NX-OS syntax for ICMPv6 is wrong #365

Open
mf84 opened this issue Apr 8, 2024 · 4 comments
mf84 commented Apr 8, 2024

Using Aerleon v1.70.0.

If you have a policy file like this:

---
filters:
- header:
    comment: 
    targets:
      cisconx: icmp_v6-out inet6
  terms:
  - name: accept-icmp
    protocol: icmp6
    action: accept

And you generate the ACL, the code looks like this:

! $Id:$
! $Date:$
! $Revision:$
no ipv6 access-list icmp_v6-out
ipv6 access-list icmp_v6-out
 remark "$Date:$"
 remark "$Revision:$"


 remark accept-icmp
 permit icmp6 any any

exit

However, icmp6 is not valid syntax for NX-OS (tested on version 10.1(1)).

Config Session started, Session ID is 1
Enter configuration commands, one per line. End with CNTL/Z.
router(config-s)# no ipv6 access-list icmp_v6-out
ERROR: ACL with given name and type does not exist
router(config-s)# ipv6 access-list icmp_v6-out
router(config-s-ipv6-acl)#  remark "$Date:$"
router(config-s-ipv6-acl)#  remark "$Revision:$"
router(config-s-ipv6-acl)# 
router(config-s-ipv6-acl)# 
router(config-s-ipv6-acl)#  remark accept-icmp
router(config-s-ipv6-acl)#  permit icmp6 any any
                                                          ^
% Invalid parameter detected at '^' marker.
router(config-s-ipv6-acl)# abort

It must be icmp, without the 6. But if I change the protocol in the policy file, it throws an error during compile:

I0408 17:02:10.246660 140159453622272 aclgen.py:447] rendering one file
I0408 17:02:10.260283 140159453622272 plugin_supervisor.py:253] 0 plugins active.
I0408 17:02:10.260336 140159453622272 plugin_supervisor.py:254] 30 generators registered.
W0408 17:02:10.260611 140159453622272 cisco.py:458] Term accept-icmp will not be rendered, as it has icmp match specified but the ACL is of inet6 address family.
ankenyr commented Apr 18, 2024

Yeah, searching for documentation, it seems we just need to output icmp as you said. This should be a simple fix we can get in.

@ankenyr ankenyr self-assigned this Apr 18, 2024
ankenyr commented May 7, 2024

Just wanted to get back to you @mf84; it looks like what Cisco is looking for is protocol icmpv6.

try

  terms:
  - name: accept-icmp
    protocol: icmpv6
    icmp-type: echo-reply destination-unreachable time-exceeded
    action: accept

and you will see it works.

Then try replacing icmpv6 with icmp6 and you will see it errors out:

error encountered in rendering process:
Error generating target ACL for policies/pol/foo.yaml:
icmp-types specified for non-icmp protocols in term:  accept-icmp

You can also put in a BS protocol:

  terms:
  - name: accept-icmp
    protocol: asdmo1m
    action: accept

which results in the following:

! $Id:$
! $Date:$
! $Revision:$
no ipv6 access-list icmp_v6-out
ipv6 access-list icmp_v6-out
 remark "$Date:$"
 remark "$Revision:$"


 remark accept-icmp
 permit asdmo1m any any

exit

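A pre-push check for this defect, added here as an example and not part of Aerleon or Cisco's code: it scans generated NX-OS text and flags entries inside an ipv6 access-list whose protocol keyword the switch rejects, covering both the icmp6 case from the report and the unvalidated protocol name shown above. The sample ACL and the (deliberately partial) keyword allowlist are constructed for this example.

```python
import re

# Protocol keywords accepted in an NX-OS "ipv6 access-list" entry.
# Partial allowlist chosen for this example (assumption), not Cisco's full list.
NXOS_IPV6_PROTOCOLS = {"icmp", "tcp", "udp", "ipv6"}

# Constructed ACL text mirroring the generator output quoted in this issue.
SAMPLE_ACL = """! $Id:$
no ipv6 access-list icmp_v6-out
ipv6 access-list icmp_v6-out
 remark accept-icmp
 permit icmp6 any any
 permit asdmo1m any any
 permit icmp any any
exit
"""

# An access-control entry: action, protocol keyword, then the rest of the line.
ACE_RE = re.compile(r"^\s*(permit|deny)\s+(\S+)\s+(.*)$")


def lint_nxos_ipv6_acl(text):
    """Return (line_no, message) findings for ACEs whose protocol keyword
    NX-OS will reject inside an ipv6 access-list."""
    findings = []
    in_ipv6_acl = False
    for line_no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("no ipv6 access-list"):
            continue  # deletion of the old ACL, not an ACL body
        if stripped.startswith("ipv6 access-list"):
            in_ipv6_acl = True
            continue
        if stripped == "exit":
            in_ipv6_acl = False
            continue
        m = ACE_RE.match(line)
        if not m or not in_ipv6_acl:
            continue
        proto = m.group(2).lower()
        if proto == "icmp6":
            findings.append((line_no, "'icmp6' is rejected by NX-OS; use 'icmp'"))
        elif proto not in NXOS_IPV6_PROTOCOLS:
            findings.append((line_no, f"unknown protocol keyword '{proto}'"))
    return findings


if __name__ == "__main__":
    for line_no, msg in lint_nxos_ipv6_acl(SAMPLE_ACL):
        print(f"line {line_no}: {msg}")
```

Run it over the generator's output before pushing a config session; a non-empty result means the switch would reject at least one line.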
ankenyr commented May 7, 2024

While the above is a workaround, we are discussing the solutions to this as there is inconsistency in how policies are defined now.

mf84 commented May 13, 2024

I see, thanks for the clarification. If I search for "icmpv6" in the Aerleon docs, I only get one page:

https://aerleon.readthedocs.io/en/latest/reference/generators/

And there it is under the "Juniper EVO" section. It should be made clearer which protocols are available.
