
Mailing List Archive: RANCID: Users

xrrancid destroys ipv[46] ACLs

 

 



erik at code

Jan 10, 2012, 8:41 AM

Post #1 of 6 (138 views)
Permalink
xrrancid destroys ipv[46] ACLs

regardless of setting ACLSORT in rancid.conf xrrancid is sorting an ACL like:
---snip---
#sh ipv4 access-lists eriktest-v4
ipv4 access-list eriktest-v4
1 remark erik
10 remark tests
100 remark acls
1000 deny ipv4 any any
#sh ipv6 access-lists eriktest
ipv6 access-list eriktest
1 remark erik
10 remark tests
100 remark acls
1000 deny ipv6 any any
---snip---
to:
---snip---
[…]
deny ipv6 any any
ipv6 access-list eriktest
1 remark erik
10 remark tests
100 remark acls
[…]
!
deny ipv4 any any
ipv4 access-list eriktest-v4
1 remark erik
10 remark tests
100 remark acls
!
[…]
---snip---
… in rancid backup. This is completely useless. This can't be used in case of
recovery. I urge everyone who uses xrrancid and sequence numbers to verify their
ACLs in CVS. My workaround is to comment out line 1022-1037. Can someone who is
using IOS-XR in this setup confirm this behavior?


xrrancid version string: $Id: xrrancid.in 2264 2010-11-04 23:35:17Z heas $

--
Erik Wenzel
erik [at] code




_______________________________________________
Rancid-discuss mailing list
Rancid-discuss [at] shrubbery
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
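An added example, not part of the original thread or of RANCID: a Python check for the damage shown in this post, flagging permit/deny lines that sit outside any `ipv4`/`ipv6 access-list` block and ACLs left with no rules. The helper name `audit_acls`, the one-space indentation, and the treatment of `!` or any other line as the end of an ACL block are assumptions; the sample configs are constructed from the snippets in the post.

```python
import re

# Constructed sample: the damaged backup from the post (indentation assumed).
MANGLED = """\
 deny ipv6 any any
ipv6 access-list eriktest
 1 remark erik
 10 remark tests
 100 remark acls
!
 deny ipv4 any any
ipv4 access-list eriktest-v4
 1 remark erik
 10 remark tests
 100 remark acls
!
"""
# Constructed sample: the IPv4 ACL as the router prints it.
INTACT = """\
ipv4 access-list eriktest-v4
 1 remark erik
 10 remark tests
 100 remark acls
 1000 deny ipv4 any any
!
"""

HEADER = re.compile(r"^(ipv[46]) access-list (\S+)\s*$")
ENTRY = re.compile(r"^\s*(?:\d+\s+)?(permit|deny|remark)\b")

def audit_acls(config_text):
    """Hypothetical helper: return (orphans, ruleless) for a saved config."""
    orphans, rules, current = [], {}, None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        header = HEADER.match(line)
        entry = ENTRY.match(line)
        if header:
            current = " ".join(header.groups())
            rules[current] = 0
        elif not entry:
            current = None  # "!" or any other line ends the ACL block
        elif entry.group(1) != "remark":
            if current is None:
                orphans.append((lineno, line.strip()))  # rule with no ACL above it
            else:
                rules[current] += 1
    return orphans, [name for name, count in rules.items() if count == 0]

if __name__ == "__main__":
    for label, text in (("mangled", MANGLED), ("intact", INTACT)):
        print(label, audit_acls(text))
```

Run over each checked-out router file, a non-empty result in either list means the stored ACL no longer matches what the device would accept back.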


heas at shrubbery

Jan 10, 2012, 9:36 AM

Post #2 of 6 (135 views)
Permalink
Re: xrrancid destroys ipv[46] ACLs [In reply to]

Tue, Jan 10, 2012 at 05:41:26PM +0100, Erik Wenzel:
> regardless of setting ACLSORT in rancid.conf xrrancid is sorting an ACL like:
> ---snip---
> #sh ipv4 access-lists eriktest-v4
> ipv4 access-list eriktest-v4
> 1 remark erik
> 10 remark tests
> 100 remark acls
> 1000 deny ipv4 any any
> #sh ipv6 access-lists eriktest
> ipv6 access-list eriktest
> 1 remark erik
> 10 remark tests
> 100 remark acls
> 1000 deny ipv6 any any
> ---snip---
> to:
> ---snip---
> […]
> deny ipv6 any any
> ipv6 access-list eriktest
> 1 remark erik
> 10 remark tests
> 100 remark acls
> […]
> !
> deny ipv4 any any
> ipv4 access-list eriktest-v4
> 1 remark erik
> 10 remark tests
> 100 remark acls
> !
> […]
> ---snip---
> … in rancid backup. This is completely useless. This can't be used in case of
> recovery. I urge everyone who uses xrrancid and sequence numbers to verify their
> ACLs in CVS. My workaround is to comment out line 1022-1037. Can someone who is
> using IOS-XR in this setup confirm this behavior?

i'm not sure if i understand what the behavior is that you are trying to
describe. could you explain in more detail?

>
> xrrancid version string: $Id: xrrancid.in 2264 2010-11-04 23:35:17Z heas $


erik at code

Jan 10, 2012, 10:52 AM

Post #3 of 6 (134 views)
Permalink
Re: xrrancid destroys ipv[46] ACLs [In reply to]

On 10.01.2012 at 18:36, heasley wrote:

> Tue, Jan 10, 2012 at 05:41:26PM +0100, Erik Wenzel:
>> regardless of setting ACLSORT in rancid.conf xrrancid is sorting an ACL like:
>> ---snip---
>> #sh ipv4 access-lists eriktest-v4
>> ipv4 access-list eriktest-v4
>> 1 remark erik
>> 10 remark tests
>> 100 remark acls
>> 1000 deny ipv4 any any
>> #sh ipv6 access-lists eriktest
>> ipv6 access-list eriktest
>> 1 remark erik
>> 10 remark tests
>> 100 remark acls
>> 1000 deny ipv6 any any
>> ---snip---
>> to:
>> ---snip---
>> […]
>> deny ipv6 any any
>> ipv6 access-list eriktest
>> 1 remark erik
>> 10 remark tests
>> 100 remark acls
>> […]
>> !
>> deny ipv4 any any
>> ipv4 access-list eriktest-v4
>> 1 remark erik
>> 10 remark tests
>> 100 remark acls
>> !
>> […]
>> ---snip---
>> … in rancid backup. This is completely useless. This can't be used in case of
>> recovery. I urge everyone who uses xrrancid and sequence numbers to verify their
>> ACLs in CVS. My workaround is to comment out line 1022-1037. Can someone who is
>> using IOS-XR in this setup confirm this behavior?
>
> i'm not sure if i understand what the behavior is that you are trying to
> describe. could you explain in more detail?
I want a working configuration backup. As you can see in the second snippet above the ACL is crippled. I extracted it from the checked out file from CVS. Why does xrrancid mess around with ACLs? I set ACLSORT to NO and still some code (line 1022-1037 in xrrancid) removes sequence numbers lines containing allow or deny from configuration. Is there a use case I do not see?

>
>>
>> xrrancid version string: $Id: xrrancid.in 2264 2010-11-04 23:35:17Z heas $


heas at shrubbery

Jan 10, 2012, 11:40 AM

Post #4 of 6 (134 views)
Permalink
Re: xrrancid destroys ipv[46] ACLs [In reply to]

Tue, Jan 10, 2012 at 07:52:14PM +0100, Erik Wenzel:
>
> On 10.01.2012 at 18:36, heasley wrote:
>
> > Tue, Jan 10, 2012 at 05:41:26PM +0100, Erik Wenzel:
> >> regardless of setting ACLSORT in rancid.conf xrrancid is sorting an ACL like:
> >> ---snip---
> >> #sh ipv4 access-lists eriktest-v4
> >> ipv4 access-list eriktest-v4
> >> 1 remark erik
> >> 10 remark tests
> >> 100 remark acls
> >> 1000 deny ipv4 any any
> >> #sh ipv6 access-lists eriktest
> >> ipv6 access-list eriktest
> >> 1 remark erik
> >> 10 remark tests
> >> 100 remark acls
> >> 1000 deny ipv6 any any
> >> ---snip---
> >> to:
> >> ---snip---
> >> […]
> >> deny ipv6 any any
> >> ipv6 access-list eriktest
> >> 1 remark erik
> >> 10 remark tests
> >> 100 remark acls
> >> […]
> >> !
> >> deny ipv4 any any
> >> ipv4 access-list eriktest-v4
> >> 1 remark erik
> >> 10 remark tests
> >> 100 remark acls
> >> !
> >> […]
> >> ---snip---
> >> … in rancid backup. This is completely useless. This can't be used in case of
> >> recovery. I urge everyone who uses xrrancid and sequence numbers to verify their
> >> ACLs in CVS. My workaround is to comment out line 1022-1037. Can someone who is
> >> using IOS-XR in this setup confirm this behavior?
> >
> > i'm not sure if i understand what the behavior is that you are trying to
> > describe. could you explain in more detail?
> I want a working configuration backup. As you can see in the second snippet above the ACL is crippled. I extracted it from the checked out file from CVS. Why does xrrancid mess around with ACLs? I set ACLSORT to NO and still some code (line 1022-1037 in xrrancid) removes sequence numbers lines containing allow or deny from configuration. Is there a use case I do not see?

removing the sequence numbers is intentional - they're useless and cause diffs
that obscure what actually changed. removing sequence numbers does not render
the config for restoration.

ACLSORT does not affect the removal of the sequence numbers, which you already
know.

but, i now understand the behavior and i'll fix it.

> >
> >>
> >> xrrancid version string: $Id: xrrancid.in 2264 2010-11-04 23:35:17Z heas $


erik at code

Jan 11, 2012, 2:11 AM

Post #5 of 6 (129 views)
Permalink
Re: xrrancid destroys ipv[46] ACLs [In reply to]

On 10.01.2012 at 20:40, heasley wrote:

> Tue, Jan 10, 2012 at 07:52:14PM +0100, Erik Wenzel:
>>
>> On 10.01.2012 at 18:36, heasley wrote:
>>
>>> Tue, Jan 10, 2012 at 05:41:26PM +0100, Erik Wenzel:
>>>> regardless of setting ACLSORT in rancid.conf xrrancid is sorting an ACL like:
>>>> ---snip---
>>>> #sh ipv4 access-lists eriktest-v4
>>>> ipv4 access-list eriktest-v4
>>>> 1 remark erik
>>>> 10 remark tests
>>>> 100 remark acls
>>>> 1000 deny ipv4 any any
>>>> #sh ipv6 access-lists eriktest
>>>> ipv6 access-list eriktest
>>>> 1 remark erik
>>>> 10 remark tests
>>>> 100 remark acls
>>>> 1000 deny ipv6 any any
>>>> ---snip---
>>>> to:
>>>> ---snip---
>>>> […]
>>>> deny ipv6 any any
>>>> ipv6 access-list eriktest
>>>> 1 remark erik
>>>> 10 remark tests
>>>> 100 remark acls
>>>> […]
>>>> !
>>>> deny ipv4 any any
>>>> ipv4 access-list eriktest-v4
>>>> 1 remark erik
>>>> 10 remark tests
>>>> 100 remark acls
>>>> !
>>>> […]
>>>> ---snip---
>>>> … in rancid backup. This is completely useless. This can't be used in case of
>>>> recovery. I urge everyone who uses xrrancid and sequence numbers to verify their
>>>> ACLs in CVS. My workaround is to comment out line 1022-1037. Can someone who is
>>>> using IOS-XR in this setup confirm this behavior?
>>>
>>> i'm not sure if i understand what the behavior is that you are trying to
>>> describe. could you explain in more detail?
>> I want a working configuration backup. As you can see in the second snippet above the ACL is crippled. I extracted it from the checked out file from CVS. Why does xrrancid mess around with ACLs? I set ACLSORT to NO and still some code (line 1022-1037 in xrrancid) removes sequence numbers lines containing allow or deny from configuration. Is there a use case I do not see?
>
> removing the sequence numbers is intentional - they're useless and cause diffs
> that obscure what actually changed. removing sequence numbers does not render
> the config for restoration.
Intentional? You do not expect an unchanged backup of your configuration from a rancid user point of view? I do. In my case I need exactly the same sequence number in the backup, because there is a meaning in each.

>
> ACLSORT does not affect the removal of the sequence numbers, which you already
> know.
>
> but, i now understand the behavior and i'll fix it.
If that fix means that the removal of sequence numbers depends on an ACLSORT=YES ...
I think it is not an obvious solution, but it is one. Which is fine with me.

--
Erik Wenzel
erik [at] code






jward at nero

Jan 19, 2012, 1:30 PM

Post #6 of 6 (116 views)
Permalink
Re: xrrancid destroys ipv[46] ACLs [In reply to]

Hey Erik,

I just subscribed to the list here. I already fixed the problem in xrrancid
where it clobbers ACLs. I haven't tested it with v6 yet but I know that it works
for ipv4 ACLs.

My patch also adds an option in rancid.conf that looks for an option
STRIPACLSEQ=yes or no. If this is set to yes it will remove the ACL sequence
numbers on IOS XR.

I'm still working on the ACL sorting with this. The way I want it to work is
to sort the ACLs in blocks based on remarks in the ACL if they are present.
I don't have that working yet (and would love a hand on that if anyone is
willing!). I'll post another patch when I have that working.

-Josh

Here is a patch to rancid 2.3.6 that will fix what you were seeing.

diff --git a/bin/xrrancid.in b/bin/xrrancid.in
index 8481828..031e014 100644
--- a/bin/xrrancid.in
+++ b/bin/xrrancid.in
@@ -67,6 +67,7 @@ my($aclsort) = ("ipsort"); # ACL sorting mode
my($config_register); # configuration register value
my($filter_commstr); # SNMP community string filtering
my($filter_pwds); # password filtering mode
+my ($aclstripseq); # Strip ACL sequence numbers

# This routine is used to print out the router configuration
sub ProcessHistory {
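Review bot: the new `my ($aclstripseq);` declaration carries no default, unlike `my($aclsort) = ("ipsort")` just above it, yet WriteTerm later tests it with `== 0` and `== 1`. Initialise it to 0 at the declaration so both comparisons are defined wherever the ACLSTRIPSEQ parsing has not run, and match the `my($var)` spacing of the neighbouring declarations.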
@@ -1026,11 +1027,21 @@ sub WriteTerm {
while (<INPUT>) {
tr/\015//d;
last if (/^$prompt/ || /^\S/);
- if (/^\s+(\d+) (permit|deny) /) {
- ProcessHistory("ACL $nlri $key","keysort","$2"," $2 $'");
- } else {
- ProcessHistory("ACL $nlri $key","keysort","$key","$_");
- }
+ if (/^\s+(\d+) (permit|deny)/ || /^\s(\d+) (remark.*)$/) {
+ if ($aclstripseq == 0) {
+ ProcessHistory("ACL $1 $nlri $key","$aclsort","$2"," $1 $2 $'")
+ }
+ if ($aclstripseq == 1) {
+ ProcessHistory("ACL $nlri $key","$aclsort","$2"," $2 $'");
+ }
+ } else {
+ if ($aclstripseq == 0) {
+ ProcessHistory("ACL $1 $nlri $key","$aclsort","$key","$1 $_");
+ }
+ if ($aclstripseq == 1) {
+ ProcessHistory("ACL $nlri $key","$aclsort","$key"," $_");
+ }
+ }
}
}
# order arp lists
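Review bot: in the `else` branch neither pattern matched the current line, so `$1` in `"ACL $1 $nlri $key"` and `"$1 $_"` is not set by it; Perl keeps the capture from the last successful match, so a stale sequence number from an earlier line can leak into both the key and the stored text. Drop `$1` from that branch. In the matching branch, the `permit|deny` pattern lost its trailing space, so `" $1 $2 $'"` now emits a doubled space, and the remark alternative anchors on `^\s` where the permit/deny one uses `^\s+`; folding both into one pattern would keep them consistent. The paired `if ($aclstripseq == 0)` / `if ($aclstripseq == 1)` tests read more clearly as a single if/else, and the first `ProcessHistory(...)` call is missing its terminating semicolon.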
@@ -1245,6 +1256,17 @@ if ($file) {
if ($ENV{"ACLSORT"} =~ /no/i) {
$aclsort = "";
}
+# determine if we want to strip ACL sequence numbers
+if ($ENV{"ACLSTRIPSEQ"} =~ /yes/i) {
+ $aclstripseq = 1;
+}
+else {
+ # If you are not stripping ACL sequence numbers
+ # you cannot sort ACLs
+ $aclstripseq = 0;
+ $aclsort = "";
+}
+
# determine community string filtering mode
if (defined($ENV{"NOCOMMSTR"}) &&
($ENV{"NOCOMMSTR"} =~ /yes/i || $ENV{"NOCOMMSTR"} =~ /^$/)) {
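Review bot: the variable read here is `ACLSTRIPSEQ`, while the message accompanying the patch names the option `STRIPACLSEQ`; settle on one spelling and document it with the other rancid.conf options. The `else` branch also clears `$aclsort` whenever ACLSTRIPSEQ is anything other than yes, so an install that never sets the new variable silently loses ACL sorting regardless of its ACLSORT setting; that change of default deserves a note in the commit message or a different default. Finally, `$ENV{"ACLSTRIPSEQ"} =~ /yes/i` is applied without the `defined(...)` guard that the NOCOMMSTR test directly below uses.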