On Thu, 4 Jan 2001, Philip Hazel wrote:
> I have been giving some thought to the choice between the "ACL" and
> "AND/OR" syntax for checking incoming recipients. The following seem to
> me to be relevant to the choice:
>
> 1. Which will be easier for the beginner? (Experienced people will cope
> either way.)
I suspect that AND/OR syntax will SEEM easier for the beginner. But
as you note below, it gets messy much sooner.
> 2. Is one easier to implement than the other? Would one be faster than
> the other?
Parsing an ACL really just takes a finite state machine. Parsing a
parenthesized expression with logical connectives takes a context-free parser.
[Aside to a particular member of this list: You see some of that theory
that they made you learn for your degree can, occasionally, be relevant]
> 3. Does one offer more or better facilities than the other?
Something that is effectively
(if X require Y) and (if Z require W)
That can be done with the former syntax like
!(X and !Y) and !(Z and !W)
or less transparently but with "fewer" parentheses
(!X or Y) and (!Z or W)
I don't think that that can be done with ACLs, but I don't have a proof.
(actually the more I think about it, the more I think it CAN be done with
ACLs. But I'm not sure how.)
> 4. Is there overwhelming user support for one or the other?
Not from me.
> 1. [...] One possibly relevant point is that if a newbie learns about
> accept/deny lists, this knowledge may be relevant for other
> applications [...]
True. My first real grotty experience with them was with squid (then
harvest).
> 2. ACL would be easier to implement, because there isn't any need to do
> messy parsing of parenthesized sublists.
Yes.
> As a consequence, it may also run faster (marginally).
And can be parsed with less memory (marginally).
> I challenged people to find the bug in this setting,
> but nobody has responded.
>
> accept_recipient = address = postmaster@??? OR \
> sender = !bad@??? AND \
> ( \
> address = +local_domains AND verify OR \
> authenticated OR \
> address = +relay_domains OR \
> host = 192.168.23.0/24 \
> ) \
> AND notlisted = dul.maps.vix.com \
> AND sender_verify
One possible bug in that (though this probably isn't it) is that the line
address = +local_domains AND verify OR \
assumes that AND binds more tightly than OR. Otherwise, you need more
parentheses. Another thing is that you need to ensure that nothing in
192.168.23.0/24 is in DUL. So it would be best to scope that out. But
these aren't the "bugs" you were talking about.
-j
--
Jeffrey Goldberg
I have recently moved, see
http://www.goldmark.org/jeff/contact.html
Relativism is the triumph of authority over truth, convention over justice
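
An added example, not part of the original message: a brute-force check of whether the "(if X require Y) and (if Z require W)" policy discussed under point 3 can be written as an ordered accept/deny list. It assumes a hypothetical first-match ACL whose rules may test a condition for being false; the rule format and the names `ACL`, `evaluate_acl` and `mismatches` are illustrative and are not Exim syntax.

```python
from itertools import product

def and_or_policy(x, y, z, w):
    # The AND/OR form from the message: (!X or Y) and (!Z or W)
    return (not x or y) and (not z or w)

# Hypothetical first-match ACL. Each rule is (verb, conditions); a rule
# matches when every named condition has the stated truth value.
ACL = [
    ("deny",   {"X": True, "Y": False}),  # X holds but the required Y does not
    ("deny",   {"Z": True, "W": False}),  # Z holds but the required W does not
    ("accept", {}),                       # nothing violated: accept
]

# Same rules with the catch-all first: later deny rules are never reached.
ACL_WRONG_ORDER = [ACL[2], ACL[0], ACL[1]]

def evaluate_acl(acl, facts, default="deny"):
    """Return the verb of the first rule whose conditions all match."""
    for verb, conds in acl:
        if all(facts[name] == want for name, want in conds.items()):
            return verb
    return default  # fail closed when no rule matches

def mismatches(acl):
    """List every truth assignment where the ACL and the AND/OR form disagree."""
    bad = []
    for x, y, z, w in product([False, True], repeat=4):
        facts = {"X": x, "Y": y, "Z": z, "W": w}
        expected = "accept" if and_or_policy(x, y, z, w) else "deny"
        if evaluate_acl(acl, facts) != expected:
            bad.append(facts)
    return bad

if __name__ == "__main__":
    print("ordered ACL disagreements:   ", len(mismatches(ACL)))
    print("accept-first disagreements:  ", len(mismatches(ACL_WRONG_ORDER)))
```

The ordered list agrees with the AND/OR expression on all 16 assignments, while moving the catch-all accept to the top accepts every case the policy should deny, which is the rule-ordering mistake to check for when reviewing such a list.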