[rancid] Re: 2.3.2.a5: Make ACL sorting configurable

john heasley heas at shrubbery.net
Tue Sep 26 22:36:52 UTC 2006 

Tue, Sep 26, 2006 at 11:30:24AM +0200, Michael Stefaniuc:
> john heasley wrote:
> > Thu, Sep 21, 2006 at 03:06:50PM +0200, Michael Stefaniuc:
> > 
> >>Hello,
> >>
> >>the attached patch makes the ACL sorting configurable. Default is to
> >>still sort the ACLs but this rancid "feature" can now be disabled
> >>easily. The patch implements this only for "cisco" type devices as this
> >>is what i cared most for now.
> >>
> >>Copyright and license is whatever it is needed to make this patch go in
> >>into the main rancid package.
> > 
> > 
> > I do not see what is wrong with the sorting?  David LaPorte pointed out that
> > if the order of statements on the router changed, he would not receive the
> > diffs, but the order should not matter and the end result be same.  The
> > sorting should only affect lines with the same name (ACL name or number) and
> > action (permit/deny/remark).
> As others have pointed out it could be a performance problem on devices
> with heavy traffic and long permit/deny blocks of ACL rules. I doubt we
> are affected by this as we have quite a few comments in our ACLs.

ah-ha, so you (as you should) might know that the majority of your traffic
originates from 192.168/16 compared to 10/8 and thus arrive at

	permit ip 192.168/16
	permit ip 10/8

which would be more efficient for your traffic, but rancid would swap the
two while sorting.  There in lies the difference folks have trying to
convey to me.

Have I nailed that part of the argument?  

> > So, is this just distaste or am I being dense and missing the problem?  An
> > example of the problem, please.
> I wouldn't call it distaste, more like following the principle of the
> least surprise.
> 
> We use the configs saved by rancid for recovery purpose but also for
> people (even the Network Group) to quickly check the config of a device.
> It happened a couple of times that i looked first at the saved config
> and then at the ACLs directly on the router and I went "WTF, did
> somebody change the ACL in the mean time?". Validating that the
> differences are only rancid's ACL sorting takes time and distracts from
> the work one needed to do. And I _know_ about rancid's ACL sorting but
> my colleagues have probably forgotten about it.
> 
> And some people are picky about "their" ACLs and don't like something
> messing with those. This is the second ACL sorting discussion i have
> seen on this list and i'm subscribed only for a year now.

Ok, then feature needs to be applied to the other platforms as well.

More information about the Rancid-discuss mailing list