[tac_plus] Adding a /29 network on acl

Alan McKinnon alan.mckinnon at gmail.com
Wed Apr 10 21:40:24 UTC 2013


I'm going to need that functionality myself in do_auth sometime soon[1]
so I might as well write this patch too and send it on to you if you
don't get there first.


[1] "soon" in this context is defined to be "once I've navigated the
political minefield of how each team wants their kit to work and who has
those rights" :-)



On 10/04/2013 23:35, Daniel Schmidt wrote:
> I was going to add this functionality to do_auth, but it would require
> everybody to install IPNetwork egg and I have been too busy to look into
> it.  Would not be hard to add / notation.  Something like: if (net.find
> '/' > -1) then try: the_net = IPNetwork(net), try: the_net2 =
> IPNetwork(net2), return the_net == the_net2, except: print "#*(@, that
> should have worked".
> 
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
> Sent: Wednesday, April 10, 2013 3:09 PM
> To: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Adding a /29 network on acl
> 
> On 10/04/2013 21:58, Asif Iqbal wrote:
>> Hi All,
>>
>> I see examples of /24 and /16 in tac_plus.conf(5). How would you add a
>> /29 for an acl?
>>
>> Thanks
>>
> 
> The short answer is that you don't :-(
> 
> The ACL is not a network address so you cannot use any of the familiar
> network notations. It is a regex so you have to express it as a regex.
> And that depends highly on the addresses you are working with.
> 
> Using for example 10.0.0.8/29, I would do this:
> 
> acl = whatever {
> 	permit = "^10\.0\.0\.[89]$"
> 	permit = "^10\.0\.0\.1[012345]$"
> }
> 
> Note how I used two lines, it just seems easier like that.
> 
> Or, a /29 is just 8 lines, so maybe I would just list all 8 individually
> and spare myself the pain of expanding the addresses and figuring out the
> regex.
> 
> The long answer is that to do it right, you patch the code to be able to
> deal with addresses properly as addresses, announce your patch here, and
> legions of sysadmins will be eternally grateful.
> 
> 
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
> 


-- 
Alan McKinnon
alan.mckinnon at gmail.com
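As an added illustration (not code from the thread or from tac_plus/do_auth): the first function spells out a CIDR block as the anchored per-address regexes a tac_plus acl needs, the way the /29 above is hand-expanded; the third is the do_auth-style network check sketched above, using the standard library's ipaddress module in place of the IPNetwork egg (my substitution, and the function names are my own).

```python
# Added example: expand a CIDR block into the per-address regex ACL that
# tac_plus.conf needs, plus a stdlib replacement for the IPNetwork check.
import ipaddress
import re


def cidr_to_tacplus_acl(name, cidr):
    """Return a tac_plus 'acl' stanza that permits every address in cidr.

    tac_plus ACL entries are regexes matched against the client address
    string, so a /29 is spelled out as 8 anchored 'permit' lines rather
    than written as a network.  Network and broadcast addresses are
    included, as in the hand-written /29 regex in the thread.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    lines = [f"acl = {name} {{"]
    for host in net:
        # re.escape turns 10.0.0.8 into 10\.0\.0\.8; ^ and $ keep the
        # pattern from also matching 110.0.0.8 or 10.0.0.80.
        lines.append(f'\tpermit = "^{re.escape(str(host))}$"')
    lines.append("}")
    return "\n".join(lines)


def acl_permits(acl_text, address):
    """True if any permit regex in the generated stanza matches address."""
    patterns = re.findall(r'permit = "([^"]+)"', acl_text)
    return any(re.search(p, address) for p in patterns)


def client_in_network(client_ip, configured):
    """do_auth-style check with the standard library instead of IPNetwork.

    If the configured value carries a '/', treat it as a network and test
    membership; otherwise fall back to an exact address comparison.
    """
    if "/" in configured:
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(
                configured, strict=False)
        except ValueError:
            # Malformed address or network: deny rather than guess.
            return False
    return client_ip == configured


if __name__ == "__main__":
    print(cidr_to_tacplus_acl("whatever", "10.0.0.8/29"))
```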


