Remix clone Hacker News

Would this work for network ACLs?

▲ Patryk27 2 days ago | parent [-]

ACLs are more like a binary function, right?

    f(packet, time, ...) = { reject, allow }

In that case evaluating the function once is enough to know whether the packet should be let through or not, there's no way to sort of "differentiate" this function, no way to step through it.

But this got me thinking about cases where policy _modifies_ the packet, like:

    f(packet, time, ...) = ({ reject, allow }, new-packet)

In this case you'd be looking for a fixed-point, evaluating this function until new-packet = packet (or you exhaust some time and give up). Not sure on the potential utility, though - just a random thought.

	▲	UltraSane a day ago \| parent [-]
		Makes sense. Advanced ACL analyzers translate them into first order logic and then use something like Z3 to find the packets that satisfy them but they rarely support the time based ACLs. But those are not used much in practice.