author | Stig Thormodsrud <stig@vyatta.com> | 2010-01-18 16:22:29 -0800 |
---|---|---|
committer | Stig Thormodsrud <stig@vyatta.com> | 2010-01-18 16:22:29 -0800 |
commit | 90fee79f793f26a39a05cd8feadb3d15ff3fd13e (patch) | |
tree | a0fdd0032f7fa69a40f421e1a332ded11c1197d6 | |
parent | 6fcc7325db526924cf21123a9f9ab662a64e490c (diff) | |
download | vyatta-cfg-quagga-90fee79f793f26a39a05cd8feadb3d15ff3fd13e.tar.gz vyatta-cfg-quagga-90fee79f793f26a39a05cd8feadb3d15ff3fd13e.zip |
Add IPv6 policy access-list.
14 files changed, 126 insertions, 17 deletions
diff --git a/scripts/policy/vyatta-policy.pl b/scripts/policy/vyatta-policy.pl
index 2ce6a2aa..a91d606b 100755
--- a/scripts/policy/vyatta-policy.pl
+++ b/scripts/policy/vyatta-policy.pl
@@ -7,11 +7,12 @@ use Getopt::Long;
 
 my $VTYSH = '/usr/bin/vyatta-vtysh';
 
-my ( $accesslist, $aspathlist, $communitylist, $peer );
+my ( $accesslist, $accesslist6, $aspathlist, $communitylist, $peer );
 my ( $routemap, $deleteroutemap );
 
 GetOptions(
 "update-access-list=s" => \$accesslist,
+ "update-access-list6=s" => \$accesslist6,
 "update-aspath-list=s" => \$aspathlist,
 "update-community-list=s" => \$communitylist,
 "check-peer-syntax=s" => \$peer,
@@ -20,6 +21,7 @@ GetOptions(
 ) or exit 1;
 
 update_access_list($accesslist) if ($accesslist);
+update_access_list6($accesslist6) if ($accesslist6);
 update_as_path($aspathlist) if ($aspathlist);
 update_community_list($communitylist) if ($communitylist);
 check_peer_syntax($peer) if ($peer);
@@ -141,6 +143,12 @@ sub is_access_list {
 return ( $count > 0 );
 }
 
+sub is_access_list6 {
+ my $list = shift;
+ my $count = `$VTYSH -c \"show ipv6 access-list $list\" | grep -c $list`;
+ return ( $count > 0 );
+}
+
 sub update_access_list {
 my $list = shift;
 my $config = new Vyatta::Config;
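Review bot: `is_access_list6` interpolates the user-supplied list name into a shell command in backticks (`$VTYSH -c \"show ipv6 access-list $list\" | grep -c $list`), and `update_access_list6` in the next hunk does the same inside both of its `system()` strings. The template's deny-list `^[^|;&$<>]*$` stops some shell punctuation but not backticks, double quotes or backslashes, so a name can still escape the quoted vtysh argument; passing the arguments as a list keeps the shell out of the path entirely, e.g. `system($VTYSH, '-c', 'configure terminal', '-c', "ipv6 access-list $list $action $src $exact");` for the writes. The `grep -c $list` substring match also reports a hit for any other list whose name merely contains `$list`, which the rewrite below avoids by matching in Perl with `\Q...\E`. The compiled-in `$VTYSH` path is defined in the first hunk, outside this one.
```perl
sub is_access_list6 {
    my $list = shift;
    # list-form pipe open: the name is one argv element and never
    # reaches a shell, so it cannot be reinterpreted there
    open my $fh, '-|', $VTYSH, '-c', "show ipv6 access-list $list"
        or return 0;
    my $count = grep { /\Q$list\E/ } <$fh>;
    close $fh;
    return ( $count > 0 );
}
```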
@@ -221,6 +229,53 @@ sub update_access_list {
 exit 0;
 }
 
+sub update_access_list6 {
+ my $list = shift;
+ my $config = new Vyatta::Config;
+ my @rules = ();
+
+ # remove the old rule if it already exists
+ if ( is_access_list6($list) ) {
+ system("$VTYSH -c \"conf t\" -c \"no ipv6 access-list $list\" ");
+ }
+
+ $config->setLevel("policy access-list6 $list rule");
+ @rules = $config->listNodes();
+
+ foreach my $rule ( sort numerically @rules ) {
+ my ($action, $src, $exact) = '';
+
+ # set the action
+ $action = $config->returnValue("$rule action");
+ if ( !defined $action ) {
+ print
+"policy access-list6 $list rule $rule: You must specify an action\n";
+ exit 1;
+ }
+
+ if ( defined $config->returnValue("$rule source network") ) {
+ $src = $config->returnValue("$rule source network");
+ if ($config->exists("$rule source exact-match")) {
+ $exact = 'exact-match';
+ }
+ }
+ else {
+ if ( $config->exists("$rule source any") ) { $src = "any"; }
+ else {
+ print
+"policy access-list6 $list rule $rule source: incorrect source filter\n";
+ exit 1;
+ }
+ }
+
+ system(
+"$VTYSH -c \"configure terminal\" -c \"ipv6 access-list $list $action $src $exact\" "
+ );
+ }
+
+ exit 0;
+}
+
 ## check_routemap_action
 # check if the action has been changed since the last commit.
 # we need to do this because quagga will wipe the entire config if
diff --git a/templates/policy/access-list6/node.def b/templates/policy/access-list6/node.def
new file mode 100644
index 00000000..01a5f90f
--- /dev/null
+++ b/templates/policy/access-list6/node.def
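Review bot: `my ($action, $src, $exact) = '';` initializes only `$action`; `$src` and `$exact` are left undef, and for every rule without exact-match the undefined `$exact` is interpolated into the `ipv6 access-list ...` command string, which emits an uninitialized-value warning into the commit output if the script runs under `use warnings` (the preamble is outside this hunk). Initialize all three explicitly: `my ( $action, $src, $exact ) = ( '', '', '' );`. Separately, neither `system()` call checks its result, so a failed vtysh invocation (the `no ipv6 access-list` cleanup or a rule push) still falls through to `exit 0` and the commit looks successful; testing `$? >> 8` after each call and printing the `policy access-list6 $list rule $rule` path before `exit 1`, as the action and source checks already do, would surface the failure. The whole of `update_access_list6` lies inside this hunk.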
@@ -0,0 +1,17 @@
+tag:
+
+type: txt
+
+help: Set IPv6 access-list filter
+
+syntax:expression: pattern $VAR(@) "^[[:graph:]]{1,64}$" ; \
+ "access-list name must be 64 characters or less"
+syntax:expression: pattern $VAR(@) "^[^-]" ; \
+ "access-list name cannot start with \"-\""
+syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; \
+ "access-list name cannot contain shell punctuation"
+
+end: /opt/vyatta/sbin/vyatta-policy.pl --update-access-list6 "$VAR(@)"
+
+comp_help: possible completions:
+ <txt> Set name of ipv6 access-list
diff --git a/templates/policy/access-list6/node.tag/description/node.def b/templates/policy/access-list6/node.tag/description/node.def
new file mode 100644
index 00000000..2ed57fe5
--- /dev/null
+++ b/templates/policy/access-list6/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set a description for this IPv6 access-list
diff --git a/templates/policy/access-list6/node.tag/rule/node.def b/templates/policy/access-list6/node.tag/rule/node.def
new file mode 100644
index 00000000..68666a4e
--- /dev/null
+++ b/templates/policy/access-list6/node.tag/rule/node.def
@@ -0,0 +1,11 @@
+tag:
+
+type: u32
+
+help: Set a rule for this access-list6
+
+syntax:expression: $VAR(@) >= 1 && $VAR(@) <= 65535; \
+ "rule number must be between 1 and 65535"
+
+comp_help: possible completions:
+ <1-65535> Set access-list6 rule number
diff --git a/templates/policy/access-list6/node.tag/rule/node.tag/action/node.def b/templates/policy/access-list6/node.tag/rule/node.tag/action/node.def
new file mode 100644
index 00000000..00d8d511
--- /dev/null
+++ b/templates/policy/access-list6/node.tag/rule/node.tag/action/node.def
@@ -0,0 +1,9 @@
+type: txt
+
+help: Set action to take on networks matching this rule [REQUIRED]
+
+syntax:expression: $VAR(@) in "permit", "deny"; "action must be permit or deny"
+
+comp_help: possible completions
+ permit permit matching networks
+ deny deny matching networks
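Review bot: The third `syntax:expression` in access-list6/node.def is a deny-list (`^[^|;&$<>]*$`) whose message promises the name "cannot contain shell punctuation", yet backticks, double and single quotes, backslashes, parentheses and `*` all pass, and the `end:` action hands the name to vyatta-policy.pl, which embeds it in vtysh command strings. An allow-list is the safer shape for a name that travels into commands: `syntax:expression: pattern $VAR(@) "^[A-Za-z0-9_.:-]+$" ; \` followed by `"access-list name may only contain letters, digits, '_', '.', ':' and '-'"`. If quagga's own name grammar needs further characters, widen that class rather than returning to a deny-list. The same consideration applies to whichever script-side quoting is chosen in vyatta-policy.pl, since the template check is the first of the two layers.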
diff --git a/templates/policy/access-list6/node.tag/rule/node.tag/description/node.def b/templates/policy/access-list6/node.tag/rule/node.tag/description/node.def
new file mode 100644
index 00000000..9fbe0f6c
--- /dev/null
+++ b/templates/policy/access-list6/node.tag/rule/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Set a description for this IPv6 access-list rule
diff --git a/templates/policy/access-list6/node.tag/rule/node.tag/source/any/node.def b/templates/policy/access-list6/node.tag/rule/node.tag/source/any/node.def
new file mode 100644
index 00000000..94dac8f3
--- /dev/null
+++ b/templates/policy/access-list6/node.tag/rule/node.tag/source/any/node.def
@@ -0,0 +1,5 @@
+help: Set any IPv6 address to match
+
+commit:expression: ($VAR(../network/) == ""); "policy access-list6 $VAR(../../../@) rule $VAR(../../@) source: you may only define one filter type. (network|any)"
+
+commit:expression: $VAR(../../action/) != ""; "policy access-list6 $VAR(../../../@) rule $VAR(../../@) source: you must specify an action"
diff --git a/templates/policy/access-list6/node.tag/rule/node.tag/source/exact-match/node.def b/templates/policy/access-list6/node.tag/rule/node.tag/source/exact-match/node.def
new file mode 100644
index 00000000..170efc33
--- /dev/null
+++ b/templates/policy/access-list6/node.tag/rule/node.tag/source/exact-match/node.def
@@ -0,0 +1,3 @@
+help: Exact match of the network prefixes
+
+commit:expression: ($VAR(../any/) == ""); "policy access-list6 $VAR(../../../@) rule $VAR(../../@) source: exact-match can only be used with a network filter "
diff --git a/templates/policy/access-list6/node.tag/rule/node.tag/source/network/node.def b/templates/policy/access-list6/node.tag/rule/node.tag/source/network/node.def
new file mode 100644
index 00000000..085a59ec
--- /dev/null
+++ b/templates/policy/access-list6/node.tag/rule/node.tag/source/network/node.def
@@ -0,0 +1,10 @@
+type: ipv6net
+
+help: Set a network/netmask to match (requires inverse-mask be defined)
+
+comp_help: possible completions:
+ <h:h:h:h:h:h:h:h/x> Set the IPv6 address and prefix length
+
+commit:expression: ($VAR(../any/) == ""); "policy access-list6 $VAR(../../../@) rule $VAR(../../@) source: you may only define one filter type. (network|any)"
+
+commit:expression: $VAR(../../action/) != ""; "policy access-list6 $VAR(../../../@) rule $VAR(../../@) source: you must specify an action"
diff --git a/templates/policy/access-list6/node.tag/rule/node.tag/source/node.def b/templates/policy/access-list6/node.tag/rule/node.tag/source/node.def
new file mode 100644
index 00000000..37277c3d
--- /dev/null
+++ b/templates/policy/access-list6/node.tag/rule/node.tag/source/node.def
@@ -0,0 +1 @@
+help: Set source IPv6 network to match
diff --git a/templates/policy/route-map/node.tag/description/node.def b/templates/policy/route-map/node.tag/description/node.def
index 040ef5c1..27f1ce01 100644
--- a/templates/policy/route-map/node.tag/description/node.def
+++ b/templates/policy/route-map/node.tag/description/node.def
@@ -1,2 +1,2 @@
 type: txt
-help: Set a description for this access-list
+help: Set a description for this route-map
diff --git a/templates/policy/route-map/node.tag/rule/node.def b/templates/policy/route-map/node.tag/rule/node.def
index 24bdbfc9..98c179da 100644
--- a/templates/policy/route-map/node.tag/rule/node.def
+++ b/templates/policy/route-map/node.tag/rule/node.def
@@ -1,6 +1,6 @@
 tag:
 type: u32
-help: Set a rule for this access-list
+help: Set a rule for this route-map
 comp_help: \1 <1-65535>\troute-map rule number
 syntax:expression: $VAR(@) >= 1 && $VAR(@) <= 65535; "rule number must be between 1 and 65535"
 delete: if [ -f /tmp/route-map-$VAR(../@)-rule-$VAR(@)-action.$PPID ]; then
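Review bot: The help text of source/network/node.def, `Set a network/netmask to match (requires inverse-mask be defined)`, is carried over from the IPv4 access-list template; nothing in the new access-list6 tree defines an inverse-mask node and the script emits the value as a plain prefix, so the parenthetical points operators at a node that does not exist. The `comp_help` line already states the real contract (`<h:h:h:h:h:h:h:h/x>`), so the help should match it: `help: Set an IPv6 network/prefix-length to match`.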
diff --git a/templates/policy/route-map/node.tag/rule/node.tag/match/ipv6/address/access-list/node.def b/templates/policy/route-map/node.tag/rule/node.tag/match/ipv6/address/access-list/node.def index 2cb8ca32..2f7526a0 100644 --- a/templates/policy/route-map/node.tag/rule/node.tag/match/ipv6/address/access-list/node.def +++ b/templates/policy/route-map/node.tag/rule/node.tag/match/ipv6/address/access-list/node.def @@ -1,9 +1,9 @@ -type: u32 -help: Set an IP access-list to match +type: txt +help: Set an IPv6 access-list6 to match commit:expression: $VAR(../prefix-list/) == ""; "policy route-map $VAR(../../../../../@) rule $VAR(../../../../@) match ip address access-list: you may only specify a prefix-list or access-list" -commit:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --exists \"policy access-list $VAR(@)\" "; "policy route-map $VAR(../../../../../@) rule $VAR(../../../../@) match ipv6 address access-list: access-list $VAR(@) does not exist" +commit:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --exists \"policy access-list6 $VAR(@)\" "; "policy route-map $VAR(../../../../../@) rule $VAR(../../../../@) match ipv6 address access-list: access-list6 $VAR(@) does not exist" commit:expression: $VAR(../../../../action/) != ""; "policy route-map $VAR(../../../../../@) rule $VAR(../../../../@): you must specify an action" @@ -16,7 +16,4 @@ delete: vyatta-vtysh -c "configure terminal" \ -c "no match ipv6 address $VAR(@) " comp_help: possible completions: - <1-99> IP standard access list number - <100-199> IP extended access list number - <1300-1999> IP standard access list number (expanded range) - <2000-2699> IP extended access list number (expanded range)
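Review bot: Changing this node from `type: u32` to `type: txt` removes the only validation the value had, and the unchanged `commit:expression: exec "... --exists \"policy access-list6 $VAR(@)\" "` still interpolates it into a shell command string at commit time, so a name containing a double quote or shell metacharacters can now reach that string unchecked. Add the same name check the access-list6 node applies, placed before the `commit:expression` lines: `syntax:expression: pattern $VAR(@) "^[^|;&$<>]*$" ; "access-list6 name cannot contain shell punctuation"` (or the stricter allow-list if the access-list6 node adopts one, so the two stay in sync). The nexthop/access-list/node.def section that follows makes the identical u32-to-txt change with the identical `exec` and needs the same guard.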
\ No newline at end of file + <txt> name of an IPv6 access-list6 diff --git a/templates/policy/route-map/node.tag/rule/node.tag/match/ipv6/nexthop/access-list/node.def b/templates/policy/route-map/node.tag/rule/node.tag/match/ipv6/nexthop/access-list/node.def index 03b8c244..83e9e3dd 100644 --- a/templates/policy/route-map/node.tag/rule/node.tag/match/ipv6/nexthop/access-list/node.def +++ b/templates/policy/route-map/node.tag/rule/node.tag/match/ipv6/nexthop/access-list/node.def @@ -1,9 +1,9 @@ -type: u32 -help: Set an IP access-list to match +type: txt +help: Set an IPv6 access-list6 to match commit:expression: $VAR(../prefix-list/) == ""; "policy route-map $VAR(../../../../../@) rule $VAR(../../../../@) match ipv6 nexthop access-list: you may only specify a prefix-list or access-list" -commit:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --exists \"policy access-list $VAR(@)\" "; "policy route-map $VAR(../../../../../@) rule $VAR(../../../../@) match ipv6 nexthop access-list: access-list $VAR(@) does not exist" +commit:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --exists \"policy access-list6 $VAR(@)\" "; "policy route-map $VAR(../../../../../@) rule $VAR(../../../../@) match ipv6 nexthop access-list: access-list6 $VAR(@) does not exist" commit:expression: $VAR(../../../../action/) != ""; "policy route-map $VAR(../../../../../@) rule $VAR(../../../../@): you must specify an action" @@ -16,7 +16,4 @@ delete: vyatta-vtysh -c "configure terminal" \ -c "no match ipv6 next-hop $VAR(@)" comp_help: possible completions: - <1-99> IP standard access list number - <100-199> IP extended access list number - <1300-1999> IP standard access list number (expanded range) - <2000-2699> IP extended access list number (expanded range) + <txt> name of IPv6 access-list6 |