ironcore-dev
diff --git a/‎go.mod‎
Lines changed: 7 additions & 2 deletions b/‎go.mod‎
Lines changed: 7 additions & 2 deletions
diff --git a/‎go.sum‎
Lines changed: 14 additions & 4 deletions b/‎go.sum‎
Lines changed: 14 additions & 4 deletions
diff --git a/‎internal/provider/cisco/gnmiext/v2/client.go‎
Lines changed: 18 additions & 3 deletions b/‎internal/provider/cisco/gnmiext/v2/client.go‎
Lines changed: 18 additions & 3 deletions
diff --git a/‎internal/provider/cisco/nxos/.gitignore‎
Lines changed: 0 additions & 3 deletions b/‎internal/provider/cisco/nxos/.gitignore‎
Lines changed: 0 additions & 3 deletions
diff --git a/‎internal/provider/cisco/nxos/acl.go‎
Lines changed: 97 additions & 0 deletions b/‎internal/provider/cisco/nxos/acl.go‎
Lines changed: 97 additions & 0 deletions
diff --git a/‎internal/provider/cisco/nxos/acl/acl.go‎
Lines changed: 0 additions & 156 deletions b/‎internal/provider/cisco/nxos/acl/acl.go‎
Lines changed: 0 additions & 156 deletions
@@ -4,8 +4,8 @@ go 1.25
 
 require (
 	github.com/felix-kaestner/copy v0.0.0-20240226161622-4773371af039
+	github.com/go-crypt/crypt v0.4.7-0.20251003122429-450f8065d00b
 	github.com/go-logr/logr v1.4.2
-	github.com/google/go-cmp v0.7.0
 	github.com/onsi/ginkgo/v2 v2.23.3
 	github.com/onsi/gomega v1.36.3
 	github.com/openconfig/gnmi v0.14.1
@@ -14,6 +14,7 @@ require (
 	github.com/openconfig/ygnmi v0.13.1-0.20250924235719-646562b5d0c3
 	github.com/openconfig/ygot v0.32.0
 	github.com/sapcc/go-api-declarations v1.16.0
+	github.com/tidwall/gjson v1.18.0
 	go.uber.org/automaxprocs v1.6.0
 	go.uber.org/zap v1.27.0
 	golang.org/x/crypto v0.36.0
@@ -43,6 +44,7 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-crypt/x v0.4.8 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-logr/zapr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
@@ -55,6 +57,7 @@ require (
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/cel-go v0.22.0 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/pprof v0.0.0-20241210010833-40e02aabc2ad // indirect
 	github.com/google/uuid v1.6.0 // indirect
@@ -76,6 +79,8 @@ require (
 	github.com/spf13/cobra v1.9.1 // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/stoewer/go-strcase v1.3.0 // indirect
+	github.com/tidwall/match v1.1.1 // indirect
+	github.com/tidwall/pretty v1.2.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
@@ -91,7 +96,7 @@ require (
 	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/oauth2 v0.25.0 // indirect
 	golang.org/x/sync v0.12.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
 	golang.org/x/term v0.30.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
 	golang.org/x/time v0.8.0 // indirect
 
@@ -32,6 +32,10 @@ github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/
 github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
 github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/go-crypt/crypt v0.4.7-0.20251003122429-450f8065d00b h1:5uuOD51gU9ZJkrpxhRmq0DJrKctprg4LKGQ/lDWRK8Q=
+github.com/go-crypt/crypt v0.4.7-0.20251003122429-450f8065d00b/go.mod h1:Ts3T2ORhE0nxel6/2mlQNZTZn7dcxRdtnSJjoDqUkbs=
+github.com/go-crypt/x v0.4.8 h1:Cob6IxrSfWTc+MG8CBbNHBM4UqrBgEZDoK5t/SG4oZ4=
+github.com/go-crypt/x v0.4.8/go.mod h1:ozw9N4MYuLKhR5x2REs1e4T/nrEAkbuVkcsh/HbYksg=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
@@ -150,8 +154,14 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
+github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
+github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
+github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -209,8 +219,8 @@ golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
 golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 
@@ -244,7 +244,7 @@ func (c *Client) get(ctx context.Context, dt gpb.GetRequest_DataType, conf ...Co
 // configuration. Otherwise, a full replacement is done.
 // If the current configuration equals the desired configuration, the operation
 // is skipped.
-func (c *Client) set(ctx context.Context, patch bool, conf ...Configurable) (err error) {
+func (c *Client) set(ctx context.Context, patch bool, conf ...Configurable) error {
 	if len(conf) == 0 {
 		return nil
 	}
@@ -255,12 +255,13 @@ func (c *Client) set(ctx context.Context, patch bool, conf ...Configurable) (err
 			return err
 		}
 		got := cp.Deep(cf)
-		if err := c.GetConfig(ctx, got); err != nil && !errors.Is(err, ErrNil) {
+		err = c.GetConfig(ctx, got)
+		if err != nil && !errors.Is(err, ErrNil) {
 			return fmt.Errorf("gnmiext: failed to retrieve current config for %s: %w", cf.XPath(), err)
 		}
 		// If the current configuration is equal to the desired configuration, skip the update.
 		// This avoids unnecessary updates and potential disruptions.
-		if reflect.DeepEqual(cf, got) {
+		if err == nil && reflect.DeepEqual(cf, got) {
 			c.logger.V(1).Info("Configuration is already up-to-date", "path", cf.XPath())
 			continue
 		}
@@ -311,6 +312,20 @@ func (c *Client) Marshal(v any) (b []byte, err error) {
 // If the destination implements the [Marshaler] interface, it will be unmarshaled using that.
 // Otherwise, [json.Unmarshal] is used.
 func (c *Client) Unmarshal(b []byte, dst any) (err error) {
+	// NOTE: If you query for list elements on Cisco NX-OS, the encoded payload
+	// will be the wrapped in an array (even if only one element is requested), i.e.
+	//
+	// [
+	// 	{
+	// 		...
+	// 	}
+	// ]
+	_, ok := dst.(interface {
+		IsListItem()
+	})
+	if ok && b[0] == '[' && b[len(b)-1] == ']' {
+		b = b[1 : len(b)-1]
+	}
 	if um, ok := dst.(Marshaler); ok {
 		if err := um.UnmarshalYANG(c.capabilities, b); err != nil {
 			return fmt.Errorf("gnmiext: failed to unmarshal value: %w", err)
 
@@ -0,0 +1,97 @@
+// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company and IronCore contributors
+// SPDX-License-Identifier: Apache-2.0
+
+package nxos
+
+import (
+	"fmt"
+
+	"github.com/ironcore-dev/network-operator/api/v1alpha1"
+	"github.com/ironcore-dev/network-operator/internal/provider/cisco/gnmiext/v2"
+)
+
+var _ gnmiext.Configurable = (*ACL)(nil)
+
+// ACL represents an IPv4 or IPv6 access control list, depending on the rules it contains.
+// It can only contain either IPv4 or IPv6 rules, never both. It's name must be unique
+// across IPv4 and IPv6 access lists.
+type ACL struct {
+	// Name is the name of the ACL. This name must be unique across IPv4 and IPv6 access lists.
+	Name string `json:"name"`
+	// SeqItems contains the list of ACE entries in the ACL.
+	SeqItems struct {
+		ACEList []*ACLEntry `json:"ACE-list,omitzero"`
+	} `json:"seq-items,omitzero"`
+	// Is6 indicates whether this is an IPv6 ACL. This field is not serialized to JSON
+	// and is only used internally to determine the correct XPath for the ACL.
+	Is6 bool `json:"-"`
+}
+
+func (a *ACL) IsListItem() {}
+
+func (a *ACL) XPath() string {
+	if a.Is6 {
+		return "System/acl-items/ipv6-items/name-items/ACL-list[name=" + a.Name + "]"
+	}
+	return "System/acl-items/ipv4-items/name-items/ACL-list[name=" + a.Name + "]"
+}
+
+type ACLEntry struct {
+	SeqNum          int32    `json:"seqNum"`
+	Action          Action   `json:"action"`
+	Protocol        Protocol `json:"protocol"`
+	Remark          string   `json:"remark,omitempty"`
+	SrcPrefix       string   `json:"srcPrefix"`
+	SrcPrefixLength int      `json:"srcPrefixLength,omitempty"`
+	DstPrefix       string   `json:"dstPrefix"`
+	DstPrefixLength int      `json:"dstPrefixLength,omitempty"`
+}
+
+type Action string
+
+const (
+	ActionPermit Action = "permit"
+	ActionDeny   Action = "deny"
+)
+
+func ActionFrom(act v1alpha1.ACLAction) (Action, error) {
+	switch act {
+	case v1alpha1.ActionPermit:
+		return ActionPermit, nil
+	case v1alpha1.ActionDeny:
+		return ActionDeny, nil
+	default:
+		var zero Action
+		return zero, fmt.Errorf("acl: unsupported action %q", act)
+	}
+}
+
+type Protocol uint8
+
+const (
+	ProtocolIP   Protocol = 0
+	ProtocolICMP Protocol = 1
+	ProtocolTCP  Protocol = 6
+	ProtocolUDP  Protocol = 17
+	ProtocolOSPF Protocol = 89
+	ProtocolPIM  Protocol = 103
+)
+
+func ProtocolFrom(proto v1alpha1.Protocol) Protocol {
+	switch proto {
+	case v1alpha1.ProtocolIP:
+		return ProtocolIP
+	case v1alpha1.ProtocolICMP:
+		return ProtocolICMP
+	case v1alpha1.ProtocolTCP:
+		return ProtocolTCP
+	case v1alpha1.ProtocolUDP:
+		return ProtocolUDP
+	case v1alpha1.ProtocolOSPF:
+		return ProtocolOSPF
+	case v1alpha1.ProtocolPIM:
+		return ProtocolPIM
+	default:
+		return 0 // unknown protocol - default to 0 == "ip"
+	}
+}