// vim: sw=8 ts=8
char const *cvs_name = "$Name: $";
-char const *cvs_id_cli = "$Id: cli.c,v 1.28 2004-11-16 07:54:32 bodea Exp $";
+char const *cvs_id_cli = "$Id: cli.c,v 1.32 2004-11-28 02:53:11 bodea Exp $";
#include <stdio.h>
#include <stdarg.h>
extern ippoolt *ip_address_pool;
extern struct Tstats *_statistics;
static struct cli_def *cli = NULL;
-extern struct configt *config;
-extern struct config_descriptt config_values[];
+extern configt *config;
+extern config_descriptt config_values[];
#ifdef RINGBUFFER
extern struct Tringbuffer *ringbuffer;
#endif
extern struct cli_session_actions *cli_session_actions;
extern struct cli_tunnel_actions *cli_tunnel_actions;
extern tbft *filter_list;
+extern ip_filtert *ip_filters;
static char *debug_levels[] = {
"CRIT",
static int cmd_restart_bgp(struct cli_def *cli, char *command, char **argv, int argc);
#endif /* BGP */
+#define MODE_CONFIG_NACL 9
+static int cmd_ip_access_list(struct cli_def *cli, char *command, char **argv, int argc);
+static int cmd_no_ip_access_list(struct cli_def *cli, char *command, char **argv, int argc);
+static int cmd_ip_access_list_rule(struct cli_def *cli, char *command, char **argv, int argc);
+static int cmd_filter(struct cli_def *cli, char *command, char **argv, int argc);
+static int cmd_no_filter(struct cli_def *cli, char *command, char **argv, int argc);
+
+/* match if b is a substr of a */
+#define MATCH(a,b) (!strncmp((a), (b), strlen(b)))
+
void init_cli(char *hostname)
{
FILE *f;
cli_register_command(cli, c, "memory", cmd_write_memory, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Save the running config to flash");
cli_register_command(cli, c, "terminal", cmd_show_run, PRIVILEGE_UNPRIVILEGED, MODE_EXEC, "Show the running config");
- cli_register_command(cli, NULL, "snoop", cmd_snoop, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Temporarily enable interception for a user");
- cli_register_command(cli, NULL, "throttle", cmd_throttle, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Temporarily enable throttling for a user");
+ cli_register_command(cli, NULL, "snoop", cmd_snoop, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Enable interception of a session");
+ cli_register_command(cli, NULL, "throttle", cmd_throttle, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Enable throttling of a session");
+ cli_register_command(cli, NULL, "filter", cmd_filter, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Add filtering to a session");
cli_register_command(cli, NULL, "debug", cmd_debug, PRIVILEGE_UNPRIVILEGED, MODE_EXEC, "Set the level of logging that is shown on the console");
#ifdef BGP
#endif /* BGP */
c = cli_register_command(cli, NULL, "no", NULL, PRIVILEGE_UNPRIVILEGED, MODE_EXEC, NULL);
- cli_register_command(cli, c, "snoop", cmd_no_snoop, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Temporarily disable interception for a user");
- cli_register_command(cli, c, "throttle", cmd_no_throttle, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Temporarily disable throttling for a user");
+ cli_register_command(cli, c, "snoop", cmd_no_snoop, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Disable interception of a session");
+ cli_register_command(cli, c, "throttle", cmd_no_throttle, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Disable throttling of a session");
+ cli_register_command(cli, c, "filter", cmd_no_filter, PRIVILEGE_PRIVILEGED, MODE_EXEC, "Remove filtering from a session");
cli_register_command(cli, c, "debug", cmd_no_debug, PRIVILEGE_UNPRIVILEGED, MODE_EXEC, "Turn off logging of a certain level of debugging");
#ifdef BGP
cli_register_command(cli, NULL, "set", cmd_set, PRIVILEGE_PRIVILEGED, MODE_CONFIG, "Set a configuration variable");
+ c = cli_register_command(cli, NULL, "ip", NULL, PRIVILEGE_PRIVILEGED, MODE_CONFIG, NULL);
+ cli_register_command(cli, c, "access-list", cmd_ip_access_list, PRIVILEGE_PRIVILEGED, MODE_CONFIG, "Add named access-list");
+
+ cli_register_command(cli, NULL, "permit", cmd_ip_access_list_rule, PRIVILEGE_PRIVILEGED, MODE_CONFIG_NACL, "Permit rule");
+ cli_register_command(cli, NULL, "deny", cmd_ip_access_list_rule, PRIVILEGE_PRIVILEGED, MODE_CONFIG_NACL, "Deny rule");
+
+ c = cli_register_command(cli, NULL, "no", NULL, PRIVILEGE_UNPRIVILEGED, MODE_CONFIG, NULL);
+ c2 = cli_register_command(cli, c, "ip", NULL, PRIVILEGE_PRIVILEGED, MODE_CONFIG, NULL);
+ cli_register_command(cli, c2, "access-list", cmd_no_ip_access_list, PRIVILEGE_PRIVILEGED, MODE_CONFIG, "Remove named access-list");
+
// Enable regular processing
cli_regular(cli, regular_stuff);
require_auth = addr.sin_addr.s_addr != inet_addr("127.0.0.1");
}
else
- LOG(0, 0, 0, 0, "getpeername() failed on cli socket. Requiring authentication: %s\n", strerror(errno));
+ LOG(0, 0, 0, 0, "getpeername() failed on cli socket. Requiring authentication: %s\n", strerror(errno));
if (require_auth)
{
cli_print(cli, "\tRadius Session:\t%u", session[s].radius);
cli_print(cli, "\tRx Speed:\t%lu", session[s].rx_connect_speed);
cli_print(cli, "\tTx Speed:\t%lu", session[s].tx_connect_speed);
+ if (session[s].filter_in && session[s].filter_in <= MAXFILTER)
+ cli_print(cli, "\tFilter in:\t%u (%s)", session[s].filter_in, ip_filters[session[s].filter_in - 1].name);
+ if (session[s].filter_out && session[s].filter_out <= MAXFILTER)
+ cli_print(cli, "\tFilter out:\t%u (%s)", session[s].filter_out, ip_filters[session[s].filter_out - 1].name);
if (session[s].snoop_ip && session[s].snoop_port)
cli_print(cli, "\tIntercepted:\t%s:%d", inet_toa(session[s].snoop_ip), session[s] .snoop_port);
else
return CLI_OK;
}
+static char const *show_access_list_rule(int extended, ip_filter_rulet *rule);
+
static int cmd_show_run(struct cli_def *cli, char *command, char **argv, int argc)
{
int i;
#ifdef BGP
if (config->as_number)
{
- int k;
+ int k;
int h;
- cli_print(cli, "# BGP");
+ cli_print(cli, "# BGP");
cli_print(cli, "router bgp %u", config->as_number);
for (i = 0; i < BGP_NUM_PEERS; i++)
{
if (!config->neighbour[i].name[0])
continue;
- cli_print(cli, " neighbour %s remote-as %u", config->neighbour[i].name, config->neighbour[i].as);
+ cli_print(cli, " neighbour %s remote-as %u", config->neighbour[i].name, config->neighbour[i].as);
k = config->neighbour[i].keepalive;
h = config->neighbour[i].hold;
}
#endif
+ cli_print(cli, "# Filters");
+ for (i = 0; i < MAXFILTER; i++)
+ {
+ ip_filter_rulet *rules;
+ if (!*ip_filters[i].name)
+ continue;
+
+ cli_print(cli, "ip access-list %s %s",
+ ip_filters[i].extended ? "extended" : "standard",
+ ip_filters[i].name);
+
+ rules = ip_filters[i].rules;
+ while (rules->action)
+ cli_print(cli, "%s", show_access_list_rule(ip_filters[i].extended, rules++));
+ }
+
cli_print(cli, "# end");
return CLI_OK;
}
int i;
for (i = 1; i < argc - 1; i += 2)
{
- int len = strlen(argv[i]);
int r = 0;
- if (!strncasecmp(argv[i], "in", len))
+ if (MATCH("in", argv[i]))
r = rate_in = atoi(argv[i+1]);
- else if (!strncasecmp(argv[i], "out", len))
+ else if (MATCH("out", argv[i]))
r = rate_out = atoi(argv[i+1]);
if (r < 1)
if (argv[i][0] == 'c' && len < 2)
len = 2; /* distinguish [cr]itical from [ca]lls */
- if (!strncasecmp(argv[i], "critical", len)) { debug_flags.critical = 1; continue; }
- if (!strncasecmp(argv[i], "error", len)) { debug_flags.error = 1; continue; }
- if (!strncasecmp(argv[i], "warning", len)) { debug_flags.warning = 1; continue; }
- if (!strncasecmp(argv[i], "info", len)) { debug_flags.info = 1; continue; }
- if (!strncasecmp(argv[i], "calls", len)) { debug_flags.calls = 1; continue; }
- if (!strncasecmp(argv[i], "data", len)) { debug_flags.data = 1; continue; }
- if (!strncasecmp(argv[i], "all", len))
+ if (!strncmp("critical", argv[i], len)) { debug_flags.critical = 1; continue; }
+ if (!strncmp("error", argv[i], len)) { debug_flags.error = 1; continue; }
+ if (!strncmp("warning", argv[i], len)) { debug_flags.warning = 1; continue; }
+ if (!strncmp("info", argv[i], len)) { debug_flags.info = 1; continue; }
+ if (!strncmp("calls", argv[i], len)) { debug_flags.calls = 1; continue; }
+ if (!strncmp("data", argv[i], len)) { debug_flags.data = 1; continue; }
+ if (!strncmp("all", argv[i], len))
{
memset(&debug_flags, 1, sizeof(debug_flags));
debug_flags.data = 0;
if (argv[i][0] == 'c' && len < 2)
len = 2; /* distinguish [cr]itical from [ca]lls */
- if (!strncasecmp(argv[i], "critical", len)) { debug_flags.critical = 0; continue; }
- if (!strncasecmp(argv[i], "error", len)) { debug_flags.error = 0; continue; }
- if (!strncasecmp(argv[i], "warning", len)) { debug_flags.warning = 0; continue; }
- if (!strncasecmp(argv[i], "info", len)) { debug_flags.info = 0; continue; }
- if (!strncasecmp(argv[i], "calls", len)) { debug_flags.calls = 0; continue; }
- if (!strncasecmp(argv[i], "data", len)) { debug_flags.data = 0; continue; }
- if (!strncasecmp(argv[i], "all", len))
+ if (!strncmp("critical", argv[i], len)) { debug_flags.critical = 0; continue; }
+ if (!strncmp("error", argv[i], len)) { debug_flags.error = 0; continue; }
+ if (!strncmp("warning", argv[i], len)) { debug_flags.warning = 0; continue; }
+ if (!strncmp("info", argv[i], len)) { debug_flags.info = 0; continue; }
+ if (!strncmp("calls", argv[i], len)) { debug_flags.calls = 0; continue; }
+ if (!strncmp("data", argv[i], len)) { debug_flags.data = 0; continue; }
+ if (!strncmp("all", argv[i], len))
{
memset(&debug_flags, 0, sizeof(debug_flags));
continue;
{
int len = strlen(argv[0])-1;
for (i = 0; config_values[i].key; i++)
- if (!len || !strncmp(argv[0], config_values[i].key, len))
+ if (!len || !strncmp(config_values[i].key, argv[0], len))
cli_print(cli, " %s", config_values[i].key);
}
return CLI_OK;
}
-static int find_bgp_neighbour(char *name)
+static int find_bgp_neighbour(char const *name)
{
int i;
int new = -1;
for (i = 0; i < BGP_NUM_PEERS; i++)
{
- if (!config->neighbour[i].name[0])
+ if (!config->neighbour[i].name[0])
{
if (new == -1) new = i;
continue;
NULL);
default:
- if (!strncmp("remote-as", argv[1], strlen(argv[1])))
- return cli_arg_help(cli, argv[2][1], "<1-65535>", "Autonomous system number", NULL);
+ if (MATCH("remote-as", argv[1]))
+ return cli_arg_help(cli, argv[2][1], "<1-65535>", "Autonomous system number", NULL);
- if (!strncmp("timers", argv[1], strlen(argv[1])))
+ if (MATCH("timers", argv[1]))
{
- if (argc == 3)
+ if (argc == 3)
return cli_arg_help(cli, 0, "<1-65535>", "Keepalive time", NULL);
if (argc == 4)
return CLI_OK;
}
- if (!strncmp("remote-as", argv[1], strlen(argv[1])))
+ if (MATCH("remote-as", argv[1]))
{
- int as = atoi(argv[2]);
+ int as = atoi(argv[2]);
if (as < 0 || as > 65535)
{
cli_print(cli, "Invalid autonomous system number");
return CLI_OK;
}
- if (argc != 4 || strncmp("timers", argv[1], strlen(argv[1])))
+ if (argc != 4 || !MATCH("timers", argv[1]))
{
cli_print(cli, "Invalid arguments");
return CLI_OK;
}
#endif /* BGP*/
+static int filt;
+static int find_access_list(char const *name)
+{
+ int i;
+
+ for (i = 0; i < MAXFILTER; i++)
+ if (!(*ip_filters[i].name && strcmp(ip_filters[i].name, name)))
+ return i;
+
+ return -1;
+}
+
+static int access_list(struct cli_def *cli, char **argv, int argc, int add)
+{
+ int extended;
+
+ if (CLI_HELP_REQUESTED)
+ {
+ switch (argc)
+ {
+ case 1:
+ return cli_arg_help(cli, 0,
+ "standard", "Standard syntax",
+ "extended", "Extended syntax",
+ NULL);
+
+ case 2:
+ return cli_arg_help(cli, argv[1][1],
+ "NAME", "Access-list name",
+ NULL);
+
+ default:
+ if (argc == 3 && !argv[2][1])
+ return cli_arg_help(cli, 1, NULL);
+
+ return CLI_OK;
+ }
+ }
+
+ if (argc != 2)
+ {
+ cli_print(cli, "Specify access-list type and name");
+ return CLI_OK;
+ }
+
+ if (MATCH("standard", argv[0]))
+ extended = 0;
+ else if (MATCH("extended", argv[0]))
+ extended = 1;
+ else
+ {
+ cli_print(cli, "Invalid access-list type");
+ return CLI_OK;
+ }
+
+ if (strlen(argv[1]) > sizeof(ip_filters[0].name) - 1 ||
+ strspn(argv[1], "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-") != strlen(argv[1]))
+ {
+ cli_print(cli, "Invalid access-list name");
+ return CLI_OK;
+ }
+
+ filt = find_access_list(argv[1]);
+ if (add)
+ {
+ if (filt < 0)
+ {
+ cli_print(cli, "Too many access-lists");
+ return CLI_OK;
+ }
+
+ // racy
+ if (!*ip_filters[filt].name)
+ {
+ memset(&ip_filters[filt], 0, sizeof(ip_filters[filt]));
+ strcpy(ip_filters[filt].name, argv[1]);
+ ip_filters[filt].extended = extended;
+ }
+ else if (ip_filters[filt].extended != extended)
+ {
+ cli_print(cli, "Access-list is %s",
+ ip_filters[filt].extended ? "extended" : "standard");
+
+ return CLI_OK;
+ }
+
+ cli_set_configmode(cli, MODE_CONFIG_NACL, extended ? "ext-nacl" : "std-nacl");
+ return CLI_OK;
+ }
+
+ if (filt < 0 || !*ip_filters[filt].name)
+ {
+ cli_print(cli, "Access-list not defined");
+ return CLI_OK;
+ }
+
+ // racy
+ if (ip_filters[filt].used)
+ {
+ cli_print(cli, "Access-list in use");
+ return CLI_OK;
+ }
+
+ memset(&ip_filters[filt], 0, sizeof(ip_filters[filt]));
+ return CLI_OK;
+}
+
+static int cmd_ip_access_list(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ return access_list(cli, argv, argc, 1);
+}
+
+static int cmd_no_ip_access_list(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ return access_list(cli, argv, argc, 0);
+}
+
+static int show_ip_wild(char *buf, ipt ip, ipt wild)
+{
+ int i;
+ if (ip == INADDR_ANY && wild == INADDR_BROADCAST)
+ return sprintf(buf, " any");
+
+ if (wild == INADDR_ANY)
+ return sprintf(buf, " host %s", inet_toa(ip));
+
+ i = sprintf(buf, " %s", inet_toa(ip));
+ return i + sprintf(buf + i, " %s", inet_toa(wild));
+}
+
+static int show_ports(char *buf, ip_filter_portt *ports)
+{
+ switch (ports->op)
+ {
+ case FILTER_PORT_OP_EQ: return sprintf(buf, " eq %u", ports->port);
+ case FILTER_PORT_OP_NEQ: return sprintf(buf, " neq %u", ports->port);
+ case FILTER_PORT_OP_GT: return sprintf(buf, " gt %u", ports->port);
+ case FILTER_PORT_OP_LT: return sprintf(buf, " lt %u", ports->port);
+ case FILTER_PORT_OP_RANGE: return sprintf(buf, " range %u %u", ports->port, ports->port2);
+ }
+
+ return 0;
+}
+
+static char const *show_access_list_rule(int extended, ip_filter_rulet *rule)
+{
+ static char buf[256];
+ char *p = buf;
+
+ p += sprintf(p, " %s", rule->action == FILTER_ACTION_PERMIT ? "permit" : "deny");
+ if (extended)
+ {
+ struct protoent *proto = getprotobynumber(rule->proto);
+ p += sprintf(p, " %s", proto ? proto->p_name : "ERR");
+ }
+
+ p += show_ip_wild(p, rule->src_ip, rule->src_wild);
+ if (!extended)
+ return buf;
+
+ if (rule->proto == IPPROTO_TCP || rule->proto == IPPROTO_UDP)
+ p += show_ports(p, &rule->src_ports);
+
+ p += show_ip_wild(p, rule->dst_ip, rule->dst_wild);
+ if (rule->proto == IPPROTO_TCP || rule->proto == IPPROTO_UDP)
+ p += show_ports(p, &rule->dst_ports);
+
+ if (rule->proto == IPPROTO_TCP && (rule->tcp_sflags || rule->tcp_cflags))
+ {
+ if (rule->tcp_flag_op == FILTER_FLAG_OP_ANY &&
+ rule->tcp_sflags == (TCP_FLAG_ACK|TCP_FLAG_FIN) &&
+ rule->tcp_cflags == TCP_FLAG_SYN)
+ {
+ p += sprintf(p, " established");
+ }
+ else
+ {
+ p += sprintf(p, " match-%s", rule->tcp_flag_op == FILTER_FLAG_OP_ALL ? "all" : "any");
+ if (rule->tcp_sflags & TCP_FLAG_FIN) p += sprintf(p, " +fin");
+ if (rule->tcp_cflags & TCP_FLAG_FIN) p += sprintf(p, " -fin");
+ if (rule->tcp_sflags & TCP_FLAG_SYN) p += sprintf(p, " +syn");
+ if (rule->tcp_cflags & TCP_FLAG_SYN) p += sprintf(p, " -syn");
+ if (rule->tcp_sflags & TCP_FLAG_RST) p += sprintf(p, " +rst");
+ if (rule->tcp_cflags & TCP_FLAG_RST) p += sprintf(p, " -rst");
+ if (rule->tcp_sflags & TCP_FLAG_PSH) p += sprintf(p, " +psh");
+ if (rule->tcp_cflags & TCP_FLAG_PSH) p += sprintf(p, " -psh");
+ if (rule->tcp_sflags & TCP_FLAG_ACK) p += sprintf(p, " +ack");
+ if (rule->tcp_cflags & TCP_FLAG_ACK) p += sprintf(p, " -ack");
+ if (rule->tcp_sflags & TCP_FLAG_URG) p += sprintf(p, " +urg");
+ if (rule->tcp_cflags & TCP_FLAG_URG) p += sprintf(p, " -urg");
+ }
+ }
+
+ return buf;
+}
+
+ip_filter_rulet *access_list_rule_ext(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ static ip_filter_rulet rule;
+ struct in_addr addr;
+ int i;
+ int a;
+
+ if (CLI_HELP_REQUESTED)
+ {
+ if (argc == 1)
+ {
+ cli_arg_help(cli, 0,
+ "ip", "Match IP packets",
+ "tcp", "Match TCP packets",
+ "udp", "Match UDP packets",
+ NULL);
+
+ return NULL;
+ }
+
+ // *sigh*, too darned complex
+ cli_arg_help(cli, 0, "RULE", "SOURCE [PORTS] DEST [PORTS] FLAGS", NULL);
+ return NULL;
+ }
+
+ if (argc < 3)
+ {
+ cli_print(cli, "Specify rule details");
+ return NULL;
+ }
+
+ memset(&rule, 0, sizeof(rule));
+ rule.action = (command[0] == 'p')
+ ? FILTER_ACTION_PERMIT
+ : FILTER_ACTION_DENY;
+
+ if (MATCH("ip", argv[0]))
+ rule.proto = IPPROTO_IP;
+ else if (MATCH("udp", argv[0]))
+ rule.proto = IPPROTO_UDP;
+ else if (MATCH("tcp", argv[0]))
+ rule.proto = IPPROTO_TCP;
+ else
+ {
+ cli_print(cli, "Invalid protocol \"%s\"", argv[0]);
+ return NULL;
+ }
+
+ for (a = 1, i = 0; i < 2; i++)
+ {
+ ipt *ip;
+ ipt *wild;
+ ip_filter_portt *port;
+
+ if (i == 0)
+ {
+ ip = &rule.src_ip;
+ wild = &rule.src_wild;
+ port = &rule.src_ports;
+ }
+ else
+ {
+ ip = &rule.dst_ip;
+ wild = &rule.dst_wild;
+ port = &rule.dst_ports;
+ if (a >= argc)
+ {
+ cli_print(cli, "Specify destination");
+ return NULL;
+ }
+ }
+
+ if (MATCH("any", argv[a]))
+ {
+ *ip = INADDR_ANY;
+ *wild = INADDR_BROADCAST;
+ a++;
+ }
+ else if (MATCH("host", argv[a]))
+ {
+ if (++a >= argc)
+ {
+ cli_print(cli, "Specify host ip address");
+ return NULL;
+ }
+
+ if (!inet_aton(argv[a], &addr))
+ {
+ cli_print(cli, "Cannot parse IP \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ *ip = addr.s_addr;
+ *wild = INADDR_ANY;
+ a++;
+ }
+ else
+ {
+ if (a >= argc - 1)
+ {
+ cli_print(cli, "Specify %s ip address and wildcard", i ? "destination" : "source");
+ return NULL;
+ }
+
+ if (!inet_aton(argv[a], &addr))
+ {
+ cli_print(cli, "Cannot parse IP \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ *ip = addr.s_addr;
+
+ if (!inet_aton(argv[++a], &addr))
+ {
+ cli_print(cli, "Cannot parse IP \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ *wild = addr.s_addr;
+ a++;
+ }
+
+ if (rule.proto == IPPROTO_IP || a >= argc)
+ continue;
+
+ port->op = 0;
+ if (MATCH("eq", argv[a]))
+ port->op = FILTER_PORT_OP_EQ;
+ else if (MATCH("neq", argv[a]))
+ port->op = FILTER_PORT_OP_NEQ;
+ else if (MATCH("gt", argv[a]))
+ port->op = FILTER_PORT_OP_GT;
+ else if (MATCH("lt", argv[a]))
+ port->op = FILTER_PORT_OP_LT;
+ else if (MATCH("range", argv[a]))
+ port->op = FILTER_PORT_OP_RANGE;
+
+ if (!port->op)
+ continue;
+
+ if (++a >= argc)
+ {
+ cli_print(cli, "Specify port");
+ return NULL;
+ }
+
+ if (!(port->port = atoi(argv[a])))
+ {
+ cli_print(cli, "Invalid port \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ a++;
+ if (port->op != FILTER_PORT_OP_RANGE)
+ continue;
+
+ if (a >= argc)
+ {
+ cli_print(cli, "Specify port");
+ return NULL;
+ }
+
+ if (!(port->port2 = atoi(argv[a])) || port->port2 < port->port)
+ {
+ cli_print(cli, "Invalid port \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ a++;
+ }
+
+ if (rule.proto == IPPROTO_TCP && a < argc)
+ {
+ if (MATCH("established", argv[a]))
+ {
+ rule.tcp_flag_op = FILTER_FLAG_OP_ANY;
+ rule.tcp_sflags = (TCP_FLAG_ACK|TCP_FLAG_FIN);
+ rule.tcp_cflags = TCP_FLAG_SYN;
+ a++;
+ }
+ else if (!strcmp(argv[a], "match-any") || !strcmp(argv[a], "match-an") ||
+ !strcmp(argv[a], "match-all") || !strcmp(argv[a], "match-al"))
+ {
+ rule.tcp_flag_op = argv[a][7] == 'n'
+ ? FILTER_FLAG_OP_ANY
+ : FILTER_FLAG_OP_ALL;
+
+ if (++a >= argc)
+ {
+ cli_print(cli, "Specify tcp flags");
+ return NULL;
+ }
+
+ while (a < argc && (argv[a][0] == '+' || argv[a][0] == '-'))
+ {
+ u8 *f;
+
+ f = (argv[a][0] == '+') ? &rule.tcp_sflags : &rule.tcp_cflags;
+
+ if (MATCH("fin", &argv[a][1])) *f |= TCP_FLAG_FIN;
+ else if (MATCH("syn", &argv[a][1])) *f |= TCP_FLAG_SYN;
+ else if (MATCH("rst", &argv[a][1])) *f |= TCP_FLAG_RST;
+ else if (MATCH("psh", &argv[a][1])) *f |= TCP_FLAG_PSH;
+ else if (MATCH("ack", &argv[a][1])) *f |= TCP_FLAG_ACK;
+ else if (MATCH("urg", &argv[a][1])) *f |= TCP_FLAG_URG;
+ else
+ {
+ cli_print(cli, "Invalid tcp flag \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ a++;
+ }
+ }
+ }
+
+ if (a < argc)
+ {
+ cli_print(cli, "Invalid flag \"%s\"", argv[a]);
+ return NULL;
+ }
+
+ return &rule;
+}
+
+ip_filter_rulet *access_list_rule_std(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ static ip_filter_rulet rule;
+ struct in_addr addr;
+
+ if (CLI_HELP_REQUESTED)
+ {
+ if (argc == 1)
+ {
+ cli_arg_help(cli, argv[0][1],
+ "A.B.C.D", "Source address",
+ "any", "Any source address",
+ "host", "Source host",
+ NULL);
+
+ return NULL;
+ }
+
+ if (MATCH("any", argv[0]))
+ {
+ if (argc == 2 && !argv[1][1])
+ cli_arg_help(cli, 1, NULL);
+ }
+ else if (MATCH("host", argv[0]))
+ {
+ if (argc == 2)
+ {
+ cli_arg_help(cli, argv[1][1],
+ "A.B.C.D", "Host address",
+ NULL);
+ }
+ else if (argc == 3 && !argv[2][1])
+ cli_arg_help(cli, 1, NULL);
+ }
+ else
+ {
+ if (argc == 2)
+ {
+ cli_arg_help(cli, 1,
+ "A.B.C.D", "Wildcard bits",
+ NULL);
+ }
+ else if (argc == 3 && !argv[2][1])
+ cli_arg_help(cli, 1, NULL);
+ }
+
+ return NULL;
+ }
+
+ if (argc < 1)
+ {
+ cli_print(cli, "Specify rule details");
+ return NULL;
+ }
+
+ memset(&rule, 0, sizeof(rule));
+ rule.action = (command[0] == 'p')
+ ? FILTER_ACTION_PERMIT
+ : FILTER_ACTION_DENY;
+
+ rule.proto = IPPROTO_IP;
+ if (MATCH("any", argv[0]))
+ {
+ rule.src_ip = INADDR_ANY;
+ rule.src_wild = INADDR_BROADCAST;
+ }
+ else if (MATCH("host", argv[0]))
+ {
+ if (argc != 2)
+ {
+ cli_print(cli, "Specify host ip address");
+ return NULL;
+ }
+
+ if (!inet_aton(argv[1], &addr))
+ {
+ cli_print(cli, "Cannot parse IP \"%s\"", argv[1]);
+ return NULL;
+ }
+
+ rule.src_ip = addr.s_addr;
+ rule.src_wild = INADDR_ANY;
+ }
+ else
+ {
+ if (argc > 2)
+ {
+ cli_print(cli, "Specify source ip address and wildcard");
+ return NULL;
+ }
+
+ if (!inet_aton(argv[0], &addr))
+ {
+ cli_print(cli, "Cannot parse IP \"%s\"", argv[0]);
+ return NULL;
+ }
+
+ rule.src_ip = addr.s_addr;
+
+ if (argc > 1)
+ {
+ if (!inet_aton(argv[1], &addr))
+ {
+ cli_print(cli, "Cannot parse IP \"%s\"", argv[1]);
+ return NULL;
+ }
+
+ rule.src_wild = addr.s_addr;
+ }
+ else
+ rule.src_wild = INADDR_ANY;
+ }
+
+ return &rule;
+}
+
+static int cmd_ip_access_list_rule(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ int i;
+ ip_filter_rulet *rule = ip_filters[filt].extended
+ ? access_list_rule_ext(cli, command, argv, argc)
+ : access_list_rule_std(cli, command, argv, argc);
+
+ if (!rule)
+ return CLI_OK;
+
+ for (i = 0; i < MAXFILTER_RULES - 1; i++) // -1: list always terminated by empty rule
+ {
+ if (!ip_filters[filt].rules[i].action)
+ {
+ memcpy(&ip_filters[filt].rules[i], rule, sizeof(*rule));
+ return CLI_OK;
+ }
+
+ if (!memcmp(&ip_filters[filt].rules[i], rule, sizeof(*rule)))
+ return CLI_OK;
+ }
+
+ cli_print(cli, "Too many rules");
+ return CLI_OK;
+}
+
+static int cmd_filter(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ sessionidt s;
+ int i;
+
+ /* filter USER {in|out} FILTER ... */
+ if (CLI_HELP_REQUESTED)
+ {
+ switch (argc)
+ {
+ case 1:
+ return cli_arg_help(cli, 0,
+ "USER", "Username of session to filter", NULL);
+
+ case 2:
+ case 4:
+ return cli_arg_help(cli, 0,
+ "in", "Set incoming filter",
+ "out", "Set outgoing filter", NULL);
+
+ case 3:
+ case 5:
+ return cli_arg_help(cli, argc == 5 && argv[4][1],
+ "NAME", "Filter name", NULL);
+
+ default:
+ return cli_arg_help(cli, argc > 1, NULL);
+ }
+ }
+
+ if (!config->cluster_iam_master)
+ {
+ cli_print(cli, "Can't do this on a slave. Do it on %s", inet_toa(config->cluster_master_address));
+ return CLI_OK;
+ }
+
+ if (argc != 3 && argc != 5)
+ {
+ cli_print(cli, "Specify a user and filters");
+ return CLI_OK;
+ }
+
+ if (!(s = sessionbyuser(argv[0])))
+ {
+ cli_print(cli, "User %s is not connected", argv[0]);
+ return CLI_OK;
+ }
+
+ cli_session_actions[s].filter_in = cli_session_actions[s].filter_out = -1;
+ for (i = 1; i < argc; i += 2)
+ {
+ int *f = 0;
+ int v;
+
+ if (MATCH("in", argv[i]))
+ {
+ if (session[s].filter_in)
+ {
+ cli_print(cli, "Input already filtered");
+ return CLI_OK;
+ }
+ f = &cli_session_actions[s].filter_in;
+ }
+ else if (MATCH("out", argv[i]))
+ {
+ if (session[s].filter_out)
+ {
+ cli_print(cli, "Output already filtered");
+ return CLI_OK;
+ }
+ f = &cli_session_actions[s].filter_out;
+ }
+ else
+ {
+ cli_print(cli, "Invalid filter specification");
+ return CLI_OK;
+ }
+
+ v = find_access_list(argv[i+1]);
+ if (v < 0 || !*ip_filters[v].name)
+ {
+ cli_print(cli, "Access-list %s not defined", argv[i+1]);
+ return CLI_OK;
+ }
+
+ *f = v + 1;
+ }
+
+ cli_print(cli, "Filtering user %s", argv[0]);
+ cli_session_actions[s].action |= CLI_SESS_FILTER;
+
+ return CLI_OK;
+}
+
+static int cmd_no_filter(struct cli_def *cli, char *command, char **argv, int argc)
+{
+ int i;
+ sessionidt s;
+
+ if (CLI_HELP_REQUESTED)
+ return cli_arg_help(cli, argc > 1,
+ "USER", "Username of session to remove filters from", NULL);
+
+ if (!config->cluster_iam_master)
+ {
+ cli_print(cli, "Can't do this on a slave. Do it on %s", inet_toa(config->cluster_master_address));
+ return CLI_OK;
+ }
+
+ if (!argc)
+ {
+ cli_print(cli, "Specify a user to remove filters from");
+ return CLI_OK;
+ }
+
+ for (i = 0; i < argc; i++)
+ {
+ if (!(s = sessionbyuser(argv[i])))
+ {
+ cli_print(cli, "User %s is not connected", argv[i]);
+ continue;
+ }
+
+ if (session[s].filter_in || session[s].filter_out)
+ {
+ cli_print(cli, "Removing filters from user %s", argv[i]);
+ cli_session_actions[s].action |= CLI_SESS_NOFILTER;
+ }
+ else
+ {
+ cli_print(cli, "User %s not filtered", argv[i]);
+ }
+ }
+
+ return CLI_OK;
+}
+
// Convert a string in the form of abcd.ef12.3456 into char[6]
void parsemac(char *string, char mac[6])
{