ufairiya / mongoose

Automatically exported from code.google.com/p/mongoose
MIT License

DocBug: Missing info re: ACLs #49

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Was working with ACLs and had a devil of a time getting them to work until 
I discovered the "trick". The code for mongoose searches for a match 
through the list of permissions and seems to pick the LAST one that 
matches. This was unexpected, as I'm used to the Cisco ordering, which is 
the reverse, using the FIRST that matches. 

The -0.0.0.0/0 ("deny any") needed to be up front, and the +'s ("permit"s) 
then follow it. In Cisco ACLs, the "deny any" is the last entry in the ACL.

Not asking for a change in the code, just a notation in the ACL entry of 
the documentation to call attention to the ordering.

What version of the product are you using? On what operating system?
 mongoose-2.6, documentation as of 2009-05-22 3:56am EST.

Original issue reported on code.google.com by roza.cho...@gmail.com on 22 May 2009 at 8:03

GoogleCodeExporter commented 9 years ago
You are right, in Mongoose last match wins. Docs are updated.
Also note a special case for -ssl_cert and -ports combination, where -ssl_cert must always come first. This is also added to the docs.

Original comment by valenok on 22 May 2009 at 9:11

GoogleCodeExporter commented 9 years ago
Is it possible to allow an entire subnet?

For example:

acl -0.0.0.0/0,+192.168.0.0/32,+127.0.0.1

should mean: allow only the local computer, or any computer on the subnet 192.168.0.0 through 192.168.0.1000 .

Or is this incorrect? I'm not sure if the "/" is IP notation or mask notation. It's not clear in the manual when last I looked.

Original comment by googl...@springtimesoftware.com on 23 May 2009 at 6:41

GoogleCodeExporter commented 9 years ago
Yes, it is possible to allow/deny a whole subnet. In x.x.x.x/y notation 'y' is a mask notation meaning the number of bits designated to a subnet. 0 means the whole IP address range, 32 means one single address (and thus can be omitted).
For example, class C addresses have mask 24, thus 1.2.3.0/24 means addresses from 1.2.3.0 to 1.2.3.255, and so on.

Original comment by valenok on 23 May 2009 at 7:22
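The two replies above describe the ACL rules (a comma-separated list of +/- entries, last match wins, and /y as a prefix length where 0 covers every address and 32, the default, is a single host). The following is an added example written for this page, not Mongoose's own check_acl code: a small re-implementation of those documented semantics that makes the ordering gotcha from the first comment visible. It assumes IPv4 only and a deny-by-default result when no entry matches, which the thread does not state; the function names (parse_acl, acl_allows) and the sample ACL strings are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One ACL entry: '+' allows, '-' denies; net/bits is the x.x.x.x/y part. */
typedef struct {
    int allow;      /* 1 for '+', 0 for '-' */
    uint32_t net;   /* network address, host byte order, already masked */
    int bits;       /* prefix length 0..32; 0 matches every address */
} acl_entry;

/* Parse dotted-quad IPv4 into host-order uint32_t. Returns 1 on success, 0 on failure. */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
    return 1;
}

/* Netmask for a prefix length; bits == 0 must not shift by 32 (undefined in C). */
static uint32_t mask_for(int bits) {
    return bits == 0 ? 0u : (0xFFFFFFFFu << (32 - bits));
}

/* Parse "-0.0.0.0/0,+192.168.0.0/24,+127.0.0.1" into entries.
 * Returns the entry count, or -1 on a syntax error (missing sign, bad octet, bad /y). */
int parse_acl(const char *acl, acl_entry *out, int max) {
    int n = 0;
    const char *p = acl;
    while (*p != '\0') {
        char buf[64];
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == 0 || len >= sizeof(buf) || n >= max) return -1;
        memcpy(buf, p, len);
        buf[len] = '\0';
        if (buf[0] != '+' && buf[0] != '-') return -1;
        acl_entry *e = &out[n];
        e->allow = (buf[0] == '+');
        e->bits = 32;                       /* "/32" is the default and may be omitted */
        char *slash = strchr(buf, '/');
        if (slash) {
            char *end;
            long bits = strtol(slash + 1, &end, 10);
            if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 32) return -1;
            e->bits = (int)bits;
            *slash = '\0';
        }
        if (!parse_ipv4(buf + 1, &e->net)) return -1;
        e->net &= mask_for(e->bits);        /* normalise host bits away */
        n++;
        p = comma ? comma + 1 : p + len;
    }
    return n;
}

/* Returns 1 if ip is allowed under acl, 0 if denied, -1 if either fails to parse.
 * Every entry is scanned and the LAST matching one decides (not first match, as
 * in Cisco ACLs). Assumption for this example: no match at all means deny. */
int acl_allows(const char *acl, const char *ip) {
    acl_entry entries[32];
    uint32_t addr;
    int n = parse_acl(acl, entries, 32);
    if (n < 0 || !parse_ipv4(ip, &addr)) return -1;
    int allowed = 0;
    for (int i = 0; i < n; i++) {
        if ((addr & mask_for(entries[i].bits)) == entries[i].net)
            allowed = entries[i].allow;     /* later entries override earlier ones */
    }
    return allowed;
}

int main(void) {
    /* Constructed sample ACLs: Mongoose ordering (deny-any first) vs Cisco ordering. */
    const char *mongoose_order = "-0.0.0.0/0,+192.168.0.0/24,+127.0.0.1";
    const char *cisco_order    = "+192.168.0.0/24,+127.0.0.1,-0.0.0.0/0";
    const char *ips[] = { "192.168.0.5", "127.0.0.1", "10.0.0.1" };
    for (int i = 0; i < 3; i++)
        printf("%-12s mongoose-order=%d cisco-order=%d\n", ips[i],
               acl_allows(mongoose_order, ips[i]), acl_allows(cisco_order, ips[i]));
    return 0;
}
```

With the deny-any entry first, 192.168.0.5 and 127.0.0.1 are allowed and 10.0.0.1 is denied; with the same entries in Cisco order the trailing -0.0.0.0/0 matches every address last and everything is denied. The /32 in the question's example matches only 192.168.0.0 itself, which is why /24 is what "the whole subnet" needs.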