Merge commit '08ff0af8' into thread-merge-2.16

conf/confbase.Y

@@ -105,7 +105,6 @@ CF_DECLS
   struct adata *ad;
   const struct adata *bs;
   struct aggr_item_node *ai;
-  struct cli_config *cli;
 }
 
 %token END CLI_MARKER INVALID_TOKEN ELSECOL DDOT

doc/bird.sgml

@@ -1298,6 +1298,11 @@ socket multiple times and BIRD may behave weirdly if this happens. On shutdown,
 the additional sockets get removed immediately and only the main socket stays
 until the very end.
 
+<p>The remote control socket can be also set as restricted by
+<cf/cli "name" { restrict; };/ instead of sending the <cf/restrict/ command
+after connecting. The user may still overload the daemon by requesting insanely
+complex filters so you shouldn't expose this socket to public anyway.
+
 <sect>Usage
 <label id="remote-control-usage">
 

nest/cli.c

@@ -272,7 +272,7 @@ cli_event(void *data)
 }
 
 cli *
-cli_new(struct birdsock *sock)
+cli_new(struct birdsock *sock, struct cli_config *cf)
 {
   pool *p = rp_new(cli_pool, the_bird_domain.the_bird, "CLI");
   cli *c = mb_alloc(p, sizeof(cli));
@@ -286,6 +286,10 @@ cli_new(struct birdsock *sock)
   c->cont = cli_hello;
   c->parser_pool = lp_new_default(c->pool);
   c->rx_buf = mb_alloc(c->pool, CLI_RX_BUF_SIZE);
+
+  if (cf->restricted)
+    c->restricted = 1;
+
   ev_schedule(c->event);
   return c;
 }

nest/cli.h

@@ -58,6 +58,7 @@ struct cli_config {
   const char *name;
   struct config *config;
   uint uid, gid, mode;
+  _Bool restricted;
 };
 #include "lib/tlists.h"
 
@@ -78,7 +79,7 @@ static inline void cli_separator(cli *c)
 
 /* Functions provided to sysdep layer */
 
-cli *cli_new(struct birdsock *);
+cli *cli_new(struct birdsock *, struct cli_config *);
 void cli_init(void);
 void cli_free(cli *);
 void cli_kick(cli *);

sysdep/unix/config.Y

@@ -14,6 +14,7 @@ CF_HDR
 CF_DEFINES
 
 static struct log_config *this_log;
+static struct cli_config *this_cli_config;
 
 CF_DECLS
 
@@ -22,7 +23,6 @@ CF_KEYWORDS(NAME, CONFIRM, UNDO, CHECK, TIMEOUT, DEBUG, LATENCY, LIMIT, WATCHDOG
 CF_KEYWORDS(PING, WAKEUP, SOCKETS, SCHEDULING, EVENTS, TIMERS, ALLOCATOR)
 CF_KEYWORDS(GRACEFUL, RESTART, FIXED)
 
-%type <cli> cli_opts
 %type <i> log_mask log_mask_list log_cat cfg_timeout debug_unix latency_debug_mask latency_debug_flag latency_debug_list
 %type <t> cfg_name
 %type <tf> timeformat_which
@@ -126,18 +126,26 @@ mrtdump_base:
 conf: cli ;
 
 cli: CLI text cli_opts {
-  $3->name = $2;
-  cli_config_add_tail(&new_config->cli, $3);
+  this_cli_config->name = $2;
+  cli_config_add_tail(&new_config->cli, this_cli_config);
+  this_cli_config = NULL;
 } ;
 
-cli_opts: ';' {
-  $$ = cfg_alloc(sizeof *$$);
-  *$$ = (typeof (*$$)) {
+cli_opts: cli_opts_begin '{' cli_opts_block '}' ';' | cli_opts_begin ';' ;
+
+cli_opts_begin: {
+  this_cli_config = cfg_alloc(sizeof *this_cli_config);
+  *this_cli_config = (typeof (*this_cli_config)) {
     .config = new_config,
     .mode = 0660,
   };
 };
 
+cli_opts_block:
+  /* EMPTY */ |
+  cli_opts_block RESTRICT { this_cli_config->restricted = 1; }
+;
+
 conf: THREADS expr {
     if ($2 < 1) cf_error("Number of threads must be at least one.");
     new_config->thread_count = $2;

sysdep/unix/main.c

@@ -550,7 +550,7 @@ cli_connect(sock *s, uint size UNUSED)
   s->rx_hook = cli_rx;
   s->tx_hook = cli_tx;
   s->err_hook = cli_err;
-  s->data = c = cli_new(s);
+  s->data = c = cli_new(s, ((struct cli_listener *) s->data)->config);
   s->pool = c->pool;		/* We need to have all the socket buffers allocated in the cli pool */
   s->fast_rx = 1;
   c->rx_pos = c->rx_buf;
@@ -567,7 +567,7 @@ cli_listen(struct cli_config *cf)
   s->type = SK_UNIX_PASSIVE;
   s->rx_hook = cli_connect;
   s->err_hook = cli_connect_err;
-  s->data = cf;
+  s->data = l;
   s->rbsize = 1024;
   s->fast_rx = 1;