module asa_acls doesn't work if there are network-object-group in ACL #24

Closed
sebrower opened this issue Apr 23, 2020 · 2 comments · Fixed by #37
sebrower commented Apr 23, 2020

SUMMARY

If we have an ACL that contains a network-object-group, and I run a playbook with the module asa_acls with state: gathered, I get an error.

ISSUE TYPE
  • Feature request
COMPONENT NAME
ANSIBLE VERSION
ansible 2.9.6
CONFIGURATION
--
OS / ENVIRONMENT

I have this list of ACLs.
access-list ACI-PBR line 51 extended permit tcp object-group devaccess-dockertest object-group devaccess-dockertest-endpoints eq 3389 (hitcnt=0) 0x961626dc
access-list ACI-PBR line 51 extended permit tcp host 1.1.1.1 host 1.1.1.1 eq 3389 (hitcnt=0) 0xcf956318
access-list ACI-PBR line 51 extended permit tcp host 172.19.4.74 host 1.1.1.1 eq 3389 (hitcnt=0) 0x08b394cc
access-list ACI-PBR line 51 extended permit tcp host 172.25.7.134 host 1.1.1.1 eq 3389 (hitcnt=0) 0x753ed89c
access-list ACI-PBR line 51 extended permit tcp host 172.26.5.167 host 1.1.1.1 eq 3389 (hitcnt=0) 0x27a90068
access-list ACI-PBR line 51 extended permit tcp host 172.30.5.81 host 1.1.1.1 eq 3389 (hitcnt=0) 0x8de1b244
access-list ACI-PBR line 51 extended permit tcp host 192.168.1.72 host 1.1.1.1 eq 3389 (hitcnt=0) 0x3b079250
access-list ACI-PBR line 52 extended permit tcp object-group devaccess-dockertest object-group devaccess-dockertest-endpoints eq 5900 (hitcnt=0) 0x7b6b76d7
access-list ACI-PBR line 52 extended permit tcp host 1.1.1.1 host 1.1.1.1 eq 5900 (hitcnt=0) 0x695a0127
access-list ACI-PBR line 52 extended permit tcp host 172.19.4.74 host 1.1.1.1 eq 5900 (hitcnt=0) 0xf6e22d3a
access-list ACI-PBR line 52 extended permit tcp host 172.25.7.134 host 1.1.1.1 eq 5900 (hitcnt=0) 0x7314f207
access-list ACI-PBR line 52 extended permit tcp host 172.26.5.167 host 1.1.1.1 eq 5900 (hitcnt=0) 0x07da2b97
access-list ACI-PBR line 52 extended permit tcp host 172.30.5.81 host 1.1.1.1 eq 5900 (hitcnt=0) 0xcfdb417c
access-list ACI-PBR line 52 extended permit tcp host 192.168.1.72 host 1.1.1.1 eq 5900 (hitcnt=0) 0x87525554

The playbook that I use is the following:

---
- hosts: asa
  gather_facts: false
  connection: network_cli

  collections:
    - cisco.asa

  tasks:
  - name: Gather listed ACLs with provided configurations
    cisco.asa.asa_acls:
      config:
      state: gathered
EXPECTED RESULTS
ACTUAL RESULTS

It fails with the following message.

....
  File "/tmp/ansible_cisco.asa.asa_acls_payload_ZCnlJX/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 176, in populate_port_protocol
  File "/tmp/ansible_cisco.asa.asa_acls_payload_ZCnlJX/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 176, in populate_port_protocol
  File "/tmp/ansible_cisco.asa.asa_acls_payload_ZCnlJX/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 176, in populate_port_protocol

  File "/tmp/ansible_cisco.asa.asa_acls_payload_3F2REH/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 176, in populate_port_protocol
  File "/tmp/ansible_cisco.asa.asa_acls_payload_3F2REH/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 96, in populate_port_protocol
RuntimeError: maximum recursion depth exceeded in cmp
module_stdout: ''
msg: |-
  MODULE FAILURE
  See stdout/stderr for the exact error
rc: 1
@justjais justjais self-assigned this Apr 26, 2020
@justjais (Member)

@sebrower Thanks for logging the issue. I'll triage it and update the issue with more details.

@justjais (Member)

@sebrower It seems that for source and destination I missed the implementation of the following combos:

  interface              Use interface address as source address
  object                 Keyword to enter source object name
  object-group           Network object-group for source address
  object-group-security  Keyword to specify security object-group for source
  object-group-user      Keyword to specify user object-group for source
  security-group         Keyword to specify inline security-group
  user                   Keyword to specify user for source
  user-group             Keyword to specify user-group for source

Thanks for testing the module. I'll include support for these at both the source and destination ends and update the module.
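As an added illustration (not code from the cisco.asa collection, its acls.py, or either participant), the block below is a small iterative parser for `show access-list` output that handles the host form in the report above and every source/destination keyword in the help text quoted in the comment. The function names, the `any`/`any4`/`any6` and bare `ADDR MASK` forms, the `security-group name|tag` syntax, and the `object`/`object-group` service forms in the protocol position are assumptions about ASA syntax, not something the thread states. An unrecognised address form raises ValueError rather than recursing, which is the failure mode in the traceback; the sample input is constructed from two lines of the report plus two made-up lines.

```python
"""Iterative parser for Cisco ASA 'show access-list' output (added example,
not the cisco.asa collection's own acls.py). Keyword set follows the ASA
help text quoted in the thread; anything else here is an assumption."""
import re
from typing import Dict, List, Optional, Tuple

# Address keywords from the ASA help text that take one argument.
ONE_ARG = {"host", "object", "object-group", "object-group-security",
           "object-group-user", "interface", "user", "user-group"}
# Keyword-only address forms (assumed, standard ASA syntax).
NO_ARG = {"any", "any4", "any6"}
PORT_OPS = {"eq", "gt", "lt", "neq", "range"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HEADER = re.compile(
    r"^access-list (\S+) line (\d+) extended (permit|deny) (\S+)\s*(.*)$")
TRAILER = re.compile(r"\s*\(hitcnt=(\d+)\)\s*(0x[0-9a-fA-F]+)?\s*$")


def take_address(tokens: List[str], i: int) -> Tuple[Dict[str, str], int]:
    """Consume one source/destination spec at tokens[i]; return (spec, next index)."""
    if i >= len(tokens):
        raise ValueError("missing address")
    kw = tokens[i]
    if kw in NO_ARG:
        return {"kind": kw}, i + 1
    if kw in ONE_ARG:
        if i + 1 >= len(tokens):
            raise ValueError(f"'{kw}' requires an argument")
        return {"kind": kw, "value": tokens[i + 1]}, i + 2
    if kw == "security-group":
        # Inline security-group: 'security-group name NAME' or 'tag TAG' (assumed syntax).
        if i + 2 >= len(tokens) or tokens[i + 1] not in ("name", "tag"):
            raise ValueError("security-group requires 'name NAME' or 'tag TAG'")
        return {"kind": kw, tokens[i + 1]: tokens[i + 2]}, i + 3
    if IPV4.match(kw) and i + 1 < len(tokens) and IPV4.match(tokens[i + 1]):
        return {"kind": "subnet", "address": kw, "netmask": tokens[i + 1]}, i + 2
    # Unknown form: fail loudly instead of recursing (the bug in the traceback above).
    raise ValueError(f"unrecognised address form at {kw!r}")


def take_port(tokens: List[str], i: int) -> Tuple[Optional[Dict[str, str]], int]:
    """Consume an optional port operator (eq/gt/lt/neq/range) at tokens[i]."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return None, i
    op = tokens[i]
    need = 2 if op == "range" else 1
    if i + need >= len(tokens):
        raise ValueError(f"'{op}' requires {need} port argument(s)")
    if op == "range":
        return {"op": op, "start": tokens[i + 1], "end": tokens[i + 2]}, i + 3
    return {"op": op, "port": tokens[i + 1]}, i + 2


def parse_acl_line(line: str) -> Dict[str, object]:
    """Parse one extended ACE line from 'show access-list' into a dict."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not an extended access-list line")
    name, lineno, action, proto, rest = m.groups()
    hitcnt = hash_ = None
    t = TRAILER.search(rest)
    if t:
        hitcnt, hash_ = int(t.group(1)), t.group(2)
        rest = rest[:t.start()]
    tokens = rest.split()
    protocol: object = proto
    if proto in ("object", "object-group"):
        # Service object / service object-group in the protocol position (assumed syntax).
        if not tokens:
            raise ValueError(f"'{proto}' protocol requires a name")
        protocol = {"kind": proto, "value": tokens.pop(0)}
    i = 0
    source, i = take_address(tokens, i)
    source_port, i = take_port(tokens, i)
    destination, i = take_address(tokens, i)
    destination_port, i = take_port(tokens, i)
    return {
        "name": name, "line": int(lineno), "action": action, "protocol": protocol,
        "source": source, "source_port": source_port,
        "destination": destination, "destination_port": destination_port,
        "extras": tokens[i:],  # e.g. 'log', 'inactive', an ICMP type
        "hitcnt": hitcnt, "hash": hash_,
    }


def parse_show_access_list(text: str) -> Tuple[List[Dict[str, object]], List[Tuple[str, str]]]:
    """Parse every ACE; collect (line, reason) for failures instead of aborting the run."""
    parsed, errors = [], []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw.startswith("access-list "):
            continue
        try:
            parsed.append(parse_acl_line(raw))
        except ValueError as exc:
            errors.append((raw, str(exc)))
    return parsed, errors


# Constructed sample: two lines copied from the report above plus two made-up ones.
SAMPLE = """\
access-list ACI-PBR line 51 extended permit tcp object-group devaccess-dockertest object-group devaccess-dockertest-endpoints eq 3389 (hitcnt=0) 0x961626dc
access-list ACI-PBR line 51 extended permit tcp host 1.1.1.1 host 1.1.1.1 eq 3389 (hitcnt=0) 0xcf956318
access-list LAB line 1 extended permit ip any4 10.0.0.0 255.255.255.0 log (hitcnt=3) 0x0000abcd
access-list LAB line 2 extended permit tcp bogus any eq 443 (hitcnt=0) 0x00001234
"""

if __name__ == "__main__":
    ok, bad = parse_show_access_list(SAMPLE)
    for ace in ok:
        print(ace["name"], ace["line"], ace["source"], "->", ace["destination"], ace["destination_port"])
    for line, why in bad:
        print("SKIPPED:", why, "|", line)
```

The parser walks the token list with an explicit index and a fixed table of keyword arities, so a new keyword can only ever produce a ValueError, never unbounded recursion; `parse_show_access_list` then reports unparsable ACEs alongside the parsed ones rather than failing the whole gather.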
