[quagga-dev 4418] Problem using undefined access-list in distrbute lists

Alain Ritoux alain.ritoux at 6wind.com
Thu Sep 28 10:44:03 BST 2006


Within ABR context, if an acces-list is used but not defined, then the 
result
is somehow PERMIT. The same behaviour can be seen with distribute-lists 
as well.

But if take a look at route-map management, this is the opposite behaviour,
i.e. when an acces-list is used in a a test, but not defined, the result is
NOMATCH.

I think the second behaviour is better. Here after the suggested modifs,
relying on the fact that access_list_apply() result is FILTER_DENY when
the access-list ptr is NULL

This will change behaviour for what I think is a mis-configured thing, but
in my opinion it will be safer.

Your opinions ?

Note: From a first view, the same kind of pb exists in ripd (but needs
more modifs, as ri->list should be keep the ACL name to be able
to differantiat no acl used from no acl found), and maube others ...

Regards,
Alain




Code samples

_ospfd/ospf_abr.c

_...
static int
ospf_abr_should_announce (struct ospf *ospf,
struct prefix_ipv4 *p, struct ospf_route *or)
{
  struct ospf_area *area;
  area = ospf_area_lookup_by_area_id (ospf, or->u.std.area_id);
  assert (area);
  if (EXPORT_NAME (area))
    {
      if (EXPORT_LIST (area) == NULL)
        EXPORT_LIST (area) = access_list_lookup (AFI_IP, EXPORT_NAME 
(area));

*==>   /* if (EXPORT_LIST (area)) */*
**        if (access_list_apply (EXPORT_LIST (area), p) == FILTER_DENY)
          return 0;
    }
  return 1;
}
...
static int
ospf_abr_should_accept (struct prefix_ipv4 *p, struct ospf_area *area)
{
  if (IMPORT_NAME (area))
    {
      if (IMPORT_LIST (area) == NULL)
      IMPORT_LIST (area) = access_list_lookup (AFI_IP, IMPORT_NAME (area));

*==>     /* if (IMPORT_LIST (area)) */*
        if (access_list_apply (IMPORT_LIST (area), p) == FILTER_DENY)
          return 0;
    }
  return 1;
}
...


_ospfd/ospf_zebra.c

_...
/* return 1 if external LSA must be originated, 0 otherwise */
int
ospf_redistribute_check (struct ospf *ospf,
                         struct external_info *ei, int *changed)

...
 if (!DEFAULT_ROUTE_TYPE (type) && DISTRIBUTE_NAME (ospf, type))
    /* distirbute-list exists, but access-list may not? */
*==>  /* if (DISTRIBUTE_LIST (ospf, type)) */*
      if (access_list_apply (DISTRIBUTE_LIST (ospf, type), p) == 
FILTER_DENY)
        {
          if (IS_DEBUG_OSPF (zebra, ZEBRA_REDISTRIBUTE))
            zlog_debug ("Redistribute[%s]: %s/%d filtered by 
ditribute-list.",
                       LOOKUP (ospf_redistributed_proto, type),
                       inet_ntoa (p->prefix), p->prefixlen);
          return 0;
        }
...


as compared  to already existing code (that can be clean-up)

_ospfd/ospf_routemap.c
_
...
route_map_result_t
route_match_ip_address (void *rule, struct prefix *prefix,
                        route_map_object_t type, void *object)
{
  struct access_list *alist;
  /* struct prefix_ipv4 match; */

  if (type == RMAP_OSPF)
    {
      alist = access_list_lookup (AFI_IP, (char *) rule);
*==> /* This is un-necessary
**      if (alist == NULL)
        return RMAP_NOMATCH;
     */
*      return (access_list_apply (alist, prefix) == FILTER_DENY ?
              RMAP_NOMATCH : RMAP_MATCH);
    }
  return RMAP_NOMATCH;

...



-- 
Alain RITOUX
Tel +33-1-39-30-92-32
Fax +33-1-39-30-92-11
visit our web http://www.6wind.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.quagga.net/pipermail/quagga-dev/attachments/20060928/16186e55/attachment-0001.html>


More information about the Quagga-dev mailing list