[rancid] Re: 2.3.2.a5: Make ACL sorting configurable

Lance Vermilion rancid at gheek.net
Tue Sep 26 22:48:03 UTC 2006


John,

That would be correct if someone has it set up like that. When you are making 
granular ACLs you might have something like this. How would ipsort sort this?

permit host 1.1.1.3 host 2.2.2.2 port 53
permit 1.1.1.1 255.255.255.0 host 2.2.2.2 port 161
deny 1.1.1.1 255.255.255.0 host 2.2.2.2

-- 

-Lance <rancid at gheek.net>

On Tue, Sep 26, 2006 at 03:36:52PM -0700, john heasley wrote:
> Tue, Sep 26, 2006 at 11:30:24AM +0200, Michael Stefaniuc:
> > john heasley wrote:
> > > Thu, Sep 21, 2006 at 03:06:50PM +0200, Michael Stefaniuc:
> > > 
> > >>Hello,
> > >>
> > >>the attached patch makes the ACL sorting configurable. Default is to
> > >>still sort the ACLs but this rancid "feature" can now be disabled
> > >>easily. The patch implements this only for "cisco" type devices as this
> > >>is what I cared most for now.
> > >>
> > >>Copyright and license are whatever is needed to make this patch go into
> > >>the main rancid package.
> > > 
> > > 
> > > I do not see what is wrong with the sorting?  David LaPorte pointed out that
> > > if the order of statements on the router changed, he would not receive the
> > > diffs, but the order should not matter and the end result be same.  The
> > > sorting should only affect lines with the same name (ACL name or number) and
> > > action (permit/deny/remark).
> > As others have pointed out it could be a performance problem on devices
> > with heavy traffic and long permit/deny blocks of ACL rules. I doubt we
> > are affected by this as we have quite a few comments in our ACLs.
> 
> ah-ha, so you (as you should) might know that the majority of your traffic
> originates from 192.168/16 compared to 10/8 and thus arrive at
> 
> 	permit ip 192.168/16
> 	permit ip 10/8
> 
> which would be more efficient for your traffic, but rancid would swap the
> two while sorting.  Therein lies the difference folks have been trying to
> convey to me.
> 
> Have I nailed that part of the argument?  
> 
> > > So, is this just distaste or am I being dense and missing the problem?  An
> > > example of the problem, please.
> > I wouldn't call it distaste, more like following the principle of the
> > least surprise.
> > 
> > We use the configs saved by rancid for recovery purpose but also for
> > people (even the Network Group) to quickly check the config of a device.
> > It happened a couple of times that I looked first at the saved config
> > and then at the ACLs directly on the router and I went "WTF, did
> > somebody change the ACL in the meantime?". Validating that the
> > differences are only rancid's ACL sorting takes time and distracts from
> > the work one needed to do. And I _know_ about rancid's ACL sorting but
> > my colleagues have probably forgotten about it.
> > 
> > And some people are picky about "their" ACLs and don't like something
> > messing with those. This is the second ACL sorting discussion I have
> > seen on this list and I'm subscribed only for a year now.
> 
> Ok, then the feature needs to be applied to the other platforms as well.
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
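Lance's question about how ipsort would order those three lines, as an added example that is not rancid's code and not from any poster on the thread: a small Python model that sorts each contiguous run of same-action entries by numeric address, as the thread describes rancid doing, and then compares first-match decisions before and after the sort. It assumes a minimal extended-ACE grammar and treats the mask as a subnet mask; both are assumptions, not anything the thread states.

```python
import ipaddress

# Constructed from the three lines Lance posted (Cisco-style extended ACE fragments).
ACL = [
    "permit host 1.1.1.3 host 2.2.2.2 port 53",
    "permit 1.1.1.1 255.255.255.0 host 2.2.2.2 port 161",
    "deny 1.1.1.1 255.255.255.0 host 2.2.2.2",
]
# Constructed sample packets as (src, dst, dport); anything else hits the implicit deny.
PACKETS = [("1.1.1.3", "2.2.2.2", 53), ("1.1.1.5", "2.2.2.2", 161),
           ("1.1.1.5", "2.2.2.2", 80), ("9.9.9.9", "2.2.2.2", 53)]

def parse_ace(line):
    """Assumed grammar: '<action> (host A | A MASK) (host B | B MASK) [port N]'.
    MASK is treated as a subnet mask here (an assumption; the thread does not say)."""
    toks = line.split()
    nets, i = [], 1
    for _ in range(2):
        if toks[i] == "host":
            nets.append(ipaddress.ip_network(toks[i + 1] + "/32"))
        else:
            nets.append(ipaddress.ip_network((toks[i], toks[i + 1]), strict=False))
        i += 2
    port = int(toks[i + 1]) if i < len(toks) and toks[i] == "port" else None
    return {"action": toks[0], "src": nets[0], "dst": nets[1], "port": port, "text": line}

def sort_runs(aces):
    """Sort each contiguous run of same-action entries by numeric (src, dst, port).
    This models the behaviour the thread describes; it is not rancid's own sort."""
    key = lambda a: (int(a["src"].network_address), a["src"].prefixlen,
                     int(a["dst"].network_address), a["dst"].prefixlen, a["port"] or 0)
    out, run = [], []
    for a in aces:
        if run and run[-1]["action"] != a["action"]:
            out.extend(sorted(run, key=key))
            run = []
        run.append(a)
    return out + sorted(run, key=key)

def first_match(aces, src, dst, port):
    """Return (action, index) of the first matching entry, or ('deny', None) for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, a in enumerate(aces):
        if s in a["src"] and d in a["dst"] and a["port"] in (None, port):
            return a["action"], i
    return "deny", None

def same_decisions(a, b, packets):
    """True when both orderings yield the same action for every packet (the index may differ)."""
    return all(first_match(a, *p)[0] == first_match(b, *p)[0] for p in packets)

if __name__ == "__main__":
    original = [parse_ace(l) for l in ACL]
    resorted = sort_runs(original)
    print("\n".join(a["text"] for a in resorted))
    # Same decisions, but the host 1.1.1.3 / port 53 rule is no longer evaluated first.
    print(same_decisions(original, resorted, PACKETS),
          first_match(original, *PACKETS[0]), first_match(resorted, *PACKETS[0]))
```

The decisions stay identical because the sort never crosses a permit/deny boundary, which is John's point; the index change is the first-match cost that the performance objection is about.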
