05-17-2020 07:21 AM - edited 05-17-2020 07:29 AM
I have a task: using spamhaus.org and TCL to update an access-list. How can I use Tcl to add an entry to an access-list from a text file? I thought of loading the file into an array, but this approach requires the "read" function; unfortunately IOS doesn't have this function. I need full automation from the script: editing a text file into the access-list syntax, then adding the entry to the access-list. Sorry if this topic was raised before; I didn't find it.
P.S. I'm talking about the "drop.txt" blacklist, where the entry format differs from the access-list syntax.
05-17-2020 09:20 AM - edited 05-17-2020 09:24 AM
Hi,
I am not so sure what you mean about the "read" function not being supported. I used it in the scripting below, but I didn't try it on an IOS device.
Could you try this:
$ cat update_acl.tcl
set fd [open "nvram:/drop.txt" r]
set entries [read $fd]
close $fd
set entry [split $entries "\n"]
set cmd "ip access-list extended blacklist"
foreach line $entry {
    if {[string length $line] > 0} {
        # one deny ACE per non-empty line of drop.txt
        set ace "deny ip host $line any log"
        ios_config $cmd $ace
    }
}
ios_config $cmd "no permit ip any any"
ios_config $cmd "permit ip any any"
ios_config "write memory"

$ cat drop.txt
8.8.8.8
8.8.4.4
1.1.1.1
Upload it to your device
IOU3#copy http://192.168.137.1:8080/update_acl.tcl nvram:/update_acl.tcl
Destination filename [update_acl.tcl]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing http://192.168.137.1:8080/update_acl.tcl...
Loading http://192.168.137.1:8080/update_acl.tcl
412 bytes copied in 0.030 secs (13733 bytes/sec)
Execute it
IOU3#tclsh nvram:/update_acl.tcl
IOU3#
*May 17 16:17:46.371: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.372: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.372: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.372: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.373: %SYS-5-CONFIG_I: Configured from console by vty0
*May 17 16:17:46.373: %SYS-5-CONFIG_I: Configured from console by vty0
IOU3#
Verify it:
IOU3#show access-list
Extended IP access list blacklist
    20 deny ip host 8.8.8.8 any log
    40 deny ip host 8.8.4.4 any log
    50 deny ip host 1.1.1.1 any log
    60 permit ip any any
** WARNING: This automation is vulnerable to command injection; you must refine the code to resolve the vulnerability. **
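To show how the command-injection warning above can be addressed, and how the Spamhaus DROP format from the question can be turned into ACL syntax on the device, here is an added example written for this thread; it is not code from the original post or from Cisco. It assumes drop.txt uses the Spamhaus DROP layout ("network/prefix ; comment", where ";" starts a comment), that the file sits at nvram:/drop.txt, and that the ACL is named "blacklist" as in the answer above; the proc names prefix_to_wildcard, drop_line_to_ace and update_blacklist are my own. The defensive idea is allow-listing: a line only reaches ios_config if it matches a strict IPv4/CIDR pattern, so stray text in the file is rejected rather than passed to the IOS parser.

```tcl
# Added example (not from the original post or Cisco): a validated variant of
# the update script. Assumptions: drop.txt uses the Spamhaus DROP layout
# ("network/prefix ; comment", with ";" starting a comment), it is stored at
# nvram:/drop.txt, and the ACL is named "blacklist" as in the answer above.

# One IPv4 octet, 0-255, with no leading zeros; used four times below.
set octet {(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])}
# A.B.C.D with an optional /N (N = 0-32). Anchored, so nothing may follow.
set cidr_re "^$octet\\.$octet\\.$octet\\.$octet(/(3\[0-2\]|\[12\]?\[0-9\]))?\$"

# Prefix length -> dotted wildcard mask, computed per octet so it also works
# with the 32-bit integers of the Tcl 8.3 interpreter built into IOS.
proc prefix_to_wildcard {prefix} {
    set octets {}
    for {set i 0} {$i < 4} {incr i} {
        set bits [expr {$prefix - $i * 8}]
        if {$bits >= 8} {
            lappend octets 0
        } elseif {$bits <= 0} {
            lappend octets 255
        } else {
            lappend octets [expr {255 >> $bits}]
        }
    }
    return [join $octets .]
}

# Return the ACE for one DROP line, or "" if the line holds no valid entry.
# Comment text after ";" is discarded; the rest must match cidr_re exactly.
# Anything that does not match is rejected rather than quoted or escaped, so
# arbitrary text in the file can never reach the IOS command parser.
proc drop_line_to_ace {line} {
    global cidr_re
    set idx [string first ";" $line]
    if {$idx >= 0} {
        set line [string range $line 0 [expr {$idx - 1}]]
    }
    set line [string trim $line]
    if {[string length $line] == 0} {
        return ""
    }
    if {![regexp $cidr_re $line -> o1 o2 o3 o4 slash prefix]} {
        return ""
    }
    if {[string length $prefix] == 0} {
        set prefix 32
    }
    set net "$o1.$o2.$o3.$o4"
    if {$prefix == 32} {
        return "deny ip host $net any log"
    }
    return "deny ip $net [prefix_to_wildcard $prefix] any log"
}

# Read the file, push only validated ACEs, and report what was skipped. When
# ios_config is absent (a plain tclsh on a workstation) the commands are
# printed instead, which doubles as a dry run of a freshly downloaded list.
proc update_blacklist {path aclname} {
    set fd [open $path r]
    set data [read $fd]
    close $fd
    set applied 0
    set rejected {}
    foreach line [split $data "\n"] {
        set ace [drop_line_to_ace $line]
        if {[string length $ace] == 0} {
            set bare [string trim $line]
            # pure comment lines (";...") are normal in a DROP file; anything
            # else that failed validation is worth reporting
            if {[string length $bare] > 0 && [string index $bare 0] != ";"} {
                lappend rejected $line
            }
            continue
        }
        if {[llength [info commands ios_config]] > 0} {
            ios_config "ip access-list extended $aclname" $ace
        } else {
            puts "ip access-list extended $aclname"
            puts " $ace"
        }
        incr applied
    }
    return [list $applied $rejected]
}

foreach {applied rejected} [update_blacklist "nvram:/drop.txt" "blacklist"] {}
puts "applied $applied ACE(s), rejected [llength $rejected] malformed line(s)"
foreach bad $rejected {
    puts "  rejected: $bad"
}
```

A DROP line such as "1.10.16.0/20 ; SBL256894" becomes "deny ip 1.10.16.0 0.0.15.255 any log", while a bare "8.8.8.8" still becomes the host entry the answer's script produces. Running the file under a desktop tclsh (after pointing the path at a local copy of drop.txt) prints the commands instead of applying them, which is a cheap way to inspect a new list before it touches the router. Re-ordering the trailing "permit ip any any" and saving the configuration are left exactly as in the answer's script.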
05-17-2020 09:52 AM
- If you are looking for those kinds of solutions, then you'd better look into firewall application appliances, which can offer such solutions in a much more automated and flexible manner.
M.