}
if (!tnbr) {
- if (!((flags & F_HELLO_REQ_TARG) &&
- ((ldp_af_conf_get(leconf, af))->flags &
- F_LDPD_AF_THELLO_ACCEPT)))
+ struct ldpd_af_conf *af_conf;
+
+ if (!(flags & F_HELLO_REQ_TARG))
+ return;
+ af_conf = ldp_af_conf_get(leconf, af);
+ if (!(af_conf->flags & F_LDPD_AF_THELLO_ACCEPT))
+ return;
+ if (ldpe_acl_check(af_conf->acl_thello_accept_from, af,
+ src, (af == AF_INET) ? 32 : 128) != FILTER_PERMIT)
return;
tnbr = tnbr_new(af, src);
return (0);
}
+int
+lde_acl_check(char *acl_name, int af, union ldpd_addr *addr, uint8_t prefixlen)
+{
+ return ldp_acl_request(iev_main_sync, acl_name, af, addr, prefixlen);
+}
+
uint32_t
-lde_assign_label(void)
+lde_assign_label(struct fec *fec, int connected)
{
static uint32_t label = MPLS_LABEL_RESERVED_MAX;
+ /* should we allocate a label for this fec? */
+ switch (fec->type) {
+ case FEC_TYPE_IPV4:
+ if ((ldeconf->ipv4.flags & F_LDPD_AF_ALLOCHOSTONLY) &&
+ fec->u.ipv4.prefixlen != 32)
+ return (NO_LABEL);
+ if (lde_acl_check(ldeconf->ipv4.acl_label_allocate_for,
+ AF_INET, (union ldpd_addr *)&fec->u.ipv4.prefix,
+ fec->u.ipv4.prefixlen) != FILTER_PERMIT)
+ return (NO_LABEL);
+ break;
+ case FEC_TYPE_IPV6:
+ if ((ldeconf->ipv6.flags & F_LDPD_AF_ALLOCHOSTONLY) &&
+ fec->u.ipv6.prefixlen != 128)
+ return (NO_LABEL);
+ if (lde_acl_check(ldeconf->ipv6.acl_label_allocate_for,
+ AF_INET6, (union ldpd_addr *)&fec->u.ipv6.prefix,
+ fec->u.ipv6.prefixlen) != FILTER_PERMIT)
+ return (NO_LABEL);
+ break;
+ default:
+ fatalx("lde_assign_label: unexpected fec type");
+ break;
+ }
+
+ if (connected) {
+ /* choose implicit or explicit-null depending on configuration */
+ switch (fec->type) {
+ case FEC_TYPE_IPV4:
+ if (!(ldeconf->ipv4.flags & F_LDPD_AF_EXPNULL))
+ return (MPLS_LABEL_IMPLNULL);
+ if (lde_acl_check(ldeconf->ipv4.acl_label_expnull_for,
+ AF_INET, (union ldpd_addr *)&fec->u.ipv4.prefix,
+ fec->u.ipv4.prefixlen) != FILTER_PERMIT)
+ return (MPLS_LABEL_IMPLNULL);
+ return (MPLS_LABEL_IPV4NULL);
+ case FEC_TYPE_IPV6:
+ if (!(ldeconf->ipv6.flags & F_LDPD_AF_EXPNULL))
+ return (MPLS_LABEL_IMPLNULL);
+ if (lde_acl_check(ldeconf->ipv6.acl_label_expnull_for,
+ AF_INET6, (union ldpd_addr *)&fec->u.ipv6.prefix,
+ fec->u.ipv6.prefixlen) != FILTER_PERMIT)
+ return (MPLS_LABEL_IMPLNULL);
+ return (MPLS_LABEL_IPV6NULL);
+ default:
+ fatalx("lde_assign_label: unexpected fec type");
+ break;
+ }
+ }
+
/*
* TODO: request label to zebra or define a range of labels for ldpd.
*/
case FEC_TYPE_IPV4:
if (!ln->v4_enabled)
return;
+ if (lde_acl_check(ldeconf->ipv4.acl_label_advertise_to,
+ AF_INET, (union ldpd_addr *)&ln->id, 32) != FILTER_PERMIT)
+ return;
+ if (lde_acl_check(ldeconf->ipv4.acl_label_advertise_for,
+ AF_INET, (union ldpd_addr *)&fn->fec.u.ipv4.prefix,
+ fn->fec.u.ipv4.prefixlen) != FILTER_PERMIT)
+ return;
break;
case FEC_TYPE_IPV6:
if (!ln->v6_enabled)
return;
+ if (lde_acl_check(ldeconf->ipv6.acl_label_advertise_to,
+ AF_INET, (union ldpd_addr *)&ln->id, 32) != FILTER_PERMIT)
+ return;
+ if (lde_acl_check(ldeconf->ipv6.acl_label_advertise_for,
+ AF_INET6, (union ldpd_addr *)&fn->fec.u.ipv6.prefix,
+ fn->fec.u.ipv6.prefixlen) != FILTER_PERMIT)
+ return;
break;
case FEC_TYPE_PWID:
pw = (struct l2vpn_pw *) fn->data;
}
void
-lde_change_egress_label(int af, int was_implicit)
+lde_change_egress_label(int af)
{
struct lde_nbr *ln;
struct fec *f;
/* explicitly withdraw all null labels */
RB_FOREACH(ln, nbr_tree, &lde_nbrs) {
- if (was_implicit)
- lde_send_labelwithdraw(ln, NULL, MPLS_LABEL_IMPLNULL,
+ lde_send_labelwithdraw(ln, NULL, MPLS_LABEL_IMPLNULL, NULL);
+ if (ln->v4_enabled)
+ lde_send_labelwithdraw(ln, NULL, MPLS_LABEL_IPV4NULL,
+ NULL);
+ if (ln->v6_enabled)
+ lde_send_labelwithdraw(ln, NULL, MPLS_LABEL_IPV6NULL,
NULL);
- else {
- if (ln->v4_enabled)
- lde_send_labelwithdraw(ln, NULL,
- MPLS_LABEL_IPV4NULL, NULL);
- if (ln->v6_enabled)
- lde_send_labelwithdraw(ln, NULL,
- MPLS_LABEL_IPV6NULL, NULL);
- }
}
/* update label of connected routes */
fatalx("lde_change_egress_label: unknown af");
}
- fn->local_label = egress_label(fn->fec.type);
- RB_FOREACH(ln, nbr_tree, &lde_nbrs)
- lde_send_labelmapping(ln, fn, 0);
+ fn->local_label = lde_assign_label(&fn->fec, 1);
+ if (fn->local_label != NO_LABEL)
+ RB_FOREACH(ln, nbr_tree, &lde_nbrs)
+ lde_send_labelmapping(ln, fn, 0);
}
RB_FOREACH(ln, nbr_tree, &lde_nbrs)
lde_imsg_compose_ldpe(IMSG_MAPPING_ADD_END, ln->peerid, 0,
void lde(const char *, const char *);
int lde_imsg_compose_parent(int, pid_t, void *, uint16_t);
int lde_imsg_compose_ldpe(int, uint32_t, pid_t, void *, uint16_t);
-uint32_t lde_assign_label(void);
+int lde_acl_check(char *, int, union ldpd_addr *, uint8_t);
+uint32_t lde_assign_label(struct fec *, int);
void lde_send_change_klabel(struct fec_node *, struct fec_nh *);
void lde_send_delete_klabel(struct fec_node *, struct fec_nh *);
void lde_fec2map(struct fec *, struct map *);
void lde_req_del(struct lde_nbr *, struct lde_req *, int);
struct lde_wdraw *lde_wdraw_add(struct lde_nbr *, struct fec_node *);
void lde_wdraw_del(struct lde_nbr *, struct lde_wdraw *);
-void lde_change_egress_label(int, int);
+void lde_change_egress_label(int);
struct lde_addr *lde_address_find(struct lde_nbr *, int,
union ldpd_addr *);
void fec_tree_clear(void);
struct fec_nh *fec_nh_find(struct fec_node *, int, union ldpd_addr *,
ifindex_t, uint8_t);
-uint32_t egress_label(enum fec_type);
void lde_kernel_insert(struct fec *, int, union ldpd_addr *,
ifindex_t, uint8_t, int, void *);
void lde_kernel_remove(struct fec *, int, union ldpd_addr *,
free(fnh);
}
-uint32_t
-egress_label(enum fec_type fec_type)
-{
- switch (fec_type) {
- case FEC_TYPE_IPV4:
- if (ldeconf->ipv4.flags & F_LDPD_AF_EXPNULL)
- return (MPLS_LABEL_IPV4NULL);
- break;
- case FEC_TYPE_IPV6:
- if (ldeconf->ipv6.flags & F_LDPD_AF_EXPNULL)
- return (MPLS_LABEL_IPV6NULL);
- break;
- default:
- fatalx("egress_label: unexpected fec type");
- }
-
- return (MPLS_LABEL_IMPLNULL);
-}
-
void
lde_kernel_insert(struct fec *fec, int af, union ldpd_addr *nexthop,
ifindex_t ifindex, uint8_t priority, int connected, void *data)
fn->data = data;
if (fn->local_label == NO_LABEL) {
- if (connected)
- fn->local_label = egress_label(fn->fec.type);
- else
- fn->local_label = lde_assign_label();
+ fn->local_label = lde_assign_label(&fn->fec, connected);
/* FEC.1: perform lsr label distribution procedure */
- RB_FOREACH(ln, nbr_tree, &lde_nbrs)
- lde_send_labelmapping(ln, fn, 1);
+ if (fn->local_label != NO_LABEL)
+ RB_FOREACH(ln, nbr_tree, &lde_nbrs)
+ lde_send_labelmapping(ln, fn, 1);
}
fnh = fec_nh_add(fn, af, nexthop, ifindex, priority);
int msgsource = 0;
lde_map2fec(map, ln->id, &fec);
+
+ switch (fec.type) {
+ case FEC_TYPE_IPV4:
+ if (lde_acl_check(ldeconf->ipv4.acl_label_accept_from,
+ AF_INET, (union ldpd_addr *)&ln->id, 32) != FILTER_PERMIT)
+ return;
+ if (lde_acl_check(ldeconf->ipv4.acl_label_accept_for,
+ AF_INET, (union ldpd_addr *)&fec.u.ipv4.prefix,
+ fec.u.ipv4.prefixlen) != FILTER_PERMIT)
+ return;
+ break;
+ case FEC_TYPE_IPV6:
+ if (lde_acl_check(ldeconf->ipv6.acl_label_accept_from,
+ AF_INET, (union ldpd_addr *)&ln->id, 32) != FILTER_PERMIT)
+ return;
+ if (lde_acl_check(ldeconf->ipv6.acl_label_accept_for,
+ AF_INET6, (union ldpd_addr *)&fec.u.ipv6.prefix,
+ fec.u.ipv6.prefixlen) != FILTER_PERMIT)
+ return;
+ break;
+ default:
+ break;
+ }
+
fn = (struct fec_node *)fec_find(&ft, &fec);
if (fn == NULL)
fn = fec_add(&fec);
int ldp_vty_interface(struct vty *, struct vty_arg *[]);
int ldp_vty_trans_addr(struct vty *, struct vty_arg *[]);
int ldp_vty_neighbor_targeted(struct vty *, struct vty_arg *[]);
-int ldp_vty_explicit_null(struct vty *, struct vty_arg *[]);
+int ldp_vty_label_advertise(struct vty *, struct vty_arg *[]);
+int ldp_vty_label_allocate(struct vty *, struct vty_arg *[]);
+int ldp_vty_label_expnull(struct vty *, struct vty_arg *[]);
+int ldp_vty_label_accept(struct vty *, struct vty_arg *[]);
int ldp_vty_ttl_security(struct vty *, struct vty_arg *[]);
int ldp_vty_router_id(struct vty *, struct vty_arg *[]);
int ldp_vty_ds_cisco_interop(struct vty *, struct vty_arg *[]);
<option name="sent" help="Sent messages"/>
</options>
+ <!-- ACL -->
+ <options name="acl">
+ <option input="acl_range" help="IP access-list number"/>
+ <option input="acl_expanded_range" help="IP access-list number (expanded range)"/>
+ <option input="word" help="IP access-list name"/>
+ </options>
+
<!-- shared subtrees -->
+ <subtree name="label_local_acls">
+ <option name="to" help="IP Access-list specifying controls on LDP Peers">
+ <select options="acl" arg="to_acl" function="inherited">
+ <option name="for" help="IP access-list for destination prefixes">
+ <select options="acl" arg="for_acl" function="inherited"/>
+ </option>
+ </select>
+ </option>
+ <option name="for" help="IP access-list for destination prefixes">
+ <select options="acl" arg="for_acl" function="inherited">
+ <option name="to" help="IP Access-list specifying controls on LDP Peers">
+ <select options="acl" arg="to_acl" function="inherited"/>
+ </option>
+ </select>
+ </option>
+ </subtree>
+
+ <subtree name="label_remote_acls">
+ <option name="from" help="Neighbor from whom to accept label advertisement">
+ <select options="acl" arg="from_acl" function="inherited">
+ <option name="for" help="IP access-list for destination prefixes">
+ <select options="acl" arg="for_acl" function="inherited"/>
+ </option>
+ </select>
+ </option>
+ <option name="for" help="IP access-list for destination prefixes">
+ <select options="acl" arg="for_acl" function="inherited">
+ <option name="from" help="Neighbor from whom to accept label advertisement">
+ <select options="acl" arg="from_acl" function="inherited"/>
+ </option>
+ </select>
+ </option>
+ </subtree>
+
<subtree name="discovery_link">
<option name="discovery" help="Configure discovery parameters">
<option name="hello" arg="hello_type" help="LDP Link Hellos">
<include subtree="discovery_targeted"/>
<option name="discovery" help="Configure discovery parameters">
<option name="targeted-hello" arg="hello_type" help="LDP Targeted Hellos">
- <option name="accept" help="Accept and respond to targeted hellos" function="ldp_vty_targeted_hello_accept"/>
+ <option name="accept" help="Accept and respond to targeted hellos" function="ldp_vty_targeted_hello_accept">
+ <option name="from" help="Access list to specify acceptable targeted hello source">
+ <select options="acl" arg="from_acl" function="inherited"/>
+ </option>
+ </option>
</option>
</option>
<option name="label" help="Configure label control and policies">
<option name="local" help="Configure local label control and policies">
- <option name="advertise" help="Configure outbound label advertisement control">
- <option name="explicit-null" help="Configure explicit-null advertisement" function="ldp_vty_explicit_null"/>
+ <option name="advertise" help="Configure outbound label advertisement control" function="ldp_vty_label_advertise">
+ <include subtree="label_local_acls"/>
+ <option name="explicit-null" help="Configure explicit-null advertisement" function="ldp_vty_label_expnull">
+ <option name="for" help="IP access-list for destination prefixes">
+ <select options="acl" arg="for_acl" function="inherited"/>
+ </option>
+ </option>
+ </option>
+ <option name="allocate" help="Configure label allocation control">
+ <option name="for" help="IP access-list">
+ <select options="acl" arg="for_acl" function="ldp_vty_label_allocate"/>
+ </option>
+ <option name="host-routes" arg="host-routes" help="allocate local label for host routes only" function="ldp_vty_label_allocate"/>
+ </option>
+ </option>
+ <option name="remote" help="Configure remote/peer label control and policies">
+ <option name="accept" help="Configure inbound label acceptance control" function="ldp_vty_label_accept">
+ <include subtree="label_remote_acls"/>
</option>
</option>
</option>
vty_out(vty, " discovery hello interval %u%s",
af_conf->lhello_interval, VTY_NEWLINE);
- if (af_conf->flags & F_LDPD_AF_THELLO_ACCEPT)
- vty_out(vty, " discovery targeted-hello accept%s",
- VTY_NEWLINE);
+ if (af_conf->flags & F_LDPD_AF_THELLO_ACCEPT) {
+ vty_out(vty, " discovery targeted-hello accept");
+ if (af_conf->acl_thello_accept_from[0] != '\0')
+ vty_out(vty, " from %s",
+ af_conf->acl_thello_accept_from);
+ vty_out(vty, "%s", VTY_NEWLINE);
+ }
if (af_conf->thello_holdtime != TARGETED_DFLT_HOLDTIME &&
af_conf->thello_holdtime != 0)
vty_out(vty, " ! Incomplete config, specify a discovery "
"transport-address%s", VTY_NEWLINE);
- if (af_conf->flags & F_LDPD_AF_EXPNULL)
- vty_out(vty, " label local advertise explicit-null%s",
- VTY_NEWLINE);
+ if ((af_conf->flags & F_LDPD_AF_ALLOCHOSTONLY) ||
+ af_conf->acl_label_allocate_for[0] != '\0') {
+ vty_out(vty, " label local allocate");
+ if (af_conf->flags & F_LDPD_AF_ALLOCHOSTONLY)
+ vty_out(vty, " host-routes");
+ else
+ vty_out(vty, " for %s",
+ af_conf->acl_label_allocate_for);
+ vty_out(vty, "%s", VTY_NEWLINE);
+ }
+
+ if (af_conf->acl_label_advertise_for[0] != '\0' ||
+ af_conf->acl_label_advertise_to[0] != '\0') {
+ vty_out(vty, " label local advertise");
+ if (af_conf->acl_label_advertise_to[0] != '\0')
+ vty_out(vty, " to %s",
+ af_conf->acl_label_advertise_to);
+ if (af_conf->acl_label_advertise_for[0] != '\0')
+ vty_out(vty, " for %s",
+ af_conf->acl_label_advertise_for);
+ vty_out(vty, "%s", VTY_NEWLINE);
+ }
+
+ if (af_conf->flags & F_LDPD_AF_EXPNULL) {
+ vty_out(vty, " label local advertise explicit-null");
+ if (af_conf->acl_label_expnull_for[0] != '\0')
+ vty_out(vty, " for %s",
+ af_conf->acl_label_expnull_for);
+ vty_out(vty, "%s", VTY_NEWLINE);
+ }
+
+ if (af_conf->acl_label_accept_for[0] != '\0' ||
+ af_conf->acl_label_accept_from[0] != '\0') {
+ vty_out(vty, " label remote accept");
+ if (af_conf->acl_label_accept_from[0] != '\0')
+ vty_out(vty, " from %s",
+ af_conf->acl_label_accept_from);
+ if (af_conf->acl_label_accept_for[0] != '\0')
+ vty_out(vty, " for %s",
+ af_conf->acl_label_accept_for);
+ vty_out(vty, "%s", VTY_NEWLINE);
+ }
if (af_conf->flags & F_LDPD_AF_NO_GTSM)
vty_out(vty, " ttl-security disable%s", VTY_NEWLINE);
struct ldpd_conf *vty_conf;
struct ldpd_af_conf *af_conf;
int af;
+ const char *acl_from_str;
int disable;
vty_conf = ldp_dup_config(ldpd_conf);
disable = (vty_get_arg_value(args, "no")) ? 1 : 0;
+ acl_from_str = vty_get_arg_value(args, "from_acl");
af = ldp_vty_get_af(vty);
af_conf = ldp_af_conf_get(vty_conf, af);
- if (disable)
+ if (disable) {
af_conf->flags &= ~F_LDPD_AF_THELLO_ACCEPT;
- else
+ af_conf->acl_thello_accept_from[0] = '\0';
+ } else {
af_conf->flags |= F_LDPD_AF_THELLO_ACCEPT;
+ if (acl_from_str)
+ strlcpy(af_conf->acl_thello_accept_from, acl_from_str,
+ sizeof(af_conf->acl_thello_accept_from));
+ else
+ af_conf->acl_thello_accept_from[0] = '\0';
+ }
ldp_reload(vty_conf);
}
int
-ldp_vty_explicit_null(struct vty *vty, struct vty_arg *args[])
+ldp_vty_label_advertise(struct vty *vty, struct vty_arg *args[])
{
struct ldpd_conf *vty_conf;
struct ldpd_af_conf *af_conf;
int af;
+ const char *acl_to_str;
+ const char *acl_for_str;
int disable;
disable = (vty_get_arg_value(args, "no")) ? 1 : 0;
+ acl_to_str = vty_get_arg_value(args, "to_acl");
+ acl_for_str = vty_get_arg_value(args, "for_acl");
vty_conf = ldp_dup_config(ldpd_conf);
af = ldp_vty_get_af(vty);
af_conf = ldp_af_conf_get(vty_conf, af);
- if (disable)
+ if (disable) {
+ af_conf->acl_label_advertise_to[0] = '\0';
+ af_conf->acl_label_advertise_for[0] = '\0';
+ } else {
+ if (acl_to_str)
+ strlcpy(af_conf->acl_label_advertise_to, acl_to_str,
+ sizeof(af_conf->acl_label_advertise_to));
+ else
+ af_conf->acl_label_advertise_to[0] = '\0';
+ if (acl_for_str)
+ strlcpy(af_conf->acl_label_advertise_for, acl_for_str,
+ sizeof(af_conf->acl_label_advertise_for));
+ else
+ af_conf->acl_label_advertise_for[0] = '\0';
+ }
+
+ ldp_reload(vty_conf);
+
+ return (CMD_SUCCESS);
+}
+
+int
+ldp_vty_label_allocate(struct vty *vty, struct vty_arg *args[])
+{
+ struct ldpd_conf *vty_conf;
+ struct ldpd_af_conf *af_conf;
+ int af;
+ const char *acl_for_str;
+ const char *host_routes_str;
+ int disable;
+
+ disable = (vty_get_arg_value(args, "no")) ? 1 : 0;
+ acl_for_str = vty_get_arg_value(args, "for_acl");
+ host_routes_str = vty_get_arg_value(args, "host-routes");
+
+ vty_conf = ldp_dup_config(ldpd_conf);
+ af = ldp_vty_get_af(vty);
+ af_conf = ldp_af_conf_get(vty_conf, af);
+
+ af_conf->flags &= ~F_LDPD_AF_ALLOCHOSTONLY;
+ af_conf->acl_label_allocate_for[0] = '\0';
+ if (!disable) {
+ if (host_routes_str)
+ af_conf->flags |= F_LDPD_AF_ALLOCHOSTONLY;
+ else
+ strlcpy(af_conf->acl_label_allocate_for, acl_for_str,
+ sizeof(af_conf->acl_label_allocate_for));
+ }
+
+ ldp_reload(vty_conf);
+
+ return (CMD_SUCCESS);
+}
+
+int
+ldp_vty_label_expnull(struct vty *vty, struct vty_arg *args[])
+{
+ struct ldpd_conf *vty_conf;
+ struct ldpd_af_conf *af_conf;
+ int af;
+ const char *acl_for_str;
+ int disable;
+
+ disable = (vty_get_arg_value(args, "no")) ? 1 : 0;
+ acl_for_str = vty_get_arg_value(args, "for_acl");
+
+ vty_conf = ldp_dup_config(ldpd_conf);
+ af = ldp_vty_get_af(vty);
+ af_conf = ldp_af_conf_get(vty_conf, af);
+
+ if (disable) {
af_conf->flags &= ~F_LDPD_AF_EXPNULL;
- else
+ af_conf->acl_label_expnull_for[0] = '\0';
+ } else {
af_conf->flags |= F_LDPD_AF_EXPNULL;
+ if (acl_for_str)
+ strlcpy(af_conf->acl_label_expnull_for, acl_for_str,
+ sizeof(af_conf->acl_label_expnull_for));
+ else
+ af_conf->acl_label_expnull_for[0] = '\0';
+ }
+
+ ldp_reload(vty_conf);
+
+ return (CMD_SUCCESS);
+}
+
+int
+ldp_vty_label_accept(struct vty *vty, struct vty_arg *args[])
+{
+ struct ldpd_conf *vty_conf;
+ struct ldpd_af_conf *af_conf;
+ int af;
+ const char *acl_from_str;
+ const char *acl_for_str;
+ int disable;
+
+ disable = (vty_get_arg_value(args, "no")) ? 1 : 0;
+ acl_from_str = vty_get_arg_value(args, "from_acl");
+ acl_for_str = vty_get_arg_value(args, "for_acl");
+
+ vty_conf = ldp_dup_config(ldpd_conf);
+ af = ldp_vty_get_af(vty);
+ af_conf = ldp_af_conf_get(vty_conf, af);
+
+ if (disable) {
+ af_conf->acl_label_accept_from[0] = '\0';
+ af_conf->acl_label_accept_for[0] = '\0';
+ } else {
+ if (acl_from_str)
+ strlcpy(af_conf->acl_label_accept_from, acl_from_str,
+ sizeof(af_conf->acl_label_accept_from));
+ else
+ af_conf->acl_label_accept_from[0] = '\0';
+ if (acl_for_str)
+ strlcpy(af_conf->acl_label_accept_for, acl_for_str,
+ sizeof(af_conf->acl_label_accept_for));
+ else
+ af_conf->acl_label_accept_for[0] = '\0';
+ }
ldp_reload(vty_conf);
#include "sigevent.h"
#include "zclient.h"
#include "vrf.h"
+#include "filter.h"
#include "qobj.h"
static void ldpd_shutdown(void);
vty_config_lockless ();
vty_init(master);
vrf_init();
+ access_list_init ();
ldp_vty_init();
ldp_vty_if_init();
log_info("terminating");
vrf_terminate();
+ access_list_reset();
cmd_terminate();
vty_terminate();
ldp_zebra_destroy();
af = imsg.hdr.pid;
main_imsg_send_net_sockets(af);
break;
+ case IMSG_ACL_CHECK:
+ if (imsg.hdr.len != IMSG_HEADER_SIZE +
+ sizeof(struct acl_check))
+ fatalx("IMSG_ACL_CHECK imsg with wrong len");
+ ldp_acl_reply(iev, (struct acl_check *)imsg.data);
+ break;
default:
log_debug("%s: error handling imsg %d", __func__,
imsg.hdr.type);
log_warnx("%s: error unsetting pseudowire",
__func__);
break;
+ case IMSG_ACL_CHECK:
+ if (imsg.hdr.len != IMSG_HEADER_SIZE +
+ sizeof(struct acl_check))
+ fatalx("IMSG_ACL_CHECK imsg with wrong len");
+ ldp_acl_reply(iev, (struct acl_check *)imsg.data);
+ break;
default:
log_debug("%s: error handling imsg %d", __func__,
imsg.hdr.type);
sizeof(type));
}
+int
+ldp_acl_request(struct imsgev *iev, char *acl_name, int af,
+ union ldpd_addr *addr, uint8_t prefixlen)
+{
+ struct imsg imsg;
+ ssize_t n;
+ struct acl_check acl_check;
+
+ if (acl_name[0] == '\0')
+ return FILTER_PERMIT;
+
+ /* build request */
+ strlcpy(acl_check.acl, acl_name, sizeof(acl_check.acl));
+ acl_check.af = af;
+ acl_check.addr = *addr;
+ acl_check.prefixlen = prefixlen;
+
+ /* send (blocking) */
+ imsg_compose_event(iev, IMSG_ACL_CHECK, 0, 0, -1, &acl_check,
+ sizeof(acl_check));
+ imsg_flush(&iev->ibuf);
+
+ /* receive (blocking) and parse result */
+ if ((n = imsg_read(&iev->ibuf)) == -1)
+ fatal("imsg_read error");
+ if ((n = imsg_get(&iev->ibuf, &imsg)) == -1)
+ fatal("imsg_get");
+ if (imsg.hdr.type != IMSG_ACL_CHECK ||
+ imsg.hdr.len != IMSG_HEADER_SIZE + sizeof(int))
+ fatalx("ldp_acl_request: invalid response");
+
+ return (*((int *)imsg.data));
+}
+
+void
+ldp_acl_reply(struct imsgev *iev, struct acl_check *acl_check)
+{
+ struct access_list *alist;
+ struct prefix prefix;
+ int result;
+
+ alist = access_list_lookup(family2afi(acl_check->af), acl_check->acl);
+ if (alist == NULL)
+ result = FILTER_DENY;
+ else {
+ prefix.family = acl_check->af;
+ switch (prefix.family) {
+ case AF_INET:
+ prefix.u.prefix4 = acl_check->addr.v4;
+ break;
+ case AF_INET6:
+ prefix.u.prefix6 = acl_check->addr.v6;
+ break;
+ default:
+ fatalx("ldp_acl_reply: unknown af");
+ }
+ prefix.prefixlen = acl_check->prefixlen;
+ result = access_list_apply(alist, &prefix);
+ }
+
+ imsg_compose_event(iev, IMSG_ACL_CHECK, 0, 0, -1, &result,
+ sizeof(result));
+}
+
struct ldpd_af_conf *
ldp_af_conf_get(struct ldpd_conf *xconf, int af)
{
/* change of router-id requires resetting all neighborships */
if (conf->rtr_id.s_addr != xconf->rtr_id.s_addr) {
if (ldpd_process == PROC_LDP_ENGINE) {
- ldpe_reset_nbrs(AF_INET);
- ldpe_reset_nbrs(AF_INET6);
+ ldpe_reset_nbrs(AF_UNSPEC);
if (conf->rtr_id.s_addr == INADDR_ANY ||
xconf->rtr_id.s_addr == INADDR_ANY) {
if_update_all(AF_UNSPEC);
static void
merge_af(int af, struct ldpd_af_conf *af_conf, struct ldpd_af_conf *xa)
{
- int egress_label_changed = 0;
- int update_sockets = 0;
-
+ int stop_init_backoff = 0;
+ int remove_dynamic_tnbrs = 0;
+ int change_egress_label = 0;
+ int reset_nbrs_ipv4 = 0;
+ int reset_nbrs = 0;
+ int update_sockets = 0;
+
+ /* update timers */
if (af_conf->keepalive != xa->keepalive) {
af_conf->keepalive = xa->keepalive;
- if (ldpd_process == PROC_LDP_ENGINE)
- ldpe_stop_init_backoff(af);
+ stop_init_backoff = 1;
}
-
af_conf->lhello_holdtime = xa->lhello_holdtime;
af_conf->lhello_interval = xa->lhello_interval;
af_conf->thello_holdtime = xa->thello_holdtime;
af_conf->thello_interval = xa->thello_interval;
/* update flags */
- if (ldpd_process == PROC_LDP_ENGINE &&
- (af_conf->flags & F_LDPD_AF_THELLO_ACCEPT) &&
+ if ((af_conf->flags & F_LDPD_AF_THELLO_ACCEPT) &&
!(xa->flags & F_LDPD_AF_THELLO_ACCEPT))
- ldpe_remove_dynamic_tnbrs(af);
-
+ remove_dynamic_tnbrs = 1;
if ((af_conf->flags & F_LDPD_AF_NO_GTSM) !=
(xa->flags & F_LDPD_AF_NO_GTSM)) {
if (af == AF_INET6)
/* need to set/unset IPV6_MINHOPCOUNT */
update_sockets = 1;
- else if (ldpd_process == PROC_LDP_ENGINE)
+ else
/* for LDPv4 just resetting the neighbors is enough */
- ldpe_reset_nbrs(af);
+ reset_nbrs_ipv4 = 1;
}
-
if ((af_conf->flags & F_LDPD_AF_EXPNULL) !=
(xa->flags & F_LDPD_AF_EXPNULL))
- egress_label_changed = 1;
-
+ change_egress_label = 1;
af_conf->flags = xa->flags;
- if (egress_label_changed) {
- switch (ldpd_process) {
- case PROC_LDE_ENGINE:
- lde_change_egress_label(af, af_conf->flags &
- F_LDPD_AF_EXPNULL);
- break;
- default:
- break;
- }
- }
-
+ /* update the transport address */
if (ldp_addrcmp(af, &af_conf->trans_addr, &xa->trans_addr)) {
af_conf->trans_addr = xa->trans_addr;
update_sockets = 1;
}
- if (ldpd_process == PROC_MAIN && iev_ldpe && update_sockets)
- imsg_compose_event(iev_ldpe, IMSG_CLOSE_SOCKETS, af, 0, -1,
- NULL, 0);
+ /* update ACLs */
+ if (strcmp(af_conf->acl_label_advertise_to,
+ xa->acl_label_advertise_to) ||
+ strcmp(af_conf->acl_label_advertise_for,
+ xa->acl_label_advertise_for) ||
+ strcmp(af_conf->acl_label_accept_from,
+ xa->acl_label_accept_from) ||
+ strcmp(af_conf->acl_label_accept_for,
+ xa->acl_label_accept_for))
+ reset_nbrs = 1;
+ if (strcmp(af_conf->acl_thello_accept_from, xa->acl_thello_accept_from))
+ remove_dynamic_tnbrs = 1;
+ if (strcmp(af_conf->acl_label_expnull_for, xa->acl_label_expnull_for))
+ change_egress_label = 1;
+ strlcpy(af_conf->acl_thello_accept_from, xa->acl_thello_accept_from,
+ sizeof(af_conf->acl_thello_accept_from));
+ strlcpy(af_conf->acl_label_allocate_for, xa->acl_label_allocate_for,
+ sizeof(af_conf->acl_label_allocate_for));
+ strlcpy(af_conf->acl_label_advertise_to, xa->acl_label_advertise_to,
+ sizeof(af_conf->acl_label_advertise_to));
+ strlcpy(af_conf->acl_label_advertise_for, xa->acl_label_advertise_for,
+ sizeof(af_conf->acl_label_advertise_for));
+ strlcpy(af_conf->acl_label_accept_from, xa->acl_label_accept_from,
+ sizeof(af_conf->acl_label_accept_from));
+ strlcpy(af_conf->acl_label_accept_for, xa->acl_label_accept_for,
+ sizeof(af_conf->acl_label_accept_for));
+ strlcpy(af_conf->acl_label_expnull_for, xa->acl_label_expnull_for,
+ sizeof(af_conf->acl_label_expnull_for));
+
+ /* apply the new configuration */
+ switch (ldpd_process) {
+ case PROC_LDE_ENGINE:
+ if (change_egress_label)
+ lde_change_egress_label(af);
+ break;
+ case PROC_LDP_ENGINE:
+ if (stop_init_backoff)
+ ldpe_stop_init_backoff(af);
+ if (remove_dynamic_tnbrs)
+ ldpe_remove_dynamic_tnbrs(af);
+ if (reset_nbrs)
+ ldpe_reset_nbrs(AF_UNSPEC);
+ else if (reset_nbrs_ipv4)
+ ldpe_reset_nbrs(AF_INET);
+ break;
+ case PROC_MAIN:
+ if (update_sockets && iev_ldpe)
+ imsg_compose_event(iev_ldpe, IMSG_CLOSE_SOCKETS, af,
+ 0, -1, NULL, 0);
+ break;
+ }
}
static void
#include "imsg.h"
#include "thread.h"
#include "qobj.h"
+#include "filter.h"
#include "ldp.h"
IMSG_RECONF_L2VPN_IPW,
IMSG_RECONF_END,
IMSG_DEBUG_UPDATE,
- IMSG_LOG
+ IMSG_LOG,
+ IMSG_ACL_CHECK
};
union ldpd_addr {
uint16_t thello_holdtime;
uint16_t thello_interval;
union ldpd_addr trans_addr;
+ char acl_thello_accept_from[ACL_NAMSIZ];
+ char acl_label_allocate_for[ACL_NAMSIZ];
+ char acl_label_advertise_to[ACL_NAMSIZ];
+ char acl_label_advertise_for[ACL_NAMSIZ];
+ char acl_label_expnull_for[ACL_NAMSIZ];
+ char acl_label_accept_from[ACL_NAMSIZ];
+ char acl_label_accept_for[ACL_NAMSIZ];
int flags;
};
#define F_LDPD_AF_ENABLED 0x0001
#define F_LDPD_AF_THELLO_ACCEPT 0x0002
#define F_LDPD_AF_EXPNULL 0x0004
#define F_LDPD_AF_NO_GTSM 0x0008
+#define F_LDPD_AF_ALLOCHOSTONLY 0x0010
struct ldpd_conf {
struct in_addr rtr_id;
int mtu;
};
+struct acl_check {
+ char acl[ACL_NAMSIZ];
+ int af;
+ union ldpd_addr addr;
+ uint8_t prefixlen;
+};
+
/* control data structures */
struct ctl_iface {
int af;
void evbuf_init(struct evbuf *, int,
int (*)(struct thread *), void *);
void evbuf_clear(struct evbuf *);
+int ldp_acl_request(struct imsgev *, char *, int,
+ union ldpd_addr *, uint8_t);
+void ldp_acl_reply(struct imsgev *, struct acl_check *);
struct ldpd_af_conf *ldp_af_conf_get(struct ldpd_conf *, int);
struct ldpd_af_global *ldp_af_global_get(struct ldpd_global *, int);
int ldp_is_dual_stack(struct ldpd_conf *);
memcpy(&global.rtr_id, imsg.data,
sizeof(global.rtr_id));
if (leconf->rtr_id.s_addr == INADDR_ANY) {
- ldpe_reset_nbrs(AF_INET);
- ldpe_reset_nbrs(AF_INET6);
+ ldpe_reset_nbrs(AF_UNSPEC);
}
if_update_all(AF_UNSPEC);
tnbr_update_all(AF_UNSPEC);
}
}
+int
+ldpe_acl_check(char *acl_name, int af, union ldpd_addr *addr, uint8_t prefixlen)
+{
+ return ldp_acl_request(iev_main_sync, acl_name, af, addr, prefixlen);
+}
+
void
ldpe_reset_nbrs(int af)
{
struct nbr *nbr;
RB_FOREACH(nbr, nbr_id_head, &nbrs_by_id) {
- if (nbr->af == af)
+ if (af == AF_UNSPEC || nbr->af == af)
session_shutdown(nbr, S_SHUTDOWN, 0, 0);
}
}
uint16_t);
int ldpe_imsg_compose_lde(int, uint32_t, pid_t, void *,
uint16_t);
+int ldpe_acl_check(char *, int, union ldpd_addr *, uint8_t);
void ldpe_reset_nbrs(int);
void ldpe_reset_ds_nbrs(void);
void ldpe_remove_dynamic_tnbrs(int);
struct access_list *access;
struct prefix p;
+ if (strlen(name_str) > ACL_NAMSIZ)
+ {
+ vty_out (vty, "%% ACL name %s is invalid: length exceeds "
+ "%d characters%s",
+ name_str, ACL_NAMSIZ, VTY_NEWLINE);
+ return CMD_WARNING;
+ }
+
/* Check of filter type. */
if (strncmp (type_str, "p", 1) == 0)
type = FILTER_PERMIT;
#include "if.h"
+/* Maximum ACL name length */
+#define ACL_NAMSIZ 128
+
/* Filter direction. */
#define FILTER_IN 0
#define FILTER_OUT 1
"ipv6" => "X:X::X:X",
"ipv6m" => "X:X::X:X/M",
"mtu" => "(1500-9180)",
+ "acl_range" => "(1-199)",
+ "acl_expanded_range" => "(1300-2699)",
# BGP specific
"rd" => "ASN:nn_or_IP-address:nn",
"asn" => "(1-4294967295)",
}
# update the command string
- if ($node{'function'} ne "inherited") {
+ if ($node{'function'} ne "inherited" and $node{'function'}) {
$function = $node{'function'};
}
}
projects / matthieu / frr.git / commitdiff