summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--plugins/module_utils/network/vyos/config/firewall_rules/firewall_rules.py25
-rw-r--r--plugins/modules/vyos_firewall_rules.py130
-rw-r--r--tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml4
-rw-r--r--tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_rule.yaml58
-rw-r--r--tests/integration/targets/vyos_firewall_rules/vars/main.yaml41
5 files changed, 45 insertions, 213 deletions
diff --git a/plugins/module_utils/network/vyos/config/firewall_rules/firewall_rules.py b/plugins/module_utils/network/vyos/config/firewall_rules/firewall_rules.py
index e58593f..5c37741 100644
--- a/plugins/module_utils/network/vyos/config/firewall_rules/firewall_rules.py
+++ b/plugins/module_utils/network/vyos/config/firewall_rules/firewall_rules.py
@@ -235,28 +235,11 @@ class Firewall_rules(ConfigBase):
have, rs["name"], "r_list"
)
if h:
- w_rules = rs.get("rules") or []
- h_rules = h.get("rules") or []
- if w_rules and h_rules:
- for rule in w_rules:
- if self.search_r_sets_in_have(
- h_rules, rule["number"], "rules"
- ):
- commands.append(
- self._add_r_base_attrib(
- w["afi"],
- rs["name"],
- "number",
- rule,
- opr=False,
- )
- )
- else:
- commands.append(
- self._compute_command(
- w["afi"], h["name"], remove=True
- )
+ commands.append(
+ self._compute_command(
+ w["afi"], h["name"], remove=True
)
+ )
elif have:
for h in have:
if h["afi"] == w["afi"]:
diff --git a/plugins/modules/vyos_firewall_rules.py b/plugins/modules/vyos_firewall_rules.py
index a9e676b..687eb03 100644
--- a/plugins/modules/vyos_firewall_rules.py
+++ b/plugins/modules/vyos_firewall_rules.py
@@ -37,7 +37,7 @@ ANSIBLE_METADATA = {
}
DOCUMENTATION = """module: vyos_firewall_rules
-short_description: Manage firewall rule-set attributes on VyOS devices
+short_description: This configures and manages attributes of firewall_rules resorce module
description: This module manages firewall rule-set attributes on VyOS devices
notes:
- Tested against VyOS 1.1.8 (helium).
@@ -486,12 +486,22 @@ EXAMPLES = """
# set firewall group address-group 'inbound'
-# Using deleted to delete all the the firewall rules when provided config is empty
+# Using deleted to delete firewall rules based on afi
#
# Before state
# -------------
#
# vyos@vyos:~$ show configuration commands| grep firewall
+# set firewall ipv6-name UPLINK default-action 'accept'
+# set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'
+# set firewall ipv6-name UPLINK rule 1 action 'accept'
+# set firewall ipv6-name UPLINK rule 1
+# set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'
+# set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec'
+# set firewall ipv6-name UPLINK rule 2 action 'accept'
+# set firewall ipv6-name UPLINK rule 2
+# set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'
+# set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec'
# set firewall group address-group 'inbound'
# set firewall name Downlink default-action 'accept'
# set firewall name Downlink description 'IPv4 INBOUND rule set'
@@ -501,10 +511,12 @@ EXAMPLES = """
# set firewall name Downlink rule 502 action 'reject'
# set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible'
# set firewall name Downlink rule 502 ipsec 'match-ipsec'
+
#
- name: Delete attributes of given firewall rules.
vyos_firewall_rules:
config:
+ - afi: ipv4
state: deleted
#
#
@@ -514,69 +526,29 @@ EXAMPLES = """
#
# "before": [
# {
-# "afi": "ipv4",
+# "afi": "ipv6",
# "rule_sets": [
# {
# "default_action": "accept",
-# "description": "IPv4 INBOUND rule set",
-# "name": "Downlink",
+# "description": "This is ipv6 specific rule-set",
+# "name": "UPLINK",
# "rules": [
# {
# "action": "accept",
-# "description": "Rule 501 is configured by Ansible",
+# "description": "Fwipv6-Rule 1 is configured by Ansible",
# "ipsec": "match-ipsec",
-# "number": 501
+# "number": 1
# },
# {
-# "action": "reject",
-# "description": "Rule 502 is configured by Ansible",
+# "action": "accept",
+# "description": "Fwipv6-Rule 2 is configured by Ansible",
# "ipsec": "match-ipsec",
-# "number": 502
+# "number": 2
# }
# ]
-# }
+# }
# ]
-# }
-# ]
-# "commands": [
-# "delete firewall name"
-# ]
-#
-# "after": []
-# After state
-# ------------
-# vyos@vyos# run show configuration commands | grep firewall
-# set firewall group address-group 'inbound'
-
-
-# Using deleted to delete the the firewall rules based on afi
-#
-# Before state
-# -------------
-#
-# vyos@vyos:~$ show configuration commands| grep firewall
-# set firewall group address-group 'inbound'
-# set firewall name Downlink default-action 'accept'
-# set firewall name Downlink description 'IPv4 INBOUND rule set'
-# set firewall name Downlink rule 501 action 'accept'
-# set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible'
-# set firewall name Downlink rule 501 ipsec 'match-ipsec'
-# set firewall name Downlink rule 502 action 'reject'
-# set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible'
-# set firewall name Downlink rule 502 ipsec 'match-ipsec'
-#
-- name: Delete attributes of given firewall rules.
- vyos_firewall_rules:
- config:
- - afi: ipv4
- state: deleted
-#
-#
-# ------------------------
-# Module Execution Results
-# ------------------------
-#
-# "before": [
+# },
# {
# "afi": "ipv4",
# "rule_sets": [
@@ -603,18 +575,26 @@ EXAMPLES = """
# }
# ]
# "commands": [
-# "delete firewall name",
+# "delete firewall name"
# ]
#
# "after": []
# After state
# ------------
-# vyos@vyos# run show configuration commands | grep firewall
-# set firewall group address-group 'inbound'
-
+# vyos@vyos:~$ show configuration commands| grep firewall
+# set firewall ipv6-name UPLINK default-action 'accept'
+# set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'
+# set firewall ipv6-name UPLINK rule 1 action 'accept'
+# set firewall ipv6-name UPLINK rule 1
+# set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'
+# set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec'
+# set firewall ipv6-name UPLINK rule 2 action 'accept'
+# set firewall ipv6-name UPLINK rule 2
+# set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'
+# set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec'
-# Using deleted to delete the the firewall rules based on rule number/id
+# Using deleted to delete all the the firewall rules when provided config is empty
#
# Before state
# -------------
@@ -633,11 +613,6 @@ EXAMPLES = """
- name: Delete attributes of given firewall rules.
vyos_firewall_rules:
config:
- - afi: ipv4
- rule_sets:
- - name: 'Downlink'
- rules:
- - number: 501
state: deleted
#
#
@@ -672,38 +647,14 @@ EXAMPLES = """
# }
# ]
# "commands": [
-# "delete firewall ipv6-name Downlink rule 501"
+# "delete firewall name"
# ]
#
-# "after": [
-# {
-# "afi": "ipv4",
-# "rule_sets": [
-# {
-# "default_action": "accept",
-# "description": "IPv4 INBOUND rule set",
-# "name": "Downlink",
-# "rules": [
-# {
-# "action": "reject",
-# "description": "Rule 502 is configured by Ansible",
-# "ipsec": "match-ipsec",
-# "number": 502
-# }
-# ]
-# }
-# ]
-# }
-# ]
+# "after": []
# After state
# ------------
-# vyos@vyos:~$ show configuration commands| grep firewall
+# vyos@vyos# run show configuration commands | grep firewall
# set firewall group address-group 'inbound'
-# set firewall name Downlink default-action 'accept'
-# set firewall name Downlink description 'IPv4 INBOUND rule set'
-# set firewall name Downlink rule 502 action 'reject'
-# set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible'
-# set firewall name Downlink rule 502 ipsec 'match-ipsec'
# Using merged
@@ -1546,6 +1497,7 @@ def main():
required_if = [
("state", "merged", ("config",)),
("state", "replaced", ("config",)),
+ ("state", "rendered", ("config",)),
("state", "overridden", ("config",)),
("state", "parsed", ("running_config",)),
]
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml
index 7acfe65..67bfd3c 100644
--- a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml
@@ -11,15 +11,11 @@
register: result
vyos.vyos.vyos_firewall_rules: &id001
config:
-
- afi: ipv6
rule_sets:
-
- name: UPLINK
-
- afi: ipv4
rule_sets:
-
- name: INBOUND
state: deleted
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_rule.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_rule.yaml
deleted file mode 100644
index d77e2a9..0000000
--- a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_rule.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
----
-- debug:
- msg: Start vyos_firewall_rules deleted integration tests ansible_connection={{
- ansible_connection }}
-
-- include_tasks: _populate.yaml
-
-- block:
-
- - name: Delete firewall rule.
- register: result
- vyos.vyos.vyos_firewall_rules: &id001
- config:
-
- - afi: ipv6
- rule_sets:
-
- - name: UPLINK
- rules:
-
- - number: 1
- state: deleted
-
- - name: Assert that the before dicts were correctly generated
- assert:
- that:
- - "{{ populate | symmetric_difference(result['before']) |length == 0 }}"
-
- - name: Assert that the correct set of commands were generated
- assert:
- that:
- - "{{ deleted_r['commands'] | symmetric_difference(result['commands'])\
- \ |length == 0 }}"
-
- - name: Assert that the after dicts were correctly generated
- assert:
- that:
- - "{{ deleted_r['after'] | symmetric_difference(result['after']) |length\
- \ == 0 }}"
-
- - name: Delete attributes of given interfaces (IDEMPOTENT)
- register: result
- vyos.vyos.vyos_firewall_rules: *id001
-
- - name: Assert that the previous task was idempotent
- assert:
- that:
- - result.changed == false
- - result.commands|length == 0
-
- - name: Assert that the before dicts were correctly generated
- assert:
- that:
- - "{{ deleted_r['after'] | symmetric_difference(result['before']) |length\
- \ == 0 }}"
- always:
-
- - include_tasks: _remove_config.yaml
diff --git a/tests/integration/targets/vyos_firewall_rules/vars/main.yaml b/tests/integration/targets/vyos_firewall_rules/vars/main.yaml
index c15a101..adfc48a 100644
--- a/tests/integration/targets/vyos_firewall_rules/vars/main.yaml
+++ b/tests/integration/targets/vyos_firewall_rules/vars/main.yaml
@@ -229,47 +229,6 @@ deleted_afi_all:
- delete firewall ipv6-name
- delete firewall name
after: []
-deleted_r:
- commands:
- - delete firewall ipv6-name UPLINK rule 1
- after:
- - afi: ipv6
- rule_sets:
- - name: UPLINK
- description: This is ipv6 specific rule-set
- default_action: accept
- rules:
- - number: 2
- action: accept
- description: Fwipv6-Rule 2 is configured by Ansible
- ipsec: match-ipsec
- - afi: ipv4
- rule_sets:
- - name: INBOUND
- description: IPv4 INBOUND rule set
- default_action: accept
- rules:
- - number: 101
- action: accept
- description: Rule 101 is configured by Ansible
- ipsec: match-ipsec
- - number: 102
- action: reject
- description: Rule 102 is configured by Ansible
- ipsec: match-ipsec
- - number: 103
- action: accept
- description: Rule 103 is configured by Ansible
- destination:
- group:
- address_group: inbound
- source:
- address: 192.0.2.0
- state:
- established: true
- new: false
- invalid: false
- related: true
round_trip:
after:
- afi: ipv6