author | omnom62 <75066712+omnom62@users.noreply.github.com> | 2025-01-25 21:38:00 +1000 |
committer | GitHub <noreply@github.com> | 2025-01-25 06:38:00 -0500 |
commit | d0c73e6bdd3ca3ff9d87c8339b2c5611b694d6dc (patch) | |
tree | 3b4f957ae38250dd4062e35ae44d7bb7bf66d635 /tests/integration/targets/vyos_firewall_rules | |
parent | af5b93277699b2dc3732f08573ef127b784cb2ce (diff) | |
download | vyos.vyos-d0c73e6bdd3ca3ff9d87c8339b2c5611b694d6dc.tar.gz vyos.vyos-d0c73e6bdd3ca3ff9d87c8339b2c5611b694d6dc.zip |
T6817 & T6825 & T7004 updates - fw_rules override and replaced fixes (#368)
* T6817 updates
* updates / additions to unit tests and code for fw_rules (t6817)
* code and use cases for override fw_rules
* ovr idem unit test for fw rules v14 in WIP
* Fixed replace add_rule func to remove unmatching config - t6825
* first cut of unit tests for t6825 and t6817 - draft
* Fixed replaced unit tests and code for inbound/outbound interface attributes
* use network_cli's remove_empties
* fixed disabled=True and a few unit tests in v1.3
* add_log func for firewall_rules updated
* firewall_rules log attribute processing for v1.4 and idemp
* + In overriden :
- Added func to compare r_sets
- Added code to isolate r_set changes to only targeted
- Fixed parsers for packet_length_exclude
- started to troubleshoot filter processing
* completed fixes and unit tests for firewall_rules as in T6817 and T6825
* T7004 integration tests init fix
* 'state' attrib processing fix
* deleted and merged integration tests fixed for 1.3- and 1.4+
* fixed deleted, parsed, replaced integration tests for 1.3- and 1.4+
* fixed _remove_config, merged integration tests
* added comments to unit tests
* more v1.3- unit tests moved to 1.4+ unit test suite
* 1.3/1.4 unit test suite synced
* overridden integration test fixed
* fixed replaced idempotency
* moved data to vars (integration tests)
* updated parsed (integration tests)
* D.R.Y. for integration tests for firewall_rules plugin
* vanilla data set for integration tests to support 1.5
Diffstat (limited to 'tests/integration/targets/vyos_firewall_rules')
17 files changed, 398 insertions, 189 deletions
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/_get_version.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/_get_version.yaml
new file mode 100644
index 0000000..dda9fcc
--- /dev/null
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/_get_version.yaml
@@ -0,0 +1,31 @@
+- name: make sure to get facts
+ vyos.vyos.vyos_facts:
+ vars:
+ ansible_connection: ansible.netcommon.network_cli
+ register: vyos_facts
+ when: vyos_version is not defined
+
+- name: debug vyos_facts
+ debug:
+ var: vyos_facts
+
+- name: pull version from facts
+ set_fact:
+ vyos_version: "{{ vyos_facts.ansible_facts.ansible_net_version.split('-')[0].split(' ')[-1] }}"
+ when: vyos_version is not defined
+
+- name: fix '.0' versions
+ set_fact:
+ vyos_version: "{{ vyos_version }}.0"
+ when: vyos_version.count('.') == 1
+
+- name: include correct vars
+ include_vars: pre-v1_4.yaml
+ when: vyos_version is version('1.4.0', '<', version_type='semver')
+
+- name: include correct vars
+ include_vars: v1_4.yaml
+ when: vyos_version is version('1.4.0', '>=', version_type='semver')
+
+- name: include common vars
+ include_vars: main.yaml
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config.cfg b/tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config_1_3.cfg
index b54c109..bb8bc23 100644
--- a/tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config.cfg
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config_1_3.cfg
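Review bot: The two `include correct vars` tasks fail with an opaque templating error whenever `vyos_version` does not normalize to three numeric components, because nothing validates the value derived from `ansible_net_version.split('-')[0].split(' ')[-1]` before `is version('1.4.0', ..., version_type='semver')` is evaluated. An explicit check between the `.0` fix-up and the includes makes that failure readable: `- name: validate version` / `  assert:` / `    that: vyos_version is match('^\d+\.\d+\.\d+')`. The `debug: var: vyos_facts` task prints the whole facts result on every include, even when the gather task was skipped; `verbosity: 1` under `debug:` keeps normal test output quiet. The file would also benefit from a header comment stating its contract, e.g. `# Derives vyos_version (semver) from facts unless already set, then loads pre-v1_4.yaml or v1_4.yaml plus main.yaml.`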
@@ -3,18 +3,18 @@ set firewall ipv6-name UPLINK default-action 'accept' set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' set firewall ipv6-name UPLINK rule 1 action 'accept' set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible' -set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec' +set firewall ipv6-name UPLINK rule 1 protocol 'tcp' set firewall ipv6-name UPLINK rule 2 action 'accept' set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible' -set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec' +set firewall ipv6-name UPLINK rule 2 protocol 'tcp' set firewall name INBOUND default-action 'accept' set firewall name INBOUND description 'IPv4 INBOUND rule set' set firewall name INBOUND rule 101 action 'accept' set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible' -set firewall name INBOUND rule 101 ipsec 'match-ipsec' +set firewall name INBOUND rule 101 protocol 'tcp' set firewall name INBOUND rule 102 action 'reject' set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible' -set firewall name INBOUND rule 102 ipsec 'match-ipsec' +set firewall name INBOUND rule 102 protocol 'tcp' set firewall name INBOUND rule 103 action 'accept' set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible' set firewall name INBOUND rule 103 destination group address-group 'inbound' diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config_1_4.cfg b/tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config_1_4.cfg new file mode 100644 index 0000000..315ae95 --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config_1_4.cfg 
@@ -0,0 +1,23 @@ +set firewall group address-group 'inbound' +set firewall ipv6 name UPLINK default-action 'accept' +set firewall ipv6 name UPLINK description 'This is ipv6 specific rule-set' +set firewall ipv6 name UPLINK rule 1 action 'accept' +set firewall ipv6 name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible' +set firewall ipv6 name UPLINK rule 1 protocol 'tcp' +set firewall ipv6 name UPLINK rule 2 action 'accept' +set firewall ipv6 name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible' +set firewall ipv6 name UPLINK rule 2 protocol 'tcp' +set firewall ipv4 name INBOUND default-action 'accept' +set firewall ipv4 name INBOUND description 'IPv4 INBOUND rule set' +set firewall ipv4 name INBOUND rule 101 action 'accept' +set firewall ipv4 name INBOUND rule 101 description 'Rule 101 is configured by Ansible' +set firewall ipv4 name INBOUND rule 101 protocol 'tcp' +set firewall ipv4 name INBOUND rule 102 action 'reject' +set firewall ipv4 name INBOUND rule 102 description 'Rule 102 is configured by Ansible' +set firewall ipv4 name INBOUND rule 102 protocol 'tcp' +set firewall ipv4 name INBOUND rule 103 action 'accept' +set firewall ipv4 name INBOUND rule 103 description 'Rule 103 is configured by Ansible' +set firewall ipv4 name INBOUND rule 103 destination group address-group 'inbound' +set firewall ipv4 name INBOUND rule 103 source address '192.0.2.0' +set firewall ipv4 name INBOUND rule 103 state established +set firewall ipv4 name INBOUND rule 103 state related diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/_populate.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/_populate.yaml index 31e0d13..6c235be 100644 --- a/tests/integration/targets/vyos_firewall_rules/tests/cli/_populate.yaml +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/_populate.yaml 
@@ -1,31 +1,11 @@
 ---
-- name: Setup
+- ansible.builtin.include_tasks: _remove_config.yaml
+
+- name: ensure facts
+ include_tasks: _get_version.yaml
+
+- name: Setup {{ vyos_version }}
+ vyos.vyos.vyos_config:
+ lines: "{{ populate_config }}"
 vars:
- lines: |-
- set firewall group address-group 'inbound'
- set firewall ipv6-name UPLINK default-action 'accept'
- set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'
- set firewall ipv6-name UPLINK rule 1 action 'accept'
- set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'
- set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec'
- set firewall ipv6-name UPLINK rule 2 action 'accept'
- set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'
- set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec'
- set firewall name INBOUND default-action 'accept'
- set firewall name INBOUND description 'IPv4 INBOUND rule set'
- set firewall name INBOUND rule 101 action 'accept'
- set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'
- set firewall name INBOUND rule 101 ipsec 'match-ipsec'
- set firewall name INBOUND rule 102 action 'reject'
- set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible'
- set firewall name INBOUND rule 102 ipsec 'match-ipsec'
- set firewall name INBOUND rule 103 action 'accept'
- set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible'
- set firewall name INBOUND rule 103 destination group address-group 'inbound'
- set firewall name INBOUND rule 103 source address '192.0.2.0'
- set firewall name INBOUND rule 103 state established 'enable'
- set firewall name INBOUND rule 103 state invalid 'disable'
- set firewall name INBOUND rule 103 state new 'disable'
- set firewall name INBOUND rule 103 state related 'enable'
- ansible.netcommon.cli_config:
- config: "{{ lines }}"
+ ansible_connection: ansible.netcommon.network_cli
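Review bot: `_populate.yaml` now includes both `_remove_config.yaml` and `_get_version.yaml`, but `_remove_config.yaml` (same commit) already includes `_get_version.yaml` itself, so every populate runs the facts, version and `include_vars` tasks twice, and the `rtt.yaml` change adds yet another pass. Dropping the `ensure facts` task here, or keeping it and removing the copy inside `_remove_config.yaml`, is enough. A one-line header would also help the next reader: `# Resets the firewall rule sets, then applies the version-specific populate_config from vars/.`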
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/_remove_config.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/_remove_config.yaml
index b4fc796..31f527f 100644
--- a/tests/integration/targets/vyos_firewall_rules/tests/cli/_remove_config.yaml
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/_remove_config.yaml
@@ -1,6 +1,10 @@
 ---
-- name: Remove Config
+- name: ensure facts
+ include_tasks: _get_version.yaml
+
+- name: Remove pre-existing firewall rules
+ vyos.vyos.vyos_config:
+ lines: "{{ remove_config }}"
+ ignore_errors: true
 vars:
- lines: "delete firewall ipv6-name\ndelete firewall name\n"
- ansible.netcommon.cli_config:
- config: "{{ lines }}"
+ ansible_connection: ansible.netcommon.network_cli
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml
index 97b3ae8..2784c2d 100644
--- a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml
@@ -5,7 +5,7 @@
 - include_tasks: _populate.yaml
 
 - block:
-    - name: Delete firewall rule set.
+    - name: Delete firewall rule set
 register: result
 vyos.vyos.vyos_firewall_rules: &id001
 config:
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_afi.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_afi.yaml
index c7a2278..3df19cd 100644
--- a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_afi.yaml
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_afi.yaml
@@ -5,7 +5,7 @@
 - include_tasks: _populate.yaml
 
 - block:
-    - name: Delete firewall rule.
+    - name: Delete firewall rule
 register: result
 vyos.vyos.vyos_firewall_rules: &id001
 config:
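Review bot: `ignore_errors: true` on the `Remove pre-existing firewall rules` task hides every failure, including connection, authentication or privilege problems, so a later test would run against a device that still carries the old rule sets and fail on an unrelated assertion. If the only expected error is deleting a node that does not exist, register the result and tolerate just that case with `failed_when` (assuming the VyOS "nothing to delete" text is stable across the releases tested), or follow the delete with a facts gather that asserts the rule sets are gone. Worth a comment on `remove_config` as well: the `v1_4.yaml` value (`delete firewall ipv4` / `delete firewall ipv6`) removes the whole per-family firewall trees, not only the named rule sets that the pre-1.4 variant deletes, so this target must only be pointed at a disposable test device.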
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_all.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_all.yaml index c55a4c5..84c66bd 100644 --- a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_all.yaml +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_all.yaml @@ -5,7 +5,7 @@ - include_tasks: _populate.yaml - block: - - name: Delete all the firewall rules. + - name: Delete all the firewall rules register: result vyos.vyos.vyos_firewall_rules: &id001 config: diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/merged.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/merged.yaml index 674b437..27973d8 100644 --- a/tests/integration/targets/vyos_firewall_rules/tests/cli/merged.yaml +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/merged.yaml @@ -20,12 +20,12 @@ - number: 1 action: accept description: Fwipv6-Rule 1 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 2 action: accept description: Fwipv6-Rule 2 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - afi: ipv4 rule_sets: @@ -36,13 +36,13 @@ - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp disabled: true - number: 102 action: reject description: Rule 102 is configured by Ansible - ipsec: match-ipsec + protocol: tcp disable: true - number: 103 diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/overridden.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/overridden.yaml index 6e1b3a3..3b64939 100644 --- a/tests/integration/targets/vyos_firewall_rules/tests/cli/overridden.yaml +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/overridden.yaml 
@@ -20,14 +20,18 @@ - number: 501 action: accept description: Rule 501 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 502 action: reject description: Rule 502 is configured by Ansible - ipsec: match-ipsec + protocol: tcp state: overridden + - name: Print result + debug: + msg: "Result: {{ result }}" + - name: Assert that before dicts were correctly generated assert: that: diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/parsed.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/parsed.yaml index e6eae78..85a7c33 100644 --- a/tests/integration/targets/vyos_firewall_rules/tests/cli/parsed.yaml +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/parsed.yaml @@ -2,13 +2,22 @@ - debug: msg: START vyos_firewall_rules parsed integration tests on connection={{ ansible_connection }} -- name: Parse externally provided Firewall rules config to agnostic model - register: result - vyos.vyos.vyos_firewall_rules: - running_config: "{{ lookup('file', '_parsed_config.cfg') }}" - state: parsed +- name: ensure facts + include_tasks: _get_version.yaml + +- name: version {{ vyos_version }} + block: + - name: Parse externally provided Firewall rules config to agnostic model + register: result + vyos.vyos.vyos_firewall_rules: + running_config: "{{ lookup('file', parsed_config_file) }}" + state: parsed + - name: set result + set_fact: + parsed_result: "{{ result }}" - name: Assert that config was correctly parsed assert: that: - - "{{ parsed['after'] | symmetric_difference(result['parsed']) |length == 0 }}" + - parsed_result.changed == false + - "{{ parsed['after'] | symmetric_difference(parsed_result['parsed']) |length == 0 }}" diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/rendered.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/rendered.yaml index 36feb69..229ceb0 100644 --- a/tests/integration/targets/vyos_firewall_rules/tests/cli/rendered.yaml 
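Review bot: The new `Print result` debug task dumps the full module result into the output of every run and reads as a leftover from troubleshooting the overridden path. Either drop it before merge or keep it quiet by default with `verbosity: 1` under `debug:`. The block enclosing these tasks starts before the hunk.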
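Review bot: The `set result` task copies `result` into `parsed_result` for no visible reason: a registered variable is not scoped to the enclosing block, so the assertion can read `result` directly and the extra `set_fact` can go. The new condition is also more idiomatic as `- not parsed_result.changed` rather than `- parsed_result.changed == false`. The block named `version {{ vyos_version }}` carries no `when`, so its name is purely informational; a comment such as `# vyos_version selects parsed_config_file via vars/pre-v1_4.yaml or vars/v1_4.yaml` says why it exists.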
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/rendered.yaml @@ -24,12 +24,12 @@ - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 102 action: reject description: Rule 102 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 103 action: accept diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/replaced.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/replaced.yaml index 5959c22..b194462 100644 --- a/tests/integration/targets/vyos_firewall_rules/tests/cli/replaced.yaml +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/replaced.yaml @@ -26,12 +26,12 @@ - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 104 action: reject description: Rule 104 is configured by Ansible - ipsec: match-none + protocol: udp state: replaced - name: Assert that correct set of commands were generated diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/rtt.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/rtt.yaml index dcf5b28..be066f9 100644 --- a/tests/integration/targets/vyos_firewall_rules/tests/cli/rtt.yaml +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/rtt.yaml @@ -2,6 +2,8 @@ - debug: msg: START vyos_firewall_rules round trip integration tests on connection={{ ansible_connection }} +- include_tasks: _populate.yaml + - include_tasks: _remove_config.yaml - block: @@ -18,12 +20,12 @@ - number: 1 action: accept description: Fwipv6-Rule 1 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 2 action: accept description: Fwipv6-Rule 2 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - afi: ipv4 rule_sets: 
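Review bot: The added `include_tasks: _populate.yaml`, immediately followed by the existing `include_tasks: _remove_config.yaml`, pushes the full firewall fixture to the device and deletes it again before the round-trip test starts. If the intent is only to load the version-specific vars, `include_tasks: _get_version.yaml` does that without two configuration round trips (and `_remove_config.yaml` already includes it). If populating first is deliberate for this test, a one-line comment above the include should say why.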
@@ -34,12 +36,12 @@ - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 102 action: reject description: Rule 102 is configured by Ansible - ipsec: match-ipsec + protocol: tcp state: merged - name: Gather firewall_rules facts diff --git a/tests/integration/targets/vyos_firewall_rules/vars/main.yaml b/tests/integration/targets/vyos_firewall_rules/vars/main.yaml index e2b3e10..c249b34 100644 --- a/tests/integration/targets/vyos_firewall_rules/vars/main.yaml +++ b/tests/integration/targets/vyos_firewall_rules/vars/main.yaml 
@@ -1,38 +1,7 @@ --- merged: before: [] - commands: - - set firewall ipv6-name UPLINK default-action 'accept' - - set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' - - set firewall ipv6-name UPLINK rule 1 action 'accept' - - set firewall ipv6-name UPLINK rule 1 - - set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible' - - set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec' - - set firewall ipv6-name UPLINK rule 2 action 'accept' - - set firewall ipv6-name UPLINK rule 2 - - set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible' - - set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec' - - set firewall name INBOUND default-action 'accept' - - set firewall name INBOUND description 'IPv4 INBOUND rule set' - - set firewall name INBOUND rule 101 action 'accept' - - set firewall name INBOUND rule 101 disable - - set firewall name INBOUND rule 101 - - set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible' - - set firewall name INBOUND rule 101 ipsec 'match-ipsec' - - set firewall name INBOUND rule 102 action 'reject' - - set firewall name INBOUND rule 102 disable - - set firewall name INBOUND rule 102 - - set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible' - - set firewall name INBOUND rule 102 ipsec 'match-ipsec' - - set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible' - - set firewall name INBOUND rule 103 destination group address-group inbound - - set firewall name INBOUND rule 103 - - set firewall name INBOUND rule 103 source address 192.0.2.0 - - set firewall name INBOUND rule 103 state established enable - - set firewall name INBOUND rule 103 state related enable - - set firewall name INBOUND rule 103 state invalid disable - - set firewall name INBOUND rule 103 state new disable - - set firewall name INBOUND rule 103 action 'accept' + commands: "{{ merged_commands }}" after: - 
afi: ipv6 rule_sets: @@ -43,11 +12,11 @@ merged: - number: 1 action: accept description: Fwipv6-Rule 1 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 2 action: accept description: Fwipv6-Rule 2 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - afi: ipv4 rule_sets: - name: INBOUND @@ -57,13 +26,13 @@ merged: - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp disable: true - number: 102 action: reject disable: true description: Rule 102 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 103 action: accept description: Rule 103 is configured by Ansible @@ -72,11 +41,8 @@ merged: address_group: inbound source: address: 192.0.2.0 - state: - established: true - new: false - invalid: false - related: true + state: "{{ state_dict }}" + populate: - afi: ipv6 rule_sets: @@ -87,11 +53,11 @@ populate: - number: 1 action: accept description: Fwipv6-Rule 1 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 2 action: accept description: Fwipv6-Rule 2 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - afi: ipv4 rule_sets: - name: INBOUND @@ -101,11 +67,11 @@ populate: - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 102 action: reject description: Rule 102 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 103 action: accept description: Rule 103 is configured by Ansible 
@@ -114,21 +80,10 @@ populate: address_group: inbound source: address: 192.0.2.0 - state: - established: true - new: false - invalid: false - related: true + state: "{{ state_dict }}" + replaced: - commands: - - delete firewall ipv6-name UPLINK rule 1 - - delete firewall ipv6-name UPLINK rule 2 - - delete firewall name INBOUND rule 102 - - delete firewall name INBOUND rule 103 - - set firewall name INBOUND rule 104 action 'reject' - - set firewall name INBOUND rule 104 description 'Rule 104 is configured by Ansible' - - set firewall name INBOUND rule 104 - - set firewall name INBOUND rule 104 ipsec 'match-none' + commands: "{{ replaced_commands }}" after: - afi: ipv6 rule_sets: @@ -144,11 +99,11 @@ replaced: - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 104 action: reject description: Rule 104 is configured by Ansible - ipsec: match-none + protocol: udp overridden: before: - afi: ipv6 @@ -165,24 +120,12 @@ overridden: - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 104 action: reject description: Rule 104 is configured by Ansible - ipsec: match-none - commands: - - delete firewall ipv6-name UPLINK - - delete firewall name INBOUND - - set firewall name Downlink default-action 'accept' - - set firewall name Downlink description 'IPv4 INBOUND rule set' - - set firewall name Downlink rule 501 action 'accept' - - set firewall name Downlink rule 501 - - set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible' - - set firewall name Downlink rule 501 ipsec 'match-ipsec' - - set firewall name Downlink rule 502 action 'reject' - - set firewall name Downlink rule 502 - - set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible' - - set firewall name Downlink rule 502 ipsec 'match-ipsec' + protocol: udp + commands: "{{ overridden_commands }}" after: - afi: ipv4 rule_sets: 
@@ -193,11 +136,11 @@ overridden: - number: 501 action: accept description: Rule 501 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 502 action: reject description: Rule 502 is configured by Ansible - ipsec: match-ipsec + protocol: tcp parsed: after: - afi: ipv6 @@ -209,11 +152,11 @@ parsed: - number: 1 action: accept description: Fwipv6-Rule 1 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 2 action: accept description: Fwipv6-Rule 2 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - afi: ipv4 rule_sets: - name: INBOUND @@ -223,11 +166,11 @@ parsed: - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 102 action: reject description: Rule 102 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 103 action: accept description: Rule 103 is configured by Ansible 
@@ -236,44 +179,8 @@ parsed: address_group: inbound source: address: 192.0.2.0 - state: - established: true - new: false - invalid: false - related: true -rendered: - commands: - - set firewall ipv6-name UPLINK default-action 'accept' - - set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' - - set firewall name INBOUND default-action 'accept' - - set firewall name INBOUND description 'IPv4 INBOUND rule set' - - set firewall name INBOUND rule 101 action 'accept' - - set firewall name INBOUND rule 101 - - set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible' - - set firewall name INBOUND rule 101 ipsec 'match-ipsec' - - set firewall name INBOUND rule 102 action 'reject' - - set firewall name INBOUND rule 102 - - set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible' - - set firewall name INBOUND rule 102 ipsec 'match-ipsec' - - set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible' - - set firewall name INBOUND rule 103 destination group address-group inbound - - set firewall name INBOUND rule 103 - - set firewall name INBOUND rule 103 source address 192.0.2.0 - - set firewall name INBOUND rule 103 state established enable - - set firewall name INBOUND rule 103 state related enable - - set firewall name INBOUND rule 103 state invalid disable - - set firewall name INBOUND rule 103 state new disable - - set firewall name INBOUND rule 103 action 'accept' -deleted_rs: - commands: - - delete firewall ipv6-name UPLINK - - delete firewall name INBOUND - after: [] -deleted_afi_all: - commands: - - delete firewall ipv6-name - - delete firewall name - after: [] + state: "{{ state_dict }}" + round_trip: after: - afi: ipv6 
@@ -285,11 +192,11 @@ round_trip: - number: 1 action: accept description: Fwipv6-Rule 1 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 2 action: accept description: Fwipv6-Rule 2 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - afi: ipv4 rule_sets: - name: INBOUND @@ -299,18 +206,14 @@ round_trip: - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 102 action: reject description: Rule 102 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 103 action: accept description: Rule 103 is configured by Ansible source: address: 192.0.2.0 - state: - established: true - new: false - invalid: false - related: true + state: "{{ state_dict }}" diff --git a/tests/integration/targets/vyos_firewall_rules/vars/pre-v1_4.yaml b/tests/integration/targets/vyos_firewall_rules/vars/pre-v1_4.yaml new file mode 100644 index 0000000..c7d7398 --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/vars/pre-v1_4.yaml 
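Review bot: `commands: "{{ merged_commands }}"`, `"{{ replaced_commands }}"`, `"{{ overridden_commands }}"` and `state: "{{ state_dict }}"` make `vars/main.yaml` depend on variables that exist only after `_get_version.yaml` has included `pre-v1_4.yaml` or `v1_4.yaml`; templating is lazy so the file loads, but any test that evaluates `merged.commands` before that include fails with an undefined-variable error. The same applies to `rendered`, `deleted_rs` and `deleted_afi_all`, which this section removes from `main.yaml`: if `rendered.yaml` does not go through `_populate.yaml` or `_get_version.yaml` (its hunk here does not show it), `rendered.commands` is now undefined. A header comment would make the contract explicit: `# *_commands, state_dict, parsed_config_file and remove_config are defined in pre-v1_4.yaml / v1_4.yaml; run tests/cli/_get_version.yaml before using these dicts.`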
@@ -0,0 +1,130 @@ +--- +merged_commands: + - set firewall ipv6-name UPLINK default-action 'accept' + - set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' + - set firewall ipv6-name UPLINK rule 1 action 'accept' + - set firewall ipv6-name UPLINK rule 1 + - set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible' + - set firewall ipv6-name UPLINK rule 1 protocol 'tcp' + - set firewall ipv6-name UPLINK rule 2 action 'accept' + - set firewall ipv6-name UPLINK rule 2 + - set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible' + - set firewall ipv6-name UPLINK rule 2 protocol 'tcp' + - set firewall name INBOUND default-action 'accept' + - set firewall name INBOUND description 'IPv4 INBOUND rule set' + - set firewall name INBOUND rule 101 action 'accept' + - set firewall name INBOUND rule 101 disable + - set firewall name INBOUND rule 101 + - set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible' + - set firewall name INBOUND rule 101 protocol 'tcp' + - set firewall name INBOUND rule 102 action 'reject' + - set firewall name INBOUND rule 102 disable + - set firewall name INBOUND rule 102 + - set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible' + - set firewall name INBOUND rule 102 protocol 'tcp' + - set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible' + - set firewall name INBOUND rule 103 destination group address-group inbound + - set firewall name INBOUND rule 103 + - set firewall name INBOUND rule 103 source address 192.0.2.0 + - set firewall name INBOUND rule 103 state established enable + - set firewall name INBOUND rule 103 state related enable + - set firewall name INBOUND rule 103 state invalid disable + - set firewall name INBOUND rule 103 state new disable + - set firewall name INBOUND rule 103 action 'accept' + +populate_config: + - set firewall group address-group 'inbound' + - set 
firewall ipv6-name UPLINK default-action 'accept' + - set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' + - set firewall ipv6-name UPLINK rule 1 action 'accept' + - set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible' + - set firewall ipv6-name UPLINK rule 1 protocol 'tcp' + - set firewall ipv6-name UPLINK rule 2 action 'accept' + - set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible' + - set firewall ipv6-name UPLINK rule 2 protocol 'tcp' + - set firewall name INBOUND default-action 'accept' + - set firewall name INBOUND description 'IPv4 INBOUND rule set' + - set firewall name INBOUND rule 101 action 'accept' + - set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible' + - set firewall name INBOUND rule 101 protocol 'tcp' + - set firewall name INBOUND rule 102 action 'reject' + - set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible' + - set firewall name INBOUND rule 102 protocol 'tcp' + - set firewall name INBOUND rule 103 action 'accept' + - set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible' + - set firewall name INBOUND rule 103 destination group address-group 'inbound' + - set firewall name INBOUND rule 103 source address '192.0.2.0' + - set firewall name INBOUND rule 103 state established 'enable' + - set firewall name INBOUND rule 103 state invalid 'disable' + - set firewall name INBOUND rule 103 state new 'disable' + - set firewall name INBOUND rule 103 state related 'enable' + +remove_config: + - delete firewall name + - delete firewall ipv6-name + +parsed_config_file: "_parsed_config_1_3.cfg" + +replaced_commands: + - delete firewall ipv6-name UPLINK rule 1 + - delete firewall ipv6-name UPLINK rule 2 + - delete firewall name INBOUND rule 102 + - delete firewall name INBOUND rule 103 + - set firewall name INBOUND rule 104 action 'reject' + - set firewall name INBOUND rule 
104 description 'Rule 104 is configured by Ansible' + - set firewall name INBOUND rule 104 + - set firewall name INBOUND rule 104 protocol 'udp' + +overridden_commands: + - delete firewall ipv6-name UPLINK + - delete firewall name INBOUND + - set firewall name Downlink default-action 'accept' + - set firewall name Downlink description 'IPv4 INBOUND rule set' + - set firewall name Downlink rule 501 action 'accept' + - set firewall name Downlink rule 501 + - set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible' + - set firewall name Downlink rule 501 protocol 'tcp' + - set firewall name Downlink rule 502 action 'reject' + - set firewall name Downlink rule 502 + - set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible' + - set firewall name Downlink rule 502 protocol 'tcp' + +rendered: + commands: + - set firewall ipv6-name UPLINK default-action 'accept' + - set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' + - set firewall name INBOUND default-action 'accept' + - set firewall name INBOUND description 'IPv4 INBOUND rule set' + - set firewall name INBOUND rule 101 action 'accept' + - set firewall name INBOUND rule 101 + - set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible' + - set firewall name INBOUND rule 101 protocol 'tcp' + - set firewall name INBOUND rule 102 action 'reject' + - set firewall name INBOUND rule 102 + - set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible' + - set firewall name INBOUND rule 102 protocol 'tcp' + - set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible' + - set firewall name INBOUND rule 103 destination group address-group inbound + - set firewall name INBOUND rule 103 + - set firewall name INBOUND rule 103 source address 192.0.2.0 + - set firewall name INBOUND rule 103 state established enable + - set firewall name INBOUND rule 103 state related enable + - set 
firewall name INBOUND rule 103 state invalid disable + - set firewall name INBOUND rule 103 state new disable + - set firewall name INBOUND rule 103 action 'accept' +deleted_rs: + commands: + - delete firewall ipv6-name UPLINK + - delete firewall name INBOUND + after: [] +deleted_afi_all: + commands: + - delete firewall ipv6-name + - delete firewall name + after: [] + +state_dict: + established: true + new: false + invalid: false + related: true diff --git a/tests/integration/targets/vyos_firewall_rules/vars/v1_4.yaml b/tests/integration/targets/vyos_firewall_rules/vars/v1_4.yaml new file mode 100644 index 0000000..267803f --- /dev/null +++ b/tests/integration/targets/vyos_firewall_rules/vars/v1_4.yaml 
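Review bot: The new file has no header saying which VyOS releases it serves or who loads it, so a reader has to cross-reference `_get_version.yaml` to understand the split between this file and `v1_4.yaml`. Suggest opening it with `# Expected commands and fixtures for VyOS < 1.4 (legacy 'firewall name' / 'firewall ipv6-name' syntax). Loaded by tests/cli/_get_version.yaml.` `state_dict` and the `after: []` entries under `deleted_rs` / `deleted_afi_all` look version independent; if the `v1_4.yaml` copies are identical (that hunk is cut off here), they belong in `vars/main.yaml` so the two files cannot drift apart.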
@@ -0,0 +1,123 @@ +--- +merged_commands: + - set firewall ipv6 name UPLINK default-action 'accept' + - set firewall ipv6 name UPLINK description 'This is ipv6 specific rule-set' + - set firewall ipv6 name UPLINK rule 1 action 'accept' + - set firewall ipv6 name UPLINK rule 1 + - set firewall ipv6 name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible' + - set firewall ipv6 name UPLINK rule 1 protocol 'tcp' + - set firewall ipv6 name UPLINK rule 2 action 'accept' + - set firewall ipv6 name UPLINK rule 2 + - set firewall ipv6 name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible' + - set firewall ipv6 name UPLINK rule 2 protocol 'tcp' + - set firewall ipv4 name INBOUND default-action 'accept' + - set firewall ipv4 name INBOUND description 'IPv4 INBOUND rule set' + - set firewall ipv4 name INBOUND rule 101 action 'accept' + - set firewall ipv4 name INBOUND rule 101 disable + - set firewall ipv4 name INBOUND rule 101 + - set firewall ipv4 name INBOUND rule 101 description 'Rule 101 is configured by Ansible' + - set firewall ipv4 name INBOUND rule 101 protocol 'tcp' + - set firewall ipv4 name INBOUND rule 102 action 'reject' + - set firewall ipv4 name INBOUND rule 102 disable + - set firewall ipv4 name INBOUND rule 102 + - set firewall ipv4 name INBOUND rule 102 description 'Rule 102 is configured by Ansible' + - set firewall ipv4 name INBOUND rule 102 protocol 'tcp' + - set firewall ipv4 name INBOUND rule 103 description 'Rule 103 is configured by Ansible' + - set firewall ipv4 name INBOUND rule 103 destination group address-group inbound + - set firewall ipv4 name INBOUND rule 103 + - set firewall ipv4 name INBOUND rule 103 source address 192.0.2.0 + - set firewall ipv4 name INBOUND rule 103 state established + - set firewall ipv4 name INBOUND rule 103 state related + - set firewall ipv4 name INBOUND rule 103 action 'accept' + +populate_config: + - set firewall group address-group 'inbound' + - set firewall ipv6 name UPLINK 
default-action 'accept' + - set firewall ipv6 name UPLINK description 'This is ipv6 specific rule-set' + - set firewall ipv6 name UPLINK rule 1 action 'accept' + - set firewall ipv6 name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible' + - set firewall ipv6 name UPLINK rule 1 protocol 'tcp' + - set firewall ipv6 name UPLINK rule 2 action 'accept' + - set firewall ipv6 name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible' + - set firewall ipv6 name UPLINK rule 2 protocol 'tcp' + - set firewall ipv4 name INBOUND default-action 'accept' + - set firewall ipv4 name INBOUND description 'IPv4 INBOUND rule set' + - set firewall ipv4 name INBOUND rule 101 action 'accept' + - set firewall ipv4 name INBOUND rule 101 description 'Rule 101 is configured by Ansible' + - set firewall ipv4 name INBOUND rule 101 protocol 'tcp' + - set firewall ipv4 name INBOUND rule 102 action 'reject' + - set firewall ipv4 name INBOUND rule 102 description 'Rule 102 is configured by Ansible' + - set firewall ipv4 name INBOUND rule 102 protocol 'tcp' + - set firewall ipv4 name INBOUND rule 103 action 'accept' + - set firewall ipv4 name INBOUND rule 103 description 'Rule 103 is configured by Ansible' + - set firewall ipv4 name INBOUND rule 103 destination group address-group 'inbound' + - set firewall ipv4 name INBOUND rule 103 source address '192.0.2.0' + - set firewall ipv4 name INBOUND rule 103 state established + - set firewall ipv4 name INBOUND rule 103 state related + +remove_config: + - delete firewall ipv4 + - delete firewall ipv6 + +parsed_config_file: "_parsed_config_1_4.cfg" + +replaced_commands: + - delete firewall ipv6 name UPLINK rule 1 + - delete firewall ipv6 name UPLINK rule 2 + - delete firewall ipv4 name INBOUND rule 102 + - delete firewall ipv4 name INBOUND rule 103 + - set firewall ipv4 name INBOUND rule 104 action 'reject' + - set firewall ipv4 name INBOUND rule 104 description 'Rule 104 is configured by Ansible' + - set firewall ipv4 name 
INBOUND rule 104 + - set firewall ipv4 name INBOUND rule 104 protocol 'udp' + +overridden_commands: + - delete firewall ipv6 name UPLINK + - delete firewall ipv4 name INBOUND + - set firewall ipv4 name Downlink default-action 'accept' + - set firewall ipv4 name Downlink description 'IPv4 INBOUND rule set' + - set firewall ipv4 name Downlink rule 501 action 'accept' + - set firewall ipv4 name Downlink rule 501 + - set firewall ipv4 name Downlink rule 501 description 'Rule 501 is configured by Ansible' + - set firewall ipv4 name Downlink rule 501 protocol 'tcp' + - set firewall ipv4 name Downlink rule 502 action 'reject' + - set firewall ipv4 name Downlink rule 502 + - set firewall ipv4 name Downlink rule 502 description 'Rule 502 is configured by Ansible' + - set firewall ipv4 name Downlink rule 502 protocol 'tcp' + + +rendered: + commands: + - set firewall ipv6 name UPLINK default-action 'accept' + - set firewall ipv6 name UPLINK description 'This is ipv6 specific rule-set' + - set firewall ipv4 name INBOUND default-action 'accept' + - set firewall ipv4 name INBOUND description 'IPv4 INBOUND rule set' + - set firewall ipv4 name INBOUND rule 101 action 'accept' + - set firewall ipv4 name INBOUND rule 101 + - set firewall ipv4 name INBOUND rule 101 description 'Rule 101 is configured by Ansible' + - set firewall ipv4 name INBOUND rule 101 protocol 'tcp' + - set firewall ipv4 name INBOUND rule 102 action 'reject' + - set firewall ipv4 name INBOUND rule 102 + - set firewall ipv4 name INBOUND rule 102 description 'Rule 102 is configured by Ansible' + - set firewall ipv4 name INBOUND rule 102 protocol 'tcp' + - set firewall ipv4 name INBOUND rule 103 description 'Rule 103 is configured by Ansible' + - set firewall ipv4 name INBOUND rule 103 destination group address-group inbound + - set firewall ipv4 name INBOUND rule 103 + - set firewall ipv4 name INBOUND rule 103 source address 192.0.2.0 + - set firewall ipv4 name INBOUND rule 103 state established + - set firewall 
ipv4 name INBOUND rule 103 state related + - set firewall ipv4 name INBOUND rule 103 action 'accept' +deleted_rs: + commands: + - delete firewall ipv6 name UPLINK + - delete firewall ipv4 name INBOUND + after: [] +deleted_afi_all: + commands: + - delete firewall ipv6 + - delete firewall ipv4 + after: [] + +state_dict: + established: true + related: true |
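Review bot: `deleted_afi_all` near the end of the hunk expects `delete firewall ipv4` / `delete firewall ipv6`, which on 1.4 removes the entire address-family firewall tree rather than only the named rule sets this module manages; the v1_3 vars on the same page pin the narrower `delete firewall name` / `delete firewall ipv6-name`, and the 1.4 equivalent of that scope would be `delete firewall ipv4 name` and `delete firewall ipv6 name`. If the wholesale delete is what the module deliberately issues, a short comment above the block saying so would stop a reader taking it for a test-data slip, because anything else under `firewall ipv4` (the forward/input/output filter chains on 1.4, for instance) is dropped together with the rule sets. Separately, `remove_config` deletes only `firewall ipv4` and `firewall ipv6` while `populate_config` also creates `firewall group address-group 'inbound'`, so that group survives from one test run to the next; adding `- delete firewall group address-group 'inbound'` after the two existing deletes cleans it up (rule 103 references the group, so it has to go after them).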