  1. $ cat refdef.sh
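#!/bin/sh
# refdef.sh - find IOS filters (access-lists, class-maps, policy-maps,
# prefix-lists, route-maps, transform-sets) that are configured but never
# referenced, and filters that are referenced but never configured.
#
# usage: refdef.sh config-file-1 ... config-file-N
#
# Environment:
#   DEBUG=N   awk-side debug verbosity (default 0; >2 and >4 add trace output)
#
# Output: one report per file on stdout, nothing when a file has no findings.
#         Unreadable files and the usage message go to stderr.
# Exit status: 0 when every argument was a readable file and awk succeeded,
#              1 when some file was unreadable or awk failed, 2 on usage error.
#
# NOTE: the END block carries a few site-specific exclusions ("access-list 113",
# "policy-map vtc", "policy-map IP-PHONES"); adjust them for your environment.

DEBUG=${DEBUG:-0}

usage() {
  printf 'usage: %s config-file-1 ... config-file-N\n' "${0##*/}" >&2
}

#######################################
# Scan one IOS configuration and report referenced-but-unconfigured and
# configured-but-unreferenced filters.
# Globals:   DEBUG (read)
# Arguments: $1 - path to the config file (caller checks it is readable)
# Outputs:   report on stdout (empty when there are no findings)
# Returns:   exit status of awk
#######################################
refdef_check_file() {
  # The filename is handed to awk through the environment rather than via
  # "-v name=value": awk processes backslash escapes in -v values, which would
  # mangle a path containing backslashes. The config itself is fed on stdin so
  # a name containing "=" or starting with "-" can never be taken by awk as a
  # variable assignment or an option.
  REFDEF_FILE="$1" awk -v debug="$DEBUG" '
  BEGIN {
    extfilename = ENVIRON["REFDEF_FILE"]

    ## "wr net" appends "-confg" to the filename; strip it for the report header
    filename = extfilename
    if ( filename ~ /-confg$/ ) filename = substr(filename, 1, length(filename)-6)
    if ( debug>2 ) printf("extfilename=%s filename=%s\n", extfilename, filename)

    ## remove directory names - eg: /tftpboot/foo-confg becomes foo-confg
    while ( (n = index(filename, "/")) > 0 ) {
      filename = substr(filename, n+1, length(filename)-n)
      if ( debug>4 ) print "filename(" n ") = " filename
    }
    if ( debug>2 ) printf("extfilename=%s filename=%s\n", extfilename, filename)

    hdr = 0   # becomes 1 once the per-file report header has been printed

    # default CoPP class-maps that IOS adds automatically and never references
    # (seen on sup2t 15.1(2)SY6); excluded from "configured but not referenced"
    ncopp = split("dhcp-snooping unknown-protocol receive mcast-rpf-fail" \
                  " service-insertion mac-pbf wccp mcast-acl-bridged ttl-fail slb" \
                  " mcast-ipv6-control ucast-egress-acl-bridged arp-snooping" \
                  " ip-admission ucast-ingress-acl-bridged mtu-fail options" \
                  " mcast-ip-control nd glean unsupp-rewrite broadcast", copp, " ")
    for ( k = 1; k <= ncopp; k++ )
      ciscoDefaultCoppUnreferenced["class-map class-copp-" copp[k]] = 1
  } # end of BEGIN section

  /\r/ { gsub("\r", "") }   # strip stray carriage returns (DOS line endings)

  /^!/ { next }             # IOS comment / separator lines

  ########################
  ###### referenced ######

  ## access-list

  /^ *access-class / { addAclRef("access-list", $2) }              # line vty ; access-class NNN in
  /^ distribute-list [0-9]+ out / { addAclRef("access-list", $2) } # router eigrp ; distribute-list NN out ifName
  /^ distribute-list prefix / { addAclRef("prefix-list", $3) }     # router eigrp ; distribute-list prefix NNN in ifname
  /^ *ip access-group / { addAclRef("access-list", $3) }           # int foo ; ip access-group NNN in
  /^ ip directed-broadcast / { addAclRef("access-list", $3) }      # int foo ; ip directed-broadcast NNN
  /^ ip multicast boundary / { addAclRef("access-list", $4) }      # int foo ; ip multicast boundary NNN
  /^ ip verify unicast source reachable-via rx allow-default [0-9]/ { addAclRef("access-list", $8); next }
  /^ ipv6 verify unicast source reachable-via rx / {
    # ipv6 verify unicast source reachable-via rx [allow-default] [ACL]
    n = 7
    if ( $(n) == "allow-default" ) n++
    if ( NF >= n ) addAclRef("access-list", $(n))
    next
  }
  /^ *ipv6 access-class / { addAclRef("access-list", $3) }    # line vty ; ipv6 access-class bar in
  /^ ipv6 traffic-filter / { addAclRef("access-list", $3) }   # int foo ; ipv6 traffic-filter bar
  # class-map bodies carry one or two leading spaces, hence " *" below
  /^ *match access-group [0-9]/ { addAclRef("access-list", $3) }   # class-map match-any NNN; match access-group NNN
  /^ *match access-group name / { addAclRef("access-list", $4) }   # class-map match-any NNN; match access-group name XXX
  /^ match address / { addAclRef("access-list", $3) }              # crypto map ; match address NNN
  /^ *match ip address / {   # route-map foo ; match ip address [prefix-list] NNN
    if ( $4 == "prefix-list" ) addAclRef("prefix-list", $5)
    else addAclRef("access-list", $4)
  }
  /^ip http access-class / { addAclRef("access-list", $4) }   # ip http access-class NNN
  /^ip pim rp-address / {
    # ip pim rp-address a.d.d.r NNN [override]
    # ip pim rp-address a.d.d.r override
    # ip pim rp-address a.d.d.r group-list 224.0.0.0/4   (no ACL)
    if ( NF > 4 && $5 != "group-list" && $5 != "override" ) addAclRef("access-list", $5)
  }
  /^ip wccp [0-9]+ redirect-list / { addAclRef("access-list", $5) }      # ip wccp NN redirect-list NNN accelerated
  /^ip wccp web-cache redirect-list / { addAclRef("access-list", $5) }   # ip wccp web-cache redirect-list NNN
  /^ipv6 wccp [^ ]+ redirect-list / { addAclRef("access-list", $5) }     # ipv6 wccp 80 redirect-list wccp-ipv6-in
  /^snmp-server community / {
    if ( ( $4 ~ /^R(O|W)/ && NF > 4 ) || ( $4 == "view" && NF > 6 ) ) {
      # snmp-server community foo RO NNN
      # snmp-server community foo view bar RO NNN
      addAclRef("access-list", $(NF))
    }
    else if ( $4 == "use-acl" ) {
      # snmp-server community foo use-acl 20
      addAclRef("access-list", $5)
    }
    else if ( $4 != "group" ) {
      # "snmp-server community foo group network-operator" carries no ACL;
      # anything else is an unrecognised form worth a look
      warnMsg(" WTF ?? " $0)
    }
  }
  /^snmp-server tftp-server-list / { addAclRef("access-list", $3) }

  ## class-map

  /^ *class / { if ( $2 != "class-default" ) addAclRef("class-map", $2) }   # policy-map foo; class bar; police ...

  ## policy-map

  /^ *service-policy / {
    # system qos; service-policy type queuing output default-out-policy   (skipped)
    # int foo; service-policy (input|output) bar
    # policy-map foo; service-policy bar
    if ( $2 == "input" || $2 == "output" ) addAclRef("policy-map", $3)
    else if ( $2 != "type" ) addAclRef("policy-map", $2)
  }

  ## prefix-list

  /^ *match ipv6 address prefix-list / { addAclRef("prefix-list", $5); next }   # route-map foo ; match ipv6 address prefix-list XXX
  /^ *neighbor [^ ]+ prefix-list / { addAclRef("prefix-list", $4) }            # router bgp ; neighbor XXX prefix-list NNN in|out

  # router bgp NNN / neighbor XXX / address-family ipv(4|6) unicast /  prefix-list XXX (in|out)
  # at least one leading space: a column-0 line is never a reference
  /^ +prefix-list / { addAclRef("prefix-list", $2); next }

  ## route-map

  /^ ip policy route-map / { addAclRef("route-map", $4); next }                 # int foo ; ip policy route-map NNN
  /^ *neighbor [0-9A-F.:]+ route-map / { addAclRef("route-map", $4); next }     # router bgp ; neighbor XXX route-map NNN in|out
  ### could be 1 or 2 leading spaces ++ and account for ipv6 neighbor address
  /^ *redistribute static route-map / { addAclRef("route-map", $4); next }      # router eigrp ; redist static route-map NNN
  /^ *redistribute .* route-map / {
    # router eigrp N ; redistribute static route-map NNN
    #                  redistribute bgp ASN route-map NNN
    addAclRef("route-map", $(NF))
    next
  }

  # router bgp NNN / neighbor XXX / address-family ipv4 unicast /  route-map XXX (in|out)
  # Requires at least one leading space: with "^ *" a top-level
  # "route-map NAME permit 10" definition matched here, was recorded as a
  # reference, and the "next" kept it from ever reaching the definition rule
  # below, so every route-map was reported as referenced but not configured.
  /^ +route-map / { addAclRef("route-map", $2); next }

  ## transform-set

  /^ set transform-set / { addAclRef("transform-set", $3) }   # crypto-map foo; set transform-set bar

  #######################
  ###### configured #####

  /^access-list / { addAclDef("access-list", $2); next }
  /^ip access-list extended / { addAclDef("access-list", $4); next }
  /^ip access-list standard / { addAclDef("access-list", $4); next }
  /^ip access-list / { addAclDef("access-list", $3); next }
  /^ipv6 access-list / { addAclDef("access-list", $3); next }

  /^class-map match-/ { addAclDef("class-map", $3) }   # class-map match-(any|all) NNN

  /^ip prefix-list / { addAclDef("prefix-list", $3) }
  /^ipv6 prefix-list / { addAclDef("prefix-list", $3) }

  /^policy-map type control-plane / { addAclDef("policy-map", $4); next }   # policy-map type control-plane copp-system-policy
  /^policy-map / { addAclDef("policy-map", $2) }                             # policy-map foo

  /^route-map / { addAclDef("route-map", $2) }   # route-map foo

  /^crypto ipsec transform-set / { addAclDef("transform-set", $4) }

  ## end getting ACLs configured/referenced

  # record that filter aclName of the given type (access-list, class-map, ...)
  # is referenced somewhere in the config
  function addAclRef(type, aclName) {
    aclRef[type " " aclName] = 1
    if ( debug > 4 ) printf("+add aclRef[\"%s %s\"] = 1\n", type, aclName)
  } # end func addAclRef

  # record that filter aclName of the given type is configured (defined)
  function addAclDef(type, aclName) {
    aclDef[type " " aclName] = 1
    if ( debug > 4 ) printf("+add aclDef[\"%s %s\"] = 1\n", type, aclName)
  } # end func addAclDef

  # print the per-file report header; hdr makes sure it appears only once
  function printHeader() {
    hdr = 1
    printf("%s missing commands:\n", filename)
  } # end func printHeader

  # print one finding, preceded by the header on the first call
  function warnMsg(s) {
    if ( ! hdr ) printHeader()
    printf("%s\n", s)
  } # end func warnMsg

  END {
    # "in" is used instead of comparing aclDef[i] so the lookup does not
    # create empty elements in the array being checked
    for ( i in aclRef ) {
      if ( i in aclDef ) continue
      # copp-system-* objects are skipped; the original gave no reason,
      # presumably they are platform-provided defaults -- TODO confirm
      if ( i ~ /access-list copp-system-acl-/ ) continue
      if ( i ~ /class-map copp-system-class-/ ) continue
      if ( i ~ /policy-map copp-system-policy/ ) continue
      warnMsg(" *** Warning: " i " referenced but not configured!")
    }

    for ( i in aclDef ) {
      if ( i in aclRef ) continue
      # no warnings for "standard" acls, policies, etc. not referenced (site-specific)
      if ( i == "access-list 113" ) continue
      if ( i == "policy-map vtc" ) continue
      if ( i == "policy-map IP-PHONES" ) continue
      if ( i in ciscoDefaultCoppUnreferenced ) continue
      warnMsg(" *** Warning: " i " configured but not referenced!")
    }

    if ( hdr ) printf("\n\n")
  } # end of END section
  ' < "$1"
}

#######################################
# Check every config file named on the command line.
# Arguments: $@ - config files
# Outputs:   reports on stdout, diagnostics on stderr
# Returns:   0 if all files were readable and scanned, 1 otherwise, 2 on usage error
#######################################
main() {
  if [ $# -lt 1 ]; then
    usage
    return 2
  fi
  refdef_rc=0
  for refdef_file in "$@"; do
    if [ ! -f "$refdef_file" ] || [ ! -r "$refdef_file" ]; then
      printf '%s is not a readable file\n' "$refdef_file" >&2
      refdef_rc=1
      continue
    fi
    refdef_check_file "$refdef_file" || refdef_rc=1
  done
  return "$refdef_rc"
}

main "$@"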