[tac_plus] Adding a /29 network on acl

Daniel Schmidt daniel.schmidt at wyo.gov
Wed Apr 10 21:35:33 UTC 2013


I was going to add this functionality to do_auth, but it would require
everybody to install IPNetwork egg and I have been too busy to look into
it.  Would not be hard to add / notation.  Something like: if (net.find
'/' > -1) then try: the_net = IPNetwork(net), try: the_net2 =
IPNetwork(net2), return the_net == the_net2, except: print "#*(@, that
should have worked".

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
Sent: Wednesday, April 10, 2013 3:09 PM
To: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Adding a /29 network on acl

On 10/04/2013 21:58, Asif Iqbal wrote:
> Hi All,
>
> I see examples of /24 and /16 in tac_plus.conf(5). How would you add a
> /29 for an acl?
>
> Thanks
>

The short answer is that you don't :-(

The ACL is not a network address so you cannot use any of the familiar
network notations. It is a regex so you have to express it as a regex.
And that depends highly on the addresses you are working with.

Using for example 10.0.0.8/29, I would do this:

acl = whatever {
	# 10.0.0.8 and 10.0.0.9
	permit = "^10\.0\.0\.[89]$"
	# 10.0.0.10 through 10.0.0.15
	permit = "^10\.0\.0\.1[012345]$"
}

Note how I used two lines, it just seems easier like that.

Or, a /29 is just 8 lines, so maybe I would just list all 8 individually
and spare myself the pain of expanding the addresses and figuring out the
regex.

The long answer is that to do it right, you patch the code to be able to
deal with addresses properly as addresses, announce your patch here, and
legions of sysadmins will be eternally grateful.


--
Alan McKinnon
alan.mckinnon at gmail.com

_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus

E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.
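The two approaches above, turned into working code as an added example (this is not code from the tac_plus project, from do_auth, or from either poster): the first function expands any IPv4 CIDR into the anchored regex form that a tac_plus acl needs, generalising the hand-written /29 above to any prefix length; the second renders the acl block; the third checks the generated regex against every address inside the block and the addresses just outside its edges, which is the step most easily skipped when the regex is written by hand. A small match_entry helper shows the address-as-address check the reply describes, using the standard library ipaddress module rather than the IPNetwork egg. The acl name "whatever" is taken from the posted config; all addresses are constructed test data.

```python
"""Build and verify a tac_plus acl regex from a CIDR block.

Added example, not tac_plus or do_auth code. tac_plus acl entries are
regexes matched against the client address as text, so a CIDR block has
to be expanded into a regex over the dotted quad. Uses the standard
library `ipaddress` module in place of the IPNetwork egg mentioned in
the thread. Addresses below are constructed test data.
"""
import ipaddress
import re


def cidr_to_regex(cidr: str) -> str:
    """Return an anchored regex matching exactly the addresses in `cidr`.

    Each octet is handled on its own:
      * octets fully inside the prefix become a literal,
      * the octet the prefix boundary falls in becomes an alternation
        of the in-range values,
      * octets entirely beyond the prefix match any 1-3 digit run
        (the input is an address supplied by the NAS, so that is enough).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only")
    parts = []
    for i, octet in enumerate(net.network_address.packed):
        bits = net.prefixlen - 8 * i  # prefix bits that cover this octet
        if bits >= 8:
            parts.append(str(octet))
        elif bits <= 0:
            parts.append(r"\d{1,3}")
        else:
            span = 1 << (8 - bits)  # number of host values in this octet
            values = "|".join(str(octet + k) for k in range(span))
            parts.append("(" + values + ")")
    return "^" + r"\.".join(parts) + "$"


def acl_block(name: str, cidrs) -> str:
    """Render a tac_plus `acl = name { permit = "..." }` block,
    one permit line per CIDR, tab-indented like the posted config."""
    lines = [f"acl = {name} {{"]
    lines += [f'\tpermit = "{cidr_to_regex(c)}"' for c in cidrs]
    lines.append("}")
    return "\n".join(lines)


def regex_matches_cidr_exactly(cidr: str) -> bool:
    """True if the regex accepts every address in the block and rejects
    the address immediately below and immediately above it."""
    net = ipaddress.ip_network(cidr, strict=False)
    pat = re.compile(cidr_to_regex(cidr))
    first = int(net.network_address)
    last = int(net.broadcast_address)
    lo, hi = max(first - 1, 0), min(last + 2, 2 ** 32)
    for n in range(lo, hi):
        addr = ipaddress.ip_address(n)
        if (pat.fullmatch(str(addr)) is not None) != (addr in net):
            return False
    return True


def match_entry(client: str, entry: str) -> bool:
    """Address-as-address check: `entry` is either a plain address
    (exact match) or a CIDR block (membership test)."""
    if "/" in entry:
        return ipaddress.ip_address(client) in ipaddress.ip_network(entry, strict=False)
    return ipaddress.ip_address(client) == ipaddress.ip_address(entry)


if __name__ == "__main__":
    print(acl_block("whatever", ["10.0.0.8/29"]))
    print("regex verified:", regex_matches_cidr_exactly("10.0.0.8/29"))
```

For the /29 in the thread this emits a single permit line, `^10\.0\.0\.(8|9|10|11|12|13|14|15)$`, which is equivalent to the two hand-written lines above; the verification loop is cheap for anything /16 or longer.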



More information about the tac_plus mailing list