cisco_ios_show_ip_access-lists is not accounting for log tags
Closed this issue · 1 comment
joewesch commented
ISSUE TYPE
- Bug Report
TEMPLATE USING
Value Required,Filldown ACL_TYPE (Standard|Extended)
Value Required,Filldown ACL_NAME (\S+)
Value LINE_NUM (\d+)
Value ACTION (permit|deny)
Value PROTOCOL (\S+)
Value SRC_HOST (\d+\.\d+\.\d+\.\d+)
Value SRC_ANY (any)
Value SRC_NETWORK (\d+\.\d+\.\d+\.\d+)
Value SRC_WILDCARD (\d+\.\d+\.\d+\.\d+)
Value SRC_PORT_MATCH (eq|neq|precedence|range|tos|lt|gt)
Value SRC_PORT ((?<!range\s).+?)
Value SRC_PORT_RANGE_START ((?<=range\s)\S+)
Value SRC_PORT_RANGE_END (\S+)
Value DST_HOST (\d+\.\d+\.\d+\.\d+)
Value DST_ANY (any)
Value DST_NETWORK (\d+\.\d+\.\d+\.\d+)
Value DST_WILDCARD (\d+\.\d+\.\d+\.\d+)
Value DST_PORT_MATCH (eq|neq|precedence|range|tos|lt|gt)
Value DST_PORT ((?<!range\s).+?)
Value DST_PORT_RANGE_START ((?<=range\s)\S+)
Value DST_PORT_RANGE_END (\S+)
Value FLAGS_MATCH (match-all|match-any)
Value TCP_FLAG (((\+|-|)ack(\s*?)|(\+|-|)established(\s*?)|(\+|-|)fin(\s*?)|(\+|-|)fragments(\s*?)|(\+|-|)psh(\s*?)|(\+|-|)rst(\s*?)|(\+|-|)syn(\s*?)|urg(\s*?))+)
Value LOG (log-input|log)
Value ICMP_TYPE (administratively-prohibited|echo|echo-reply|mask-request|packet-too-big|parameter-problem|port-unreachable|redirect|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|unreachable)
Value TIME (\S+)
Value STATE (inactive|active)
Value MATCHES (\d+)
Start
^(Standard|Extended) -> Continue.Clearall
^${ACL_TYPE}\s+IP\s+access\s+list\s+${ACL_NAME}\s* -> Record
^\s+${LINE_NUM}\s+${ACTION}\s+${PROTOCOL}\s+(host\s+${SRC_HOST}|${SRC_ANY}|${SRC_NETWORK}\s+${SRC_WILDCARD})(\s+${SRC_PORT_MATCH}\s+|)(${SRC_PORT_RANGE_START}\s+${SRC_PORT_RANGE_END}|${SRC_PORT}|)\s+(host\s+${DST_HOST}|${DST_ANY}|${DST_NETWORK}\s+${DST_WILDCARD})(\s+${DST_PORT_MATCH}\s+(${DST_PORT_RANGE_START}\s+${DST_PORT_RANGE_END}|${DST_PORT}|)|\s+(${FLAGS_MATCH}\s+|)${TCP_FLAG}|)(\s+${ICMP_TYPE}|)(\s+${LOG}|)(\s+time-range\s+${TIME}\s+\(${STATE}\)|)(?:\s+\(${MATCHES}\s+\S+\)|)\s*$$ -> Record
^\s+${LINE_NUM}\s+${ACTION}\s+(${SRC_NETWORK},\s+wildcard\s+bits\s+${SRC_WILDCARD}|${SRC_HOST}|${SRC_ANY})(\s+${LOG}|)(\s+time-range\s+${TIME}\s+\(${STATE}\)|)(?:\s+\(${MATCHES}\s+matches\)|)\s*$$ -> Record
^\s*$$
# Capture time-stamp if vty line has command time-stamping turned on
^Load\s+for\s+
^Time\s+source\s+is
^.* -> Error "Could not parse line:"
EOF
SAMPLE COMMAND OUTPUT
Extended IP access list Joe-Test
10 permit tcp host 169.254.3.3 gt 1023 169.254.3.4 0.0.0.1 log (tag = established)
SUMMARY
When creating an extended ACL you can add many match settings such as established, time-range, ttl, etc. If you want to log as well, log (log-input) must be the last entry. Both of these options take a single WORD as the log tag. So, if you try and add established after the word log, for example, you have inadvertently tagged your logs with the word "established" instead of matching on established traffic as intended.
Examples:
# show run:
ip access-list extended Joe-Test
permit tcp host 169.254.3.3 gt 1023 169.254.3.4 0.0.0.1 log established
# show ip access-list:
Extended IP access list Joe-Test
10 permit tcp host 169.254.3.3 gt 1023 169.254.3.4 0.0.0.1 log (tag = established)
=======================================================
# show run:
ip access-list extended Joe-Test
permit tcp host 169.254.3.3 gt 1023 169.254.3.4 0.0.0.1 established log
# show ip access-list:
Extended IP access list Joe-Test
20 permit tcp host 169.254.3.3 gt 1023 169.254.3.4 0.0.0.1 established log
=======================================================
# show run:
ip access-list extended Joe-Test
permit tcp host 169.254.3.3 gt 1023 169.254.3.4 0.0.0.1 established log tag_name
# show ip access-list:
Extended IP access list Joe-Test
20 permit tcp host 169.254.3.3 gt 1023 169.254.3.4 0.0.0.1 established log (tag = tag_name)
STEPS TO REPRODUCE
Use send_command('show ip access-lists', use_textfsm=True)
with an ACL that has a log or log-input tag.
EXPECTED RESULTS
It should parse the log tag
ACTUAL RESULTS
[ERROR] root: TextFSMError Error occurred while running "show ip access-list".
[DEBUG] root: Error: "Could not parse line:". Rule Line: 39. Input Line: 90 permit tcp host 169.254.3.3 gt 1023 169.254.3.4 0.0.0.1 log (tag = established).
joewesch commented
The template and raw output show time-range can come after log, but that doesn't seem to be the case for the device I'm using:
cisco_ios#conf t
Enter configuration commands, one per line. End with CNTL/Z.
cisco_ios(config)#ip access-list extended Joe-Test
cisco_ios(config-ext-nacl)#permit ahp any any log-input ?
WORD User defined cookie (max of 64 char)
<cr>
cisco_ios(config-ext-nacl)#permit ahp any any log-input test ?
<cr>
cisco_ios(config-ext-nacl)#permit ahp any any log-input time-range test ?
% Unrecognized command
cisco_ios(config-ext-nacl)#permit ahp any any log-input time-range test
^
% Invalid input detected at '^' marker.
cisco_ios(config-ext-nacl)#permit ahp any any log ?
WORD User defined cookie (max of 64 char)
<cr>
cisco_ios(config-ext-nacl)#permit ahp any any log time-range test ?
% Unrecognized command
cisco_ios(config-ext-nacl)#permit ahp any any log time-range test
^
% Invalid input detected at '^' marker.
cisco_ios(config-ext-nacl)#
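Added example (not part of the issue or of the ntc-templates project): a small regex-based parser for the `log`/`log-input` clause of `show ip access-lists` that captures the `(tag = WORD)` cookie the current template rejects, and a check that flags ACEs whose cookie is really an ACL option keyword (the "log established" mistake described above, where the entry silently stops matching on established traffic). The sample output and the keyword list are constructed for the example; plain `re` is used instead of TextFSM so it runs with no extra dependency.

```python
import re

# Constructed sample, modelled on the show output quoted in the issue (not a real capture).
SAMPLE_OUTPUT = """\
Extended IP access list Joe-Test
    10 permit tcp host 169.254.3.3 gt 1023 169.254.3.4 0.0.0.1 log (tag = established)
    20 permit tcp host 169.254.3.3 gt 1023 169.254.3.4 0.0.0.1 established log
    30 permit tcp host 169.254.3.3 gt 1023 169.254.3.4 0.0.0.1 established log (tag = tag_name)
    40 deny ip any any log-input (tag = time-range) (12 matches)
"""

# ACL option keywords that IOS accepts as a log cookie when typed after log/log-input.
# Assumed list for the example; extend it to match the platforms you audit.
ACL_OPTION_KEYWORDS = {"established", "time-range", "ttl", "fragments", "precedence", "tos", "dscp"}

ACL_HEADER_RE = re.compile(r"^(Standard|Extended)\s+IP\s+access\s+list\s+(\S+)\s*$")
# log/log-input is always the last option, so the cookie can only follow it; the
# optional "(N matches)" counter is the only thing that may come after the cookie.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<body>.*?)"
    r"(?:\s+(?P<log>log-input|log)(?:\s+\(tag\s*=\s*(?P<tag>[^)]+)\))?)?"
    r"(?:\s+\((?P<matches>\d+)\s+matches?\))?\s*$"
)


def parse_access_lists(output):
    """Return one dict per ACE: acl, seq, action, body, log, tag (cookie or None), matches."""
    entries, acl_name = [], None
    for line in output.splitlines():
        header = ACL_HEADER_RE.match(line)
        if header:
            acl_name = header.group(2)
            continue
        ace = ACE_RE.match(line)
        if ace and acl_name:
            entry = ace.groupdict()
            entry["acl"] = acl_name
            entry["seq"] = int(entry["seq"])
            entry["tag"] = entry["tag"].strip() if entry["tag"] else None
            entry["matches"] = int(entry["matches"]) if entry["matches"] else None
            entries.append(entry)
    return entries


def find_misplaced_keywords(entries):
    """ACEs whose log cookie is an option keyword: the option was never applied to the match."""
    return [e for e in entries if e["tag"] and e["tag"].lower() in ACL_OPTION_KEYWORDS]
```

Running `find_misplaced_keywords(parse_access_lists(SAMPLE_OUTPUT))` on the sample reports sequence 10 (cookie "established") and 40 (cookie "time-range"), while 30 with its intentional cookie is left alone.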