diff options
18 files changed, 130 insertions, 71 deletions
diff --git a/scripts/bgp/vyatta-bgp.pl b/scripts/bgp/vyatta-bgp.pl index 059ce1a5..d0f9c94c 100755 --- a/scripts/bgp/vyatta-bgp.pl +++ b/scripts/bgp/vyatta-bgp.pl @@ -36,6 +36,13 @@ sub check_peer_name() { print "malformed neighbor address $neighbor\n"; exit 1; } + + # Quagga treats the first byte as a potential IPv6 address + # so we can't use it as a peer group name. So let's check for it. + if (/^[A-Fa-f]{1,4}$/) { + print "malformed neighbor address $neighbor\n"; + exit 1; + } } # Make sure we aren't deleteing a peer-group that has diff --git a/scripts/policy/vyatta-policy.pl b/scripts/policy/vyatta-policy.pl index 51aa163a..e840271e 100755 --- a/scripts/policy/vyatta-policy.pl +++ b/scripts/policy/vyatta-policy.pl @@ -9,12 +9,16 @@ GetOptions("update-access-list=s" => \$accesslist, "update-aspath-list=s" => \$aspathlist, "update-community-list=s" => \$communitylist, "check-peer-syntax=s" => \$peer, + "check-routemap-action=s" => \$routemap, + "check-delete-routemap-action=s" => \$deleteroutemap, ); if (defined $accesslist) { update_access_list($accesslist); } if (defined $aspathlist) { update_as_path($aspathlist); } if (defined $communitylist) { update_community_list($communitylist); } if (defined $peer) { check_peer_syntax($peer); } +if (defined $routemap) { check_routemap_action($routemap); } +if (defined $deleteroutemap) { check_delete_routemap_action($deleteroutemap); } exit 0; @@ -209,3 +213,39 @@ sub update_access_list() { exit 0; } +## check_routemap_action +# check if the action has been changed since the last commit. +# we need to do this because quagga will wipe the entire config if +# the action is changed. +# $1 = policy route-map <name> rule <num> action +sub check_routemap_action() { + my $routemap = shift; + my $config = new VyattaConfig; + + my $action = $config->setLevel("$routemap"); + my $origvalue = $config->returnOrigValue(); + if ($origvalue) { + my $value = $config->returnValue(); + if ("$value" ne "$origvalue") { + exit 1; + } + } + + exit 0; +} + +## check_delete_routemap_action +# don't allow deleteing the route-map action if other sibling nodes exist. +# action is required for all other route-map definitions +# $1 = policy route-map <name> rule <num> +sub check_delete_routemap_action() { + my $routemap = shift; + my $config = new VyattaConfig; + + my @nodes = $config->listNodes("$routemap"); + if (defined @nodes) { + exit 1 + } + + exit 0; +} diff --git a/templates/policy/access-list/node.def b/templates/policy/access-list/node.def index a6f1b05a..de8ec16e 100644 --- a/templates/policy/access-list/node.def +++ b/templates/policy/access-list/node.def @@ -1,10 +1,6 @@ tag: type: u32 -help: Access list number must be - <1-99> IP standard access list - <100-199> IP extended access list - <1300-1999> IP standard access list (expanded range) - <2000-2699> IP extended access list (expanded range) +help: IP access list number syntax:expression: ($VAR(@) >= 1 && $VAR(@) <= 199) || ($VAR(@) >= 1300 && $VAR(@) <= 2699); \ "Access list number must be \n \ <1-99> IP standard access list \n \ diff --git a/templates/policy/route-map/node.tag/rule/node.def b/templates/policy/route-map/node.tag/rule/node.def index c3079f54..b5a8e367 100644 --- a/templates/policy/route-map/node.tag/rule/node.def +++ b/templates/policy/route-map/node.tag/rule/node.def @@ -2,7 +2,7 @@ tag: type: u32 help: Specify route-map rule number syntax:expression: $VAR(@) >= 1 && $VAR(@) <= 65535; "route-map $VAR(../@): rule number $VAR(@) must be between 1 and 65535" -end:expression: "if [ -f /tmp/delete-policy-route-map-$VAR(../@)-rule-$VAR(@) ]; then \ - ${vyatta_sbindir}/vyatta-policy-action-verify.pl $VAR(../@) $VAR(@) $( cat /tmp/delete-policy-route-map-$VAR(../@)-rule-$VAR(@) ); \ - fi" - +delete: if [ -f /tmp/route-map-$VAR(../@)-rule-$VAR(@)-action.$PPID ]; then + ${vyatta_sbindir}/vyatta-vtysh.pl -c "configure terminal" -c "no route-map $VAR(../@) $VAR(./@/action/@) $VAR(@)"; + rm -f /tmp/route-map-$VAR(../@)-rule-$VAR(@)-action.$PPID; + fi; diff --git a/templates/policy/route-map/node.tag/rule/node.tag/action/node.def b/templates/policy/route-map/node.tag/rule/node.tag/action/node.def index 83e092e8..3967558c 100644 --- a/templates/policy/route-map/node.tag/rule/node.tag/action/node.def +++ b/templates/policy/route-map/node.tag/rule/node.tag/action/node.def @@ -1,7 +1,20 @@ type: txt help: Action to take on prefixes matching this rule syntax:expression: $VAR(@) in "permit", "deny"; "route-map $VAR(../../@) $VAR(@) $VAR(../@) action: must be permit or deny" -update:expression: "${vyatta_sbindir}/vyatta-vtysh.pl -c \"configure terminal\" -c \"route-map $VAR(../../@) $VAR(@) $VAR(../@)\" " -update:expression: exec "sudo rm -f /tmp/delete-policy-route-map-$VAR(../../@)-rule-$VAR(../@) 2>/dev/null" -delete:expression: exec "sudo echo $VAR(@) > /tmp/delete-policy-route-map-$VAR(../../@)-rule-$VAR(../@)" - +update: /opt/vyatta/sbin/vyatta-policy.pl --check-routemap-action "policy route-map $VAR(../../@) rule $VAR(../@) action"; + if [ $? -eq 0 ]; then + ${vyatta_sbindir}/vyatta-vtysh.pl -c "configure terminal" -c "route-map $VAR(../../@) $VAR(@) $VAR(../@)"; + else + echo " You can not change the action for \"route-map $VAR(../../@) rule $VAR(../@)\"."; + echo " To change the action you must first delete the rule "; + echo -e " \"delete route-map $VAR(../../@) rule $VAR(../@)\" and commit it. \\n"; + exit 1; + fi; +delete: /opt/vyatta/sbin/vyatta-policy.pl --check-delete-routemap-action "policy route-map $VAR(../../@) rule $VAR(../@)"; + if [ $? -eq 0 ]; then + touch /tmp/route-map-$VAR(../../@)-rule-$VAR(../@)-action.$PPID ; + else + echo " Action is a required node for \"route-map $VAR(../../@) rule $VAR(../@)\". "; + echo -e " To delete that node you must delete \"route-map $VAR(../../@) rule $VAR(../@)\". \\n"; + exit 1; + fi; diff --git a/templates/policy/route-map/node.tag/rule/node.tag/match/community/node.def b/templates/policy/route-map/node.tag/rule/node.tag/match/community/node.def index 29298fac..3ac8e05e 100644 --- a/templates/policy/route-map/node.tag/rule/node.tag/match/community/node.def +++ b/templates/policy/route-map/node.tag/rule/node.tag/match/community/node.def @@ -1,19 +1,27 @@ help: Match BGP community list -delete:expression: "touch /tmp/policy-route-map-$VAR(../../../@)-$VAR(../../action/@)-$VAR(../../@)-match-community.$PPID" -end:expression: "if [ -z \"$VAR(./community-list/)\" ]; then \ - echo You must configure a community-list ; \ - exit 1 ; \ - fi ; \ - ${vyatta_sbindir}/vyatta-vtysh.pl -noerr -c \"configure terminal\" \ - -c \"route-map $VAR(../../../@) $VAR(../../action/@) $VAR(../../@)\" \ - -c \"no match community \" ; \ - if [ -f \"/tmp/policy-route-map-$VAR(../../../@)-$VAR(../../action/@)-$VAR(../../@)-match-community.$PPID\" ]; then \ - rm -rf /tmp/policy-route-map-$VAR(../../../@)-$VAR(../../action/@)-$VAR(../../@)-match-community.$PPID; \ - else \ - if [ -n \"$VAR(./exact-match/)\" ]; then \ - cond=\"exact-match \"; \ - fi ; \ - ${vyatta_sbindir}/vyatta-vtysh.pl -c \"configure terminal\" \ - -c \"route-map $VAR(../../../@) $VAR(../../action/@) $VAR(../../@)\" \ - -c \"match community $VAR(./community-list/@) $cond\" ; \ - fi; " +delete: echo route-map $VAR(../../../@) $VAR(../../action/@) $VAR(../../@) >> /tmp/delete-policy-route-map-$VAR(../../../@)-$VAR(../../@)-match-community.$PPID +## this will always return exact-match pending bug 2525 being fixed +end: if [ -z "$VAR(./community-list/@)" ]; then + echo You must configure a community-list ; + exit 1 ; + fi ; + if [ -f /tmp/delete-policy-route-map-$VAR(../../../@)-$VAR(../../@)-match-community.$PPID ]; then + routemap=`cat /tmp/delete-policy-route-map-$VAR(../../../@)-$VAR(../../@)-match-community.$PPID` + rm -f /tmp/delete-policy-route-map-$VAR(../../../@)-$VAR(../../@)-match-community.$PPID; + ${vyatta_sbindir}/vyatta-vtysh.pl -noerr -c "configure terminal" -c "$routemap " -c "no match community " ; + exit 0; + else + routemap='route-map $VAR(../../../@) $VAR(../../action/@) $VAR(../../@)'; + + # uncomment and replace the call to vyatta-check-typeless-node.pl pending bug 2525 + #if [ -n "$VAR(./exact-match/)" ]; then + # cond="exact-match "; + #fi ; + ${vyatta_sbindir}/vyatta-check-typeless-node.pl "policy route-map $VAR(../../../@) rule $VAR(../../@) match community exact-match"; + if [ $? -eq 0 ]; then + cond="exact-match "; + fi ; + + ${vyatta_sbindir}/vyatta-vtysh.pl -noerr -c "configure terminal" -c "$routemap " -c "no match community " ; + ${vyatta_sbindir}/vyatta-vtysh.pl -c \"configure terminal\" -c "$routemap " -c "match community $VAR(./community-list/@) $cond" ; + fi diff --git a/templates/policy/route-map/node.tag/rule/node.tag/match/ip/address/access-list/node.def b/templates/policy/route-map/node.tag/rule/node.tag/match/ip/address/access-list/node.def index d5a1a6d8..b9335c70 100644 --- a/templates/policy/route-map/node.tag/rule/node.tag/match/ip/address/access-list/node.def +++ b/templates/policy/route-map/node.tag/rule/node.tag/match/ip/address/access-list/node.def @@ -2,6 +2,7 @@ type: u32 help: access-list number commit:expression: $VAR(../prefix-list/) == ""; "You may only specify a prefix-list or access-list" commit:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --exists \"policy access-list $VAR(@)\" "; "access-list $VAR(@) does not exist" +commit:expression: $VAR(../../../../action/) != ""; "You must specify an action for route-map $VAR(../../../../../@) rule $VAR(../../../../@)" update:expression: "${vyatta_sbindir}/vyatta-vtysh.pl -c \"configure terminal\" \ -c \"route-map $VAR(../../../../../@) $VAR(../../../../action/@) $VAR(../../../../@)\" \ -c \"match ip address $VAR(@)\" " diff --git a/templates/policy/route-map/node.tag/rule/node.tag/match/ip/address/prefix-list/node.def b/templates/policy/route-map/node.tag/rule/node.tag/match/ip/address/prefix-list/node.def index 826af72f..c3ab9b28 100644 --- a/templates/policy/route-map/node.tag/rule/node.tag/match/ip/address/prefix-list/node.def +++ b/templates/policy/route-map/node.tag/rule/node.tag/match/ip/address/prefix-list/node.def @@ -2,6 +2,7 @@ type: txt help: prefix-list name commit:expression: $VAR(../access-list/) == ""; "You can only specify a prefix-list or access-list" commit:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --exists \"policy prefix-list $VAR(@)\" "; "prefix-list $VAR(@) does not exist" +commit:expression: $VAR(../../../../action/) != ""; "You must specify an action for route-map $VAR(../../../../../@) rule $VAR(../../../../@)" update:expression: "${vyatta_sbindir}/vyatta-vtysh.pl -c \"configure terminal\" \ -c \"route-map $VAR(../../../../../@) $VAR(../../../../action/@) $VAR(../../../../@)\" \ -c \"match ip address prefix-list $VAR(@)\" " diff --git a/templates/policy/route-map/node.tag/rule/node.tag/match/ip/nexthop/access-list/node.def b/templates/policy/route-map/node.tag/rule/node.tag/match/ip/nexthop/access-list/node.def index 9a8daf82..6bcb4a3c 100644 --- a/templates/policy/route-map/node.tag/rule/node.tag/match/ip/nexthop/access-list/node.def +++ b/templates/policy/route-map/node.tag/rule/node.tag/match/ip/nexthop/access-list/node.def @@ -2,6 +2,7 @@ type: u32 help: access-list number commit:expression: $VAR(../prefix-list/) == ""; "You may only specify a prefix-list or access-list" commit:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --exists \"policy access-list $VAR(@)\" "; "access-list $VAR(@) does not exist" +commit:expression: $VAR(../../../../action/) != ""; "You must specify an action for route-map $VAR(../../../../../@) rule $VAR(../../../../@)" update:expression: "${vyatta_sbindir}/vyatta-vtysh.pl -c \"configure terminal\" \ -c \"route-map $VAR(../../../../../@) $VAR(../../../../action/@) $VAR(../../../../@)\" \ -c \"match ip next-hop $VAR(@)\" " diff --git a/templates/policy/route-map/node.tag/rule/node.tag/match/ip/nexthop/prefix-list/node.def b/templates/policy/route-map/node.tag/rule/node.tag/match/ip/nexthop/prefix-list/node.def index f4809ad2..346794ca 100644 --- a/templates/policy/route-map/node.tag/rule/node.tag/match/ip/nexthop/prefix-list/node.def +++ b/templates/policy/route-map/node.tag/rule/node.tag/match/ip/nexthop/prefix-list/node.def @@ -2,6 +2,7 @@ type: txt help: prefix-list name commit:expression: $VAR(../access-list/) == ""; "You can only specify a prefix-list or access-list" commit:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --exists \"policy prefix-list $VAR(@)\" "; "prefix-list $VAR(@) does not exist" +commit:expression: $VAR(../../../../action/) != ""; "You must specify an action for route-map $VAR(../../../../../@) rule $VAR(../../../../@)" update:expression: "${vyatta_sbindir}/vyatta-vtysh.pl -c \"configure terminal\" \ -c \"route-map $VAR(../../../../../@) $VAR(../../../../action/@) $VAR(../../../../@)\" \ -c \"match ip next-hop prefix-list $VAR(@)\" " diff --git a/templates/policy/route-map/node.tag/rule/node.tag/match/ip/route-source/access-list/node.def b/templates/policy/route-map/node.tag/rule/node.tag/match/ip/route-source/access-list/node.def index 45fcbfdc..85bcf447 100644 --- a/templates/policy/route-map/node.tag/rule/node.tag/match/ip/route-source/access-list/node.def +++ b/templates/policy/route-map/node.tag/rule/node.tag/match/ip/route-source/access-list/node.def @@ -2,6 +2,7 @@ type: u32 help: access-list number commit:expression: $VAR(../prefix-list/) == ""; "You may only specify a prefix-list or access-list" commit:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --exists \"policy access-list $VAR(@)\" "; "access-list $VAR(@) does not exist" +commit:expression: $VAR(../../../../action/) != ""; "You must specify an action for route-map $VAR(../../../../../@) rule $VAR(../../../../@)" update:expression: "${vyatta_sbindir}/vyatta-vtysh.pl -c \"configure terminal\" \ -c \"route-map $VAR(../../../../../@) $VAR(../../../../action/@) $VAR(../../../../@)\" \ -c \"match ip route-source $VAR(@)\" " diff --git a/templates/policy/route-map/node.tag/rule/node.tag/match/ip/route-source/prefix-list/node.def b/templates/policy/route-map/node.tag/rule/node.tag/match/ip/route-source/prefix-list/node.def index f6c21378..2db6c602 100644 --- a/templates/policy/route-map/node.tag/rule/node.tag/match/ip/route-source/prefix-list/node.def +++ b/templates/policy/route-map/node.tag/rule/node.tag/match/ip/route-source/prefix-list/node.def @@ -2,6 +2,7 @@ type: txt help: prefix-list name commit:expression: $VAR(../access-list/) == ""; "You can only specify a prefix-list or access-list" commit:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --exists \"policy prefix-list $VAR(@)\" "; "prefix-list $VAR(@) does not exist" +commit:expression: $VAR(../../../../action/) != ""; "You must specify an action for route-map $VAR(../../../../../@) rule $VAR(../../../../@)" update:expression: "${vyatta_sbindir}/vyatta-vtysh.pl -c \"configure terminal\" \ -c \"route-map $VAR(../../../../../@) $VAR(../../../../action/@) $VAR(../../../../@)\" \ -c \"match ip route-source prefix-list $VAR(@)\" " diff --git a/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/comm-list/node.def b/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/comm-list/node.def index 5fd3eaae..eed327b9 100644 --- a/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/comm-list/node.def +++ b/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/comm-list/node.def @@ -1,3 +1,3 @@ -type: txt +type: u32 help: Set BGP community list commit:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --exists \"policy community-list $VAR(@)\""; "community list $VAR(@) does not exist" diff --git a/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/node.def b/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/node.def index f1e98001..0dea5ab1 100644 --- a/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/node.def +++ b/templates/policy/route-map/node.tag/rule/node.tag/set/comm-list/node.def @@ -1,5 +1,6 @@ help: Set BGP community list delete:expression: "touch /tmp/policy-route-map-$VAR(../../../@)-$VAR(../../action/@)-$VAR(../../@)-set-comm-list.$PPID" +## this will always return delete pending bug 2525 being fixed end:expression: "if [ -z \"$VAR(./comm-list/)\" ]; then \ echo You must configure a comm-list ; \ exit 1 ; \ diff --git a/templates/protocols/bgp/node.tag/neighbor/node.tag/disable/node.def b/templates/protocols/bgp/node.tag/neighbor/node.tag/disable/node.def deleted file mode 100644 index 673af92f..00000000 --- a/templates/protocols/bgp/node.tag/neighbor/node.tag/disable/node.def +++ /dev/null @@ -1,12 +0,0 @@ -help: Disable the Address Family for this Neighbor -commit:expression: exec "/opt/vyatta/sbin/vyatta-bgp.pl --check-as --as $VAR(../../@) --neighbor $VAR(../@)" -update:expression: "if [ -n \"$VAR(../remote-as/@)\" ]; then \ - peer=\"remote-as $VAR(../remote-as/@)\"; \ - else \ - peer=\"peer-group $VAR(../peer-group/@)\"; \ - fi; \ - ${vyatta_sbindir}/vyatta-vtysh.pl -c \"configure terminal\" -c \"router bgp $VAR(../../@)\" \ - -c \"neighbor $VAR(../@) $peer\" \ - -c \"no neighbor $VAR(../@) activate \" " -delete:expression: "${vyatta_sbindir}/vyatta-vtysh.pl -c \"configure terminal\" -c \"router bgp $VAR(../../@)\" \ - -c \"neighbor $VAR(../@) activate \" " diff --git a/templates/protocols/bgp/node.tag/network/node.def b/templates/protocols/bgp/node.tag/network/node.def index acd2475b..c6061749 100644 --- a/templates/protocols/bgp/node.tag/network/node.def +++ b/templates/protocols/bgp/node.tag/network/node.def @@ -1,31 +1,31 @@ tag: type: ipv4net help: Specify a network to announce via BGP -syntax:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --check-prefix-boundry $VAR(@)" +syntax:expression: exec "/opt/vyatta/sbin/vyatta_quagga_utils.pl --check-prefix-boundry $VAR(@)"; + "Prefix doesn't fall on a natural boundry" -commit:expression: !($VAR(./backdoor/) != "" && $VAR(./route-map/) != ""); \ - "May specify route-map or backdoor but not both" +commit:expression: !($VAR(./backdoor/) != "" && $VAR(./route-map/) != ""); + "May specify route-map or backdoor but not both" -delete:expression: "touch /tmp/`echo $VAR(@) | sed 's!/!!'`.$PPID" +delete: touch /tmp/`echo $VAR(@) | sed 's!/!!'`.$PPID -end:expression: "${vyatta_sbindir}/vyatta-vtysh.pl -noerr \ - -c \"configure terminal\" \ - -c \"router bgp $VAR(../@)\" \ - -c \"no network $VAR(@)\"; \ - if [ -f \"/tmp/`echo $VAR(@) | sed 's!/!!'`.$PPID\" ]; then \ - rm -rf /tmp/`echo $VAR(@) | sed 's!/!!'`.$PPID; \ - else \ -# -# Commenting out until cli bug 2525 is fixed -# -# if [ -n \"$VAR(./backdoor/)\" ]; then -# COND=\"backdoor\"; -# fi; - if [ -n \"$VAR(./route-map/@)\" ]; then \ - COND=\"route-map $VAR(./route-map/@)\"; \ - fi; \ - ${vyatta_sbindir}/vyatta-vtysh.pl \ - -c \"configure terminal\" \ - -c \"router bgp $VAR(../@)\" \ - -c \"network $VAR(@) $COND\"; \ - fi; " +end: ${vyatta_sbindir}/vyatta-vtysh.pl -noerr -c "configure terminal" -c "router bgp $VAR(../@)" -c "no network $VAR(@)"; + + if [ -f "/tmp/`echo $VAR(@) | sed 's!/!!'`.$PPID" ]; then + rm -rf /tmp/`echo $VAR(@) | sed 's!/!!'`.$PPID; + else + # uncomment and replace the call to vyatta-check-typeless-node.pl pending bug 2525 + #if [ -n \"$VAR(./backdoor/)\" ]; then + # COND=\"backdoor\"; + #fi; + ${vyatta_sbindir}/vyatta-check-typeless-node.pl "protocols bgp $VAR(../@) network $VAR(@) backdoor"; + if [ $? -eq 0 ]; then + cond="backdoor "; + fi ; + + if [ -n "$VAR(./route-map/@)" ]; then + COND="route-map $VAR(./route-map/@)"; + fi; + + ${vyatta_sbindir}/vyatta-vtysh.pl -c "configure terminal" -c "router bgp $VAR(../@)" -c "network $VAR(@) $cond"; + fi; diff --git a/templates/protocols/bgp/node.tag/network/node.tag/.backdoor/node.def b/templates/protocols/bgp/node.tag/network/node.tag/backdoor/node.def index b7dc6950..b7dc6950 100644 --- a/templates/protocols/bgp/node.tag/network/node.tag/.backdoor/node.def +++ b/templates/protocols/bgp/node.tag/network/node.tag/backdoor/node.def diff --git a/templates/protocols/ospf/access-list/node.def b/templates/protocols/ospf/access-list/node.def index 6ec0f65e..e806f106 100644 --- a/templates/protocols/ospf/access-list/node.def +++ b/templates/protocols/ospf/access-list/node.def @@ -1,4 +1,4 @@ tag: -type: txt +type: u32 commit:expression: $VAR(./export/) != ""; "must add protocol to filter" -help: access-list to filter networks in routing updates +help: Access-list to filter networks in routing updates |