On Mon, Apr 21, 2025 at 01:17:22PM +0000, Jeff Haas wrote:
> As-list is designed to be removed when empty.

Thanks for the clarification.

>
> While I realize this may violate principle of least astonishment vs. similar
> features you highlight that take empty match elements, if I could go back in
> time I'd similarly make those fail as well. The semantics of such empty
> matching elements have resulted in outages because they themselves fail POLA.
> Do they match everything? Nothing? Bah.

Hmm... For me it looks pretty straightforward that an empty prefix-list
matches nothing: it has no elements, so there is nothing to compare
input with, so there can't be a positive match or "no input can't be
matched by empty prefix-list".
Of course, it can result in an outage (e.g., matching upstream routes by
an empty prefix-list may kill your connectivity), but it's not the vendor
who shall be blamed for such configurations.

>
> -- Jeff
>
>
> On 4/20/25, 13:20, "juniper-nsp on behalf of Alexandre Snarskii via
> juniper-nsp" wrote:
>
>
> Hi!
>
>
> Somewhat stupid question: is there any way to configure an as-list that
> does not contain any member? With prefix-lists/route-filter-lists it's
> trivial (delete policy-options prefix-list NNN; set policy-options
> prefix-list NNN;),
> with classic as-path filters it's possible albeit a bit tricky
> (set policy-options as-path none "!.*"), but I don't see any way to
> create an empty as-list or empty the current one: on emptying it gets fully
> removed from configuration and policy-options referencing it are not
> valid anymore :(
>
>
> Test scenario: create as-list with some members, reference it in policy:
>
>
> [edit policy-options]
> +   policy-statement as-test {
> +       term ok {
> +           from {
> +               as-path-origins as-list-group as0;
> +           }
> +           then accept;
> +       }
> +       then reject;
> +   }
> [edit policy-options]
> +   as-list-group as0 {
> +       as-list as0 members [ 65533 65534 ];
> +   }
>
>
> so far so good, commit check succeeds. Now, some days/weeks/years after,
> the as-set becomes empty or nonexistent for whatever reason, the generated
> as-list becomes empty, and an attempt to upload it on the router results in
> a warning and commit check failure:
>
>
> load replace terminal relative
> [Type ^D at a new line to end input]
> policy-options {
> replace:
>     as-list-group as0 {
>     }
> }
> [edit policy-options]
>   'as-list-group as0'
>     warning: statement has no contents; ignored
> load complete
>
>
> commit check
> [edit]
>   'policy-options'
>     Policy error: as0 as-list-group referenced (in term ok) but not defined
> error: configuration check-out failed
>
>
> Ok, let's try to generate a "not that empty" as-list, indicating that
> "yes, it's empty, but deliberately so":
>
>
> [Type ^D at a new line to end input]
> policy-options {
> replace:
>     as-list-group as0 {
>         as-list aNone members [ ];
>     }
> }
> load complete
>
>
> ok, the warning is not here anymore, but commit check still fails with
> the same error.
>
>
> Are there any other options better than encoding some fake ASN into
> an empty as-list?
>
>
> PS: tested with 22.4R3-S3.3 and 23.4R2-S2.1 if that matters.
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
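A pre-flight check for the generator side of the failure described in this thread, as an added example that is not part of the original messages: for every as-list-group a policy references, it either refuses to proceed when the expansion is empty or substitutes an operator-chosen placeholder ASN (the "fake ASN" workaround the post mentions). The function names, the sample data and the placeholder value 65535 are assumptions made for the example; whether a given placeholder is safe in a particular network is for the operator to decide.

```python
"""Pre-flight check for generated Junos as-list-group fragments (added example)."""

# Constructed sample input: as0 expanded to nothing, as1 to two private ASNs.
SAMPLE = {"as0": [], "as1": [65533, 65534]}
REFERENCED = {"as0", "as1"}   # groups named in "from as-path-origins as-list-group"
PLACEHOLDER = 65535           # assumption: operator-chosen, not from the thread


def render_group(group, asns):
    """Render one group in the 'load replace' form shown in the thread."""
    members = " ".join(str(a) for a in sorted(set(asns)))
    return (
        "policy-options {\n"
        "replace:\n"
        f"    as-list-group {group} {{\n"
        f"        as-list {group} members [ {members} ];\n"
        "    }\n"
        "}\n"
    )


def build_fragments(generated, referenced, placeholder_asn=None):
    """Return (fragments, problems); push nothing unless problems is empty."""
    fragments, problems = {}, []
    for group in sorted(referenced):
        asns = [int(a) for a in generated.get(group, ())]
        bad = [a for a in asns if not 0 < a < 2**32]
        if bad:
            problems.append(f"{group}: ASN out of range: {bad}")
            continue
        if not asns:
            # An empty group is dropped on load, and the policy referencing it
            # then fails commit check ("referenced ... but not defined").
            if placeholder_asn is None:
                problems.append(f"{group}: empty, would fail commit check")
                continue
            asns = [placeholder_asn]
        fragments[group] = render_group(group, asns)
    return fragments, problems


if __name__ == "__main__":
    for ph in (None, PLACEHOLDER):
        frags, probs = build_fragments(SAMPLE, REFERENCED, ph)
        print(f"placeholder={ph}: problems={probs}")
        for text in frags.values():
            print(text, end="")
```

Run without a placeholder, the check fails closed and reports `as0` before anything is loaded on the router; a group that is referenced but missing from the generator output is treated the same way as an empty one.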

