ansible-collections / community.routeros

Ansible modules for managing MikroTik RouterOS instances.
https://galaxy.ansible.com/ui/repo/published/community/routeros/
GNU General Public License v3.0

issue with sending very long commands with routeros.command: #184

Open satperm opened 1 year ago

satperm commented 1 year ago
SUMMARY

I have a simple playbook to deploy firewall rules to my MikroTik devices with routeros.command. It doesn't work with long lines, only with short ones. My lines aren't short, because I use some checking logic before pushing commands to the device.

ISSUE TYPE
COMPONENT NAME

routeros.command

ANSIBLE VERSION
ansible [core 2.12.10]
  config file = /Users/leonisa/research_net/ansible.cfg
  configured module search path = ['/Users/leonisa/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/leonisa/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.10.12 (main, Jun  7 2023, 00:45:35) [Clang 14.0.3 (clang-1403.0.22.14.1)]
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
 ansible-galaxy collection list | grep routeros
community.routeros            2.1.0  
community.routeros 2.8.0  
CONFIGURATION

ansible.cfg
[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=False
[defaults]
vault_password_file =  ~/.netdev_vault 
inventory = inventory.yaml
host_key_checking = False
pipelining = True
forks = 50
deprecation_warnings = False
jinja2_extensions = jinja2.ext.do
force_handlers = True
retry_files_enabled = False
transport = paramiko
ansible_managed = # Ansible Managed File
callback_whitelist = profile_tasks
stdout_callback = yaml
interpreter_python = auto_silent
ANSIBLE_PARAMIKO_LOOK_FOR_KEYS=False
DEFAULT_PRIVATE_KEY_FILE=None
[paramiko_connection]
host_key_auto_add = True
[ssh_connection]
ansssh_args = -C -o HostKeyAlgorithms=+ssh-rsa

inventory.yaml
---
localhost:
  vars:
    ansible_connection: local
spb:
  children:
    mikrotik_routers:
      vars: 
        ansible_user: admin+cet512w
        ansible_connection: network_cli
        ansible_network_os: routeros
      hosts:  
        rtr_01:
          ansible_host: <ip>
        rtr_02:
          ansible_host: <ip>
OS / ENVIRONMENT

sw_vers ProductName: macOS ProductVersion: 13.4 BuildVersion: 22F66

STEPS TO REPRODUCE

Run the playbook with

ansible-playbook spb-routers.yaml --tags rtr_firewall_fitler_rules

host_vars for rtr-01

firewall_filter_lines:

---
- hosts: rtr-01
  gather_facts: false
  tasks:
    # Each item is one RouterOS command line taken from host_vars.
    - name: add ip firewall address list
      community.routeros.command:
        commands: "{{ item }}"
      with_items: "{{ firewall_filter_lines }}"
      tags: rtr_firewall_fitler_rules
EXPECTED RESULTS

The expected result is a changed state for all lines in the playbook, but it works only for the shortest line:

ACTUAL RESULTS

error: ssh_type libssh error Negative size passed to PyBytes_FromStringAndSize msg: Failed to write to ssh channel

satperm commented 1 year ago

It's possible that the issue is related to ansible.netcommon.network_cli or paramiko. If so, please close the issue.

felixfontein commented 1 year ago

This sounds like a bug in ansible.netcommon (the error message seems to indicate that paramiko wasn't involved, but instead libssh). Which version of ansible.netcommon are you using?

satperm commented 1 year ago

ansible --version | grep collection
  ansible collection location = /Users/leonisa/.ansible/collections:/usr/share/ansible/collections

ansible-galaxy collection list

# /usr/local/lib/python3.10/site-packages/ansible_collections
Collection         Version
------------------ -------
ansible.netcommon  2.6.1

# /Users/leonisa/.ansible/collections/ansible_collections
Collection         Version
------------------ -------
ansible.netcommon  3.1.0

felixfontein commented 1 year ago

You might want to try ansible.netcommon 5.1.1, the latest release.

satperm commented 1 year ago

Thanks, I'll try it ASAP.

satperm commented 1 year ago

It doesn't work with

ansible-galaxy collection list 

# /Users/leonisa/.ansible/collections/ansible_collections
Collection         Version
------------------ -------
ansible.netcommon  5.1.1  
ansible.utils      2.10.3 
community.network  4.0.1  
community.routeros 2.8.0  
dzervas.vector     0.1.6  
frr.frr            2.0.0  
netbox.netbox      3.13.0 

Same result:

failed: [rtr_01] (item=:if ( [:put  [:len [/ip firewall filter find comment=est_rel_input]]]=0) do={/ip firewall filter add action=accept chain=input comment=est_rel_input connection-state=established,related }) => changed=false 
  ansible_loop_var: item
  item: :if ( [:put  [:len [/ip firewall filter find comment=est_rel_input]]]=0) do={/ip firewall filter add action=accept chain=input comment=est_rel_input connection-state=established,related }
  msg: Negative size passed to PyBytes_FromStringAndSize

satperm commented 1 year ago

I have used local rendering of a config, and then pushing and importing the files on the device, as a workaround.

---
  - name: Generate firewall-filter-{{inventory_hostname}}.rsc to check and add user
    template: src=filter.rsc.j2 dest={{role_path}}/files/tmp/firewall-filter-{{inventory_hostname}}.rsc
    delegate_to: localhost

  - name: Send firewall-filter-{{inventory_hostname}}.rsc script
    command: scp -P {{ansible_port}} {{role_path}}/files/tmp/firewall-filter-{{inventory_hostname}}.rsc {{ansible_user}}@{{ansible_host}}:/firewall-filter-{{inventory_hostname}}.rsc
    delegate_to: localhost

  - name: Delete temporary firewall-filter-{{inventory_hostname}}.rsc file
    file: path={{role_path}}/files/tmp/firewall-filter-{{inventory_hostname}}.rsc state=absent
    delegate_to: localhost

  - name: Run firewall-filter-{{inventory_hostname}}.rsc on router
    raw: "/import firewall-filter-{{inventory_hostname}}.rsc"
    tags: mikrotik_firewall_services
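
One way to generate the locally rendered .rsc file described in the workaround above, with the same add-if-absent guard as the failing item in the issue. This is an added example, not part of the original comment or of community.routeros; the function names, the allow-list patterns and the second sample rule are assumptions, and the guard omits the :put used in the issue.

```python
import re

# Allow-lists: anything outside them is rejected, not escaped, so a host_vars
# value cannot close the do={ } block or start a second command.
_KEY = re.compile(r"[a-z][a-z0-9-]*")
_VALUE = re.compile(r"[A-Za-z0-9_.,:/!-]+")

# Constructed sample input; the first rule mirrors the failing item in the issue.
SAMPLE_RULES = [
    {"action": "accept", "chain": "input", "comment": "est_rel_input",
     "connection-state": "established,related"},
    {"action": "drop", "chain": "input", "comment": "drop_invalid_input",
     "connection-state": "invalid"},
]


def render_rule(rule):
    """Return one guarded RouterOS line that adds the rule only if absent."""
    if "comment" not in rule:
        raise ValueError("rule needs a comment: it is the idempotency key")
    parts = []
    for key, value in rule.items():
        value = str(value)
        # fullmatch, not match: "$" would accept a trailing newline.
        if not _KEY.fullmatch(key) or not _VALUE.fullmatch(value):
            raise ValueError(f"rejected {key}={value!r}")
        parts.append(f"{key}={value}")
    guard = f"[:len [/ip firewall filter find comment={rule['comment']}]] = 0"
    return f":if ({guard}) do={{ /ip firewall filter add {' '.join(parts)} }}"


def render_script(rules):
    """Render the whole .rsc body, refusing duplicate comments."""
    seen, lines = set(), []
    for rule in rules:
        lines.append(render_rule(rule))
        if rule["comment"] in seen:
            raise ValueError(f"duplicate comment {rule['comment']!r}")
        seen.add(rule["comment"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_script(SAMPLE_RULES), end="")
```
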

felixfontein commented 1 year ago

Which version of ansible_pylibssh (https://github.com/ansible/pylibssh) do you have installed? That library seems to use PyBytes_FromStringAndSize (which is a C function used by Python C extensions; ansible_pylibssh is one such extension), so the error might come from there.

satperm commented 1 year ago

Hello, the version of the ansible-pylibssh package is 1.1.0. I am ready to change the venv entirely (version of Python, libraries, etc.).