netscaler.adc.nsacl module – Configuration for ACL entry resource.

Note

This module is part of the netscaler.adc collection (version 2.6.2).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install netscaler.adc.

To use it in a playbook, specify: netscaler.adc.nsacl.

New in netscaler.adc 2.0.0

Synopsis 

Configuration for ACL entry resource.

Parameters 

Parameter	Comments
aclaction string	Action to perform on incoming IPv4 packets that match the extended ACL rule. Available settings function as follows: * `ALLOW` - The Citrix ADC processes the packet. * `BRIDGE` - The Citrix ADC bridges the packet to the destination without processing it. * `DENY` - The Citrix ADC drops the packet. Choices: `"BRIDGE"` `"DENY"` `"ALLOW"`
aclname string	Name for the extended ACL rule. Must begin with an ASCII alphabetic or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters.
api_path string	Base NITRO API path. Define only in case of an ADM service proxy call Default: `"nitro/v1/config"`
destip boolean	IP address or range of IP addresses to match against the destination IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 10.102.29.30-10.102.29.189. Choices: `false` `true`
destipdataset string	Policy dataset which can have multiple IP ranges bound to it.
destipop string	Either the equals (=) or does not equal (!=) logical operator. Choices: `"="` `"!="` `"EQ"` `"NEQ"`
destipval string	IP address or range of IP addresses to match against the destination IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 10.102.29.30-10.102.29.189.
destport boolean	Port number or range of port numbers to match against the destination port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 40-90. Note: The destination port can be specified only for TCP and UDP protocols. Choices: `false` `true`
destportdataset string	Policy dataset which can have multiple port ranges bound to it.
destportop string	Either the equals (=) or does not equal (!=) logical operator. Choices: `"="` `"!="` `"EQ"` `"NEQ"`
destportval string	Port number or range of port numbers to match against the destination port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 40-90. Note: The destination port can be specified only for TCP and UDP protocols.
dfdhash string	Specifies the type hashmethod to be applied, to steer the packet to the FP of the packet. Choices: `"SIP-SPORT-DIP-DPORT"` `"SIP"` `"DIP"` `"SIP-DIP"` `"SIP-SPORT"` `"DIP-DPORT"`
established boolean	Allow only incoming TCP packets that have the ACK or RST bit set, if the action set for the ACL rule is ALLOW and these packets match the other conditions in the ACL rule. Choices: `false` `true`
icmpcode float	Code of a particular ICMP message type to match against the ICMP code of an incoming ICMP packet. For example, to block DESTINATION HOST UNREACHABLE messages, specify 3 as the ICMP type and 1 as the ICMP code. If you set this parameter, you must set the ICMP Type parameter.
icmptype float	ICMP Message type to match against the message type of an incoming ICMP packet. For example, to block DESTINATION UNREACHABLE messages, you must specify 3 as the ICMP type. Note: This parameter can be specified only for the ICMP protocol.
interface string	ID of an interface. The Citrix ADC applies the ACL rule only to the incoming packets from the specified interface. If you do not specify any value, the appliance applies the ACL rule to the incoming packets of all interfaces.
logstate string	Enable or disable logging of events related to the extended ACL rule. The log messages are stored in the configured syslog or auditlog server. Choices: `"ENABLED"` `"DISABLED"`
managed_netscaler_instance_id string added in netscaler.adc 2.6.0	The ID of the managed NetScaler instance to which NetScaler Console has to configure as a proxy server. Define only in case of an ADM service proxy call
managed_netscaler_instance_ip string added in netscaler.adc 2.6.0	The IP of the managed NetScaler instance to which NetScaler Console has to configure as a proxy server. Define only in case of an ADM service proxy call
managed_netscaler_instance_name string added in netscaler.adc 2.6.0	The name of the managed NetScaler instance to which NetScaler Console has to configure as a proxy server. Define only in case of an ADM service proxy call
managed_netscaler_instance_password string added in netscaler.adc 2.6.0	The password of the managed NetScaler instance. Define only in case of an ADM service proxy call In Settings > Administration > System Configurations > Basic Settings, if you select Prompt Credentials for Instance Login, ensure to configure username and password of a managed instance.
managed_netscaler_instance_username string added in netscaler.adc 2.6.0	The username of the managed NetScaler instance. Define only in case of an ADM service proxy call In Settings > Administration > System Configurations > Basic Settings, if you select Prompt Credentials for Instance Login, ensure to configure username and password of a managed instance.
netscaler_console_as_proxy_server boolean added in netscaler.adc 2.6.0	The IP address of the NetScaler ADC appliance acting as a proxy server. Define only in case of an ADM service proxy call Choices: `false` ← (default) `true`
newname string	New name for the extended ACL rule. Must begin with an ASCII alphabetic or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters.
nitro_auth_token string	The authentication token provided by a login operation.
nitro_pass string	The password with which to authenticate to the NetScaler ADC node.
nitro_protocol string	Which protocol to use when accessing the nitro API objects. Choices: `"http"` `"https"` ← (default)
nitro_user string	The username with which to authenticate to the NetScaler ADC node.
nsip string / required	The ip address of the NetScaler ADC appliance where the nitro API calls will be made. The port can be specified with the colon (:). E.g. 192.168.1.1:555.
priority float	Priority for the extended ACL rule that determines the order in which it is evaluated relative to the other extended ACL rules. If you do not specify priorities while creating extended ACL rules, the ACL rules are evaluated in the order in which they are created.
protocol string	Protocol to match against the protocol of an incoming IPv4 packet. Choices: `"ICMP"` `"IGMP"` `"TCP"` `"EGP"` `"IGP"` `"ARGUS"` `"UDP"` `"RDP"` `"RSVP"` `"EIGRP"` `"L2TP"` `"ISIS"` `"GGP"` `"IPoverIP"` `"ST"` `"CBT"` `"BBN-RCC-M"` `"NVP-II"` `"PUP"` `"EMCON"` `"XNET"` `"CHAOS"` `"MUX"` `"DCN-MEAS"` `"HMP"` `"PRM"` `"XNS-IDP"` `"TRUNK-1"` `"TRUNK-2"` `"LEAF-1"` `"LEAF-2"` `"IRTP"` `"ISO-TP4"` `"NETBLT"` `"MFE-NSP"` `"MERIT-INP"` `"SEP"` `"3PC"` `"IDPR"` `"XTP"` `"DDP"` `"IDPR-CMTP"` `"TP++"` `"IL"` `"IPv6"` `"SDRP"` `"IPv6-Route"` `"IPv6-Frag"` `"IDRP"` `"GRE"` `"MHRP"` `"BNA"` `"ESP"` `"AH"` `"I-NLSP"` `"SWIPE"` `"NARP"` `"MOBILE"` `"TLSP"` `"SKIP"` `"ICMPV6"` `"IPv6-NoNx"` `"IPv6-Opts"` `"Any-Host-Internal-Protocol"` `"CFTP"` `"Any-Local-Network"` `"SAT-EXPAK"` `"KRYPTOLAN"` `"RVD"` `"IPPC"` `"Any-Distributed-File-System"` `"TFTP"` `"VISA"` `"IPCV"` `"CPNX"` `"CPHB"` `"WSN"` `"PVP"` `"BR-SAT-MO"` `"SUN-ND"` `"WB-MON"` `"WB-EXPAK"` `"ISO-IP"` `"VMTP"` `"SECURE-VM"` `"VINES"` `"TTP"` `"NSFNET-IG"` `"DGP"` `"TCF"` `"OSPFIGP"` `"Sprite-RP"` `"LARP"` `"MTP"` `"AX.25"` `"IPIP"` `"MICP"` `"SCC-SP"` `"ETHERIP"` `"Any-Private-Encryption-Scheme"` `"GMTP"` `"IFMP"` `"PNNI"` `"PIM"` `"ARIS"` `"SCPS"` `"QNX"` `"A/N"` `"IPComp"` `"SNP"` `"Compaq-Pe"` `"IPX-in-IP"` `"VRRP"` `"PGM"` `"Any-0-Hop-Protocol"` `"ENCAP"` `"DDX"` `"IATP"` `"STP"` `"SRP"` `"UTI"` `"SMP"` `"SM"` `"PTP"` `"FIRE"` `"CRTP"` `"CRUDP"` `"SSCOPMCE"` `"IPLT"` `"SPS"` `"PIPE"` `"SCTP"` `"FC"` `"RSVP-E2E-IGNORE"` `"Mobility-Header"` `"UDPLite"`
protocolnumber float	Protocol to match against the protocol of an incoming IPv4 packet.
ratelimit float	Maximum number of log messages to be generated per second. If you set this parameter, you must enable the Log State parameter.
save_config boolean	If `true` the module will save the configuration on the NetScaler ADC node if it makes any changes. The module will not save the configuration on the NetScaler ADC node if it made no changes. Choices: `false` ← (default) `true`
srcip boolean	IP address or range of IP addresses to match against the source IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 10.102.29.30-10.102.29.189. Choices: `false` `true`
srcipdataset string	Policy dataset which can have multiple IP ranges bound to it.
srcipop string	Either the equals (=) or does not equal (!=) logical operator. Choices: `"="` `"!="` `"EQ"` `"NEQ"`
srcipval string	IP address or range of IP addresses to match against the source IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example:10.102.29.30-10.102.29.189.
srcmac string	MAC address to match against the source MAC address of an incoming IPv4 packet.
srcmacmask string	Used to define range of Source MAC address. It takes string of 0 and 1, 0s are for exact match and 1s for wildcard. For matching first 3 bytes of MAC address, srcMacMask value “000000111111”.
srcport boolean	Port number or range of port numbers to match against the source port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 40-90. Choices: `false` `true`
srcportdataset string	Policy dataset which can have multiple port ranges bound to it.
srcportop string	Either the equals (=) or does not equal (!=) logical operator. Choices: `"="` `"!="` `"EQ"` `"NEQ"`
srcportval string	Port number or range of port numbers to match against the source port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 40-90.
state string	The state of the resource being configured by the module on the NetScaler ADC node. When `present`, the resource will be added/updated configured according to the module’s parameters. When `absent`, the resource will be deleted from the NetScaler ADC node. When `enabled`, the resource will be enabled on the NetScaler ADC node. When `disabled`, the resource will be disabled on the NetScaler ADC node. When `unset`, the resource will be unset on the NetScaler ADC node. Choices: `"present"` ← (default) `"absent"` `"enabled"` `"disabled"` `"unset"`
stateful string	If stateful option is enabled, transparent sessions are created for the traffic hitting this ACL and not hitting any other features like LB, INAT etc. Choices: `"YES"` `"NO"`
td float	Integer value that uniquely identifies the traffic domain in which you want to configure the entity. If you do not specify an ID, the entity becomes part of the default traffic domain, which has an ID of 0.
ttl float	Number of seconds, in multiples of four, after which the extended ACL rule expires. If you do not want the extended ACL rule to expire, do not specify a TTL value.
type string	Type of the acl ,default will be `CLASSIC`. Available options as follows: * `CLASSIC` - specifies the regular extended acls. * `DFD` - cluster specific acls,specifies hashmethod for steering of the packet in cluster . Choices: `"CLASSIC"` `"DFD"`
validate_certs boolean	If `false`, SSL certificates will not be validated. This should only be used on personally controlled sites using self-signed certificates. Choices: `false` `true` ← (default)
vlan float	ID of the VLAN. The Citrix ADC applies the ACL rule only to the incoming packets of the specified VLAN. If you do not specify a VLAN ID, the appliance applies the ACL rule to the incoming packets on all VLANs.
vxlan float	ID of the VXLAN. The Citrix ADC applies the ACL rule only to the incoming packets of the specified VXLAN. If you do not specify a VXLAN ID, the appliance applies the ACL rule to the incoming packets on all VXLANs.

Notes 

Note

For more information on using Ansible to manage NetScaler ADC Network devices see https://www.ansible.com/integrations/networks/citrixadc.

Examples 

---
- name: Sample nsacl playbook
  hosts: demo_netscalers
  gather_facts: false
  tasks:
    - name: Configure nsacl
      delegate_to: localhost
      netscaler.adc.nsacl:
        state: present
        aclname: ACL_SF_Allow_USE1-B
        aclaction: ALLOW
        srcip: true
        srcipop: '='
        srcipval: 10.189.96.60
        destip: true
        destipop: '='
        destipdataset: SF_LBVIP
        priority: '15'
        kernelstate: SFAPPLIED61

Return Values 

Common return values are documented here, the following are the fields unique to this module:

Key	Description
changed boolean	Indicates if any change is made by the module Returned: always Sample: `true`
diff dictionary	Dictionary of before and after changes Returned: always Sample: `{"after": {"key2": "pqr"}, "before": {"key1": "xyz"}, "prepared": "changes done"}`
diff_list list / elements=string	List of differences between the actual configured object and the configuration specified in the module Returned: when changed Sample: ["Attribute `key1` differs. Desired: (<class 'str'>) XYZ. Existing: (<class 'str'>) PQR"]
failed boolean	Indicates if the module failed or not Returned: always Sample: `false`
loglines list / elements=string	list of logged messages by the module Returned: always Sample: `["message 1", "message 2"]`

Authors

Sumanth Lingappa (@sumanth-lingappa)
Shiva Shankar Vaddepally (@shivashankar-vaddepally)

netscaler.adc.nsacl module – Configuration for ACL entry resource.

Synopsis

Parameters

Notes

Examples

Return Values