[tac_plus] IP block with net mask instead of regex in acl
Alan McKinnon
alan.mckinnon at gmail.com
Fri Jun 10 08:14:48 UTC 2011
Apparently, though unproven, at 01:28 on Friday 10 June 2011, Asif Iqbal did
opine thusly:
> Is there a way to define an IP block with netmasks instead of regex in
> tacacs+ config?
Unfortunately not. The parser understands only regexes.
However, I'm sure John will gratefully review high-quality patches.
>
> I looked through the tac_plus mailing list
> www.shrubbery.net/pipermail/tac_plus with avail
>
> So instead of doing it like this
>
> acl = foo_acl {
> deny = 192.168.0.([12][0-9]|[3][01])$ <== not sure if it is correct
> permit = .*
> }
>
> I wonder if there is a way to add the above snippet like below
>
> acl = foo_acl {
> deny = 192.168.0.0/27 # or 192.168.0.0 mask 255.255.255.224
> permit = .*
> }
>
> So much easier to manage network list with subnet masking option than
> regex.
>
> Thanks
--
alan dot mckinnon at gmail dot com
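
Since the parser accepts only regexes, one workable approach is to generate the regex from the CIDR block and check it exhaustively before it goes into a deny rule. The sketch below is an added example, not code from this thread or from tac_plus. Its function names are hypothetical, it handles only prefixes of /24 to /32, and it assumes the acl regex dialect accepts `^`, `\.`, grouping and alternation as used in the quoted example.

```python
import ipaddress
import re

# Regex copied from the quoted post, checked below against the intended /27.
POST_REGEX = r"192.168.0.([12][0-9]|[3][01])$"

def octet_range_regex(lo, hi):
    """Alternation matching every integer lo..hi (0-255), one branch per decade."""
    branches = []
    for tens in range(lo // 10, hi // 10 + 1):
        first = max(lo, tens * 10) % 10
        last = min(hi, tens * 10 + 9) % 10
        units = str(first) if first == last else f"[{first}-{last}]"
        branches.append((str(tens) if tens else "") + units)
    return "(" + "|".join(branches) + ")"

def cidr_to_acl_regex(cidr):
    """Anchored regex for an IPv4 block of /24 or longer (only the last octet varies)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen < 24:
        raise ValueError("this sketch only handles IPv4 prefixes /24 to /32")
    head, lo = str(net.network_address).rsplit(".", 1)
    hi = str(net.broadcast_address).rsplit(".", 1)[1]
    return "^" + re.escape(head + ".") + octet_range_regex(int(lo), int(hi)) + "$"

def mismatches(pattern, cidr):
    """Last octets in the enclosing /24 where the regex and the CIDR block disagree."""
    net = ipaddress.ip_network(cidr, strict=True)
    head = str(net.network_address).rsplit(".", 1)[0]
    parent = ipaddress.ip_network(head + ".0/24")
    rx = re.compile(pattern)
    return [int(str(addr).rsplit(".", 1)[1]) for addr in parent
            if bool(rx.search(str(addr))) != (addr in net)]

if __name__ == "__main__":
    block = "192.168.0.0/27"
    generated = cidr_to_acl_regex(block)
    print("deny =", generated)
    print("generated regex disagrees on:", mismatches(generated, block))
    print("post's regex disagrees on:   ", mismatches(POST_REGEX, block))
```

Any last octet reported by `mismatches` for a deny pattern is an address the rule handles differently from the intended block, so for the ACL in the quoted post a missed address would fall through to `permit = .*`.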