module: aoscx_acl - tcp_flags - BUG

[williambargentball]

Hello CX Ansible Team,

I'm having trouble using the tcp_flags parameter now that the tcp_established bool has been depreciated.

I have the following in my playbook:

    - name: "Deploy new access-list"
      aoscx_acl:
        type: ipv4
        state: update    <-- (have also tested 'create')
        name: "VLAN"
        acl_entries: "{{ v4_acl_entries }}"

This v4_acl_entries variable is stored in a separate file in the following format:

v4_acl_entries:
  '100': { action: permit, protocol: tcp, src_ip: any, dst_ip: any, tcp_flags: [ established ], comment: "PERMIT ESTABLISHED" }
  '200': { action: deny, protocol: any, src_ip: any, dst_ip: any, count: true, log: true, comment: "DEFAULT DENY" }

This seems to occur for any list item: ack, cwr, ece, established, fin, psh, rst, syn, urg. I have been following the documentation page: https://github.com/aruba/aoscx-ansible-collection/blob/master/docs/aoscx_acl.md

The error I receive:

The full traceback is:
  File "/tmp/ansible_aoscx_acl_payload_0abmk9rn/ansible_aoscx_acl_payload.zip/ansible_collections/arubanetworks/aoscx/plugins/modules/aoscx_acl.py", line 632, in main
  File "/home/admin/admin_wb140/.local/lib/python3.9/site-packages/pyaoscx/acl_entry.py", line 198, in __init__
    raise ParameterError(
fatal: [rtr-core]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "acl_entries": {
                "100": {
                    "action": "permit",
                    "comment": "PERMIT ESTABLISHED",
                    "dst_ip": "any",
                    "protocol": "any",
                    "src_ip": "any",
                    "tcp_flags": [
                        "established"
                    ]
                },
                "200": {
                    "action": "deny",
                    "comment": "DEFAULT DENY",
                    "count": true,
                    "dst_ip": "any",
                    "log": true,
                    "protocol": "any",
                    "src_ip": "any"
                }
            },
            "name": "VLAN",
            "state": "update",
            "type": "ipv4"
        }
    },
    "msg": "'PARAMETER ERROR: [ACL VLAN/ipv4 - Entry 100] Parameters not supported: tcp_established'"
}

My versions:

ansible [core 2.15.12]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/admin/admin_wb140/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/admin/admin_wb140/.local/lib/python3.9/site-packages/ansible
  ansible collection location = /home/admin/admin_wb140/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/admin/admin_wb140/.local/bin/ansible
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110] (/usr/bin/python3)
  jinja version = 3.1.4
  libyaml = True

ansible.netcommon             7.1.0
arubanetworks.aoscx          4.4.0
pyaoscx.                               2.6.0

[alagoutte]

Hi @williambargent

What switch model and firmware ?

[williambargentball]

Good evening @alagoutte,

I have tested with multiple 8360's, the firmware is 10.13.1040, it also occurred on 10.13.1031.

[alagoutte]

Can you try to replace

v4_acl_entries:
  '100': { action: permit, protocol: tcp, src_ip: any, dst_ip: any, tcp_flags: [ established ], comment: "PERMIT ESTABLISHED" }
  '200': { action: deny, protocol: any, src_ip: any, dst_ip: any, count: true, log: true, comment: "DEFAULT DENY" }

protocol: tcp by protocol: 6 ? (from ansible aos cx doc it is int not a string...)
and on the output, talk about protocol any

for the error "Parameters not supported: ", it is coming from pyaoscx module about some capabilities not supported

[williambargentball]

Thanks, I have tested with protocol: 6 and protocol: any however I get the same error.

The documentation that I have been referring to mentions that protocol is a str value.
https://github.com/aruba/aoscx-ansible-collection/blob/master/docs/aoscx_acl.md

[alagoutte]

Thanks, I have tested with protocol: 6 and protocol: any however I get the same error.

The documentation that I have been referring to mentions that protocol is a str value. https://github.com/aruba/aoscx-ansible-collection/blob/master/docs/aoscx_acl.md

but the code say "int" https://github.com/aruba/aoscx-ansible-collection/blob/master/plugins/modules/aoscx_acl.py#L265 :) (i think the doc is regenerated... @tchiapuziowong

you have always "protocol": "any", on verbose ?

[williambargentball]

Good morning,

I still can't seem to get past this bug.

Thanks for your help.

[tchiapuziowong]

hi @williambargent - as a workaround are you able to use the aoscx_config module using SSH?

[williambargentball]

Thanks for your reply @tchiapuziowong. How would I pass my .yml ACL file to aoscx_config please?

[tchiapuziowong]

based on the dictionary you provided you could use Ansible's templating module and create a Jinja2 template to generate your access list. I was able to do the following with what you provided:

Here's the Jinja2 template I used to create the access-list, please note how I hardcoded the ACL name & type, if this is something you want to make a variable you'll need to modify:
templates/acl.j2

access-list ip test
{% for key, value in v4_acl_entries.items() %}
{% set extras = "" %}
{% if value.count is defined and value.count %}
{% set extras = "count" %}
{% endif %}
{% if value.log is defined and value.log%}
{% set extras = extras ~ " " ~ "log" %}
{% endif %}
{% if value.comment is defined %}
  {{ key }} comment {{ value.comment }}
{% endif %}
{% if value.tcp_flags is defined %}
  {{ key }} {{ value.action }} {{ value.protocol }} {{ value.src_ip }} {{ value.dst_ip }} {{ value.tcp_flags | join(' ') }} {{ extras }}
{% else %}
  {{ key }} {{ value.action }} {{ value.protocol }} {{ value.src_ip }} {{ value.dst_ip }} {{ extras }}
{% endif %}
{% endfor %}

here's the Playbook that will generate the ACL based on the template and a dictionary (this can be stored elsewhere in your environment, in this example I provide it in the playbook itself):

- hosts: all
  collections:
    - arubanetworks.aoscx
  vars:
    ansible_connection: network_cli
  tasks:
    - name: generate acl based on template
      template:
        src: acl.j2
        dest: ./generated_acl.txt
      vars:
        v4_acl_entries:
          '100': { action: permit, protocol: tcp, src_ip: any, dst_ip: any, tcp_flags: [ established ], comment: "PERMIT ESTABLISHED" }
          '200': { action: deny, protocol: any, src_ip: any, dst_ip: any, count: true, log: true, comment: "DEFAULT DENY" }

    - name: configure ACL using template
      aoscx_config:
        src: ./generated_acl.txt

Here's the generated text that it produces and uses as a source for config:

access-list ip test
  100 comment PERMIT ESTABLISHED
  100 permit tcp any any established
  200 comment DEFAULT DENY
  200 deny any any any count log