module: aoscx_acl - tcp_flags - BUG #119

Open
williambargent opened this issue Oct 29, 2024 · 5 comments

@williambargent

Hello CX Ansible Team,

I'm having trouble using the tcp_flags parameter now that the tcp_established bool has been deprecated.

I have the following in my playbook:

    - name: "Deploy new access-list"
      aoscx_acl:
        type: ipv4
        state: update    # have also tested 'create'
        name: "VLAN"
        acl_entries: "{{ v4_acl_entries }}"

This v4_acl_entries variable is stored in a separate file in the following format:

    v4_acl_entries:
      '100': { action: permit, protocol: tcp, src_ip: any, dst_ip: any, tcp_flags: [ established ], comment: "PERMIT ESTABLISHED" }
      '200': { action: deny, protocol: any, src_ip: any, dst_ip: any, count: true, log: true, comment: "DEFAULT DENY" }

This seems to occur for any list item: ack, cwr, ece, established, fin, psh, rst, syn, urg. I have been following the documentation page: https://github.com/aruba/aoscx-ansible-collection/blob/master/docs/aoscx_acl.md

The error I receive:

    The full traceback is:
      File "/tmp/ansible_aoscx_acl_payload_0abmk9rn/ansible_aoscx_acl_payload.zip/ansible_collections/arubanetworks/aoscx/plugins/modules/aoscx_acl.py", line 632, in main
      File "/home/admin/admin_wb140/.local/lib/python3.9/site-packages/pyaoscx/acl_entry.py", line 198, in __init__
        raise ParameterError(
    fatal: [rtr-core]: FAILED! => {
        "changed": false,
        "invocation": {
            "module_args": {
                "acl_entries": {
                    "100": {
                        "action": "permit",
                        "comment": "PERMIT ESTABLISHED",
                        "dst_ip": "any",
                        "protocol": "any",
                        "src_ip": "any",
                        "tcp_flags": [
                            "established"
                        ]
                    },
                    "200": {
                        "action": "deny",
                        "comment": "DEFAULT DENY",
                        "count": true,
                        "dst_ip": "any",
                        "log": true,
                        "protocol": "any",
                        "src_ip": "any"
                    }
                },
                "name": "VLAN",
                "state": "update",
                "type": "ipv4"
            }
        },
        "msg": "'PARAMETER ERROR: [ACL VLAN/ipv4 - Entry 100] Parameters not supported: tcp_established'"
    }

My versions:

    ansible [core 2.15.12]
      config file = /etc/ansible/ansible.cfg
      configured module search path = ['/home/admin/admin_wb140/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
      ansible python module location = /home/admin/admin_wb140/.local/lib/python3.9/site-packages/ansible
      ansible collection location = /home/admin/admin_wb140/.ansible/collections:/usr/share/ansible/collections
      executable location = /home/admin/admin_wb140/.local/bin/ansible
      python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110] (/usr/bin/python3)
      jinja version = 3.1.4
      libyaml = True
    ansible.netcommon             7.1.0
    arubanetworks.aoscx           4.4.0
    pyaoscx                       2.6.0

@alagoutte
Contributor

Hi @williambargent

What switch model and firmware?

@williambargent
Author

Good evening @alagoutte,

I have tested with multiple 8360s; the firmware is 10.13.1040, and it also occurred on 10.13.1031.

@alagoutte
Contributor

Can you try to replace

    v4_acl_entries:
      '100': { action: permit, protocol: tcp, src_ip: any, dst_ip: any, tcp_flags: [ established ], comment: "PERMIT ESTABLISHED" }
      '200': { action: deny, protocol: any, src_ip: any, dst_ip: any, count: true, log: true, comment: "DEFAULT DENY" }

protocol: tcp with protocol: 6? (From the Ansible AOS-CX doc, it is an int, not a string...)
Also, the output talks about protocol any.

For the error "Parameters not supported: ", it is coming from the pyaoscx module, about some capabilities not being supported.

@williambargent
Author

Thanks, I have tested with protocol: 6 and protocol: any; however, I get the same error.

The documentation that I have been referring to mentions that protocol is a str value.
https://github.com/aruba/aoscx-ansible-collection/blob/master/docs/aoscx_acl.md

@alagoutte
Contributor

> Thanks, I have tested with protocol: 6 and protocol: any; however, I get the same error.
>
> The documentation that I have been referring to mentions that protocol is a str value. https://github.com/aruba/aoscx-ansible-collection/blob/master/docs/aoscx_acl.md

But the code says "int": https://github.com/aruba/aoscx-ansible-collection/blob/master/plugins/modules/aoscx_acl.py#L265 :) (I think the doc is regenerated...) @tchiapuziowong

You always have "protocol": "any" on verbose?
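
An added example, not part of the thread and not code from the collection or pyaoscx: a small Python check to run over the module_args block of a verbose failure like the one quoted in the issue, flagging entries where tcp_flags arrives with a non-TCP protocol, uses a flag outside the list named in the issue, or still carries a tcp_established key. The function name, the sample data and the treatment of tcp, "6" and 6 as equivalent are assumptions of this example; it inspects what the module received and does not explain the ParameterError itself.

```python
import json

# Flag names listed in the issue for the tcp_flags parameter.
KNOWN_FLAGS = {"ack", "cwr", "ece", "established", "fin", "psh", "rst", "syn", "urg"}
# Assumption: the spellings debated in the thread (name or number 6) all mean TCP.
TCP_VALUES = {"tcp", "6", 6}

# Constructed sample: module_args trimmed from the failing run quoted in the issue.
SAMPLE_MODULE_ARGS = json.loads("""
{"acl_entries": {
   "100": {"action": "permit", "protocol": "any", "src_ip": "any",
           "dst_ip": "any", "tcp_flags": ["established"]},
   "200": {"action": "deny", "protocol": "any", "src_ip": "any",
           "dst_ip": "any", "count": true, "log": true}},
 "name": "VLAN", "state": "update", "type": "ipv4"}
""")


def lint_acl_entries(module_args):
    """Return (sequence, message) findings for entries with inconsistent TCP options."""
    findings = []
    entries = module_args.get("acl_entries") or {}
    for seq in sorted(entries, key=int):
        entry = entries[seq]
        flags = entry.get("tcp_flags") or []
        proto = entry.get("protocol")
        norm = proto.lower() if isinstance(proto, str) else proto
        # TCP flag matching only makes sense on an entry that matches TCP.
        if flags and norm not in TCP_VALUES:
            findings.append((seq, f"tcp_flags {flags} set but protocol is {proto!r}"))
        unknown = sorted(set(flags) - KNOWN_FLAGS)
        if unknown:
            findings.append((seq, f"unknown tcp_flags: {unknown}"))
        # The issue reports tcp_established as deprecated in favour of tcp_flags.
        if "tcp_established" in entry:
            findings.append((seq, "tcp_established key still present"))
    return findings


if __name__ == "__main__":
    for seq, msg in lint_acl_entries(SAMPLE_MODULE_ARGS):
        print(f"entry {seq}: {msg}")
```
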
