Additional CLI sockets may now be restricted
This allows having one main socket for the heavy operations, tightly restricted to the appropriate users, whereas the looking glass socket may be more open. Implemented an idea originally submitted and requested by Akamai.
This commit is contained in:
parent
5b53fe36e7
commit
064ac4dbb4
@ -100,7 +100,6 @@ CF_DECLS
|
|||||||
mpls_label_stack *mls;
|
mpls_label_stack *mls;
|
||||||
const struct adata *bs;
|
const struct adata *bs;
|
||||||
struct aggr_item_node *ai;
|
struct aggr_item_node *ai;
|
||||||
struct cli_config *cli;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
%token END CLI_MARKER INVALID_TOKEN ELSECOL DDOT
|
%token END CLI_MARKER INVALID_TOKEN ELSECOL DDOT
|
||||||
|
@ -1253,6 +1253,11 @@ socket multiple times and BIRD may behave weirdly if this happens. On shutdown,
|
|||||||
the additional sockets get removed immediately and only the main socket stays
|
the additional sockets get removed immediately and only the main socket stays
|
||||||
until the very end.
|
until the very end.
|
||||||
|
|
||||||
|
<p>The remote control socket can be also set as restricted by
|
||||||
|
<cf/cli "name" { restrict; };/ instead of sending the <cf/restrict/ command
|
||||||
|
after connecting. The user may still overload the daemon by requesting insanely
|
||||||
|
complex filters so you shouldn't expose this socket to public anyway.
|
||||||
|
|
||||||
<sect>Usage
|
<sect>Usage
|
||||||
<label id="remote-control-usage">
|
<label id="remote-control-usage">
|
||||||
|
|
||||||
|
@ -306,7 +306,7 @@ cli_event(void *data)
|
|||||||
}
|
}
|
||||||
|
|
||||||
cli *
|
cli *
|
||||||
cli_new(void *priv)
|
cli_new(void *priv, struct cli_config *cf)
|
||||||
{
|
{
|
||||||
pool *p = rp_new(cli_pool, "CLI");
|
pool *p = rp_new(cli_pool, "CLI");
|
||||||
cli *c = mb_alloc(p, sizeof(cli));
|
cli *c = mb_alloc(p, sizeof(cli));
|
||||||
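Review bot: cli_new now takes a `struct cli_config *cf` that the following hunk dereferences unconditionally (`cf->config`, `cf->restricted`) and on which it registers a config obstacle that only cli_free releases, but neither this definition nor the changed prototype in cli.h states that contract. A short header comment above the definition would cover it, e.g. `/* cf must be non-NULL; the new cli keeps a pointer to cf and holds an obstacle on cf->config until cli_free() */`. The body of cli_new continues past this hunk.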
@ -321,6 +321,12 @@ cli_new(void *priv)
|
|||||||
c->parser_pool = lp_new_default(c->pool);
|
c->parser_pool = lp_new_default(c->pool);
|
||||||
c->show_pool = lp_new_default(c->pool);
|
c->show_pool = lp_new_default(c->pool);
|
||||||
c->rx_buf = mb_alloc(c->pool, CLI_RX_BUF_SIZE);
|
c->rx_buf = mb_alloc(c->pool, CLI_RX_BUF_SIZE);
|
||||||
|
|
||||||
|
c->config = cf;
|
||||||
|
config_add_obstacle(cf->config);
|
||||||
|
if (cf->restricted)
|
||||||
|
c->restricted = 1;
|
||||||
|
|
||||||
ev_schedule(c->event);
|
ev_schedule(c->event);
|
||||||
return c;
|
return c;
|
||||||
}
|
}
|
||||||
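Review bot: The two-line `if (cf->restricted) c->restricted = 1;` copies a flag that is declared `_Bool restricted` in cli_config, so if `c->restricted` is a plain integer or boolean flag (its declaration is not in this hunk) a single `c->restricted = cf->restricted;` says the same thing more directly. The obstacle taken by `config_add_obstacle(cf->config)` pins the configuration the socket was created under for as long as the session lives, which is worth a one-line comment since it is not obvious from the call alone, e.g. `/* keep the originating config alive while this session refers to it */`.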
@ -413,6 +419,7 @@ cli_free(cli *c)
|
|||||||
c->cleanup(c);
|
c->cleanup(c);
|
||||||
if (c == cmd_reconfig_stored_cli)
|
if (c == cmd_reconfig_stored_cli)
|
||||||
cmd_reconfig_stored_cli = NULL;
|
cmd_reconfig_stored_cli = NULL;
|
||||||
|
config_del_obstacle(c->config->config);
|
||||||
rfree(c->pool);
|
rfree(c->pool);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -29,6 +29,7 @@ struct cli_out {
|
|||||||
|
|
||||||
typedef struct cli {
|
typedef struct cli {
|
||||||
node n; /* Node in list of all log hooks */
|
node n; /* Node in list of all log hooks */
|
||||||
|
struct cli_config *config; /* Configuration of the appropriate cli */
|
||||||
pool *pool;
|
pool *pool;
|
||||||
void *priv; /* Private to sysdep layer */
|
void *priv; /* Private to sysdep layer */
|
||||||
byte *rx_buf, *rx_pos; /* sysdep */
|
byte *rx_buf, *rx_pos; /* sysdep */
|
||||||
@ -60,6 +61,7 @@ struct cli_config {
|
|||||||
const char *name;
|
const char *name;
|
||||||
struct config *config;
|
struct config *config;
|
||||||
uint uid, gid, mode;
|
uint uid, gid, mode;
|
||||||
|
_Bool restricted;
|
||||||
};
|
};
|
||||||
#include "lib/tlists.h"
|
#include "lib/tlists.h"
|
||||||
|
|
||||||
@ -81,7 +83,7 @@ static inline void cli_separator(cli *c)
|
|||||||
|
|
||||||
/* Functions provided to sysdep layer */
|
/* Functions provided to sysdep layer */
|
||||||
|
|
||||||
cli *cli_new(void *);
|
cli *cli_new(void *, struct cli_config *);
|
||||||
void cli_init(void);
|
void cli_init(void);
|
||||||
void cli_free(cli *);
|
void cli_free(cli *);
|
||||||
void cli_kick(cli *);
|
void cli_kick(cli *);
|
||||||
|
@ -14,6 +14,7 @@ CF_HDR
|
|||||||
CF_DEFINES
|
CF_DEFINES
|
||||||
|
|
||||||
static struct log_config *this_log;
|
static struct log_config *this_log;
|
||||||
|
static struct cli_config *this_cli_config;
|
||||||
|
|
||||||
CF_DECLS
|
CF_DECLS
|
||||||
|
|
||||||
@ -21,7 +22,6 @@ CF_KEYWORDS(LOG, SYSLOG, NAME, STDERR, UDP, PORT, CLI)
|
|||||||
CF_KEYWORDS(ALL, DEBUG, TRACE, INFO, REMOTE, WARNING, ERROR, AUTH, FATAL, BUG)
|
CF_KEYWORDS(ALL, DEBUG, TRACE, INFO, REMOTE, WARNING, ERROR, AUTH, FATAL, BUG)
|
||||||
CF_KEYWORDS(DEBUG, LATENCY, LIMIT, WATCHDOG, WARNING, TIMEOUT, THREADS)
|
CF_KEYWORDS(DEBUG, LATENCY, LIMIT, WATCHDOG, WARNING, TIMEOUT, THREADS)
|
||||||
|
|
||||||
%type <cli> cli_opts
|
|
||||||
%type <i> log_mask log_mask_list log_cat cfg_timeout
|
%type <i> log_mask log_mask_list log_cat cfg_timeout
|
||||||
%type <t> cfg_name
|
%type <t> cfg_name
|
||||||
%type <tf> timeformat_which
|
%type <tf> timeformat_which
|
||||||
@ -127,18 +127,26 @@ mrtdump_base:
|
|||||||
conf: cli ;
|
conf: cli ;
|
||||||
|
|
||||||
cli: CLI text cli_opts {
|
cli: CLI text cli_opts {
|
||||||
$3->name = $2;
|
this_cli_config->name = $2;
|
||||||
cli_config_add_tail(&new_config->cli, $3);
|
cli_config_add_tail(&new_config->cli, this_cli_config);
|
||||||
|
this_cli_config = NULL;
|
||||||
} ;
|
} ;
|
||||||
|
|
||||||
cli_opts: ';' {
|
cli_opts: cli_opts_begin '{' cli_opts_block '}' ';' | cli_opts_begin ';' ;
|
||||||
$$ = cfg_alloc(sizeof *$$);
|
|
||||||
*$$ = (typeof (*$$)) {
|
cli_opts_begin: {
|
||||||
|
this_cli_config = cfg_alloc(sizeof *this_cli_config);
|
||||||
|
*this_cli_config = (typeof (*this_cli_config)) {
|
||||||
.config = new_config,
|
.config = new_config,
|
||||||
.mode = 0660,
|
.mode = 0660,
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
cli_opts_block:
|
||||||
|
/* EMPTY */ |
|
||||||
|
cli_opts_block RESTRICT { this_cli_config->restricted = 1; }
|
||||||
|
;
|
||||||
|
|
||||||
conf: debug_unix ;
|
conf: debug_unix ;
|
||||||
|
|
||||||
debug_unix:
|
debug_unix:
|
||||||
|
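Review bot: The `cli_opts_block RESTRICT` rule accepts the keyword with no terminating `';'`, while the documentation hunk in this same commit spells the syntax as `cli "name" { restrict; };`; as written, the documented form appears to stop at the `;` after `restrict` unless the lexer drops it, which is not visible here. Either the rule should read `cli_opts_block RESTRICT ';' { this_cli_config->restricted = 1; }` or the documentation should drop the semicolon. `RESTRICT` does not appear in any CF_KEYWORDS list on this page, so it presumably comes from an existing declaration for the restrict command; worth confirming. Note that cli_opts_begin leaves `restricted` at 0 because the compound literal sets only `.config` and `.mode`, so sockets stay unrestricted by default, matching the previous behaviour.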
@ -538,7 +538,7 @@ cli_connect(sock *s, uint size UNUSED)
|
|||||||
s->rx_hook = cli_rx;
|
s->rx_hook = cli_rx;
|
||||||
s->tx_hook = cli_tx;
|
s->tx_hook = cli_tx;
|
||||||
s->err_hook = cli_err;
|
s->err_hook = cli_err;
|
||||||
s->data = c = cli_new(s);
|
s->data = c = cli_new(s, ((struct cli_listener *) s->data)->config);
|
||||||
s->pool = c->pool; /* We need to have all the socket buffers allocated in the cli pool */
|
s->pool = c->pool; /* We need to have all the socket buffers allocated in the cli pool */
|
||||||
s->fast_rx = 1;
|
s->fast_rx = 1;
|
||||||
c->rx_pos = c->rx_buf;
|
c->rx_pos = c->rx_buf;
|
||||||
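Review bot: The cast `((struct cli_listener *) s->data)->config` assumes the accepted socket's `data` still holds the listener object that cli_listen stores with `s->data = l` on the listening socket; that depends on the accept path copying `data` from the listener, which this commit does not show, and if the invariant ever changes the result is a type-confused read of the config pointer. The line deserves a comment recording it, e.g. `/* s->data is inherited from the listening socket: its struct cli_listener */`. The rest of cli_connect lies outside this hunk.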
@ -555,7 +555,7 @@ cli_listen(struct cli_config *cf)
|
|||||||
s->type = SK_UNIX_PASSIVE;
|
s->type = SK_UNIX_PASSIVE;
|
||||||
s->rx_hook = cli_connect;
|
s->rx_hook = cli_connect;
|
||||||
s->err_hook = cli_connect_err;
|
s->err_hook = cli_connect_err;
|
||||||
s->data = cf;
|
s->data = l;
|
||||||
s->rbsize = 1024;
|
s->rbsize = 1024;
|
||||||
s->fast_rx = 1;
|
s->fast_rx = 1;
|
||||||
|
|
||||||
|