On Thu, 19 May 2005, John Horne wrote:
> Odd question - is there any difference between the following 2 ACL
> statements:
>
> hosts = ! +local_domains
> ! hosts = +local_domains
>
> I'm assuming there is no difference.

They are the same. It gets more interesting when you have more than one
thing on the rhs, and some positive and negative items:

  hosts = some.thing.else : ! +local_domains
  ! hosts = some.thing.else : +local_domains

(Incidentally, it looks odd comparing "hosts" with "local_domains".)
                                       ^^^^^              ^^^^^^^

> Secondly, using a named ACL is there a difference between:
>
> acl = ! some_other_acl
> ! acl = some_other_acl
>
> We currently don't use named ACL's but am about to do so. As far as I
> can tell (read) the 'some_other_acl' acts like any other ACL and returns
> 'accept' or 'deny'. As such a '!' will just negate that answer, so the
> above 2 statements are again the same. Correct?

Yes, I think so.

> It's not always accept or deny that is returned... You can have "defer" or
> "drop" for instance. How would you invert that in your nested acl?! ;-)

For !some_other_acl, "accept" becomes "condition failed"; "deny" or
"drop" becomes "condition succeeded". Other results are not affected. In
other words "defer" becomes "condition defer".

Regards,
Philip
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
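
Added example (not part of the original message, and not Exim's own code): a simplified Python model of the two mixed-list forms discussed above, showing for which subject they give different answers. The list contents, host names and function names are constructed for illustration; matching is by plain name or glob only, with no DNS lookups.

```python
# Simplified model of Exim list matching and condition negation.
# List rules modelled: items are tried left to right, the first matching
# item decides, a matching "!" item means "not in the list", and running
# off the end means "in the list" only if the last item was negated.
import fnmatch

# Constructed stand-in for the named list referenced as +local_domains.
NAMED_LISTS = {"local_domains": ["*.example.org"]}


def in_list(subject, items, named=NAMED_LISTS):
    """Return True if subject is in the colon-separated list `items`."""
    negated = False
    for raw in (part.strip() for part in items.split(":")):
        negated = raw.startswith("!")
        item = raw.lstrip("!").strip()
        if item.startswith("+"):      # reference to a named list
            hit = in_list(subject, " : ".join(named[item[1:]]), named)
        else:                         # plain name or glob pattern
            hit = fnmatch.fnmatchcase(subject, item)
        if hit:
            return not negated
    return negated                    # fell off the end of the list


def condition(subject, items, invert=False):
    """Model `hosts = items`, or `! hosts = items` when invert is True."""
    result = in_list(subject, items)
    return (not result) if invert else result


def compare(subject):
    """Evaluate both mixed forms from the message for one subject."""
    a = condition(subject, "some.thing.else : ! +local_domains")
    b = condition(subject, "some.thing.else : +local_domains", invert=True)
    return a, b


if __name__ == "__main__":
    for s in ("some.thing.else", "mail.example.org", "other.net"):
        print(s, compare(s))
```

The two forms agree for every subject except one that matches the positive item: there the first form's condition is true and the second's is false.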