[rancid] Re: 2.3.2.a5: Make ACL sorting configurable

Michael Stefaniuc mstefani at redhat.com
Tue Sep 26 09:30:24 UTC 2006

john heasley wrote:
> Thu, Sep 21, 2006 at 03:06:50PM +0200, Michael Stefaniuc:
>>the attached patch makes the ACL sorting configurable. Default is to
>>still sort the ACLs but this rancid "feature" can now be disabled
>>easily. The patch implements this only for "cisco" type devices as this
>>is what I cared most for now.
>>Copyright and license are whatever is needed to make this patch go
>>into the main rancid package.
> I do not see what is wrong with the sorting?  David LaPorte pointed out that
> if the order of statements on the router changed, he would not receive the
> diffs, but the order should not matter and the end result be the same.  The
> sorting should only affect lines with the same name (ACL name or number) and
> action (permit/deny/remark).
As others have pointed out, it could be a performance problem on devices
with heavy traffic and long permit/deny blocks of ACL rules. I doubt we
are affected by this as we have quite a few comments in our ACLs.

> So, is this just distaste or am I being dense and missing the problem?  An
> example of the problem, please.
I wouldn't call it distaste, more like following the principle of the
least surprise.

We use the configs saved by rancid for recovery purposes but also for
people (even the Network Group) to quickly check the config of a device.
It happened a couple of times that I looked first at the saved config
and then at the ACLs directly on the router and I went "WTF, did
somebody change the ACL in the meantime?". Validating that the
differences are only rancid's ACL sorting takes time and distracts from
the work one needed to do. And I _know_ about rancid's ACL sorting but
my colleagues have probably forgotten about it.

And some people are picky about "their" ACLs and don't like something
messing with those. This is the second ACL sorting discussion I have
seen on this list and I'm subscribed only for a year now.
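
Added example (not part of the original message, and not rancid's own code): a small check for the situation described above, deciding whether a saved config and the live device config differ only by ACL line ordering. It assumes IOS-style "access-list <name> <action> ..." lines and assumes sorting is applied to runs of adjacent lines with the same name and action; all names and sample data are constructed.

```python
import re
from itertools import groupby

# IOS-style "access-list <name|number> <action> ..." line (assumed format).
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny|remark)\b")

def acl_key(line):
    """Return (name, action) for an ACL line, None for anything else."""
    m = ACL_RE.match(line)
    return (m.group(1), m.group(2)) if m else None

def normalize(config):
    """Sort each run of adjacent lines that share ACL name and action."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    out = []
    for key, run in groupby(lines, key=acl_key):
        run = list(run)
        # Non-ACL lines (key is None) keep their original order.
        out.extend(sorted(run) if key else run)
    return out

def only_sorting_differs(saved, device):
    """True when both configs are equal once same-action runs are sorted."""
    return normalize(saved) == normalize(device)

# Constructed sample data, not taken from a real device.
DEVICE = """\
access-list 10 permit 10.2.0.0 0.0.255.255
access-list 10 permit 10.1.0.0 0.0.255.255
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit any
"""
# Same ACL as a sorting collector would store it.
SAVED = """\
access-list 10 permit 10.1.0.0 0.0.255.255
access-list 10 permit 10.2.0.0 0.0.255.255
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit any
"""
# A real change: the deny now precedes the permits it used to follow.
CHANGED = """\
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit 10.1.0.0 0.0.255.255
access-list 10 permit 10.2.0.0 0.0.255.255
access-list 10 permit any
"""

if __name__ == "__main__":
    print(only_sorting_differs(SAVED, DEVICE))   # ordering noise only
    print(only_sorting_differs(SAVED, CHANGED))  # genuine ACL change
```

Because runs are bounded by a change of action, moving a deny across permits is still reported as a real difference rather than hidden by the normalization.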

