#!@EXPECT@ -f
# @(#) $Id: acl.exp.in 802 2011-11-04 00:51:21Z leres $ (LBL)
#
# acl.exp - talk to acld
#
# Copyright (c) 2002, 2003, 2004, 2006, 2007, 2008, 2009, 2010, 2011
# The Regents of the University of California. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that: (1) source code distributions
# retain the above copyright notice and this paragraph in its entirety, (2)
# distributions including binary code include the above copyright notice and
# this paragraph in its entirety in the documentation or other materials
# provided with the distribution, and (3) all advertising materials mentioning
# features or use of this software display the following acknowledgement:
# ``This product includes software developed by the University of California,
# Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
# the University nor the names of its contributors may be used to endorse
# or promote products derived from this software without specific prior
# written permission.
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
#
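#
# Program name for messages: the basename of the script
#
set prog [file tail $argv0]
match_max 2048
#
# Session log: prefer /var/log/acld, fall back to the current directory;
# a log that cannot be opened is only a warning.  "file rootname" drops
# the ".exp" suffix as a suffix; "string trimright" treated ".exp" as a
# character set and could also eat a trailing e/x/p of the base name.
#
set f "[file rootname $prog].log"
if [catch {log_file -a /var/log/acld/$f} err] {
    send_error "$prog: warning: $err\n"
    if [catch {log_file -a $f} err] {
        send_error "$prog: warning: $err\n"
    }
}
# Keep the raw acld dialog off the user's terminal; getresponse relays it
log_user 0
#
# Identification sent with every command ("user@host").  Both halves are
# taken from the caller's environment (USER, HOST/HOSTNAME), i.e. they
# are self-asserted, with exec fallbacks when the variables are unset.
#
if [catch {set ident $env(USER)} err] {
    set ident "[exec id -un]"
}
if [catch {set host $env(HOST)} err] {
    if [catch {set host $env(HOSTNAME)} err] {
        set host "[exec hostname]"
    }
}
# Adjust path to pick up socket (the helper spawned when we connect)
set env(PATH) "/usr/local/bin:$env(PATH)"
if { $host != "" } {
    append ident "@$host"
}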
#
# Print usage and exit
#
proc usage {} {
    # Print the version and the usage synopsis to stderr, then exit 1.
    # Every form accepts a trailing "-c comment ..." (it must trail because
    # of the way expect processes arguments).
    global prog
    set version "@VERSION@"
    send_error "Version: $version\n"
    set c "\[-c comment ...\]"
    set forms [list \
        "usage: $prog \[drop|restore|query] addr $c" \
        " $prog \[drop|restore|query] network/mask $c" \
        " $prog \[drop|restore|query] -f file $c" \
        " $prog \[blockhosthost|restorehosthost] addr1 addr2 $c" \
        " $prog \[blockhosthost|restorehosthost] -f file $c" \
        " $prog \[dropudpport|restoreudpport] port ACL $c" \
        " $prog \[droptcpport|restoretcpport] port ACL $c" \
        " $prog \[permitudpdsthostport|unpermitudpdsthostport] addr port \\\n\t\t$c" \
        " $prog \[permittcpdsthostport|unpermittcpdsthostport] addr port \\\n\t\t$c" \
        " $prog \[droptcpdsthostport|restoretcpdsthostport] addr port \\\n\t\t$c" \
        " $prog \[nullzero|nonullzero|querynullzero] addr $c" \
        " $prog \[nullzero|nonullzero|querynullzero] network/mask $c" \
        " $prog \[nullzero|nonullzero|querynullzero] -f file $c" \
        " $prog \[addwhitelist|remwhitelist|querywhitelist] \\\n\t\t\[addr|net/width|net mask] $c" \
        " $prog \[addwhitelist|remwhitelist|querywhitelist] -f file \\\n\t\t$c" \
        " $prog listacl ACL $c" \
        " $prog compact ACL $c" \
        " $prog listroute $c" \
        " $prog whitelist $c" \
        " $prog state $c" \
    ]
    foreach line $forms {
        send_error "$line\n"
    }
    exit 1
}
#
# Reap response
#
proc getresponse { what cookie } {
    # Wait for acld's response to the command "$what" that was sent with
    # sequence number "$cookie"; return 0 on success, 1 on failure.
    #
    # A response line is "<stamp> <cookie> <what>", optionally followed by
    # "-failed" (failure) and/or " -" (a multi-line comment follows, ended
    # by a line holding only ".").  Globals written:
    #   lasttime - the numeric stamp acld prefixed to the response line
    #   comment  - the comment text, one line per "\n" ("" if none)
    # A failure comment is written to stderr; a success comment is echoed
    # to the user verbatim, except for the initial "acld" greeting.  Lines
    # that match none of the forms are relayed to stderr and skipped.  A
    # timeout or a dead child exits the whole program with status 1.
    global prog
    global comment
    global lasttime
    global dst
    set response "^(\[0-9]+\.\[0-9]+) $cookie $what"
    set doingcomment 0
    set comment ""
    set status 0
    set lasttime 0
    # compact/listacl may run for a long time.  This local "timeout" is
    # presumably what the expect calls below pick up (ahead of the global).
    if { $what == "compact" || $what == "listacl" } {
        set timeout 3600
    } else {
        set timeout 90
    }
    expect {
        -re "$response\r\n" {
            # plain success, no comment
            set lasttime $expect_out(1,string)
        }
        -re "$response -\r\n" {
            # success, comment lines follow
            set lasttime $expect_out(1,string)
            set doingcomment 1
        }
        -re "$response-failed\r\n" {
            # failure, no comment
            set lasttime $expect_out(1,string)
            set status 1
        }
        -re "$response-failed -\r\n" {
            # failure, comment (error text) follows
            set lasttime $expect_out(1,string)
            set doingcomment 1
            set status 1
        }
        -re "^(.*)\[\r\n]*\r\n" {
            # anything else: show it and keep waiting for our cookie
            send_error "$prog: $expect_out(1,string)\n"
            exp_continue
        }
        timeout {
            send_error "$prog: $dst: timeout $what ($timeout secs)\n"
            exit 1
        }
        eof {
            send_error "$prog: $dst: child exited\n"
            exit 1
        }
    }
    if { $doingcomment != 0 } {
        # Collect comment lines up to the single-character "." terminator
        expect {
            "^.\r\n" {
                if { $lasttime == 0 } {
                    send_error \
                        "$prog: missing lasttime at EOM\n"
                    exit 1
                }
                # done
            }
            -re "^(\[^\r\n]*)\r\n" {
                append comment "$expect_out(1,string)\n"
                exp_continue
            }
            timeout {
                send_error \
                    "$prog: timeout2 $what ($timeout secs)\n"
                exit 1
            }
            eof {
                send_error "$prog: child exited2\n"
                exit 1
            }
        }
    }
    # Relay the comment: errors to stderr, otherwise to the user (but the
    # greeting's comment is never shown)
    if { $comment != "" } {
        if { $status != 0 } {
            send_error "$prog: acld error: $comment"
        } elseif { $what != "acld" } {
            send_user "$comment"
        }
    }
    return $status
}
# Send acld commands with identification
#
# Send one acld command as a multi-line message: the command line with a
# trailing "-" (more lines follow), the identification in braces, the
# optional user comment, and a lone "." ending the message.  Lines go out
# verbatim, so a comment line of just "." would end the message early;
# the caller is responsible for not passing one.
#
proc sendcmd {line} {
    global ident
    global usercomment
    set msg [list "$line -" "{$ident}"]
    if { [string length $usercomment] > 0 } {
        lappend msg $usercomment
    }
    lappend msg "."
    foreach l $msg {
        send -- "$l\r"
    }
}
##############################################################################
#
# Main program
#
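if { $argc < 1 } {
    usage
}
# Command word, then the operands the per-command parsing fills in
set what [lindex $argv 0]
set file ""
set addr1 ""
set addr2 ""
set port ""
set acl ""
#
# Where acld listens.  Taken from the caller's environment (ACLIPADDR,
# ACLPORT) when set, so the environment decides which daemon we talk to;
# the default is the loopback address.
#
if [catch {set aclipaddr $env(ACLIPADDR)} err] {
    set aclipaddr "127.0.0.1"
}
if [catch {set aclport $env(ACLPORT)} err] {
    set aclport "1965"
}
# Optional user comment (must trail due to the way expect processes arguments)
# Everything after "-c" is the comment; argc is cut back so that the
# remaining argument checks never see it.
set usercomment ""
for { set i 0 } { $i < $argc } { incr i } {
    if { [lindex $argv $i] == "-c" } {
        set usercomment "[lrange $argv [expr $i + 1] [expr $argc - 1]]"
        # A comment of exactly "." would look like the end-of-message line
        # sendcmd uses, so dot-stuff it.  (This used to read
        # "set $usercomment ...", which assigned a variable named "." and
        # left the comment itself unchanged.)
        if { $usercomment == "." } {
            set usercomment ".$usercomment"
        }
        set argc $i
        break
    }
}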
#
# Validate flags: the only option accepted here is "-f", and only for the
# commands that take an address file ("-c" was already cut off above).
# Anything else starting with "-" is a usage error.
#
set filecmds [list drop restore query blockhosthost restorehosthost \
    nullzero nonullzero querynullzero addwhitelist remwhitelist querywhitelist]
for { set i 1 } { $i < $argc } { incr i } {
    set a [lindex $argv $i]
    if { [string index $a 0] != "-" } {
        continue
    }
    if { $a != "-f" || [lsearch -exact $filecmds $what] < 0 } {
        usage
    }
}
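#
# Bind the command's operands from argv.  Each command form checks its own
# argument count and falls to usage on a mismatch; the "-f file" forms open
# the address file here so that a bad path fails before we talk to the
# daemon.  Operands are handed to acld as given: no client-side syntax
# check of addresses, ports or ACL names is done.
#
proc openaddrfile { file } {
    # Open the "-f" address file for reading; exit 1 with the open error on
    # failure.  The channel that catch yields is returned directly (the
    # previous code opened the file a second time and leaked the first
    # channel).
    global prog
    if [catch {open $file} fd] {
        send_error "$prog: $fd\n"
        exit 1
    }
    return $fd
}
if { $what == "drop" || $what == "restore" || $what == "query" } {
    # one address or network/mask, or a file of them
    if { [lindex $argv 1] == "-f" } {
        if { $argc != 3 } {
            usage
        }
        set file [lindex $argv 2]
        set fd [openaddrfile $file]
    } elseif { $argc == 2 } {
        set addr1 [lindex $argv 1]
    } else {
        usage
    }
} elseif { $what == "blockhosthost" || $what == "restorehosthost" } {
    # two addresses, or a file (one entry per line)
    if { [lindex $argv 1] == "-f" } {
        if { $argc != 3 } {
            usage
        }
        set file [lindex $argv 2]
        set fd [openaddrfile $file]
    } elseif { $argc == 3 } {
        set addr1 [lindex $argv 1]
        set addr2 [lindex $argv 2]
    } else {
        usage
    }
} elseif { $what == "dropudpport" || $what == "droptcpport" ||
    $what == "restoreudpport" || $what == "restoretcpport" } {
    # port and ACL
    if { $argc != 3 } {
        usage
    }
    set port [lindex $argv 1]
    set acl [lindex $argv 2]
} elseif { $what == "permitudpdsthostport" ||
    $what == "unpermitudpdsthostport" ||
    $what == "permittcpdsthostport" ||
    $what == "unpermittcpdsthostport" } {
    # address and port
    if { $argc != 3 } {
        usage
    }
    set addr1 [lindex $argv 1]
    set port [lindex $argv 2]
} elseif { $what == "droptcpdsthostport" ||
    $what == "restoretcpdsthostport" } {
    # address and port
    if { $argc != 3 } {
        usage
    }
    set addr1 [lindex $argv 1]
    set port [lindex $argv 2]
} elseif { $what == "nullzero" || $what == "nonullzero" ||
    $what == "querynullzero" } {
    # one address or network/mask, or a file of them
    if { [lindex $argv 1] == "-f" } {
        if { $argc != 3 } {
            usage
        }
        set file [lindex $argv 2]
        set fd [openaddrfile $file]
    } elseif { $argc == 2 } {
        set addr1 [lindex $argv 1]
    } else {
        usage
    }
} elseif { $what == "addwhitelist" || $what == "remwhitelist" ||
    $what == "querywhitelist" } {
    # addr, net/width, or "net mask" as two words; or a file of them
    if { [lindex $argv 1] == "-f" } {
        if { $argc != 3 } {
            usage
        }
        set file [lindex $argv 2]
        set fd [openaddrfile $file]
    } elseif { $argc == 2 } {
        set addr1 [lindex $argv 1]
    } elseif { $argc == 3 } {
        set addr1 [lrange $argv 1 2]
    } else {
        usage
    }
} elseif { $what == "compact" || $what == "listacl" } {
    # ACL name (argc mismatch used to fall to the final else; same result)
    if { $argc != 2 } {
        usage
    }
    set acl [lindex $argv 1]
} elseif { $what == "state" || $what == "listroute" || $what == "whitelist" } {
    # no operands
    if { $argc != 1 } {
        usage
    }
} else {
    usage
}
# Audit line: timestamp and the full argument list, to stderr
send_error "$prog: [clock format [clock seconds] -format "%b %d %T"] $argv\n"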
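#
# Connect to the acl daemon
#
# The link is made through the external "socket" helper on a pty and its
# "connected to ..." banner is parsed for the peer named in messages.
# Nothing in this script authenticates the peer or the caller beyond the
# self-asserted ident string sent with each command.
#
set stty_init "-echo"
set dst "$aclipaddr.$aclport"
# Build the command as a proper list so that eval sees exactly these five
# words: the address and port come from the environment and must not be
# able to smuggle further Tcl into the spawn (a plain string would be
# re-parsed by eval).
set cmd [list socket -v -c $aclipaddr $aclport]
eval spawn $cmd
set timeout 60
expect {
    # Support socket 1.4
    -re "^connected to (\[^ ]*) \[^ ]* port (\[0-9]*)\r\n" {
        set dst "$expect_out(1,string).$expect_out(2,string)"
    }
    # Unfortunately there are different messages depending on USE_INET6
    -re "^connected to (\[^ ]*) with address \[^ ]* at port (\[0-9]*)\r\n" {
        set dst "$expect_out(1,string).$expect_out(2,string)"
    }
    # Unfortunately socket tries to convert the port to a string
    -re "^connected to (\[^ ]*) with address \[^ ]* at port (\[^\r\n]*)\r\n" {
        set dst "$expect_out(1,string).$expect_out(2,string)"
    }
    # "connected to 127.0.0.1 port 1965 (tivoli-npm)"
    # NOTE(review): inside double quotes Tcl drops the backslash of "\(",
    # so the regex gets a bare "(" — an extra capture group, not a literal
    # paren.  It still matches because [^\r\n]* absorbs "(tivoli-npm)" and
    # groups 1 and 2 are unaffected; left as is.
    -re "^connected to (\[^ ]*) port (\[0-9]*) \(\[^\r\n]*\)\r\n" {
        set dst "$expect_out(1,string).$expect_out(2,string)"
    }
    # "connected to 127.0.0.1 (hosed.lbl.gov) port 1965 (tivoli-npm)"
    # (same "\(" remark as above)
    -re "^connected to (\[^ ]*) \(\[^\r\n]*\) port (\[0-9]*) \(\[^\r\n]*\)\r\n" {
        set dst "$expect_out(1,string).$expect_out(2,string)"
    }
    # "connected to 127.0.0.1 port 1965"
    -re "^connected to (\[^ ]*) port (\[0-9]*)\r\n" {
        set dst "$expect_out(1,string).$expect_out(2,string)"
    }
    -re "^(.*)\[\r\n]*\r\n" {
        # anything else from socket: show it and keep waiting
        send_error "$prog: $expect_out(1,string)\n"
        exp_continue
    }
    timeout {
        send_error "$prog: $dst: timeout socket ($timeout secs)\n"
        exit 1
    }
    eof {
        send_error "$prog: $dst: child exited\n"
        exit 1
    }
}
# The daemon greets with an "acld" response carrying cookie 0; a failure
# here means we never got a usable session
if { [getresponse "acld" 0] != 0 } {
    send_error "$prog: \"$cmd\" failed\n"
    exit 1
}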
#
# Issue the command(s).  Every command gets a fresh cookie and responses
# are reaped in cookie order by getresponse.  The single-operand forms
# send one command; the "-f" forms stream the file with a window of at
# most maxoutstanding unanswered commands.
#
set start $lasttime
set lastcookie 0
set firstcookie 1
set outstanding 0
set estatus 0
set single 1
if { $what == "compact" || $what == "listacl" } {
    # list/compact an ACL
    set rest " $acl"
} elseif { $what == "state" || $what == "listroute" || $what == "whitelist" } {
    # state inquiry, route list or whitelist
    set rest ""
} elseif { $addr1 != "" && $addr2 != "" } {
    # hosthost (two addresses)
    set rest " $addr1 $addr2"
} elseif { $addr1 != "" && $port != "" } {
    # an address and port
    set rest " $addr1 $port $acl"
} elseif { $addr1 != "" } {
    # a single address
    set rest " $addr1"
} elseif { $port != "" } {
    # a port
    set rest " $port $acl"
} else {
    set single 0
}
if { $single } {
    incr lastcookie
    sendcmd "$what $lastcookie$rest"
    incr outstanding
} else {
    # Loop on addrs from the file.  Lines are sent as-is (blank lines
    # skipped), so the file's contents reach acld unchecked.
    set maxoutstanding 5
    while { [gets $fd addr1] >= 0 } {
        if { [regexp "^\[ \t]*$" $addr1] } {
            continue
        }
        incr lastcookie
        sendcmd "$what $lastcookie $addr1"
        incr outstanding
        if { $outstanding >= $maxoutstanding } {
            # window full: reap the oldest before sending more
            if { [getresponse $what $firstcookie] != 0 } {
                set estatus 1
            }
            incr firstcookie
            incr outstanding -1
        }
    }
}
#
# Finish up: reap every outstanding response, report the elapsed time
# and tell acld to exit.
#
for {} { $outstanding > 0 } { incr outstanding -1 } {
    if { [getresponse $what $firstcookie] != 0 } {
        set estatus 1
    }
    incr firstcookie
}
flush stdout
#send_error "(start $start finish $lasttime)\n"
# Elapsed time is taken from the numeric stamps acld prefixed to its
# first and last responses, not from the local clock
set delta [format "%.3f" [expr $lasttime - $start]]
send_error "$prog: (took $delta seconds)\n"
incr lastcookie
send -- "exit $lastcookie\r"
# No timeout/eof clauses: whether or not the acknowledgement arrives we
# fall through and exit with the accumulated status
expect "^(\[0-9]+\.\[0-9]+) $lastcookie exit"
if { $estatus != 0 } {
    send_error "$prog: $what FAILED\n"
}
exit $estatus