summaryrefslogtreecommitdiffstats
path: root/nest
diff options
context:
space:
mode:
authorOndrej Zajicek <santiago@crfreenet.org>2010-02-21 09:57:26 +0100
committerOndrej Zajicek <santiago@crfreenet.org>2010-02-21 09:57:26 +0100
commite0a45fb42163a6bfdeeee44bd0a6a7461552e10f (patch)
treed0c889a0b98ea7d269e44c1693d5a3fbb6322738 /nest
parente304fd4bcf5813b581a39078a25a5cf6916b9f29 (diff)
downloadbird-e0a45fb42163a6bfdeeee44bd0a6a7461552e10f.tar
bird-e0a45fb42163a6bfdeeee44bd0a6a7461552e10f.zip
Restricted read-only CLI.
Also adds support for executing commands using birdc <cmd>.
Diffstat (limited to 'nest')
-rw-r--r--nest/cli.h9
-rw-r--r--nest/config.Y25
-rw-r--r--nest/proto.c6
-rw-r--r--nest/protocol.h2
4 files changed, 29 insertions, 13 deletions
diff --git a/nest/cli.h b/nest/cli.h
index f816ef1..57414a2 100644
--- a/nest/cli.h
+++ b/nest/cli.h
@@ -33,6 +33,7 @@ typedef struct cli {
void (*cleanup)(struct cli *c);
void *rover; /* Private to continuation routine */
int last_reply;
+ int restricted; /* CLI is restricted to read-only commands */
struct linpool *parser_pool; /* Pool used during parsing */
byte *ring_buf; /* Ring buffer for asynchronous messages */
byte *ring_end, *ring_read, *ring_write; /* Pointers to the ring buffer */
@@ -60,6 +61,14 @@ void cli_kick(cli *);
void cli_written(cli *);
void cli_echo(unsigned int class, byte *msg);
+static inline int cli_access_restricted(void)
+{
+ if (this_cli && this_cli->restricted)
+ return (cli_printf(this_cli, 8007, "Access denied"), 1);
+ else
+ return 0;
+}
+
/* Functions provided by sysdep layer */
void cli_write_trigger(cli *);
diff --git a/nest/config.Y b/nest/config.Y
index 8dc8c71..5a89505 100644
--- a/nest/config.Y
+++ b/nest/config.Y
@@ -45,7 +45,7 @@ CF_KEYWORDS(INTERFACE, IMPORT, EXPORT, FILTER, NONE, TABLE, STATES, ROUTES, FILT
CF_KEYWORDS(PASSWORD, FROM, PASSIVE, TO, ID, EVENTS, PACKETS, PROTOCOLS, INTERFACES)
CF_KEYWORDS(PRIMARY, STATS, COUNT, FOR, COMMANDS, PREEXPORT, GENERATE)
CF_KEYWORDS(LISTEN, BGP, V6ONLY, ADDRESS, PORT, PASSWORDS, DESCRIPTION)
-CF_KEYWORDS(RELOAD, IN, OUT, MRTDUMP, MESSAGES)
+CF_KEYWORDS(RELOAD, IN, OUT, MRTDUMP, MESSAGES, RESTRICT)
CF_ENUM(T_ENUM_RTS, RTS_, DUMMY, STATIC, INHERIT, DEVICE, STATIC_DEVICE, REDIRECT,
RIP, OSPF, OSPF_IA, OSPF_EXT1, OSPF_EXT2, BGP, PIPE)
@@ -325,10 +325,10 @@ CF_CLI(SHOW STATUS,,, [[Show router status]])
{ cmd_show_status(); } ;
CF_CLI(SHOW PROTOCOLS, proto_patt2, [<protocol> | \"<pattern>\"], [[Show routing protocols]])
-{ proto_apply_cmd($3, proto_cmd_show, 0); } ;
+{ proto_apply_cmd($3, proto_cmd_show, 0, 0); } ;
CF_CLI(SHOW PROTOCOLS ALL, proto_patt2, [<protocol> | \"<pattern>\"], [[Show routing protocol details]])
-{ proto_apply_cmd($4, proto_cmd_show, 1); } ;
+{ proto_apply_cmd($4, proto_cmd_show, 0, 1); } ;
optsym:
SYM
@@ -459,25 +459,28 @@ echo_size:
;
CF_CLI(DISABLE, proto_patt, <protocol> | \"<pattern>\" | all, [[Disable protocol]])
-{ proto_apply_cmd($2, proto_cmd_disable, 0); } ;
+{ proto_apply_cmd($2, proto_cmd_disable, 1, 0); } ;
CF_CLI(ENABLE, proto_patt, <protocol> | \"<pattern>\" | all, [[Enable protocol]])
-{ proto_apply_cmd($2, proto_cmd_enable, 0); } ;
+{ proto_apply_cmd($2, proto_cmd_enable, 1, 0); } ;
CF_CLI(RESTART, proto_patt, <protocol> | \"<pattern>\" | all, [[Restart protocol]])
-{ proto_apply_cmd($2, proto_cmd_restart, 0); } ;
+{ proto_apply_cmd($2, proto_cmd_restart, 1, 0); } ;
CF_CLI(RELOAD, proto_patt, <protocol> | \"<pattern>\" | all, [[Reload protocol]])
-{ proto_apply_cmd($2, proto_cmd_reload, CMD_RELOAD); } ;
+{ proto_apply_cmd($2, proto_cmd_reload, 1, CMD_RELOAD); } ;
CF_CLI(RELOAD IN, proto_patt, <protocol> | \"<pattern>\" | all, [[Reload protocol (just imported routes)]])
-{ proto_apply_cmd($3, proto_cmd_reload, CMD_RELOAD_IN); } ;
+{ proto_apply_cmd($3, proto_cmd_reload, 1, CMD_RELOAD_IN); } ;
CF_CLI(RELOAD OUT, proto_patt, <protocol> | \"<pattern>\" | all, [[Reload protocol (just exported routes)]])
-{ proto_apply_cmd($3, proto_cmd_reload, CMD_RELOAD_OUT); } ;
+{ proto_apply_cmd($3, proto_cmd_reload, 1, CMD_RELOAD_OUT); } ;
CF_CLI_HELP(DEBUG, ..., [[Control protocol debugging via BIRD logs]])
CF_CLI(DEBUG, proto_patt debug_mask, (<protocol> | <pattern> | all) (all | off | { states | routes | filters | events | packets }), [[Control protocol debugging via BIRD logs]])
-{ proto_apply_cmd($2, proto_cmd_debug, $3); } ;
+{ proto_apply_cmd($2, proto_cmd_debug, 1, $3); } ;
CF_CLI_HELP(MRTDUMP, ..., [[Control protocol debugging via MRTdump files]])
CF_CLI(MRTDUMP, proto_patt mrtdump_mask, (<protocol> | <pattern> | all) (all | off | { states | messages }), [[Control protocol debugging via MRTdump format]])
-{ proto_apply_cmd($2, proto_cmd_mrtdump, $3); } ;
+{ proto_apply_cmd($2, proto_cmd_mrtdump, 1, $3); } ;
+
+CF_CLI(RESTRICT,,,[[Restrict current CLI session to safe commands]])
+{ this_cli->restricted = 1; cli_msg(16, "Access restricted"); } ;
proto_patt:
SYM { $$.ptr = $1; $$.patt = 0; }
diff --git a/nest/proto.c b/nest/proto.c
index 7c4d32d..e9cf3df 100644
--- a/nest/proto.c
+++ b/nest/proto.c
@@ -1006,8 +1006,12 @@ proto_apply_cmd_patt(char *patt, void (* cmd)(struct proto *, unsigned int, int)
}
void
-proto_apply_cmd(struct proto_spec ps, void (* cmd)(struct proto *, unsigned int, int), unsigned int arg)
+proto_apply_cmd(struct proto_spec ps, void (* cmd)(struct proto *, unsigned int, int),
+ int restricted, unsigned int arg)
{
+ if (restricted && cli_access_restricted())
+ return;
+
if (ps.patt)
proto_apply_cmd_patt(ps.ptr, cmd, arg);
else
diff --git a/nest/protocol.h b/nest/protocol.h
index d652c4f..99356a3 100644
--- a/nest/protocol.h
+++ b/nest/protocol.h
@@ -213,7 +213,7 @@ void proto_cmd_reload(struct proto *, unsigned int, int);
void proto_cmd_debug(struct proto *, unsigned int, int);
void proto_cmd_mrtdump(struct proto *, unsigned int, int);
-void proto_apply_cmd(struct proto_spec ps, void (* cmd)(struct proto *, unsigned int, int), unsigned int arg);
+void proto_apply_cmd(struct proto_spec ps, void (* cmd)(struct proto *, unsigned int, int), int restricted, unsigned int arg);
struct proto *proto_get_named(struct symbol *, struct protocol *);
#define CMD_RELOAD 0