networktocode/ntc-templates

Cisco IOS - show ip access-lists does not parse object-groups

Closed this issue · 2 comments

ISSUE TYPE
  • Bug Report

TEMPLATE USING
Value Required,Filldown ACL_TYPE (Standard|Extended)
Value Required,Filldown ACL_NAME (\S+)
Value LINE_NUM (\d+)
Value ACTION (permit|deny)
Value PROTOCOL (\S+)
Value SRC_HOST (\d+\.\d+\.\d+\.\d+)
Value SRC_ANY (any)
Value SRC_NETWORK (\d+\.\d+\.\d+\.\d+)
Value SRC_WILDCARD (\d+\.\d+\.\d+\.\d+)
Value SRC_PORT_MATCH (eq|neq|precedence|range|tos|lt|gt)
Value SRC_PORT ((?<!range\s).+?)
Value SRC_PORT_RANGE_START ((?<=range\s)\S+)
Value SRC_PORT_RANGE_END (\S+)
Value DST_HOST (\d+\.\d+\.\d+\.\d+)
Value DST_ANY (any)
Value DST_NETWORK (\d+\.\d+\.\d+\.\d+)
Value DST_WILDCARD (\d+\.\d+\.\d+\.\d+)
Value DST_PORT_MATCH (eq|neq|precedence|range|tos|lt|gt)
Value DST_PORT ((?<!range\s).+?)
Value DST_PORT_RANGE_START ((?<=range\s)\S+)
Value DST_PORT_RANGE_END (\S+)
Value FLAGS_MATCH (match-all|match-any)
Value TCP_FLAG (((\+|-|)ack(\s*?)|(\+|-|)established(\s*?)|(\+|-|)fin(\s*?)|(\+|-|)fragments(\s*?)|(\+|-|)psh(\s*?)|(\+|-|)rst(\s*?)|(\+|-|)syn(\s*?)|urg(\s*?))+)
Value LOG (log-input|log)
Value LOG_TAG (\S+)
Value ICMP_TYPE (administratively-prohibited|echo|echo-reply|mask-request|packet-too-big|parameter-problem|port-unreachable|redirect|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|unreachable)
Value TIME (\S+)
Value STATE (inactive|active)
Value MATCHES (\d+)

Start
  ^(Standard|Extended) -> Continue.Clearall
  ^${ACL_TYPE}\s+IP\s+access\s+list\s+${ACL_NAME}\s* -> Record
  ^\s+${LINE_NUM}\s+${ACTION}\s+${PROTOCOL}\s+(host\s+${SRC_HOST}|${SRC_ANY}|${SRC_NETWORK}\s+${SRC_WILDCARD})(\s+${SRC_PORT_MATCH}\s+|)(${SRC_PORT_RANGE_START}\s+${SRC_PORT_RANGE_END}|${SRC_PORT}|)\s+(host\s+${DST_HOST}|${DST_ANY}|${DST_NETWORK}\s+${DST_WILDCARD})(\s+${DST_PORT_MATCH}\s+(${DST_PORT_RANGE_START}\s+${DST_PORT_RANGE_END}|${DST_PORT}|)|\s+(${FLAGS_MATCH}\s+|)${TCP_FLAG}|)(\s+${ICMP_TYPE}|)(\s+${LOG}|)(\s+time-range\s+${TIME}\s+\(${STATE}\)|)(?:\s+\(${MATCHES}\s+\S+\)|)(\s+\(tag\s+=\s+${LOG_TAG}\)|)\s*$$ -> Record
  ^\s+${LINE_NUM}\s+${ACTION}\s+(${SRC_NETWORK},\s+wildcard\s+bits\s+${SRC_WILDCARD}|${SRC_HOST}|${SRC_ANY})(\s+${LOG}|)(\s+time-range\s+${TIME}\s+\(${STATE}\)|)(?:\s+\(${MATCHES}\s+\S+\)|)(\s+\(tag\s+=\s+${LOG_TAG}\)|)\s*$$ -> Record
  ^\s*$$
  # Capture time-stamp if vty line has command time-stamping turned on
  ^Load\s+for\s+
  ^Time\s+source\s+is
  ^.* -> Error "Could not parse line:"

EOF

SAMPLE COMMAND OUTPUT
Extended IP access list access-acl
    10 permit udp object-group SRC_OBJ_GRP object-group DST_OBJ_GRP eq www

SUMMARY

The current template for parsing show ip access-lists is unable to parse object groups.

STEPS TO REPRODUCE

I verified this by running tox from the top-level directory.

tox

EXPECTED RESULTS

I knew this doesn't work and created this issue as a reference for a future Pull Request.

ACTUAL RESULTS
textfsm.parser.TextFSMError: Error: "Could not parse line:". Rule Line: 40. Input Line:     10 permit udp object-group SRC_OBJ_GRP object-group DST_OBJ_GRP eq domain.
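
The failure reported above can be reproduced without TextFSM. The following is an added example, not part of the original issue or of the ntc-templates project: it reduces the template's extended-ACL rule to a plain Python regex (source ports, TCP flags and logging omitted), then adds an object-group alternative on each side. The SRC_OBJECT_GROUP and DST_OBJECT_GROUP field names and entry 20 of the sample are assumptions made for illustration.

```python
import re

ADDR = r"\d+\.\d+\.\d+\.\d+"

def endpoint(side, object_groups):
    """Address alternation for one side (SRC or DST) of an extended ACE."""
    alts = [
        rf"host\s+(?P<{side}_HOST>{ADDR})",
        rf"(?P<{side}_ANY>any)",
        rf"(?P<{side}_NETWORK>{ADDR})\s+(?P<{side}_WILDCARD>{ADDR})",
    ]
    if object_groups:
        # Hypothetical field name, not taken from the template or its eventual fix.
        alts.append(rf"object-group\s+(?P<{side}_OBJECT_GROUP>\S+)")
    return "(?:" + "|".join(alts) + ")"

def build_rule(object_groups):
    """Reduced form of the template's extended-ACL rule."""
    return re.compile(
        r"^\s+(?P<LINE_NUM>\d+)\s+(?P<ACTION>permit|deny)\s+(?P<PROTOCOL>\S+)\s+"
        + endpoint("SRC", object_groups) + r"\s+" + endpoint("DST", object_groups)
        + r"(?:\s+(?P<DST_PORT_MATCH>eq|neq|range|lt|gt)\s+(?P<DST_PORT>\S+))?\s*$"
    )

def parse(output, rule):
    """Return one dict per ACE; fail on any unmatched line, like the template's catch-all rule."""
    header = re.compile(r"^(Standard|Extended)\s+IP\s+access\s+list\s+(\S+)\s*$")
    acl_name, records = None, []
    for line in output.splitlines():
        if not line.strip():
            continue
        if (h := header.match(line)):
            acl_name = h.group(2)
            continue
        m = rule.match(line)
        if m is None:
            raise ValueError(f"Could not parse line: {line!r}")
        fields = {k: v for k, v in m.groupdict().items() if v is not None}
        records.append({"ACL_NAME": acl_name, **fields})
    return records

# Sample output from the issue, plus one constructed host/any entry (line 20).
SAMPLE = """Extended IP access list access-acl
    10 permit udp object-group SRC_OBJ_GRP object-group DST_OBJ_GRP eq www
    20 permit tcp host 10.1.1.1 any eq 22
"""
```

With build_rule(False) the parse stops at entry 10 and returns nothing, so a rule review built on this output would miss every entry of the ACL, not only the object-group ones.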

@mjuenema can you add the full Cisco output, that we can add as a test, to fix the parsing?

Hi, I am already working on a fix and it's 99% complete. Expect a pull request soon.