3 files changed, 54 insertions, 5 deletions
| diff --git a/changelogs/fragments/fix-firewall_rules-state-replaced.yaml b/changelogs/fragments/fix-firewall_rules-state-replaced.yaml
new file mode 100644
index 00000000..231cd71b
--- /dev/null
+++ b/changelogs/fragments/fix-firewall_rules-state-replaced.yaml
@@ -0,0 +1,3 @@
+---
+bugfixes:
+  - Fix vyos_firewall_rules with state replaced to only replace the specified rules.
diff --git a/plugins/module_utils/network/vyos/config/firewall_rules/firewall_rules.py b/plugins/module_utils/network/vyos/config/firewall_rules/firewall_rules.py
index fd5a4f59..3c56626f
--- a/plugins/module_utils/network/vyos/config/firewall_rules/firewall_rules.py
+++ b/plugins/module_utils/network/vyos/config/firewall_rules/firewall_rules.py
@@ -167,13 +167,29 @@ class Firewall_rules(ConfigBase):
         """
         commands = []
         if have:
+            # Iterate over the afi rule sets we already have.
             for h in have:
                 r_sets = self._get_r_sets(h)
+                # Iterate over each rule set we already have.
                 for rs in r_sets:
-                    w = self.search_r_sets_in_have(want, rs["name"], "r_list")
-                    commands.extend(
-                        self._add_r_sets(h["afi"], rs, w, opr=False)
+                    # In the desired configuration, search for the rule set we
+                    # already have (to be replaced by our desired
+                    # configuration's rule set).
+                    wanted_rule_set = self.search_r_sets_in_have(
+                        want, rs["name"], "r_list"
                     )
+                    if wanted_rule_set is not None:
+                        # Remove the rules that we already have if the wanted
+                        # rules exist under the same name.
+                        commands.extend(
+                            self._add_r_sets(
+                                h["afi"],
+                                want=rs,
+                                have=wanted_rule_set,
+                                opr=False,
+                            )
+                        )
+        # Merge the desired configuration into what we already have.
         commands.extend(self._state_merged(want, have))
         return commands
diff --git a/tests/unit/modules/network/vyos/test_vyos_firewall_rules.py b/tests/unit/modules/network/vyos/test_vyos_firewall_rules.py
index 520446ed..dd3dbcea
--- a/tests/unit/modules/network/vyos/test_vyos_firewall_rules.py
+++ b/tests/unit/modules/network/vyos/test_vyos_firewall_rules.py
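Review bot: The new lookup `wanted_rule_set = self.search_r_sets_in_have(want, rs["name"], "r_list")` pairs the existing rule set with a wanted one by name alone and is handed the whole `want` list rather than the entry matching `h["afi"]`, so unless that helper scopes by address family (its body is not in this hunk) an ipv4 set and an ipv6 set that share a name would be matched to each other and the wrong one torn down under `opr=False`, which for a firewall means silently widening what is allowed through. Passing only the afi-specific slice of `want` into the search, or adding a unit test with same-named rule sets under `afi="ipv4"` and `afi="ipv6"`, would close that gap. Separately, `want=rs, have=wanted_rule_set` hands the set that already exists to the `want` parameter; this preserves the previous positional order, but the inverted names read like a defect, so a comment such as `# deliberately swapped: with opr=False, _add_r_sets apparently emits deletes for what it receives as "want"` would spare the next reader a detour. The enclosing method's signature and docstring sit above the hunk, and the docstring should now state that rule sets absent from `want` are left untouched under state replaced.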
@@ -788,7 +788,6 @@ class TestVyosFirewallRulesModule(TestVyosModule):
         )
         commands = [
             "delete firewall name V4-INGRESS rule 101 disabled",
-            "delete firewall name V4-EGRESS default-action",
             "set firewall name V4-INGRESS description 'This is IPv4 INGRESS rule set'",
             "set firewall name V4-INGRESS rule 101 protocol 'tcp'",
             "set firewall name V4-INGRESS rule 101 description 'Rule 101 is configured by Ansible RM'",
@@ -854,7 +853,6 @@ class TestVyosFirewallRulesModule(TestVyosModule):
         )
         commands = [
             "delete firewall name V4-INGRESS enable-default-log",
-            "delete firewall name V4-EGRESS default-action",
         ]
         self.execute_module(changed=True, commands=commands)
@@ -913,6 +911,38 @@ class TestVyosFirewallRulesModule(TestVyosModule):
         )
         self.execute_module(changed=False, commands=[])
+    def test_vyos_firewall_v4v6_rule_sets_rule_rep_idem_02(self):
+        set_module_args(
+            dict(
+                config=[
+                    dict(
+                        afi="ipv4",
+                        rule_sets=[
+                            dict(
+                                name="V4-INGRESS",
+                                description="This is IPv4 V4-INGRESS rule set",
+                                default_action="accept",
+                                enable_default_log=True,
+                                rules=[
+                                    dict(
+                                        number="101",
+                                        action="accept",
+                                        description="Rule 101 is configured by Ansible",
+                                        ipsec="match-ipsec",
+                                        protocol="icmp",
+                                        fragment="match-frag",
+                                        disabled=True,
+                                    ),
+                                ],
+                            ),
+                        ],
+                    ),
+                ],
+                state="replaced",
+            )
+        )
+        self.execute_module(changed=False, commands=[])
+
     def test_vyos_firewall_v4v6_rule_sets_rule_mer_idem_01(self):
         set_module_args(
             dict( |
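Review bot: The added test only pins idempotence (a `state="replaced"` request for V4-INGRESS that already matches the device yields `changed=False`), and with the two `delete firewall name V4-EGRESS default-action` expectations dropped elsewhere in this diff, nothing visible here asserts the other half of the new semantics: that a rule present on the device but omitted from the same-named wanted rule set is still deleted. A companion case that sends V4-INGRESS without rule 101 and expects a `delete firewall name V4-INGRESS rule 101` command (the exact text depends on the fixture, which is outside the hunk) would lock in that a replaced rule set does not quietly keep stale permits. A short docstring on the new method saying it exercises replaced-state idempotence for a single fully specified rule set would also make its purpose clearer than the `_02` suffix does.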
