Re: [netmod] ACL draft issues found during shepherd writeup

Tue, 27 Feb 2018 09:14:46 -0800 

Guys,

Before we start proposing whole set of changes, please verify that the model is 
not doing what it was supposed to. The only difference between the changes 
below and what is in the model is that instead of it being a repeat for source 
and destination ports, the code below exists as a grouping.

Cheers.

> On Feb 27, 2018, at 3:01 AM, Einar Nilsen-Nygaard (einarnn) 
> <eina...@cisco.com> wrote:
> 
> What Kristian and I discussed, what Sonal and I had discussed, and what I 
> thought we had accepted as a proposed change was something like:
> 
>     choice source-port-range-or-operator {
>       case range {
>         leaf source-port-lower {
>           type inet:port-number;
>           must ". <= ../source-port-upper" {
>             error-message
>               "The source-port-lower must be less than or equal to
>                source-port-upper";
>           }
>           mandatory true;
>           description
>             "Lower boundary for port.";
>         }
>         leaf source-port-upper {
>           type inet:port-number;
>           mandatory true;
>           description
>             "Lower boundary for port.";
>         }
>       }
>       case operator {
>         leaf source-operator {
>           type operator;
>           mandatory true;
>         }
>         leaf source-port {
>           type inet:port-number;
>           mandatory true;
>           description
>             "Port value to match.";
>         }
>       }
>     }
> 
> …and with the same pattern for the destination. The type “operator” was 
> defined as:
> 
>   typedef operator {
>     type enumeration {
>       enum lte {
>         description
>           "Less than or equal to.";
>       }
>       enum gte {
>         description
>           "Greater than or equal to.";
>       }
>       enum eq {
>         description
>           "Equal to.";
>       }
>       enum neq {
>         description
>           "Not equal to.";
>       }
>     }
> 
> Cheers,
> 
> Einar
> 
> 
>> On 27 Feb 2018, at 09:20, Eliot Lear <l...@cisco.com 
>> <mailto:l...@cisco.com>> wrote:
>> 
>> This edit doesn't seem correct to me because now we have a choice with a 
>> single case, with range having been removed.  Can we please revert and 
>> proceed?
>> 
>> On 26.02.18 20:24, Mahesh Jethanandani wrote:
>>> A pull request to address LC, shepherd, this and the other comments, 
>>> including derived-from(), can be reviewed here:
>>> 
>>> https://github.com/netmod-wg/acl-model/pull/24 
>>> <https://github.com/netmod-wg/acl-model/pull/24>
>>> 
>>> Thanks.
>>> 
>>>> On Feb 26, 2018, at 12:15 AM, Eliot Lear <l...@cisco.com 
>>>> <mailto:l...@cisco.com>> wrote:
>>>> 
>>>> 
>>>> 
>>>> On 26.02.18 06:55, Mahesh Jethanandani wrote:
>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>>  PS: And this is not a shepherd directive, but I found the whole 
>>>>>>>      "source-port-range-or-operator" syntax clumsy.  I'm surprised
>>>>>>>      it didn't look something like:
>>>>>>> 
>>>>>>>          OLD
>>>>>>>                <source-port-range-or-operator>
>>>>>>>                   <port-range-or-operator>
>>>>>>>                     <range>
>>>>>>>                       <lower-port>16384</lower-port>
>>>>>>>                       <upper-port>65535</upper-port>
>>>>>>>                     </range>
>>>>>>>                   </port-range-or-operator>
>>>>>>>                </source-port-range-or-operator>
>>>>>>> 
>>>>>>>                <source-port-range-or-operator>
>>>>>>>                  <port-range-or-operator>
>>>>>>>                    <operator>
>>>>>>>                      <operator>eq</operator>
>>>>>>>                      <port>21</port>
>>>>>>>                    </operator>
>>>>>>>                  </port-range-or-operator>
>>>>>>>                </source-port-range-or-operator>
>>>>>>> 
>>>>>>>          NEW
>>>>>>> 
>>>>>>>                <source-port>
>>>>>>>                  <range>
>>>>>>>                    <lower>16384</lower>
>>>>>>>                    <upper>65535</upper>
>>>>>>>                  </range>
>>>>>>>                </source-port>
>>>>>>> 
>>>>>>>                <source-port>
>>>>>>>                  <operator>
>>>>>>>                    <operator>eq</operator>
>>>>>>>                    <port>21</port>
>>>>>>>                  </operator>
>>>>>>>                </source-port>
>>>>>>> 
>>>>>>  
>>>>>> Did you try making the change in the model to see if it work? It will 
>>>>>> complain that <range> is already used within the container and that it 
>>>>>> cannot be repeated (for destination-port).
>>>>>> 
>>>>>> <KENT> No, I did not, nor do I intend to get that deep into it.  But I 
>>>>>> recall that Kristian made the same comment before, and was making pull 
>>>>>> requests before, so maybe he can suggest something?
>>>>> 
>>>>> Kristian’s suggestion requires changing the module. It is not an 
>>>>> editorial change. And that change will have an impact on the MUD draft, 
>>>>> which has been sent for publication. 
>>>>> 
>>>> 
>>>> As it happens, we found a bug in our augment statements, and so we will 
>>>> need to rev one more time.  If the change can be made quickly, I can live 
>>>> with it.
>>>> 
>>>> Eliot
>>> 
>>> Mahesh Jethanandani
>>> mjethanand...@gmail.com <mailto:mjethanand...@gmail.com>
>> 
>> _______________________________________________
>> netmod mailing list
>> netmod@ietf.org <mailto:netmod@ietf.org>
>> https://www.ietf.org/mailman/listinfo/netmod 
>> <https://www.ietf.org/mailman/listinfo/netmod>
> 

Mahesh Jethanandani
mjethanand...@gmail.com


_______________________________________________
netmod mailing list
netmod@ietf.org
https://www.ietf.org/mailman/listinfo/netmod

Reply via email to