ACL ACEs with - in port_protocol get replaced by _ #496

Open
TheRealBecks opened this issue Nov 27, 2023 · 0 comments

SUMMARY

Arista EOS uses port number translation, e.g. port 22 is ssh in Arista ACLs. Port names with a - like bfd-echo will be used as bfd_echo internally.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

eos_acls (the corresponding facts module, to be precise)

ANSIBLE VERSION
ansible [core 2.15.6]
  config file = /home/mbeckert/Entwicklung/Strato/lightning/lightning/ansible.cfg
  configured module search path = ['/home/mbeckert/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/mbeckert/.local/share/virtualenvs/lightning-vg2lOQBb/lib/python3.11/site-packages/ansible
  ansible collection location = /home/mbeckert/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/mbeckert/.local/share/virtualenvs/lightning-vg2lOQBb/bin/ansible
  python version = 3.11.6 (main, Nov 15 2023, 09:22:27) [GCC] (/home/mbeckert/.local/share/virtualenvs/lightning-vg2lOQBb/bin/python)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
Collection        Version
----------------- -------
community.general 7.5.1
CONFIGURATION
CONFIG_FILE() = /home/mbeckert/Entwicklung/Strato/lightning/lightning/ansible.cfg
DEFAULT_FORKS(/home/mbeckert/Entwicklung/Strato/lightning/lightning/ansible.cfg) = 10
DEFAULT_HASH_BEHAVIOUR(/home/mbeckert/Entwicklung/Strato/lightning/lightning/ansible.cfg) = merge
DEFAULT_HOST_LIST(/home/mbeckert/Entwicklung/Strato/lightning/lightning/ansible.cfg) = ['/home/mbeckert/Entwicklung/Strato/lightning/lightning/inventory.yml']
DEFAULT_ROLES_PATH(/home/mbeckert/Entwicklung/Strato/lightning/lightning/ansible.cfg) = ['/home/mbeckert/Entwicklung/Strato/lightning/lightning/roles']
DEFAULT_VAULT_PASSWORD_FILE(/home/mbeckert/Entwicklung/Strato/lightning/lightning/ansible.cfg) = /home/mbeckert/Entwicklung/Strato/lightning/lightning/.vault_passphrase/open_vault.sh
EDITOR(env: EDITOR) = nano
PAGER(env: PAGER) = less
OS / ENVIRONMENT

Arista EOS 4.28.4M

STEPS TO REPRODUCE

task.yml:

---
- name: ACL
  arista.eos.eos_acls:
    state: "replaced"
    config:
      - afi: ipv4
        acls:
          - name: test-acl
            aces:
              - sequence: 10
                grant: permit
                protocol: udp
                source:
                  any: true
                destination:
                  any: true
                  port_protocol:
                    eq: bfd-echo

-> bfd-echo as being configured in EOS

EXPECTED RESULTS

From the second run on the configuration will be listed with ok status.

ACTUAL RESULTS

From the second run on the configuration will be listed with changed status.

Output commands:

"commands": [
    "ip access-list test-acl",
    "no 10",
    "10 permit udp any any eq bfd-echo"
],

-> The first run will configure the ACL as expected, but from the second run on the ACEs with a - in the port name will be deleted and re-configured once again.

Output invocation:

"invocation": {
    "module_args": {
        "config": [
            {
                "acls": [
                    {
                        "aces": [
                            {
                                "destination": {
                                    "address": null,
                                    "any": true,
                                    "host": null,
                                    "port_protocol": {
                                        "eq": "bfd-echo"
                                    },
                                    "subnet_address": null,
                                    "wildcard_bits": null
                                },
                                "fragment_rules": null,
                                "fragments": null,
                                "grant": "permit",
                                "hop_limit": null,
                                "line": null,
                                "log": null,
                                "protocol": "udp",
                                "protocol_options": null,
                                "remark": null,
                                "sequence": 10,
                                "source": {
                                    "address": null,
                                    "any": true,
                                    "host": null,
                                    "port_protocol": null,
                                    "subnet_address": null,
                                    "wildcard_bits": null
                                },
                                "tracked": null,
                                "ttl": null,
                                "vlan": null
                            }
                        ],
                        "name": "test-acl",
                        "standard": null
                    }
                ],
                "afi": "ipv4"
            }
        ],
        "running_config": null,
        "state": "replaced"
    }
}

Before:

dev_config: '10 permit udp any any eq bfd-echo'

After:

dev_config: '10 permit udp any any eq bfd_echo'

When the have variable is filled, the facts module for ACLs is called. This is where the string conversion from - to _ happens:

dev_config = re.sub("-", "_", dev_config)

❓ What is that string conversion good for? Do we need this? I tested it without that code line and it's working for me.

@rohitthakur2590 rohitthakur2590 added the bug This issue/PR relates to a bug. label Nov 29, 2023
@NilashishC NilashishC added the acls acls resource module label Nov 29, 2023
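
A minimal reproduction of the want/have comparison described in this issue, added here as an illustration and not taken from the arista.eos collection. Only the `re.sub` call comes from the issue; `parse_ace`, `render`, `replaced_commands` and the ACE regex are hypothetical simplifications that handle just the `any any eq <port>` form used in the report.

```python
import re

# Constructed sample input: the ACE as the device reports it, and the ACE the task asks for.
RUNNING_LINE = "10 permit udp any any eq bfd-echo"
WANT = {"sequence": 10, "grant": "permit", "protocol": "udp",
        "source": "any", "destination": "any", "port_eq": "bfd-echo"}

# Hypothetical, simplified grammar for one ACE line (not the collection's parser).
ACE_RE = re.compile(
    r"^(?P<sequence>\d+) (?P<grant>permit|deny) (?P<protocol>\S+) "
    r"(?P<source>\S+) (?P<destination>\S+)(?: eq (?P<port_eq>\S+))?$"
)


def parse_ace(line, normalize_hyphens):
    """Turn one running-config ACE line into a dict of facts ('have')."""
    if normalize_hyphens:
        # The substitution quoted in the issue: it rewrites the whole line,
        # so hyphenated port names (values) are altered along with keywords.
        line = re.sub("-", "_", line)
    match = ACE_RE.match(line)
    if match is None:
        raise ValueError(f"unparsed ACE line: {line!r}")
    ace = match.groupdict()
    ace["sequence"] = int(ace["sequence"])
    return ace


def render(ace):
    """Render an ACE dict back into an EOS ACL entry."""
    cmd = (f"{ace['sequence']} {ace['grant']} {ace['protocol']} "
           f"{ace['source']} {ace['destination']}")
    if ace.get("port_eq"):
        cmd += f" eq {ace['port_eq']}"
    return cmd


def replaced_commands(acl_name, want, have):
    """Commands a simplified 'replaced' run emits for one ACE; [] means 'ok'."""
    if want == have:
        return []
    return [f"ip access-list {acl_name}", f"no {have['sequence']}", render(want)]


if __name__ == "__main__":
    for flag in (True, False):
        have = parse_ace(RUNNING_LINE, normalize_hyphens=flag)
        print(flag, replaced_commands("test-acl", WANT, have))
```

With the substitution the parsed port is `bfd_echo`, so every run differs from the wanted `bfd-echo` and re-emits the `no 10` / re-add pair; without it the diff is empty.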