lg.cgi

Network Management Information System

# clogin setup
if (defined($LG_CLOGINRC)) {
    $cloginrc = $LG_CLOGINRC;
} else {
    $cloginrc = "$BASEDIR/.cloginrc";
}

$query = new CGI;

# get form data and validate
$type = ($query->param('query'))[0];
$router_param = ($query->param('router'))[0];
$remote_user = $ENV{REMOTE_USER};
$arg = ($query->param('args'))[0];
# handle multiple args
$arg =~ s/["'`]//g;			# these are BS in any arg for any query
@arg = split(' ', $arg);

# verify router, commands, arguments, etc.
($router, $mfg) = split(':', $router_param);
if (!defined($type) || !defined($router)) {
    $results[0] = "You must at least choose a Query and a router.  Try buying a clue.\n";
    &Error("You must at least choose a Query and a router.  Try buying a clue.\n");
}

if (! arraymember(\@rtrlist, $router)) {
    my($timestr) = strftime("%a %b %e %H:%M:%S %Y", gmtime);
    dolog(LOG_WARNING, sprintf("%s %s %s %s\n",
	$ENV{REMOTE_HOST}, $ENV{REMOTE_ADDR}, $ENV{REMOTE_USER},
	"- - [$timestr] lg.cgi: attempt to access $router\n"));
    Error("access to $router not permitted");
}

# conversion of command "type" passed from lgform.cgi to the vendor's syntax.
%ciscoCmd = (
		#acl => "show access-list",
		#aspath => "show ip as-path-access-list",
		#communitylist => "show ip community-list",
		damp => "show ip bgp dampened-paths",
		framerelay => "show frame-relay pvc",
		interface => "show interface",
		intbrief => "show ip interface",	# switch in {interface}
		log => "show logging",
		mbgp => "show ip mbgp",
		mbgpsum => "show ip mbgp summary",
		mneighbor => "show ip bgp neighbor",
		neighbor => "show ip bgp neighbor",
		regex => "show ip bgp regex",
		route => "show ip route",
		routemap => "show route-map",
		ping => "ping",
		prefix => "show ip bgp",
		prefixlist => "show ip prefix-list",
		summary => "show ip bgp summary",
		trace => "traceroute",
		version => "show version",
		intbrief => "show ip interface brief",
		arp => "show arp",
		mac => "show mac-address-table",
		cpu => "show processes cpu",
		flow => "show ip cache flow",
		nat => "show ip nat translations",
		cdp => "show cdp neighbor detail",
		eigrp => "show ip eigrp neighbors",
		intstat => "show interface status",
		mac => "show mac-address-table"
	);
%foundryCmd = (
		#acl => "show access-list",
		#aspath => "show ip as-path-access-list",
		#communitylist => "show ip community-list",
		damp => "show ip bgp dampened-paths",
		#framerelay => "show frame-relay pvc", # no frame relay
		interface => "show interface",
		log => "show log",
		#mbgp => "show ip mbgp",
		#mbgpsum => "show bgp summary",
		#mneighbor => "show ip bgp neighbor",
		neighbor => "show ip bgp neighbor",
		#regex => "show ip bgp aspath-regex",
		route => "show ip route",
		routemap => "show route-map",
		ping => "ping",
		prefix => "show ip bgp",
		prefixlist => "show ip prefix-list",
		summary => "show ip bgp summary",
		trace => "traceroute"
	);
%juniperCmd = (
		#acl => "show access-list",
		#aspath => "show ip as-path-access-list",
		#communitylist => "show ip community-list",
		damp => "show route damping suppressed terse table inet.0",
		framerelay => "show frame-relay pvc",
		interface => "show interface",
		log => "show log messages",
		mbgp => "show route table inet.2 terse",
		mbgpsum => "show bgp summary",
		mneighbor => "show bgp neighbor",
		neighbor => "show bgp neighbor",
		regex => "show route table inet.0 aspath-regex",
		route => "show route table inet.0 terse",
		routemap => "show policy",
		ping => "ping rapid count 5",
		prefix => "show route table inet.0",
		prefixlist => "show policy",
		summary => "show bgp summary",
		trace => "traceroute"
	);
%cmdDisp = (
		acl => "show access-list",
		aspath => "show ip as-path-access-list",
		communitylist => "show ip community-list",
		damp => "show ip bgp dampened-paths",
		framerelay => "show frame-relay pvc",
		interface => "show interface",
		log => "show logging",
		mbgp => "show ip mbgp",
		mbgpsum => "show ip mbgp summary",
		mneighbor => "show ip mbgp neighbor",
		neighbor => "show ip bgp neighbor",
		regex => "show ip bgp regex",
		route => "show ip route",
		routemap => "show route-map",
		ping => "ping",
		prefix => "show ip bgp",
		prefixlist => "show ip prefix-list",
		summary => "show ip bgp summary",
		trace => "traceroute",
		version => "show version",
		intbrief => "show ip interface brief",
		arp => "show arp",
		mac => "show mac-address-table",
		cpu => "show processes cpu",
		flow => "show ip cache flow",
		nat => "show ip nat translations",
		cdp => "show cdp neighbor detail",
		eigrp => "show ip eigrp neighbors",
		intstat => "show interface status",
		mac => "show mac-address-table"
	);

# not all cmds/queries are implemented for junipers
if ($mfg =~ /juniper/) {
    if (! defined($juniperCmd{$type})) {
	Error("$cmdDisp{$type} not implemented for junipers.  sorry.\n");
    }
    $cmd = $juniperCmd{$type};
} elsif ($mfg =~ /foundry/) {
    if(! defined($foundryCmd{$type})) {
	Error("$cmdDisp{$type} not implemented for foundrys.  sorry.\n");
    }
    $cmd = $foundryCmd{$type};
} else {
    if(! defined($ciscoCmd{$type})) {
	Error("$cmdDisp{$type} not implemented for cisco.  sorry.\n");
    }
    $cmd = $ciscoCmd{$type};
}

if ($type eq "prefix" || $type eq "mbgp" || $type eq "route" ) {
    if ($arg[0] !~ /^\d+\.\d+\.\d+\.\d+$/) {
	&Error("The IP address \"$arg[0]\" is not valid and lacking an address would over-burden our router.\n");
    } elsif (defined($arg[1]) && $arg[1] !~ /^\d+\.\d+\.\d+\.\d+$/) {
	&Error("The IP netmask \"$arg[1]\" is not valid.\n");
    }
    if ($mfg =~ /juniper/i && defined($arg[1])) {
	$arg = $arg[0] . "/" . mask2len($arg[1]);
    }
} elsif ($type eq "framerelay") {
    if ($mfg =~ /juniper/) {
	&Error("Juniper does not have a show frame-relay pvc command.  " .
		"Use show interface.\n");
    }
    if ($arg[0] > 15 && $arg[0] < 1024) {
	$arg = $arg[0];
    } else {
	undef($arg);
    }
} elsif ($type eq "interface") {
    if ($mfg =~ /(cisco|foundry)/) {
	if ($arg[0] !~ /^b[^ ]+[0-9]/i && $arg[0] =~ /^b/i) {
	    $type = "intbrief";
	    $arg = "brief";
	} else {
	    $arg = $arg[0];
	}
    } elsif ($mfg =~ /juniper/) {
	my($optind) = 0;
	# arg 0 may be an intf name or a display option, but there can
	# only be 2 args
	$arg = "";
	while ($optind <= $#arg && $optind < 2) {
	    $arg[$optind] =~ s/brief/terse/;
	    if ($arg[$optind] =~ /^([a-z0-9]{2}\-\d+\/\d+\/\d+(:\d+)?)/i) {
		$arg .= " $1";
	    } elsif ($arg[$optind] =~ /^det/i) {
		$arg .= " detail";
	    } elsif ($arg[$optind] =~ /^ter/i) {
		$arg .= " terse";
	    } elsif ($arg[$optind] =~ /^ext/i) {
		$arg .= " extensive";
	    }
	    $optind += 1;
	}
    }
} elsif ($type eq "log") {
    if ($arg[0] =~ /^\s*\|?$/) {
	shift(@arg);
    }
    $arg[0] =~ s/^\s*\|?//;
    if ($arg[0] !~ /^\s*$/) {
	if ($mfg =~ /cisco/i) {
	    $arg = " | include " . join(' ', @arg);
	} elsif ($mfg =~ /juniper/i) {
	    $arg = " | match \"" . join(' ', @arg) . "\"";
	} else {
	    undef($arg);
	}
    } else {
	undef($arg);
    }
} elsif ($type eq "cpu") {
    $arg = " | e 0.00";
} elsif ($type eq "ping" || $type eq "trace") {
    if ($arg[0] !~ /^\d+\.\d+\.\d+\.\d+$/) {
	if ($arg[0] !~ /^[A-Za-z0-9._-]+$/) {
	    &Error("That argument ($arg[0]) is not valid.\n");
	}
    }
    $arg = $arg[0];
} elsif ($type eq "aspath" || $type eq "communitylist") {
    if ($arg[0] !~ /^\d+$/ || ($arg[0] < 1 && $arg[0] > 199)) {
	&Error("That argument ($arg[0]) is not valid.\n");
    }
    $arg = $arg[0];
} elsif ($type eq "acl") {
    if ($arg[0] !~ /^\d+$/ || ($arg[0] < 100 && $arg[0] > 199) ||
					($arg[0] < 1300 && $arg[0] > 2699)) {
	&Error("That argument ($arg[0]) is not valid.\n");
    }
    $arg = $arg[0];
    # don't show the jewels
    # XXX: this error msg is useless, but show acl is un-implemented.
    &Error($mfg) if ($arg == 98 || $arg == 99);
} elsif ($type eq "prefixlist" || $type eq "routemap") {
    if ($arg[0] !~ /^[0-9A-Za-z][^\s\"]*$/) {
	&Error("That argument ($arg[0]) is not valid.\n");
    }
    $arg = $arg[0];
} elsif ($type eq "regex") {
    $arg = $arg[0];
    if ($#arg >= 1) {
	for ($n = 1; $n <= $#arg; $n++) { $arg .= " " . $arg[$n]; }
    }
    # remove leading/trailing whitespace
    $arg =~ s/^\s*//; $arg =~ s/\s*$//;
    if ($arg !~ /^[0-9_ ^.*+?[\])\(-]*\$?$/ || $arg =~ /^\s*$/) {
	&Error("That argument ($arg[0]) is not valid.\n");
    }
    # pathetic excuses for lookups
    if ($arg =~ /^[_.* ^]*(\*|1|701|1239|1280|1740|3561|5462|10303)+[_\$]*$/ ||
	$arg =~ /^[_.* ^]*(1|701|1239|1280|1740|3561|5462|10303)+[_ .]*[\[*.]/) {
	&Error("Get real.  Such a query has potential to over-burden our " .
		"router.\nLook that up on your own router.\n");
    }
    if ($mfg =~ /juniper/) {
	$arg =~ s/_/ /g;
	# pre-junos 4.4 do not allow anchors
	if ($arg =~ /\^\$/) {
	    $arg =~ "()";
	} else {
	    $arg =~ s/[\$^]/ /g;
	}
	$arg = "\"$arg\"";
    }
    # escape any ()s
    $arg =~ s/([\(\)])/\\$1/g;
} elsif ($type eq "neighbor") {
    if ($arg[0] !~ /^\d+\.\d+\.\d+\.\d+$/) {
	if ($arg[0] !~ /([A-Za-z0-9-]*.)*[A-Za-z0-9-]*.(com|edu|net|org)/) {
	    &Error("That argument ($arg[0]) is not valid.\n");
	}
    }
    $arg = $arg[0];
    if (defined($arg[1]) && $arg[1] =~ /^(a|ro|f|re)/) {
	if ($mfg =~ /juniper/) {
	    if ($arg[1] =~ /^a/) {
		if (defined($LG_BGP_RT)) {
		    $cmd = "show route table inet.0 all advertising-protocol ".
			"bgp";
		}
	    } elsif ($arg[1] =~ /^f/) {
		if (defined($LG_BGP_RT)) {
		    $cmd = "show route damping table inet.0 all ".
			"receive-protocol bgp";
		}
	    } elsif ($arg[1] =~ /^r/) {
		if (defined($LG_BGP_RT)) {
		    $cmd = "show route table inet.0 all receive-protocol bgp";
		}
	    }
	} else {
	    if ($arg[1] =~ /^a/) {
		if (defined($LG_BGP_RT)) { $arg .= " advertised-routes"; }
	    } elsif ($arg[1] =~ /^f/) {
		$arg .= " flap-statistics";
	    } elsif ($arg[1] =~ /^ro/) {
		if (defined($LG_BGP_RT)) { $arg .= " routes"; }
	    } elsif ($arg[1] =~ /^re/) {
		if (defined($LG_BGP_RT)) { $arg .= " received-routes"; }
	    }
	}
    }
} elsif ($type eq "mneighbor") {
    if ($arg[0] !~ /^\d+\.\d+\.\d+\.\d+$/) {
	if ($arg[0] !~ /([A-Za-z0-9-]*.)*[A-Za-z0-9-]*.(com|edu|net|org)/) {
	    &Error("That argument ($arg[0]) is not valid.\n");
	}
    }
    $arg = $arg[0];
    if (defined($arg[1]) && $arg[1] =~ /^(a|ro|f|re)/) {
	if ($mfg =~ /juniper/) {
	    if ($arg[1] =~ /^a/) {
		$cmd .= " advertised-routes";
	    } elsif ($arg[1] =~ /^f/) {
		$cmd .= " flap-statistics";
	    } elsif ($arg[1] =~ /^ro/) {
		$cmd .= " routes";
	    } elsif ($arg[1] =~ /^re/) {
		$cmd .= " received-routes";
	    }
	} else {
	    if ($arg[1] =~ /^a/) {
		$arg .= " advertised-routes";
	    } elsif ($arg[1] =~ /^f/) {
		$arg .= " flap-statistics";
	    } elsif ($arg[1] =~ /^ro/) {
		$arg .= " routes";
	    } elsif ($arg[1] =~ /^re/) {
		$arg .= " received-routes";
	    }
	}
    }
} elsif ($type eq "damp" || $type eq "summary" || $type eq "mbgpsum") {
    undef($arg);
}

# make stdout unbuffered, so result page streams.
$| = 1;
start_page();

# cache the following
if ($type eq "summary" || $type eq "mbgpsu" || $type eq "damp"
			|| $type eq "log") {
    if (!$arg) {
	# cache requests with no addr/argument
	local(*CACHE);

	my($file) = "$cache_dir/$type" ;
	$file =~ s/\s+/_/g;
	$file .= "_$router";

	if (-e $file) {
	    # see if cache exists
	    @stat = stat($file);
	    $ftime = $stat[9];
	    $dtime = time() - $stat[9];

	    # see if we are within cache time
	    if ($dtime <= $max_time_diff) {
		if (open(CACHE, "<$file") == 0) {
		    dolog(LOG_ERR, "couldnt open cache file $file: $!\n");
		} else {
		    print "<b>From cache (number of seconds old (max " .
			"$max_time_diff)):</b> $dtime\n\n";
		    while (<CACHE>) { print $_; }
		    close(CACHE);
		    &end_page();
		}
	    }
	}

	# else, execute command and save to a new cache file
	if (! &DoRsh($router, $mfg, $cmd, $arg)) {
	    if (open(CACHE, ">$file") == 0) {
		dolog(LOG_ERR, "couldnt create cache file $file: $!\n");
		exit(1);
	    } else {
		printf(CACHE "@results");
		close(CACHE);
	    }
	}
    } else {
	&DoRsh($router, $mfg, $cmd, $arg);
    }
    &end_page();
} else {
    &DoRsh($router, $mfg, $cmd, $arg);
    &end_page();
}

exit(0);