[rancid] xrrancid destroys ipv[46] ACLs
Erik Wenzel
erik at code.de
Wed Jan 11 10:11:02 UTC 2012
Am 10.01.2012 um 20.40 schrieb heasley:
> Tue, Jan 10, 2012 at 07:52:14PM +0100, Erik Wenzel:
>>
>> Am 10.01.2012 um 18.36 schrieb heasley:
>>
>>> Tue, Jan 10, 2012 at 05:41:26PM +0100, Erik Wenzel:
>>>> regardless of setting ACLSORT in rancid.conf xrrancid is sorting an ACL like:
>>>> ---snip---
>>>> #sh ipv4 access-lists eriktest-v4
>>>> ipv4 access-list eriktest-v4
>>>> 1 remark erik
>>>> 10 remark tests
>>>> 100 remark acls
>>>> 1000 deny ipv4 any any
>>>> #sh ipv6 access-lists eriktest
>>>> ipv6 access-list eriktest
>>>> 1 remark erik
>>>> 10 remark tests
>>>> 100 remark acls
>>>> 1000 deny ipv6 any any
>>>> ---snip---
>>>> to:
>>>> ---snip---
>>>> [?]
>>>> deny ipv6 any any
>>>> ipv6 access-list eriktest
>>>> 1 remark erik
>>>> 10 remark tests
>>>> 100 remark acls
>>>> [?]
>>>> !
>>>> deny ipv4 any any
>>>> ipv4 access-list eriktest-v4
>>>> 1 remark erik
>>>> 10 remark tests
>>>> 100 remark acls
>>>> !
>>>> [?]
>>>> ---snip---
>>>> ? in rancid backup. This is completely useless. This can't be used in case of
>>>> recovery. I urge everyone who uses xrrancid and sequence numbers to verify their
>>>> ACLs in CVS. My workaround is to comment out line 1022-1037. Can someone who is
>>>> using IOS-XR in this setup confirm this behavior?
>>>
>>> i'm not sure if i understand what the behavior is that you are trying to
>>> describe. could you explain in more detail?
>> I want a working configuration backup. As you can see in the second snippet above the ACL is crippled. I extracted it from the checked out file from CVS. Why does xrrancid mess around with ACLs? I set ACLSORT to NO and still some code(line 1022-1037 in xrrancid) removes sequence numbers lines containing allow or deny from configuration. Is there a use case I do not see?
>
> removing the sequence numbers is intentional - they're useless and cause diffs
> that obscure what actually changed. removing sequence numbers does not render
> the config for restoration.
Intentional? You do not expect an unchanged backup of your configuration from a rancid user point of view? I do. In my case I need exactly the same sequence number in the backup, because there is a meaning in each.
>
> ACLSORT does not affect the removal of the sequence numbers, which you already
> know.
>
> but, i now understand the behavior and i'll fix it.
If that fix means that the removal of sequence numbers depends on a ACLSORT=YES ...
I think it is not a obvious solution, but it is one. Which is fine with me.
--
Erik Wenzel
erik at code.de
More information about the Rancid-discuss
mailing list