Description
SUMMARY
When using netconf_config to delete an entry from an ACL, the task doesn't recognize a change
ISSUE TYPE
- Bug Report
COMPONENT NAME
netconf_config
ANSIBLE VERSION
ansible [core 2.18.9]
config file = /home/cmadams/src/ansible/ansible.cfg
configured module search path = ['/home/cmadams/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.14/site-packages/ansible
ansible collection location = /home/cmadams/.ansible/collections:/usr/share/ansible/collections
executable location = /usr/bin/ansible
python version = 3.14.0 (main, Oct 7 2025, 00:00:00) [GCC 15.2.1 20250924 (Red Hat 15.2.1-2)] (/usr/bin/python3)
jinja version = 3.1.6
libyaml = True
COLLECTION VERSION
# /usr/share/ansible/collections/ansible_collections
Collection Version
----------------- -------
ansible.netcommon 8.0.1
CONFIGURATION
CONFIG_FILE() = /home/cmadams/src/ansible/ansible.cfg
DEFAULT_GATHERING(/home/cmadams/src/ansible/ansible.cfg) = explicit
DEFAULT_HOST_LIST(/home/cmadams/src/ansible/ansible.cfg) = ['/home/cmadams/src/>
DEFAULT_ROLES_PATH(/home/cmadams/src/ansible/ansible.cfg) = ['/home/cmadams/src>
DEPRECATION_WARNINGS(/home/cmadams/src/ansible/ansible.cfg) = False
EDITOR(env: EDITOR) = /usr/bin/vim
PAGER(env: PAGER) = /usr/bin/less
GALAXY_SERVERS:
OS / ENVIRONMENT
Fedora Linux 43, talking to FiberStore N5860_FSOS 12.5(1)B0506
STEPS TO REPRODUCE
I have a playbook to manage an ACL; if I delete the last non-default entry (so no entry numbers change), the task reports no change. Adding a get before and after and showing a diff shows the change applied. In the example playbook, I add/remove the comment before the 10.254.254.253 line between runs: when the entry is added, the task says it changed; when the entry is removed, the task says ok.
```yaml
---
- hosts: routers
  vars:
    block_aclname: edgeblock
    block_list:
      # who needs this
      - 172.16.0.0/12
      # RFC 1918 go away
      - 192.168.0.0/16
      # some bad guy
      #- 10.254.254.253
  tasks:
    - name: Build the ACL entries
      set_fact:
        acl_entries: "{{ acl_entries | default([]) + [{
          'rule-name': ansible_loop.index,
          'action': 'deny',
          'protocol': '0',
          'source-ipv4-network': item | ansible.utils.ipaddr('network'),
          'source-ipv4-network-mask': item | ansible.utils.ipaddr('hostmask'),
          'destination-ipv4-network': '0.0.0.0',
          'destination-ipv4-network-mask': '255.255.255.255',
          }] }}"
      loop: "{{ block_list }}"
      loop_control:
        extended: true
        extended_allitems: false
    - name: ACL default allow
      set_fact:
        acl_entries: "{{ acl_entries | default([]) + [{
          'rule-name': '9999',
          'action': 'permit',
          'protocol': '0',
          'source-ipv4-network': '0.0.0.0',
          'source-ipv4-network-mask': '255.255.255.255',
          'destination-ipv4-network': '0.0.0.0',
          'destination-ipv4-network-mask': '255.255.255.255',
          }] }}"
    - name: Set the ACL filter
      set_fact:
        acl_filter:
          "access-lists":
            "@xmlns": "urn:fs:params:xml:ns:yang:access-control-list"
            "acl":
              "acl-name": "{{ block_aclname }}"
    - name: Get the pre ACL
      register: aclpre
      ansible.netcommon.netconf_get:
        source: running
        filter: "{{ acl_filter }}"
        display: native
    - name: Set the ACL
      register: aclset
      ansible.netcommon.netconf_config:
        default_operation: merge
        target: candidate
        get_filter: "{{ acl_filter }}"
        content:
          "config":
            "@xmlns": "urn:ietf:params:xml:ns:netconf:base:1.0"
            "@xmlns:nc": "urn:ietf:params:xml:ns:netconf:base:1.0"
            "access-lists":
              "@xmlns": "urn:fs:params:xml:ns:yang:access-control-list"
              "acl":
                "@nc:operation": "replace"
                "acl-name": "{{ block_aclname }}"
                "acl-type": "2"
                "counter-enable": "true"
                "access-list-entries":
                  "{{ acl_entries | ansible.builtin.to_json }}"
    - name: Get the post ACL
      register: aclpost
      ansible.netcommon.netconf_get:
        source: running
        filter: "{{ acl_filter }}"
        display: native
    - name: Show the differences
      ansible.utils.fact_diff:
        before: "{{ aclpre.output.data }}"
        after: "{{ aclpost.output.data }}"
```
EXPECTED RESULTS
Changing the ACL in any way should have the task show changed.
ACTUAL RESULTS
Task is changed: false despite it actually making the change (will attach output).
https://gist.github.com/cmadamsgit/7ffe35a9c8ea01c6d554b326982ccf1e
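The before/after check the playbook does by hand, as an added stand-alone example (not netconf_config's own change detection, and not the reporter's code): it parses two get-config replies for the ACL, keys the entries by rule-name, and reports removed entries as a change even when no remaining entry is renumbered. The element layout of the snapshots is an assumption modelled on the playbook's content dict (one access-list-entries element per rule); the snapshots are constructed, not captured from the switch.

```python
import xml.etree.ElementTree as ET

# ACL YANG namespace from the issue's playbook.
NS = {"acl": "urn:fs:params:xml:ns:yang:access-control-list"}


def _snapshot(entries):
    """Build a constructed get-config reply; layout is an assumption, not device output."""
    rules = "".join(
        f"<access-list-entries><rule-name>{name}</rule-name><action>{action}</action>"
        f"<source-ipv4-network>{net}</source-ipv4-network></access-list-entries>"
        for name, action, net in entries
    )
    return (
        f'<access-lists xmlns="{NS["acl"]}"><acl><acl-name>edgeblock</acl-name>'
        f"{rules}</acl></access-lists>"
    )


BEFORE = _snapshot([("1", "deny", "172.16.0.0"), ("2", "deny", "192.168.0.0"),
                    ("3", "deny", "10.254.254.253"), ("9999", "permit", "0.0.0.0")])
# Same ACL after the last non-default entry (rule 3) is removed: nothing else is renumbered.
AFTER = _snapshot([("1", "deny", "172.16.0.0"), ("2", "deny", "192.168.0.0"),
                   ("9999", "permit", "0.0.0.0")])


def acl_entries(xml_text):
    """Return {rule-name: {leaf: value}} for every entry of the ACL in a reply."""
    root = ET.fromstring(xml_text)
    entries = {}
    for entry in root.iterfind(".//acl:access-list-entries", NS):
        # Strip the namespace from each leaf tag so keys match the YANG leaf names.
        leaves = {child.tag.split("}", 1)[-1]: (child.text or "").strip() for child in entry}
        entries[leaves.pop("rule-name")] = leaves
    return entries


def diff_acl(before_xml, after_xml):
    """Added, removed and modified rule names between two snapshots."""
    before, after = acl_entries(before_xml), acl_entries(after_xml)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(r for r in set(before) & set(after) if before[r] != after[r]),
    }


def changed(before_xml, after_xml):
    """True if any rule was added, removed or altered; a shrinking list is a change."""
    return any(diff_acl(before_xml, after_xml).values())


if __name__ == "__main__":
    print(diff_acl(BEFORE, AFTER), "changed:", changed(BEFORE, AFTER))
```

Running the same comparison on the running-config replies from the two netconf_get tasks gives an independent changed flag to compare against what netconf_config reports.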