[tac_plus] Re: Deep command filtering
jathan.
jathan at gmail.com
Mon Aug 20 20:38:08 UTC 2007
Hmm-
Are you absolutely sure? I am running 4.0.4.13 and when I attempt to
restart the daemon I see:
Aug 20 15:21:40 tac-ntc tac_plus[6709]: Reading config
Aug 20 15:21:40 tac-ntc tac_plus[6709]: Error expecting '}' but found
'bgp' on line 61
Aug 20 15:21:40 tac-ntc tac_plus: Error: expecting '}' but found 'bgp'
on line 61
Aug 20 15:21:40 tac-ntc tacacs: tac_plus startup failed
Using your example line 61 is:
60 cmd = show {
61 deny ip bgp regexp.*\\
62 permit .*
63 }
No dice. Any suggestions?
# tac_plus -v
tac_plus version F4.0.4.13
ACLS
FIONBIO
LIBWRAP
LINUX
LITTLE_ENDIAN
LOG_DAEMON
PAM
NO_PWAGE
REAPCHILD
REARMSIGNAL
RETSIGTYPE RETSIGTYPE
SHADOW_PASSWORDS
SIGTSTP
SIGTTIN
SIGTTOU
SO_REUSEADDR
STRERROR
TAC_PLUS_PORT
UENABLE
__STDC__
On 8/20/07, john heasley <heas at shrubbery.net> wrote:
> Mon, Aug 20, 2007 at 10:38:02AM -0700, jathan.:
> > Hello-
> >
> > With the announcement of the latest Cisco PSIRT for "'sh ip bgp
> > regexp' crashing router". Briefly what happens is that the router
> > will crash when you enter the command 'show ip bgp regexp'.
> >
> > For example:
> >
> > show ip bgp regexp (.*)(_\1)+
> >
> > I have been a user of tac_plus for a long time, but this is the first
> > time I have been asked to filter deep into a command tree.
> >
> > I am aware of something like
> >
> > cmd = show {
> > deny ip
> > permit .*
> > }
> >
> > I have never had any success going any deeper such as:
> >
> > cmd = show {
> > deny ip bgp regexp
> > }
> >
> > Is this even possible? Any help or feedback would be appreciated.
> > It's looking like in the interim my only remedy is to block access to
> > 'show ip' period, and that's quite a nuisance.
>
> Yes, this will work just fine, but I believe it is a bigger hammer than
> necessary. My suspicion is that
>
> deny ip bgp regexp.*\\
>
> is sufficient. It is likely the [non-sensical & unnecessary in the sense
> of AS-paths] reference operator (\N) that is to blame.
>
--
jathan.
00bliss.dj.switchstance
www.00bliss.com
--
More information about the tac_plus
mailing list