[Xorp-hackers] show commands

Kristian Larsson kristian@juniks.net
Mon, 17 Oct 2005 13:37:58 +0200


On Sun, Oct 16, 2005 at 02:20:16PM -0700, Pavlin Radoslavov wrote:
> > Is there a way to combine the "hardcoded" commands
> > within cli.cc with the template files?
> 
> If there is a way, it will probably require a major rewrite of the
> rtrmgr/xorpsh.
I was afraid of that.
> > I would like to have a "show configuration"
> > command available from the operational mode, but
> > as it is right now it seems I must write a
> > separate program and call it with a few lines in a
> > template file, right?
> > It would be much easier if one could just call
> > show_func...
> 
> I would argue that the users shouldn't be allowed to see the running
> configuration when they are in operational mode. Think of the
> security implications it may have if, say, the running configuration
> contains sensitive information (e.g., passwords).
> Remember that sometimes you may want to give "visitors" access to
> your router so people can run operational commands only, but you
> don't want to allow them to mess with your configuration (or even
> look at it).
I somewhat agree with you. Giving access to
operational/configure mode is quite a crude way. A
better way would be to allow/disallow commands
based on user but since it's some time till we're
there I would agree that it's better to not have
"show configuration" within the operational mode.

> > Another thing on my mind; I know this has been
> > brought up before, I even think there is a
> > BugZilla entry for it, but shouldn't show commands
> > be available all the time?
> > If you start rtrmgr with a clean configuration
> > there are almost no show commands at all. This
> > confused me and I know it has others as well. If
> > the "%module bgp" line is removed, the bgp
> > commands appear and if run when bgp isn't started
> > you simply get a "No BGP exists" which IMHO is
> > much better than not seeing the show command at
> > all.
> > 
> > Other opinions?
> 
> Why should a command be in the tree if it cannot do anything?
> This is a feature that was explicitly added to XORP, and my personal
> preference is to keep it.
It's probably mostly old habit. I'm used to having
all the configuration commands available.
"show bgp *" is not such a good example, a better
one would be "show interfaces". It's always nice
to have some of these show commands so that you
can easily get a grip on the router.

> Simply removing the "%module foo" line is not the right thing
> because without that line the external command will be executed
> anyway, and the result may be unpredictable.
Ah. The external command would need some error
handling, yes.

> If many other users also prefer to always have all commands in the
> tree and to see the "No foo exists" message, then ideally this
> feature should be configurable. Unfortunately, we don't have a
> mechanism (yet) to configure things like this.
I have given it some thought, and I think you're
right with a few exceptions such as the "show
interfaces" command. What's your opinion on the
"show interfaces" command? 
 
   Kristian.