cisco show access list parse error #2

Question

cisco show access list parse error #2

Closed this issue 2 months ago · 1 comments

ISSUE TYPE

Bug Report

TEMPLATE USING

Latest master commit e72650d

Value Required ACL_NAME (\S+)
Value ACL_TOT_ELEM (\d+)
Value ACL_NAME_HASH (0x\w+)
Value TYPE (standard|extended)
Value LINE_NUM (\d+)
Value REMARK (.+?)
Value ACTION (permit|deny)
Value PROTOCOL ([a-z]+)
Value SVC_OBJECT_GRP (\S+)
Value SVC_OBJECT (\S+)
Value SRC_INTFC (\S+)
Value SRC_OBJECT_GRP (\S+)
Value SRC_OBJECT (\S+)
Value SRC_HOST (\S+)
Value SRC_NETWORK (\d+\.\d+\.\d+\.\d+)
Value SRC_MASK (\d+\.\d+\.\d+\.\d+)
Value SRC_ANY (any[46]{0,1})
Value DST_INTFC (\S+)
Value DST_OBJECT_GRP (\S+)
Value DST_OBJECT (\S+)
Value DST_HOST (\S+)
Value DST_NETWORK (\d+\.\d+\.\d+\.\d+)
Value DST_MASK (\d+\.\d+\.\d+\.\d+)
Value DST_ANY (any[46]{0,1})
Value DST_PORT (\S+)
Value DST_PORT_GRP (\S+)
Value DST_PORT_OBJECT (\S+)
Value LOG_LEVEL ([a-z0-9]+)
Value LOG_INTERVAL (\d+)
Value STATE (inactive)
Value HIT_COUNT (\d+)
Value LINE_HASH (0x\w+)
Value ENTRY_PROTOCOL_ICMP (icmp)
Value ENTRY_PROTOCOL ([a-z\-]+)
Value ENTRY_SRC_FQDN (\S+)
Value ENTRY_SRC_RANGE_START (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_RANGE_END (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_HOST (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_NETWORK (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_MASK (\d+\.\d+\.\d+\.\d+)
Value ENTRY_SRC_ANY (any[46]{0,1})
Value ENTRY_SRC_FQDN_STATE (unresolved)
Value ENTRY_DST_FQDN (\S+)
Value ENTRY_DST_RANGE_START (\d+\.\d+\.\d+\.\d+)
Value ENTRY_DST_RANGE_END (\d+\.\d+\.\d+\.\d+)
Value ENTRY_DST_HOST (\S+)
Value ENTRY_DST_NETWORK (\d+\.\d+\.\d+\.\d+)
Value ENTRY_DST_MASK (\d+\.\d+\.\d+\.\d+)
Value ENTRY_DST_ANY (any[46]{0,1})
Value ENTRY_DST_FQDN_STATE (unresolved)
Value ENTRY_ICMP_TYPE (echo-reply|unreachable|echo|time-exceeded)
Value ENTRY_ICMP_CODE (\d+)
Value ENTRY_PORT ([a-z\-]+\s+\d+|[\w\-]+)
Value ENTRY_PORT_LESS_THAN ([a-z\-]+\s+\d+|\w+)
Value ENTRY_PORT_GREATER_THAN ([a-z\-]+\s+\d+|\w+)
Value ENTRY_PORT_RANGE_START ([a-z\-]+\s+\d+|\w+)
Value ENTRY_PORT_RANGE_END ([a-z\-]+\s+\d+|\w+)
Value ENTRY_HIT_COUNT (\d+)
Value ENTRY_STATE (inactive)
Value ENTRY_HASH (0x\w+)

Start
  ^access\-list\s+${ACL_NAME};\s+${ACL_TOT_ELEM}\s+elements;\s+name\s+hash:\s+${ACL_NAME_HASH}\s* -> Record
  ^access-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+remark\s+${REMARK}\s*$$ -> Record
  ^access\-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+${TYPE}\s+${ACTION}\s+(object\-group\s+${SVC_OBJECT_GRP}|object\s+${SVC_OBJECT}|${PROTOCOL})\s+(interface\s+${SRC_INTFC}|object\-group\s+${SRC_OBJECT_GRP}|object\s+${SRC_OBJECT}|host\s+${SRC_HOST}|${SRC_NETWORK}\s+${SRC_MASK}|${SRC_ANY})\s+(interface\s+${DST_INTFC}|object\-group\s+${DST_OBJECT_GRP}|object\s+${DST_OBJECT}|host\s+${DST_HOST}|${DST_NETWORK}\s+${DST_MASK}|${DST_ANY})\s+((eq\s+${DST_PORT}|object\-group\s+${DST_PORT_GRP}|object\s+${DST_PORT_OBJECT})\s+){0,1}(${ENTRY_ICMP_TYPE}(\s+${ENTRY_ICMP_CODE}){0,1}\s+){0,1}((log\s+(${LOG_LEVEL}\s+interval\s+${LOG_INTERVAL}|disable|default))\s+){0,1}(${STATE}\s+){0,1}\(hitcnt=${HIT_COUNT}\)\s+(\(inactive\)\s+){0,1}${LINE_HASH}\s* -> Record
  ^\s+access\-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+(standard|extended)\s+(permit|deny)\s+${ENTRY_PROTOCOL_ICMP}\s+(fqdn\s+${ENTRY_SRC_FQDN}|range\s+${ENTRY_SRC_RANGE_START}\s+${ENTRY_SRC_RANGE_END}|host\s+${ENTRY_SRC_HOST}|${ENTRY_SRC_NETWORK}\s+${ENTRY_SRC_MASK}|${ENTRY_SRC_ANY})\s+(\(${ENTRY_SRC_FQDN_STATE}\)\s+){0,1}(fqdn\s+${ENTRY_DST_FQDN}|range\s+${ENTRY_DST_RANGE_START}\s+${ENTRY_DST_RANGE_END}|host\s+${ENTRY_DST_HOST}|${ENTRY_DST_NETWORK}\s+${ENTRY_DST_MASK}|${ENTRY_DST_ANY})\s+(\(${ENTRY_DST_FQDN_STATE}\)\s+){0,1}(${ENTRY_ICMP_TYPE}(\s+${ENTRY_ICMP_CODE}){0,1}\s+){0,1}(log\s+(${LOG_LEVEL}\s+interval\s+${LOG_INTERVAL}|disable|default)\s+){0,1}(inactive){0,1}\s*(\(hitcnt=${ENTRY_HIT_COUNT}\)){0,1}\s*(\(${ENTRY_STATE}\)){0,1}\s+${ENTRY_HASH}\s* -> Record
  ^\s+access\-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+(standard|extended)\s+(permit|deny)\s+(${ENTRY_PROTOCOL}\s+){0,1}(fqdn\s+${ENTRY_SRC_FQDN}|range\s+${ENTRY_SRC_RANGE_START}\s+${ENTRY_SRC_RANGE_END}|host\s+${ENTRY_SRC_HOST}|${ENTRY_SRC_NETWORK}\s+${ENTRY_SRC_MASK}|${ENTRY_SRC_ANY})\s+(\(${ENTRY_SRC_FQDN_STATE}\)\s+){0,1}((fqdn\s+${ENTRY_DST_FQDN}|range\s+${ENTRY_DST_RANGE_START}\s+${ENTRY_DST_RANGE_END}|host\s+${ENTRY_DST_HOST}|${ENTRY_DST_NETWORK}\s+${ENTRY_DST_MASK}|${ENTRY_DST_ANY})\s+){0,1}(\(${ENTRY_DST_FQDN_STATE}\)\s+){0,1}((eq\s+${ENTRY_PORT}|lt\s+${ENTRY_PORT_LESS_THAN}|gt\s+${ENTRY_PORT_GREATER_THAN}|range\s+${ENTRY_PORT_RANGE_START}\s+${ENTRY_PORT_RANGE_END})\s+){0,1}(log\s+([a-z0-9]+\s+interval\s+\d+|disable|default)\s+){0,1}(inactive){0,1}\s*(\(hitcnt=${ENTRY_HIT_COUNT}\)){0,1}\s*(\(${ENTRY_STATE}\)){0,1}\s+${ENTRY_HASH}\s* -> Record
  ^access\-list\s+${ACL_NAME}\s+line\s+${LINE_NUM}\s+(standard|extended)\s+(permit|deny)\s+(fqdn\s+${ENTRY_SRC_FQDN}|range\s+${ENTRY_SRC_RANGE_START}\s+${ENTRY_SRC_RANGE_END}|host\s+${ENTRY_SRC_HOST}|${ENTRY_SRC_NETWORK}\s+${ENTRY_SRC_MASK}|${ENTRY_SRC_ANY})\s+\((hitcnt=${ENTRY_HIT_COUNT})\)\s+${ENTRY_HASH}\s* -> Record
  ^.* -> Error "Did not match any rules"

EOF

SAMPLE COMMAND OUTPUT

access-list ACL-INTERNET line 140 extended permit tcp any host 10.1.1.13 range 11000 13000 (hitcnt=79079) 0x60a21418
access-list ACL-INTERNET line 178 extended permit tcp any object IP_1.1.4.8 range 60000 65535 (hitcnt=144263) 0xa0ba93ac
  access-list ACL-INTERNET line 178 extended permit tcp any host 1.1.4.8 range 60000 65535 (hitcnt=144263) 0xa0ba93ac

SUMMARY

STEPS TO REPRODUCE

from ntc_templates.parse import parse_output
import os
import pprint

os.environ["NTC_TEMPLATES_DIR"] = "./ntc-templates/ntc_templates/templates"
input_file = open("./test.txt", encoding='utf-8')
all_rules = parse_output(platform="cisco_asa", command="show access-lists", data=input_file.read())
pprint.pprint(all_rules)

EXPECTED RESULTS

Successful parse of data

ACTUAL RESULTS

Traceback (most recent call last):
  File "/Users/pto/Documents/SOS/aclparse.py", line 15, in <module>
    all_rules = parse_output(platform="cisco_asa", command="show access-lists", data=input_file.read())
  File "/opt/homebrew/lib/python3.9/site-packages/ntc_templates/parse.py", line 57, in parse_output
    cli_table.ParseCmd(data, attrs)
  File "/opt/homebrew/lib/python3.9/site-packages/textfsm/clitable.py", line 282, in ParseCmd
    self.table = self._ParseCmdItem(self.raw, template_file=template_files[0])
  File "/opt/homebrew/lib/python3.9/site-packages/textfsm/clitable.py", line 315, in _ParseCmdItem
    for record in fsm.ParseText(cmd_input):
  File "/opt/homebrew/lib/python3.9/site-packages/textfsm/parser.py", line 897, in ParseText
    self._CheckLine(line)
  File "/opt/homebrew/lib/python3.9/site-packages/textfsm/parser.py", line 946, in _CheckLine
    if self._Operations(rule, line):
  File "/opt/homebrew/lib/python3.9/site-packages/textfsm/parser.py", line 1023, in _Operations
    raise TextFSMError('Error: %s. Rule Line: %s. Input Line: %s.'
textfsm.parser.TextFSMError: Error: "Did not match any rules". Rule Line: 69. Input Line: access-list ACL-INTERNET line 140 extended permit tcp any host 10.1.1.13 range 11000 13000 (hitcnt=79079) 0x60a21418.

Answer 1 · 2024-07-29T11:27:01.000Z

@jmcgill298
This was the 2nd of 4 issues mentioned in PR #1351 so it can be resolved.