[tac_plus] tac_plus acl match on everything
Alan McKinnon
alan.mckinnon at gmail.com
Thu Jan 19 20:52:14 UTC 2012
On Thu, 19 Jan 2012 20:58:36 +0100
Andreas Jacobi <andreasjacobi85 at gmail.com> wrote:
> Hi,
>
> I have a tac_plus installation on a Slackware server. Everything
> works fine except my acls.
> It seems that whatever I type in an acl, it will match.
>
> For example, an acl with the regexp test will match any of my network
> equipment's source IP addresses. I tested it with a deny acl and here
> is the debug output (ip is replaced with a fake but you get the idea):
> ip 11.111.11.1 matched deny regex test of acl filter test-acl
>
> The acl config:
> acl = test-acl {
> deny = test
> allow = .*
> }
>
> I then apply the acl to a group.
> group = test-group {
> acl = test-acl
> }
>
>
> tac_plus version F4.0.4.20
>
> What am I missing here?

You aren't missing anything :-)

Your syntax is correct and it should do exactly what you expect. My
config works along the same lines here and it does the job 100% with
several versions <= 4.0.4.19.

You are the second person in a week to raise this very issue with
4.0.4.19, so I would advise you to try it with 4.0.4.19 or earlier and see
if it occurs there too.

As a data point, my tac-plus runs on FreeBSD from ports using the
standard setup in the ports Makefile. What platform are you running on?

--
Alan McKinnon
alan.mckinnon at gmail.com
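
Added example, not part of the original thread and not tac_plus code: a small reference model for checking whether a "matched" debug line like the one quoted above agrees with what the posted acl should do. It assumes entries are tried in order, that the first matching regex decides, and that no match means deny; Python's re module stands in for the daemon's regex library, and all function names are hypothetical.

```python
import re

# Constructed sample: the acl block as posted in the question above.
SAMPLE_CONF = """
acl = test-acl {
    deny = test
    allow = .*
}
"""

ACL_RE = re.compile(r"^\s*acl\s*=\s*(\S+)\s*\{\s*$")
ENTRY_RE = re.compile(r"^\s*(deny|allow)\s*=\s*(\S.*?)\s*$")  # keywords as on the page
DEBUG_RE = re.compile(r"ip (\S+) matched (\S+) regex (.+) of acl filter (\S+)")


def parse_acls(text):
    """Return {acl_name: [(action, compiled_regex), ...]} in file order."""
    acls, current = {}, None
    for line in text.splitlines():
        header = ACL_RE.match(line)
        if header:
            current = acls.setdefault(header.group(1), [])
        elif line.strip() == "}":
            current = None
        elif current is not None:
            entry = ENTRY_RE.match(line)
            if entry:
                current.append((entry.group(1), re.compile(entry.group(2))))
    return acls


def evaluate(acl, address):
    """Assumed semantics: first matching entry decides; no match means deny."""
    for action, regex in acl:
        if regex.search(address):
            return action, regex.pattern
    return "deny", None


def check_debug_line(acls, line):
    """True if the debug line agrees with the model, False if not, None if unparsed."""
    m = DEBUG_RE.search(line)
    if not m:
        return None
    address, action, pattern, name = m.groups()
    return evaluate(acls[name], address) == (action, pattern)
```

For the posted address the model falls through the deny entry to the catch-all, so a debug line reporting a match on "test" disagrees with the configuration rather than reflecting it.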