From 37ba454f746ab6c4b05fef520ced523e2ad032cb Mon Sep 17 00:00:00 2001 From: Gaige B Paulsen Date: Mon, 18 Nov 2024 07:33:49 -0500 Subject: T6882: fix: firewall global-options (#359) * T6882: fix: firewall global-options Updated a couple of RST files due to pre-commit * T6882: chore: update changelog * T6882: chore: update changelog * T6882: test: update tests to cover change --- changelogs/fragments/cliconf.yml | 1 - changelogs/fragments/firewall_global_parsing.yml | 3 + docs/vyos.vyos.vyos_firewall_global_module.rst | 29 +- docs/vyos.vyos.vyos_firewall_rules_module.rst | 495 ++++++++++++++++++++- .../vyos/facts/firewall_global/firewall_global.py | 4 +- .../vyos/fixtures/vyos_firewall_global_config.cfg | 2 + .../fixtures/vyos_firewall_global_config_v14.cfg | 2 + .../network/vyos/test_vyos_firewall_global.py | 19 +- .../network/vyos/test_vyos_firewall_global14.py | 18 +- 9 files changed, 546 insertions(+), 27 deletions(-) create mode 100644 changelogs/fragments/firewall_global_parsing.yml diff --git a/changelogs/fragments/cliconf.yml b/changelogs/fragments/cliconf.yml index 53c26ada..1eb0880d 100644 --- a/changelogs/fragments/cliconf.yml +++ b/changelogs/fragments/cliconf.yml @@ -1,4 +1,3 @@ --- - minor_changes: - added `network_os_major_version` to facts diff --git a/changelogs/fragments/firewall_global_parsing.yml b/changelogs/fragments/firewall_global_parsing.yml new file mode 100644 index 00000000..cec6cfc9 --- /dev/null +++ b/changelogs/fragments/firewall_global_parsing.yml @@ -0,0 +1,3 @@ +--- +minor_changes: + - Fixed parsing of global-options (1.4+) diff --git a/docs/vyos.vyos.vyos_firewall_global_module.rst b/docs/vyos.vyos.vyos_firewall_global_module.rst index a77ce80f..8c234afb 100644 --- a/docs/vyos.vyos.vyos_firewall_global_module.rst +++ b/docs/vyos.vyos.vyos_firewall_global_module.rst @@ -705,6 +705,33 @@ Parameters
Enable logging of packets part of an established connection.
+ + + + +
+ log_level + +
+ string +
+ + + + + +
Only available in 1.4+
+ + @@ -852,7 +879,6 @@ Examples - connection_type: established action: accept log: true - log_level: emer - connection_type: invalid action: reject route_redirects: @@ -898,7 +924,6 @@ Examples # "set firewall config-trap 'enable'", # "set firewall state-policy established action 'accept'", # "set firewall state-policy established log 'enable'", - # "set firewall state-policy established log-level 'emer'", # "set firewall state-policy invalid action 'reject'", # "set firewall broadcast-ping 'enable'", # "set firewall all-ping 'enable'", diff --git a/docs/vyos.vyos.vyos_firewall_rules_module.rst b/docs/vyos.vyos.vyos_firewall_rules_module.rst index b3d619be..ad363b4e 100644 --- a/docs/vyos.vyos.vyos_firewall_rules_module.rst +++ b/docs/vyos.vyos.vyos_firewall_rules_module.rst @@ -103,13 +103,33 @@ Parameters
  • drop
  • reject
  • accept
  • +
  • jump
  • Default action for rule-set.
    drop (Drop if no prior rules are hit (default))
    reject (Drop and notify source if no prior rules are hit)
    -
    accept (Accept if no prior rules are hit)
    +
    accept (Accept if no prior rules are hit) - jump (Jump to another rule-set, 1.4+)
    + + + + + + +
    + default_jump_target + +
    + string +
    + + + + +
    Default jump target if the default action is jump.
    +
    Only valid in 1.4 and later.
    +
    Only valid when default_action = jump.
    @@ -150,6 +170,29 @@ Parameters
    Option to log packets hitting default-action.
    + + + + +
    + filter + +
    + string +
    + + + + + +
    Filter type (exclusive to "name").
    +
    Supported in 1.4 and later.
    + + @@ -165,6 +208,7 @@ Parameters
    Firewall rule set name.
    +
    Required for 1.3- and optional for 1.4+.
    @@ -203,10 +247,17 @@ Parameters
  • reject
  • accept
  • inspect
  • +
  • continue
  • +
  • return
  • +
  • jump
  • +
  • queue
  • +
  • synproxy
  • Specifying the action.
    +
    inspect is available < 1.4
    +
    continue, return, jump, queue, synproxy are available >= 1.4
    @@ -389,6 +440,7 @@ Parameters
    Option to disable firewall rule.
    +
    aliased to disabled

    aliases: disabled
    @@ -532,6 +584,65 @@ Parameters + + + + + +
    + inbound_interface + +
    + dictionary +
    + + + + +
    Inbound interface.
    +
    Only valid in 1.4 and later.
    + + + + + + + + +
    + group + +
    + string +
    + + + + +
    Interface group.
    + + + + + + + + +
    + name + +
    + string +
    + + + + +
    Interface name.
    +
    Can have wildcards
    + + + @@ -546,10 +657,8 @@ Parameters -
    Option to log packets matching rule
    +
    Log matching packets.
    @@ -701,6 +830,65 @@ Parameters
    Rule number.
    + + + + + +
    + outbound_interface + +
    + dictionary +
    + + + + +
    Match outbound interface.
    +
    Only valid in 1.4 and later.
    + + + + + + + + +
    + group + +
    + string +
    + + + + +
    Interface group.
    + + + + + + + + +
    + name + +
    + string +
    + + + + +
    Interface name.
    +
    Can have wildcards
    + + + @@ -749,6 +937,112 @@ Parameters + + + + + +
    + packet_length + +
    + list + / elements=dictionary +
    + + + + +
    Packet length match.
    +
    Only valid in 1.4 and later.
    +
    Multiple values from 1 to 65535 and ranges are supported
    + + + + + + + + +
    + length + +
    + string +
    + + + + +
    Packet length or range.
    + + + + + + + + +
    + packet_length_exclude + +
    + list + / elements=dictionary +
    + + + + +
    Packet length match.
    +
    Only valid in 1.4 and later.
    +
    Multiple values from 1 to 65535 and ranges are supported
    + + + + + + + + +
    + length + +
    + string +
    + + + + +
    Packet length or range.
    + + + + + + + + +
    + packet_type + +
    + string +
    + + + + + +
    Packet type match.
    + + @@ -772,6 +1066,51 @@ Parameters
    (!)All IP protocols except for the specified name or number.
    + + + + + +
    + queue + +
    + string +
    + + + + +
    Queue options.
    +
    Only valid in 1.4 and later.
    +
    Only valid when action = queue.
    +
    Can be a queue number or range.
    + + + + + + + +
    + queue_options + +
    + string +
    + + + + + +
    Queue options.
    +
    Only valid in 1.4 and later.
    +
    Only valid when action = queue.
    + + @@ -819,13 +1158,14 @@ Parameters time
    - integer + string
    Source addresses seen in the last N seconds.
    +
    Since 1.4, this is a string of second/minute/hour
    @@ -869,6 +1209,26 @@ Parameters
    Source ip address subnet or range.
    + + + + + + +
    + fqdn + +
    + string +
    + + + + +
    Fully qualified domain name.
    +
    Available in 1.4 and later.
    + + @@ -1102,6 +1462,65 @@ Parameters + + + + + +
    + synproxy + +
    + dictionary +
    + + + + +
    SYN proxy options.
    +
    Only valid in 1.4 and later.
    +
    Only valid when action = synproxy.
    + + + + + + + + +
    + mss + +
    + integer +
    + + + + +
    Adjust MSS (501-65535)
    + + + + + + + + +
    + window_scale + +
    + integer +
    + + + + +
    Window scale (1-14).
    + + + @@ -1129,17 +1548,77 @@ Parameters
    flags +
    + list + / elements=dictionary +
    + + + + +
    list of tcp flags to be matched
    +
    5.0 breaking change to support 1.4+ and 1.3-
    + + + + + + + + + +
    + flag +
    string
    + -
    TCP flags to be matched.
    +
    TCP flag to be matched.
    +
    syn, ack, fin, rst, urg, psh, all (1.3-)
    +
    syn, ack, fin, rst, urg, psh, cwr, ecn (1.4+)
    + + + + + + + + + +
    + invert + +
    + boolean +
    + + + + + +
    Invert the match.
    + @@ -2408,7 +2887,7 @@ Common return values are documented `here after
    - list + dictionary
    when changed @@ -2426,7 +2905,7 @@ Common return values are documented `here before
    - list + dictionary
always
diff --git a/plugins/module_utils/network/vyos/facts/firewall_global/firewall_global.py b/plugins/module_utils/network/vyos/facts/firewall_global/firewall_global.py
index 3f4da3ea..97386e99 100644
--- a/plugins/module_utils/network/vyos/facts/firewall_global/firewall_global.py
+++ b/plugins/module_utils/network/vyos/facts/firewall_global/firewall_global.py
@@ -111,7 +111,7 @@ class Firewall_globalFacts(object):
 rr_lst = []
 v6_attr = findall(
- r"^set firewall (?:ipv6-src-route|ipv6-receive-redirects) (\S+)",
+ r"^set firewall (?:global-options )(?:ipv6-src-route|ipv6-receive-redirects) (\S+)",
 conf,
 M,
 )
@@ -121,7 +121,7 @@ class Firewall_globalFacts(object):
 rr_lst.append(obj)
 v4_attr = findall(
- r"^set firewall (?:ip-src-route|receive-redirects|send-redirects) (\S+)",
+ r"^set firewall (?:global-options )(?:ip-src-route|receive-redirects|send-redirects) (\S+)",
 conf,
 M,
 )
diff --git a/tests/unit/modules/network/vyos/fixtures/vyos_firewall_global_config.cfg b/tests/unit/modules/network/vyos/fixtures/vyos_firewall_global_config.cfg
index 16b7a142..f54a03dc 100644
--- a/tests/unit/modules/network/vyos/fixtures/vyos_firewall_global_config.cfg
+++ b/tests/unit/modules/network/vyos/fixtures/vyos_firewall_global_config.cfg
@@ -11,3 +11,5 @@ set firewall group ipv6-network-group UNIQUE-LOCAL-v6 network fc00::/7
 set firewall group ipv6-network-group UNIQUE-LOCAL-v6 description 'This group encompasses the ULA address space in IPv6'
 set firewall group port-group SSH port 22
 set firewall group port-group SSH description 'This group has the ssh ports'
+set firewall ipv6-src-route 'enable'
+set firewall send-redirects 'enable'
diff --git a/tests/unit/modules/network/vyos/fixtures/vyos_firewall_global_config_v14.cfg b/tests/unit/modules/network/vyos/fixtures/vyos_firewall_global_config_v14.cfg
index 7b281de6..0a1247dd 100644
--- a/tests/unit/modules/network/vyos/fixtures/vyos_firewall_global_config_v14.cfg
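Review bot: The new patterns in both hunks make the `global-options ` prefix mandatory rather than optional — `(?:global-options )` carries no `?` quantifier — so on pre-1.4 configurations, where the lines read `set firewall ipv6-src-route 'enable'` (exactly the form added to the vyos_firewall_global_config.cfg fixture in this commit), neither `v6_attr` nor `v4_attr` matches and the source-route and ICMP-redirect settings silently drop out of the gathered facts, presumably leaving merged runs non-idempotent and replaced/deleted runs unable to see or remove them. The 1.2 test in this commit appears to encode that regression: the fixture now contains `set firewall ipv6-src-route 'enable'` and `set firewall send-redirects 'enable'`, yet the merged test in test_vyos_firewall_global.py still expects both `set` commands to be emitted. The one-character fix for each hunk is `r"^set firewall (?:global-options )?(?:ipv6-src-route|ipv6-receive-redirects) (\S+)",` and `r"^set firewall (?:global-options )?(?:ip-src-route|receive-redirects|send-redirects) (\S+)",`, after which those two expectations should be removed from the 1.2 test. The enclosing method of Firewall_globalFacts starts and ends outside both hunks.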
+++ b/tests/unit/modules/network/vyos/fixtures/vyos_firewall_global_config_v14.cfg
@@ -14,3 +14,5 @@ set firewall group port-group SSH description 'This group has the ssh ports'
 set firewall global-options all-ping enable
 set firewall global-options state-policy related action 'accept'
 set firewall global-options state-policy related log-level 'alert'
+set firewall global-options ipv6-src-route 'enable'
+set firewall global-options send-redirects 'enable'
diff --git a/tests/unit/modules/network/vyos/test_vyos_firewall_global.py b/tests/unit/modules/network/vyos/test_vyos_firewall_global.py
index 0cc611c4..752bb0d6 100644
--- a/tests/unit/modules/network/vyos/test_vyos_firewall_global.py
+++ b/tests/unit/modules/network/vyos/test_vyos_firewall_global.py
@@ -29,11 +29,11 @@ from ansible_collections.vyos.vyos.tests.unit.modules.utils import set_module_ar
 from .vyos_module import TestVyosModule, load_fixture
-class TestVyosFirewallRulesModule(TestVyosModule):
+class TestVyosFirewallGlobalModule(TestVyosModule):
 module = vyos_firewall_global
 def setUp(self):
- super(TestVyosFirewallRulesModule, self).setUp()
+ super(TestVyosFirewallGlobalModule, self).setUp()
 self.mock_get_config = patch(
 "ansible_collections.ansible.netcommon.plugins.module_utils.network.common.network.Config.get_config",
 )
@@ -59,15 +59,16 @@ class TestVyosFirewallRulesModule(TestVyosModule):
 )
 self.mock_get_os_version = patch(
- "ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.config.firewall_global.firewall_global.get_os_version"
+ "ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.config.firewall_global.firewall_global.get_os_version",
 )
 self.get_os_version = self.mock_get_os_version.start()
 self.get_os_version.return_value = "1.2"
 self.execute_show_command = self.mock_execute_show_command.start()
+ self.maxDiff = None
 def tearDown(self):
- super(TestVyosFirewallRulesModule, self).tearDown()
+ super(TestVyosFirewallGlobalModule, self).tearDown()
 self.mock_get_resource_connection_config.stop()
 self.mock_get_resource_connection_facts.stop()
 self.mock_get_config.stop()
@@ -101,6 +102,7 @@ class TestVyosFirewallRulesModule(TestVyosModule):
 dict(connection_type="invalid", action="reject"),
 ],
 route_redirects=[
+ dict(ip_src_route=True, afi="ipv6"),
 dict(
 afi="ipv4",
 ip_src_route=True,
@@ -177,6 +179,7 @@ class TestVyosFirewallRulesModule(TestVyosModule):
 "set firewall group port-group TELNET description 'This group has the telnet ports'",
 "set firewall group port-group TELNET",
 "set firewall ip-src-route 'enable'",
+ "set firewall ipv6-src-route 'enable'",
 "set firewall receive-redirects 'disable'",
 "set firewall send-redirects 'enable'",
 "set firewall config-trap 'enable'",
@@ -369,7 +372,7 @@ class TestVyosFirewallRulesModule(TestVyosModule):
 commands = ["delete firewall"]
 self.execute_module(changed=True, commands=commands)
- def test_vyos_firewall_global_set_01_replaced_version(self):
+ def test_vyos_firewall_global_set_01_merged_version14(self):
 self.get_os_version.return_value = "1.4"
 set_module_args(
 dict(
@@ -398,7 +401,7 @@ class TestVyosFirewallRulesModule(TestVyosModule):
 afi="ipv6",
 ip_src_route=True,
 icmp_redirects=dict(receive=False),
- )
+ ),
 ],
 group=dict(
 address_group=[
@@ -443,12 +446,12 @@ class TestVyosFirewallRulesModule(TestVyosModule):
 name="TELNET",
 description="This group has the telnet ports",
 members=[dict(port="23")],
- )
+ ),
 ],
 ),
 ),
 state="merged",
- )
+ ),
 )
 commands = [
 "set firewall group address-group MGMT-HOSTS address 192.0.1.1",
diff --git a/tests/unit/modules/network/vyos/test_vyos_firewall_global14.py b/tests/unit/modules/network/vyos/test_vyos_firewall_global14.py
index c594a1fe..a25da293 100644
--- a/tests/unit/modules/network/vyos/test_vyos_firewall_global14.py
+++ b/tests/unit/modules/network/vyos/test_vyos_firewall_global14.py
@@ -59,7 +59,7 @@ class TestVyosFirewallRulesModule14(TestVyosModule):
 )
 self.mock_get_os_version = patch(
- "ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.config.firewall_global.firewall_global.get_os_version"
+ "ansible_collections.vyos.vyos.plugins.module_utils.network.vyos.config.firewall_global.firewall_global.get_os_version",
 )
 self.get_os_version = self.mock_get_os_version.start()
 self.get_os_version.return_value = "1.4"
@@ -111,7 +111,7 @@ class TestVyosFirewallRulesModule14(TestVyosModule):
 afi="ipv6",
 ip_src_route=True,
 icmp_redirects=dict(receive=False),
- )
+ ),
 ],
 group=dict(
 address_group=[
@@ -156,12 +156,12 @@ class TestVyosFirewallRulesModule14(TestVyosModule):
 name="TELNET",
 description="This group has the telnet ports",
 members=[dict(port="23")],
- )
+ ),
 ],
 ),
 ),
 state="merged",
- )
+ ),
 )
 commands = [
 "set firewall group address-group MGMT-HOSTS address 192.0.1.1",
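Review bot: The 1.4 test class keeps the name `TestVyosFirewallRulesModule14` (visible in every hunk header of this file) while the same commit renames the 1.2 counterpart to `TestVyosFirewallGlobalModule`; for consistency rename it to `TestVyosFirewallGlobalModule14` together with its `super(...)` calls in setUp and tearDown, which sit outside these hunks. The `self.maxDiff = None` line added to the 1.2 file's setUp also does not appear in this file's setUp hunk; if the 1.4 setUp lacks it, adding it here keeps the two test classes in step and makes the long command-list assertion failures readable.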
@@ -184,9 +184,7 @@ class TestVyosFirewallRulesModule14(TestVyosModule):
 "set firewall group port-group TELNET",
 "set firewall global-options ip-src-route 'enable'",
 "set firewall global-options receive-redirects 'disable'",
- "set firewall global-options send-redirects 'enable'",
 "set firewall global-options config-trap 'enable'",
- "set firewall global-options ipv6-src-route 'enable'",
 "set firewall global-options ipv6-receive-redirects 'disable'",
 "set firewall global-options state-policy established action 'accept'",
 "set firewall global-options state-policy established log 'enable'",
@@ -314,6 +312,8 @@ class TestVyosFirewallRulesModule14(TestVyosModule):
 "delete firewall group address-group RND-HOSTS address 192.0.2.5",
 "delete firewall global-options all-ping",
 "delete firewall global-options state-policy related",
+ "delete firewall global-options ipv6-src-route",
+ "delete firewall global-options send-redirects",
 "set firewall global-options state-policy invalid action 'reject'",
 "set firewall group address-group RND-HOSTS address 192.0.2.7",
 "set firewall group address-group RND-HOSTS address 192.0.2.9",
@@ -329,6 +329,10 @@ class TestVyosFirewallRulesModule14(TestVyosModule):
 dict(
 config=dict(
 ping=dict(all=True),
+ route_redirects=[
+ dict(ip_src_route=True, afi="ipv6"),
+ dict(icmp_redirects=dict(send=True), afi="ipv4"),
+ ],
 state_policy=[
 dict(connection_type="related", action="accept", log_level="alert"),
 ],
@@ -442,6 +446,8 @@ class TestVyosFirewallRulesModule14(TestVyosModule):
 "delete firewall group address-group RND-HOSTS address 192.0.2.3",
 "delete firewall group address-group RND-HOSTS address 192.0.2.5",
 "delete firewall global-options all-ping",
+ "delete firewall global-options ipv6-src-route",
+ "delete firewall global-options send-redirects",
 "set firewall global-options state-policy related action 'drop'",
 "delete firewall global-options state-policy related log-level",
 "set firewall global-options state-policy invalid action 'reject'",
-- 
cgit v1.2.3