[tac_plus] Re: Deep command filtering
john heasley
heas at shrubbery.net
Mon Aug 20 19:04:06 UTC 2007
Mon, Aug 20, 2007 at 10:38:02AM -0700, jathan.:
> Hello-
>
> With the announcement of the latest Cisco PSIRT for "'sh ip bgp
> regexp' crashing router". Briefly what happens is that the router
> will crash when you enter the command 'show ip bgp regexp'.
>
> For example:
>
> show ip bgp regexp (.*)(_\1)+
>
> I have been a user of tac_plus for a long time, but this is the first
> time I have been asked to filter deep into a command tree.
>
> I am aware of something like
>
> cmd = show {
>     deny ip
>     permit .*
> }
>
> I have never had any success going any deeper such as:
>
> cmd = show {
>     deny ip bgp regexp
> }
>
> Is this even possible? Any help or feedback would be appreciated.
> It's looking like in the interim my only remedy is to block access to
> 'show ip' period, and that's quite a nuisance.

Yes, this will work just fine, but I believe it is a bigger hammer than
necessary. My suspicion is that

    deny ip bgp regexp.*\\

is sufficient. It is likely the [non-sensical & unnecessary in the sense
of AS-paths] reference operator (\N) that is to blame.
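
Added example (not part of the original thread, and not tac_plus code): a small model for checking which "show" commands each of the three deny rules discussed above would block before deploying one. It assumes rules are tried in file order, the first matching pattern decides, and no match means deny; Python's re module stands in for the tac_plus regex engine, and the rule-set names and sample commands are constructed.

```python
import re

# Each rule set models one "cmd = show { ... }" block, in file order.
# The trailing "permit .*" comes from the first block in the quoted message.
RULESETS = {
    "deny ip": [("deny", r"ip"), ("permit", r".*")],
    "deny ip bgp regexp": [("deny", r"ip bgp regexp"), ("permit", r".*")],
    # Narrow rule from the reply: only arguments containing a backslash.
    "deny ip bgp regexp.*\\\\": [("deny", r"ip bgp regexp.*\\"), ("permit", r".*")],
}

def authorize(rules, args):
    """Return 'permit' or 'deny' for the argument string after 'show'.

    Assumed semantics: rules are tried top to bottom, the first pattern
    found anywhere in the argument string decides, no match means deny.
    """
    for action, pattern in rules:
        if re.search(pattern, args):
            return action
    return "deny"

# Constructed samples; the second is the example quoted in the thread.
SAMPLES = [
    "ip bgp regexp _65000$",
    r"ip bgp regexp (.*)(_\1)+",
    "ip bgp summary",
    "ip route 192.0.2.0",
    "version",
]

def evaluate(rules, samples=SAMPLES):
    """Map every sample argument string to its verdict under one rule set."""
    return {args: authorize(rules, args) for args in samples}

if __name__ == "__main__":
    for name, rules in RULESETS.items():
        print(f"--- {name}")
        for args, verdict in evaluate(rules).items():
            print(f"  {verdict:6}  show {args}")
```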