author | Paul Jakma <paul.jakma@sun.com> | 2008-08-23 14:27:06 +0100 |
---|---|---|
committer | Paul Jakma <paul@quagga.net> | 2008-08-23 14:27:06 +0100 |
commit | 62687ff1cd3d4460cdbd4b0fbf1e3298fe277ad2 (patch) | |
tree | 6bea5c1cf07d9d702c95fabe356fcec418b91398 /lib/vty.c | |
parent | b38309a4ee831a440ef78f8a27db584f2f8e8276 (diff) |
[vty] Add support for a 'restricted mode' with anonymous vty connections
* lib/command.h: Add a RESTRICTED_NODE, intended for use with
anonymous, 'no login' vtys, to provide a subset of 'view' mode
commands.
* lib/command.c: Add RESTRICTED_NODE bits, nothing special, just
following VIEW_NODE.
* lib/vty.c: (vty_auth) on enable authentication failure, fall back to
restricted/view node as appropriate.
(vty_create) init vty's to restricted/view node as appropriate,
for the 'no login' case.
(vty_{no_,}restricted_mode_cmd) config commands to enable
'anonymous restricted' in vty configuration.
(vty_config_write) 'anonymous restricted' config.
(vty_init) Install some commands to restricted mode, and the
'anonymous restricted' config commands into VTY_NODE.
* bgpd/*.c: Install some of the safe(r) BGP commands into
'restricted mode', i.e. lookup commands of non-sensitive data.
Useful with looking-glass route-servers.
Diffstat (limited to 'lib/vty.c')
-rw-r--r-- | lib/vty.c | 46 |
1 files changed, 43 insertions, 3 deletions
@@ -82,6 +82,10 @@ static int vty_config;
 /* Login password check. */
 static int no_password_check = 0;
+/* Restrict unauthenticated logins? */
+static const u_char restricted_mode_default = 0;
+static u_char restricted_mode = 0;
+
 /* Integrated configuration file path */
 char integrate_default[] = SYSCONFDIR INTEGRATE_DEFAULT_CONFIG;
@@ -383,7 +387,7 @@ vty_auth (struct vty *vty, char *buf)
 /* AUTH_ENABLE_NODE */
 vty->fail = 0;
 vty_out (vty, "%% Bad enable passwords, too many failures!%s", VTY_NEWLINE);
- vty->node = VIEW_NODE;
+ vty->node = restricted_mode ? RESTRICTED_NODE : VIEW_NODE;
 }
 }
 }
@@ -687,6 +691,7 @@ vty_end_config (struct vty *vty)
 {
 case VIEW_NODE:
 case ENABLE_NODE:
+ case RESTRICTED_NODE:
 /* Nothing to do. */
 break;
 case CONFIG_NODE:
@@ -1094,6 +1099,7 @@ vty_stop_input (struct vty *vty)
 {
 case VIEW_NODE:
 case ENABLE_NODE:
+ case RESTRICTED_NODE:
 /* Nothing to do. */
 break;
 case CONFIG_NODE:
@@ -1613,7 +1619,9 @@ vty_create (int vty_sock, union sockunion *su)
 vty->address = sockunion_su2str (su);
 if (no_password_check)
 {
- if (host.advanced)
+ if (restricted_mode)
+ vty->node = RESTRICTED_NODE;
+ else if (host.advanced)
 vty->node = ENABLE_NODE;
 else
 vty->node = VIEW_NODE;
@@ -2715,6 +2723,26 @@ DEFUN (no_vty_login,
 return CMD_SUCCESS;
 }
+/* initial mode. */
+DEFUN (vty_restricted_mode,
+ vty_restricted_mode_cmd,
+ "anonymous restricted",
+ "Restrict view commands available in anonymous, unauthenticated vty\n")
+{
+ restricted_mode = 1;
+ return CMD_SUCCESS;
+}
+
+DEFUN (vty_no_restricted_mode,
+ vty_no_restricted_mode_cmd,
+ "no anonymous restricted",
+ NO_STR
+ "Enable password checking\n")
+{
+ restricted_mode = 0;
+ return CMD_SUCCESS;
+}
+
 DEFUN (service_advanced_vty,
 service_advanced_vty_cmd,
 "service advanced-vty",
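Review bot: The fallback after too many failed enable passwords now keys on the global `restricted_mode` rather than on how this session entered, so a vty that authenticated through the line password (login enabled) and then fails enable is dropped to RESTRICTED_NODE instead of returning to the VIEW_NODE it already held. If that demotion is not intended, the node the session was created with could be recorded per vty in vty_create and restored here instead of recomputing it from the global; the effect is only more restrictive, never less, so this is a usability point rather than an exposure. vty_auth's body starts and ends outside the hunk.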
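Review bot: The help string for the `no anonymous restricted` DEFUN reads `"Enable password checking\n"`, which describes the `login` command, not this one; the body only clears `restricted_mode`, returning anonymous vtys to full view mode. Reusing the positive form's text keeps the pair consistent and avoids misleading operators about what the command does: `"Restrict view commands available in anonymous, unauthenticated vty\n"`. The `/* initial mode. */` comment above the first DEFUN could also say what it governs, e.g. `/* Initial node for anonymous (no login) vtys: RESTRICTED_NODE instead of VIEW_NODE. */`.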
@@ -2812,7 +2840,15 @@ vty_config_write (struct vty *vty)
 /* login */
 if (no_password_check)
 vty_out (vty, " no login%s", VTY_NEWLINE);
-
+
+ if (restricted_mode != restricted_mode_default)
+ {
+ if (restricted_mode_default)
+ vty_out (vty, " no anonymous restricted%s", VTY_NEWLINE);
+ else
+ vty_out (vty, " anonymous restricted%s", VTY_NEWLINE);
+ }
+
 vty_out (vty, "!%s", VTY_NEWLINE);
 return CMD_SUCCESS;
@@ -2923,6 +2959,8 @@ vty_init (struct thread_master *master_thread)
 /* Install bgp top node. */
 install_node (&vty_node, vty_config_write);
+ install_element (RESTRICTED_NODE, &config_who_cmd);
+ install_element (RESTRICTED_NODE, &show_history_cmd);
 install_element (VIEW_NODE, &config_who_cmd);
 install_element (VIEW_NODE, &show_history_cmd);
 install_element (ENABLE_NODE, &config_who_cmd);
@@ -2943,6 +2981,8 @@ vty_init (struct thread_master *master_thread)
 install_element (VTY_NODE, &no_vty_access_class_cmd);
 install_element (VTY_NODE, &vty_login_cmd);
 install_element (VTY_NODE, &no_vty_login_cmd);
+ install_element (VTY_NODE, &vty_restricted_mode_cmd);
+ install_element (VTY_NODE, &vty_no_restricted_mode_cmd);
 #ifdef HAVE_IPV6
 install_element (VTY_NODE, &vty_ipv6_access_class_cmd);
 install_element (VTY_NODE, &no_vty_ipv6_access_class_cmd); |
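Review bot: Installing `config_who_cmd` into RESTRICTED_NODE in the first vty_init hunk lets an unauthenticated client enumerate the other vty sessions; if `who` prints each session's remote address, as the `vty->address` field set in vty_create suggests it can, that discloses operator source addresses on exactly the public looking-glass deployment the commit message targets. Consider leaving `who` out of RESTRICTED_NODE, or recording the decision next to the install line, `/* 'who' lists other sessions; deliberately exposed to anonymous users */`. `show history` only reflects the caller's own vty and raises no such concern. vty_init's body continues outside both of its hunks.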