[tac_plus] Adding a /29 network on acl

Daniel Schmidt daniel.schmidt at wyo.gov
Fri Apr 12 20:35:15 UTC 2013


Fairly easy with netaddr.  I might even finish this myself.

# Send IP,network
import logging
import sys

from netaddr import IPNetwork

log = logging.getLogger(__name__)

def match_net(net,net2):
    try:
        the_net = IPNetwork(net)
    except Exception:
        # log the raw argument: the_net is unbound if IPNetwork() raised
        log.critical("#*@& it, %s isn't valid IPNetwork" % net)
        sys.exit(1)
    try:
        the_net2 = IPNetwork(net2)
    except Exception:
        log.critical("#*@& it, %s isn't valid IPNetwork" % net2)
        sys.exit(1)
    return the_net in the_net2


-----Original Message-----
From: Alan McKinnon [mailto:alan.mckinnon at gmail.com]
Sent: Wednesday, April 10, 2013 3:40 PM
To: Daniel Schmidt
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Adding a /29 network on acl

I'm going to need that functionality myself in do_auth sometime soon[1] so
I might as well write this patch too and send it on to you if you don't
get there first.


[1] "soon" in this context is defined to be "once I've navigated the
political minefield of how each team wants their kit to work and who has
those rights" :-)



On 10/04/2013 23:35, Daniel Schmidt wrote:
> I was going to add this functionality to do_auth, but it would require
> everybody to install IPNetwork egg and I have been too busy to look
> into it.  Would not be hard to add / notation.  Something like: if
> (net.find '/' > -1) then try: the_net = IPNetwork(net), try: the_net2
> = IPNetwork(net2), return the_net == the_net2, except: print "#*(@,
> that should have worked".
>
> -----Original Message-----
> From: tac_plus-bounces at shrubbery.net
> [mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Alan McKinnon
> Sent: Wednesday, April 10, 2013 3:09 PM
> To: tac_plus at shrubbery.net
> Subject: Re: [tac_plus] Adding a /29 network on acl
>
> On 10/04/2013 21:58, Asif Iqbal wrote:
>> Hi All,
>>
>> I see example on /24 and /16 on tac_plus.conf(5). How would you add a
>> /29 for acl?
>>
>> Thanks
>>
>
> The short answer is that you don't :-(
>
> The ACL is not a network address so you cannot use any of the familiar
> network notations. It is a regex so you have to express it as a regex.
> And that depends highly on the addresses you are working with.
>
> Using for example 10.0.0.8/29, I would do this:
>
> acl = whatever {
> 	permit = "^10\.0\.0\.[89]$"
> 	permit = "^10\.0\.0\.1[012345]$"
> }
>
> Note how I used two lines, it just seems easier like that.
>
> Or, a /29 is just 8 lines, so maybe I would just list all 8
> individually and spare myself the pain of expanding the addresses and
> figuring out the regex.
>
> The long answer is that to do it right, you patch the code to be able
> to deal with addresses properly as addresses, announce your patch
> here, and legions of sysadmins will be eternally grateful.
>
>
> --
> Alan McKinnon
> alan.mckinnon at gmail.com
>
> _______________________________________________
> tac_plus mailing list
> tac_plus at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
>
> E-Mail to and from me, in connection with the transaction of public
> business, is subject to the Wyoming Public Records Act and may be
> disclosed to third parties.
>


--
Alan McKinnon
alan.mckinnon at gmail.com

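Added example (not code from the tac_plus project or from either poster) covering both points raised in the thread: Alan's answer that a tac_plus acl is a regex and a /29 must be expanded by hand, and Daniel's do_auth check that treats addresses as addresses. The first helper generalises the hand-written /29 expansion to any IPv4 prefix length and emits one anchored permit line per alternative, exactly as the two-line /29 example does; the second is the membership test written against the standard-library ipaddress module instead of the netaddr egg. Assumptions that are mine, not the page's: that tac_plus acl patterns accept anchors and bracket expressions (the page's own example uses both) but nothing else, so no alternation, grouping or counted repeats are generated; and that host bits in the CIDR must be zero, which is enforced with strict=True so a typo such as 10.0.0.9/29 is rejected rather than silently widened.

```python
import ipaddress
import itertools
import re


def _chunk(start, end, block):
    """Regex for the run start..end in which every value shares the leading
    digits of start // block, one digit varies, and block trailing digits
    (0-9 each) are free. Example: _chunk(200, 249, 10) -> '2[0-4][0-9]'."""
    d, e = start // block, end // block
    prefix = str(d)[:-1]                          # digits common to the run
    lo_digit, hi_digit = str(d)[-1], str(e)[-1]
    digit = lo_digit if lo_digit == hi_digit else "[%s-%s]" % (lo_digit, hi_digit)
    free = "[0-9]" * len(str(block)[1:])          # 1 -> '', 10 -> '[0-9]', 100 -> '[0-9][0-9]'
    return prefix + digit + free


def octet_patterns(lo, hi):
    """Bracket-expression-only regex alternatives matching the decimal integers
    lo..hi (0 <= lo <= hi <= 255) as written in a dotted quad, no leading zeros."""
    if not 0 <= lo <= hi <= 255:
        raise ValueError("octet range out of bounds: %d-%d" % (lo, hi))
    patterns = []
    # one digit-width at a time, so every pattern is fixed width
    for width_lo, width_hi in ((0, 9), (10, 99), (100, 255)):
        a, b = max(lo, width_lo), min(hi, width_hi)
        if a > b:
            continue
        max_block = 10 ** (len(str(b)) - 1)
        n = a
        while n <= b:
            block = 1                              # largest aligned power-of-10 run from n
            while (block * 10 <= max_block and n % (block * 10) == 0
                   and n + block * 10 - 1 <= b):
                block *= 10
            end = n + block - 1                    # extend while the leading digits stay equal
            while end + block <= b and (end + block) // (block * 10) == n // (block * 10):
                end += block
            patterns.append(_chunk(n, end, block))
            n = end + 1
    return patterns


def cidr_to_tacplus_permits(cidr):
    """Anchored regexes, one per permit line, that together match exactly the
    IPv4 addresses in cidr. Host bits must be zero (strict=True)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 networks expand to dotted-quad regexes")
    per_octet = []
    for lo, hi in zip(net.network_address.packed, net.broadcast_address.packed):
        per_octet.append([str(lo)] if lo == hi else octet_patterns(lo, hi))
    return ["^" + r"\.".join(combo) + "$" for combo in itertools.product(*per_octet)]


def tacplus_acl(name, cidr):
    """Render a tac_plus.conf acl block in the style of the /29 example above."""
    lines = ["acl = %s {" % name]
    lines += ['\tpermit = "%s"' % rx for rx in cidr_to_tacplus_permits(cidr)]
    lines.append("}")
    return "\n".join(lines)


def match_net(ip, cidr):
    """Address-as-address membership test for a do_auth-style check, stdlib
    only. Raises ValueError on bad input so the caller chooses how to fail."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def self_check():
    """Cross-check the generated permit lines against brute-force enumeration
    for a few constructed prefixes: every address inside must match some line,
    the two addresses just outside must match none."""
    for cidr in ("10.0.0.8/29", "10.0.0.0/24", "192.168.1.128/25", "172.16.0.0/23"):
        net = ipaddress.ip_network(cidr)
        compiled = [re.compile(rx) for rx in cidr_to_tacplus_permits(cidr)]
        for a in net:
            if not any(c.match(str(a)) for c in compiled):
                return False
        for a in (net.network_address - 1, net.broadcast_address + 1):
            if any(c.match(str(a)) for c in compiled):
                return False
    return True


if __name__ == "__main__":
    print(tacplus_acl("whatever", "10.0.0.8/29"))
    print(match_net("10.0.0.12", "10.0.0.8/29"), match_net("10.0.0.16", "10.0.0.8/29"))
    print("self-check:", self_check())
```

For 10.0.0.8/29 this prints the same two permit lines as the hand-written block (`^10\.0\.0\.[8-9]$` and `^10\.0\.0\.1[0-5]$`); a /24 becomes five lines because 0-255 cannot be written as one bracket expression without alternation, and a /16 becomes twenty-five. The self_check() is the check worth running before pasting generated lines into tac_plus.conf, since an off-by-one in a regex silently permits or denies a whole run of addresses.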