From ba02a2baf43cd6dc72a7201127764361c76bca31 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Tue, 9 Oct 2018 14:35:05 +0200 Subject: Update FRR version dependency for T882. --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 9b133aba..e5a3f34a 100644 --- a/debian/control +++ b/debian/control @@ -15,7 +15,7 @@ Depends: sed (>= 4.1.5), vyatta-cfg-system (>= 0.19.125), libc6 (>= 2.7-6), vyatta-bash | bash (>= 3.1), - frr (>= 5.1) + frr (>= 6.1) Suggests: util-linux (>= 2.13-5), net-tools, ethtool, -- cgit v1.2.3 From 3deced46d8ff3d625d974c0f207550fc9f267b2b Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Sun, 14 Oct 2018 15:24:08 +0200 Subject: T800: correct "no set ipv6-nexthop global" command syntax for FRR. --- .../route-map/node.tag/rule/node.tag/set/ipv6-next-hop/global/node.def | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/policy/route-map/node.tag/rule/node.tag/set/ipv6-next-hop/global/node.def b/templates/policy/route-map/node.tag/rule/node.tag/set/ipv6-next-hop/global/node.def index 9d52bf4f..b7305d8e 100644 --- a/templates/policy/route-map/node.tag/rule/node.tag/set/ipv6-next-hop/global/node.def +++ b/templates/policy/route-map/node.tag/rule/node.tag/set/ipv6-next-hop/global/node.def @@ -11,4 +11,4 @@ update: vtysh -c "configure terminal" \ delete: vtysh -c "configure terminal" \ -c "route-map $VAR(../../../../@) $VAR(../../../action/@) $VAR(../../../@)" \ - -c "no set ipv6 next-hop global" + -c "no set ipv6 next-hop global $VAR(@)" -- cgit v1.2.3 From 13605fb2b2af49edd8b9fd68a14c26c8f44b09bf Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Sun, 14 Oct 2018 15:36:11 +0200 Subject: T897: check the value of the "set ipv6-next-hop local" option at set time. --- .../route-map/node.tag/rule/node.tag/set/ipv6-next-hop/local/node.def | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/templates/policy/route-map/node.tag/rule/node.tag/set/ipv6-next-hop/local/node.def b/templates/policy/route-map/node.tag/rule/node.tag/set/ipv6-next-hop/local/node.def index 34eaccfc..0f83beb3 100644 --- a/templates/policy/route-map/node.tag/rule/node.tag/set/ipv6-next-hop/local/node.def +++ b/templates/policy/route-map/node.tag/rule/node.tag/set/ipv6-next-hop/local/node.def @@ -2,6 +2,8 @@ type: ipv6 help: Nexthop IPv6 local address val_help: IPv6 address +syntax:expression: exec "ipaddrcheck --is-ipv6-link-local $VAR(@) || echo $VAR(@) is not a valid IPv6 link-local adddress" + # TODO: can also set to peer for BGP commit:expression: $VAR(../../../action/) != ""; "you must specify an action" -- cgit v1.2.3 From 230041a139f64c3d3f7e949e9c0e453bde7c590a Mon Sep 17 00:00:00 2001 
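Review bot: The added `syntax:expression` ends in `|| echo ...`, so the command handed to `exec` exits 0 whenever `ipaddrcheck` rejects the value, because the `echo` succeeds. If the template engine decides on the command's exit status, as the `exec "..."; "message"` form used elsewhere in this tree suggests, the check prints a complaint but still accepts a non-link-local address. Let the `ipaddrcheck` status through and move the text into the message slot: `syntax:expression: exec "ipaddrcheck --is-ipv6-link-local $VAR(@)"; "$VAR(@) is not a valid IPv6 link-local address"`. That also fixes the `adddress` typo in the user-facing string.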
From: Daniil Baturin Date: Sun, 14 Oct 2018 22:19:59 +0200 Subject: T143: add CLI for BGP large communities. --- templates/policy/large-community-list/node.def | 4 ++++ .../large-community-list/node.tag/rule/node.def | 20 ++++++++++++++++++++ .../node.tag/rule/node.tag/action/node.def | 5 +++++ .../node.tag/rule/node.tag/description/node.def | 2 ++ .../node.tag/rule/node.tag/regex/node.def | 3 +++ .../large-community/large-community-list/node.def | 5 +++++ .../rule/node.tag/match/large-community/node.def | 22 ++++++++++++++++++++++ 7 files changed, 61 insertions(+) create mode 100644 templates/policy/large-community-list/node.def create mode 100644 templates/policy/large-community-list/node.tag/rule/node.def create mode 100644 templates/policy/large-community-list/node.tag/rule/node.tag/action/node.def create mode 100644 templates/policy/large-community-list/node.tag/rule/node.tag/description/node.def create mode 100644 templates/policy/large-community-list/node.tag/rule/node.tag/regex/node.def create mode 100644 templates/policy/route-map/node.tag/rule/node.tag/match/large-community/large-community-list/node.def create mode 100644 templates/policy/route-map/node.tag/rule/node.tag/match/large-community/node.def
diff --git a/templates/policy/large-community-list/node.def b/templates/policy/large-community-list/node.def
new file mode 100644
index 00000000..61687d47
--- /dev/null
+++ b/templates/policy/large-community-list/node.def
@@ -0,0 +1,4 @@
+tag:
+priority: 470
+type: txt
+help: Border Gateway Protocol (BGP) large-community-list filter
diff --git a/templates/policy/large-community-list/node.tag/rule/node.def b/templates/policy/large-community-list/node.tag/rule/node.def
new file mode 100644
index 00000000..cdea7e30
--- /dev/null
+++ b/templates/policy/large-community-list/node.tag/rule/node.def
@@ -0,0 +1,20 @@
+tag:
+type: u32
+help: create a rule for this BGP large-community list
+val_help: u32:1-65535; large-community-list rule number
+
+syntax:expression: $VAR(@) >= 1 && $VAR(@) <= 65535; "rule number must be between 1 and 65535"
+
+commit:expression: $VAR(./regex/) != ""; "You must specify a regex"
+commit:expression: $VAR(./action/) != ""; "You must specify an action"
+
+end:
+ # If the rule exists in the running config
+ if cli-shell-api existsActive policy large-community-list $VAR(../@) rule $VAR(@); then
+ orig_action=$(cli-shell-api returnActiveValue policy large-community-list $VAR(../@) rule $VAR(@) action)
+ orig_regex=$(cli-shell-api returnActiveValue policy large-community-list $VAR(../@) rule $VAR(@) regex)
+ vtysh -c "configure terminal" -c "no ip large-community-list expanded $VAR(../@) $orig_action $VAR(@) regex $orig_regex"
+ fi
+ if [[ ${COMMIT_ACTION} != 'DELETE' ]]; then
+ vtysh -c "configure terminal" -c "ip large-community-list expanded $VAR(../@) $VAR(./action/@) $VAR(@) regex $VAR(./regex/@)"
+ fi
diff --git a/templates/policy/large-community-list/node.tag/rule/node.tag/action/node.def b/templates/policy/large-community-list/node.tag/rule/node.tag/action/node.def
new file mode 100644
index 00000000..b965bccf
--- /dev/null
+++ b/templates/policy/large-community-list/node.tag/rule/node.tag/action/node.def
@@ -0,0 +1,5 @@
+type: txt
+help: Action to take on communities matching this rule [REQUIRED]
+val_help: permit; Permit matching communities
+val_help: deny; Deny matching communities
+syntax:expression: $VAR(@) in "permit", "deny"; "action must be permit or deny"
diff --git a/templates/policy/large-community-list/node.tag/rule/node.tag/description/node.def b/templates/policy/large-community-list/node.tag/rule/node.tag/description/node.def
new file mode 100644
index 00000000..b8e3095b
--- /dev/null
+++ b/templates/policy/large-community-list/node.tag/rule/node.tag/description/node.def
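Review bot: The `end:` script splices `$VAR(../@)`, `$orig_regex` and `$VAR(./regex/@)` into double-quoted `vtysh -c "..."` shell strings, while neither the list name (`large-community-list/node.def`) nor the `regex` leaf has a `syntax:expression`; both are plain `type: txt`. Assuming `$VAR()` is expanded textually before the shell sees the script, a value holding quotes, backticks or `$(` is interpreted by the shell running the commit rather than reaching FRR as data. Constrain the name the way the extcommunity-list template does, `syntax:expression: pattern $VAR(@) "^[a-zA-Z0-9]+$" ; "Should be alphanumeric name"`, and add a character-class pattern on `regex` that admits only what a large-community expression needs. The same gap exists in `set/large-community/node.def`, where `$VAR(@)` goes into `-c "set large-community $VAR(@)"` with nothing enforcing the `ASN:nn:mm` form it documents. Neither `vtysh` exit status is checked here, so a failed `no ip large-community-list` followed by a successful add would leave both entries configured.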
@@ -0,0 +1,2 @@
+type: txt
+help: Description for this rule
diff --git a/templates/policy/large-community-list/node.tag/rule/node.tag/regex/node.def b/templates/policy/large-community-list/node.tag/rule/node.tag/regex/node.def
new file mode 100644
index 00000000..2a820bc6
--- /dev/null
+++ b/templates/policy/large-community-list/node.tag/rule/node.tag/regex/node.def
@@ -0,0 +1,3 @@
+type: txt
+help: Regular expression to match against a community list
+val_help: Community list regular expression
diff --git a/templates/policy/route-map/node.tag/rule/node.tag/match/large-community/large-community-list/node.def b/templates/policy/route-map/node.tag/rule/node.tag/match/large-community/large-community-list/node.def
new file mode 100644
index 00000000..5e35214d
--- /dev/null
+++ b/templates/policy/route-map/node.tag/rule/node.tag/match/large-community/large-community-list/node.def
@@ -0,0 +1,5 @@
+type: txt
+help: BGP large-community-list to match
+allowed: cli-shell-api listNodes policy large-community-list
+
+commit:expression: exec "cli-shell-api exists policy large-community-list $VAR(./@)"; "Large community list $VAR(./@) does not exist"
diff --git a/templates/policy/route-map/node.tag/rule/node.tag/match/large-community/node.def b/templates/policy/route-map/node.tag/rule/node.tag/match/large-community/node.def
new file mode 100644
index 00000000..609f8d76
--- /dev/null
+++ b/templates/policy/route-map/node.tag/rule/node.tag/match/large-community/node.def
@@ -0,0 +1,22 @@
+help: Match BGP large communities
+delete: echo route-map $VAR(../../../@) $VAR(../../action/@) $VAR(../../@) >> /tmp/delete-policy-route-map-$VAR(../../../@)-$VAR(../../@)-match-large-community.$PPID
+end: if [ -f /tmp/delete-policy-route-map-$VAR(../../../@)-$VAR(../../@)-match-large-community.$PPID ]; then
+ routemap=`cat /tmp/delete-policy-route-map-$VAR(../../../@)-$VAR(../../@)-match-large-community.$PPID`
+ rm -f /tmp/delete-policy-route-map-$VAR(../../../@)-$VAR(../../@)-match-large-community.$PPID;
+ vtysh --noerror -c "configure terminal" -c "$routemap " -c "no match large-community";
+ exit 0;
+ else
+ if [ -z "$VAR(./large-community-list/@)" ]; then
+ echo route-map $VAR(../../../@) rule $VAR(../../@) match large-community: you must configure a community-list;
+ exit 1 ;
+ fi ;
+ if [ -z "$VAR(../../action/@)" ]; then
+ echo route-map $VAR(../../../@) rule $VAR(../../@): you must configure an action;
+ exit 1 ;
+ fi ;
+ routemap='route-map $VAR(../../../@) $VAR(../../action/@) $VAR(../../@)';
+
+ vtysh --noerror -c "configure terminal" -c "$routemap " -c "no match large-community";
+ vtysh -c "configure terminal" -c "$routemap " -c "match large-community $VAR(./large-community-list/@)";
+ fi
+
-- cgit v1.2.3 From 81f16510354b9fcface2fca55d50db57e01c82a2 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Mon, 15 Oct 2018 15:36:59 +0200 Subject: T143: add CLI for setting large communities. --- .../node.tag/rule/node.tag/set/large-community/node.def | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 templates/policy/route-map/node.tag/rule/node.tag/set/large-community/node.def
diff --git a/templates/policy/route-map/node.tag/rule/node.tag/set/large-community/node.def b/templates/policy/route-map/node.tag/rule/node.tag/set/large-community/node.def
new file mode 100644
index 00000000..2031a96d
--- /dev/null
+++ b/templates/policy/route-map/node.tag/rule/node.tag/set/large-community/node.def
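Review bot: The `delete:`/`end:` handshake goes through `/tmp/delete-policy-route-map-...-match-large-community.$PPID`, a predictable name in a world-writable directory that is appended to with `>>` and later read back with `cat` and passed to `vtysh -c "$routemap "`. A file or symlink already present at that path is neither detected nor rejected, so the append can land in another file and pre-existing content is handed to vtysh as a configuration command by the commit process. Keep the marker in a directory writable only by the configuration backend, and have `end:` refuse anything that is not a regular file with the expected owner before reading it. The `exit 0` after the `--noerror` delete also hides a vtysh failure from the commit.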
@@ -0,0 +1,13 @@ +type: txt +help: Set BGP large community value +val_help: ASN:nn:mm BGP large community +commit:expression: $VAR(../../action/) != ""; "you must specify an action" + +update: vtysh -c "configure terminal" \ + -c "route-map $VAR(../../../@) $VAR(../../action/@) $VAR(../../@)" \ + -c "set large-community $VAR(@)" + +delete: vtysh -c "configure terminal" \ + -c "route-map $VAR(../../../@) $VAR(../../action/@) $VAR(../../@)" \ + -c "no set large-community $VAR(@)" + -- cgit v1.2.3 From 38174337fbf99ce5159d659a7be943d091e1e631 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Sun, 21 Oct 2018 17:25:36 +0200 Subject: T890: fix the priority of the interface "ip " subtree. Without explicit priority setting (priority inversion, let's be honest) configs will fail to load because the system will attempt to change settings for a non-existent interface. --- interface-templates/ip/ospf/node.def | 1 + interface-templates/ip/rip/node.def | 1 + interface-templates/ip/source-validation/node.def | 1 + 3 files changed, 3 insertions(+) diff --git a/interface-templates/ip/ospf/node.def b/interface-templates/ip/ospf/node.def index 8eaece24..7011d036 100644 --- a/interface-templates/ip/ospf/node.def +++ b/interface-templates/ip/ospf/node.def @@ -1 +1,2 @@ +priority: 610 help: Open Shortest Path First (OSPF) parameters diff --git a/interface-templates/ip/rip/node.def b/interface-templates/ip/rip/node.def index d6a4eb34..468803ed 100644 --- a/interface-templates/ip/rip/node.def +++ b/interface-templates/ip/rip/node.def @@ -1 +1,2 @@ +priority: 610 help: Routing Information Protocol (RIP) diff --git a/interface-templates/ip/source-validation/node.def b/interface-templates/ip/source-validation/node.def index 3ddb6aa5..2c8523d2 100644 --- a/interface-templates/ip/source-validation/node.def +++ b/interface-templates/ip/source-validation/node.def 
@@ -1,3 +1,4 @@ +priority: 610 # rp_filter # default value - 0 # The max value from conf/{all,interface}/rp_filter is used -- cgit v1.2.3 From c912b1a542304dd2adec87bf225bf241ef9cdf7a Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Sun, 21 Oct 2018 21:15:11 +0200 Subject: T799: workaround for FRR being unable to delete entire community lists. --- scripts/policy/vyatta-policy.pl | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/scripts/policy/vyatta-policy.pl b/scripts/policy/vyatta-policy.pl index 4acd1881..9ca97036 100755 --- a/scripts/policy/vyatta-policy.pl +++ b/scripts/policy/vyatta-policy.pl @@ -82,11 +82,16 @@ sub update_ext_community_list { "set policy route extcommunity-list [ standard | expanded ] list-name rule rule-num action { deny | permit } ^^^^^^^^^^^^^^^^^^^^^^^\n"; }; - my $cmdline="$VTYSH -c \"configure terminal\" "; + # remove the old rule - if ( is_extcommunity_list($name) ) { - $cmdline.= " -c \"no ip extcommunity-list $name\" "; - }; + if ( is_extcommunity_list($num) ) { + my $clist = `$VTYSH -c \"show ip extcommunity-list $num\" | grep -v \"access list $num\"`; + my @oldrules = split(/\n/, $clist); + foreach my $oldrule (@oldrules) { + print "$oldrule\n"; + system("$VTYSH -c \"conf t\" -c \"no ip extcommunity-list $num $oldrule\""); + } + } $config->setLevel("policy route extcommunity-list $variant $name "); @rules = $config->listNodes(); @@ -130,10 +135,13 @@ sub update_community_list { # remove the old rule if ( is_community_list($num) ) { - system( - "$VTYSH -c \"configure terminal\" -c \"no ip community-list $num\" " - ); - } + my $clist = `$VTYSH -c \"show ip community-list $num\" | grep -v \"access list $num\"`; + my @oldrules = split(/\n/, $clist); + foreach my $oldrule (@oldrules) { + print "$oldrule\n"; + system("$VTYSH -c \"conf t\" -c \"no ip community-list $num $oldrule\""); + } + } $config->setLevel("policy community-list $num rule"); @rules = $config->listNodes(); -- cgit v1.2.3 
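Review bot: Both new cleanup loops build shell command strings: the backtick call for `show ip community-list $num` piped to `grep -v`, and `system("$VTYSH -c \"conf t\" -c \"no ip community-list $num $oldrule\"")`, interpolate `$num` and `$oldrule`, the latter being text read back from FRR that contains whatever regex was stored there. Use the list forms so no shell parses the values, `open my $fh, '-|', $VTYSH, '-c', "show ip community-list $num"` with the header line filtered in Perl and `system($VTYSH, '-c', 'conf t', '-c', "no ip community-list $num $oldrule")`, and check the return value so a failed delete does not silently leave stale rules. The same applies to the extcommunity-list loop in the first hunk, which also calls `is_extcommunity_list($num)` although the removed code used `$name` and no `$num` is visible in that sub; the sub starts outside the hunk, so confirm the variable exists. That hunk also drops `my $cmdline` while the removed declaration is the only one visible, so check that no later `$cmdline` use remains in the part of the sub outside the hunk.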
From 569a97fc0e9fd4a729cca5a36cc2bdba066d7356 Mon Sep 17 00:00:00 2001 
From: Daniil Baturin Date: Sun, 21 Oct 2018 22:06:29 +0200 Subject: T64: fix and revamp the broken extcommunity-list commands. --- scripts/policy/vyatta-policy.pl | 54 +++++++--------------- .../expanded/description/node.def | 2 - .../policy/extcommunity-list/expanded/node.def | 8 ---- .../extcommunity-list/expanded/rule/node.def | 6 --- .../expanded/rule/node.tag/action/node.def | 6 --- .../expanded/rule/node.tag/description/node.def | 2 - .../expanded/rule/node.tag/regex/node.def | 5 -- templates/policy/extcommunity-list/node.def | 9 ++-- .../node.tag/description/node.def | 2 + .../extcommunity-list/node.tag/rule/node.def | 6 +++ .../node.tag/rule/node.tag/action/node.def | 6 +++ .../node.tag/rule/node.tag/description/node.def | 2 + .../node.tag/rule/node.tag/regex/node.def | 5 ++ .../standard/description/node.def | 2 - .../policy/extcommunity-list/standard/node.def | 8 ---- .../extcommunity-list/standard/rule/node.def | 6 --- .../standard/rule/node.tag/action/node.def | 6 --- .../standard/rule/node.tag/description/node.def | 2 - .../standard/rule/node.tag/regex/node.def | 7 --- 19 files changed, 43 insertions(+), 101 deletions(-) delete mode 100644 templates/policy/extcommunity-list/expanded/description/node.def delete mode 100644 templates/policy/extcommunity-list/expanded/node.def delete mode 100644 templates/policy/extcommunity-list/expanded/rule/node.def delete mode 100644 templates/policy/extcommunity-list/expanded/rule/node.tag/action/node.def delete mode 100644 templates/policy/extcommunity-list/expanded/rule/node.tag/description/node.def delete mode 100644 templates/policy/extcommunity-list/expanded/rule/node.tag/regex/node.def create mode 100644 templates/policy/extcommunity-list/node.tag/description/node.def create mode 100644 templates/policy/extcommunity-list/node.tag/rule/node.def create mode 100644 templates/policy/extcommunity-list/node.tag/rule/node.tag/action/node.def create mode 100644 
templates/policy/extcommunity-list/node.tag/rule/node.tag/description/node.def create mode 100644 templates/policy/extcommunity-list/node.tag/rule/node.tag/regex/node.def delete mode 100644 templates/policy/extcommunity-list/standard/description/node.def delete mode 100644 templates/policy/extcommunity-list/standard/node.def delete mode 100644 templates/policy/extcommunity-list/standard/rule/node.def delete mode 100644 templates/policy/extcommunity-list/standard/rule/node.tag/action/node.def delete mode 100644 templates/policy/extcommunity-list/standard/rule/node.tag/description/node.def delete mode 100644 templates/policy/extcommunity-list/standard/rule/node.tag/regex/node.def diff --git a/scripts/policy/vyatta-policy.pl b/scripts/policy/vyatta-policy.pl index 9ca97036..c5e781ba 100755 --- a/scripts/policy/vyatta-policy.pl +++ b/scripts/policy/vyatta-policy.pl @@ -27,7 +27,7 @@ update_access_list($accesslist) if ($accesslist); update_access_list6($accesslist6) if ($accesslist6); update_as_path($aspathlist) if ($aspathlist); update_community_list($communitylist) if ($communitylist); -update_ext_community_list($extcommunitylist) if ($extcommunitylist); +update_ext_community_list($extcommunitylist) if ($extcommunitylist); check_peer_syntax($peer) if ($peer); check_routemap_action($routemap) if ($routemap); check_delete_routemap_action($deleteroutemap) if ($deleteroutemap); 
@@ -72,59 +72,40 @@ sub is_extcommunity_list { sub update_ext_community_list { - my $variant= shift; my $name = shift; my $config = new Vyatta::Config; my @rules = (); - if($variant !~ /^standard|expanded$/ ) { - die -"set policy route extcommunity-list [ standard | expanded ] list-name rule rule-num action { deny | permit } - ^^^^^^^^^^^^^^^^^^^^^^^\n"; - }; - - # remove the old rule - if ( is_extcommunity_list($num) ) { - my $clist = `$VTYSH -c \"show ip extcommunity-list $num\" | grep -v \"access list $num\"`; + # remove the old rules + if ( is_extcommunity_list($name) ) { + my $clist = `$VTYSH -c \"show ip extcommunity-list $name\" | grep -v \"expanded list $name\"`; my @oldrules = split(/\n/, $clist); foreach my $oldrule (@oldrules) { - print "$oldrule\n"; - system("$VTYSH -c \"conf t\" -c \"no ip extcommunity-list $num $oldrule\""); + system("$VTYSH -c \"conf t\" -c \"no ip extcommunity-list expanded $name $oldrule\""); } - } + } - $config->setLevel("policy route extcommunity-list $variant $name "); + $config->setLevel("policy extcommunity-list $name rule"); @rules = $config->listNodes(); foreach my $rule ( sort numerically @rules ) { - # set the action my $action = $config->returnValue("$rule action"); die - "policy route extcommunity-list $variant $name rule $rule: You must specify an action\n" + "extcommunity-list $name rule $rule: You must specify an action\n" unless $action; # grab the regex my $regex = $config->returnValue("$rule regex"); - die "policy route extcommunity-list $variant $name rule $rule: You must specify a regex\n" - unless $regex; - if($variant eq 'standard') { - unless (($regex =~ /(.*):(.*)/) and (isIpAddress($1)or($1=~/^\d+$/) ) and ($2=~/^\d+$/)) { - die "for standard extcommunity-list regex should be either: - -AS:VAL - - This is a format to define AS based Extended Community value. AS part is 2 octets Global Administrator subfield in Extended Community value. VAL part is 4 octets Local Administrator subfield. 
7675:100 represents AS 7675 policy value 100. - -IP-Address:VAL + if(!defined($regex)) { + die "extcommunity-list $name rule $rule: You must specify a regex\n"; + } + if (!($regex =~ /(.*):(.*)/) and (isIpAddress($1)or($1=~/^\d+$/) ) and ($2=~/^\d+$/)) { + die "extcommunity-list $name rule $rule: Malformed extcommunity-list regex"; + } + system("$VTYSH -c \"conf t\" -c \"ip extcommunity-list expanded $name $action $regex\""); + } - This is a format to define IP address based Extended Community value. IP-Address part is 4 octets Global Administrator subfield. VAL part is 2 octets Local Administrator subfield. 10.0.0.1:100 represents IP 10.0.0.1 policy value 100. -"; - - }; - }; - $cmdline.="-c \"ip extcommunity-list $name $action $regex\" "; - }; - exit system($cmdline); + exit(0); } @@ -138,7 +119,6 @@ sub update_community_list { my $clist = `$VTYSH -c \"show ip community-list $num\" | grep -v \"access list $num\"`; my @oldrules = split(/\n/, $clist); foreach my $oldrule (@oldrules) { - print "$oldrule\n"; system("$VTYSH -c \"conf t\" -c \"no ip community-list $num $oldrule\""); } } diff --git a/templates/policy/extcommunity-list/expanded/description/node.def b/templates/policy/extcommunity-list/expanded/description/node.def deleted file mode 100644 index 7a660be4..00000000 --- a/templates/policy/extcommunity-list/expanded/description/node.def +++ /dev/null @@ -1,2 +0,0 @@ -type: txt -help: Description for this community list diff --git a/templates/policy/extcommunity-list/expanded/node.def b/templates/policy/extcommunity-list/expanded/node.def deleted file mode 100644 index 95f6f003..00000000 --- a/templates/policy/extcommunity-list/expanded/node.def +++ /dev/null @@ -1,8 +0,0 @@ -tag: -priority: 490 -type: txt -help: Border Gateway Protocol (BGP) extended community-list filter - -syntax:expression: pattern $VAR(@) "^[a-zA-Z0-9]+$" ; "Should be alphanumeric name" - -end: /opt/vyatta/sbin/vyatta-policy.pl --update-community-list expanded $VAR(@) 
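Review bot: The new validity test in `update_ext_community_list` cannot reject anything useful: in `if (!($regex =~ /(.*):(.*)/) and (isIpAddress($1)or($1=~/^\d+$/) ) and ($2=~/^\d+$/))` only the match is negated, so when the match succeeds the first operand is false, and when it fails `$1`/`$2` hold whatever an earlier match left. Every value therefore reaches `system("$VTYSH -c \"conf t\" -c \"ip extcommunity-list expanded $name $action $regex\"")`, a shell string, while the new `regex` leaf is `type: txt` with no `syntax:expression`. Negate the whole conjunction, `unless ($regex =~ /\A(.*):(.*)\z/ and (isIpAddress($1) or $1 =~ /^\d+$/) and $2 =~ /^\d+$/) { die ... }` (or drop the AS:VAL test if expanded lists are meant to take real regexes), and call vtysh in list form, `system($VTYSH, '-c', 'conf t', '-c', "ip extcommunity-list expanded $name $action $regex")`. `exit(0)` replaces `exit system($cmdline)`, so a vtysh failure no longer fails the commit; collect the statuses and exit non-zero if any call failed.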
diff --git a/templates/policy/extcommunity-list/expanded/rule/node.def b/templates/policy/extcommunity-list/expanded/rule/node.def
deleted file mode 100644
index 7826f33d..00000000
--- a/templates/policy/extcommunity-list/expanded/rule/node.def
+++ /dev/null
@@ -1,6 +0,0 @@
-tag:
-type: u32
-help: create a rule for this BGP extended community list
-val_help: u32:1-65535; Extended community-list rule number
-
-syntax:expression: $VAR(@) >= 1 && $VAR(@) <= 65535; "rule number must be between 1 and 65535"
diff --git a/templates/policy/extcommunity-list/expanded/rule/node.tag/action/node.def b/templates/policy/extcommunity-list/expanded/rule/node.tag/action/node.def
deleted file mode 100644
index db4bdbc6..00000000
--- a/templates/policy/extcommunity-list/expanded/rule/node.tag/action/node.def
+++ /dev/null
@@ -1,6 +0,0 @@
-type: txt
-help: Action to take on routes matching this rule [REQUIRED]
-val_help: permit; Permit matching routes
-val_help: deny; Deny matching routes
-
-syntax:expression: $VAR(@) in "permit", "deny"; "action must be permit or deny"
diff --git a/templates/policy/extcommunity-list/expanded/rule/node.tag/description/node.def b/templates/policy/extcommunity-list/expanded/rule/node.tag/description/node.def
deleted file mode 100644
index b8e3095b..00000000
--- a/templates/policy/extcommunity-list/expanded/rule/node.tag/description/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-type: txt
-help: Description for this rule
diff --git a/templates/policy/extcommunity-list/expanded/rule/node.tag/regex/node.def b/templates/policy/extcommunity-list/expanded/rule/node.tag/regex/node.def
deleted file mode 100644
index fae3784c..00000000
--- a/templates/policy/extcommunity-list/expanded/rule/node.tag/regex/node.def
+++ /dev/null
@@ -1,5 +0,0 @@
-type: txt
-help: Extended community regexp.
-val_help: Extended community list regular expression
-
-commit:expression: $VAR(../action/@) != ""; "You must specify an action"
diff --git a/templates/policy/extcommunity-list/node.def b/templates/policy/extcommunity-list/node.def index 9676146c..fee4c402 100644 --- a/templates/policy/extcommunity-list/node.def +++ b/templates/policy/extcommunity-list/node.def @@ -1,7 +1,8 @@ tag: -priority: 480 +priority: 490 type: txt -help: Border Gateway Protocol (BGP) extended communities attribute. Usefull for implementing network policy for MPLS VPN/BGP by restricting routes according to their Route Target or Site of Origin. -val_help: Type of extended community. standard or expanded. +help: Border Gateway Protocol (BGP) extended community-list filter -syntax:expression: pattern $VAR(@) "^standard|expanded$" ; "Should be either standard or expanded" +syntax:expression: pattern $VAR(@) "^[a-zA-Z0-9]+$" ; "Should be alphanumeric name" + +end: /opt/vyatta/sbin/vyatta-policy.pl --update-extcommunity-list $VAR(@) diff --git a/templates/policy/extcommunity-list/node.tag/description/node.def b/templates/policy/extcommunity-list/node.tag/description/node.def new file mode 100644 index 00000000..7a660be4 --- /dev/null +++ b/templates/policy/extcommunity-list/node.tag/description/node.def @@ -0,0 +1,2 @@ +type: txt +help: Description for this community list diff --git a/templates/policy/extcommunity-list/node.tag/rule/node.def b/templates/policy/extcommunity-list/node.tag/rule/node.def new file mode 100644 index 00000000..7826f33d --- /dev/null +++ b/templates/policy/extcommunity-list/node.tag/rule/node.def @@ -0,0 +1,6 @@ +tag: +type: u32 +help: create a rule for this BGP extended community list +val_help: u32:1-65535; Extended community-list rule number + +syntax:expression: $VAR(@) >= 1 && $VAR(@) <= 65535; "rule number must be between 1 and 65535" diff --git a/templates/policy/extcommunity-list/node.tag/rule/node.tag/action/node.def b/templates/policy/extcommunity-list/node.tag/rule/node.tag/action/node.def new file mode 100644 index 00000000..db4bdbc6 --- /dev/null 
+++ b/templates/policy/extcommunity-list/node.tag/rule/node.tag/action/node.def
@@ -0,0 +1,6 @@
+type: txt
+help: Action to take on routes matching this rule [REQUIRED]
+val_help: permit; Permit matching routes
+val_help: deny; Deny matching routes
+
+syntax:expression: $VAR(@) in "permit", "deny"; "action must be permit or deny"
diff --git a/templates/policy/extcommunity-list/node.tag/rule/node.tag/description/node.def b/templates/policy/extcommunity-list/node.tag/rule/node.tag/description/node.def
new file mode 100644
index 00000000..b8e3095b
--- /dev/null
+++ b/templates/policy/extcommunity-list/node.tag/rule/node.tag/description/node.def
@@ -0,0 +1,2 @@
+type: txt
+help: Description for this rule
diff --git a/templates/policy/extcommunity-list/node.tag/rule/node.tag/regex/node.def b/templates/policy/extcommunity-list/node.tag/rule/node.tag/regex/node.def
new file mode 100644
index 00000000..fae3784c
--- /dev/null
+++ b/templates/policy/extcommunity-list/node.tag/rule/node.tag/regex/node.def
@@ -0,0 +1,5 @@
+type: txt
+help: Extended community regexp.
+val_help: Extended community list regular expression
+
+commit:expression: $VAR(../action/@) != ""; "You must specify an action"
diff --git a/templates/policy/extcommunity-list/standard/description/node.def b/templates/policy/extcommunity-list/standard/description/node.def
deleted file mode 100644
index 7a660be4..00000000
--- a/templates/policy/extcommunity-list/standard/description/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-type: txt
-help: Description for this community list
diff --git a/templates/policy/extcommunity-list/standard/node.def b/templates/policy/extcommunity-list/standard/node.def
deleted file mode 100644
index aec1edcd..00000000
--- a/templates/policy/extcommunity-list/standard/node.def
+++ /dev/null
@@ -1,8 +0,0 @@
-tag:
-priority: 485
-type: txt
-help: Border Gateway Protocol (BGP) extended community-list filter
-
-syntax:expression: pattern $VAR(@) "^[a-zA-Z0-9]+$" ; "Should be alphanumeric name"
-
-end: /opt/vyatta/sbin/vyatta-policy.pl --update-community-list standard $VAR(@)
diff --git a/templates/policy/extcommunity-list/standard/rule/node.def b/templates/policy/extcommunity-list/standard/rule/node.def
deleted file mode 100644
index 7826f33d..00000000
--- a/templates/policy/extcommunity-list/standard/rule/node.def
+++ /dev/null
@@ -1,6 +0,0 @@
-tag:
-type: u32
-help: create a rule for this BGP extended community list
-val_help: u32:1-65535; Extended community-list rule number
-
-syntax:expression: $VAR(@) >= 1 && $VAR(@) <= 65535; "rule number must be between 1 and 65535"
diff --git a/templates/policy/extcommunity-list/standard/rule/node.tag/action/node.def b/templates/policy/extcommunity-list/standard/rule/node.tag/action/node.def
deleted file mode 100644
index db4bdbc6..00000000
--- a/templates/policy/extcommunity-list/standard/rule/node.tag/action/node.def
+++ /dev/null
@@ -1,6 +0,0 @@
-type: txt
-help: Action to take on routes matching this rule [REQUIRED]
-val_help: permit; Permit matching routes
-val_help: deny; Deny matching routes
-
-syntax:expression: $VAR(@) in "permit", "deny"; "action must be permit or deny"
diff --git a/templates/policy/extcommunity-list/standard/rule/node.tag/description/node.def b/templates/policy/extcommunity-list/standard/rule/node.tag/description/node.def
deleted file mode 100644
index b8e3095b..00000000
--- a/templates/policy/extcommunity-list/standard/rule/node.tag/description/node.def
+++ /dev/null
@@ -1,2 +0,0 @@
-type: txt
-help: Description for this rule
diff --git a/templates/policy/extcommunity-list/standard/rule/node.tag/regex/node.def b/templates/policy/extcommunity-list/standard/rule/node.tag/regex/node.def
deleted file mode 100644
index 36dd9954..00000000
--- a/templates/policy/extcommunity-list/standard/rule/node.tag/regex/node.def
+++ /dev/null
@@ -1,7 +0,0 @@
-type: txt
-help: Extended community value. Should be either AS:VAL or IP-Address:VAL
-val_help: Community list regular expression
-
-syntax:expression: pattern $VAR(@) "^([0-9]*)|([0-9]{1-3}\.[0-9]{1-3}\.[0-9]{1-3}\.[0-9]{1-3}):[0-9]*$"
-
-commit:expression: $VAR(../action/@) != ""; "You must specify an action"
-- cgit v1.2.3 From f5aaf437d83022b6f6f707cb542dbcbc05aadb15 Mon Sep 17 00:00:00 2001 From: Daniil Baturin Date: Sun, 28 Oct 2018 14:19:54 +0100 Subject: T944: ensure correct ordering of BGP option deletion to prevent route leaks. --- scripts/bgp/vyatta-bgp.pl | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/scripts/bgp/vyatta-bgp.pl b/scripts/bgp/vyatta-bgp.pl
index 97a0b861..856d3dcd 100755
--- a/scripts/bgp/vyatta-bgp.pl
+++ b/scripts/bgp/vyatta-bgp.pl
@@ -1596,7 +1596,18 @@ sub main ## deletes with priority # delete everything in neighbor, ordered nodes last - my @ordered = ('remote-as', 'peer-group', 'shutdown', 'route-map', 'prefix-list', 'filter-list', 'distribute-list', 'unsuppress-map'); + my @ordered = ('remote-as', 'peer-group', 'shutdown', + 'address-family ipv4-unicast route-map', + 'address-family ipv4-unicast prefix-list', + 'address-family ipv4-unicast filter-list', + 'address-family ipv4-unicast distribute-list', + 'address-family ipv4-unicast unsuppress-map', + 'address-family ipv6-unicast route-map', + 'address-family ipv6-unicast prefix-list', + 'address-family ipv6-unicast filter-list', + 'address-family ipv6-unicast distribute-list', + 'address-family ipv6-unicast unsuppress-map'); + # notice the extra space in the level string. keeps the parent from being deleted. $qconfig->deleteConfigTreeRecursive('protocols bgp var neighbor var ', undef, \@ordered) || die "exiting $?\n"; $qconfig->deleteConfigTreeRecursive('protocols bgp var peer-group var ', undef, \@ordered) || die "exiting $?\n"; -- cgit v1.2.3
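Review bot: The `@ordered` list now spells out five policy nodes for each of two address families by hand, and nothing next to it says why the order matters even though the commit subject ties it to route leaks. Add a comment above the list, for example `# Filters are deleted last so they stay applied until the neighbor itself is gone (T944)`, worded from the subject and the existing "ordered nodes last" remark, so adjust it to the actual mechanism. Generating the entries keeps a future address family from being half-covered: `my @policy = qw(route-map prefix-list filter-list distribute-list unsuppress-map);` followed by `map { my $af = $_; map { "address-family $af $_" } @policy } qw(ipv4-unicast ipv6-unicast)`. The bare names (`route-map`, `prefix-list`, ...) are dropped, so if neighbor-level nodes without an address family can still appear in older configs they lose their ordering; that is worth confirming. `sub main` starts and ends outside the hunk.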