From b28632c3e581371f3b0d670d376ab409a4b8fa0e Mon Sep 17 00:00:00 2001 
From: Andrew Gunnerson
Date: Fri, 25 Feb 2022 13:28:54 -0500
Subject: firewall_rules: Fix incorrect behavior when IPv4 and IPv6 rule sets have the same name (#236)

firewall_rules: Fix incorrect behavior when IPv4 and IPv6 rule sets have the same name

SUMMARY

VyOS supports IPv4 and IPv6 rule sets having the same name, but there are a couple places in the Ansible module that don't handle this situation.

The fact gathering for ansible_network_resources.firewall_rules has been updated to look for name or ipv6-name instead of just .

The vyos_firewall_rules module has been updated to take the afi into consideration when comparing the have and want states.

V4-EGRESS and V6-EGRESS have been renamed to just EGRESS in the tests. The existing tests seem to be complete enough to test this same-name situation. (V4-INGRESS and V6-INGRESS were not renamed.)

ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME

vyos_facts and vyos_firewall_rules

ADDITIONAL INFORMATION

An example of a configuration that was originally causing an issue:

    name wan-lan {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    ipv6-name wan-lan {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 10 {
            action accept
            protocol icmpv6
        }
    }

With this configuration, ansible_network_resources.firewall_rules would show the icmpv6 rule under both ipv4 and ipv6:

    [
        {
            "afi": "ipv4",
            "rule_sets": [
                {
                    "default_action": "drop",
                    "name": "wan-lan",
                    "rules": [
                        {
                            "action": "accept",
                            "number": 1,
                            "state": {
                                "established": true,
                                "related": true
                            }
                        },
                        {
                            "action": "drop",
                            "number": 2,
                            "state": {
                                "invalid": true
                            }
                        },
                        {
                            "action": "accept",
                            "number": 10,
                            "protocol": "icmpv6"
                        }
                    ]
                }
            ]
        },
        {
            "afi": "ipv6",
            "rule_sets": [
                {
                    "default_action": "drop",
                    "name": "wan-lan",
                    "rules": [
                        {
                            "action": "accept",
                            "number": 1,
                            "state": {
                                "established": true,
                                "related": true
                            }
                        },
                        {
                            "action": "drop",
                            "number": 2,
                            "state": {
                                "invalid": true
                            }
                        },
                        {
                            "action": "accept",
                            "number": 10,
                            "protocol": "icmpv6"
                        }
                    ]
                }
            ]
        }
    ]

A similar issue would happen when using vyos_firewall_rules as well, where it would attempt to change rules for the wrong afi.

Reviewed-by: GomathiselviS
Reviewed-by: None
---
 changelogs/fragments/rule_set_same_name.yaml | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 changelogs/fragments/rule_set_same_name.yaml

(limited to 'changelogs')

diff --git a/changelogs/fragments/rule_set_same_name.yaml b/changelogs/fragments/rule_set_same_name.yaml
new file mode 100644
index 00000000..48bf5655
--- /dev/null
+++ b/changelogs/fragments/rule_set_same_name.yaml
@@ -0,0 +1,5 @@
+---
+minor_changes:
+  - Update vyos_facts to support IPv4 and IPv6 rule sets having the same name
+  - Update vyos_firewall_rules to support IPv4 and IPv6 rule sets having the same name
+  - Rename V4-EGRESS/V6-EGRESS to EGRESS in the tests to test the same-name situation
-- 
cgit v1.2.3
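Review bot: the fragment files this change under `minor_changes`, but the commit message declares it an "ISSUE TYPE Bugfix Pull Request", so the first two entries belong under a `bugfixes:` key instead; as written the release notes will present a correctness fix in fact gathering and in have/want comparison as a feature. The third entry (renaming V4-EGRESS/V6-EGRESS to EGRESS in the tests) describes no user-visible behaviour and can be dropped from the fragment, since it is already recorded in the commit message. Suggested shape: `bugfixes:` followed by `  - vyos_facts - gather firewall_rules correctly when IPv4 and IPv6 rule sets share a name` and a matching line for vyos_firewall_rules.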
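The commit message describes the failure mode without showing the shape of the fix: when fact gathering keys rule sets on the name alone, a `name wan-lan` block and an `ipv6-name wan-lan` block collapse into one set and the icmpv6 rule leaks into the ipv4 facts. The following is an added example, not code from the vyos collection or from this commit; it parses the exact configuration quoted above (embedded here as a constructed string), attributes each rule set to the address family implied by its keyword (`name` is ipv4, `ipv6-name` is ipv6, a mapping this example assumes), and compares a hypothetical `want` against the gathered facts keyed on (afi, name), which is the comparison the commit says vyos_firewall_rules now performs. The function names and the facts shape are this example's own.

```python
"""Gather VyOS firewall rule-set facts per address family (example, not the collection's code)."""

# Constructed input: the configuration quoted in the commit message, wrapped in a
# 'firewall { ... }' block as it appears in a full VyOS config.
CONSTRUCTED_CONFIG = """\
firewall {
    name wan-lan {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    ipv6-name wan-lan {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 10 {
            action accept
            protocol icmpv6
        }
    }
}
"""

# Assumed mapping from VyOS rule-set keyword to the afi used in the facts.
AFI_KEYWORD = {"name": "ipv4", "ipv6-name": "ipv6"}


def parse_config(text):
    """Parse brace-delimited VyOS config into nested dicts.

    A header line such as 'ipv6-name wan-lan {' becomes a key holding a child
    dict; a leaf line such as 'protocol icmpv6' becomes key -> value.
    """
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value or True
    return root


def gather_rule_sets(tree):
    """Return facts shaped like ansible_network_resources.firewall_rules.

    Each rule set is filed under the afi of its own keyword, so two sets that
    share a name never merge; keying on the name alone is the bug being fixed.
    """
    facts = {"ipv4": [], "ipv6": []}
    for header, body in tree.get("firewall", {}).items():
        keyword, _, name = header.partition(" ")
        afi = AFI_KEYWORD.get(keyword)
        if afi is None:  # e.g. 'state-policy', 'group': not a rule set
            continue
        rules = []
        for sub, rule_body in body.items():
            if not sub.startswith("rule "):
                continue
            rule = {"number": int(sub.split()[1]), "action": rule_body.get("action")}
            if "protocol" in rule_body:
                rule["protocol"] = rule_body["protocol"]
            if "state" in rule_body:
                rule["state"] = {k: v == "enable" for k, v in rule_body["state"].items()}
            rules.append(rule)
        facts[afi].append({"name": name, "default_action": body.get("default-action"),
                           "rules": sorted(rules, key=lambda r: r["number"])})
    return [{"afi": afi, "rule_sets": sets} for afi, sets in facts.items()]


def find_rule_set(facts, afi, name):
    """Look up a rule set by (afi, name); a lookup by name alone would be ambiguous."""
    for entry in facts:
        if entry["afi"] == afi:
            for rule_set in entry["rule_sets"]:
                if rule_set["name"] == name:
                    return rule_set
    return None


def rules_to_add(facts, want):
    """Rule numbers in `want` absent from the matching (afi, name) set in `facts`."""
    have = find_rule_set(facts, want["afi"], want["name"])
    have_numbers = {r["number"] for r in have["rules"]} if have else set()
    return sorted(r["number"] for r in want["rules"] if r["number"] not in have_numbers)
```

Run against the constructed config, the ipv4 `wan-lan` set carries rules 1 and 2 only and the ipv6 set carries 1, 2 and 10, so asking to add rule 10 to the ipv4 set is reported as a change while the same request for ipv6 is a no-op, which is exactly the have/want distinction the commit message says was previously lost.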