refdef.sh
  1. $ cat refdef.sh
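#!/bin/sh
# refdef.sh - find IOS filters (access-lists, prefix-lists, class-maps,
# policy-maps, route-maps, transform-sets) that are defined but never
# referenced, and referenced but never defined, in saved IOS config files.
#
# Usage:  refdef.sh config-file-1 ... config-file-N
# Env:    DEBUG=N   0 (default) is quiet; >2 prints how the file name is
#                   normalised; >4 additionally traces every definition and
#                   reference as it is recorded
# Output: per file with findings, a "<name> missing commands:" header and one
#         " *** Warning: ..." line per finding, on stdout.  Arguments that are
#         not readable files are reported on stderr and skipped.
# Exit:   0 if every argument was a readable file, 1 otherwise.
#
# Written for POSIX sh: no arrays, [[ ]] or local.

set -u

DEBUG=${DEBUG:-0}

# check_file FILE
# Scan one IOS configuration file and report unreferenced / undefined filters.
# Returns 1 (after a message on stderr) when FILE is not a readable file.
check_file() {
  if [ ! -f "$1" ] || [ ! -r "$1" ]; then
    printf '%s is not a readable file\n' "$1" >&2
    return 1
  fi

  # NB: awk -v applies backslash-escape processing to the value, so a file
  # name containing backslashes is only displayed oddly in the header; the
  # file itself is still opened under its real name (last argument).
  awk -v extfilename="$1" -v debug="$DEBUG" '
  BEGIN {
    ## hack for "wr net" adding "-confg" to filename
    filename = extfilename
    if ( filename ~ /-confg$/ ) filename = substr(filename, 1, length(filename) - 6)
    if ( debug > 2 ) printf("extfilename=%s filename=%s\n", extfilename, filename)

    ## remove directory names - eg: /tftpboot/foo-confg becomes foo-confg
    while ( (n = index(filename, "/")) > 0 ) {
      filename = substr(filename, n + 1)
      if ( debug > 4 ) print "filename(" n ") = " filename
    }
    if ( debug > 2 ) printf("extfilename=%s filename=%s\n", extfilename, filename)

    # default COPP class-maps that the platform adds automatically but never
    # references (seen on sup2t 15.1(2)SY6); not reported as unreferenced
    ciscoDefaultCoppUnreferenced["class-map class-copp-dhcp-snooping"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-unknown-protocol"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-receive"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-mcast-rpf-fail"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-service-insertion"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-mac-pbf"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-wccp"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-mcast-acl-bridged"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-ttl-fail"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-slb"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-mcast-ipv6-control"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-ucast-egress-acl-bridged"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-arp-snooping"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-ip-admission"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-ucast-ingress-acl-bridged"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-mtu-fail"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-options"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-mcast-ip-control"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-nd"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-glean"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-unsupp-rewrite"] = 1
    ciscoDefaultCoppUnreferenced["class-map class-copp-broadcast"] = 1
  } # end of BEGIN section

  /\r/ { gsub("\r", "") }   # strip stray carriage returns (DOS line endings)

  /^!/ { next }             # IOS comment / separator lines

  ########################
  ###### referenced ######

  ## access-list

  /^ *access-class / { addAclRef("access-list", $2) }              # line vty ; access-class NNN in
  /^ distribute-list [0-9]+ out / { addAclRef("access-list", $2) } # router eigrp ; distribute-list NN out ifName
  /^ distribute-list prefix / { addAclRef("prefix-list", $3) }     # router eigrp ; distribute-list prefix NNN in ifname
  /^ *ip access-group / { addAclRef("access-list", $3) }           # int foo ; ip access-group NNN in
  /^ ip directed-broadcast / { addAclRef("access-list", $3) }      # int foo ; ip directed-broadcast NNN
  /^ ip multicast boundary / { addAclRef("access-list", $4) }      # int foo ; ip multicast boundary NNN
  /^ ip verify unicast source reachable-via rx allow-default [0-9]/ { addAclRef("access-list", $8); next }
  /^ ipv6 verify unicast source reachable-via rx / {
    # the ACL (if any) is field 7, or field 8 when "allow-default" is present
    n = 7
    if ( $n == "allow-default" ) n++
    if ( NF >= n ) addAclRef("access-list", $n)
    next
  }
  /^ *ipv6 access-class / { addAclRef("access-list", $3) }        # line vty ; ipv6 access-class bar in
  /^ ipv6 traffic-filter / { addAclRef("access-list", $3) }       # int foo ; ipv6 traffic-filter bar
  # match access-group can have one or two leading spaces
  /^ *match access-group [0-9]/ { addAclRef("access-list", $3) }  # class-map match-any NNN; match access-group NNN
  /^ *match access-group name / { addAclRef("access-list", $4) }  # class-map match-any NNN; match access-group name XXX
  /^ match address / { addAclRef("access-list", $3) }             # crypto map ; match address NNN
  /^ *match ip address / {
    # route-map foo ; match ip address [prefix-list] NNN
    if ( $4 == "prefix-list" ) addAclRef("prefix-list", $5)
    else addAclRef("access-list", $4)
  }
  /^ip http access-class / { addAclRef("access-list", $4) }       # ip http access-class NNN
  /^ip pim rp-address / {
    # ip pim rp-address a.d.d.r NNN [override]     -> NNN is an ACL
    # ip pim rp-address a.d.d.r override           -> no ACL
    # ip pim rp-address a.d.d.r group-list a.b.c.d/n -> no ACL
    if ( NF > 4 && $5 != "group-list" && $5 != "override" ) addAclRef("access-list", $5)
  }
  /^ip wccp [0-9]+ redirect-list / { addAclRef("access-list", $5) }      # ip wccp NN redirect-list NNN accelerated
  /^ip wccp web-cache redirect-list / { addAclRef("access-list", $5) }   # ip wccp web-cache redirect-list NNN
  /^ipv6 wccp [^ ]+ redirect-list / { addAclRef("access-list", $5) }     # ipv6 wccp 80 redirect-list wccp-ipv6-in
  /^snmp-server community / {
    if ( ( $4 ~ /^R(O|W)/ && NF > 4 ) ||
         ( $4 == "view" && NF > 6 ) ) {
      # snmp-server community foo RO NNN
      # snmp-server community foo view bar RO NNN
      addAclRef("access-list", $NF)
    }
    else if ( $4 == "group" ) {
      # snmp-server community foo group network-operator  -> no ACL
    }
    else if ( $4 == "use-acl" ) {
      # snmp-server community foo use-acl 20
      addAclRef("access-list", $5)
    }
    # field 3 is the community string (a credential): report the line number,
    # never the line itself
    else warnMsg(" *** Warning: line " NR ": unrecognized snmp-server community syntax (line not shown)")
  }
  /^snmp-server tftp-server-list / { addAclRef("access-list", $3) }

  ## class-map

  # policy-map foo; class bar; police ...   (one or two leading spaces)
  /^ *class / { if ( $2 != "class-default" ) addAclRef("class-map", $2) }

  ## policy-map

  /^ *service-policy / {
    # system qos; service-policy type queuing output default-out-policy -> ignored
    # int foo; service-policy (input|output) bar
    # policy-map foo; service-policy bar
    if ( $2 == "input" || $2 == "output" ) addAclRef("policy-map", $3)
    else if ( $2 != "type" ) addAclRef("policy-map", $2)
  }

  ## prefix-list

  /^ *match ipv6 address prefix-list / { addAclRef("prefix-list", $5); next }  # route-map foo ; match ipv6 address prefix-list XXX
  /^ *neighbor [^ ]+ prefix-list / { addAclRef("prefix-list", $4) }            # router bgp ; neighbor XXX prefix-list NNN in|out

  # router bgp NNN / neighbor XXX / address-family ipv(4|6) unicast /
  #   prefix-list XXX (in|out)
  /^ *prefix-list / { addAclRef("prefix-list", $2); next }

  ## route-map

  /^ ip policy route-map / { addAclRef("route-map", $4); next }   # int foo ; ip policy route-map NNN
  # router bgp ; neighbor XXX route-map NNN in|out  -- XXX may be an IPv4/IPv6
  # address or a peer-group name, so accept any non-blank token (as the
  # prefix-list rule above does)
  /^ *neighbor [^ ]+ route-map / { addAclRef("route-map", $4); next }
  /^ *redistribute .* route-map / {
    # router eigrp N / router bgp ASN:
    #   redistribute static route-map NNN
    #   redistribute bgp ASN route-map NNN [metric ...]
    # take the word after "route-map" rather than the last field so that
    # trailing keywords are not recorded as the map name
    for ( n = 3; n < NF; n++ ) if ( $n == "route-map" ) { addAclRef("route-map", $(n + 1)); break }
    next
  }

  # router bgp NNN / neighbor XXX / address-family ipv4 unicast /
  #   route-map XXX (in|out)
  # at least one leading space is required: a top-level "route-map XXX permit N"
  # is a definition and is handled below
  /^ +route-map / { addAclRef("route-map", $2); next }

  ## transform-set

  /^ set transform-set / { addAclRef("transform-set", $3) }      # crypto-map foo; set transform-set bar

  #######################
  ###### ACLs configured:
  ######
  /^access-list / { addAclDef("access-list", $2); next }
  /^ip access-list extended / { addAclDef("access-list", $4); next }
  /^ip access-list standard / { addAclDef("access-list", $4); next }
  /^ip access-list / { addAclDef("access-list", $3); next }
  /^ipv6 access-list / { addAclDef("access-list", $3); next }

  /^class-map match-/ { addAclDef("class-map", $3) }             # class-map match-(any|all) NNN

  /^ip prefix-list / { addAclDef("prefix-list", $3) }
  /^ipv6 prefix-list / { addAclDef("prefix-list", $3) }

  /^policy-map type control-plane / { addAclDef("policy-map", $4); next }  # policy-map type control-plane copp-system-policy
  /^policy-map / { addAclDef("policy-map", $2) }                 # policy-map foo

  /^route-map / { addAclDef("route-map", $2) }                   # route-map foo

  /^crypto ipsec transform-set / { addAclDef("transform-set", $4) }

  ##
  ## end getting ACLs configured/referenced

  # addAclRef(type, aclName): record that filter "type aclName" is referenced
  function addAclRef(type, aclName) {
    aclRef[type " " aclName] = 1
    if ( debug > 4 ) printf("+add aclRef[\"%s %s\"] = 1\n", type, aclName)
  } # end func addAclRef

  # addAclDef(type, aclName): record that filter "type aclName" is configured
  function addAclDef(type, aclName) {
    aclDef[type " " aclName] = 1
    if ( debug > 4 ) printf("+add aclDef[\"%s %s\"] = 1\n", type, aclName)
  } # end func addAclDef

  # printHeader(): print the per-file header once (hdr records that it was)
  function printHeader() {
    hdr = 1
    printf("%s missing commands:\n", filename)
  } # end func printHeader

  # warnMsg(s): print one finding, preceded by the header on first use
  function warnMsg(s) {
    if ( ! hdr ) printHeader()
    printf("%s\n", s)
  } # end func warnMsg

  END {
    # "in" is used instead of aclDef[i] != 1 so the lookup does not create
    # empty entries in the other array while it is being iterated
    for ( i in aclRef ) {
      if ( i in aclDef ) continue
      # copp-system-* objects show up as referenced with no definition in the
      # saved configs this was written against; skipped (left as a FIXME by
      # the original author)
      if ( i ~ /access-list copp-system-acl-/ ) continue
      if ( i ~ /class-map copp-system-class-/ ) continue
      if ( i ~ /policy-map copp-system-policy/ ) continue

      warnMsg( " *** Warning: " i " referenced but not configured!" )
    }

    for ( i in aclDef ) {
      if ( i in aclRef ) continue
      # no warnings for "standard" acls, policies, etc. not referenced
      if ( i == "access-list 113" ) continue
      if ( i == "policy-map vtc" ) continue
      if ( i == "policy-map IP-PHONES" ) continue

      if ( ! ( i in ciscoDefaultCoppUnreferenced ) )
        warnMsg( " *** Warning: " i " configured but not referenced!" )
    }

    if ( hdr ) printf("\n\n")
  } # end of END section
  ' "$1"
}

# main FILE...
# Check every argument in turn; exit status is 1 if any was not readable.
main() {
  rc=0
  for file in "$@"; do
    check_file "$file" || rc=1
  done
  return "$rc"
}

main "$@"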