
ACL trouble with established tcp rule #139

Closed
michalkolar opened this issue Jan 7, 2021 · 5 comments · Fixed by #142

@michalkolar

michalkolar commented Jan 7, 2021

Hi

I have a problem generating an ACL if the rules contain the tcp flag established.

```
File "/tmp/ansible_arista.eos.eos_acls_payload_Fp0fOC/ansible_arista.eos.eos_acls_payload.zip/ansible_collections/arista/eos/plugins/modules/eos_acls.py", line 932, in <module>
File "/tmp/ansible_arista.eos.eos_acls_payload_Fp0fOC/ansible_arista.eos.eos_acls_payload.zip/ansible_collections/arista/eos/plugins/modules/eos_acls.py", line 927, in main
File "/tmp/ansible_arista.eos.eos_acls_payload_Fp0fOC/ansible_arista.eos.eos_acls_payload.zip/ansible_collections/arista/eos/plugins/module_utils/network/eos/config/acls/acls.py", line 89, in execute_module
File "/tmp/ansible_arista.eos.eos_acls_payload_Fp0fOC/ansible_arista.eos.eos_acls_payload.zip/ansible_collections/arista/eos/plugins/module_utils/network/eos/config/acls/acls.py", line 56, in get_acls_facts
File "/tmp/ansible_arista.eos.eos_acls_payload_Fp0fOC/ansible_arista.eos.eos_acls_payload.zip/ansible_collections/arista/eos/plugins/module_utils/network/eos/facts/facts.py", line 110, in get_facts
File "/tmp/ansible_arista.eos.eos_acls_payload_Fp0fOC/ansible_arista.eos.eos_acls_payload.zip/ansible_collections/ansible/netcommon/plugins/module_utils/network/common/facts/facts.py", line 131, in get_network_resources_facts
File "/tmp/ansible_arista.eos.eos_acls_payload_Fp0fOC/ansible_arista.eos.eos_acls_payload.zip/ansible_collections/arista/eos/plugins/module_utils/network/eos/facts/acls/acls.py", line 78, in populate_facts
File "/tmp/ansible_arista.eos.eos_acls_payload_Fp0fOC/ansible_arista.eos.eos_acls_payload.zip/ansible_collections/arista/eos/plugins/module_utils/network/eos/facts/acls/acls.py", line 310, in render_config
AttributeError: 'list' object has no attribute 'copy'
```

How to reproduce?

```yaml
config:
- afi: ipv4
  acls:
  - name: test2
    aces:
    - sequence: 99
      grant: permit
      protocol: tcp
      source:
        any: yes
      destination:
        any: yes
      protocol_options:
        tcp:
          flags:
            established: yes
    - sequence: 200
      grant: permit
      protocol: tcp
      source:
        host: 1.2.3.4
      destination:
        host: 1.2.3.4
        port_protocol:
          eq: "3389"
    - sequence: 300
      grant: permit
      protocol: udp
      source:
        any: yes
        port_protocol:
          eq: "53"
      destination:
        any: yes
        port_protocol:
          gt: "1023"
    - sequence: 400
      grant: deny
      protocol: ip
      source:
        any: yes
      destination:
        any: yes
state: overridden
```

I edited the Ansible collections file ansible_collections/arista/eos/plugins/module_utils/network/eos/facts/acls/acls.py at line 310 and replaced the copy() function with [:]; it works fine.

But I have another problem: when testing the rule I wrote at the beginning, the parser is not working OK.

If I run ansible multiple times ...

```json
"commands": [
    "ip access-list test2",
    "no 300",
    "99 permit tcp any any established",
    "200 permit tcp host 1.2.3.4 host 1.2.3.4 eq 3389",
    "400 deny ip any any",
    "300 permit udp any eq domain any gt 1023"
],
```

But when I delete the ACL list from the switch, the first run is OK. This problem is in the overridden and replaced writing modes.
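Added example, not code from the arista.eos collection or from the issue author: a minimal diff of device ACEs against playbook ACEs that reproduces the "no 300" followed by the same rule 300 seen above. It assumes (the page shows the symptom, not the cause) that EOS reports well-known ports by name ("eq domain") while the playbook says "eq 53", so a raw string comparison flags rule 300 as changed on every run; the SERVICE_PORTS table and the sample ACLs are constructed.

```python
# Constructed sample: the ACL as the switch reports it ...
HAVE = [
    "99 permit tcp any any established",
    "200 permit tcp host 1.2.3.4 host 1.2.3.4 eq 3389",
    "300 permit udp any eq domain any gt 1023",
    "400 deny ip any any",
]
# ... and the same ACL as the playbook expresses it (numeric port).
WANT = [
    "99 permit tcp any any established",
    "200 permit tcp host 1.2.3.4 host 1.2.3.4 eq 3389",
    "300 permit udp any eq 53 any gt 1023",
    "400 deny ip any any",
]

# Constructed name -> number table standing in for the EOS well-known port names.
SERVICE_PORTS = {"domain": "53", "www": "80", "ntp": "123", "bootps": "67"}
PORT_OPS = {"eq", "gt", "lt", "neq"}


def normalize(ace):
    """Rewrite 'eq domain'-style tokens as numeric ports so both sides compare equal."""
    toks = ace.split()
    for i in range(len(toks) - 1):
        if toks[i] in PORT_OPS:
            toks[i + 1] = SERVICE_PORTS.get(toks[i + 1], toks[i + 1])
    return " ".join(toks)


def diff_commands(have, want, normalize_ports=True):
    """Return the per-sequence EOS commands that move 'have' to 'want'.

    With normalize_ports=False the comparison is on raw strings, which is the
    behaviour that keeps re-emitting rule 300 on every run.
    """
    key = normalize if normalize_ports else (lambda s: s)
    have_by_seq = {a.split()[0]: key(a) for a in have}
    want_by_seq = {a.split()[0]: key(a) for a in want}
    cmds = []
    for seq, ace in want_by_seq.items():
        if have_by_seq.get(seq) != ace:
            if seq in have_by_seq:  # changed rule: drop it, then re-add it
                cmds.append("no " + seq)
            cmds.append(ace)
    # Rules present on the device but absent from the playbook are removed.
    cmds += ["no " + seq for seq in have_by_seq if seq not in want_by_seq]
    return cmds
```

With normalization the second run is a no-op; without it rule 300 is removed and re-added each time, which is the non-idempotent command list shown in the issue.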

@GomathiselviS GomathiselviS added the needs_info This issue requires further information. Please answer any outstanding questions. label Jan 8, 2021
@GomathiselviS
Contributor

Hi @michalkolar, I used your playbook and verified using the states merged, replaced and overridden. I also gathered facts on a device with the ACL rule 99 permit tcp any any established. I did not encounter the error you have mentioned. I am not sure if I am missing anything from your config.

Can you please give more information on

- playbooks you used
- before and after state of the device (execute the playbook with the -vvvv option)
- which playbook resulted in the error you have mentioned
- ansible version

Once I have the information, I will be glad to work on the fix.

Thank you!

@michalkolar
Author

michalkolar commented Jan 8, 2021

Hi @GomathiselviS, thank you for the reply.

My playbook is this:

```yaml
- name: "Demonstrate connecting to switches"
  hosts: switches
  gather_facts: no

  tasks:
  ###
  # Collect data
  #
  - name: override device configuration with provided configuration
    arista.eos.eos_acls:
      config:
      - afi: ipv4
        acls:
        - name: test2
          aces:
          - sequence: 99
            grant: permit
            protocol: tcp
            source:
              any: yes
            destination:
              any: yes
            protocol_options:
              tcp:
                flags:
                  established: yes
      state: replaced
```

And this is the error log:

https://pastebin.com/zyLUq5D3

I now tested when the switch ACL rules are clean...

@GomathiselviS
Contributor

Hi @michalkolar, thanks for providing the information. The issue is seen when the play is executed in a Python 2.7 env. A PR is up with the fix.

@GomathiselviS GomathiselviS removed the needs_info This issue requires further information. Please answer any outstanding questions. label Jan 8, 2021
@GomathiselviS GomathiselviS self-assigned this Jan 8, 2021
@GomathiselviS GomathiselviS added this to the January'21 milestone Jan 8, 2021
@michalkolar
Author

Hi @GomathiselviS, thank you.

Now I have a problem with the sorting of the commands that rewrite the switch ACL.

For example, in overridden:

```yaml
- name: "Demonstrate connecting to switches"
  hosts: switches
  gather_facts: no

  tasks:
  ###
  # Collect data
  #
  - name: override device configuration with provided configuration
    arista.eos.eos_acls:
      config:
      - afi: ipv4
        acls:
        - name: test2
          aces:
          - sequence: 99
            grant: permit
            protocol: tcp
            source:
              any: yes
            destination:
              any: yes
            protocol_options:
              tcp:
                flags:
                  established: yes
          - sequence: 200
            grant: permit
            protocol: tcp
            source:
              host: 185.174.171.144
            destination:
              host: 185.174.171.133
              port_protocol:
                eq: "3389"
      state: overridden
```

When these rules already exist in the switch, it generates commands that make no logical sense...

https://pastebin.com/6AXz9rmM

When changing the state to "replaced":

https://pastebin.com/z80AvCFJ

@michalkolar
Author

Hi @GomathiselviS,

any news?
