ansible-collections / cisco.ios

Ansible Network Collection for Cisco IOS

Gathered facts for standard acl do not match actual acl and contain unsupported attributes (first octet of ip parsed to protocol_number)

dtryba opened this issue · comments

SUMMARY

Trying to add/replace/modify a standard ACL fails with

Unsupported attribute for standard ACL - protocol_options.

when the playbook doesn't include any protocol_options.

It appears the acls module fails to parse the config in the router correctly. Instead of correctly parsing a source address/host and wildcard, a line like

ip access-list standard SNMP-SECURITY
  permit 10.255.236.0 0.0.3.255

results in gathered facts as

                        {
                            "grant": "permit",
                            "protocol_options": {
                                "protocol_number": 10
                            }
                        }

where the first octet of the ip address somehow ends up as a protocol_number.

ISSUE TYPE

  • Bug Report

COMPONENT NAME

module: cisco.ios.ios_acls

ANSIBLE VERSION

ansible [core 2.14.3]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/daniel/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /home/daniel/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0] (/usr/bin/python)
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION

cisco.ios         5.2.0

CONFIGURATION

CONFIG_FILE() = /etc/ansible/ansible.cfg
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False

OS / ENVIRONMENT

source machine: Debian/12

destination router:

C927-4PLTEGB
Cisco IOS Software, C900 Software (C900-UNIVERSALK9-M), Version 15.9(3)M4, RELEASE SOFTWARE (fc3)

STEPS TO REPRODUCE

playbook:

    - name: gather acls
      cisco.ios.ios_acls:
        config:
        state: gathered
      tags: acls,aclsv4

    - name: acls
      cisco.ios.ios_acls:
        config:
          - afi: ipv4
            acls:
            - name: SNMP-SECURITY
              acl_type: standard
              aces:
                - sequence: 10
                  grant: permit
                  source: 
                    address: 185.1.2.3
                    wildcard_bits: 0.0.0.7
                - sequence: 20
                  grant: permit
                  source:
                    address: 10.255.236.0
                    wildcard_bits: 0.0.3.255
                - sequence: 990
                  grant: deny
                  source:
                    any: true
                  destination:
                    any: true
        state: merged
      tags: acls,aclsv4

current ACL in router:

ip access-list standard SNMP-SECURITY
 permit 185.1.2.3 0.0.0.7
 permit 10.255.236.0 0.0.3.255
 deny   any

EXPECTED RESULTS

Since the desired ACL in playbook and router are the same, nothing should happen.

ACTUAL RESULTS

task fails:

Unsupported attribute for standard ACL - protocol_options.

Output from the fail

fatal: [40457]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "config": [
                {
                    "acls": [
                        {
                            "aces": [
                                {
                                    "destination": null,
                                    "dscp": null,
                                    "enable_fragments": null,
                                    "evaluate": null,
                                    "fragments": null,
                                    "grant": "permit",
                                    "log": null,
                                    "log_input": null,
                                    "option": null,
                                    "precedence": null,
                                    "protocol": null,
                                    "protocol_options": null,
                                    "remarks": null,
                                    "sequence": 10,
                                    "source": {
                                        "address": "185.1.2.3",
                                        "any": null,
                                        "host": null,
                                        "object_group": null,
                                        "port_protocol": null,
                                        "wildcard_bits": "0.0.0.7"
                                    },
                                    "time_range": null,
                                    "tos": null,
                                    "ttl": null
                                },
                                {
                                    "destination": null,
                                    "dscp": null,
                                    "enable_fragments": null,
                                    "evaluate": null,
                                    "fragments": null,
                                    "grant": "permit",
                                    "log": null,
                                    "log_input": null,
                                    "option": null,
                                    "precedence": null,
                                    "protocol": null,
                                    "protocol_options": null,
                                    "remarks": null,
                                    "sequence": 20,
                                    "source": {
                                        "address": "10.255.236.0",
                                        "any": null,
                                        "host": null,
                                        "object_group": null,
                                        "port_protocol": null,
                                        "wildcard_bits": "0.0.3.255"
                                    },
                                    "time_range": null,
                                    "tos": null,
                                    "ttl": null
                                },
                                {
                                    "destination": {
                                        "address": null,
                                        "any": true,
                                        "host": null,
                                        "object_group": null,
                                        "port_protocol": null,
                                        "wildcard_bits": null
                                    },
                                    "dscp": null,
                                    "enable_fragments": null,
                                    "evaluate": null,
                                    "fragments": null,
                                    "grant": "deny",
                                    "log": null,
                                    "log_input": null,
                                    "option": null,
                                    "precedence": null,
                                    "protocol": null,
                                    "protocol_options": null,
                                    "remarks": null,
                                    "sequence": 990,
                                    "source": {
                                        "address": null,
                                        "any": true,
                                        "host": null,
                                        "object_group": null,
                                        "port_protocol": null,
                                        "wildcard_bits": null
                                    },
                                    "time_range": null,
                                    "tos": null,
                                    "ttl": null
                                }
                            ],
                            "acl_type": "standard",
                            "name": "SNMP-SECURITY"
                        }
                    ],
                    "afi": "ipv4"
                }
            ],
            "running_config": null,
            "state": "merged"
        }
    },
    "msg": "Unsupported attribute for standard ACL - protocol_options."
}

Relevant output from the gathered:

ok: [40457] => {
    "changed": false,
    "gathered": [
        {
            "acls": [
                {
                    "aces": [
                        {
                            "grant": "permit",
                            "protocol_options": {
                                "protocol_number": 185
                            }
                        },
                        {
                            "grant": "permit",
                            "protocol_options": {
                                "protocol_number": 10
                            }
                        },
                        {
                            "grant": "deny"
                        }
                    ],
                    "acl_type": "standard",
                    "name": "SNMP-SECURITY"
                },
            ],
            "afi": "ipv4"
        }
    ],
    "invocation": {
        "module_args": {
            "config": null,
            "running_config": null,
            "state": "gathered"
        }
    }
}
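
Added example, not part of the original issue and not the cisco.ios collection's code: a small stand-alone parser for the standard ACE forms shown above, used to flag gathered ACEs that carry `protocol_options` and to show what the source/wildcard parse should have been. The names `parse_standard_ace` and `misparsed` are hypothetical, and the grammar is assumed to cover only `any`, `host ADDR` and `ADDR [WILDCARD]`.

```python
import ipaddress
import re

# Forms covered (assumption): [seq] permit|deny  any | host ADDR | ADDR [WILDCARD]
_ADDR = r"\d{1,3}(?:\.\d{1,3}){3}"
ACE_RE = re.compile(
    rf"^\s*(?:(?P<sequence>\d+)\s+)?(?P<grant>permit|deny)\s+"
    rf"(?:(?P<any>any)|host\s+(?P<host>{_ADDR})"
    rf"|(?P<address>{_ADDR})(?:\s+(?P<wildcard>{_ADDR}))?)\s*$"
)

# Copied from the issue: the router's ACL body and the ACEs ios_acls gathered.
DEVICE_LINES = [" permit 185.1.2.3 0.0.0.7", " permit 10.255.236.0 0.0.3.255", " deny   any"]
GATHERED = [
    {"grant": "permit", "protocol_options": {"protocol_number": 185}},
    {"grant": "permit", "protocol_options": {"protocol_number": 10}},
    {"grant": "deny"},
]


def parse_standard_ace(line):
    """Parse one standard ACE into the source/wildcard shape the playbook uses."""
    m = ACE_RE.match(line)
    if not m:
        raise ValueError(f"not a standard ACE: {line!r}")
    for key in ("host", "address", "wildcard"):
        if m[key]:
            ipaddress.IPv4Address(m[key])  # raises on octets above 255
    ace = {"grant": m["grant"]}
    if m["sequence"]:
        ace["sequence"] = int(m["sequence"])
    if m["any"]:
        ace["source"] = {"any": True}
    elif m["wildcard"]:
        ace["source"] = {"address": m["address"], "wildcard_bits": m["wildcard"]}
    else:  # "host A.B.C.D" or a bare address, which IOS treats as a host
        ace["source"] = {"host": m["host"] or m["address"]}
    return ace


def misparsed(device_lines, gathered_aces):
    """Pair the correct parse with each gathered ACE that carries protocol_options."""
    return [
        (parse_standard_ace(line), got)
        for line, got in zip(device_lines, gathered_aces)
        if "protocol_options" in got
    ]
```

Running `misparsed(DEVICE_LINES, GATHERED)` before a `merged` or `replaced` task gives a quick way to tell a facts-parsing problem from real ACL drift on the device.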