generation of uRPF ACLs

[Marco d'Itri]

This patch, which will be included in the next release, adds support to
generate an ACL of the address space accepted by a peer.
The feature can be enabled by adding "rpfacl: y" to neighbors.

-- 
ciao,
Marco
-------------- next part --------------
diff -urNp rpsltool-1.0/cisco-full.tt2 rpsltool-1.1/cisco-full.tt2
--- rpsltool-1.0/cisco-full.tt2	2006-02-18 12:53:40.000000000 +0100
+++ rpsltool-1.1/cisco-full.tt2	2006-04-25 12:21:42.000000000 +0200
@@ -42,6 +42,22 @@ no [% acltype %] prefix-list [% aclname 
 [% END %]
 !
 [% END %]
+[% IF neigh.rpfacl %]
+[% IF afi.match('^ipv4') %]
+no ip access-list standard [% aclname +%]
+ip access-list standard [% aclname +%]
+[% FOREACH route = neigh.$afi.import_routes %]
+ permit [% route.route2acl +%]
+[% END %]
+[% ELSE %]
+no ipv6 access-list [% aclname +%]
+ipv6 access-list [% aclname +%]
+[% FOREACH route = neigh.$afi.import_routes %]
+ permit [% route +%] any
+[% END %]
+[% END %]
+!
+[% END %]
 [% END %]
 [% END %]
 
diff -urNp rpsltool-1.0/rpsltool rpsltool-1.1/rpsltool
--- rpsltool-1.0/rpsltool	2006-04-19 12:39:06.000000000 +0200
+++ rpsltool-1.1/rpsltool	2006-04-25 12:12:36.000000000 +0200
@@ -164,6 +164,7 @@ sub Template::create_vmethods {
 	my $context = $template->context;
 
 $context->define_vmethod('scalar', 'route2cisco' => \&route2cisco);
+$context->define_vmethod('scalar', 'route2acl'   => \&route2acl);
 
 $context->define_vmethod('list', 'hostroutes' => sub {
     map {
@@ -205,6 +206,20 @@ sub route2cisco {
 	return $s
 }
 
+# converts a prefix with an optional RPSL-like length filter to
+# a network/netmask pair separated by a space
+sub route2acl {
+	my ($prefix, $len) = $_[0] =~ m!
+		^([0-9\.:a-fA-F]+)		# prefix
+		/([0-9]+)				# length
+		(?:\^ [0-9\+\-]+ )?		# ignored range
+	$!ox;
+
+	$len = 32 if $len > 32 or $len < 0;
+	my $bits = '1' x $len . '0' x (32 - $len);
+	return $prefix . ' ' . join('.', unpack('CCCC', pack('B*', $bits)));
+}
+
 sub usage {
 	print STDERR <<END;
 Usage: rpsltool CONFIG-FILE