Hi all, does anyone have a working YDK Python script to remove an ACL entry in an existing ACL on IOS-XR 6.1.3? Have tried using CRUD DELETE and ydk.types DELETE, both to no avail. Using the Cisco-IOS-XR-ipv4-acl-cfg.yang model.
You can use this sample app to delete ACL entries.
The above-mentioned app can be used as a sample app to delete the whole ACL, but not just an ACL entry in an ACL. Looking for a sample app to delete an ACL entry without having to delete the whole ACL.
Try something like this:
from ydk.models.cisco_ios_xr import Cisco_IOS_XR_ipv4_acl_cfg

# the ACE we want to delete
d_ace = Cisco_IOS_XR_ipv4_acl_cfg.Ipv4AclAndPrefixList.Accesses.Access.AccessListEntries.AccessListEntry()
d_ace.sequence_number = 10

# the ACL we want to delete an entry from
d_acl = Cisco_IOS_XR_ipv4_acl_cfg.Ipv4AclAndPrefixList.Accesses.Access()
d_acl.access_list_name = 'FOO'

# add the ACE to the ACL so the delete carries the full path (ACL name + sequence number)
d_acl.access_list_entries.access_list_entry.append(d_ace)

# c is the CRUDService instance and session the NetconfServiceProvider connected to the device
c.delete(session, d_ace)
Below is the error message when trying the above code.
ydk.errors.YPYServiceProviderError: Server reported an error while committing change.
error-type: application
error-tag: operation-failed
error-severity: error
error-path: ns1:ipv4-acl-and-prefix-list/ns1:accesses/ns1:access[access-list-name = 'ACL1']/ns1:access-list-entries/ns1:access-list-entry[sequence-number = '20']
error-message: File exists: ACL is being used by the following clients,Detach the access list from all the clients and then remove ACL
---
error-message: process : pkg/bin/netio pid : 327775 node : node0_0_CPU0
The configuration on the IOS-XR device when the code is attempted is below:
RP/0/0/CPU0:xrv1#sh run ipv4 access-list
Fri Jun 23 13:53:53.130 UTC
ipv4 access-list ACL1
10 remark x
20 permit tcp host 172.31.255.1 any match-any +ack +fin +psh +syn +urg
!
ipv4 access-list ACL2
10 remark acl2
!
RP/0/0/CPU0:xrv1#sh run int g0/0/0/0
Fri Jun 23 14:00:58.201 UTC
interface GigabitEthernet0/0/0/0
shutdown
ipv4 access-group ACL1 egress
!
RP/0/0/CPU0:xrv1#
The IOS-XR device tries to remove the ACL upon receiving the request.
This is a semantic restriction in IOS-XR. The restriction is that you may not delete all ACEs from an ACL that is in use. You will get exactly the same error if you tried the same operation via the CLI. You have a remark in the ACL also, but remark entries do not count in this case. The error is actually coming from the underlying logic that deals with activating the ACL. When you try to bind an ACL with only a remark statement in it to an interface, we see this error:
RP/0/RP0/CPU0:r622prod(config-if)#show configuration failed
Fri Jun 23 13:30:17.034 UTC
!! SEMANTIC ERRORS: This configuration was rejected by
!! the system due to semantic errors. The individual
!! errors with each failed configuration command can be
!! found below.
interface GigabitEthernet0/0/0/0
ipv4 access-group FOO ingress
!!% 'pfilter-ma' detected the 'warning' condition 'The verification of the specified access list failed because either it's empty or it has remark ACEs only.'
!
end
Note that if the ACL wasn't attached to any target this wouldn't be an issue.
Unfortunately, this kind of restriction can be hard to express in YANG constraints, and so currently we have nothing in the model to describe this.
As a workaround, and depending on what your overall ACL policy is, I can suggest having either a trailing "deny ip any any" or a trailing "permit ip any any" that is left in place always, to allow you to manipulate all other ACEs.
- Is there a way to use YDK to ask for all targets that an ACL is applied on? Instead of modifying a live ACL, I'd be able to detach the ACL from all targets, remove the ACL, re-create the ACL with new content and apply the new ACL on all targets; therefore it'd be useful to retrieve the existing targets of an ACL from the device.
What you need to use as a query if you're doing netconf directly, is a subtree filter like this:
<interface-configurations xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ifmgr-cfg">
<interface-configuration>
<ipv4-packet-filter xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ip-pfilter-cfg">
<inbound>
<acl-name-array>FOO</acl-name-array>
</inbound>
</ipv4-packet-filter>
</interface-configuration>
</interface-configurations>
When my configuration looks like:
interface GigabitEthernet0/0/0/0
ipv4 address 10.1.2.1 255.255.255.0
ipv4 access-group FOO ingress
!
interface GigabitEthernet0/0/0/1
shutdown
!
interface GigabitEthernet0/0/0/2
shutdown
ipv4 access-group FOO ingress
!
...this subtree filter will return something like:
(v) /opt/git-repos/ncc-devnet master ↓·1
16:13 $ python ncc.py --host=127.0.0.1 --port=8300 -g --named-filter ingress-acl-interfaces
<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0">
<interface-configurations xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ifmgr-cfg">
<interface-configuration>
<active>act</active>
<interface-name>GigabitEthernet0/0/0/0</interface-name>
<ipv4-packet-filter xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ip-pfilter-cfg">
<inbound>
<acl-name-array>FOO</acl-name-array>
<is-common-array>false</is-common-array>
</inbound>
</ipv4-packet-filter>
</interface-configuration>
<interface-configuration>
<active>act</active>
<interface-name>GigabitEthernet0/0/0/2</interface-name>
<ipv4-packet-filter xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ip-pfilter-cfg">
<inbound>
<acl-name-array>FOO</acl-name-array>
<is-common-array>false</is-common-array>
</inbound>
</ipv4-packet-filter>
</interface-configuration>
</interface-configurations>
</data>
ncc.py is a Python script you can find at https://github.com/CiscoDevNet/ncc
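The same subtree filter, built and then consumed from a script, as an added example that is not part of the thread or of ncc.py: acl_subtree_filter() produces the filter shown above for any ACL name and direction, and acl_targets() walks a <data> reply and returns every interface that binds the ACL, which is the list you need to detach from before the ACL itself can be removed. The reply is constructed here from the ncc.py output above; the outbound handling assumes the pfilter model's outbound container mirrors inbound.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "ifmgr": "http://cisco.com/ns/yang/Cisco-IOS-XR-ifmgr-cfg",
    "pfilter": "http://cisco.com/ns/yang/Cisco-IOS-XR-ip-pfilter-cfg",
}

def acl_subtree_filter(acl_name, direction="inbound"):
    """Subtree filter (as in the thread) selecting interfaces that bind acl_name in one direction."""
    return (
        '<interface-configurations xmlns="{ifmgr}"><interface-configuration>'
        '<ipv4-packet-filter xmlns="{pfilter}"><{d}><acl-name-array>{acl}</acl-name-array></{d}>'
        '</ipv4-packet-filter></interface-configuration></interface-configurations>'
    ).format(ifmgr=NS["ifmgr"], pfilter=NS["pfilter"], d=direction, acl=escape(acl_name))

def acl_targets(reply_xml, acl_name):
    """Walk a <data> reply and return (interface-name, direction) for every binding of acl_name."""
    root = ET.fromstring(reply_xml)
    targets = []
    for ifc in root.iterfind(".//ifmgr:interface-configuration", NS):
        name = ifc.findtext("ifmgr:interface-name", namespaces=NS)
        for direction in ("inbound", "outbound"):  # outbound container assumed to mirror inbound
            path = "pfilter:ipv4-packet-filter/pfilter:{}/pfilter:acl-name-array".format(direction)
            for acl in ifc.iterfind(path, NS):
                if acl.text == acl_name:
                    targets.append((name, direction))
    return targets

# Constructed reply modelled on the ncc.py output above (two interfaces bind FOO inbound).
SAMPLE_REPLY = """<data xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<interface-configurations xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ifmgr-cfg">
<interface-configuration><active>act</active><interface-name>GigabitEthernet0/0/0/0</interface-name>
<ipv4-packet-filter xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ip-pfilter-cfg">
<inbound><acl-name-array>FOO</acl-name-array><is-common-array>false</is-common-array></inbound>
</ipv4-packet-filter></interface-configuration>
<interface-configuration><active>act</active><interface-name>GigabitEthernet0/0/0/2</interface-name>
<ipv4-packet-filter xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-ip-pfilter-cfg">
<inbound><acl-name-array>FOO</acl-name-array><is-common-array>false</is-common-array></inbound>
</ipv4-packet-filter></interface-configuration>
</interface-configurations></data>"""

if __name__ == "__main__":
    print(acl_subtree_filter("FOO"))
    for name, direction in acl_targets(SAMPLE_REPLY, "FOO"):
        print("FOO is bound on %s (%s); detach it before deleting the ACL" % (name, direction))
```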
- Unable to run ncc.py to retrieve running-config. It throws the error below. I've always had this issue with ncclient to retrieve the full running-config, while retrieving a filtered running-config or retrieving capabilities is ok.
- lxml.etree.XMLSyntaxError: Input is not proper UTF-8, indicate encoding !
Looking at the debug logs, we can see that the secret leaf is probably the culprit:
<aaa xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-aaa-lib-cfg">
<usernames xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-aaa-locald-cfg">
<username>
<name>sky</name>
<secret>«ÍC!</secret>
</username>
</usernames>
</aaa>
<aaa xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-aaa-locald-admin-cfg">
<usernames>
<username>
<name>hung</name>
<usergroup-under-usernames>
<usergroup-under-username>
<name>root-system</name>
</usergroup-under-username>
</usergroup-under-usernames>
<secret>«ÍC!</secret>
</username>
</usernames>
</aaa>
The problem is how the secret is encoded. It is being embedded using characters that are not legal for the XML character set. I would agree that this is an XR issue. I'll forward on to the AAA team.
This issue can be worked around somewhat by dealing with the returned payload directly and potentially using a different XML parser from what is used by ncclient, or possibly by using the same parser with a different configuration. I looked around a bit, and found some articles talking about similar issues, like:
python - How to make xml parser ignore invalid characters? - Stack Overflow
However, we need to fix XR to return data with a valid encoding.
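One way of "dealing with the returned payload directly", as an added example that is not part of the thread or of ncclient: decode the raw reply leniently so invalid UTF-8 sequences become U+FFFD, strip the code points XML 1.0 forbids, and only then hand it to the parser. The payload is constructed here; the bytes AB CD 43 21 are what the thread's "«ÍC!" secret looks like when non-UTF-8 bytes are displayed as Latin-1, and are assumed, not captured.

```python
import re
import xml.etree.ElementTree as ET

# Code points XML 1.0 forbids even after a clean decode (C0 controls other than \t \n \r).
_ILLEGAL_XML = re.compile("[\x00-\x08\x0b\x0c\x0e-\x1f\ufffe\uffff]")

def sanitize_reply(raw: bytes) -> str:
    """Replace bad UTF-8 sequences with U+FFFD, then drop characters XML does not allow.
    The mangled <secret> is not recoverable afterwards, which is fine: a client reading
    running-config never needs to reuse that value, it only needs the parse to succeed."""
    text = raw.decode("utf-8", errors="replace")
    return _ILLEGAL_XML.sub("\ufffd", text)

def parses_strictly(raw: bytes) -> bool:
    """True if the reply parses as-is (the path ncclient takes, which fails on this payload)."""
    try:
        ET.fromstring(raw)
        return True
    except ET.ParseError:
        return False

def local_usernames(raw: bytes):
    """Return the <name> of every <username> in the aaa-locald-cfg subtree of a reply."""
    root = ET.fromstring(sanitize_reply(raw))
    ns = {"locald": "http://cisco.com/ns/yang/Cisco-IOS-XR-aaa-locald-cfg"}
    return [u.findtext("locald:name", namespaces=ns) for u in root.iterfind(".//locald:username", ns)]

# Constructed payload modelled on the debug log above; \xab\xcd is not a valid UTF-8 sequence.
RAW_REPLY = (
    b'<aaa xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-aaa-lib-cfg">'
    b'<usernames xmlns="http://cisco.com/ns/yang/Cisco-IOS-XR-aaa-locald-cfg">'
    b'<username><name>sky</name><secret>\xab\xcdC!</secret></username>'
    b'</usernames></aaa>'
)

if __name__ == "__main__":
    print("strict parse ok:", parses_strictly(RAW_REPLY))
    print("usernames after sanitising:", local_usernames(RAW_REPLY))
```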
The issue is on an IOS-XRv version 6.3.1.12I in the lab. Tried pulling running-config from an IOS-XRv 9000 version 6.1.2 and don't see the issue. Below is the output of the authentication config from IOS-XRv 9000 in the lab.
<aaa xmlns="http://tail-f.com/ns/aaa/1.1">
<authentication>
<users>
<user>
<name>hung</name>
<uid>9000</uid>
<gid>100</gid>
<password>$1$b1NO$7sg6B6P7ygIaXuEohrPnv0</password>
<ssh_keydir>/var/confd/homes/hung/.ssh</ssh_keydir>
<homedir>/var/confd/homes/hung</homedir>
</user>
There may have already been a fix for this issue that went into 6.3.1.22I. Can you upgrade your image and see if the issue has been addressed?
Have tried loading IOS XRv 6.1.2 and there is no XML encoding issue. Will use XRv 6.1.2 from now.
Seen that error when retrieving operational data, but not configuration. It could be a defect on IOS XR side.
from ydk.services import CRUDService
from ydk.providers import NetconfServiceProvider
from ydk.models.cisco_ios_xr import Cisco_IOS_XR_ifmgr_cfg \
as xr_ifmgr_cfg

# 'device' holds the connection parameters (hostname, port, username, password, scheme)
provider = NetconfServiceProvider(address=device.hostname,
port=device.port,
username=device.username,
password=device.password,
protocol=device.scheme)

# create CRUD service
crud = CRUDService()

# build a read filter: interfaces whose inbound IPv4 packet filter lists ACL 'FOO'
interface_configurations = xr_ifmgr_cfg.InterfaceConfigurations() # create object
interface_foo = xr_ifmgr_cfg.InterfaceConfigurations.InterfaceConfiguration()
interface_foo.ipv4_packet_filter.inbound.acl_name_array.append('FOO')
# the list under InterfaceConfigurations is named interface_configuration, not interface
interface_configurations.interface_configuration.append(interface_foo)

# read data from NETCONF device
interface_configurations = crud.read(provider, interface_configurations)
Something like the above is the equivalent YDK python script for a CRUD read of the data.
You can perform a CRUD read to read specific data from the targeted device. See this example: ydk-py-samples/nc-read-xr-ipv4-acl-cfg-10-ydk.py at master · CiscoDevNet/ydk-py-samples · GitHub
Note that in the above sample, you need to uncomment line 78 and add your code to process the read data on line 42.