[tac_plus] Re: Deep command filtering

jathan. jathan at gmail.com
Mon Aug 20 20:38:08 UTC 2007


Hmm-

Are you absolutely sure?  I am running 4.0.4.13 and when I attempt to
restart the daemon I see:

Aug 20 15:21:40 tac-ntc tac_plus[6709]: Reading config
Aug 20 15:21:40 tac-ntc tac_plus[6709]: Error expecting '}' but found 'bgp' on line 61
Aug 20 15:21:40 tac-ntc tac_plus: Error: expecting '}' but found 'bgp' on line 61
Aug 20 15:21:40 tac-ntc tacacs: tac_plus startup failed

Using your example, line 61 is:

     60     cmd = show {
     61         deny ip bgp regexp.*\\
     62         permit .*
     63     }

No dice.  Any suggestions?

# tac_plus -v
tac_plus version F4.0.4.13
ACLS
FIONBIO
LIBWRAP
LINUX
LITTLE_ENDIAN
LOG_DAEMON
PAM
NO_PWAGE
REAPCHILD
REARMSIGNAL
RETSIGTYPE RETSIGTYPE
SHADOW_PASSWORDS
SIGTSTP
SIGTTIN
SIGTTOU
SO_REUSEADDR
STRERROR
TAC_PLUS_PORT
UENABLE
__STDC__

On 8/20/07, john heasley <heas at shrubbery.net> wrote:
> Mon, Aug 20, 2007 at 10:38:02AM -0700, jathan.:
> > Hello-
> >
> > With the announcement of the latest Cisco PSIRT for "'sh ip bgp
> > regexp' crashing router".  Briefly what happens is that the router
> > will crash when you enter the command 'show ip bgp regexp'.
> >
> > For example:
> >
> > show ip bgp regexp (.*)(_\1)+
> >
> > I have been a user of tac_plus for a long time, but this is the first
> > time I have been asked to filter deep into a command tree.
> >
> > I am aware of something like
> >
> > cmd = show {
> >   deny ip
> >   permit .*
> > }
> >
> > I have never had any success going any deeper such as:
> >
> > cmd = show {
> >   deny ip bgp regexp
> > }
> >
> > Is this even possible?  Any help or feedback would be appreciated.
> > It's looking like in the interim my only remedy is to block access to
> > 'show ip' period, and that's quite a nuisance.
>
> Yes, this will work just fine, but I believe it is a bigger hammer than
> necessary.  My suspicion is that
>
>    deny ip bgp regexp.*\\
>
> is sufficient.  It is likely the [non-sensical & unnecessary in the sense
> of AS-paths] reference operator (\N) that is to blame.
>


-- 
jathan.
00bliss.dj.switchstance
www.00bliss.com
--
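Added example (not from this thread and not tac_plus code): a small Python model of tac_plus-style first-match command authorization, useful for checking which "show" commands a rule set would deny before the daemon is restarted with it. It assumes, which the thread does not state, that the config lexer splits a rule line on whitespace, so a multi-word pattern such as ip bgp regexp.* has to be double-quoted to be read as one regex, and that patterns are unanchored searches against the command's arguments. The two config blocks and the command lines are constructed for the example.

```python
import re

# Added example, not tac_plus code. It simulates tac_plus-style per-command
# authorization: rules inside a "cmd = NAME { ... }" block are tried in order,
# the first regex that matches the command's arguments wins, and a command
# that matches no rule falls back to the block's default (deny here).
#
# Assumptions (not stated in the thread): the config lexer splits rule lines
# on whitespace, so a multi-word pattern such as  ip bgp regexp.*  must be
# double-quoted to be read as a single regex, and patterns are unanchored
# searches against the argument string.

# Constructed config: the quoted form of the rule suggested in the thread.
CMD_BLOCK = r'''
cmd = show {
    deny "ip bgp regexp.*"
    permit .*
}
'''

# Constructed config: the unquoted multi-word rule from the failing attempt.
BROKEN_BLOCK = r'''
cmd = show {
    deny ip bgp regexp.*\\
    permit .*
}
'''

# A token is either a double-quoted string (kept whole) or a run of non-space.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(line):
    """Split a rule line into tokens, keeping a double-quoted string whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(line)]


def parse_cmd_block(text):
    """Return (command name, [(action, compiled regex), ...]) for one cmd block.

    Raises ValueError when a rule line does not consist of exactly
    'permit|deny <one pattern>', which is the shape of mistake that makes
    the real daemon refuse its config at startup.  Line numbers are
    relative to the block body, not to the config file.
    """
    m = re.search(r'cmd\s*=\s*(\S+)\s*\{(.*?)\}', text, re.S)
    if not m:
        raise ValueError("no cmd block found")
    name, body = m.group(1), m.group(2)
    rules = []
    for lineno, raw in enumerate(body.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        tokens = tokenize(line)
        if len(tokens) != 2 or tokens[0] not in ('permit', 'deny'):
            raise ValueError(
                f"line {lineno}: expected 'permit|deny <regex>' but found "
                f"{line!r} (quote patterns that contain spaces)")
        action, pattern = tokens
        rules.append((action, re.compile(pattern)))
    return name, rules


def authorize(command_line, name, rules, default='deny'):
    """Return 'permit', 'deny', or None when the block does not cover the command."""
    words = command_line.split()
    if not words or words[0] != name:
        return None
    args = ' '.join(words[1:])          # everything after the command keyword
    for action, regex in rules:         # first matching rule wins
        if regex.search(args):
            return action
    return default


def parse_error(text):
    """Return the parse error message for a config, or None if it parses."""
    try:
        parse_cmd_block(text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == '__main__':
    name, rules = parse_cmd_block(CMD_BLOCK)
    for cmd in ('show ip bgp regexp _65000_', 'show ip bgp summary', 'show ip route'):
        print(f'{cmd!r}: {authorize(cmd, name, rules)}')
    print('broken config:', parse_error(BROKEN_BLOCK))
```

Run as a script it prints the decision for each constructed command and the parse error for the unquoted block; the quoted rule denies only the "ip bgp regexp" subtree and leaves the rest of "show ip" permitted, which is the narrower filter the thread is after.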


More information about the tac_plus mailing list