
asa_acl: Push entire ACL when differences are detected #39981

Open: wants to merge 2 commits into base: devel from

Conversation

@twheeles

twheeles commented May 10, 2018

When a difference is detected between the currently configured ACL and the playbook commands, only the missing lines are pushed to the device. Following the example in the asa_acl module documentation, where the current ACL is deleted before pushing commands, results in an incomplete ACL.

For example:

Playbook:

---
- asa_acl:
    lines:
      - access-list ACL-ANSIBLE extended permit tcp any any eq 82
      - access-list ACL-ANSIBLE extended permit tcp any any eq www
      - access-list ACL-ANSIBLE extended permit tcp any any eq 97
      - access-list ACL-ANSIBLE extended permit tcp any any eq 98
      - access-list ACL-ANSIBLE extended permit tcp any any eq 99
    before: clear configure access-list ACL-ANSIBLE
    match: strict
    replace: block
    provider: "{{ cli }}"

Running config:

access-list ACL-ANSIBLE extended permit tcp any any eq 82
access-list ACL-ANSIBLE extended permit tcp any any eq www
access-list ACL-ANSIBLE extended permit tcp any any eq 97
access-list ACL-ANSIBLE extended permit tcp any any eq 98

Running config after running playbook:

access-list ACL-ANSIBLE extended permit tcp any any eq 99
SUMMARY
ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME

asa_acl.py

ANSIBLE VERSION

ADDITIONAL INFORMATION

@ansibot

Contributor

ansibot commented May 10, 2018

@ansibot ansibot added the bug label May 10, 2018

@mkrizek mkrizek removed the needs_triage label May 11, 2018

@gundalow gundalow changed the title Push entire ACL when differences are detected asa_acl: Push entire ACL when differences are detected May 11, 2018

@gundalow gundalow added this to In progress in zzz NOT USED: Networking Bugs May 16, 2018

@ansibot ansibot added the small_patch label Jun 20, 2018

@gundalow gundalow removed the feature label Aug 30, 2018

@ansibot ansibot removed the stale_ci label Aug 30, 2018

@gdpak

Contributor

gdpak commented Aug 31, 2018

@twheeles I think the module documentation needs some clarifications:

  1. The below example in the module doc would clear the previous ACL and would play the diff between the candidate ACL and the ACL existing on the device. So if you do not have any common terms between the existing ACL and the terms in the 'lines' argument, you should use the below example:
- asa_acl:
    lines:
      - access-list ACL-ANSIBLE extended permit tcp any any eq 82
      - access-list ACL-ANSIBLE extended permit tcp any any eq www
      - access-list ACL-ANSIBLE extended permit tcp any any eq 97
      - access-list ACL-ANSIBLE extended permit tcp any any eq 98
      - access-list ACL-ANSIBLE extended permit tcp any any eq 99
    before: clear configure access-list ACL-ANSIBLE
    match: strict
    replace: block
  2. Say you want to clean the existing terms on the ACL and want to reprogram it with the terms in the 'lines' argument, then you can use the below two options:
    a) Use the 'force' argument as 'yes' in example 1)
    b) Use the below task before example 1)
- name: setup
  asa_config:
    commands:
      - clear configure access-list ACL-ANSIBLE
  ignore_errors: yes
  3. Say you want to insert the line 'access-list ACL-ANSIBLE extended permit tcp any any eq 99' at line number 5 of the existing ACL, then you should use the below task:
- asa_acl:
    lines:
      - access-list ACL-ANSIBLE line 5 extended permit tcp any any eq 99
    match: strict
    replace: block

Hope this clarifies.
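To make the behaviour in the PR description and in the three options above concrete, here is a small constructed model of the candidate-versus-running diff, added for this thread and not taken from the asa_acl module's code. The function names (`apply_acl`, `acl_diff`) and the `mode` switch are hypothetical; the ACL lines, the `before` command and the `force` flag are the ones discussed in the thread.

```python
# Constructed model of how asa_acl's diff-then-push interacts with a
# "before: clear configure access-list ..." command. Not the module's code.

def acl_name(line):
    """Return the ACL name from an 'access-list NAME ...' line, else None."""
    parts = line.split()
    return parts[1] if len(parts) > 1 and parts[0] == "access-list" else None

def acl_diff(lines, running):
    """Candidate lines absent from the running config (match: strict)."""
    present = set(running)
    return [line for line in lines if line not in present]

def apply_acl(lines, running, before=(), mode="missing", force=False):
    """Return (commands_sent, running_after) for one simulated task.

    mode="missing": push only the diff (the behaviour reported as the bug)
    mode="entire" : push every candidate line once any diff exists (the fix)
    force=True    : push every line regardless of diff (option 2a above)
    """
    diff = acl_diff(lines, running)
    if not diff and not force:
        return [], list(running)            # nothing to do, device untouched
    body = list(lines) if (force or mode == "entire") else diff
    commands = list(before) + body
    device = list(running)
    for cmd in commands:                    # very small ASA CLI model
        if cmd.startswith("clear configure access-list "):
            name = cmd.split()[-1]
            device = [l for l in device if acl_name(l) != name]
        elif cmd not in device:
            device.append(cmd)              # new ACEs are appended
    return commands, device

# Constructed sample data matching the playbook and running config above.
LINES = ["access-list ACL-ANSIBLE extended permit tcp any any eq %s" % p
         for p in ("82", "www", "97", "98", "99")]
RUNNING = LINES[:4]                         # device is missing the "eq 99" ACE
BEFORE = ["clear configure access-list ACL-ANSIBLE"]

if __name__ == "__main__":
    sent, after = apply_acl(LINES, RUNNING, BEFORE, mode="missing")
    print("bug : sent %d cmds, ACL now has %d line(s)" % (len(sent), len(after)))
    sent, after = apply_acl(LINES, RUNNING, BEFORE, mode="entire")
    print("fix : sent %d cmds, ACL now has %d line(s)" % (len(sent), len(after)))
```

Running it shows the reported outcome: with only the diff pushed, the clear leaves a one-line ACL, while pushing the whole candidate (or using `force`) restores all five ACEs and a second run with no diff sends nothing.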

@gdpak
Contributor

gdpak left a comment

This change is not required. Need to clarify documents.

@ansibot ansibot added the stale_ci label Sep 11, 2018

@gundalow gundalow added this to Needs Triage in Networking via automation Dec 7, 2018

@gundalow gundalow removed this from In progress in zzz NOT USED: Networking Bugs Dec 7, 2018
