
Capirca ACL Collection for Ansible

This repo hosts an unofficial Capirca Ansible Collection.

This collection includes a module (translate) for using Capirca from your Ansible playbooks, as well as lookup plugins for resolving symbols into networks and services.

Included content

Click on the name of a plugin or module to view that content's documentation:

  • Modules:
    • translate: Generate an ACL from a Capirca policy file.
  • Plugins:
    • network: Lookup network definition.
    • service: Lookup service definition.

Installation and Usage

Installing the Collection from Ansible Galaxy

Before using this collection, you need to install it with the Ansible Galaxy CLI:

ansible-galaxy collection install nleiva.capirca_acl

You can also include it in a requirements.yml file and install it via ansible-galaxy collection install -r requirements.yml, using the format:

---
collections:
  - name: nleiva.capirca_acl
    version: 0.3.1

Using modules from the Capirca ACL Collection in your playbooks

You can either call modules by their Fully Qualified Collection Namespace (FQCN), like nleiva.capirca_acl.translate, or you can call modules by their short name if you list the nleiva.capirca_acl collection in the playbook's collections, like so:

---
- hosts: localhost
  gather_facts: no
  connection: local

  collections:
    - nleiva.capirca_acl

  tasks:
    - name: Run this module to generate an ACL
      translate:
        platform: 'ciscoxr'
        filter_options:
          - ipv6-test-filter
          - inet6
        def_folder: "files/def"
        pol_file: "files/policies/terms.pol"
      register: testout

    - name: Dump the resulting ACL
      debug:
        msg: '{{ testout.message }}'

See translate for more details.

Using plugins from the Capirca ACL Collection in your playbooks

    - name: Lookup services
      ansible.builtin.debug:
        msg:
          - "{{ lookup('nleiva.capirca_acl.service', 'HTTP', 'HTTPS', def_folder='tests/integration/targets/translate/files/def') }}"
      # '80/tcp,443/tcp'

    - name: Lookup network
      ansible.builtin.debug:
        msg:
          - "{{ lookup('nleiva.capirca_acl.network', 'WEB_SERVERS', def_folder='tests/integration/targets/translate/files/def') }}"
      # [IPv4('200.1.1.1/32'), IPv4('200.1.1.2/32')]
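To show what the two lookups resolve, here is an added, simplified re-implementation of Capirca-style symbol resolution (it is not the collection's plugin code nor Capirca's own naming library): it parses definition text in the "NAME = token  # comment" format with indented continuation lines, follows references to other symbols, and rejects undefined names and definition cycles. The definitions, names and addresses below are constructed, and networks are returned as standard-library ip_network objects rather than Capirca's IPv4 type.

```python
import ipaddress
# Added example, not the collection's plugin or Capirca's own naming library.
# Constructed definitions in Capirca's "NAME = token  # comment" syntax: indented
# lines continue a definition and a token may name another symbol.
NETWORK_DEFS = """
WEB_SERVERS = 200.1.1.1/32  # primary
              200.1.1.2/32  # secondary
DMZ = WEB_SERVERS
      203.0.113.0/24
"""
SERVICE_DEFS = """
HTTP = 80/tcp
HTTPS = 443/tcp
WEB = HTTP HTTPS
"""

def parse_defs(text):
    """Return {NAME: [raw tokens]}, dropping comments and blank lines."""
    table, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if "=" in line:
            current, _, rhs = (s.strip() for s in line.partition("="))
            table[current] = rhs.split()
        elif current is None:
            raise ValueError(f"value before any name: {raw!r}")
        else:
            table[current].extend(line.split())  # continuation line
    return table

def resolve(table, name, _seen=()):
    """Expand NAME to leaf tokens; fail on an undefined symbol or a cycle."""
    if name not in table:
        raise KeyError(f"undefined symbol {name!r}")
    if name in _seen:
        raise ValueError(f"definition cycle at {name!r}")
    leaves = []
    for tok in table[name]:
        if tok in table:  # reference to another definition: recurse
            leaves.extend(resolve(table, tok, _seen + (name,)))
        else:
            leaves.append(tok)
    return leaves

def lookup_network(name, defs=NETWORK_DEFS):  # like the 'network' lookup
    return [ipaddress.ip_network(t) for t in resolve(parse_defs(defs), name)]
def lookup_service(*names, defs=SERVICE_DEFS):  # like the 'service' lookup
    table = parse_defs(defs)
    return ",".join(t for n in names for t in resolve(table, n))
```

Calling lookup_service("HTTP", "HTTPS") yields the same '80/tcp,443/tcp' string shown in the task output above; a misspelled symbol fails loudly instead of producing an empty (and therefore silently permissive or blocking) ACL term.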

Run an example

The example documented in translate can be run with:

make example

Testing and Development

Testing with ansible-test

The tests directory contains configuration for running sanity and integration tests using ansible-test.

You can run the collection's test suites with the command:

make test-remote

Testing locally with Ansible

You can run the collection's test suites without ansible-test with the command:

make test-local

Publishing New Versions

We first need to make sure the test cases run successfully:

make test-local

Then tag the release with a version number greater than the latest one. Finally, build:

make build

It will end up on the Capirca Collection Galaxy page (https://galaxy.ansible.com/nleiva/capirca_acl) if you have access to the namespace.

More Information

For more information about Capirca, join the #capirca channel on NetworkToCode Slack, and browse the resources in the Capirca Wiki page.

License

GNU General Public License v3.0 or later

See LICENCE for the full text.

Issues

lookup plugin

We need to access capirca symbols through ansible and I'd like to add a lookup plugin for that. Do you think that's feasible in this repo?

Nftables

Hi,
I am in the process of moving from iptables to nftables.
I am trying to re-use as much of my current configuration as possible.

After testing my policy files with capirca I am confident that they are generating the needed policies.

I have created a new task like this

  - name: Nftables - Generate ACL for INPUT
    nleiva.capirca_acl.translate:
      platform: 'nftables'
      filter_options:
          - inet
      def_folder: "{{ def_folder }}"
      pol_file: "{{ input }}"
      comment: "INPUT policy for nftables."
    register: input_res

First, I have some doubts about the filter_options values for nftables, and the documentation is not clear to me.
How can I specify:

  • inet
  • input
  • 0 (for weight)

Second, I have tried with a policy file like this:

header {
  target:: nftables
}

# Default policies

# This NFTables ACL generator generates stateful policies via conntrack

term base-allow-icmp-in {
  protocol:: icmp
  icmp-type:: echo-request
  action:: accept
}

I get an error:

raise NoTermsError('no terms found')\ncapirca.lib.policy.NoTermsError: no terms found\n"

And with a policy file like this:

# Default policies

# This NFTables ACL generator generates stateful policies via conntrack

term base-allow-icmp-in {
  protocol:: icmp
  icmp-type:: echo-request
  action:: accept
}

I get an error:

capirca.lib.nftables.HeaderError: Invalid header for Nftables. Required fields missing.

I have tried several different options but can't find the right one. Do you have an example for nftables?
Thanks.

I have checked the capirca documentation and I see:

target:: nftables [chain name] [filter name] [priority] [inet|inet6]

So for me the right filter_options is

filter_options: ['nftables','INPUT','0','inet']

But the error here is:

The error was: capirca.lib.nftables.HeaderError: Invalid address family in header: nftables. Supported: frozenset({'mixed', 'inet6', 'inet'})
