[rancid] Re: 2.3.2.a5: Make ACL sorting configurable

Lance Vermilion rancid at gheek.net
Tue Sep 26 05:20:29 UTC 2006


John,

I don't know how you guys do it at your organization but when you make heavy use of ACLs and they get out of order, that can impact the processor of the router/pix/switch. This is important if you are using these configs to restore from.

Maybe I am misunderstanding the original gripe, but I recall the issue being with the ACLs being sorted and them differing from the original order that the ACLs were on the router/pix/switch.

-- 

-Lance <rancid at gheek.net>

On Mon, Sep 25, 2006 at 09:55:08PM -0700, john heasley wrote:
> Thu, Sep 21, 2006 at 03:06:50PM +0200, Michael Stefaniuc:
> > Hello,
> > 
> > the attached patch makes the ACL sorting configurable. Default is to
> > still sort the ACLs but this rancid "feature" can now be disabled
> > easily. The patch implements this only for "cisco" type devices as this
> > is what i cared most for now.
> > 
> > Copyright and license is whatever it is needed to make this patch go in
> > into the main rancid package.
> 
> I do not see what is wrong with the sorting?  David LaPorte pointed out that
> if the order of statements on the router changed, he would not receive the
> diffs, but the order should not matter and the end result be the same.  The
> sorting should only affect lines with the same name (ACL name or number) and
> action (permit/deny/remark).
> 
> So, is this just distaste or am I being dense and missing the problem?  An
> example of the problem, please.
> 
> > --- ./bin/rancid.in.aclsort	2006-08-12 04:34:22.000000000 +0200
> > +++ ./bin/rancid.in	2006-09-13 20:40:36.000000000 +0200
> > @@ -35,6 +35,7 @@
> >  $found_env = 0;
> >  $found_diag = 0;
> >  $timeo = 90;				# clogin timeout in seconds
> > +$aclsort = "ipsort";
> >  
> >  my(@commandtable, %commands, @commands);# command lists
> >  my(%filter_pwds);			# password filtering mode
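Review bot: the new `$aclsort = "ipsort";` line carries no comment, unlike the adjacent `$timeo = 90; # clogin timeout in seconds`, and nothing in the hunk says which values are valid. Since the only two values the patch ever assigns are `"ipsort"` and the empty string, a trailing comment such as `# ACL sort mode: "ipsort" or "" (keep device order)` would let a reader of rancid.in find the knob without having to locate the ACLSORT environment check further down.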
> > @@ -1593,14 +1594,14 @@
> >  	s/\$(Revision|Id):/ $1:/;
> >  	# order access-lists
> >  	/^access-list\s+(\d\d?)\s+(\S+)\s+(\S+)/ &&
> > -	    ProcessHistory("ACL $1 $2","ipsort","$3","$_") && next;
> > +	    ProcessHistory("ACL $1 $2","$aclsort","$3","$_") && next;
> >  	# order extended access-lists
> >  	/^access-list\s+(\d\d\d)\s+(\S+)\s+ip\s+host\s+(\S+)/ &&
> > -	    ProcessHistory("EACL $1 $2","ipsort","$3","$_") && next;
> > +	    ProcessHistory("EACL $1 $2","$aclsort","$3","$_") && next;
> >  	/^access-list\s+(\d\d\d)\s+(\S+)\s+ip\s+(\d\S+)/ &&
> > -	    ProcessHistory("EACL $1 $2","ipsort","$3","$_") && next;
> > +	    ProcessHistory("EACL $1 $2","$aclsort","$3","$_") && next;
> >  	/^access-list\s+(\d\d\d)\s+(\S+)\s+ip\s+any/ &&
> > -	    ProcessHistory("EACL $1 $2","ipsort","0.0.0.0","$_") && next;
> > +	    ProcessHistory("EACL $1 $2","$aclsort","0.0.0.0","$_") && next;
> >  	# order arp lists
> >  	/^arp\s+(\d+\.\d+\.\d+\.\d+)\s+/ &&
> >  	    ProcessHistory("ARP","ipsort","$1","$_") && next;
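Review bot: the four ACL/EACL calls switch from the literal `"ipsort"` to `"$aclsort"`, but the `arp` entries in the same region stay hard-wired to `"ipsort"`. If the goal is to reproduce the device's own ordering when ACLSORT=NO, it is worth stating in the patch description (or the config comment) that only access-list lines are affected and ARP entries are still sorted; otherwise a user comparing a restored config against the running one will see ARP lines reordered and assume the option is not working.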
> > @@ -1819,6 +1820,11 @@
> >      $filter_pwds = 1;
> >  }
> >  
> > +# check ACL sorting mode
> > +if (defined($ENV{"ACLSORT"}) && $ENV{"ACLSORT"} =~ /no/i) {
> > +    $aclsort = "";
> > +}
> > +
> >  ProcessHistory("","","","!RANCID-CONTENT-TYPE: cisco\n!\n");
> >  ProcessHistory("COMMENTS","keysort","B0","!\n");
> >  ProcessHistory("COMMENTS","keysort","D0","!\n");
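Review bot: the test `$ENV{"ACLSORT"} =~ /no/i` is an unanchored substring match, so any value containing "no" anywhere (not just `NO`) disables sorting, while a value that does not contain it silently keeps sorting. Anchoring the pattern, e.g. `$ENV{"ACLSORT"} =~ /^no$/i`, would make the check match only the documented `NO` value and avoid surprising results from typos or other spellings.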
> > --- ./etc/rancid.conf.sample.in.aclsort	2005-08-15 02:42:50.000000000 +0200
> > +++ ./etc/rancid.conf.sample.in	2006-09-13 20:47:08.000000000 +0200
> > @@ -41,6 +41,9 @@
> >  # if NOCOMMSTR is set, snmp community strings will be stripped from the configs
> >  #NOCOMMSTR=YES; export NOCOMMSTR
> >  #
> > +# Set ACLSORT to NO to disable the sorting of the ACLs.
> > +#ACLSORT=YES
> > +#
> >  # How many times failed collections are retried (for each run) before
> >  # giving up.  Minimum: 1
> >  #MAX_ROUNDS=4; export MAX_ROUNDS
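Review bot: the sample line `#ACLSORT=YES` omits the `; export ACLSORT` that the neighbouring entries (`#NOCOMMSTR=YES; export NOCOMMSTR`, `#MAX_ROUNDS=4; export MAX_ROUNDS`) carry. Because rancid.in reads the setting through `$ENV{"ACLSORT"}`, a user who uncomments this line as written will set a shell variable that never reaches the script and sorting will stay enabled. Suggest `#ACLSORT=NO; export ACLSORT`, which both exports the variable and shows the value the comment tells the user to set.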
> 
> > _______________________________________________
> > Rancid-discuss mailing list
> > Rancid-discuss at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss