Multiple Failing Use Cases in Cisco IOS ACL Template #245

Closed
tyler-8 opened this issue Aug 20, 2018 · 1 comment · Fixed by #250

Comments


tyler-8 commented Aug 20, 2018

Using this issue to track progress on fixes.

ISSUE TYPE
  • Bug Report
TEMPLATE USING
Value Required,Filldown ACL_TYPE (Standard|Extended)
Value Required,Filldown ACL_NAME (\S+)
Value LINE_NUM (\d+)
Value ACTION (permit|deny)
Value PROTOCOL ([a-z]+)
Value SRC_HOST (\d+\.\d+\.\d+\.\d+)
Value SRC_ANY (any)
Value SRC_NETWORK (\d+\.\d+\.\d+\.\d+)
Value SRC_WILDCARD (\d+\.\d+\.\d+\.\d+)
Value SRC_PORT_MATCH (eq|range|lt|gt)
Value SRC_PORT ((?<!range\s)\S+)
Value SRC_PORT_RANGE_START ((?<!range\s)\S+)
Value SRC_PORT_RANGE_END (\S+)
Value DST_HOST (\d+\.\d+\.\d+\.\d+)
Value DST_ANY (any)
Value DST_NETWORK (\d+\.\d+\.\d+\.\d+)
Value DST_WILDCARD (\d+\.\d+\.\d+\.\d+)
Value DST_PORT_MATCH (eq|range|lt|gt)
Value DST_PORT ((?<!range\s)\S+)
Value DST_PORT_RANGE_START ((?<=range\s)\S+)
Value DST_PORT_RANGE_END (\S+)
Value LOG (log-input|log)
Value TIME (\S+)
Value STATE (inactive|active)


Start
  ^(Standard|Extended) -> Continue.Clearall
  ^${ACL_TYPE}\s+IP\s+access\s+list\s+${ACL_NAME}\s* -> Record
  ^\s+${LINE_NUM}\s+${ACTION}\s+${PROTOCOL}\s+(host\s+${SRC_HOST}|${SRC_ANY}|${SRC_NETWORK}\s+${SRC_WILDCARD})(\s+${SRC_PORT_MATCH}\s+|)(${SRC_PORT_RANGE_START}\s+${SRC_PORT_RANGE_END}|${SRC_PORT}|)\s+(host\s+${DST_HOST}|${DST_ANY}|${DST_NETWORK}\s+${DST_WILDCARD})(\s+${DST_PORT_MATCH}\s+(${DST_PORT_RANGE_START}\s+${DST_PORT_RANGE_END}|${DST_PORT}|)|)(\s+${LOG}|)(\s+time-range\s+${TIME}\s+\(${STATE}\)|)\s* -> Record
  ^\s+${LINE_NUM}\s+${ACTION}\s+(${SRC_NETWORK},\s+wildcard\s+bits\s+${SRC_WILDCARD}|${SRC_HOST}|${SRC_ANY})(\s+{LOG}|)(\s+time-range\s+${TIME}\s+\(${STATE}\)|)\s* -> Record
  ^.* -> Error "Could not parse line:"

EOF
SAMPLE COMMAND OUTPUT
310 permit udp any range 16384 32767 10.XXX.XXX.0 0.0.XXX.XXX range 16384 32767
330 permit udp any eq snmp bootpc 10.XXX.0.0 0.XXX.XXX.XXX
430 permit ip 10.XXX.XXX.XXX 0.XXX.XXX.XXX object-group SOME_APP_IPS
10 permit tcp any any established
SUMMARY

The template fails on source port ranges, multiple port entries (up to 10 allowed on IOS), and object-groups.

STEPS TO REPRODUCE

(using netmiko)

device.send_command('show ip access-list MY_ACL', use_textfsm=True)
EXPECTED RESULTS

Structured data returned from template.

ACTUAL RESULTS

TextFSM failed parsing on all 3 2 scenarios.

textfsm.TextFSMError: Error: "Could not parse line:". Rule Line: 32. Input Line:     310 permit udp any range 16384 32767 10.XXX.XXX.0 0.0.XXX.XXX range 16384 32767.
Error: "Could not parse line:". Rule Line: 32. Input Line:     310 permit udp any range 16384 32767 10.XXX.XXX.0 0.0.XXX.XXX range 16384 32767.
POTENTIAL FIXES
  • Src Port Range: Value SRC_PORT_RANGE_START ((?<=range\s)\S+) (courtesy @jmcgill298)
  • Multiple Ports:
Value SRC_PORT ((?<!range\s)\S+|(\S+(\s\S+){1,9}))
Value DST_PORT ((?<!range\s)\S+|(\S+(\s\S+){1,9}))
  • Object groups: TBD
  • established line: TBD
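To see what the look-behind and multi-port changes under POTENTIAL FIXES actually do, here is an added stand-alone harness (not part of ntc-templates or TextFSM) that performs the `${NAME}` to named-group substitution the way TextFSM loads a template and runs the extended-ACL rule line over constructed sample lines with both the original and the proposed Value regexes. Addresses are constructed RFC 1918 values standing in for the masked ones in the report.

```python
import re

# Value regexes as they appear in the issue's template (the buggy originals).
# Constructed stand-in for TextFSM: the ${NAME} substitution is done by hand below.
VALUES = {
    "LINE_NUM": r"\d+", "ACTION": r"permit|deny", "PROTOCOL": r"[a-z]+",
    "SRC_HOST": r"\d+\.\d+\.\d+\.\d+", "SRC_ANY": r"any",
    "SRC_NETWORK": r"\d+\.\d+\.\d+\.\d+", "SRC_WILDCARD": r"\d+\.\d+\.\d+\.\d+",
    "SRC_PORT_MATCH": r"eq|range|lt|gt", "SRC_PORT": r"(?<!range\s)\S+",
    "SRC_PORT_RANGE_START": r"(?<!range\s)\S+", "SRC_PORT_RANGE_END": r"\S+",
    "DST_HOST": r"\d+\.\d+\.\d+\.\d+", "DST_ANY": r"any",
    "DST_NETWORK": r"\d+\.\d+\.\d+\.\d+", "DST_WILDCARD": r"\d+\.\d+\.\d+\.\d+",
    "DST_PORT_MATCH": r"eq|range|lt|gt", "DST_PORT": r"(?<!range\s)\S+",
    "DST_PORT_RANGE_START": r"(?<=range\s)\S+", "DST_PORT_RANGE_END": r"\S+",
    "LOG": r"log-input|log", "TIME": r"\S+", "STATE": r"inactive|active",
}
# The same table with the two changes proposed under POTENTIAL FIXES applied.
FIXED = dict(VALUES, **{
    "SRC_PORT_RANGE_START": r"(?<=range\s)\S+",            # positive look-behind
    "SRC_PORT": r"(?<!range\s)\S+|(\S+(\s\S+){1,9})",       # up to 10 ports
    "DST_PORT": r"(?<!range\s)\S+|(\S+(\s\S+){1,9})",
})
# The extended-ACL rule line, verbatim from the template.
RULE = (r"^\s+${LINE_NUM}\s+${ACTION}\s+${PROTOCOL}\s+"
        r"(host\s+${SRC_HOST}|${SRC_ANY}|${SRC_NETWORK}\s+${SRC_WILDCARD})"
        r"(\s+${SRC_PORT_MATCH}\s+|)"
        r"(${SRC_PORT_RANGE_START}\s+${SRC_PORT_RANGE_END}|${SRC_PORT}|)\s+"
        r"(host\s+${DST_HOST}|${DST_ANY}|${DST_NETWORK}\s+${DST_WILDCARD})"
        r"(\s+${DST_PORT_MATCH}\s+(${DST_PORT_RANGE_START}\s+${DST_PORT_RANGE_END}|${DST_PORT}|)|)"
        r"(\s+${LOG}|)(\s+time-range\s+${TIME}\s+\(${STATE}\)|)\s*")
# Constructed sample lines (RFC 1918 addresses, leading spaces as IOS prints them).
SAMPLES = {
    "src_range": "    310 permit udp any range 16384 32767 10.1.2.0 0.0.3.255 range 16384 32767",
    "multi_port": "    330 permit udp any eq snmp bootpc 10.1.0.0 0.1.255.255",
}

def compile_rule(rule, values):
    """Replace each ${NAME} with a named group, as TextFSM does when loading a template."""
    return re.compile(re.sub(r"\$\{(\w+)\}",
                             lambda m: "(?P<%s>%s)" % (m.group(1), values[m.group(1)]),
                             rule))

def parse(line, values):
    """Return the populated fields for one ACL line, or None if the rule does not match."""
    m = compile_rule(RULE, values).match(line)
    return {k: v for k, v in m.groupdict().items() if v} if m else None

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, "original:", parse(line, VALUES))
        print(name, "fixed:   ", parse(line, FIXED))
```

With the original regexes the source-range line does not match at all (the error the report shows), while the two-port `eq snmp bootpc` line matches but lands `snmp`/`bootpc` in SRC_PORT_RANGE_START/END, a silent mis-parse that is worth a unit test on its own since ACL audit tooling would otherwise report a port range that does not exist.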
jmcgill298 added a commit to jmcgill298/ntc-templates that referenced this issue Aug 20, 2018
* Fix issue where negative look-behind should be a positive look-behind for src ports
* Fix issue with missing  for log variable in standard acl regex
* Fix issue where ports can have multiple values if not a port range
* Add  as a potential port match
jmcgill298 added a commit that referenced this issue Aug 20, 2018
FIXES #245 - CISCO_IOS_SHOW_IP_ACCESS-LISTS:
jmcgill298 added a commit to jmcgill298/ntc-templates that referenced this issue Oct 14, 2018
* Fix issue where negative look-behind should be a positive look-behind for src ports
* Fix issue with missing  for log variable in standard acl regex
* Fix issue where ports can have multiple values if not a port range
* Add  as a potential port match
jmcgill298 added a commit to jmcgill298/ntc-templates that referenced this issue Oct 14, 2018
* Fix issue where negative look-behind should be a positive look-behind for src ports
* Fix issue with missing  for log variable in standard acl regex
* Fix issue where ports can have multiple values if not a port range
* Add  as a potential port match
@gudgeong

I have a similar issue... Should I just post it here or as a new issue?

textfsm.parser.TextFSMError: Error: "Could not parse line:". Rule Line: 38. Input Line: 10 permit icmp 23.54.66.128 0.0.0.127 any echo-reply.

show_ip_access-list.txt

Sorry, not familiar with GitHub and logging of bugs and issues...

Cheers

jvanderaa pushed a commit that referenced this issue Nov 10, 2021
* Fix issue where negative look-behind should be a positive look-behind for src ports
* Fix issue with missing  for log variable in standard acl regex
* Fix issue where ports can have multiple values if not a port range
* Add  as a potential port match
jvanderaa pushed a commit that referenced this issue Nov 10, 2021
FIXES #245 - CISCO_IOS_SHOW_IP_ACCESS-LISTS: