author | maxime <37832743+mlk-89@users.noreply.github.com> | 2024-11-18 20:37:36 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-11-18 21:37:36 +0200 |
commit | 67cda0147ab54136ef0604427c5a01a7f4b21986 (patch) | |
tree | 4d78ab585fcf90f2dfd6315294969199aef9ed33 /plugins/modules | |
parent | 37ba454f746ab6c4b05fef520ced523e2ad032cb (diff) | |
Add feature for bonding/vlan interface in the firewall_interfaces (#246)
* - Add feature for bonding interface in the firewall_interfaces
- Add feature for vlan interface in the firewall_interfaces
* fix a bug when invoking replaced in the module firewall_rules.
* - Add feature for bonding interface in the firewall_interfaces
- Add feature for vlan interface in the firewall_interfaces
* test: add tests
* fix: support for interface types
* docs: fixed for 1.4 deprecation
---------
Co-authored-by: Maxime.L <maxime@nfrance.com>
Co-authored-by: Gaige B. Paulsen <gaige@cluetrust.com>
Co-authored-by: Gaige B Paulsen <gaige@cluetrust.net>
Diffstat (limited to 'plugins/modules')
-rw-r--r-- | plugins/modules/vyos_firewall_interfaces.py | 408 |
1 files changed, 171 insertions, 237 deletions
diff --git a/plugins/modules/vyos_firewall_interfaces.py b/plugins/modules/vyos_firewall_interfaces.py
index 11f3e527..2feabe49 100644
--- a/plugins/modules/vyos_firewall_interfaces.py
+++ b/plugins/modules/vyos_firewall_interfaces.py
@@ -31,14 +31,24 @@ from __future__ import absolute_import, division, print_function
 __metaclass__ = type
+ANSIBLE_METADATA = {
+ "metadata_version": "1.1",
+ "status": ["preview"],
+ "supported_by": "network",
+}
 DOCUMENTATION = """
+---
 module: vyos_firewall_interfaces
-short_description: FIREWALL interfaces resource module
-description: Manage firewall rules of interfaces on VyOS network devices.
-version_added: 1.0.0
+version_added: '2.10.0'
+short_description: Manage firewall rules attributes of interfaces on VyOS devices
+description: Manage firewall rules of interfaces on VyOS network devices. (1.3-)
 author:
 - Rohit Thakur (@rohitthakur2590)
+notes:
+- Deprecated in VyOS 1.4+, firewalls are no longer connected directly to interfaces. See the Firewall Configuration documentation for how to establish a connection betwen the firewall rulesets and the flow, interface, or zone.
 options:
 config:
 description: A list of firewall rules options for interfaces.
@@ -107,7 +117,6 @@ options:
 - rendered
 - gathered
 default: merged
-
 """
 EXAMPLES = """
 # Using merged 
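Review bot: `version_added` is rewritten from `1.0.0` to `'2.10.0'`, which reads as an ansible-core version rather than a version of this collection; for a collection module the field is the collection version in which the module first shipped, so the old value is most likely the correct one and this line should be reverted unless the changelog says otherwise. The new `notes:` entry has a typo, `betwen` → `between`, and it only points at external documentation without telling an operator what to expect on VyOS 1.4+ — presumably the `set interfaces ... firewall ...` commands this module emits no longer apply there, which for a firewall module is worth stating plainly, e.g. `- Deprecated in VyOS 1.4+: the interface-level firewall configuration this module manages no longer exists; bind rulesets through the firewall configuration instead (see the Firewall Configuration documentation).` The re-added `ANSIBLE_METADATA` block is ignored by current ansible-core (support was dropped in 2.10) and is dead weight. The `DOCUMENTATION` string continues past the end of the hunk.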
@@ -275,206 +284,121 @@ EXAMPLES = """ # Using merged -# + # Before state: # ------------- -# -# vyos@vyos:~$ show configuration commands| grep firewall -# set firewall ipv6-name 'V6-LOCAL' -# set firewall name 'INBOUND' -# set firewall name 'LOCAL' -# set firewall name 'OUTBOUND' -# set interfaces ethernet eth1 firewall in name 'INBOUND' -# set interfaces ethernet eth1 firewall local ipv6-name 'V6-LOCAL' -# set interfaces ethernet eth1 firewall local name 'LOCAL' -# set interfaces ethernet eth1 firewall out name 'OUTBOUND' -# set interfaces ethernet eth3 firewall in name 'INBOUND' -# set interfaces ethernet eth3 firewall local ipv6-name 'V6-LOCAL' -# set interfaces ethernet eth3 firewall local name 'LOCAL' -# set interfaces ethernet eth3 firewall out name 'OUTBOUND' -# -- name: Merge the provided configuration with the existing running configuration - vyos.vyos.vyos_firewall_interfaces: +# vyos@vyos:~$ show configuration commands | grep interfaces +# set interfaces bonding 'bond0' +# set interfaces bonding 'bond1' +# set interfaces bonding bond2 'ip' +# set interfaces bonding bond2 'ipv6' +# set interfaces ethernet eth0 address 'dhcp' +# set interfaces ethernet eth0 duplex 'auto' +# set interfaces ethernet eth0 'ip' +# set interfaces ethernet eth0 'ipv6' +# set interfaces ethernet eth0 smp_affinity 'auto' +# set interfaces ethernet eth0 speed 'auto' +# set interfaces ethernet 'eth1' +# set interfaces ethernet 'eth2' + +- name: Merge provided configuration with device configuration + vyos.vyos.vyos_interfaces: config: - - access_rules: - - afi: ipv4 - rules: - - name: OUTBOUND - direction: in - - name: INBOUND - direction: out - name: eth1 + - name: eth2 + description: Configured by Ansible + enabled: true + vifs: + - vlan_id: 200 + description: VIF 200 - ETH2 + - name: eth3 + description: Configured by Ansible + mtu: 1500 + - name: bond1 + description: Bond - 1 + mtu: 1200 + - name: vti2 + description: VTI - 2 + enabled: false state: merged -# -# -# 
------------------------- -# Module Execution Result -# ------------------------- -# -# "before": [ -# { -# "name": "eth0" -# }, -# { -# "access_rules": [ -# { -# "afi": "ipv4", -# "rules": [ -# { -# "direction": "in", -# "name": "INBOUND" -# }, -# { -# "direction": "local", -# "name": "LOCAL" -# }, -# { -# "direction": "out", -# "name": "OUTBOUND" -# } -# ] -# }, -# { -# "afi": "ipv6", -# "rules": [ -# { -# "direction": "local", -# "name": "V6-LOCAL" -# } -# ] -# } -# ], -# "name": "eth1" -# }, -# { -# "name": "eth2" -# }, -# { -# "access_rules": [ -# { -# "afi": "ipv4", -# "rules": [ -# { -# "direction": "in", -# "name": "INBOUND" -# }, -# { -# "direction": "local", -# "name": "LOCAL" -# }, -# { -# "direction": "out", -# "name": "OUTBOUND" -# } -# ] -# }, -# { -# "afi": "ipv6", -# "rules": [ -# { -# "direction": "local", -# "name": "V6-LOCAL" -# } -# ] -# } -# ], -# "name": "eth3" -# } -# ] -# -# "commands": [ -# "set interfaces ethernet eth1 firewall in name 'OUTBOUND'", -# "set interfaces ethernet eth1 firewall out name 'INBOUND'" -# ] -# -# "after": [ -# { -# "name": "eth0" -# }, -# { -# "access_rules": [ -# { -# "afi": "ipv4", -# "rules": [ -# { -# "direction": "in", -# "name": "OUTBOUND" -# }, -# { -# "direction": "local", -# "name": "LOCAL" -# }, -# { -# "direction": "out", -# "name": "INBOUND" -# } -# ] -# }, -# { -# "afi": "ipv6", -# "rules": [ -# { -# "direction": "local", -# "name": "V6-LOCAL" -# } -# ] -# } -# ], -# "name": "eth1" -# }, -# { -# "name": "eth2" -# }, -# { -# "access_rules": [ -# { -# "afi": "ipv4", -# "rules": [ -# { -# "direction": "in", -# "name": "INBOUND" -# }, -# { -# "direction": "local", -# "name": "LOCAL" -# }, -# { -# "direction": "out", -# "name": "OUTBOUND" -# } -# ] -# }, -# { -# "afi": "ipv6", -# "rules": [ -# { -# "direction": "local", -# "name": "V6-LOCAL" -# } -# ] -# } -# ], -# "name": "eth3" -# } -# ] -# +# Task Output +# ----------- +# before: +# - enabled: true +# name: lo +# - enabled: true +# name: eth3 +# - 
enabled: true +# name: eth2 +# - enabled: true +# name: eth1 +# - duplex: auto +# enabled: true +# name: eth0 +# speed: auto +# commands: +# - set interfaces ethernet eth2 description 'Configured by Ansible' +# - set interfaces ethernet eth2 vif 200 +# - set interfaces ethernet eth2 vif 200 description 'VIF 200 - ETH2' +# - set interfaces ethernet eth3 description 'Configured by Ansible' +# - set interfaces ethernet eth3 mtu '1500' +# - set interfaces bonding bond1 +# - set interfaces bonding bond1 description 'Bond - 1' +# - set interfaces bonding bond1 mtu '1200' +# - set interfaces vti vti2 +# - set interfaces vti vti2 description 'VTI - 2' +# - set interfaces vti vti2 disable +# after: +# - description: Bond - 1 +# enabled: true +# mtu: 1200 +# name: bond1 +# - enabled: true +# name: lo +# - description: VTI - 2 +# enabled: false +# name: vti2 +# - description: Configured by Ansible +# enabled: true +# mtu: 1500 +# name: eth3 +# - description: Configured by Ansible +# enabled: true +# name: eth2 +# vifs: +# - description: VIF 200 - ETH2 +# enabled: true +# vlan_id: '200' +# - enabled: true +# name: eth1 +# - duplex: auto +# enabled: true +# name: eth0 +# speed: auto + # After state: -# ------------- -# -# vyos@vyos:~$ show configuration commands| grep firewall -# set firewall ipv6-name 'V6-LOCAL' -# set firewall name 'INBOUND' -# set firewall name 'LOCAL' -# set firewall name 'OUTBOUND' -# set interfaces ethernet eth1 firewall in name 'OUTBOUND' -# set interfaces ethernet eth1 firewall local ipv6-name 'V6-LOCAL' -# set interfaces ethernet eth1 firewall local name 'LOCAL' -# set interfaces ethernet eth1 firewall out name 'INBOUND' -# set interfaces ethernet eth3 firewall in name 'INBOUND' -# set interfaces ethernet eth3 firewall local ipv6-name 'V6-LOCAL' -# set interfaces ethernet eth3 firewall local name 'LOCAL' -# set interfaces ethernet eth3 firewall out name 'OUTBOUND' +# ------------ +# vyos@vyos:~$ show configuration commands | grep interfaces +# set 
interfaces bonding bond1 description 'Bond - 1' +# set interfaces bonding bond1 mtu '1200' +# set interfaces ethernet eth0 address 'dhcp' +# set interfaces ethernet eth0 address 'dhcpv6' +# set interfaces ethernet eth0 duplex 'auto' +# set interfaces ethernet eth0 hw-id '08:00:27:30:f0:22' +# set interfaces ethernet eth0 smp-affinity 'auto' +# set interfaces ethernet eth0 speed 'auto' +# set interfaces ethernet eth1 hw-id '08:00:27:ea:0f:b9' +# set interfaces ethernet eth1 smp-affinity 'auto' +# set interfaces ethernet eth2 description 'Configured by Ansible' +# set interfaces ethernet eth2 hw-id '08:00:27:c2:98:23' +# set interfaces ethernet eth2 smp-affinity 'auto' +# set interfaces ethernet eth2 vif 200 description 'VIF 200 - ETH2' +# set interfaces ethernet eth3 description 'Configured by Ansible' +# set interfaces ethernet eth3 hw-id '08:00:27:43:70:8c' +# set interfaces ethernet eth3 mtu '1500' +# set interfaces loopback lo +# set interfaces vti vti2 description 'VTI - 2' +# set interfaces vti vti2 disable # Using replaced @@ -518,7 +442,6 @@ EXAMPLES = """ - name: INBOUND direction: in state: replaced - # # # ------------------------- @@ -749,7 +672,7 @@ EXAMPLES = """ # "delete interfaces ethernet eth1 firewall", # "delete interfaces ethernet eth3 firewall in name", # "set interfaces ethernet eth3 firewall out name 'INBOUND'" -# +# ] # # "after": [ # { @@ -897,20 +820,7 @@ EXAMPLES = """ # "delete interfaces ethernet eth3 firewall" # ] # -# "after": [ -# { -# "name": "eth0" -# }, -# { -# "name": "eth1" -# }, -# { -# "name": "eth2" -# }, -# { -# "name": "eth3" -# } -# ] +# "after" : [] # After state # ------------ # vyos@vyos# run show configuration commands | grep firewall @@ -968,6 +878,7 @@ EXAMPLES = """ # set firewall name 'LOCAL' # set firewall name 'OUTBOUND' + # Using deleted without config # # Before state 
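Review bot: The replacement "Using merged" example calls `vyos.vyos.vyos_interfaces` with `description`, `mtu`, `enabled` and `vifs` keys and shows `grep interfaces` before/after output, none of which belongs to this module's argspec (`access_rules`/`rules`), so vyos_firewall_interfaces now documents another module's task and has lost its only merged example of attaching a ruleset to an interface. Since the commit adds bonding and VLAN support here, the example should invoke `vyos.vyos.vyos_firewall_interfaces:` with an `access_rules` entry on a bonding interface and on a VLAN sub-interface, together with the matching `set interfaces bonding ... firewall ...` before/after `grep firewall` output. The pasted after-state also lists `hw-id` MAC addresses and `smp-affinity`, which are device facts unrelated to firewall state and should not appear in this module's docs. A user copying the task as written configures interfaces but attaches no firewall at all, which is the wrong outcome to teach in a firewall module's reference example.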
@@ -990,6 +901,13 @@ EXAMPLES = """ - name: Delete firewall interfaces config when empty config provided. vyos.vyos.vyos_firewall_interfaces: state: deleted +# After state +# ------------ +# vyos@vyos# run show configuration commands | grep firewall +# set firewall ipv6-name 'V6-LOCAL' +# set firewall name 'INBOUND' +# set firewall name 'LOCAL' +# set firewall name 'OUTBOUND' # # # ------------------------ @@ -1001,17 +919,11 @@ EXAMPLES = """ # "delete interfaces ethernet eth1 firewall" # ] # -# After state -# ------------ -# vyos@vyos# run show configuration commands | grep firewall -# set firewall ipv6-name 'V6-LOCAL' -# set firewall name 'INBOUND' -# set firewall name 'LOCAL' -# set firewall name 'OUTBOUND' # Using parsed # +# - name: Parse the provided configuration vyos.vyos.vyos_firewall_interfaces: running_config: @@ -1202,14 +1114,13 @@ EXAMPLES = """ access_rules: - afi: ipv4 rules: - - direction: in - name: INGRESS - - direction: out - name: OUTGRESS - - direction: local - name: DROP + - name: INGRESS + direction: in + - name: OUTGRESS + direction: out + - name: DROP + direction: local state: rendered - # # # ------------------------- 
@@ -1226,19 +1137,19 @@ EXAMPLES = """
 """
 RETURN = """
 before:
- description: The configuration prior to the model invocation.
- returned: always
- type: list
+ description: The configuration prior to the module execution.
+ returned: when I(state) is C(merged), C(replaced), C(overridden), C(deleted) or C(purged)
+ type: dict
 sample: >
- The configuration returned will always be in the same format
- of the parameters above.
+ This output will always be in the same format as the
+ module argspec.
 after:
- description: The resulting configuration model invocation.
+ description: The resulting configuration after module execution.
 returned: when changed
- type: list
+ type: dict
 sample: >
- The configuration returned will always be in the same format
- of the parameters above.
+ This output will always be in the same format as the
+ module argspec.
 commands:
 description: The set of commands pushed to the remote device.
 returned: always
@@ -1246,6 +1157,28 @@ commands:
 sample:
 - "set interfaces ethernet eth1 firewall local ipv6-name 'V6-LOCAL'"
 - "set interfaces ethernet eth3 firewall in name 'INBOUND'"
+rendered:
+ description: The provided configuration in the task rendered in device-native format (offline).
+ returned: when I(state) is C(rendered)
+ type: list
+ sample:
+ - "set interfaces ethernet eth1 firewall local ipv6-name 'V6-LOCAL'"
+ - "set interfaces ethernet eth3 firewall in name 'INBOUND'"
+gathered:
+ description: Facts about the network resource gathered from the remote device as structured data.
+ returned: when I(state) is C(gathered)
+ type: list
+ sample: >
+ This output will always be in the same format as the
+ module argspec.
+parsed:
+ description: The device native config provided in I(running_config) option parsed into structured data as per module argspec.
+ returned: when I(state) is C(parsed)
+ type: list
+ sample: >
+ This output will always be in the same format as the
+ module argspec.
+
 """ 
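Review bot: `before` and `after` are retyped from `list` to `dict`, but every example in this file shows them as a list of per-interface entries (`"before": [ {"name": "eth0"}, ... ]`, and the `"after" : []` this same commit introduces), and the `gathered`/`parsed` entries added in the second hunk keep `type: list` for the same structure, so the new type is wrong for this module and will mislead both consumers and the docs build; keep `type: list` and add `elements: dict`. The `returned:` text for `before` also lists `C(purged)`, a state that does not appear among the choices visible in this diff or in any example — confirm against the argspec and drop it if it is not offered. The `gathered` sample is copied from the `before` prose; a concrete structured sample (an `access_rules` list for one interface) would be more useful there.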
@@ -1268,6 +1201,7 @@ def main():
 required_if = [
 ("state", "merged", ("config",)),
 ("state", "replaced", ("config",)),
+ ("state", "rendered", ("config",)),
 ("state", "overridden", ("config",)),
 ("state", "parsed", ("running_config",)),
 ] |