diff options
| author | CaptTrews <capttrews@gmail.com> | 2020-02-25 00:29:36 +0000 |
|---|---|---|
| committer | CaptTrews <capttrews@gmail.com> | 2020-02-25 00:29:36 +0000 |
| commit | 1e35316ae5a079cc5466d97e873f48ae1ec574e2 (patch) | |
| tree | be3cd3beea41c943836fcf8f6c87c6ea837eb8d5 /plugins/modules | |
| parent | cfd3472a4d2b8906a944451341f37af1fde2dd54 (diff) | |
| download | vyos-ansible-old-1e35316ae5a079cc5466d97e873f48ae1ec574e2.tar.gz vyos-ansible-old-1e35316ae5a079cc5466d97e873f48ae1ec574e2.zip | |
Updated from network content collector
Signed-off-by: CaptTrews <capttrews@gmail.com>
Diffstat (limited to 'plugins/modules')
| -rw-r--r-- | plugins/modules/vyos_facts.py | 2 | ||||
| -rw-r--r-- | plugins/modules/vyos_firewall_global.py | 1204 |
2 files changed, 1205 insertions, 1 deletions
diff --git a/plugins/modules/vyos_facts.py b/plugins/modules/vyos_facts.py index 19fb727..eec4c3b 100644 --- a/plugins/modules/vyos_facts.py +++ b/plugins/modules/vyos_facts.py @@ -47,7 +47,7 @@ options: Can specify a list of values to include a larger subset. Values can also be used with an initial C(M(!)) to specify that a specific subset should not be collected. Valid subsets are 'all', 'interfaces', 'l3_interfaces', 'lag_interfaces', - 'lldp_global', 'lldp_interfaces', 'static_routes', 'firewall_rules'. + 'lldp_global', 'lldp_interfaces', 'static_routes', 'firewall_rules', 'firewall_global'. required: false """ diff --git a/plugins/modules/vyos_firewall_global.py b/plugins/modules/vyos_firewall_global.py new file mode 100644 index 0000000..519725a --- /dev/null +++ b/plugins/modules/vyos_firewall_global.py @@ -0,0 +1,1204 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# Copyright 2019 Red Hat +# GNU General Public License v3.0+ +# (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +############################################# +# WARNING # +############################################# +# +# This file is auto generated by the resource +# module builder playbook. +# +# Do not edit this file manually. +# +# Changes to this file will be over written +# by the resource module builder. +# +# Changes should be made in the model used to +# generate this file or in the resource module +# builder template. +# +############################################# + +""" +The module file for vyos_firewall_global +""" + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "network", +} + +DOCUMENTATION = """module: vyos_firewall_global +short_description: Manage global policies or configurations for firewall on VyOS devices. +description: This module manage global policies or configurations for firewall on + VyOS devices. +notes: +- Tested against VyOS 1.1.8 (helium). +- This module works with connection C(network_cli). See L(the VyOS OS Platform Options,../network/user_guide/platform_vyos.html). +author: +- Rohit Thakur (@rohitthakur2590) +options: + config: + description: + - A dictionary of Firewall global configuration options. + type: dict + suboptions: + route_redirects: + description: -A dictionary of Firewall icmp redirect and source route global + configuration options. + type: list + elements: dict + suboptions: + afi: + description: + - Specifies IP address type + type: str + choices: + - ipv4 + - ipv6 + required: true + icmp_redirects: + description: + - Specifies whether to allow sending/receiving of IPv4/v6 ICMP redirect + messages. + type: dict + suboptions: + send: + description: + - Permits or denies transmitting packets ICMP redirect messages. + type: bool + receive: + description: + - Permits or denies receiving packets ICMP redirect messages. + type: bool + ip_src_route: + description: + - Specifies whether or not to process source route IP options. + type: bool + ping: + description: + - Policy for handling of all IPv4 ICMP echo requests. + type: dict + suboptions: + all: + description: + - Enables or disables response to all IPv4 ICMP Echo Request (ping) messages. + - The system responds to IPv4 ICMP Echo Request messages. + type: bool + broadcast: + description: + - Enables or disables response to broadcast IPv4 ICMP Echo Request and + Timestamp Request messages. + - IPv4 ICMP Echo and Timestamp Request messages are not processed. + type: bool + config_trap: + description: + - SNMP trap generation on firewall configuration changes. + type: bool + validation: + description: + - Specifies a policy for source validation by reversed path, as defined in + RFC 3704. + - (disable) No source validation is performed. + - (loose) Enable Loose Reverse Path Forwarding as defined in RFC3704. + - (strict) Enable Strict Reverse Path Forwarding as defined in RFC3704. + type: str + choices: + - strict + - loose + - disable + group: + description: + - Defines a group of objects for referencing in firewall rules. + type: dict + suboptions: + address_group: + description: + - Defines a group of IP addresses for referencing in firewall rules. + type: list + elements: dict + suboptions: + name: + description: + - Name of the firewall address group. + type: str + required: true + description: + description: + - Allows you to specify a brief description for the address group. + type: str + members: + description: + - Address-group members. + - IPv4 address to match. + - IPv4 range to match. + type: list + elements: dict + suboptions: + address: + description: IP address. + type: str + network_group: + description: + - Defines a group of networks for referencing in firewall rules. + type: list + elements: dict + suboptions: + name: + description: + - Name of the firewall network group. + type: str + required: true + description: + description: + - Allows you to specify a brief description for the network group. + type: str + members: + description: + - Adds an IPv4 network to the specified network group. + - The format is ip-address/prefix. + type: list + elements: dict + suboptions: + address: + description: IP address. + type: str + port_group: + description: + - Defines a group of ports for referencing in firewall rules. + type: list + elements: dict + suboptions: + name: + description: + - Name of the firewall port group. + type: str + required: true + description: + description: + - Allows you to specify a brief description for the port group. + type: str + members: + description: + - Port-group member. + type: list + elements: dict + suboptions: + port: + description: Defines the number. + type: str + log_martians: + description: + - Specifies whether or not to record packets with invalid addresses in the + log. + - (True) Logs packets with invalid addresses. + - (False) Does not log packets with invalid addresses. + type: bool + syn_cookies: + description: + - Specifies policy for using TCP SYN cookies with IPv4. + - (True) Enables TCP SYN cookies with IPv4. + - (False) Disables TCP SYN cookies with IPv4. + type: bool + twa_hazards_protection: + description: + - RFC1337 TCP TIME-WAIT assasination hazards protection. + type: bool + state_policy: + description: + - Specifies global firewall state-policy. + type: list + elements: dict + suboptions: + connection_type: + description: Specifies connection type. + type: str + choices: + - established + - invalid + - related + action: + description: + - Action for packets part of an established connection. + type: str + choices: + - accept + - drop + - reject + log: + description: + - Enable logging of packets part of an established connection. + type: bool + running_config: + description: + - The module, by default, will connect to the remote device and retrieve the current + running-config to use as a base for comparing against the contents of source. + There are times when it is not desirable to have the task get the current running-config + for every task in a playbook. The I(running_config) argument allows the implementer + to pass in the configuration to use as the base config for comparison. This + value of this option should be the output received from device by executing + command C(show configuration commands | grep 'firewall') + type: str + state: + description: + - The state the configuration should be left in. + type: str + choices: + - merged + - replaced + - deleted + - gathered + - rendered + - parsed + default: merged +""" +EXAMPLES = """ +# Using merged +# +# Before state: +# ------------- +# +# vyos@vyos# run show configuration commands | grep firewall +# +# +- name: Merge the provided configuration with the exisiting running configuration + vyos_firewall_global: + config: + validation: strict + config_trap: True + log_martians: True + syn_cookies: True + twa_hazards_protection: True + ping: + all: True + broadcast: True + state_policy: + - connection_type: 'established' + action: 'accept' + log: True + - connection_type: 'invalid' + action: 'reject' + route_redirects: + - afi: 'ipv4' + ip_src_route: True + icmp_redirects: + send: True + receive: False + group: + address_group: + - name: 'MGMT-HOSTS' + description: 'This group has the Management hosts address list' + members: + - address: 192.0.1.1 + - address: 192.0.1.3 + - address: 192.0.1.5 + network_group: + - name: 'MGMT' + description: 'This group has the Management network addresses' + members: + - address: 192.0.1.0/24 + state: merged +# +# +# ------------------------- +# Module Execution Result +# ------------------------- +# +# before": [] +# +# "commands": [ +# "set firewall group address-group MGMT-HOSTS address 192.0.1.1", +# "set firewall group address-group MGMT-HOSTS address 192.0.1.3", +# "set firewall group address-group MGMT-HOSTS address 192.0.1.5", +# "set firewall group address-group MGMT-HOSTS description 'This group has the Management hosts address list'", +# "set firewall group address-group MGMT-HOSTS", +# "set firewall group network-group MGMT network 192.0.1.0/24", +# "set firewall group network-group MGMT description 'This group has the Management network addresses'", +# "set firewall group network-group MGMT", +# "set firewall ip-src-route 'enable'", +# "set firewall receive-redirects 'disable'", +# "set firewall send-redirects 'enable'", +# "set firewall config-trap 'enable'", +# "set firewall state-policy established action 'accept'", +# "set firewall state-policy established log 'enable'", +# "set firewall state-policy invalid action 'reject'", +# "set firewall broadcast-ping 'enable'", +# "set firewall all-ping 'enable'", +# "set firewall log-martians 'enable'", +# "set firewall twa-hazards-protection 'enable'", +# "set firewall syn-cookies 'enable'", +# "set firewall source-validation 'strict'" +# ] +# +# "after": { +# "config_trap": true, +# "group": { +# "address_group": [ +# { +# "description": "This group has the Management hosts address list", +# "members": [ +# { +# "address": "192.0.1.1" +# }, +# { +# "address": "192.0.1.3" +# }, +# { +# "address": "192.0.1.5" +# } +# ], +# "name": "MGMT-HOSTS" +# } +# ], +# "network_group": [ +# { +# "description": "This group has the Management network addresses", +# "members": [ +# { +# "address": "192.0.1.0/24" +# } +# ], +# "name": "MGMT" +# } +# ] +# }, +# "log_martians": true, +# "ping": { +# "all": true, +# "broadcast": true +# }, +# "route_redirects": [ +# { +# "afi": "ipv4", +# "icmp_redirects": { +# "receive": false, +# "send": true +# }, +# "ip_src_route": true +# } +# ], +# "state_policy": [ +# { +# "action": "accept", +# "connection_type": "established", +# "log": true +# }, +# { +# "action": "reject", +# "connection_type": "invalid" +# } +# ], +# "syn_cookies": true, +# "twa_hazards_protection": true, +# "validation": "strict" +# } +# +# After state: +# ------------- +# +# vyos@192# run show configuration commands | grep firewall +# set firewall all-ping 'enable' +# set firewall broadcast-ping 'enable' +# set firewall config-trap 'enable' +# set firewall group address-group MGMT-HOSTS address '192.0.1.1' +# set firewall group address-group MGMT-HOSTS address '192.0.1.3' +# set firewall group address-group MGMT-HOSTS address '192.0.1.5' +# set firewall group address-group MGMT-HOSTS description 'This group has the Management hosts address list' +# set firewall group network-group MGMT description 'This group has the Management network addresses' +# set firewall group network-group MGMT network '192.0.1.0/24' +# set firewall ip-src-route 'enable' +# set firewall log-martians 'enable' +# set firewall receive-redirects 'disable' +# set firewall send-redirects 'enable' +# set firewall source-validation 'strict' +# set firewall state-policy established action 'accept' +# set firewall state-policy established log 'enable' +# set firewall state-policy invalid action 'reject' +# set firewall syn-cookies 'enable' +# set firewall twa-hazards-protection 'enable' +# +# +# Using parsed +# +# +- name: Render the commands for provided configuration + vyos_firewall_global: + running_config: + "set firewall all-ping 'enable' + set firewall broadcast-ping 'enable' + set firewall config-trap 'enable' + set firewall group address-group ENG-HOSTS address '192.0.3.1' + set firewall group address-group ENG-HOSTS address '192.0.3.2' + set firewall group address-group ENG-HOSTS description 'Sales office hosts address list' + set firewall group address-group SALES-HOSTS address '192.0.2.1' + set firewall group address-group SALES-HOSTS address '192.0.2.2' + set firewall group address-group SALES-HOSTS address '192.0.2.3' + set firewall group address-group SALES-HOSTS description 'Sales office hosts address list' + set firewall group network-group MGMT description 'This group has the Management network addresses' + set firewall group network-group MGMT network '192.0.1.0/24' + set firewall ip-src-route 'enable' + set firewall log-martians 'enable' + set firewall receive-redirects 'disable' + set firewall send-redirects 'enable' + set firewall source-validation 'strict' + set firewall state-policy established action 'accept' + set firewall state-policy established log 'enable' + set firewall state-policy invalid action 'reject' + set firewall syn-cookies 'enable' + set firewall twa-hazards-protection 'enable'" + state: parsed +# +# +# ------------------------- +# Module Execution Result +# ------------------------- +# +# +# "parsed": { +# "config_trap": true, +# "group": { +# "address_group": [ +# { +# "description": "Sales office hosts address list", +# "members": [ +# { +# "address": "192.0.3.1" +# }, +# { +# "address": "192.0.3.2" +# } +# ], +# "name": "ENG-HOSTS" +# }, +# { +# "description": "Sales office hosts address list", +# "members": [ +# { +# "address": "192.0.2.1" +# }, +# { +# "address": "192.0.2.2" +# }, +# { +# "address": "192.0.2.3" +# } +# ], +# "name": "SALES-HOSTS" +# } +# ], +# "network_group": [ +# { +# "description": "This group has the Management network addresses", +# "members": [ +# { +# "address": "192.0.1.0/24" +# } +# ], +# "name": "MGMT" +# } +# ] +# }, +# "log_martians": true, +# "ping": { +# "all": true, +# "broadcast": true +# }, +# "route_redirects": [ +# { +# "afi": "ipv4", +# "icmp_redirects": { +# "receive": false, +# "send": true +# }, +# "ip_src_route": true +# } +# ], +# "state_policy": [ +# { +# "action": "accept", +# "connection_type": "established", +# "log": true +# }, +# { +# "action": "reject", +# "connection_type": "invalid" +# } +# ], +# "syn_cookies": true, +# "twa_hazards_protection": true, +# "validation": "strict" +# } +# } +# +# +# Using deleted +# +# Before state +# ------------- +# +# vyos@192# run show configuration commands | grep firewall +# set firewall all-ping 'enable' +# set firewall broadcast-ping 'enable' +# set firewall config-trap 'enable' +# set firewall group address-group MGMT-HOSTS address '192.0.1.1' +# set firewall group address-group MGMT-HOSTS address '192.0.1.3' +# set firewall group address-group MGMT-HOSTS address '192.0.1.5' +# set firewall group address-group MGMT-HOSTS description 'This group has the Management hosts address list' +# set firewall group network-group MGMT description 'This group has the Management network addresses' +# set firewall group network-group MGMT network '192.0.1.0/24' +# set firewall ip-src-route 'enable' +# set firewall log-martians 'enable' +# set firewall receive-redirects 'disable' +# set firewall send-redirects 'enable' +# set firewall source-validation 'strict' +# set firewall state-policy established action 'accept' +# set firewall state-policy established log 'enable' +# set firewall state-policy invalid action 'reject' +# set firewall syn-cookies 'enable' +# set firewall twa-hazards-protection 'enable' +- name: Delete attributes of firewall. + vyos_firewall_global: + config: + state_policy: + config_trap: + log_martians: + syn_cookies: + twa_hazards_protection: + route_redirects: + ping: + group: + state: deleted +# +# +# ------------------------ +# Module Execution Results +# ------------------------ +# +# "before": { +# "config_trap": true, +# "group": { +# "address_group": [ +# { +# "description": "This group has the Management hosts address list", +# "members": [ +# { +# "address": "192.0.1.1" +# }, +# { +# "address": "192.0.1.3" +# }, +# { +# "address": "192.0.1.5" +# } +# ], +# "name": "MGMT-HOSTS" +# } +# ], +# "network_group": [ +# { +# "description": "This group has the Management network addresses", +# "members": [ +# { +# "address": "192.0.1.0/24" +# } +# ], +# "name": "MGMT" +# } +# ] +# }, +# "log_martians": true, +# "ping": { +# "all": true, +# "broadcast": true +# }, +# "route_redirects": [ +# { +# "afi": "ipv4", +# "icmp_redirects": { +# "receive": false, +# "send": true +# }, +# "ip_src_route": true +# } +# ], +# "state_policy": [ +# { +# "action": "accept", +# "connection_type": "established", +# "log": true +# }, +# { +# "action": "reject", +# "connection_type": "invalid" +# } +# ], +# "syn_cookies": true, +# "twa_hazards_protection": true, +# "validation": "strict" +# } +# "commands": [ +# "delete firewall source-validation", +# "delete firewall group", +# "delete firewall log-martians", +# "delete firewall ip-src-route", +# "delete firewall receive-redirects", +# "delete firewall send-redirects", +# "delete firewall config-trap", +# "delete firewall state-policy", +# "delete firewall syn-cookies", +# "delete firewall broadcast-ping", +# "delete firewall all-ping", +# "delete firewall twa-hazards-protection" +# ] +# +# "after": [] +# After state +# ------------ +# vyos@192# run show configuration commands | grep firewall +# set 'firewall' +# +# +# Using replaced +# +# Before state: +# ------------- +# +# vyos@vyos:~$ show configuration commands| grep firewall +# set firewall all-ping 'enable' +# set firewall broadcast-ping 'enable' +# set firewall config-trap 'enable' +# set firewall group address-group MGMT-HOSTS address '192.0.1.1' +# set firewall group address-group MGMT-HOSTS address '192.0.1.3' +# set firewall group address-group MGMT-HOSTS address '192.0.1.5' +# set firewall group address-group MGMT-HOSTS description 'This group has the Management hosts address list' +# set firewall group network-group MGMT description 'This group has the Management network addresses' +# set firewall group network-group MGMT network '192.0.1.0/24' +# set firewall ip-src-route 'enable' +# set firewall log-martians 'enable' +# set firewall receive-redirects 'disable' +# set firewall send-redirects 'enable' +# set firewall source-validation 'strict' +# set firewall state-policy established action 'accept' +# set firewall state-policy established log 'enable' +# set firewall state-policy invalid action 'reject' +# set firewall syn-cookies 'enable' +# set firewall twa-hazards-protection 'enable' +# +- name: Replace firewall global attributes configuration. + vyos_firewall_global: + config: + validation: strict + config_trap: True + log_martians: True + syn_cookies: True + twa_hazards_protection: True + ping: + all: True + broadcast: True + state_policy: + - connection_type: 'established' + action: 'accept' + log: True + - connection_type: 'invalid' + action: 'reject' + route_redirects: + - afi: 'ipv4' + ip_src_route: True + icmp_redirects: + send: True + receive: False + group: + address_group: + - name: 'SALES-HOSTS' + description: 'Sales office hosts address list' + members: + - address: 192.0.2.1 + - address: 192.0.2.2 + - address: 192.0.2.3 + - name: 'ENG-HOSTS' + description: 'Sales office hosts address list' + members: + - address: 192.0.3.1 + - address: 192.0.3.2 + network_group: + - name: 'MGMT' + description: 'This group has the Management network addresses' + members: + - address: 192.0.1.0/24 + state: replaced +# +# +# ------------------------- +# Module Execution Result +# ------------------------- +# +# "before": { +# "config_trap": true, +# "group": { +# "address_group": [ +# { +# "description": "This group has the Management hosts address list", +# "members": [ +# { +# "address": "192.0.1.1" +# }, +# { +# "address": "192.0.1.3" +# }, +# { +# "address": "192.0.1.5" +# } +# ], +# "name": "MGMT-HOSTS" +# } +# ], +# "network_group": [ +# { +# "description": "This group has the Management network addresses", +# "members": [ +# { +# "address": "192.0.1.0/24" +# } +# ], +# "name": "MGMT" +# } +# ] +# }, +# "log_martians": true, +# "ping": { +# "all": true, +# "broadcast": true +# }, +# "route_redirects": [ +# { +# "afi": "ipv4", +# "icmp_redirects": { +# "receive": false, +# "send": true +# }, +# "ip_src_route": true +# } +# ], +# "state_policy": [ +# { +# "action": "accept", +# "connection_type": "established", +# "log": true +# }, +# { +# "action": "reject", +# "connection_type": "invalid" +# } +# ], +# "syn_cookies": true, +# "twa_hazards_protection": true, +# "validation": "strict" +# } +# +# "commands": [ +# "delete firewall group address-group MGMT-HOSTS", +# "set firewall group address-group SALES-HOSTS address 192.0.2.1", +# "set firewall group address-group SALES-HOSTS address 192.0.2.2", +# "set firewall group address-group SALES-HOSTS address 192.0.2.3", +# "set firewall group address-group SALES-HOSTS description 'Sales office hosts address list'", +# "set firewall group address-group SALES-HOSTS", +# "set firewall group address-group ENG-HOSTS address 192.0.3.1", +# "set firewall group address-group ENG-HOSTS address 192.0.3.2", +# "set firewall group address-group ENG-HOSTS description 'Sales office hosts address list'", +# "set firewall group address-group ENG-HOSTS" +# ] +# +# "after": { +# "config_trap": true, +# "group": { +# "address_group": [ +# { +# "description": "Sales office hosts address list", +# "members": [ +# { +# "address": "192.0.3.1" +# }, +# { +# "address": "192.0.3.2" +# } +# ], +# "name": "ENG-HOSTS" +# }, +# { +# "description": "Sales office hosts address list", +# "members": [ +# { +# "address": "192.0.2.1" +# }, +# { +# "address": "192.0.2.2" +# }, +# { +# "address": "192.0.2.3" +# } +# ], +# "name": "SALES-HOSTS" +# } +# ], +# "network_group": [ +# { +# "description": "This group has the Management network addresses", +# "members": [ +# { +# "address": "192.0.1.0/24" +# } +# ], +# "name": "MGMT" +# } +# ] +# }, +# "log_martians": true, +# "ping": { +# "all": true, +# "broadcast": true +# }, +# "route_redirects": [ +# { +# "afi": "ipv4", +# "icmp_redirects": { +# "receive": false, +# "send": true +# }, +# "ip_src_route": true +# } +# ], +# "state_policy": [ +# { +# "action": "accept", +# "connection_type": "established", +# "log": true +# }, +# { +# "action": "reject", +# "connection_type": "invalid" +# } +# ], +# "syn_cookies": true, +# "twa_hazards_protection": true, +# "validation": "strict" +# } +# +# After state: +# ------------- +# +# vyos@192# run show configuration commands | grep firewall +# set firewall all-ping 'enable' +# set firewall broadcast-ping 'enable' +# set firewall config-trap 'enable' +# set firewall group address-group ENG-HOSTS address '192.0.3.1' +# set firewall group address-group ENG-HOSTS address '192.0.3.2' +# set firewall group address-group ENG-HOSTS description 'Sales office hosts address list' +# set firewall group address-group SALES-HOSTS address '192.0.2.1' +# set firewall group address-group SALES-HOSTS address '192.0.2.2' +# set firewall group address-group SALES-HOSTS address '192.0.2.3' +# set firewall group address-group SALES-HOSTS description 'Sales office hosts address list' +# set firewall group network-group MGMT description 'This group has the Management network addresses' +# set firewall group network-group MGMT network '192.0.1.0/24' +# set firewall ip-src-route 'enable' +# set firewall log-martians 'enable' +# set firewall receive-redirects 'disable' +# set firewall send-redirects 'enable' +# set firewall source-validation 'strict' +# set firewall state-policy established action 'accept' +# set firewall state-policy established log 'enable' +# set firewall state-policy invalid action 'reject' +# set firewall syn-cookies 'enable' +# set firewall twa-hazards-protection 'enable' +# +# +# Using gathered +# +# Before state: +# ------------- +# +# vyos@192# run show configuration commands | grep firewall +# set firewall all-ping 'enable' +# set firewall broadcast-ping 'enable' +# set firewall config-trap 'enable' +# set firewall group address-group ENG-HOSTS address '192.0.3.1' +# set firewall group address-group ENG-HOSTS address '192.0.3.2' +# set firewall group address-group ENG-HOSTS description 'Sales office hosts address list' +# set firewall group address-group SALES-HOSTS address '192.0.2.1' +# set firewall group address-group SALES-HOSTS address '192.0.2.2' +# set firewall group address-group SALES-HOSTS address '192.0.2.3' +# set firewall group address-group SALES-HOSTS description 'Sales office hosts address list' +# set firewall group network-group MGMT description 'This group has the Management network addresses' +# set firewall group network-group MGMT network '192.0.1.0/24' +# set firewall ip-src-route 'enable' +# set firewall log-martians 'enable' +# set firewall receive-redirects 'disable' +# set firewall send-redirects 'enable' +# set firewall source-validation 'strict' +# set firewall state-policy established action 'accept' +# set firewall state-policy established log 'enable' +# set firewall state-policy invalid action 'reject' +# set firewall syn-cookies 'enable' +# set firewall twa-hazards-protection 'enable' +# +- name: Gather firewall global config with provided configurations + vyos_firewall_global: + config: + state: gathered +# +# +# ------------------------- +# Module Execution Result +# ------------------------- +# +# "gathered": [ +# { +# "config_trap": true, +# "group": { +# "address_group": [ +# { +# "description": "Sales office hosts address list", +# "members": [ +# { +# "address": "192.0.3.1" +# }, +# { +# "address": "192.0.3.2" +# } +# ], +# "name": "ENG-HOSTS" +# }, +# { +# "description": "Sales office hosts address list", +# "members": [ +# { +# "address": "192.0.2.1" +# }, +# { +# "address": "192.0.2.2" +# }, +# { +# "address": "192.0.2.3" +# } +# ], +# "name": "SALES-HOSTS" +# } +# ], +# "network_group": [ +# { +# "description": "This group has the Management network addresses", +# "members": [ +# { +# "address": "192.0.1.0/24" +# } +# ], +# "name": "MGMT" +# } +# ] +# }, +# "log_martians": true, +# "ping": { +# "all": true, +# "broadcast": true +# }, +# "route_redirects": [ +# { +# "afi": "ipv4", +# "icmp_redirects": { +# "receive": false, +# "send": true +# }, +# "ip_src_route": true +# } +# ], +# "state_policy": [ +# { +# "action": "accept", +# "connection_type": "established", +# "log": true +# }, +# { +# "action": "reject", +# "connection_type": "invalid" +# } +# ], +# "syn_cookies": true, +# "twa_hazards_protection": true, +# "validation": "strict" +# } +# +# After state: +# ------------- +# +# vyos@192# run show configuration commands | grep firewall +# set firewall all-ping 'enable' +# set firewall broadcast-ping 'enable' +# set firewall config-trap 'enable' +# set firewall group address-group ENG-HOSTS address '192.0.3.1' +# set firewall group address-group ENG-HOSTS address '192.0.3.2' +# set firewall group address-group ENG-HOSTS description 'Sales office hosts address list' +# set firewall group address-group SALES-HOSTS address '192.0.2.1' +# set firewall group address-group SALES-HOSTS address '192.0.2.2' +# set firewall group address-group SALES-HOSTS address '192.0.2.3' +# set firewall group address-group SALES-HOSTS description 'Sales office hosts address list' +# set firewall group network-group MGMT description 'This group has the Management network addresses' +# set firewall group network-group MGMT network '192.0.1.0/24' +# set firewall ip-src-route 'enable' +# set firewall log-martians 'enable' +# set firewall receive-redirects 'disable' +# set firewall send-redirects 'enable' +# set firewall source-validation 'strict' +# set firewall state-policy established action 'accept' +# set firewall state-policy established log 'enable' +# set firewall state-policy invalid action 'reject' +# set firewall syn-cookies 'enable' +# set firewall twa-hazards-protection 'enable' + + +# Using rendered +# +# +- name: Render the commands for provided configuration + vyos_firewall_global: + config: + validation: strict + config_trap: True + log_martians: True + syn_cookies: True + twa_hazards_protection: True + ping: + all: True + broadcast: True + state_policy: + - connection_type: 'established' + action: 'accept' + log: True + - connection_type: 'invalid' + action: 'reject' + route_redirects: + - afi: 'ipv4' + ip_src_route: True + icmp_redirects: + send: True + receive: False + group: + address_group: + - name: 'SALES-HOSTS' + description: 'Sales office hosts address list' + members: + - address: 192.0.2.1 + - address: 192.0.2.2 + - address: 192.0.2.3 + - name: 'ENG-HOSTS' + description: 'Sales office hosts address list' + members: + - address: 192.0.3.1 + - address: 192.0.3.2 + network_group: + - name: 'MGMT' + description: 'This group has the Management network addresses' + members: + - address: 192.0.1.0/24 + state: rendered +# +# +# ------------------------- +# Module Execution Result +# ------------------------- +# +# +# "rendered": [ +# "set firewall group address-group SALES-HOSTS address 192.0.2.1", +# "set firewall group address-group SALES-HOSTS address 192.0.2.2", +# "set firewall group address-group SALES-HOSTS address 192.0.2.3", +# "set firewall group address-group SALES-HOSTS description 'Sales office hosts address list'", +# "set firewall group address-group SALES-HOSTS", +# "set firewall group address-group ENG-HOSTS address 192.0.3.1", +# "set firewall group address-group ENG-HOSTS address 192.0.3.2", +# "set firewall group address-group ENG-HOSTS description 'Sales office hosts address list'", +# "set firewall group address-group ENG-HOSTS", +# "set firewall group network-group MGMT network 192.0.1.0/24", +# "set firewall group network-group MGMT description 'This group has the Management network addresses'", +# "set firewall group network-group MGMT", +# "set firewall ip-src-route 'enable'", +# "set firewall receive-redirects 'disable'", +# "set firewall send-redirects 'enable'", +# "set firewall config-trap 'enable'", +# "set firewall state-policy established action 'accept'", +# "set firewall state-policy established log 'enable'", +# "set firewall state-policy invalid action 'reject'", +# "set firewall broadcast-ping 'enable'", +# "set firewall all-ping 'enable'", +# "set firewall log-martians 'enable'", +# "set firewall twa-hazards-protection 'enable'", +# "set firewall syn-cookies 'enable'", +# "set firewall source-validation 'strict'" +# ] +# +# +""" +RETURN = """ +before: + description: The configuration prior to the model invocation. + returned: always + type: list + sample: > + The configuration returned will always be in the same format + of the parameters above. +after: + description: The resulting configuration model invocation. + returned: when changed + type: list + sample: > + The configuration returned will always be in the same format + of the parameters above. +commands: + description: The set of commands pushed to the remote device. + returned: always + type: list + sample: ['set firewall group address-group ENG-HOSTS', + 'set firewall group address-group ENG-HOSTS address 192.0.3.1'] +""" + + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.argspec.firewall_global.firewall_global import ( + Firewall_globalArgs, +) +from ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.config.firewall_global.firewall_global import ( + Firewall_global, +) + + +def main(): + """ + Main entry point for module execution + + :returns: the result form module invocation + """ + required_if = [ + ("state", "merged", ("config",)), + ("state", "replaced", ("config",)), + ("state", "parsed", ("running_config",)), + ] + mutually_exclusive = [("config", "running_config")] + module = AnsibleModule( + argument_spec=Firewall_globalArgs.argument_spec, + required_if=required_if, + supports_check_mode=True, + mutually_exclusive=mutually_exclusive, + ) + + result = Firewall_global(module).execute_module() + module.exit_json(**result) + + +if __name__ == "__main__": + main() |