diff --git a/lib/ansible/modules/network/cloudengine/ce_acl.py b/lib/ansible/modules/network/cloudengine/ce_acl.py
new file mode 100644
index 0000000000..11be14ed8a
--- /dev/null
+++ b/lib/ansible/modules/network/cloudengine/ce_acl.py
@@ -0,0 +1,1025 @@
+#!/usr/bin/python
+#
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible. If not, see .
+#
+
+ANSIBLE_METADATA = {'status': ['preview'],
+ 'supported_by': 'community',
+ 'metadata_version': '1.0'}
+
+DOCUMENTATION = '''
+---
+module: ce_acl
+version_added: "2.4"
+short_description: Manages base ACL configuration on HUAWEI CloudEngine switches.
+description:
+ - Manages base ACL configurations on HUAWEI CloudEngine switches.
+author:
+ - wangdezhuang (@CloudEngine-Ansible)
+options:
+ state:
+ description:
+ - Specify desired state of the resource.
+ required: false
+ default: present
+ choices: ['present','absent','delete_acl']
+ acl_name:
+ description:
+ - ACL number or name.
+ For a numbered rule group, the value ranging from 2000 to 2999 indicates a basic ACL.
+ For a named rule group, the value is a string of 1 to 32 case-sensitive characters starting
+ with a letter, spaces not supported.
+ required: true
+ acl_num:
+ description:
+ - ACL number.
+ The value is an integer ranging from 2000 to 2999.
+ required: false
+ default: null
+ acl_step:
+ description:
+ - ACL step.
+ The value is an integer ranging from 1 to 20. The default value is 5.
+ required: false
+ default: null
+ acl_description:
+ description:
+ - ACL description.
+ The value is a string of 1 to 127 characters.
+ required: false
+ default: null
+ rule_name:
+ description:
+ - Name of a basic ACL rule.
+ The value is a string of 1 to 32 characters.
+ The value is case-insensitive, and cannot contain spaces or begin with an underscore (_).
+ required: false
+ default: null
+ rule_id:
+ description:
+ - ID of a basic ACL rule in configuration mode.
+ The value is an integer ranging from 0 to 4294967294.
+ required: false
+ default: null
+ rule_action:
+ description:
+ - Matching mode of basic ACL rules.
+ required: false
+ default: null
+ choices: ['permit','deny']
+ source_ip:
+ description:
+ - Source IP address.
+ The value is a string of 0 to 255 characters.The default value is 0.0.0.0.
+ The value is in dotted decimal notation.
+ required: false
+ default: null
+ src_mask:
+ description:
+ - Mask of a source IP address.
+ The value is an integer ranging from 1 to 32.
+ required: false
+ default: null
+ frag_type:
+ description:
+ - Type of packet fragmentation.
+ required: false
+ default: null
+ choices: ['fragment', 'clear_fragment']
+ vrf_name:
+ description:
+ - VPN instance name.
+ The value is a string of 1 to 31 characters.The default value is _public_.
+ required: false
+ default: null
+ time_range:
+ description:
+ - Name of a time range in which an ACL rule takes effect.
+ The value is a string of 1 to 32 characters.
+ The value is case-insensitive, and cannot contain spaces. The name must start with an uppercase
+ or lowercase letter. In addition, the word "all" cannot be specified as a time range name.
+ required: false
+ default: null
+ rule_description:
+ description:
+ - Description about an ACL rule.
+ The value is a string of 1 to 127 characters.
+ required: false
+ default: null
+ log_flag:
+ description:
+ - Flag of logging matched data packets.
+ required: false
+ default: false
+ choices: ['true', 'false']
+'''
+
+EXAMPLES = '''
+
+- name: CloudEngine acl test
+ hosts: cloudengine
+ connection: local
+ gather_facts: no
+ vars:
+ cli:
+ host: "{{ inventory_hostname }}"
+ port: "{{ ansible_ssh_port }}"
+ username: "{{ username }}"
+ password: "{{ password }}"
+ transport: cli
+
+ tasks:
+
+ - name: "Config ACL"
+ ce_acl:
+ state: present
+ acl_name: 2200
+ provider: "{{ cli }}"
+
+ - name: "Undo ACL"
+ ce_acl:
+ state: delete_acl
+ acl_name: 2200
+ provider: "{{ cli }}"
+
+ - name: "Config ACL base rule"
+ ce_acl:
+ state: present
+ acl_name: 2200
+ rule_name: test_rule
+ rule_id: 111
+ rule_action: permit
+ source_ip: 10.10.10.10
+ src_mask: 24
+ frag_type: fragment
+ time_range: wdz_acl_time
+ provider: "{{ cli }}"
+
+ - name: "undo ACL base rule"
+ ce_acl:
+ state: absent
+ acl_name: 2200
+ rule_name: test_rule
+ rule_id: 111
+ rule_action: permit
+ source_ip: 10.10.10.10
+ src_mask: 24
+ frag_type: fragment
+ time_range: wdz_acl_time
+ provider: "{{ cli }}"
+'''
+
+RETURN = '''
+changed:
+ description: check to see if a change was made on the device
+ returned: always
+ type: boolean
+ sample: true
+proposed:
+ description: k/v pairs of parameters passed into module
+ returned: always
+ type: dict
+ sample: {"acl_name": "test", "state": "delete_acl"}
+existing:
+ description: k/v pairs of existing aaa server
+ returned: always
+ type: dict
+ sample: {"aclNumOrName": "test", "aclType": "Basic"}
+end_state:
+ description: k/v pairs of aaa params after module execution
+ returned: always
+ type: dict
+ sample: {}
+updates:
+ description: command sent to the device
+ returned: always
+ type: list
+ sample: ["undo acl name test"]
+'''
+
+import socket
+import sys
+from xml.etree import ElementTree
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.ce import get_nc_config, set_nc_config, ce_argument_spec
+
+
+# get acl
+CE_GET_ACL_HEADER = """
+
+
+
+
+
+"""
+CE_GET_ACL_TAIL = """
+
+
+
+
+"""
+# merge acl
+CE_MERGE_ACL_HEADER = """
+
+
+
+
+ %s
+"""
+CE_MERGE_ACL_TAIL = """
+
+
+
+
+"""
+# delete acl
+CE_DELETE_ACL_HEADER = """
+
+
+
+
+ %s
+"""
+CE_DELETE_ACL_TAIL = """
+
+
+
+
+"""
+
+# get acl base rule
+CE_GET_ACL_BASE_RULE_HEADER = """
+
+
+
+
+ %s
+
+
+
+"""
+CE_GET_ACL_BASE_RULE_TAIL = """
+
+
+
+
+
+
+"""
+# merge acl base rule
+CE_MERGE_ACL_BASE_RULE_HEADER = """
+
+
+
+
+ %s
+
+
+ %s
+"""
+CE_MERGE_ACL_BASE_RULE_TAIL = """
+
+
+
+
+
+
+"""
+# delete acl base rule
+CE_DELETE_ACL_BASE_RULE_HEADER = """
+
+
+
+
+ %s
+
+
+ %s
+"""
+CE_DELETE_ACL_BASE_RULE_TAIL = """
+
+
+
+
+
+
+"""
+
+
+def check_ip_addr(ipaddr):
+ """ check_ip_addr, Supports IPv4 and IPv6 """
+
+ if not ipaddr or '\x00' in ipaddr:
+ return False
+
+ try:
+ res = socket.getaddrinfo(ipaddr, 0, socket.AF_UNSPEC,
+ socket.SOCK_STREAM,
+ 0, socket.AI_NUMERICHOST)
+ return bool(res)
+ except socket.gaierror:
+ err = sys.exc_info()[1]
+ if err.args[0] == socket.EAI_NONAME:
+ return False
+ raise
+ return True
+
+
+class BaseAcl(object):
+ """ Manages base acl configuration """
+
+ def __init__(self, **kwargs):
+ """ Class init """
+
+ # argument spec
+ argument_spec = kwargs["argument_spec"]
+ self.spec = argument_spec
+ self.module = AnsibleModule(argument_spec=self.spec, supports_check_mode=True)
+
+ # module args
+ self.state = self.module.params['state']
+ self.acl_name = self.module.params['acl_name'] or None
+ self.acl_num = self.module.params['acl_num'] or None
+ self.acl_type = None
+ self.acl_step = self.module.params['acl_step'] or None
+ self.acl_description = self.module.params['acl_description'] or None
+ self.rule_name = self.module.params['rule_name'] or None
+ self.rule_id = self.module.params['rule_id'] or None
+ self.rule_action = self.module.params['rule_action'] or None
+ self.source_ip = self.module.params['source_ip'] or None
+ self.src_mask = self.module.params['src_mask'] or None
+ self.src_wild = None
+ self.frag_type = self.module.params['frag_type'] or None
+ self.vrf_name = self.module.params['vrf_name'] or None
+ self.time_range = self.module.params['time_range'] or None
+ self.rule_description = self.module.params['rule_description'] or None
+ self.log_flag = self.module.params['log_flag']
+
+ # cur config
+ self.cur_acl_cfg = dict()
+ self.cur_base_rule_cfg = dict()
+
+ # state
+ self.changed = False
+ self.updates_cmd = list()
+ self.results = dict()
+ self.proposed = dict()
+ self.existing = dict()
+ self.end_state = dict()
+
+ def netconf_get_config(self, conf_str):
+ """ Get configure by netconf """
+
+ xml_str = get_nc_config(self.module, conf_str)
+
+ return xml_str
+
+ def netconf_set_config(self, conf_str):
+ """ Set configure by netconf """
+
+ xml_str = set_nc_config(self.module, conf_str)
+
+ return xml_str
+
+ def get_wildcard_mask(self):
+ """ convert mask length to ip address wildcard mask, i.e. 24 to 0.0.0.255 """
+
+ mask_int = ["255"] * 4
+ value = int(self.src_mask)
+
+ if value > 32:
+ self.module.fail_json(msg='Error: IPv4 ipaddress mask length is invalid.')
+ if value < 8:
+ mask_int[0] = str(int(~(0xFF << (8 - value % 8)) & 0xFF))
+ if value >= 8:
+ mask_int[0] = '0'
+ mask_int[1] = str(int(~(0xFF << (16 - (value % 16))) & 0xFF))
+ if value >= 16:
+ mask_int[1] = '0'
+ mask_int[2] = str(int(~(0xFF << (24 - (value % 24))) & 0xFF))
+ if value >= 24:
+ mask_int[2] = '0'
+ mask_int[3] = str(int(~(0xFF << (32 - (value % 32))) & 0xFF))
+ if value == 32:
+ mask_int[3] = '0'
+
+ return '.'.join(mask_int)
+
+ def check_acl_args(self):
+ """ Check acl invalid args """
+
+ need_cfg = False
+ find_flag = False
+ self.cur_acl_cfg["acl_info"] = []
+
+ if self.acl_name:
+
+ if self.acl_name.isdigit():
+ if int(self.acl_name) < 2000 or int(self.acl_name) > 2999:
+ self.module.fail_json(
+ msg='Error: The value of acl_name is out of [2000-2999] for base ACL.')
+
+ if self.acl_num:
+ self.module.fail_json(
+ msg='Error: The acl_name is digit, so should not input acl_num at the same time.')
+ else:
+
+ self.acl_type = "Basic"
+
+ if len(self.acl_name) < 1 or len(self.acl_name) > 32:
+ self.module.fail_json(
+ msg='Error: The len of acl_name is out of [1 - 32].')
+
+ if self.state == "present":
+ if not self.acl_num and not self.acl_type and not self.rule_name:
+ self.module.fail_json(
+ msg='Error: Please input acl_num or acl_type when config ACL.')
+
+ if self.acl_num:
+ if self.acl_num.isdigit():
+ if int(self.acl_num) < 2000 or int(self.acl_num) > 2999:
+ self.module.fail_json(
+ msg='Error: The value of acl_name is out of [2000-2999] for base ACL.')
+ else:
+ self.module.fail_json(
+ msg='Error: The acl_num is not digit.')
+
+ if self.acl_step:
+ if self.acl_step.isdigit():
+ if int(self.acl_step) < 1 or int(self.acl_step) > 20:
+ self.module.fail_json(
+ msg='Error: The value of acl_step is out of [1 - 20].')
+ else:
+ self.module.fail_json(
+ msg='Error: The acl_step is not digit.')
+
+ if self.acl_description:
+ if len(self.acl_description) < 1 or len(self.acl_description) > 127:
+ self.module.fail_json(
+ msg='Error: The len of acl_description is out of [1 - 127].')
+
+ conf_str = CE_GET_ACL_HEADER
+
+ if self.acl_type:
+ conf_str += ""
+ if self.acl_num:
+ conf_str += ""
+ if self.acl_step:
+ conf_str += ""
+ if self.acl_description:
+ conf_str += ""
+
+ conf_str += CE_GET_ACL_TAIL
+ recv_xml = self.netconf_get_config(conf_str=conf_str)
+
+ if "" in recv_xml:
+ find_flag = False
+
+ else:
+ xml_str = recv_xml.replace('\r', '').replace('\n', '').\
+ replace('xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"', "").\
+ replace('xmlns="http://www.huawei.com/netconf/vrp"', "")
+
+ root = ElementTree.fromstring(xml_str)
+
+ # parse acl
+ acl_info = root.findall(
+ "data/acl/aclGroups/aclGroup")
+ if acl_info:
+ for tmp in acl_info:
+ tmp_dict = dict()
+ for site in tmp:
+ if site.tag in ["aclNumOrName", "aclType", "aclNumber", "aclStep", "aclDescription"]:
+ tmp_dict[site.tag] = site.text
+
+ self.cur_acl_cfg["acl_info"].append(tmp_dict)
+
+ if self.cur_acl_cfg["acl_info"]:
+ for tmp in self.cur_acl_cfg["acl_info"]:
+ find_flag = True
+
+ if self.acl_name and tmp.get("aclNumOrName") != self.acl_name:
+ find_flag = False
+ if self.acl_type and tmp.get("aclType") != self.acl_type:
+ find_flag = False
+ if self.acl_num and tmp.get("aclNumber") != self.acl_num:
+ find_flag = False
+ if self.acl_step and tmp.get("aclStep") != self.acl_step:
+ find_flag = False
+ if self.acl_description and tmp.get("aclDescription") != self.acl_description:
+ find_flag = False
+
+ if find_flag:
+ break
+ else:
+ find_flag = False
+
+ if self.state == "present":
+ need_cfg = bool(not find_flag)
+ elif self.state == "delete_acl":
+ need_cfg = bool(find_flag)
+ else:
+ need_cfg = False
+
+ self.cur_acl_cfg["need_cfg"] = need_cfg
+
+ def check_base_rule_args(self):
+ """ Check base rule invalid args """
+
+ need_cfg = False
+ find_flag = False
+ self.cur_base_rule_cfg["base_rule_info"] = []
+
+ if self.acl_name:
+
+ if self.state == "absent":
+ if not self.rule_name:
+ self.module.fail_json(
+ msg='Error: Please input rule_name when state is absent.')
+
+ # config rule
+ if self.rule_name:
+ if len(self.rule_name) < 1 or len(self.rule_name) > 32:
+ self.module.fail_json(
+ msg='Error: The len of rule_name is out of [1 - 32].')
+
+ if self.state != "delete_acl" and not self.rule_id:
+ self.module.fail_json(
+ msg='Error: Please input rule_id.')
+
+ if self.rule_id:
+ if self.rule_id.isdigit():
+ if int(self.rule_id) < 0 or int(self.rule_id) > 4294967294:
+ self.module.fail_json(
+ msg='Error: The value of rule_id is out of [0 - 4294967294].')
+ else:
+ self.module.fail_json(
+ msg='Error: The rule_id is not digit.')
+
+ if self.source_ip:
+ if not check_ip_addr(self.source_ip):
+ self.module.fail_json(
+ msg='Error: The source_ip %s is invalid.' % self.source_ip)
+ if not self.src_mask:
+ self.module.fail_json(
+ msg='Error: Please input src_mask.')
+
+ if self.src_mask:
+ if self.src_mask.isdigit():
+ if int(self.src_mask) < 1 or int(self.src_mask) > 32:
+ self.module.fail_json(
+ msg='Error: The src_mask is out of [1 - 32].')
+ self.src_wild = self.get_wildcard_mask()
+ else:
+ self.module.fail_json(
+ msg='Error: The src_mask is not digit.')
+
+ if self.vrf_name:
+ if len(self.vrf_name) < 1 or len(self.vrf_name) > 31:
+ self.module.fail_json(
+ msg='Error: The len of vrf_name is out of [1 - 31].')
+
+ if self.time_range:
+ if len(self.time_range) < 1 or len(self.time_range) > 32:
+ self.module.fail_json(
+ msg='Error: The len of time_range is out of [1 - 32].')
+
+ if self.rule_description:
+ if len(self.rule_description) < 1 or len(self.rule_description) > 127:
+ self.module.fail_json(
+ msg='Error: The len of rule_description is out of [1 - 127].')
+
+ if self.state != "delete_acl" and not self.rule_id:
+ self.module.fail_json(
+ msg='Error: Please input rule_id.')
+
+ conf_str = CE_GET_ACL_BASE_RULE_HEADER % self.acl_name
+
+ if self.rule_id:
+ conf_str += ""
+ if self.rule_action:
+ conf_str += ""
+ if self.source_ip:
+ conf_str += ""
+ if self.src_wild:
+ conf_str += ""
+ if self.frag_type:
+ conf_str += ""
+ if self.vrf_name:
+ conf_str += ""
+ if self.time_range:
+ conf_str += ""
+ if self.rule_description:
+ conf_str += ""
+ conf_str += ""
+
+ conf_str += CE_GET_ACL_BASE_RULE_TAIL
+ recv_xml = self.netconf_get_config(conf_str=conf_str)
+
+ if "" in recv_xml:
+ find_flag = False
+
+ else:
+ xml_str = recv_xml.replace('\r', '').replace('\n', '').\
+ replace('xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"', "").\
+ replace('xmlns="http://www.huawei.com/netconf/vrp"', "")
+
+ root = ElementTree.fromstring(xml_str)
+
+ # parse base rule
+ base_rule_info = root.findall(
+ "data/acl/aclGroups/aclGroup/aclRuleBas4s/aclRuleBas4")
+ if base_rule_info:
+ for tmp in base_rule_info:
+ tmp_dict = dict()
+ for site in tmp:
+ if site.tag in ["aclRuleName", "aclRuleID", "aclAction", "aclSourceIp", "aclSrcWild",
+ "aclFragType", "vrfName", "aclTimeName", "aclRuleDescription",
+ "aclLogFlag"]:
+ tmp_dict[site.tag] = site.text
+
+ self.cur_base_rule_cfg[
+ "base_rule_info"].append(tmp_dict)
+
+ if self.cur_base_rule_cfg["base_rule_info"]:
+ for tmp in self.cur_base_rule_cfg["base_rule_info"]:
+ find_flag = True
+
+ if self.rule_name and tmp.get("aclRuleName") != self.rule_name:
+ find_flag = False
+ if self.rule_id and tmp.get("aclRuleID") != self.rule_id:
+ find_flag = False
+ if self.rule_action and tmp.get("aclAction") != self.rule_action:
+ find_flag = False
+ if self.source_ip:
+ tmp_src_ip = self.source_ip.split(".")
+ tmp_src_wild = self.src_wild.split(".")
+ tmp_addr_item = []
+ for idx in range(4):
+ item1 = 255 - int(tmp_src_wild[idx])
+ item2 = item1 & int(tmp_src_ip[idx])
+ tmp_addr_item.append(item2)
+ tmp_addr = "%s.%s.%s.%s" % (tmp_addr_item[0], tmp_addr_item[1],
+ tmp_addr_item[2], tmp_addr_item[3])
+ if tmp_addr != tmp.get("aclSourceIp"):
+ find_flag = False
+ if self.src_wild and tmp.get("aclSrcWild") != self.src_wild:
+ find_flag = False
+ if self.frag_type and tmp.get("aclFragType") != self.frag_type:
+ find_flag = False
+ if self.vrf_name and tmp.get("vrfName") != self.vrf_name:
+ find_flag = False
+ if self.time_range and tmp.get("aclTimeName") != self.time_range:
+ find_flag = False
+ if self.rule_description and tmp.get("aclRuleDescription") != self.rule_description:
+ find_flag = False
+ if tmp.get("aclLogFlag") != str(self.log_flag).lower():
+ find_flag = False
+
+ if find_flag:
+ break
+ else:
+ find_flag = False
+
+ if self.state == "present":
+ need_cfg = bool(not find_flag)
+ elif self.state == "absent":
+ need_cfg = bool(find_flag)
+ else:
+ need_cfg = False
+
+ self.cur_base_rule_cfg["need_cfg"] = need_cfg
+
+ def get_proposed(self):
+ """ Get proposed state """
+
+ self.proposed["state"] = self.state
+
+ if self.acl_name:
+ self.proposed["acl_name"] = self.acl_name
+ if self.acl_num:
+ self.proposed["acl_num"] = self.acl_num
+ if self.acl_step:
+ self.proposed["acl_step"] = self.acl_step
+ if self.acl_description:
+ self.proposed["acl_description"] = self.acl_description
+ if self.rule_name:
+ self.proposed["rule_name"] = self.rule_name
+ if self.rule_id:
+ self.proposed["rule_id"] = self.rule_id
+ if self.rule_action:
+ self.proposed["rule_action"] = self.rule_action
+ if self.source_ip:
+ self.proposed["source_ip"] = self.source_ip
+ if self.src_mask:
+ self.proposed["src_mask"] = self.src_mask
+ if self.frag_type:
+ self.proposed["frag_type"] = self.frag_type
+ if self.vrf_name:
+ self.proposed["vrf_name"] = self.vrf_name
+ if self.time_range:
+ self.proposed["time_range"] = self.time_range
+ if self.rule_description:
+ self.proposed["rule_description"] = self.rule_description
+ if self.log_flag:
+ self.proposed["log_flag"] = self.log_flag
+
+ def get_existing(self):
+ """ Get existing state """
+
+ self.existing["acl_info"] = self.cur_acl_cfg["acl_info"]
+ self.existing["base_rule_info"] = self.cur_base_rule_cfg[
+ "base_rule_info"]
+
+ def get_end_state(self):
+ """ Get end state """
+
+ self.check_acl_args()
+ self.end_state["acl_info"] = self.cur_acl_cfg["acl_info"]
+
+ self.check_base_rule_args()
+ self.end_state["base_rule_info"] = self.cur_base_rule_cfg[
+ "base_rule_info"]
+
+ def merge_acl(self):
+ """ Merge acl operation """
+
+ conf_str = CE_MERGE_ACL_HEADER % self.acl_name
+
+ if self.acl_type:
+ conf_str += "%s" % self.acl_type
+ if self.acl_num:
+ conf_str += "%s" % self.acl_num
+ if self.acl_step:
+ conf_str += "%s" % self.acl_step
+ if self.acl_description:
+ conf_str += "%s" % self.acl_description
+
+ conf_str += CE_MERGE_ACL_TAIL
+
+ recv_xml = self.netconf_set_config(conf_str=conf_str)
+
+ if "" not in recv_xml:
+ self.module.fail_json(msg='Error: Merge acl failed.')
+
+ if self.acl_name.isdigit():
+ cmd = "acl number %s" % self.acl_name
+ else:
+ if self.acl_type and not self.acl_num:
+ cmd = "acl name %s %s" % (self.acl_name, self.acl_type.lower())
+ elif self.acl_type and self.acl_num:
+ cmd = "acl name %s number %s" % (self.acl_name, self.acl_num)
+ elif not self.acl_type and self.acl_num:
+ cmd = "acl name %s number %s" % (self.acl_name, self.acl_num)
+ self.updates_cmd.append(cmd)
+
+ if self.acl_description:
+ cmd = "description %s" % self.acl_description
+ self.updates_cmd.append(cmd)
+
+ if self.acl_step:
+ cmd = "step %s" % self.acl_step
+ self.updates_cmd.append(cmd)
+
+ self.changed = True
+
+ def delete_acl(self):
+ """ Delete acl operation """
+
+ conf_str = CE_DELETE_ACL_HEADER % self.acl_name
+
+ if self.acl_type:
+ conf_str += "%s" % self.acl_type
+ if self.acl_num:
+ conf_str += "%s" % self.acl_num
+ if self.acl_step:
+ conf_str += "%s" % self.acl_step
+ if self.acl_description:
+ conf_str += "%s" % self.acl_description
+
+ conf_str += CE_DELETE_ACL_TAIL
+
+ recv_xml = self.netconf_set_config(conf_str=conf_str)
+
+ if "" not in recv_xml:
+ self.module.fail_json(msg='Error: Delete acl failed.')
+
+ if self.acl_description:
+ cmd = "undo description"
+ self.updates_cmd.append(cmd)
+
+ if self.acl_step:
+ cmd = "undo step"
+ self.updates_cmd.append(cmd)
+
+ if self.acl_name.isdigit():
+ cmd = "undo acl number %s" % self.acl_name
+ else:
+ cmd = "undo acl name %s" % self.acl_name
+ self.updates_cmd.append(cmd)
+
+ self.changed = True
+
+ def merge_base_rule(self):
+ """ Merge base rule operation """
+
+ conf_str = CE_MERGE_ACL_BASE_RULE_HEADER % (
+ self.acl_name, self.rule_name)
+
+ if self.rule_id:
+ conf_str += "%s" % self.rule_id
+ if self.rule_action:
+ conf_str += "%s" % self.rule_action
+ if self.source_ip:
+ conf_str += "%s" % self.source_ip
+ if self.src_wild:
+ conf_str += "%s" % self.src_wild
+ if self.frag_type:
+ conf_str += "%s" % self.frag_type
+ if self.vrf_name:
+ conf_str += "%s" % self.vrf_name
+ if self.time_range:
+ conf_str += "%s" % self.time_range
+ if self.rule_description:
+ conf_str += "%s" % self.rule_description
+ conf_str += "%s" % str(self.log_flag).lower()
+
+ conf_str += CE_MERGE_ACL_BASE_RULE_TAIL
+
+ recv_xml = self.netconf_set_config(conf_str=conf_str)
+
+ if "" not in recv_xml:
+ self.module.fail_json(msg='Error: Merge acl base rule failed.')
+
+ if self.rule_action:
+ cmd = "rule"
+ if self.rule_id:
+ cmd += " %s" % self.rule_id
+ cmd += " %s" % self.rule_action
+ if self.frag_type == "fragment":
+ cmd += " fragment-type fragment"
+ if self.source_ip and self.src_wild:
+ cmd += " source %s %s" % (self.source_ip, self.src_wild)
+ if self.time_range:
+ cmd += " time-range %s" % self.time_range
+ if self.vrf_name:
+ cmd += " vpn-instance %s" % self.vrf_name
+ if self.log_flag:
+ cmd += " logging"
+ self.updates_cmd.append(cmd)
+
+ if self.rule_description:
+ cmd = "rule %s description %s" % (
+ self.rule_id, self.rule_description)
+ self.updates_cmd.append(cmd)
+
+ self.changed = True
+
+ def delete_base_rule(self):
+ """ Delete base rule operation """
+
+ conf_str = CE_DELETE_ACL_BASE_RULE_HEADER % (
+ self.acl_name, self.rule_name)
+
+ if self.rule_id:
+ conf_str += "%s" % self.rule_id
+ if self.rule_action:
+ conf_str += "%s" % self.rule_action
+ if self.source_ip:
+ conf_str += "%s" % self.source_ip
+ if self.src_wild:
+ conf_str += "%s" % self.src_wild
+ if self.frag_type:
+ conf_str += "%s" % self.frag_type
+ if self.vrf_name:
+ conf_str += "%s" % self.vrf_name
+ if self.time_range:
+ conf_str += "%s" % self.time_range
+ if self.rule_description:
+ conf_str += "%s" % self.rule_description
+ conf_str += "%s" % str(self.log_flag).lower()
+
+ conf_str += CE_DELETE_ACL_BASE_RULE_TAIL
+
+ recv_xml = self.netconf_set_config(conf_str=conf_str)
+
+ if "" not in recv_xml:
+ self.module.fail_json(msg='Error: Delete acl base rule failed.')
+
+ if self.rule_description:
+ if self.acl_name.isdigit():
+ cmd = "acl number %s" % self.acl_name
+ else:
+ cmd = "acl name %s" % self.acl_name
+ self.updates_cmd.append(cmd)
+
+ cmd = "undo rule %s description" % self.rule_id
+ self.updates_cmd.append(cmd)
+
+ if self.rule_id:
+ if self.acl_name.isdigit():
+ cmd = "acl number %s" % self.acl_name
+ else:
+ cmd = "acl name %s" % self.acl_name
+ self.updates_cmd.append(cmd)
+
+ cmd = "undo rule %s" % self.rule_id
+ self.updates_cmd.append(cmd)
+ elif self.rule_action:
+ if self.acl_name.isdigit():
+ cmd = "acl number %s" % self.acl_name
+ else:
+ cmd = "acl name %s" % self.acl_name
+ self.updates_cmd.append(cmd)
+
+ cmd = "undo rule"
+ cmd += " %s" % self.rule_action
+ if self.frag_type == "fragment":
+ cmd += " fragment-type fragment"
+ if self.source_ip and self.src_wild:
+ cmd += " source %s %s" % (self.source_ip, self.src_wild)
+ if self.time_range:
+ cmd += " time-range %s" % self.time_range
+ if self.vrf_name:
+ cmd += " vpn-instance %s" % self.vrf_name
+ if self.log_flag:
+ cmd += " logging"
+ self.updates_cmd.append(cmd)
+
+ self.changed = True
+
+ def work(self):
+ """ Main work function """
+
+ self.check_acl_args()
+ self.check_base_rule_args()
+ self.get_proposed()
+ self.get_existing()
+
+ if self.state == "present":
+ if self.cur_acl_cfg["need_cfg"]:
+ self.merge_acl()
+ if self.cur_base_rule_cfg["need_cfg"]:
+ self.merge_base_rule()
+
+ elif self.state == "absent":
+ if self.cur_base_rule_cfg["need_cfg"]:
+ self.delete_base_rule()
+
+ elif self.state == "delete_acl":
+ if self.cur_acl_cfg["need_cfg"]:
+ self.delete_acl()
+
+ self.get_end_state()
+
+ self.results['changed'] = self.changed
+ self.results['proposed'] = self.proposed
+ self.results['existing'] = self.existing
+ self.results['end_state'] = self.end_state
+ self.results['updates'] = self.updates_cmd
+
+ self.module.exit_json(**self.results)
+
+
+def main():
+ """ Module main """
+
+ argument_spec = dict(
+ state=dict(choices=['present', 'absent',
+ 'delete_acl'], default='present'),
+ acl_name=dict(type='str', required=True),
+ acl_num=dict(type='str'),
+ acl_step=dict(type='str'),
+ acl_description=dict(type='str'),
+ rule_name=dict(type='str'),
+ rule_id=dict(type='str'),
+ rule_action=dict(choices=['permit', 'deny']),
+ source_ip=dict(type='str'),
+ src_mask=dict(type='str'),
+ frag_type=dict(choices=['fragment', 'clear_fragment']),
+ vrf_name=dict(type='str'),
+ time_range=dict(type='str'),
+ rule_description=dict(type='str'),
+ log_flag=dict(required=False, default=False, type='bool')
+ )
+
+ argument_spec.update(ce_argument_spec)
+ module = BaseAcl(argument_spec=argument_spec)
+ module.work()
+
+
+if __name__ == '__main__':
+ main()