[bind10-dev] ACL Syntax proposal

Shane Kerr shane at isc.org
Mon May 30 14:23:21 UTC 2011


Evan,

On Sat, 2011-05-28 at 20:40 +0000, Evan Hunt wrote:
> > Or, we could come up with one extra composition modifier, which would
> > allow this kind of chaining, which people could use if they really wanted
> > (and it would answer yes/no for itself and the chain could be included in
> > further logic processing), something like this:
> > 
> > {
> >   "CHAIN": [
> >     {"ACCEPT-IF": {"ip": "132.147.67.16"}},
> >     {"DENY-IF": {"ip": "132.147.67.0/24"}},
> >     {"ACCEPT-IF": {"ip": "132.147.0.0/16"}},
> >     "DENY"
> >   ],
> >   "TSIG": ["tsig1", "tsig2"]
> > }
> 
> I like this!  Best of both worlds.  (I might call it "FIRST-MATCH" or
> just "FIRST", rather than "CHAIN", to clarify the sequential nature of
> the rules, but that's a syntactic quibble.)

Speaking of syntactic quibbles...

I like the "ACCEPT-IF" and "DENY-IF" keywords, but I am a little nervous
about the "AND"/"OR"/"NOT" names as prefix operators. 

Maybe it's just me, but my brain tends to work infix (not enough time
with a stack-based calculator or coding LISP perhaps). However, this can
probably be overcome by changing the names to something that is
naturally prefix:

"AND" -> "ALL-OF"
"OR"  -> "ANY-OF"
"NOT" -> "NONE-OF" 

I realize the "NONE-OF" is not the same as "NOT"... perhaps "NOT" must
stay?
 
--
Shane
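To make the semantics under discussion concrete, here is a small evaluator for the proposed syntax. This is an added example written for this page, not BIND 10 code and not anything posted in the thread. It assumes: a "CHAIN" is evaluated in order and the first rule that reaches a decision wins; "ACCEPT-IF"/"DENY-IF" decide only when their predicate matches; bare "ACCEPT"/"DENY" always decide; sibling keys inside a predicate object are ANDed; "ALL-OF", "ANY-OF" and "NOT" are the prefix compositions named above; "TSIG" is a predicate that matches when the request's key name is in the list (the quoted example does not define it, so that reading is an assumption); and an ACL that reaches no decision falls back to a default of deny.

```python
"""Toy evaluator for the ACL composition syntax discussed in this thread.

Added example, not BIND 10 code. All semantics below are assumptions
made for illustration (see the lead-in text).
"""
import ipaddress

# Base predicates: name -> function(spec, request) -> bool.
def _match_ip(spec, request):
    # spec is a single address or a CIDR prefix; strict=False tolerates host bits set.
    return ipaddress.ip_address(request["ip"]) in ipaddress.ip_network(spec, strict=False)

def _match_tsig(spec, request):
    # Assumption: matches when the request's TSIG key name is one of the listed names.
    return request.get("tsig") in spec

PREDICATES = {"ip": _match_ip, "TSIG": _match_tsig}

def evaluate_predicate(pred, request):
    """Return True if the predicate object matches the request.

    A predicate is a non-empty dict; sibling keys are ANDed. Each key is a
    base predicate (ip, TSIG) or a composition: ALL-OF / ANY-OF take a list
    of predicates, NOT takes a single predicate.
    """
    if not isinstance(pred, dict) or not pred:
        raise ValueError("predicate must be a non-empty object: %r" % (pred,))
    for key, spec in pred.items():
        if key == "ALL-OF":
            ok = all(evaluate_predicate(p, request) for p in spec)
        elif key == "ANY-OF":
            ok = any(evaluate_predicate(p, request) for p in spec)
        elif key == "NOT":
            ok = not evaluate_predicate(spec, request)
        elif key in PREDICATES:
            ok = PREDICATES[key](spec, request)
        else:
            raise ValueError("unknown predicate %r" % (key,))
        if not ok:
            return False
    return True

def evaluate_rule(rule, request):
    """Return "ACCEPT", "DENY", or None when the rule makes no decision."""
    if rule in ("ACCEPT", "DENY"):
        return rule
    if not isinstance(rule, dict) or len(rule) != 1:
        raise ValueError("rule must be ACCEPT, DENY or a single-key object: %r" % (rule,))
    (key, body), = rule.items()
    if key == "CHAIN":
        # First rule that reaches a decision wins; fall through otherwise.
        for sub in body:
            decision = evaluate_rule(sub, request)
            if decision is not None:
                return decision
        return None
    if key == "ACCEPT-IF":
        return "ACCEPT" if evaluate_predicate(body, request) else None
    if key == "DENY-IF":
        return "DENY" if evaluate_predicate(body, request) else None
    raise ValueError("unknown rule keyword %r" % (key,))

def check(acl, request, default="DENY"):
    """Top-level entry point: apply the default when no rule decides."""
    decision = evaluate_rule(acl, request)
    return default if decision is None else decision

# The first-match chain from the quoted proposal (addresses as given there).
CHAIN_ACL = {
    "CHAIN": [
        {"ACCEPT-IF": {"ip": "132.147.67.16"}},
        {"DENY-IF": {"ip": "132.147.67.0/24"}},
        {"ACCEPT-IF": {"ip": "132.147.0.0/16"}},
        "DENY",
    ]
}

# Constructed ACL using the prefix-style composition names (documentation prefixes).
COMPOSED_ACL = {
    "ACCEPT-IF": {
        "ALL-OF": [
            {"ANY-OF": [{"ip": "192.0.2.0/24"}, {"ip": "198.51.100.0/24"}]},
            {"NOT": {"ip": "192.0.2.13"}},
            {"TSIG": ["tsig1", "tsig2"]},
        ]
    }
}

if __name__ == "__main__":
    for ip in ("132.147.67.16", "132.147.67.5", "132.147.1.1", "10.0.0.1"):
        print(ip, check(CHAIN_ACL, {"ip": ip}))
    print(check(COMPOSED_ACL, {"ip": "192.0.2.7", "tsig": "tsig1"}))
```

The ordering in CHAIN_ACL is what makes "FIRST-MATCH" a fair name for the construct: 132.147.67.16 is accepted by the first rule even though the second rule would deny the whole /24, while any other host in that /24 is denied before the /16 accept is ever consulted.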
