ce_acl_advance - Manages advanced ACL configuration on HUAWEI CloudEngine switches.

New in version 2.4.

Synopsis

  • Manages advanced ACL configurations on HUAWEI CloudEngine switches.

Options

Each option is shown as its name (required or optional; default value and allowed choices where the module defines them), followed by its description.

acl_description (optional)
    ACL description. The value is a string of 1 to 127 characters.

acl_name (required)
    ACL number or name. For a numbered rule group, a value from 3000 to 3999 indicates an advanced ACL. For a named rule group, the value is a string of 1 to 32 case-sensitive characters starting with a letter; spaces are not supported.

acl_num (optional)
    ACL number. The value is an integer ranging from 3000 to 3999.

acl_step (optional)
    ACL step. The value is an integer ranging from 1 to 20. The default value is 5.

dest_ip (optional)
    Destination IP address. The value is a string of 0 to 255 characters in dotted decimal notation. The default value is 0.0.0.0.

dest_mask (optional)
    Destination IP address mask. The value is an integer ranging from 1 to 32.

dest_pool_name (optional)
    Name of a destination pool. The value is a string of 1 to 32 characters.

dest_port_begin (optional)
    Start port number of the destination port. The value is an integer ranging from 0 to 65535.

dest_port_end (optional)
    End port number of the destination port. The value is an integer ranging from 0 to 65535.

dest_port_op (optional; choices: lt, eq, gt, range)
    Range type of the destination port.

dest_port_pool_name (optional)
    Name of a destination port pool. The value is a string of 1 to 32 characters.

dscp (optional)
    Differentiated Services Code Point. The value is an integer ranging from 0 to 63.

established (optional; choices: true, false)
    Match established connections.

frag_type (optional; choices: fragment, clear_fragment)
    Type of packet fragmentation.

icmp_code (optional)
    ICMP message code. Data packets can be filtered based on the ICMP message code. The value is an integer ranging from 0 to 255.

icmp_name (optional; choices: unconfiged, echo, echo-reply, fragmentneed-DFset, host-redirect, host-tos-redirect, host-unreachable, information-reply, information-request, net-redirect, net-tos-redirect, net-unreachable, parameter-problem, port-unreachable, protocol-unreachable, reassembly-timeout, source-quench, source-route-failed, timestamp-reply, timestamp-request, ttl-exceeded, address-mask-reply, address-mask-request, custom)
    ICMP name.

icmp_type (optional)
    ICMP type. This parameter is available only when the packet protocol is ICMP. The value is an integer ranging from 0 to 255.

igmp_type (optional; choices: host-query, mrouter-adver, mrouter-solic, mrouter-termi, mtrace-resp, mtrace-route, v1host-report, v2host-report, v2leave-group, v3host-report)
    Internet Group Management Protocol (IGMP) message type.

log_flag (optional; choices: true, false)
    Flag of logging matched data packets.

precedence (optional)
    Data packets can be filtered based on the priority field. The value is an integer ranging from 0 to 7.

protocol (optional; choices: ip, icmp, igmp, ipinip, tcp, udp, gre, ospf)
    Protocol type.

rule_action (optional; choices: permit, deny)
    Matching mode of basic ACL rules.

rule_description (optional)
    Description of an ACL rule.

rule_id (optional)
    ID of a basic ACL rule in configuration mode. The value is an integer ranging from 0 to 4294967294.

rule_name (optional)
    Name of a basic ACL rule. The value is a string of 1 to 32 characters.

source_ip (optional)
    Source IP address. The value is a string of 0 to 255 characters in dotted decimal notation. The default value is 0.0.0.0.

src_mask (optional)
    Source IP address mask. The value is an integer ranging from 1 to 32.

src_pool_name (optional)
    Name of a source pool. The value is a string of 1 to 32 characters.

src_port_begin (optional)
    Start port number of the source port. The value is an integer ranging from 0 to 65535.

src_port_end (optional)
    End port number of the source port. The value is an integer ranging from 0 to 65535.

src_port_op (optional; choices: lt, eq, gt, range)
    Range type of the source port.

src_port_pool_name (optional)
    Name of a source port pool. The value is a string of 1 to 32 characters.

state (optional; default: present; choices: present, absent, delete_acl)
    Specify the desired state of the resource.

syn_flag (optional)
    TCP flag value. The value is an integer ranging from 0 to 63.

tcp_flag_mask (optional)
    TCP flag mask value. The value is an integer ranging from 0 to 63.

time_range (optional)
    Name of a time range in which an ACL rule takes effect.

tos (optional)
    ToS value on which data packet filtering is based. The value is an integer ranging from 0 to 15.

ttl_expired (optional; choices: true, false)
    Whether packets whose TTL has expired (TTL value of 1) are matched.

vrf_name (optional)
    VPN instance name. The value is a string of 1 to 31 characters. The default value is _public_.

Examples

- name: CloudEngine advance acl test
  hosts: cloudengine
  connection: local
  gather_facts: no
  vars:
    cli:
      host: "{{ inventory_hostname }}"
      port: "{{ ansible_ssh_port }}"
      username: "{{ username }}"
      password: "{{ password }}"
      transport: cli

  tasks:

  - name: "Config ACL"
    ce_acl_advance:
      state: present
      acl_name: 3200
      provider: "{{ cli }}"

  - name: "Undo ACL"
    ce_acl_advance:
      state: delete_acl
      acl_name: 3200
      provider: "{{ cli }}"

  - name: "Config ACL advance rule"
    ce_acl_advance:
      state: present
      acl_name: test
      rule_name: test_rule
      rule_id: 111
      rule_action: permit
      protocol: tcp
      source_ip: 10.10.10.10
      src_mask: 24
      frag_type: fragment
      provider: "{{ cli }}"

  - name: "Undo ACL advance rule"
    ce_acl_advance:
      state: absent
      acl_name: test
      rule_name: test_rule
      rule_id: 111
      rule_action: permit
      protocol: tcp
      source_ip: 10.10.10.10
      src_mask: 24
      frag_type: fragment
      provider: "{{ cli }}"
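
A pre-flight validator for ce_acl_advance task arguments, added here as an example (it is not part of the Ansible module or of any Huawei code): it checks a task's parameters against the ranges and rules in the option table above, so that an out-of-range rule_id, a numbered ACL outside 3000-3999, a non-dotted-decimal address or a port range with a missing end is rejected in CI before the play ever reaches the switch. The function names are assumptions, as is the rule that icmp_code (like icmp_type) is only meaningful when protocol is icmp.

```python
"""Pre-flight check of ce_acl_advance task arguments against the option table
above. Added example; not part of the module. Run it in CI so a malformed rule
fails before anything is pushed to the switch."""
import ipaddress
import re

NAMED_ACL = re.compile(r"^[A-Za-z]\S{0,31}$")  # letter first, no spaces, <= 32 chars
INT_RANGES = {  # field: (min, max) as documented in the option table
    "rule_id": (0, 4294967294), "acl_step": (1, 20), "src_mask": (1, 32),
    "dest_mask": (1, 32), "dscp": (0, 63), "precedence": (0, 7), "tos": (0, 15),
    "icmp_type": (0, 255), "icmp_code": (0, 255), "syn_flag": (0, 63),
    "tcp_flag_mask": (0, 63), "src_port_begin": (0, 65535), "src_port_end": (0, 65535),
    "dest_port_begin": (0, 65535), "dest_port_end": (0, 65535),
}


def _check_ports(args, side, errors):
    """lt/eq/gt need <side>_port_begin; range also needs <side>_port_end >= begin."""
    op, begin, end = (args.get(f"{side}_port_{k}") for k in ("op", "begin", "end"))
    if op is None:
        return
    if begin is None:
        errors.append(f"{side}_port_op={op} requires {side}_port_begin")
    if op == "range" and end is None:
        errors.append(f"{side}_port_op=range requires {side}_port_end")
    elif op == "range" and begin is not None and int(begin) > int(end):
        errors.append(f"{side}_port_begin exceeds {side}_port_end")


def validate_acl_advance(args):
    """Return a list of problems found; an empty list means the task is well-formed."""
    errors = []
    name = str(args.get("acl_name", ""))  # YAML may hand us an int for numbered ACLs
    if name.isdigit() and not 3000 <= int(name) <= 3999:
        errors.append(f"numbered ACL {name} is outside 3000-3999, so it is not an advanced ACL")
    elif not name.isdigit() and not NAMED_ACL.match(name):
        errors.append("acl_name must start with a letter, contain no spaces and be 1-32 chars")
    for field, (lo, hi) in INT_RANGES.items():
        if field in args and not lo <= int(args[field]) <= hi:
            errors.append(f"{field}={args[field]} is outside {lo}-{hi}")
    for field in ("source_ip", "dest_ip"):
        try:
            ipaddress.IPv4Address(args.get(field, "0.0.0.0"))  # dotted decimal only
        except ValueError:
            errors.append(f"{field}={args[field]!r} is not dotted decimal notation")
    if args.get("protocol") != "icmp" and ("icmp_type" in args or "icmp_code" in args):
        errors.append("icmp_type/icmp_code are only valid when protocol is icmp")  # assumption for icmp_code
    for side in ("src", "dest"):
        _check_ports(args, side, errors)
    return errors
```

Feed it the `ce_acl_advance:` mapping of each task (minus `provider`) and fail the pipeline on a non-empty result.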

Return Values

Common return values are documented in Return Values; the following fields are unique to this module:

end_state
    description: k/v pairs of aaa params after module execution
    returned: always
    type: dict
    sample: {}

changed
    description: check to see if a change was made on the device
    returned: always
    type: boolean
    sample: True

updates
    description: command sent to the device
    returned: always
    type: list
    sample: ['undo acl name test']

proposed
    description: k/v pairs of parameters passed into module
    returned: always
    type: dict
    sample: {'state': 'delete_acl', 'acl_name': 'test'}

existing
    description: k/v pairs of existing aaa server
    returned: always
    type: dict
    sample: {'aclNumOrName': 'test', 'aclType': 'Advance'}

Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

Support

This module is community maintained without core committer oversight.

For more information on what this means, please read Module Support.

For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Testing Ansible and Developing Modules.

© 2012–2017 Michael DeHaan
© 2017 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/ce_acl_advance_module.html