[quagga-dev 10039] Re: access-list and prefix-list semantics

Nick Hilliard nick at inex.ie
Tue Nov 27 21:18:26 GMT 2012


On 25/11/2012 10:34, 'Chris Hall' wrote:
> If I:
> 
>   ...> ip prefix-list 1 deny 10.0.0.0/8
> 
> I get an error message:
> 
>   % Insertion failed -- prefix-list entry exists:
>     seq 5 deny 10.0.0.0/8
> 
> Mind you, if I:
> 
>   ...> ip prefix-list 1 seq 5 deny 10.0.0.0/8
> 
> and the result is: no change to the prefix-list and no error/warning
> message or anything.
> 
> Is there some good reason for this inconsistency ?  Does it matter at
> all ?

I don't think it's particularly important to be honest.

> It is clearly a mistake to have two entries which are the same... not
> least because otherwise "no ip prefix-list ..." would then be
> ambiguous.

Yeah, you can't have that in a prefix list because the intention is that
they are searched using a trie lookup.  Duplicates would be contrary to the
semantics of what they are trying to achieve.

> Now, if you have:
> 
>   access-list 1 deny host 10.0.0.0
>   access-list 1 permit host 11.0.0.0
> 
> and you say:
> 
>   ...> access-list 1 permit host 10.0.0.0
> 
> that currently gives:
> 
>   access-list 1 deny host 10.0.0.0
>   access-list 1 permit host 11.0.0.0
>   access-list 1 permit host 10.0.0.0
> 
> which doesn't make a lick of sense.

Yes, but I don't really think this is a problem.  An access list is an
ordered list of prefixes.  If you deny a prefix/host in one stanza and then
permit it in the next, so what?  I don't really think it's quagga's job to
optimise access-lists, because fixing your statement is dealing with a
subset of an access list optimisation procedure.  Quagga probably shouldn't
go there.

>  The prefix-list behaviour is the
> same in this case -- with or without sequence numbers.
> 
> With sequence numbers, the prefix-list stuff allows prefix-list entry
> seq=11 (say) to be completely replaced (provided the result would not
> be the same as an existing entry), but this rule prevents renumbering
> of an entry, for example if you have:
> 
>   prefix-list 1 seq 5 deny 10.0.0.0/8
>   prefix-list 1 seq 11 deny 11.0.0.0/8
> 
> and you say:
> 
>   ...> access-list 10 deny host 11.0.0.0/8
> 
> you will get an error message.

Do you mean "prefix-list 1" instead of "access-list 10" here?

This should probably give an error: "host 11.0.0.0/8" doesn't make any sense.

> Are there any general principles to indicate what these things should
> do ?
> 
> I cannot help feeling there should be some consistency, at least !

I'm not completely sure that there's a problem, other than the issue with
the default seq number failing in the first example you gave.  That looks a
little odd, but everything else looks ok to me.

Nick
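The two insertion behaviours compared in this exchange, modelled as an added Python example (not Quagga code, and not from either poster). It assumes first-match evaluation, exact-prefix matching with no ge/le, a default seq of highest-plus-5 (5 on an empty list, as in the quoted error), and deny when nothing matches; the `dead_entries` check flags the access-list case described above, where a later `permit host 10.0.0.0` can never be reached.

```python
# Added toy model of the list semantics discussed in this thread, not Quagga
# code. Assumed (not stated in the thread): first matching entry wins, entries
# match a prefix exactly (no ge/le), unnumbered insert = highest seq + 5.
from ipaddress import ip_network


def first_match(entries, prefix):
    """entries: iterable of (action, network) in evaluation order."""
    net = ip_network(prefix)
    return next((act for act, n in entries if n == net), "deny")


class PrefixList:
    def __init__(self):
        self.entries = {}  # seq -> (action, network)

    def add(self, action, prefix, seq=None):
        entry = (action, ip_network(prefix))
        if seq is not None and self.entries.get(seq) == entry:
            return "unchanged"  # same seq, same content: silent no-op
        if entry in self.entries.values():
            # duplicate under the default seq, or an attempt to renumber an entry
            raise ValueError(f"Insertion failed -- prefix-list entry exists: {entry}")
        if seq is None:
            seq = max(self.entries, default=0) + 5
        verb = "replaced" if seq in self.entries else "added"
        self.entries[seq] = entry
        return verb

    def lookup(self, prefix):
        return first_match((self.entries[s] for s in sorted(self.entries)), prefix)


class AccessList:
    def __init__(self):
        self.entries = []  # (action, network) in configuration order

    def add(self, action, prefix):
        self.entries.append((action, ip_network(prefix)))  # accepted as typed

    def lookup(self, prefix):
        return first_match(self.entries, prefix)

    def dead_entries(self):
        """Indexes of entries that an earlier entry for the same prefix shadows."""
        seen, dead = set(), []
        for i, (_, net) in enumerate(self.entries):
            if net in seen:
                dead.append(i)
            seen.add(net)
        return dead
```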
