networktocode / ntc-templates

TextFSM templates for parsing show commands of network devices
https://ntc-templates.readthedocs.io/

Standard ACL not supported #1694

Open mathlaurent opened 2 months ago

mathlaurent commented 2 months ago
ISSUE TYPE
TEMPLATE USING
Value Required ACL_NAME (\S+)
Value ACL_TOT_ELEM (\d+)
Value ACL_NAME_HASH (0x\w+)
Value TYPE (standard|extended)
Value LINE_NUM (\d+)
Value REMARK (.+?)
Value ACTION (permit|deny)
Value PROTOCOL ([a-z]+)
Value SVC_OBJECT_GRP (\S+)
Value SVC_OBJECT (\S+)
Value SRC_INTFC (\S+)
Value SRC_OBJECT_GRP (\S+)
Value SRC_OBJECT (\S+)
Value SRC_HOST (\d+\.\d+\.\d+\.\d+)
Value SRC_V6HOST ([0-9a-f:]+)
Value SRC_NETWORK (\d+\.\d+\.\d+\.\d+)
Value SRC_V6NETWORK ([0-9a-f:]+)
Value SRC_MASK (\d+\.\d+\.\d+\.\d+)
Value SRC_V6MASK (\d{1,3})
Value SRC_ANY (any[46]{0,1})
Value DST_INTFC (\S+)
Value DST_OBJECT_GRP (\S+)
Value DST_OBJECT (\S+)
Value DST_HOST (\d+\.\d+\.\d+\.\d+)
Value DST_V6HOST ([0-9a-f:]+)
Value DST_NETWORK (\d+\.\d+\.\d+\.\d+)
Value DST_V6NETWORK ([0-9a-f:]+)
Value DST_MASK (\d+\.\d+\.\d+\.\d+)
Value DST_V6MASK (\d{1,3})
Value DST_ANY (any[46]{0,1})
Value DST_PORT (\S+)
Value DST_PORT_LESS_THAN (\S+)
Value DST_PORT_GREATER_THAN (\S+)
Value DST_PORT_RANGE_START (\S+)
Value DST_PORT_RANGE_END (\S+)
Value DST_PORT_GRP (\S+)
Value DST_PORT_OBJECT (\S+)
Value DST_ICMP_TYPE ((?!log|time|inactive)\S+)
Value LOG_LEVEL ([a-z0-9]+)
Value LOG_INTERVAL (\d+)
Value TIME_RANGE (\S+)
Value STATE (inactive)
Value HIT_COUNT (\d+)
Value LINE_HASH (0x\w+)
Value ENTRY_PROTOCOL_ICMP (icmp)
Value ENTRY_PROTOCOL ([a-z\-]+)
Value ENTRY_SRC_FQDN (\S+)
Value ENTRY_SRC_RANGE_START (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_RANGE_END (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_HOST (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_V6HOST ([0-9a-f:]+)
Value ENTRY_SRC_NETWORK (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_V6NETWORK ([0-9a-f:]+)
Value ENTRY_SRC_MASK (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_V6MASK (\d{1,3})
Value ENTRY_SRC_ANY (any[46]{0,1})
Value ENTRY_SRC_FQDN_STATE (unresolved)
Value ENTRY_DST_FQDN (\S+)
Value ENTRY_DST_RANGE_START (\d+\.\d+\.\d+\.\d+)
Value ENTRY_DST_RANGE_END (\d+\.\d+\.\d+\.\d+)
Value ENTRY_DST_HOST (\S+)
Value ENTRY_DST_V6HOST ([0-9a-f:]+)
Value ENTRY_DST_NETWORK (\d+\.\d+\.\d+\.\d+)
Value ENTRY_DST_V6NETWORK ([0-9a-f:]+)
Value ENTRY_DST_MASK (\d+\.\d+\.\d+\.\d+)
Value ENTRY_DST_V6MASK (\d{1,3})
Value ENTRY_DST_ANY (any[46]{0,1})
Value ENTRY_DST_FQDN_STATE (unresolved)
Value ENTRY_ICMP_TYPE (alternate-address|conversion-error|echo|echo-reply|information-reply|information-request|mask-reply|mask-request|mobile-redirect|parameter-problem|redirect|router-advertisement|router-solicitation|source-quench|time-exceeded|timestamp-reply|timestamp-request|traceroute|unreachable|\d{1,3})
Value ENTRY_ICMP_CODE (\d+)
Value ENTRY_PORT ([a-z\-]+\s+\d+|[\w\-]+)
Value ENTRY_PORT_LESS_THAN ([a-z\-]+\s+\d+|\S+)
Value ENTRY_PORT_GREATER_THAN ([a-z\-]+\s+\d+|\S+)
Value ENTRY_PORT_RANGE_START ([a-z\-]+\s+\d+|\S+)
Value ENTRY_PORT_RANGE_END ([a-z\-]+\s+\d+|\S+)
Value ENTRY_HIT_COUNT (\d+)
Value ENTRY_STATE (inactive)
Value ENTRY_HASH (0x\w+)

Start
  ^access\-list\s+${ACL_NAME};\s+${ACL_TOT_ELEM}\s+elements;\s+name\s+hash:\s+${ACL_NAME_HASH}\s* -> Record
  ^access\-list\s+cached\s+ACL\s+log\s+flows.* -> NoRecord
  ^\s+alert-interval\s+\d+ -> NoRecord
  ^access\-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+remark\s+${REMARK}\s*$$ -> Record
  ^access\-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+${TYPE}\s+${ACTION}\s+(object\-group\s+${SVC_OBJECT_GRP}|object\s+${SVC_OBJECT}|${PROTOCOL})\s+(interface\s+${SRC_INTFC}|object\-group\s+${SRC_OBJECT_GRP}|object\s+${SRC_OBJECT}|host\s+(${SRC_HOST}|${SRC_V6HOST})|${SRC_NETWORK}\s+${SRC_MASK}|${SRC_V6NETWORK}\/${SRC_V6MASK}|${SRC_ANY})\s+(interface\s+${DST_INTFC}|object\-group\s+${DST_OBJECT_GRP}|object\s+${DST_OBJECT}|host\s+(${DST_HOST}|${DST_V6HOST})|${DST_NETWORK}\s+${DST_MASK}|${DST_V6NETWORK}\/${DST_V6MASK}|${DST_ANY})\s+((eq\s+${DST_PORT}|lt\s+${DST_PORT_LESS_THAN}|gt\s+${DST_PORT_GREATER_THAN}|range\s+${DST_PORT_RANGE_START}\s+${DST_PORT_RANGE_END}|object\-group\s+${DST_PORT_GRP}|object\s+${DST_PORT_OBJECT})\s+){0,1}(${ENTRY_ICMP_TYPE}(\s+${ENTRY_ICMP_CODE}){0,1}\s+){0,1}((log\s+(${LOG_LEVEL}\s+interval\s+${LOG_INTERVAL}|disable|default))\s+){0,1}(time-range\s+${TIME_RANGE}\s+){0,1}(${STATE}\s+){0,1}\(hitcnt=${HIT_COUNT}\)\s+(\(inactive\)\s+){0,1}${LINE_HASH}\s* -> Record
  ^\s+access\-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+${TYPE}\s+${ACTION}\s+${ENTRY_PROTOCOL_ICMP}\s+(fqdn\s+${ENTRY_SRC_FQDN}|range\s+${ENTRY_SRC_RANGE_START}\s+${ENTRY_SRC_RANGE_END}|host\s+(${ENTRY_SRC_HOST}|${ENTRY_SRC_V6HOST})|${ENTRY_SRC_NETWORK}\s+${ENTRY_SRC_MASK}|${ENTRY_SRC_V6NETWORK}\/${ENTRY_SRC_V6MASK}|${ENTRY_SRC_ANY})\s+(\(${ENTRY_SRC_FQDN_STATE}\)\s+){0,1}(fqdn\s+${ENTRY_DST_FQDN}|range\s+${ENTRY_DST_RANGE_START}\s+${ENTRY_DST_RANGE_END}|host\s+(${ENTRY_DST_HOST}|${ENTRY_DST_V6HOST})|${ENTRY_DST_NETWORK}\s+${ENTRY_DST_MASK}|${ENTRY_DST_V6NETWORK}\/${ENTRY_DST_V6MASK}|${ENTRY_DST_ANY})\s+(\(${ENTRY_DST_FQDN_STATE}\)\s+){0,1}(${ENTRY_ICMP_TYPE}(\s+${ENTRY_ICMP_CODE}){0,1}\s+){0,1}(log\s+(${LOG_LEVEL}\s+interval\s+${LOG_INTERVAL}|disable|default)\s+){0,1}(time-range\s+${TIME_RANGE}\s+){0,1}(inactive){0,1}\s*(\(hitcnt=${ENTRY_HIT_COUNT}\)){0,1}\s*(\(${ENTRY_STATE}\)){0,1}\s+${ENTRY_HASH}\s* -> Record
  ^\s+access\-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+${TYPE}\s+${ACTION}\s+(${ENTRY_PROTOCOL}\s+){0,1}(fqdn\s+${ENTRY_SRC_FQDN}|range\s+${ENTRY_SRC_RANGE_START}\s+${ENTRY_SRC_RANGE_END}|host\s+(${ENTRY_SRC_HOST}|${ENTRY_SRC_V6HOST})|${ENTRY_SRC_NETWORK}\s+${ENTRY_SRC_MASK}|${ENTRY_SRC_V6NETWORK}\/${ENTRY_SRC_V6MASK}|${ENTRY_SRC_ANY})\s+(\(${ENTRY_SRC_FQDN_STATE}\)\s+){0,1}((fqdn\s+${ENTRY_DST_FQDN}|range\s+${ENTRY_DST_RANGE_START}\s+${ENTRY_DST_RANGE_END}|host\s+(${ENTRY_DST_HOST}|${ENTRY_DST_V6HOST})|${ENTRY_DST_NETWORK}\s+${ENTRY_DST_MASK}|${ENTRY_DST_V6NETWORK}\/${ENTRY_DST_V6MASK}|${ENTRY_DST_ANY})\s+){0,1}(\(${ENTRY_DST_FQDN_STATE}\)\s+){0,1}((eq\s+${ENTRY_PORT}|lt\s+${ENTRY_PORT_LESS_THAN}|gt\s+${ENTRY_PORT_GREATER_THAN}|range\s+${ENTRY_PORT_RANGE_START}\s+${ENTRY_PORT_RANGE_END})\s+){0,1}(log\s+([a-z0-9]+\s+interval\s+\d+|disable|default)\s+){0,1}(time-range\s+${TIME_RANGE}\s+){0,1}(inactive){0,1}\s*(\(hitcnt=${ENTRY_HIT_COUNT}\)){0,1}\s*(\(${ENTRY_STATE}\)){0,1}\s+${ENTRY_HASH}\s* -> Record
  ^.* -> Error "Did not match any rules"

EOF
SAMPLE COMMAND OUTPUT
access-list third-acl; 2 elements; name hash: 0x178be4f2
access-list third-acl line 1 extended permit object-group telssh any object ip-friend (hitcnt=0) 0xb8411547
  access-list third-acl line 1 extended permit tcp any host 198.18.0.1 eq ssh (hitcnt=0) 0xb86c056b
  access-list third-acl line 1 extended permit tcp any host 198.18.0.1 eq telnet (hitcnt=0) 0x5eb7814e
access-list fifth-acl; 1 elements; name hash: 0x6f26777b
access-list fifth-acl line 1 standard permit any4 (hitcnt=0) 0x35bc84d3
access-list sixth-acl; 1 elements; name hash: 0x9d252764
access-list sixth-acl line 1 standard deny 198.18.0.0 255.254.0.0 (hitcnt=0) 0xce26b1f0
access-list fourth-acl; 1 elements; name hash: 0x5d7174ae
access-list fourth-acl line 1 standard deny host 198.18.0.1 (hitcnt=0) 0x18e858ae
SUMMARY

Extended ACLs are working fine, but not standard ACLs.

STEPS TO REPRODUCE
EXPECTED RESULTS
{'acl_name': 'fifth', 'acl_tot_elem': '1', 'acl_name_hash': '0x7f0f9426', 'type': '', 'line_num': '', 'remark': '', 'action': '', 'protocol': '', 'svc_object_grp': '', 'svc_object': '', 'src_intfc': '', 'src_object_grp': '', 'src_object': '', 'src_host': '', 'src_v6host': '', 'src_network': '', 'src_v6network': '', 'src_mask': '', 'src_v6mask': '', 'src_any': '', 'dst_intfc': '', 'dst_object_grp': '', 'dst_object': '', 'dst_host': '', 'dst_v6host': '', 'dst_network': '', 'dst_v6network': '', 'dst_mask': '', 'dst_v6mask': '', 'dst_any': '', 'dst_port': '', 'dst_port_less_than': '', 'dst_port_greater_than': '', 'dst_port_range_start': '', 'dst_port_range_end': '', 'dst_port_grp': '', 'dst_port_object': '', 'dst_icmp_type': '', 'log_level': '', 'log_interval': '', 'time_range': '', 'state': '', 'hit_count': '', 'line_hash': '', 'entry_protocol_icmp': '', 'entry_protocol': '', 'entry_src_fqdn': '', 'entry_src_range_start': '', 'entry_src_range_end': '', 'entry_src_host': '', 'entry_src_v6host': '', 'entry_src_network': '', 'entry_src_v6network': '', 'entry_src_mask': '', 'entry_src_v6mask': '', 'entry_src_any': '', 'entry_src_fqdn_state': '', 'entry_dst_fqdn': '', 'entry_dst_range_start': '', 'entry_dst_range_end': '', 'entry_dst_host': '', 'entry_dst_v6host': '', 'entry_dst_network': '', 'entry_dst_v6network': '', 'entry_dst_mask': '', 'entry_dst_v6mask': '', 'entry_dst_any': '', 'entry_dst_fqdn_state': '', 'entry_icmp_type': '', 'entry_icmp_code': '', 'entry_port': '', 'entry_port_less_than': '', 'entry_port_greater_than': '', 'entry_port_range_start': '', 'entry_port_range_end': '', 'entry_hit_count': '', 'entry_state': '', 'entry_hash': ''},
 {'acl_name': 'fifth', 'acl_tot_elem': '', 'acl_name_hash': '', 'type': 'extended', 'line_num': '1', 'remark': '', 'action': 'permit', 'protocol': 'tcp', 'svc_object_grp': '', 'svc_object': '', 'src_intfc': '', 'src_object_grp': '', 'src_object': '', 'src_host': '', 'src_v6host': '', 'src_network': '', 'src_v6network': '', 'src_mask': '', 'src_v6mask': '', 'src_any': 'any', 'dst_intfc': '', 'dst_object_grp': '', 'dst_object': '', 'dst_host': '', 'dst_v6host': '', 'dst_network': '', 'dst_v6network': '', 'dst_mask': '', 'dst_v6mask': '', 'dst_any': 'any', 'dst_port': '', 'dst_port_less_than': '', 'dst_port_greater_than': '', 'dst_port_range_start': '', 'dst_port_range_end': '', 'dst_port_grp': '', 'dst_port_object': '', 'dst_icmp_type': '', 'log_level': '', 'log_interval': '', 'time_range': '', 'state': '', 'hit_count': '0', 'line_hash': '0x603f5e9d', 'entry_protocol_icmp': '', 'entry_protocol': '', 'entry_src_fqdn': '', 'entry_src_range_start': '', 'entry_src_range_end': '', 'entry_src_host': '', 'entry_src_v6host': '', 'entry_src_network': '', 'entry_src_v6network': '', 'entry_src_mask': '', 'entry_src_v6mask': '', 'entry_src_any': '', 'entry_src_fqdn_state': '', 'entry_dst_fqdn': '', 'entry_dst_range_start': '', 'entry_dst_range_end': '', 'entry_dst_host': '', 'entry_dst_v6host': '', 'entry_dst_network': '', 'entry_dst_v6network': '', 'entry_dst_mask': '', 'entry_dst_v6mask': '', 'entry_dst_any': '', 'entry_dst_fqdn_state': '', 'entry_icmp_type': '', 'entry_icmp_code': '', 'entry_port': '', 'entry_port_less_than': '', 'entry_port_greater_than': '', 'entry_port_range_start': '', 'entry_port_range_end': '', 'entry_hit_count': '', 'entry_state': '', 'entry_hash': ''}]

And so on for every rule

ACTUAL RESULTS
textfsm.parser.TextFSMError: Error: "Did not match any rules". Rule Line: 89. Input Line: access-list sixth-acl line 1 standard deny 123.53.23.0 255.255.255.0 (hitcnt=0) 0xce26b1f0 .
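As an added example (not code from ntc-templates or from the issue author), the block below uses Python's re module to mimic TextFSM's ${VALUE} expansion on a subset of the template above. It shows that the existing line rule requires protocol, source and destination and so rejects every standard line in the sample, and that a dedicated standard-only rule (an assumption, not a project fix) captures them; VALUES, compile_rule, parse_line, unmatched and SAMPLE are names of this example only.

```python
import re

# Added example (not ntc-templates code): a stand-in for TextFSM's rule expansion,
# showing why the extended-ACL rule cannot match the issue's standard-ACL lines.
IP = r"\d+\.\d+\.\d+\.\d+"
VALUES = {  # subset of the Value definitions from the template above
    "ACL_NAME": r"\S+", "LINE_NUM": r"\d+", "TYPE": r"standard|extended",
    "ACTION": r"permit|deny", "PROTOCOL": r"[a-z]+", "DST_PORT": r"\S+",
    "SRC_HOST": IP, "SRC_NETWORK": IP, "SRC_MASK": IP, "SRC_ANY": r"any[46]{0,1}",
    "DST_HOST": IP, "DST_NETWORK": IP, "DST_MASK": IP, "DST_ANY": r"any[46]{0,1}",
    "HIT_COUNT": r"\d+", "LINE_HASH": r"0x\w+",
}
HEAD = r"^access-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+${TYPE}\s+${ACTION}\s+"
SRC = r"(host\s+${SRC_HOST}|${SRC_NETWORK}\s+${SRC_MASK}|${SRC_ANY})"
DST = r"(host\s+${DST_HOST}|${DST_NETWORK}\s+${DST_MASK}|${DST_ANY})"
TAIL = r"\s+\(hitcnt=${HIT_COUNT}\)\s+${LINE_HASH}\s*$"
# Shape of the template's existing line rule: protocol, source and destination
# are all mandatory, so TYPE accepting "standard" is not enough on its own.
EXTENDED_RULE = HEAD + r"${PROTOCOL}\s+" + SRC + r"\s+" + DST + r"(\s+eq\s+${DST_PORT})?" + TAIL
# Proposed extra rule (an assumption, not part of the project): a standard ACL
# line carries no protocol and no destination, only a source.
STANDARD_RULE = HEAD + SRC + TAIL

def compile_rule(rule):
    """Expand ${NAME} into a named group, as TextFSM does with its Values."""
    return re.compile(re.sub(r"\$\{(\w+)\}",
                             lambda m: "(?P<%s>%s)" % (m.group(1), VALUES[m.group(1)]), rule))
RULES = [compile_rule(EXTENDED_RULE), compile_rule(STANDARD_RULE)]

def parse_line(line, rules=RULES):
    """Fields of one line (lower-case keys, '' when unset); raises like the template's Error rule."""
    for rule in rules:
        m = rule.match(line.strip())
        if m:
            return {k.lower(): v or "" for k, v in m.groupdict().items()}
    raise ValueError("Did not match any rules: %r" % line)

def unmatched(lines, rules=RULES):
    """Pre-flight check: lines no rule matches. One such line makes TextFSM abort the whole output."""
    return [ln for ln in lines if not any(r.match(ln.strip()) for r in rules)]

# Sample lines taken from the issue's output; the indented one is an expanded
# object-group element, treated here as a plain extended line for simplicity.
SAMPLE = [
    "  access-list third-acl line 1 extended permit tcp any host 198.18.0.1 eq ssh (hitcnt=0) 0xb86c056b",
    "access-list fifth-acl line 1 standard permit any4 (hitcnt=0) 0x35bc84d3",
    "access-list sixth-acl line 1 standard deny 198.18.0.0 255.254.0.0 (hitcnt=0) 0xce26b1f0",
    "access-list fourth-acl line 1 standard deny host 198.18.0.1 (hitcnt=0) 0x18e858ae",
]
```

Running unmatched(SAMPLE, RULES[:1]) lists all three standard lines, which is exactly the set the template's Error rule trips over; with both rules every line parses.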
jvanderaa commented 2 months ago

What platform is this in reference to @mathlaurent ?

mathlaurent commented 1 month ago

Hello @jvanderaa, indeed I forgot to include the platform: platform: cisco ASA; template: show access rules