecmp(argv[i], "all", len))
+ if (!strncmp("critical", argv[i], len)) { debug_flags.critical = 0; continue; }
+ if (!strncmp("error", argv[i], len)) { debug_flags.error = 0; continue; }
+ if (!strncmp("warning", argv[i], len)) { debug_flags.warning = 0; continue; }
+ if (!strncmp("info", argv[i], len)) { debug_flags.info = 0; continue; }
+ if (!strncmp("calls", argv[i], len)) { debug_flags.calls = 0; continue; }
+ if (!strncmp("data", argv[i], len)) { debug_flags.data = 0; continue; }
+ if (!strncmp("all", argv[i], len))
{
memset(&debug_flags, 0, sizeof(debug_flags));
continue;
{
int len = strlen(argv[0])-1;
for (i = 0; config_values[i].key; i++)
- if (!len || !strncmp(argv[0], config_values[i].key, len))
+ if (!len || !strncmp(config_values[i].key, argv[0], len))
cli_print(cli, " %s", config_values[i].key);
}
int regular_stuff(struct cli_def *cli)
{
- int i = debug_rb_tail;
- int reprompt = 0;
+ int out = 0;
+ int i;
#ifdef RINGBUFFER
- while (i != ringbuffer->tail)
+ for (i = debug_rb_tail; i != ringbuffer->tail; i = (i + 1) % RINGBUFFER_SIZE)
{
- int show_message = 0;
+ char *m = ringbuffer->buffer[i].message;
+ char *p;
+ int show = 0;
+
+ if (!*m) continue;
- if (*ringbuffer->buffer[i].message)
+ switch (ringbuffer->buffer[i].level)
{
- // Always show messages if we are doing general debug
- if (ringbuffer->buffer[i].level == 0 && debug_flags.critical) show_message = 1;
- if (ringbuffer->buffer[i].level == 1 && debug_flags.error) show_message = 1;
- if (ringbuffer->buffer[i].level == 2 && debug_flags.warning) show_message = 1;
- if (ringbuffer->buffer[i].level == 3 && debug_flags.info) show_message = 1;
- if (ringbuffer->buffer[i].level == 4 && debug_flags.calls) show_message = 1;
- if (ringbuffer->buffer[i].level == 5 && debug_flags.data) show_message = 1;
+ case 0: show = debug_flags.critical; break;
+ case 1: show = debug_flags.error; break;
+ case 2: show = debug_flags.warning; break;
+ case 3: show = debug_flags.info; break;
+ case 4: show = debug_flags.calls; break;
+ case 5: show = debug_flags.data; break;
}
- if (show_message)
- {
- ipt address = htonl(ringbuffer->buffer[i].address);
- char *ipaddr;
- struct in_addr addr;
+ if (!show) continue;
- memcpy(&addr, &address, sizeof(ringbuffer->buffer[i].address));
- ipaddr = inet_ntoa(addr);
+ if (!(p = strchr(m, '\n')))
+ p = m + strlen(p);
- cli_print(cli, "\r%s-%s-%u-%u %s",
- debug_levels[(int)ringbuffer->buffer[i].level],
- ipaddr,
- ringbuffer->buffer[i].tunnel,
- ringbuffer->buffer[i].session,
- ringbuffer->buffer[i].message);
+ cli_print(cli, "\r%s-%u-%u %.*s",
+ debug_levels[(int)ringbuffer->buffer[i].level],
+ ringbuffer->buffer[i].tunnel,
+ ringbuffer->buffer[i].session,
+ (int) (p - m), m);
- reprompt = 1;
- }
-
- if (++i == ringbuffer->tail) break;
- if (i == RINGBUFFER_SIZE) i = 0;
+ out++;
}
debug_rb_tail = ringbuffer->tail;
- if (reprompt)
+ if (out)
cli_reprompt(cli);
#endif
return CLI_OK;
return CLI_OK;
}
-static int find_bgp_neighbour(char *name)
+static int find_bgp_neighbour(char const *name)
{
int i;
int new = -1;
for (i = 0; i < BGP_NUM_PEERS; i++)
{
- if (!config->neighbour[i].name[0])
+ if (!config->neighbour[i].name[0])
{
if (new == -1) new = i;
continue;
NULL);
default:
- if (!strncmp("remote-as", argv[1], strlen(argv[1])))
- return cli_arg_help(cli, argv[2][1], "<1-65535>", "Autonomous system number", NULL);
+ if (MATCH("remote-as", argv[1]))
+ return cli_arg_help(cli, argv[2][1], "<1-65535>", "Autonomous system number", NULL);
- if (!strncmp("timers", argv[1], strlen(argv[1])))
+ if (MATCH("timers", argv[1]))
{
- if (argc == 3)
+ if (argc == 3)
return cli_arg_help(cli, 0, "<1-65535>", "Keepalive time", NULL);
if (argc == 4)
return CLI_OK;
}
- if (!strncmp("remote-as", argv[1], strlen(argv[1])))
+ if (MATCH("remote-as", argv[1]))
{
- int as = atoi(argv[2]);
+ int as = atoi(argv[2]);
if (as < 0 || as > 65535)
{
cli_print(cli, "Invalid autonomous system number");
return CLI_OK;
}
- if (argc != 4 || strncmp("timers", argv[1], strlen(argv[1])))
+ if (argc != 4 || !MATCH("timers", argv[1]))
{
cli_print(cli, "Invalid arguments");
return CLI_OK;
NULL);
cli_print(cli, "BGPv%d router identifier %s, local AS number %d",
- BGP_VERSION, inet_toa(my_address), (int) config->as_number);
+ BGP_VERSION, fmtaddr(my_address, 0), (int) config->as_number);
time(&time_now);
if (!*bgp_peers[i].name)
continue;
- addr = inet_toa(bgp_peers[i].addr);
+ addr = fmtaddr(bgp_peers[i].addr, 0);
if (argc && strcmp(addr, argv[0]) &&
strncmp(bgp_peers[i].name, argv[0], strlen(argv[0])))
continue;
"----------- ------- -------- ----- ---- ---------");
}
- cli_print(cli, "%-18.18s %5d %15s %-11s %7d %7ds %5s %4s %4d %4d",
+ cli_print(cli, "%-18.18s %5d %15s %-11s %7d %7lds %5s %4s %4d %4d",
bgp_peers[i].name,
bgp_peers[i].as,
addr,
if (!bgp_peers[i].routing)
continue;
- addr = inet_toa(bgp_peers[i].addr);
+ addr = fmtaddr(bgp_peers[i].addr, 0);
if (argc && strcmp(addr, argv[0]) && strcmp(bgp_peers[i].name, argv[0]))
continue;
if (bgp_peers[i].routing)
continue;
- addr = inet_toa(bgp_peers[i].addr);
+ addr = fmtaddr(bgp_peers[i].addr, 0);
if (argc && strcmp(addr, argv[0]) &&
strncmp(bgp_peers[i].name, argv[0], strlen(argv[0])))
continue;
if (!*bgp_peers[i].name)
continue;
- addr = inet_toa(bgp_peers[i].addr);
+ addr = fmtaddr(bgp_peers[i].addr, 0);
if (argc && strcmp(addr, argv[0]) &&
strncmp(bgp_peers[i].name, argv[0], strlen(argv[0])))
continue;
}
#endif /* BGP*/
+static int filt;
+static int find_access_list(char const *name)
+{
+ int i;
+
+ for (i = 0; i < MAXFILTER; i++)
+ if (!(*ip_filters[i].name && strcmp(ip_filters[i].name, name)))
+ return i;
+
+ return -1;
+}
+
+static int access_list(struct cli_def *cli, char **argv, int argc, int add)
+{
+ int extended;
+
+ if (CLI_HELP_REQUESTED)
+ {
+ switch (argc)
+ {
+ case 1:
+ return cli_arg_help(cli, 0,
+ "standard", "Standard syntax",
+ "extended", "Extended syntax",
+ NULL);
+
+ case 2:
+ return cli_arg_help(cli, argv[1][1],
+ "NAME", "Access-list name",
+ NULL);
+
+ default:
+ if (argc == 3 && !argv[2][1])
+ return cli_arg_help(cli, 1, NULL);
+
+ return CLI_OK;
+ }
+ }
+
+ if (argc != 2)
+ {
+ cli_print(cli, "Specify access-list type and name");
+ return CLI_OK;
+ }
+
+ if (MATCH("standard", argv[0]))
+ extended = 0;
+ else if (MATCH("extended", argv[0]))
+ extended = 1;
+ else
+ {
+ cli_print(cli, "Invalid access-list type");
+ return CLI_OK;
+ }
+
+ if (strlen(argv[1]) > sizeof(ip_filters[0].name) - 1 ||
+ strspn(argv[1], "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-") != strlen(argv[1]))
+ {
+ cli_print(cli, "Invalid access-list name");
+ return CLI_OK;
+ }
+
+ filt = find_access_list(argv[1]);
+ if (add)
+ {
+ if (filt < 0)
+ {
+ cli_print(cli, "Too many access-lists");
+ return CLI_OK;
+ }
+
+ // racy
+ if (!*ip_filters[filt].name)
+ {
+ memset(&ip_filters[filt], 0, sizeof(ip_filters[filt]));
+ strcpy(ip_filters[filt].name, argv[1]);
+ ip_filters[filt].extended = extended;
+ }
+ else if (ip_filters[filt].extended != extended)
+ {
+ cli_print(cli, "Access-list is %s",
+ ip_filters[filt].extended ? "extended" : "standard");
+
+ return CLI_OK;
+ }
+
+ cli_set_configmode(cli, MODE_CONFIG_NACL, extended ? "ext-nacl" : "std-nacl");
+ return CLI_OK;
+ }
+
+ if (filt < 0 || !*ip_filters[filt].name)
+ {
+ cli_print(cli, "Access-list not defined");
+ return CLI_OK;
+ }
+
+ // racy
+ if (ip_filters[filt].used)
+ {
+ cli_print(cli, "Access-list in use");
+ return CLI_OK;
+ }
+
+ memset(&ip_filters[filt], 0, sizeof(ip_filters[filt]));
+ return CLI_OK;
+}
+
+static int cmd_ip_access_list(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ return access_list(cli, argv, argc, 1);
+}
+
+static int cmd_no_ip_access_list(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ return access_list(cli, argv, argc, 0);
+}
+
+static int show_ip_wild(char *buf, in_addr_t ip, in_addr_t wild)
+{
+ if (ip == INADDR_ANY && wild == INADDR_BROADCAST)
+ return sprintf(buf, " any");
+
+ if (wild == INADDR_ANY)
+ return sprintf(buf, " host %s", fmtaddr(ip, 0));
+
+ return sprintf(buf, " %s %s", fmtaddr(ip, 0), fmtaddr(wild, 1));
+}
+
+static int show_ports(char *buf, ip_filter_portt *ports)
+{
+ switch (ports->op)
+ {
+ case FILTER_PORT_OP_EQ: return sprintf(buf, " eq %u", ports->port);
+ case FILTER_PORT_OP_NEQ: return sprintf(buf, " neq %u", ports->port);
+ case FILTER_PORT_OP_GT: return sprintf(buf, " gt %u", ports->port);
+ case FILTER_PORT_OP_LT: return sprintf(buf, " lt %u", ports->port);
+ case FILTER_PORT_OP_RANGE: return sprintf(buf, " range %u %u", ports->port, ports->port2);
+ }
+
+ return 0;
+}
+
+static char const *show_access_list_rule(int extended, ip_filter_rulet *rule)
+{
+ static char buf[256];
+ char *p = buf;
+
+ p += sprintf(p, " %s", rule->action == FILTER_ACTION_PERMIT ? "permit" : "deny");
+ if (extended)
+ {
+ struct protoent *proto = getprotobynumber(rule->proto);
+ p += sprintf(p, " %s", proto ? proto->p_name : "ERR");
+ }
+
+ p += show_ip_wild(p, rule->src_ip, rule->src_wild);
+ if (!extended)
+ return buf;
+
+ if (rule->proto == IPPROTO_TCP || rule->proto == IPPROTO_UDP)
+ p += show_ports(p, &rule->src_ports);
+
+ p += show_ip_wild(p, rule->dst_ip, rule->dst_wild);
+ if (rule->proto == IPPROTO_TCP || rule->proto == IPPROTO_UDP)
+ p += show_ports(p, &rule->dst_ports);
+
+ if (rule->proto == IPPROTO_TCP && rule->tcp_flag_op)
+ {
+ switch (rule->tcp_flag_op)
+ {
+ case FILTER_FLAG_OP_EST:
+ p += sprintf(p, " established");
+ break;
+
+ case FILTER_FLAG_OP_ANY:
+ case FILTER_FLAG_OP_ALL:
+ p += sprintf(p, " match-%s", rule->tcp_flag_op == FILTER_FLAG_OP_ALL ? "all" : "any");
+ if (rule->tcp_sflags & TCP_FLAG_FIN) p += sprintf(p, " +fin");
+ if (rule->tcp_cflags & TCP_FLAG_FIN) p += sprintf(p, " -fin");
+ if (rule->tcp_sflags & TCP_FLAG_SYN) p += sprintf(p, " +syn");
+ if (rule->tcp_cflags & TCP_FLAG_SYN) p += sprintf(p, " -syn");
+ if (rule->tcp_sflags & TCP_FLAG_RST) p += sprintf(p, " +rst");
+ if (rule->tcp_cflags & TCP_FLAG_RST) p += sprintf(p, " -rst");
+ if (rule->tcp_sflags & TCP_FLAG_PSH) p += sprintf(p, " +psh");
+ if (rule->tcp_cflags & TCP_FLAG_PSH) p += sprintf(p, " -psh");
+ if (rule->tcp_sflags & TCP_FLAG_ACK) p += sprintf(p, " +ack");
+ if (rule->tcp_cflags & TCP_FLAG_ACK) p += sprintf(p, " -ack");
+ if (rule->tcp_sflags & TCP_FLAG_URG) p += sprintf(p, " +urg");
+ if (rule->tcp_cflags & TCP_FLAG_URG) p += sprintf(p, " -urg");
+ break;
+ }
+ }
+
+ if (rule->frag)
+ p += sprintf(p, " fragments");
+
+ return buf;
+}
+
+ip_filter_rulet *access_list_rule_ext(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ static ip_filter_rulet rule;
+ struct in_addr addr;
+ int i;
+ int a;
+
+ if (CLI_HELP_REQUESTED)
+ {
+ if (argc == 1)
+ {
+ cli_arg_help(cli, 0,
+ "ip", "Match IP packets",
+ "tcp", "Match TCP packets",
+ "udp", "Match UDP packets",
+ NULL);
+
+ return NULL;
+ }
+
+ // *sigh*, too darned complex
+ cli_arg_help(cli, 0, "RULE", "SOURCE [PORTS] DEST [PORTS] FLAGS", NULL);
+ return NULL;
+ }
+
+ if (argc < 3)
+ {
+ cli_print(cli, "Specify rule details");
+ return NULL;
+ }
+
+ memset(&rule, 0, sizeof(rule));
+ rule.action = (command[0] == 'p')
+ ? FILTER_ACTION_PERMIT
+ : FILTER_ACTION_DENY;
+
+ if (MATCH("ip", argv[0]))
+ rule.proto = IPPROTO_IP;
+ else if (MATCH("udp", argv[0]))
+ rule.proto = IPPROTO_UDP;
+ else if (MATCH("tcp", argv[0]))
+ rule.proto = IPPROTO_TCP;
+ else
+ {
+ cli_print(cli, "Invalid protocol \"%s\"", argv[0]);
+ return NULL;
+ }
+
+ for (a = 1, i = 0; i < 2; i++)
+ {
+ in_addr_t *ip;
+ in_addr_t *wild;
+ ip_filter_portt *port;
+
+ if (i == 0)
+ {
+ ip = &rule.src_ip;
+ wild = &rule.src_wild;
+ port = &rule.src_ports;
+ }
+ else
+ {
+ ip = &rule.dst_ip;
+ wild = &rule.dst_wild;
+ port = &rule.dst_ports;
+ if (a >= argc)
+ {
+ cli_print(cli, "Specify destination");
+ return NULL;
+ }
+ }
+
+ if (MATCH("any", argv[a]))
+ {
+ *ip = INADDR_ANY;
+ *wild = INADDR_BROADCAST;
+ a++;
+ }
+ else if (MATCH("host", argv[a]))
+ {
+ if (++a >= argc)
+ {
+ cli_print(cli, "Specify host ip address");
+ return NULL;
+ }
+
+ if (!inet_aton(argv[a], &addr))
+ {
+ cli_print(cli, "Cannot parse IP \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ *ip = addr.s_addr;
+ *wild = INADDR_ANY;
+ a++;
+ }
+ else
+ {
+ if (a >= argc - 1)
+ {
+ cli_print(cli, "Specify %s ip address and wildcard", i ? "destination" : "source");
+ return NULL;
+ }
+
+ if (!inet_aton(argv[a], &addr))
+ {
+ cli_print(cli, "Cannot parse IP \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ *ip = addr.s_addr;
+
+ if (!inet_aton(argv[++a], &addr))
+ {
+ cli_print(cli, "Cannot parse IP \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ *wild = addr.s_addr;
+ a++;
+ }
+
+ if (rule.proto == IPPROTO_IP || a >= argc)
+ continue;
+
+ port->op = 0;
+ if (MATCH("eq", argv[a]))
+ port->op = FILTER_PORT_OP_EQ;
+ else if (MATCH("neq", argv[a]))
+ port->op = FILTER_PORT_OP_NEQ;
+ else if (MATCH("gt", argv[a]))
+ port->op = FILTER_PORT_OP_GT;
+ else if (MATCH("lt", argv[a]))
+ port->op = FILTER_PORT_OP_LT;
+ else if (MATCH("range", argv[a]))
+ port->op = FILTER_PORT_OP_RANGE;
+
+ if (!port->op)
+ continue;
+
+ if (++a >= argc)
+ {
+ cli_print(cli, "Specify port");
+ return NULL;
+ }
+
+ if (!(port->port = atoi(argv[a])))
+ {
+ cli_print(cli, "Invalid port \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ a++;
+ if (port->op != FILTER_PORT_OP_RANGE)
+ continue;
+
+ if (a >= argc)
+ {
+ cli_print(cli, "Specify port");
+ return NULL;
+ }
+
+ if (!(port->port2 = atoi(argv[a])) || port->port2 < port->port)
+ {
+ cli_print(cli, "Invalid port \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ a++;
+ }
+
+ if (rule.proto == IPPROTO_TCP && a < argc)
+ {
+ if (MATCH("established", argv[a]))
+ {
+ rule.tcp_flag_op = FILTER_FLAG_OP_EST;
+ a++;
+ }
+ else if (!strcmp(argv[a], "match-any") || !strcmp(argv[a], "match-an") ||
+ !strcmp(argv[a], "match-all") || !strcmp(argv[a], "match-al"))
+ {
+ rule.tcp_flag_op = argv[a][7] == 'n'
+ ? FILTER_FLAG_OP_ANY
+ : FILTER_FLAG_OP_ALL;
+
+ if (++a >= argc)
+ {
+ cli_print(cli, "Specify tcp flags");
+ return NULL;
+ }
+
+ while (a < argc && (argv[a][0] == '+' || argv[a][0] == '-'))
+ {
+ uint8_t *f;
+
+ f = (argv[a][0] == '+') ? &rule.tcp_sflags : &rule.tcp_cflags;
+
+ if (MATCH("fin", &argv[a][1])) *f |= TCP_FLAG_FIN;
+ else if (MATCH("syn", &argv[a][1])) *f |= TCP_FLAG_SYN;
+ else if (MATCH("rst", &argv[a][1])) *f |= TCP_FLAG_RST;
+ else if (MATCH("psh", &argv[a][1])) *f |= TCP_FLAG_PSH;
+ else if (MATCH("ack", &argv[a][1])) *f |= TCP_FLAG_ACK;
+ else if (MATCH("urg", &argv[a][1])) *f |= TCP_FLAG_URG;
+ else
+ {
+ cli_print(cli, "Invalid tcp flag \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ a++;
+ }
+ }
+ }
+
+ if (a < argc && MATCH("fragments", argv[a]))
+ {
+ if (rule.src_ports.op || rule.dst_ports.op || rule.tcp_flag_op)
+ {
+ cli_print(cli, "Can't specify \"fragments\" on rules with layer 4 matches");
+ return NULL;
+ }
+
+ rule.frag = 1;
+ a++;
+ }
+
+ if (a < argc)
+ {
+ cli_print(cli, "Invalid flag \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ return &rule;
+}
+
+ip_filter_rulet *access_list_rule_std(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ static ip_filter_rulet rule;
+ struct in_addr addr;
+
+ if (CLI_HELP_REQUESTED)
+ {
+ if (argc == 1)
+ {
+ cli_arg_help(cli, argv[0][1],
+ "A.B.C.D", "Source address",
+ "any", "Any source address",
+ "host", "Source host",
+ NULL);
+
+ return NULL;
+ }
+
+ if (MATCH("any", argv[0]))
+ {
+ if (argc == 2 && !argv[1][1])
+ cli_arg_help(cli, 1, NULL);
+ }
+ else if (MATCH("host", argv[0]))
+ {
+ if (argc == 2)
+ {
+ cli_arg_help(cli, argv[1][1],
+ "A.B.C.D", "Host address",
+ NULL);
+ }
+ else if (argc == 3 && !argv[2][1])
+ cli_arg_help(cli, 1, NULL);
+ }
+ else
+ {
+ if (argc == 2)
+ {
+ cli_arg_help(cli, 1,
+ "A.B.C.D", "Wildcard bits",
+ NULL);
+ }
+ else if (argc == 3 && !argv[2][1])
+ cli_arg_help(cli, 1, NULL);
+ }
+
+ return NULL;
+ }
+
+ if (argc < 1)
+ {
+ cli_print(cli, "Specify rule details");
+ return NULL;
+ }
+
+ memset(&rule, 0, sizeof(rule));
+ rule.action = (command[0] == 'p')
+ ? FILTER_ACTION_PERMIT
+ : FILTER_ACTION_DENY;
+
+ rule.proto = IPPROTO_IP;
+ if (MATCH("any", argv[0]))
+ {
+ rule.src_ip = INADDR_ANY;
+ rule.src_wild = INADDR_BROADCAST;
+ }
+ else if (MATCH("host", argv[0]))
+ {
+ if (argc != 2)
+ {
+ cli_print(cli, "Specify host ip address");
+ return NULL;
+ }
+
+ if (!inet_aton(argv[1], &addr))
+ {
+ cli_print(cli, "Cannot parse IP \"%s\"", argv[1]);
+ return NULL;
+ }
+
+ rule.src_ip = addr.s_addr;
+ rule.src_wild = INADDR_ANY;
+ }
+ else
+ {
+ if (argc > 2)
+ {
+ cli_print(cli, "Specify source ip address and wildcard");
+ return NULL;
+ }
+
+ if (!inet_aton(argv[0], &addr))
+ {
+ cli_print(cli, "Cannot parse IP \"%s\"", argv[0]);
+ return NULL;
+ }
+
+ rule.src_ip = addr.s_addr;
+
+ if (argc > 1)
+ {
+ if (!inet_aton(argv[1], &addr))
+ {
+ cli_print(cli, "Cannot parse IP \"%s\"", argv[1]);
+ return NULL;
+ }
+
+ rule.src_wild = addr.s_addr;
+ }
+ else
+ rule.src_wild = INADDR_ANY;
+ }
+
+ return &rule;
+}
+
+static int cmd_ip_access_list_rule(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ int i;
+ ip_filter_rulet *rule = ip_filters[filt].extended
+ ? access_list_rule_ext(cli, command, argv, argc)
+ : access_list_rule_std(cli, command, argv, argc);
+
+ if (!rule)
+ return CLI_OK;
+
+ for (i = 0; i < MAXFILTER_RULES - 1; i++) // -1: list always terminated by empty rule
+ {
+ if (!ip_filters[filt].rules[i].action)
+ {
+ memcpy(&ip_filters[filt].rules[i], rule, sizeof(*rule));
+ return CLI_OK;
+ }
+
+ if (!memcmp(&ip_filters[filt].rules[i], rule, sizeof(*rule)))
+ return CLI_OK;
+ }
+
+ cli_print(cli, "Too many rules");
+ return CLI_OK;
+}
+
+static int cmd_filter(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ sessionidt s;
+ int i;
+
+ /* filter USER {in|out} FILTER ... */
+ if (CLI_HELP_REQUESTED)
+ {
+ switch (argc)
+ {
+ case 1:
+ return cli_arg_help(cli, 0,
+ "USER", "Username of session to filter", NULL);
+
+ case 2:
+ case 4:
+ return cli_arg_help(cli, 0,
+ "in", "Set incoming filter",
+ "out", "Set outgoing filter", NULL);
+
+ case 3:
+ case 5:
+ return cli_arg_help(cli, argc == 5 && argv[4][1],
+ "NAME", "Filter name", NULL);
+
+ default:
+ return cli_arg_help(cli, argc > 1, NULL);
+ }
+ }
+
+ if (!config->cluster_iam_master)
+ {
+ cli_print(cli, "Can't do this on a slave. Do it on %s",
+ fmtaddr(config->cluster_master_address, 0));
+
+ return CLI_OK;
+ }
+
+ if (argc != 3 && argc != 5)
+ {
+ cli_print(cli, "Specify a user and filters");
+ return CLI_OK;
+ }
+
+ if (!(s = sessionbyuser(argv[0])))
+ {
+ cli_print(cli, "User %s is not connected", argv[0]);
+ return CLI_OK;
+ }
+
+ cli_session_actions[s].filter_in = cli_session_actions[s].filter_out = -1;
+ for (i = 1; i < argc; i += 2)
+ {
+ int *f = 0;
+ int v;
+
+ if (MATCH("in", argv[i]))
+ {
+ if (session[s].filter_in)
+ {
+ cli_print(cli, "Input already filtered");
+ return CLI_OK;
+ }
+ f = &cli_session_actions[s].filter_in;
+ }
+ else if (MATCH("out", argv[i]))
+ {
+ if (session[s].filter_out)
+ {
+ cli_print(cli, "Output already filtered");
+ return CLI_OK;
+ }
+ f = &cli_session_actions[s].filter_out;
+ }
+ else
+ {
+ cli_print(cli, "Invalid filter specification");
+ return CLI_OK;
+ }
+
+ v = find_access_list(argv[i+1]);
+ if (v < 0 || !*ip_filters[v].name)
+ {
+ cli_print(cli, "Access-list %s not defined", argv[i+1]);
+ return CLI_OK;
+ }
+
+ *f = v + 1;
+ }
+
+ cli_print(cli, "Filtering user %s", argv[0]);
+ cli_session_actions[s].action |= CLI_SESS_FILTER;
+
+ return CLI_OK;
+}
+
+static int cmd_no_filter(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ int i;
+ sessionidt s;
+
+ if (CLI_HELP_REQUESTED)
+ return cli_arg_help(cli, argc > 1,
+ "USER", "Username of session to remove filters from", NULL);
+
+ if (!config->cluster_iam_master)
+ {
+ cli_print(cli, "Can't do this on a slave. Do it on %s",
+ fmtaddr(config->cluster_master_address, 0));
+
+ return CLI_OK;
+ }
+
+ if (!argc)
+ {
+ cli_print(cli, "Specify a user to remove filters from");
+ return CLI_OK;
+ }
+
+ for (i = 0; i < argc; i++)
+ {
+ if (!(s = sessionbyuser(argv[i])))
+ {
+ cli_print(cli, "User %s is not connected", argv[i]);
+ continue;
+ }
+
+ if (session[s].filter_in || session[s].filter_out)
+ {
+ cli_print(cli, "Removing filters from user %s", argv[i]);
+ cli_session_actions[s].action |= CLI_SESS_NOFILTER;
+ }
+ else
+ {
+ cli_print(cli, "User %s not filtered", argv[i]);
+ }
+ }
+
+ return CLI_OK;
+}
+
+static int cmd_show_access_list(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ int i;
+
+ if (CLI_HELP_REQUESTED)
+ return cli_arg_help(cli, argc > 1, "NAME", "Filter name", NULL);
+
+ if (argc < 1)
+ {
+ cli_print(cli, "Specify a filter name");
+ return CLI_OK;
+ }
+
+ for (i = 0; i < argc; i++)
+ {
+ int f = find_access_list(argv[i]);
+ ip_filter_rulet *rules;
+
+ if (f < 0 || !*ip_filters[f].name)
+ {
+ cli_print(cli, "Access-list %s not defined", argv[i]);
+ return CLI_OK;
+ }
+
+ if (i)
+ cli_print(cli, "");
+
+ cli_print(cli, "%s IP access list %s",
+ ip_filters[f].extended ? "Extended" : "Standard",
+ ip_filters[f].name);
+
+ for (rules = ip_filters[f].rules; rules->action; rules++)
+ {
+ char const *r = show_access_list_rule(ip_filters[f].extended, rules);
+ if (rules->counter)
+ cli_print(cli, "%s (%d match%s)", r,
+ rules->counter, rules->counter > 1 ? "es" : "");
+ else
+ cli_print(cli, "%s", r);
+ }
+ }
+
+ return CLI_OK;
+}
+
// Convert a string in the form of abcd.ef12.3456 into char[6]
void parsemac(char *string, char mac[6])
{
projects / l2tpns.git / blobdiff