Commit graph

49 commits

Author SHA1 Message Date
Donald Sharp 32894bf8af
Merge pull request #13024 from opensourcerouting/fix/bgpd_prefix-list_changes_not_affected
lib: Adjust only any flag for prefix-list entries if destroying
2023-03-18 07:31:12 -04:00
Donatas Abraitis 61c07b9d43 lib: Adjust only any flag for prefix-list entries if destroying
Before this patch, if we destroy `any` flag for a prefix-list entry, we always
set destination as 0.0.0.0/0 and/or ::/0.

This means that, if we switch from `ip prefix-list r1-2 seq 5 deny any` to
`ip prefix-list r1-2 seq 5 permit 10.10.10.10/32` we will have
`permit any` eventually, which broke ACLs.

Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
2023-03-17 14:54:39 +02:00
Donald Sharp e2e8f8dd51 lib: Speedup prefix-list readin by a large factor
Reading in prefix-lists is reading in the specified
prefix list and validating that the prefix is unique
2 times.  This makes no sense.  Relax the requirement
that a prefix list can limit this as well as completely
remove this check.  Validation then just becomes
does this prefix-list specified actually make sense
and that is taken care of by the cli code.

Reading in prefix-lists was looking for duplicate prefixes
2 times instead of doing it just one time.  Let's just
not do it at all.

By doing this change, the code changes from never
completing for a 27k long prefix-list to taking
just under 30 seconds, with 4 daemons processing
this data.

Signed-off-by: Donald Sharp <sharpd@nvidia.com>
2023-03-16 10:40:35 -04:00
David Lamparter acddc0ed3c *: auto-convert to SPDX License IDs
Done with a combination of regex'ing and banging my head against a wall.

Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2023-02-09 14:09:11 +01:00
David Lamparter ae08de9f42 *: fix non-const northbound XPath format strings
Passing a pre-formatted buffer in these places needs a `"%s"` in front
so it doesn't get formatted twice.

Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2023-01-27 12:01:20 +01:00
anlan_cs efa354a978 lib: fix wrong returned value for filter
When setting rule for access-list ( and prefix-list ) without sequence, it
will automatically get a sequence by `acl_get_seq()`, and return
`CMD_SUCCESS` for the command even if this sequence value is wrong.

In this scene, `CMD_WARNING_CONFIG_FAILED` should be returned with a
warning.

So, add the check in `acl_get_seq()` and move `nb_cli_enqueue_change()`
after the check of wrong sequence.

Both `plist_remove_if_empty()` and `acl_remove_if_empty()` should ignore
this check, there is no change on them.

Before:
```
anlan(config)# access-list aa seq 4294967295 deny 6.6.6.6/32
anlan(config)# access-list aa deny 6.6.6.7/32  <- Return CMD_SUCCESS
YANG error(s):
 Value "4294967300" is out of uint32's min/max bounds.
 Value "4294967300" is out of uint32's min/max bounds.
 Value "4294967300" is out of uint32's min/max bounds.
 Value "4294967300" is out of uint32's min/max bounds.
 Value "4294967300" is out of uint32's min/max bounds.
 YANG path: Schema location /frr-filter:lib/prefix-list/entry/sequence.
% Failed to edit configuration.
```

After:
```
anlan(config)# access-list aa seq 4294967295 deny 6.6.6.6/32
anlan(config)# access-list aa deny 6.6.6.7/32  <- Return CMD_WARNING_CONFIG_FAILED
% Malformed sequence value
```

Additionally, fixed the overflow issue on `acl_get_seq()` on **32bit** platforms.
Just change the returned type of `acl_get_seq()` from `long` to `int64_t`.

Before:
```
anlan(config)# access-list bb seq 4294967295 deny 6.6.6.6/32
anlan(config)# access-list bb deny 6.6.6.7/32
anlan(config)# do show run
...
access-list bb seq 4294967295 deny 6.6.6.6/32
access-list bb seq 4 deny 6.6.6.7/32 <- Overflow
```

After:
```
anlan(config)# access-list bb seq 4294967295 deny 6.6.6.6/32
anlan(config)# access-list bb deny 6.6.6.7/32
% Malformed sequence value
```

Signed-off-by: anlan_cs <vic.lan@pica8.com>
2023-01-17 09:36:50 +08:00
David Lamparter 89cb86aeb0 build, vtysh: extract vtysh commands from .xref
Rather than running selected source files through the preprocessor and a
bunch of perl regex'ing to get the list of all DEFUNs, use the data
collected in frr.xref.

This not only eliminates issues we've been having with preprocessor
failures due to nonexistent header files, but is also much faster.
Where extract.pl would take 5s, this now finishes in 0.2s.  And since
this is a non-parallelizable build step towards the end of the build
(dependent on a lot of other things being done already), the speedup is
actually noticeable.

Also files containing CLI no longer need to be listed in `vtysh_scan`
since the .xref data covers everything.  `#ifndef VTYSH_EXTRACT_PL`
checks are equally obsolete.

Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2022-10-26 17:12:34 +01:00
Donatas Abraitis 1db0e0c6c8 lib: Ignore duplicate alist/plist entries in CLI
If a duplicate value is entered, the whole plist/alist is just dropped.

Before:
```
$ grep prefix-list /etc/frr/frr.conf
ip prefix-list test seq 5 permit 1.1.1.1/32
ip prefix-list test seq 10 permit 1.1.1.1/32
$ systemctl restart frr
$ vtysh -c 'show run | include prefix-list'
$
```

After:
```
$ grep prefix-list /etc/frr/frr.conf
ip prefix-list test seq 5 permit 1.1.1.1/32
ip prefix-list test seq 10 permit 1.1.1.1/32
$ systemctl restart frr
$ vtysh -c 'show run | include prefix-list'
ip prefix-list test seq 5 permit 1.1.1.1/32
```

Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
2022-04-25 19:41:17 +03:00
Donatas Abraitis c60dec369a lib: Add autocomplete for access-lists
Signed-off-by: Donatas Abraitis <donatas.abraitis@gmail.com>
2021-10-31 20:26:06 +02:00
Donald Sharp 6f354338f9
Merge pull request #9824 from idryzhov/nb-cli-const-lyd-node
lib: northbound cli show/cmd functions must not modify data nodes
2021-10-25 07:55:39 -04:00
Igor Ryzhov 2560505196 lib: northbound cli show/cmd functions must not modify data nodes
To ensure this, add a const modifier to functions' arguments. Would be
great to do this initially and avoid this large code change, but better
late than never.

Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
2021-10-13 20:12:35 +03:00
Igor Ryzhov 7e86999140 *: cleanup number-named access-lists in CLI
There's no more difference between number-named and word-named access-lists.
This commit removes separate arguments for number-named ACLs from CLI.

Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
2021-10-08 19:25:41 +03:00
Igor Ryzhov 667dcc277c lib: fix prefix-list duplication check
Currently, when we check the new prefix-list entry for duplication, we
only take filled in fields into account and ignore optional fields.
For example, if we already have `ip prefix-list A 0.0.0.0/0 le 32` and
we try to add `ip prefix-list A 0.0.0.0/0`, it is treated as duplicate.
We should always compare all prefix-list fields when doing the check.

Fixes #9355.

Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
2021-08-10 22:31:42 +03:00
Wesley Coakley 6907bb6bbf
lib: ip prefix-list enforce expected ge le behavior
When specifying only an "le" for an existing ip prefix-list qualified with
both an "le" and "ge" make sure to remove the "ge" property so it does
not stay in the tree.

E.g. Saying these two things in order:

```
ip prefix-list test seq 1 permit 1.1.0.0/16 ge 18 le 24
ip prefix-list test seq 1 permit 1.1.0.0/16 ge 18
```

... should result in the second statement "overwriting" the first like
this:

```
vxdev-arch# do show ip prefix-list
ZEBRA: ip prefix-list foobar: 3 entries
   seq 1 permit 15.0.0.0/16 ge 18
```

Previously this did not happen and "le" would stick around since it was
never given NB_OP_DESTROY and purged from the data tree.

Signed-off-by: Wesley Coakley <wcoakley@nvidia.com>
2021-05-06 14:07:06 -04:00
Igor Ryzhov 1dc32c419d lib: delete empty access-lists
We should delete the access-list when the last entry and remark is
deleted. This is already done for prefix-lists.

Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
2021-04-06 23:18:47 +03:00
Igor Ryzhov ad2b07055c lib: fix deletion of empty prefix-lists
We delete the prefix-list when its last entry is deleted, but the check
is missed when we delete the description.

Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
2021-04-06 23:18:47 +03:00
Igor Ryzhov a0145975e3 lib: fix usage of operational data in CLI
CLI must never use operational data, because this won't work in
transactional mode. Rework search for prefix-list/access-list entries
using only candidate config.

Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
2021-04-06 23:18:47 +03:00
Igor Ryzhov 451e6dcfc7 lib: fix check for duplicated access-list entries
The correct string representation for "empty" type is an empty string.

Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
2021-04-06 20:38:24 +03:00
Russ White fb7c845e0d
Merge pull request #8311 from idryzhov/nb-sorting
Sort route-maps/access-lists/prefix-lists by sequence number in running-config
2021-03-30 10:37:31 -04:00
Igor Ryzhov 4179f151fe lib: fix checking for duplicated prefix-list entries
Restore the behavior that was before the NB conversion.

Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
2021-03-30 00:37:52 +03:00
Igor Ryzhov 18abe2b91e lib: fix checking for duplicated access-list entries
Restore the behavior that was before the NB conversion.

Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
2021-03-29 22:54:03 +03:00
Igor Ryzhov 73695730f5 lib: sort prefix-list commands by sequence-number in running-config
Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
2021-03-23 16:24:40 +03:00
Igor Ryzhov ae253f502e lib: sort access-list commands by sequence-number in running-config
Signed-off-by: Igor Ryzhov <iryzhov@nfware.com>
2021-03-23 16:24:40 +03:00
varasteh b3511a7247 [filter]: change return code for errors
CMD_WARNING is replaced by CMD_WARNING_CONFIG_FAILED

Signed-off-by: varasteh <mahdy.varasteh@gmail.com>
2021-02-08 16:02:32 +03:30
Rafael Zalamena 866f48f2df lib: silently ignore duplicated values
Keep the previous CLI behavior of silently ignoring access lists which
contain the same value.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-12-07 12:20:22 -03:00
Rafael Zalamena 208dc372cd lib: silently ignore duplicated values
Keep the previous CLI behavior of silently ignoring access lists which
contain the same value.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-12-04 18:12:58 -03:00
Rafael Zalamena b1993be687 lib: fix cisco access list wildcard usage
Don't attempt to compress the wildcard information to fit a `/M`, but
use its own full 4 byte field.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-10-04 07:05:17 -03:00
Rafael Zalamena 0ed507dda0 lib: refactory cisco access list net wildcard
Wildcard bits have the opposite representation of a network mask,
example:

192.168.0.0/24 has the following netmask 255.255.0.0 and the wildcard
representation is 0.0.255.255.

To avoid future confusion let's put those definitions into a macro so we
know for sure which form to use.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-08-26 12:50:07 -03:00
Rafael Zalamena 070783e693 lib: fix a crash in zebra style access list
When removing an IPv4 prefix configuration the wrong amount of bytes
will be read from `struct prefix_ipv4` from `DEFPY`, so let's use the
proper function for this.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-08-25 10:35:46 -03:00
Rafael Zalamena 4204c59a99 lib: remove ambiguous cisco command
When configuring an access list rule with type `any` it is now ambiguous
between cisco and zebra because both have the same syntax, so let's
remove the cisco command to avoid that.

YANG users will not notice this change.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-08-25 10:35:46 -03:00
Rafael Zalamena 4859a57e11 lib: fix filter extended address assignment
`nb_cli_enqueue_change` just points to the string values passed in
parameter, so we must use different strings for different function
calls (at least until `nb_cli_apply_changes`).

While here fix a variable name typo/copy paste error on destination host
case.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-08-25 10:35:46 -03:00
Rafael Zalamena 59ed102f96 lib: allow cisco typed rules to use names
The restriction was already lifted at the YANG model level, now let's
unlock the CLI as well.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-08-25 10:35:46 -03:00
Renato Westphal ca77b518bd *: introduce DEFPY_YANG & friends
DEFPY_YANG will allow the CLI to identify which commands are
YANG-modeled or not before executing them. This is going to be
useful for the upcoming configuration back-off timer work that
needs to commit pending configuration changes before executing a
command that isn't YANG-modeled.

Signed-off-by: Renato Westphal <renato@opensourcerouting.org>
2020-08-03 15:17:03 -03:00
Rafael Zalamena 375d157f0e lib,yang: merge cisco/zebra access list styles
Merge the cisco style access list with zebra's logic so we can mix both
types of rules while keeping the commands.

With this the cisco style limitation of having 'destination-*' only for
specific number ranges no longer exists for users of YANG/northbound (the
CLI still has this limitation).

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-07-19 15:27:56 -03:00
David Lamparter a26305a8ba build: fix frr-format warnings
Unfortunately, the way the frr-format plugin is set up, snprintf() with
PRId64 can generate false warnings :|.  Easy workaround is to use
snprintfrr().

Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2020-06-19 01:09:10 +02:00
Rafael Zalamena 49e3e49d72 lib: use relative XPath to filter entry attributes
We can avoid a big amount of `snprintf` by using relative XPath in
`nb_cli_apply_changes`.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-06-05 16:42:16 -03:00
Rafael Zalamena 84fdeb2015 lib: filter remove extra CLI transaction
`acl_get_seq` should be able to get the sequence number from candidate
configuration without needing to commit anything midway.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-06-05 16:42:16 -03:00
Rafael Zalamena be96651c93 lib: add YANG model enumerations for filter
Avoid magic numbers by using enumerations.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-06-05 16:42:11 -03:00
Rafael Zalamena 019f8325a5 lib: implement legacy prefix list behaviour
Some tests expect that a prefix list structure is gone after all its
entries are removed, so let's keep that behaviour.

NOTE: users using YANG/northbound directly without CLI won't be
affected.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-06-05 14:36:54 -03:00
Rafael Zalamena 88b8bfdc8a lib: fix two filter cli problems
- Show the correct cisco style access list extended information.
- `assert` action so static analyzer doesn't complain about possible
  NULL usage.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-06-05 14:36:54 -03:00
Rafael Zalamena 25ceb5d807 lib: fix access list mac removal command
Copy & paste mistake: MAC commands need `X:X:X:X:X:X` and not
`X:X::X:X/M` types. Also, MAC access-lists don't use `exact-match`.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-06-05 14:36:53 -03:00
Rafael Zalamena c7d3de9ff2 lib: add 'no ... remark LINE' commands
Implement the commands `no ... remark LINE` for cisco and zebra style
access lists to match `ipX prefix-list description LINE` command set.

It is useful when you just want to go through the command history and
prepend a `no` to a `remark` or `description` command. Example:

```
access-list foo remark just another acl
!
! ...
!
! Suddenly we decide we no longer think that remark is useful,
! lets press up key to find that line in history and append `no`:
no access-list foo remark just another acl
```

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-06-05 14:36:53 -03:00
Rafael Zalamena 1d7b156e7e lib: bump filter CLI XPath buffers size
Bump the size of the buffers so the new compilers don't complain about
possible truncation:
```
lib/filter_cli.c: In function ‘ipv6_prefix_list_magic.isra.0’:
lib/filter_cli.c:1336:5: error: ‘%lld’ directive output may be truncated writing between 1 and 20 bytes into a region of size between 16 and 527 [-Werror=format-truncation=]
 1336 |     "%s/entry[sequence='%" PRId64 "']", xpath, sseq);
      |     ^~~~~~~~~~~~~~~~~~~~~~
lib/filter_cli.c:1336:25: note: format string is defined here
 1336 |     "%s/entry[sequence='%" PRId64 "']", xpath, sseq);
lib/filter_cli.c:1336:5: note: directive argument in the range [-9223372036854775803, 9223372036854775807]
 1336 |     "%s/entry[sequence='%" PRId64 "']", xpath, sseq);
      |     ^~~~~~~~~~~~~~~~~~~~~~
```

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-06-05 14:36:53 -03:00
Rafael Zalamena cc82bcc161 lib: fix prefix list description command
Changes:
- Use `description` on CLI but `remark` on YANG like access-list (also
  because `description` is a reserved word).
- Rename YANG model field and northbound code.
- Fix wrong sequence type get.
- Fix wrong action XPath in action callback.
- Fix wrong concat in (ipv6|mac) access-list.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-06-05 14:36:53 -03:00
Rafael Zalamena 1d3c4b664d lib: migrate filter configuration writer
Use northbound to write the configuration from now on. While here, fix
how `exact-match` configuration is being created.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-06-05 14:36:53 -03:00
Rafael Zalamena 63895e83cb lib: fix filter northbound crash when batching
Look up next sequence number by checking XPath instead of trying to
access unallocated context data structures.

This only applies for creation, on destroy the data structures must be
there.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-06-05 14:36:52 -03:00
Rafael Zalamena ff94358e54 lib: fix rebase conflicts
Changes:
- Remove unused variable.
- Make prototypes static like the declaration.
- Fix new compilers complaint about uninitialized values.
- Fix new compilers complaint about small buffer for `snprintf` concatenation.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-06-05 14:36:52 -03:00
Rafael Zalamena 89b7c834a5 lib: migrate prefix-list to use northbound
Implement all northbound CLI commands for prefix lists.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-06-05 14:36:52 -03:00
Rafael Zalamena b62578bd9b lib: migrate filter CLI to use northbound
Migrate all filter commands to use the newly implemented northbound.

Signed-off-by: Rafael Zalamena <rzalamena@opensourcerouting.org>
2020-06-05 14:36:45 -03:00