
New config option to validate AS path regexp.

This introduces a new configuration option allowing users to create a
list of AS path regexps to blacklist and reject. This could be used to
avoid some potentially harmful AS path regexps that could be used to
overload the control plane of some routers (especially ones with low
CPU and RAM). Closes #53.

By default this option will blacklist regexps making routers return a
full routing table. These defaults can be overwritten by using the
`unset` keyword before the option name
`$config['filters']['aspath_regexp']`.

This commit also renames the option `$config['filters']` to
`$config['filters']['output']` so users using this configuration option
will need to modify their configuration files.
respawner committed Nov 1, 2018
1 parent 29ec745 commit e678b41faca744a3a30c95229a5f5948e22fa7bf
@@ -22,10 +22,10 @@ $config['frontpage']['image'] = 'logo.png';
$config['frontpage']['disclaimer'] = 'This is a disclaimer!';

// Things to remove from the output (PHP compatible regex)
$config['filters'][] = '/(client1|client2)/';
$config['filters'][] = '/^NotToShow/';
$config['filters']['output'][] = '/(client1|client2)/';
$config['filters']['output'][] = '/^NotToShow/';
// If telnet is used in combination with extreme_netiron, uncomment the following filter
//$config['filters'][] = '/([^\x20-\x7E]|User|Please|Disable|telnet|^\s*$)/';
//$config['filters']['output'][] = '/([^\x20-\x7E]|User|Please|Disable|telnet|^\s*$)/';

// Google reCaptcha integration
$config['recaptcha']['enabled'] = false;
@@ -245,12 +245,30 @@ logs file.
### Filters

```php
$config['filters'][] = '/(client1|client2)/';
$config['filters'][] = '/^NotToShow/';
$config['filters']['output'][] = '/(client1|client2)/';
$config['filters']['output'][] = '/^NotToShow/';
```
Defines filters to eliminate some lines from the output. Do not define any
filters if there is no nothing to filter.

```php
// Use the unset command if you don't want to use pre-defined filters
// unset $config['filters']['aspath_regexp'];
$config['filters']['aspath_regexp'][] = '.* 64546 .*';
```
Defines AS path regexp values that must not be executed for some reasons. It
can be used to avoid people trying to enter potential harmful AS path regexps.

Pre-defined regexps are the following:
* `.`
* `.*`
* `.[,]*`
* `.[0-9,0-9]*`
* `.[0-9,0-9]+`

To reset the default filter, the `unset` command must be used first before
adding new values.

### Google reCAPTCHA

```php
@@ -3,7 +3,7 @@
The following companies and organizations trust this looking glass to expose a
small view of their networks.

* [LUXNETWORK S.A.](https://luxnetwork.eu/) - [Looking Glass](https://lg.luxnetwork.eu/)
* [LuxNetwork S.A.](https://luxnetwork.eu/) - [Looking Glass](https://lg.luxnetwork.eu/)
* [TRINAPS](https://www.trinaps.com/) - [Looking Glass](https://lg.trinaps.net/)
* [GLaNET](https://glanet.org/)
* [SysEleven GmbH](https://www.syseleven.de/)
@@ -92,7 +92,18 @@ function set_defaults_for_routers(&$parsed_config) {
),
// Filters
'filters' => array(),
'filters' => array(
// Lines (based on regexp) not to show in the output
'output' => array(),
// AS path regexps to disallow
'aspath_regexp' => array(
'.',
'.*',
'.[,]*',
'.[0-9,0-9]*',
'.[0-9,0-9]+'
)
),
// Google reCaptcha
'recaptcha' => array(
@@ -208,24 +208,33 @@ function match_as($as) {
return true;
}
function match_aspath_regex($aspath_regex) {
// Empty AS path regex
if (empty($aspath_regex)) {
function match_aspath_regexp($aspath_regexp) {
global $config;
// Empty AS path regexp
if (empty($aspath_regexp)) {
return false;
}
// AS path containing a ; (not a valid character)
if (strpos($aspath_regex, ';') !== false) {
if (strpos($aspath_regexp, ';') !== false) {
return false;
}
// AS path containing a " (not a valid character, the string is automatically
// quoted if needed)
if (strpos($aspath_regex, '"') !== false) {
if (strpos($aspath_regexp, '"') !== false) {
return false;
}
// TODO: validate a regex with a regex?
// Check if the AS path regexp in in the list of regexp considered as
// invalid (see config option)
foreach ($config['filters']['aspath_regexp'] as $invalid_aspath_regexp) {
if ($invalid_aspath_regexp === $aspath_regexp) {
return false;
}
}
return true;
}
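Review bot: The denylist loop in match_aspath_regexp compares the input to each configured entry with `===`, so only the exact listed strings are rejected; an expression that differs in whitespace or is written another way but selects the same routes still passes. For the stated goal of protecting low-resource routers I would compare a normalised form on both sides, e.g. `$normalized = preg_replace('/\s+/', '', $aspath_regexp);`, add a length cap, and say in the comment above the loop that it is an exact-match check (`// Exact string match only: equivalent expressions are not detected`). The loop also assumes `$config['filters']['aspath_regexp']` is always an array; an `isset()`/`is_array()` guard before the `foreach` would cover a configuration that unsets the option without adding values, though how the defaults are merged is not visible in this hunk.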
@@ -125,7 +125,7 @@ protected function build_commands($command, $parameter) {
break;
case 'as-path-regex':
if (match_aspath_regex($parameter)) {
if (match_aspath_regexp($parameter)) {
if (!$this->config['disable_ipv6']) {
$commands[] = $birdc6.' \'show route where bgp_path ~ [= '.
$parameter.' =]'.$bgpdetail.'\'';
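Review bot: `$parameter` is concatenated into a hand-written single-quoted argument here, but match_aspath_regexp rejects only `;` and `"`, so a `'` in the input would end the quoting early. If this string is later run through a shell, which the `$birdc6` prefix suggests but the hunk does not show, that is a command-injection path. The same validator is the only guard in the later hunks where the quoting is opened outside the visible lines or is absent: `$vtysh.'show bgp ipv6 regexp '.$parameter.'"'`, `$vtysh.'show ipv6 bgp regexp '.$parameter.'"'` and `$wrapper.'show ipv6 bgp regexp '.$parameter`. I would reject `'` and any other character that is not valid in an AS path expression inside the validator, or build the argument with `escapeshellarg('show route where bgp_path ~ [= '.$parameter.' =]'.$bgpdetail)` instead of manual quotes. build_commands starts and ends outside the hunk.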
@@ -88,7 +88,7 @@ protected function build_commands($command, $parameter) {
break;
case 'as-path-regex':
if (match_aspath_regex($parameter)) {
if (match_aspath_regexp($parameter)) {
if (!$this->config['disable_ipv6']) {
$commands[] = 'show bgp ipv6 unicast quote-regexp "'.$parameter.
'"';
@@ -116,7 +116,7 @@ protected function build_commands($command, $parameter) {
break;
case 'as-path-regex':
if (match_aspath_regex($parameter)) {
if (match_aspath_regexp($parameter)) {
if (!$this->config['disable_ipv6']) {
$commands[] = 'show bgp ipv6 unicast regexp "'.$parameter.
'"';
@@ -125,7 +125,7 @@ protected function build_commands($command, $parameter) {
break;
case 'as-path-regex':
if (match_aspath_regex($parameter)) {
if (match_aspath_regexp($parameter)) {
if (!$this->config['disable_ipv6']) {
$commands[] = "skip-page-display\r\nshow ipv6 bgp routes ".$bgpdetail."regular-expression \"".$parameter.
'"';
@@ -118,7 +118,7 @@ protected function build_commands($command, $parameter) {
break;
case 'as-path-regex':
if (match_aspath_regex($parameter)) {
if (match_aspath_regexp($parameter)) {
if (!$this->config['disable_ipv6']) {
$commands[] = $vtysh.'show bgp ipv6 regexp '.$parameter.'"';
}
@@ -81,7 +81,7 @@ protected function build_commands($command, $parameter) {
break;
case 'as-path-regex':
if (match_aspath_regex($parameter)) {
if (match_aspath_regexp($parameter)) {
if (!$this->config['disable_ipv6']) {
$commands[] = 'show route aspath-regex "'.$parameter.
'" protocol bgp table inet6.0'.$bgpdetail;
@@ -80,7 +80,7 @@ protected function build_commands($command, $parameter) {
break;
case 'as-path-regex':
if (match_aspath_regex($parameter)) {
if (match_aspath_regexp($parameter)) {
if (!$this->config['disable_ipv6']) {
$commands[] = 'ipv6 route print '.$bgpdetail.' where bgp-as-path="'.$parameter.'"';
}
@@ -118,7 +118,7 @@ protected function build_commands($command, $parameter) {
break;
case 'as-path-regex':
if (match_aspath_regex($parameter)) {
if (match_aspath_regexp($parameter)) {
if (!$this->config['disable_ipv6']) {
$commands[] = $vtysh.'show ipv6 bgp regexp '.$parameter.'"';
}
@@ -63,7 +63,7 @@ public function __construct($global_config, $config, $id, $requester) {
private function sanitize_output($output) {
// No filters defined
if (count($this->global_config['filters']) < 1) {
if (count($this->global_config['filters']['output']) < 1) {
return preg_replace('/(?:\n|\r\n|\r)$/D', '', $output);
}
@@ -72,7 +72,7 @@ private function sanitize_output($output) {
foreach (preg_split("/((\r?\n)|(\r\n?))/", $output) as $line) {
$valid = true;
foreach ($this->global_config['filters'] as $filter) {
foreach ($this->global_config['filters']['output'] as $filter) {
// Line has been marked as invalid
// Or filtered based on the configuration
if (!$valid || (preg_match($filter, $line) === 1)) {
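Review bot: Both reads of `$this->global_config['filters']['output']` in sanitize_output assume that no configuration still uses the old `$config['filters'][] = ...` form. With the new defaults, legacy entries would presumably sit under numeric keys next to `output` and be skipped, so lines the operator meant to hide would appear in public output again without any error. Since this filter is what keeps those lines out of the response, I would fail closed: at load time, detect keys in `filters` other than `output` and `aspath_regexp` and either migrate them into `output` or stop with a configuration error. How the user configuration is merged with the defaults is not visible in this section, so this needs confirming; sanitize_output continues outside the hunks.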
@@ -116,7 +116,7 @@ protected function build_commands($command, $parameter) {
break;
case 'as-path-regex':
if (match_aspath_regex($parameter)) {
if (match_aspath_regexp($parameter)) {
if (!$this->config['disable_ipv6']) {
$commands[] = $wrapper.'show ipv6 bgp regexp '.$parameter;
}
