ACL: remove skip-list, search by longest prefix match
Why is it broken
The benefit of this is mostly codebase cleanup, since it would only solve the case where, say, 10.10.10.0/24
is allowed only with an associated TSIG key, but 10.10.10.10
(or any subset of the /24) is allowed without a key. The current implementation would prefer the match that has the TSIG key. Such a configuration doesn't make much sense in the real world, so it's not a serious issue. Still, the ACLs depend on a lot of obsolete code, so simplification is desirable.
What is going to change
Since the prefix is a CIDR bitmask, we would either need a special structure that branches by bits (like a bit trie) rather than by bytes, as most string structures/algorithms do; or inflate addresses to a string of bits (inefficient); or keep whatever structure we have and compare the searched address against the current entry using a special comparison function. Presuming that ACL lists are never very long, even O(n) is good enough. If we sort the ACL list by prefix length (longest first), the first matching entry is the longest prefix match.
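The sort-then-scan approach described above, written out as an added example. This is not Knot DNS code; the entry struct, function names, and the ACL contents (the 10.10.10.0/24 with key "key1", a bare 10.10.10.10 without key, and a constructed 2001:db8::/32 with key "key6") are assumptions made for the illustration. Entries are sorted by descending prefix length, and the lookup is a linear scan whose first hit is therefore the longest prefix match, so the bare host entry wins over the enclosing /24 regardless of which one carries a key.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>
#include <arpa/inet.h>

/* One ACL entry (hypothetical layout, not Knot's). */
typedef struct {
    int family;        /* AF_INET or AF_INET6 */
    uint8_t addr[16];  /* address bytes in network byte order */
    unsigned prefix;   /* CIDR prefix length in bits */
    const char *key;   /* required TSIG key name, or NULL for "no key" */
} acl_entry_t;

/* Parse "a.b.c.d[/n]" or "x::y[/n]"; a missing /n means a host entry. */
static bool acl_entry_parse(acl_entry_t *e, const char *cidr, const char *key)
{
    char buf[64];
    size_t len = strlen(cidr);
    if (len >= sizeof(buf)) return false;
    memcpy(buf, cidr, len + 1);
    char *slash = strchr(buf, '/');
    if (slash) *slash = '\0';
    e->family = strchr(buf, ':') ? AF_INET6 : AF_INET;
    unsigned maxbits = (e->family == AF_INET6) ? 128 : 32;
    if (inet_pton(e->family, buf, e->addr) != 1) return false;
    e->prefix = slash ? (unsigned)strtoul(slash + 1, NULL, 10) : maxbits;
    if (e->prefix > maxbits) return false;
    e->key = key;
    return true;
}

/* Bitwise prefix comparison: is addr inside the entry's network? */
static bool acl_entry_matches(const acl_entry_t *e, int family, const uint8_t *addr)
{
    if (e->family != family) return false;
    unsigned full = e->prefix / 8, rem = e->prefix % 8;
    if (memcmp(e->addr, addr, full) != 0) return false;
    if (rem == 0) return true;
    uint8_t mask = (uint8_t)(0xFF << (8 - rem));   /* top `rem` bits of the next byte */
    return (e->addr[full] & mask) == (addr[full] & mask);
}

/* Descending prefix length, so the most specific entries come first. */
static int acl_cmp_prefix_desc(const void *a, const void *b)
{
    const acl_entry_t *x = a, *y = b;
    return (int)y->prefix - (int)x->prefix;
}

static void acl_sort(acl_entry_t *acl, size_t n)
{
    qsort(acl, n, sizeof(acl[0]), acl_cmp_prefix_desc);
}

/* O(n) scan over a sorted ACL; the first hit is the longest prefix match. */
static const acl_entry_t *acl_find(const acl_entry_t *acl, size_t n, const char *addr_str)
{
    uint8_t addr[16];
    int family = strchr(addr_str, ':') ? AF_INET6 : AF_INET;
    if (inet_pton(family, addr_str, addr) != 1) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (acl_entry_matches(&acl[i], family, addr)) return &acl[i];
    }
    return NULL;
}

/* The scenario from the issue text: returns the key the matched entry requires,
 * "no-key" if the matched entry needs none, or "denied" on no match. */
static const char *acl_required_key_for(const char *addr_str)
{
    acl_entry_t acl[3];
    size_t n = 0;
    acl_entry_parse(&acl[n++], "10.10.10.0/24", "key1");
    acl_entry_parse(&acl[n++], "10.10.10.10", NULL);       /* host entry, prefix 32 */
    acl_entry_parse(&acl[n++], "2001:db8::/32", "key6");   /* constructed IPv6 entry */
    acl_sort(acl, n);
    const acl_entry_t *e = acl_find(acl, n, addr_str);
    if (e == NULL) return "denied";
    return e->key ? e->key : "no-key";
}

int main(void)
{
    const char *probes[] = { "10.10.10.10", "10.10.10.11", "10.10.11.1", "2001:db8::1" };
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        printf("%-12s -> %s\n", probes[i], acl_required_key_for(probes[i]));
    }
    return 0;
}
```

Note that qsort is not stable, so two entries with the same prefix length may end up in either order; if the ACL is meant to preserve configuration order among equal-length prefixes, the comparison function should fall back to an index stored in the entry.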