From d0c73e6bdd3ca3ff9d87c8339b2c5611b694d6dc Mon Sep 17 00:00:00 2001 
From: omnom62 <75066712+omnom62@users.noreply.github.com> Date: Sat, 25 Jan 2025 21:38:00 +1000 Subject: T6817 & T6825 & T7004 updates - fw_rules override and replaced fixes (#368) * T6817 updates * updates / additions to unit tests and code for fw_rules (t6817) * code and use cases for override fw_rules * ovr idem unit test for fw rules v14 in WIP * Fixed replace add_rule func to remove unmatching config - t6825 * first cut of unit tests for t6825 and t6817 - draft * Fixed replaced unit tests and code for inbound/outbound interface attributes * use network_cli's remove_empties * fixed disabled=True and a few unit tests in v1.3 * add_log func for firewall_rules updated * firewall_rules log attribute processing for v1.4 and idemp * + In overridden: - Added func to compare r_sets - Added code to isolate r_set changes to only targeted - Fixed parsers for packet_length_exclude - started to troubleshoot filter processing * completed fixes and unit tests for firewall_rules as in T6817 and T6825 * T7004 integration tests init fix * 'state' attrib processing fix * deleted and merged integration tests fixed for 1.3- and 1.4+ * fixed deleted, parsed, replaced integration tests for 1.3- and 1.4+ * fixed _remove_config, merged integration tests * added comments to unit tests * more v1.3- unit tests moved to 1.4+ unit test suite * 1.3/1.4 unit test suite synced * overridden integration test fixed * fixed replaced idempotency * moved data to vars (integration tests) * updated parsed (integration tests) * D.R.Y. 
for integration tests for firewall_rules plugin * vanilla data set for integration tests to support 1.5
---
 .../tests/cli/_get_version.yaml | 31 ++++
 .../tests/cli/_parsed_config.cfg | 25 ----
 .../tests/cli/_parsed_config_1_3.cfg | 25 ++++
 .../tests/cli/_parsed_config_1_4.cfg | 23 +++
 .../vyos_firewall_rules/tests/cli/_populate.yaml | 38 ++---
 .../tests/cli/_remove_config.yaml | 12 +-
 .../vyos_firewall_rules/tests/cli/deleted.yaml | 2 +-
 .../vyos_firewall_rules/tests/cli/deleted_afi.yaml | 2 +-
 .../vyos_firewall_rules/tests/cli/deleted_all.yaml | 2 +-
 .../vyos_firewall_rules/tests/cli/merged.yaml | 8 +-
 .../vyos_firewall_rules/tests/cli/overridden.yaml | 8 +-
 .../vyos_firewall_rules/tests/cli/parsed.yaml | 21 ++-
 .../vyos_firewall_rules/tests/cli/rendered.yaml | 4 +-
 .../vyos_firewall_rules/tests/cli/replaced.yaml | 4 +-
 .../targets/vyos_firewall_rules/tests/cli/rtt.yaml | 10 +-
 .../targets/vyos_firewall_rules/vars/main.yaml | 161 ++++----------------
 .../targets/vyos_firewall_rules/vars/pre-v1_4.yaml | 130 +++++++++++++++++
 .../targets/vyos_firewall_rules/vars/v1_4.yaml | 123 ++++++++++++++++
 18 files changed, 419 insertions(+), 210 deletions(-)
 create mode 100644 tests/integration/targets/vyos_firewall_rules/tests/cli/_get_version.yaml
 delete mode 100644 tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config.cfg
 create mode 100644 tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config_1_3.cfg
 create mode 100644 tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config_1_4.cfg
 create mode 100644 tests/integration/targets/vyos_firewall_rules/vars/pre-v1_4.yaml
 create mode 100644 tests/integration/targets/vyos_firewall_rules/vars/v1_4.yaml
(limited to 'tests/integration')
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/_get_version.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/_get_version.yaml
new file mode 100644
index 00000000..dda9fcc5
--- /dev/null
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/_get_version.yaml
@@ -0,0 +1,31 @@
+- name: make sure to get facts
+ vyos.vyos.vyos_facts:
+ vars:
+ ansible_connection: ansible.netcommon.network_cli
+ register: vyos_facts
+ when: vyos_version is not defined
+
+- name: debug vyos_facts
+ debug:
+ var: vyos_facts
+
+- name: pull version from facts
+ set_fact:
+ vyos_version: "{{ vyos_facts.ansible_facts.ansible_net_version.split('-')[0].split(' ')[-1] }}"
+ when: vyos_version is not defined
+
+- name: fix '.0' versions
+ set_fact:
+ vyos_version: "{{ vyos_version }}.0"
+ when: vyos_version.count('.') == 1
+
+- name: include correct vars
+ include_vars: pre-v1_4.yaml
+ when: vyos_version is version('1.4.0', '<', version_type='semver')
+
+- name: include correct vars
+ include_vars: v1_4.yaml
+ when: vyos_version is version('1.4.0', '>=', version_type='semver')
+
+- name: include common vars
+ include_vars: main.yaml
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config.cfg b/tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config.cfg
deleted file mode 100644
index b54c1094..00000000
--- a/tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config.cfg
+++ /dev/null
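Review bot: The `fix '.0' versions` task only pads a two-component version, so a `vyos_version` with no dot at all (for example a bare rolling tag supplied from the inventory) reaches the `version('1.4.0', ..., version_type='semver')` tests untouched and the include_vars tasks fail with a templating error instead of a clear message. A guard before the includes would fail fast, e.g. `- assert: { that: vyos_version is match('^\d+\.\d+\.\d+'), fail_msg: 'cannot derive a semver from {{ vyos_version }}' }`. The `debug: var: vyos_facts` task prints the full facts dict every time this file is included, and it is included from `_populate.yaml`, `_remove_config.yaml` and `parsed.yaml`; gate it with `verbosity: 1` so normal runs stay quiet. The `split('-')[0].split(' ')[-1]` parse presumably targets a `<name> <version>-<build>` shaped string, but the exact `ansible_net_version` format is not shown in this diff.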
@@ -1,25 +0,0 @@
-set firewall group address-group 'inbound'
-set firewall ipv6-name UPLINK default-action 'accept'
-set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'
-set firewall ipv6-name UPLINK rule 1 action 'accept'
-set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'
-set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec'
-set firewall ipv6-name UPLINK rule 2 action 'accept'
-set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'
-set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec'
-set firewall name INBOUND default-action 'accept'
-set firewall name INBOUND description 'IPv4 INBOUND rule set'
-set firewall name INBOUND rule 101 action 'accept'
-set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'
-set firewall name INBOUND rule 101 ipsec 'match-ipsec'
-set firewall name INBOUND rule 102 action 'reject'
-set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible'
-set firewall name INBOUND rule 102 ipsec 'match-ipsec'
-set firewall name INBOUND rule 103 action 'accept'
-set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible'
-set firewall name INBOUND rule 103 destination group address-group 'inbound'
-set firewall name INBOUND rule 103 source address '192.0.2.0'
-set firewall name INBOUND rule 103 state established 'enable'
-set firewall name INBOUND rule 103 state invalid 'disable'
-set firewall name INBOUND rule 103 state new 'disable'
-set firewall name INBOUND rule 103 state related 'enable'
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config_1_3.cfg b/tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config_1_3.cfg
new file mode 100644
index 00000000..bb8bc23e
--- /dev/null
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config_1_3.cfg
@@ -0,0 +1,25 @@
+set firewall group address-group 'inbound'
+set firewall ipv6-name UPLINK default-action 'accept'
+set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'
+set firewall ipv6-name UPLINK rule 1 action 'accept'
+set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'
+set firewall ipv6-name UPLINK rule 1 protocol 'tcp'
+set firewall ipv6-name UPLINK rule 2 action 'accept'
+set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'
+set firewall ipv6-name UPLINK rule 2 protocol 'tcp'
+set firewall name INBOUND default-action 'accept'
+set firewall name INBOUND description 'IPv4 INBOUND rule set'
+set firewall name INBOUND rule 101 action 'accept'
+set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'
+set firewall name INBOUND rule 101 protocol 'tcp'
+set firewall name INBOUND rule 102 action 'reject'
+set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible'
+set firewall name INBOUND rule 102 protocol 'tcp'
+set firewall name INBOUND rule 103 action 'accept'
+set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible'
+set firewall name INBOUND rule 103 destination group address-group 'inbound'
+set firewall name INBOUND rule 103 source address '192.0.2.0'
+set firewall name INBOUND rule 103 state established 'enable'
+set firewall name INBOUND rule 103 state invalid 'disable'
+set firewall name INBOUND rule 103 state new 'disable'
+set firewall name INBOUND rule 103 state related 'enable'
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config_1_4.cfg b/tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config_1_4.cfg
new file mode 100644
index 00000000..315ae958
--- /dev/null
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/_parsed_config_1_4.cfg
@@ -0,0 +1,23 @@
+set firewall group address-group 'inbound'
+set firewall ipv6 name UPLINK default-action 'accept'
+set firewall ipv6 name UPLINK description 'This is ipv6 specific rule-set'
+set firewall ipv6 name UPLINK rule 1 action 'accept'
+set firewall ipv6 name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'
+set firewall ipv6 name UPLINK rule 1 protocol 'tcp'
+set firewall ipv6 name UPLINK rule 2 action 'accept'
+set firewall ipv6 name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'
+set firewall ipv6 name UPLINK rule 2 protocol 'tcp'
+set firewall ipv4 name INBOUND default-action 'accept'
+set firewall ipv4 name INBOUND description 'IPv4 INBOUND rule set'
+set firewall ipv4 name INBOUND rule 101 action 'accept'
+set firewall ipv4 name INBOUND rule 101 description 'Rule 101 is configured by Ansible'
+set firewall ipv4 name INBOUND rule 101 protocol 'tcp'
+set firewall ipv4 name INBOUND rule 102 action 'reject'
+set firewall ipv4 name INBOUND rule 102 description 'Rule 102 is configured by Ansible'
+set firewall ipv4 name INBOUND rule 102 protocol 'tcp'
+set firewall ipv4 name INBOUND rule 103 action 'accept'
+set firewall ipv4 name INBOUND rule 103 description 'Rule 103 is configured by Ansible'
+set firewall ipv4 name INBOUND rule 103 destination group address-group 'inbound'
+set firewall ipv4 name INBOUND rule 103 source address '192.0.2.0'
+set firewall ipv4 name INBOUND rule 103 state established
+set firewall ipv4 name INBOUND rule 103 state related
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/_populate.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/_populate.yaml
index 31e0d131..6c235be3 100644
--- a/tests/integration/targets/vyos_firewall_rules/tests/cli/_populate.yaml
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/_populate.yaml
@@ -1,31 +1,11 @@
 ---
-- name: Setup
+- ansible.builtin.include_tasks: _remove_config.yaml
+
+- name: ensure facts
+ include_tasks: _get_version.yaml
+
+- name: Setup {{ vyos_version }}
+ vyos.vyos.vyos_config:
+ lines: "{{ populate_config }}"
 vars:
- lines: |-
- set firewall group address-group 'inbound'
- set firewall ipv6-name UPLINK default-action 'accept'
- set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'
- set firewall ipv6-name UPLINK rule 1 action 'accept'
- set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'
- set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec'
- set firewall ipv6-name UPLINK rule 2 action 'accept'
- set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'
- set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec'
- set firewall name INBOUND default-action 'accept'
- set firewall name INBOUND description 'IPv4 INBOUND rule set'
- set firewall name INBOUND rule 101 action 'accept'
- set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'
- set firewall name INBOUND rule 101 ipsec 'match-ipsec'
- set firewall name INBOUND rule 102 action 'reject'
- set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible'
- set firewall name INBOUND rule 102 ipsec 'match-ipsec'
- set firewall name INBOUND rule 103 action 'accept'
- set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible'
- set firewall name INBOUND rule 103 destination group address-group 'inbound'
- set firewall name INBOUND rule 103 source address '192.0.2.0'
- set firewall name INBOUND rule 103 state established 'enable'
- set firewall name INBOUND rule 103 state invalid 'disable'
- set firewall name INBOUND rule 103 state new 'disable'
- set firewall name INBOUND rule 103 state related 'enable'
- ansible.netcommon.cli_config:
- config: "{{ lines }}"
+ ansible_connection: ansible.netcommon.network_cli
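Review bot: `_populate.yaml` now includes `_remove_config.yaml`, which per its own hunk already includes `_get_version.yaml`, and then includes `_get_version.yaml` a second time, so the facts, version and include_vars tasks run twice per populate; the `when` guards make this harmless, but the second include is redundant and doubles the log noise in every scenario. The two includes also mix `ansible.builtin.include_tasks` and the short `include_tasks` form in the same file; use the FQCN for both. If a scenario file also runs `_remove_config.yaml` on its own before `_populate.yaml` (only the `_populate.yaml` include is visible in the `deleted*.yaml` hunks), the delete is now issued twice in a row before each populate.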
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/_remove_config.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/_remove_config.yaml
index b4fc7965..31f527f9 100644
--- a/tests/integration/targets/vyos_firewall_rules/tests/cli/_remove_config.yaml
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/_remove_config.yaml
@@ -1,6 +1,10 @@
 ---
-- name: Remove Config
+- name: ensure facts
+ include_tasks: _get_version.yaml
+
+- name: Remove pre-existing firewall rules
+ vyos.vyos.vyos_config:
+ lines: "{{ remove_config }}"
+ ignore_errors: true
 vars:
- lines: "delete firewall ipv6-name\ndelete firewall name\n"
- ansible.netcommon.cli_config:
- config: "{{ lines }}"
+ ansible_connection: ansible.netcommon.network_cli
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml
index 97b3ae87..2784c2da 100644
--- a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml
@@ -5,7 +5,7 @@
 - include_tasks: _populate.yaml - block: - - name: Delete firewall rule set. + - name: Delete firewall rule set register: result vyos.vyos.vyos_firewall_rules: &id001 config:
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_afi.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_afi.yaml
index c7a22787..3df19cd2 100644
--- a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_afi.yaml
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_afi.yaml
@@ -5,7 +5,7 @@
 - include_tasks: _populate.yaml - block: - - name: Delete firewall rule. + - name: Delete firewall rule register: result vyos.vyos.vyos_firewall_rules: &id001 config:
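Review bot: `ignore_errors: true` on the `Remove pre-existing firewall rules` task hides every failure of the cleanup, including a lost connection, a rejected `remove_config` line or a commit that did not apply, so the next scenario then runs on top of leftover rules and fails at a `before` assertion far from the real cause. If the only failure to tolerate is the firewall tree not existing yet, register the result and narrow the condition, e.g. `register: cleanup` plus `failed_when: cleanup.failed and 'Nothing to delete' not in (cleanup.msg | default(''))`, after confirming the exact message VyOS 1.3 and 1.4 return for a missing node. `remove_config` comes from the version vars files, which are not in this chunk, so I could not check that each command in it is safe to issue on an empty configuration.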
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_all.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_all.yaml
index c55a4c55..84c66bdf 100644
--- a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_all.yaml
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_all.yaml
@@ -5,7 +5,7 @@
 - include_tasks: _populate.yaml - block: - - name: Delete all the firewall rules. + - name: Delete all the firewall rules register: result vyos.vyos.vyos_firewall_rules: &id001 config:
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/merged.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/merged.yaml
index 674b4371..27973d80 100644
--- a/tests/integration/targets/vyos_firewall_rules/tests/cli/merged.yaml
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/merged.yaml
@@ -20,12 +20,12 @@
 - number: 1 action: accept description: Fwipv6-Rule 1 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 2 action: accept description: Fwipv6-Rule 2 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - afi: ipv4 rule_sets:
@@ -36,13 +36,13 @@
 - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp disabled: true - number: 102 action: reject description: Rule 102 is configured by Ansible - ipsec: match-ipsec + protocol: tcp disable: true - number: 103
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/overridden.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/overridden.yaml
index 6e1b3a39..3b649390 100644
--- a/tests/integration/targets/vyos_firewall_rules/tests/cli/overridden.yaml
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/overridden.yaml
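Review bot: Replacing `ipsec: match-ipsec` with `protocol: tcp` on every rule here, and likewise in the replaced, overridden, rendered and rtt scenarios, removes the only integration coverage the `ipsec` attribute had, so a regression in its parser or renderer on either version branch would now pass CI. If the attribute's syntax differs between 1.3 and 1.4, which the version-split vars suggest but the diff does not state, keep one `ipsec` rule in the version-specific `populate_config` and expected commands instead of dropping it everywhere. Separately, rule 101 in this task still uses `disabled: true` while rule 102 uses `disable: true`; both are context lines, and the expected `after` in `vars/main.yaml` shows `disable: true` for both, so the module evidently accepts either spelling, but the test should settle on one.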
@@ -20,14 +20,18 @@
 - number: 501 action: accept description: Rule 501 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 502 action: reject description: Rule 502 is configured by Ansible - ipsec: match-ipsec + protocol: tcp state: overridden + - name: Print result + debug: + msg: "Result: {{ result }}" + - name: Assert that before dicts were correctly generated assert: that:
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/parsed.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/parsed.yaml
index e6eae78a..85a7c33b 100644
--- a/tests/integration/targets/vyos_firewall_rules/tests/cli/parsed.yaml
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/parsed.yaml
@@ -2,13 +2,22 @@
 - debug: msg: START vyos_firewall_rules parsed integration tests on connection={{ ansible_connection }}
-- name: Parse externally provided Firewall rules config to agnostic model
- register: result
- vyos.vyos.vyos_firewall_rules:
- running_config: "{{ lookup('file', '_parsed_config.cfg') }}"
- state: parsed
+- name: ensure facts
+ include_tasks: _get_version.yaml
+
+- name: version {{ vyos_version }}
+ block:
+ - name: Parse externally provided Firewall rules config to agnostic model
+ register: result
+ vyos.vyos.vyos_firewall_rules:
+ running_config: "{{ lookup('file', parsed_config_file) }}"
+ state: parsed
+ - name: set result
+ set_fact:
+ parsed_result: "{{ result }}"
 - name: Assert that config was correctly parsed assert: that:
- - "{{ parsed['after'] | symmetric_difference(result['parsed']) |length == 0 }}"
+ - parsed_result.changed == false
+ - "{{ parsed['after'] | symmetric_difference(parsed_result['parsed']) |length == 0 }}"
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/rendered.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/rendered.yaml
index 36feb69a..229ceb0e 100644
--- a/tests/integration/targets/vyos_firewall_rules/tests/cli/rendered.yaml
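Review bot: The added `Print result` task writes the whole module result, the before/after dicts and the command list, to the log on every run of the overridden scenario; it reads as a troubleshooting leftover. Either drop it or add `verbosity: 1` under `debug:` so it only shows with `-v`. The `Assert that before dicts were correctly generated` task that follows already checks the result, so nothing is lost by removing it.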
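Review bot: The `Assert that config was correctly parsed` task still wraps its condition in templating delimiters, `"{{ parsed['after'] | symmetric_difference(parsed_result['parsed']) |length == 0 }}"`, which Ansible reports with the "conditional statements should not include jinja2 templating delimiters" warning; write it as a bare expression, `- parsed['after'] | symmetric_difference(parsed_result['parsed']) | length == 0`, and replace `parsed_result.changed == false` with `not parsed_result.changed`. The new `block:` under `version {{ vyos_version }}` has no `when`, `rescue` or `always`, and the `set result` task only copies `result` into `parsed_result`, so both add nothing; the parse task can `register: parsed_result` directly. `parsed_config_file` is defined in the version vars files, which are outside this chunk, so I could not confirm that both of them define it.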
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/rendered.yaml
@@ -24,12 +24,12 @@
 - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 102 action: reject description: Rule 102 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 103 action: accept
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/replaced.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/replaced.yaml
index 5959c226..b1944626 100644
--- a/tests/integration/targets/vyos_firewall_rules/tests/cli/replaced.yaml
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/replaced.yaml
@@ -26,12 +26,12 @@
 - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 104 action: reject description: Rule 104 is configured by Ansible - ipsec: match-none + protocol: udp state: replaced - name: Assert that correct set of commands were generated
diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/rtt.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/rtt.yaml
index dcf5b282..be066f9a 100644
--- a/tests/integration/targets/vyos_firewall_rules/tests/cli/rtt.yaml
+++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/rtt.yaml
@@ -2,6 +2,8 @@
 - debug: msg: START vyos_firewall_rules round trip integration tests on connection={{ ansible_connection }} +- include_tasks: _populate.yaml + - include_tasks: _remove_config.yaml - block:
@@ -18,12 +20,12 @@
 - number: 1 action: accept description: Fwipv6-Rule 1 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 2 action: accept description: Fwipv6-Rule 2 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - afi: ipv4 rule_sets:
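Review bot: Adding `- include_tasks: _populate.yaml` directly before `- include_tasks: _remove_config.yaml` at the top of the round-trip test pushes the full fixture to the device only to delete it on the next line, and since `_populate.yaml` (per its hunk) itself runs `_remove_config.yaml` first, the device sees remove, populate, remove before the scenario even starts. If the goal is only to load `vyos_version` and the version-specific vars, `_remove_config.yaml` already includes `_get_version.yaml`, so the new line can simply be dropped, or replaced with `- include_tasks: _get_version.yaml` if an explicit dependency is wanted. Each extra commit lengthens the run and widens the window for a flaky connection to break the test.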
@@ -34,12 +36,12 @@
 - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 102 action: reject description: Rule 102 is configured by Ansible - ipsec: match-ipsec + protocol: tcp state: merged - name: Gather firewall_rules facts
diff --git a/tests/integration/targets/vyos_firewall_rules/vars/main.yaml b/tests/integration/targets/vyos_firewall_rules/vars/main.yaml
index e2b3e10c..c249b346 100644
--- a/tests/integration/targets/vyos_firewall_rules/vars/main.yaml
+++ b/tests/integration/targets/vyos_firewall_rules/vars/main.yaml
@@ -1,38 +1,7 @@
 ---
 merged:
 before: []
- commands:
- - set firewall ipv6-name UPLINK default-action 'accept'
- - set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'
- - set firewall ipv6-name UPLINK rule 1 action 'accept'
- - set firewall ipv6-name UPLINK rule 1
- - set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'
- - set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec'
- - set firewall ipv6-name UPLINK rule 2 action 'accept'
- - set firewall ipv6-name UPLINK rule 2
- - set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'
- - set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec'
- - set firewall name INBOUND default-action 'accept'
- - set firewall name INBOUND description 'IPv4 INBOUND rule set'
- - set firewall name INBOUND rule 101 action 'accept'
- - set firewall name INBOUND rule 101 disable
- - set firewall name INBOUND rule 101
- - set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'
- - set firewall name INBOUND rule 101 ipsec 'match-ipsec'
- - set firewall name INBOUND rule 102 action 'reject'
- - set firewall name INBOUND rule 102 disable
- - set firewall name INBOUND rule 102
- - set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible'
- - set firewall name INBOUND rule 102 ipsec 'match-ipsec'
- - set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible'
- - set firewall name INBOUND rule 103 destination group address-group inbound
- - set firewall name INBOUND rule 103
- - set firewall name INBOUND rule 103 source address 192.0.2.0
- - set firewall name INBOUND rule 103 state established enable
- - set firewall name INBOUND rule 103 state related enable
- - set firewall name INBOUND rule 103 state invalid disable
- - set firewall name INBOUND rule 103 state new disable
- - set firewall name INBOUND rule 103 action 'accept'
+ commands: "{{ merged_commands }}"
 after:
 - 
afi: ipv6
 rule_sets:
@@ -43,11 +12,11 @@ merged:
 - number: 1 action: accept description: Fwipv6-Rule 1 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 2 action: accept description: Fwipv6-Rule 2 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - afi: ipv4 rule_sets: - name: INBOUND
@@ -57,13 +26,13 @@ merged:
 - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp disable: true - number: 102 action: reject disable: true description: Rule 102 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 103 action: accept description: Rule 103 is configured by Ansible
@@ -72,11 +41,8 @@ merged:
 address_group: inbound source: address: 192.0.2.0
- state:
- established: true
- new: false
- invalid: false
- related: true
+ state: "{{ state_dict }}"
+
 populate: - afi: ipv6 rule_sets:
@@ -87,11 +53,11 @@ populate:
 - number: 1 action: accept description: Fwipv6-Rule 1 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 2 action: accept description: Fwipv6-Rule 2 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - afi: ipv4 rule_sets: - name: INBOUND
@@ -101,11 +67,11 @@ populate:
 - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 102 action: reject description: Rule 102 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 103 action: accept description: Rule 103 is configured by Ansible
@@ -114,21 +80,10 @@ populate:
 address_group: inbound source: address: 192.0.2.0
- state:
- established: true
- new: false
- invalid: false
- related: true
+ state: "{{ state_dict }}"
+
 replaced:
- commands:
- - delete firewall ipv6-name UPLINK rule 1
- - delete firewall ipv6-name UPLINK rule 2
- - delete firewall name INBOUND rule 102
- - delete firewall name INBOUND rule 103
- - set firewall name INBOUND rule 104 action 'reject'
- - set firewall name INBOUND rule 104 description 'Rule 104 is configured by Ansible'
- - set firewall name INBOUND rule 104
- - set firewall name INBOUND rule 104 ipsec 'match-none'
+ commands: "{{ replaced_commands }}"
 after: - afi: ipv6 rule_sets:
@@ -144,11 +99,11 @@ replaced:
 - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 104 action: reject description: Rule 104 is configured by Ansible - ipsec: match-none + protocol: udp overridden: before: - afi: ipv6
@@ -165,24 +120,12 @@ overridden:
 - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 104 action: reject description: Rule 104 is configured by Ansible
- ipsec: match-none
- commands:
- - delete firewall ipv6-name UPLINK
- - delete firewall name INBOUND
- - set firewall name Downlink default-action 'accept'
- - set firewall name Downlink description 'IPv4 INBOUND rule set'
- - set firewall name Downlink rule 501 action 'accept'
- - set firewall name Downlink rule 501
- - set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible'
- - set firewall name Downlink rule 501 ipsec 'match-ipsec'
- - set firewall name Downlink rule 502 action 'reject'
- - set firewall name Downlink rule 502
- - set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible'
- - set firewall name Downlink rule 502 ipsec 'match-ipsec'
+ protocol: udp
+ commands: "{{ overridden_commands }}"
 after: - afi: ipv4 rule_sets:
@@ -193,11 +136,11 @@ overridden:
 - number: 501 action: accept description: Rule 501 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 502 action: reject description: Rule 502 is configured by Ansible - ipsec: match-ipsec + protocol: tcp parsed: after: - afi: ipv6
@@ -209,11 +152,11 @@ parsed:
 - number: 1 action: accept description: Fwipv6-Rule 1 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 2 action: accept description: Fwipv6-Rule 2 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - afi: ipv4 rule_sets: - name: INBOUND
@@ -223,11 +166,11 @@ parsed:
 - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 102 action: reject description: Rule 102 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 103 action: accept description: Rule 103 is configured by Ansible
@@ -236,44 +179,8 @@ parsed:
 address_group: inbound source: address: 192.0.2.0
- state:
- established: true
- new: false
- invalid: false
- related: true
-rendered:
- commands:
- - set firewall ipv6-name UPLINK default-action 'accept'
- - set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'
- - set firewall name INBOUND default-action 'accept'
- - set firewall name INBOUND description 'IPv4 INBOUND rule set'
- - set firewall name INBOUND rule 101 action 'accept'
- - set firewall name INBOUND rule 101
- - set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'
- - set firewall name INBOUND rule 101 ipsec 'match-ipsec'
- - set firewall name INBOUND rule 102 action 'reject'
- - set firewall name INBOUND rule 102
- - set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible'
- - set firewall name INBOUND rule 102 ipsec 'match-ipsec'
- - set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible'
- - set firewall name INBOUND rule 103 destination group address-group inbound
- - set firewall name INBOUND rule 103
- - set firewall name INBOUND rule 103 source address 192.0.2.0
- - set firewall name INBOUND rule 103 state established enable
- - set firewall name INBOUND rule 103 state related enable
- - set firewall name INBOUND rule 103 state invalid disable
- - set firewall name INBOUND rule 103 state new disable
- - set firewall name INBOUND rule 103 action 'accept'
-deleted_rs:
- commands:
- - delete firewall ipv6-name UPLINK
- - delete firewall name INBOUND
- after: []
-deleted_afi_all:
- commands:
- - delete firewall ipv6-name
- - delete firewall name
- after: []
+ state: "{{ state_dict }}"
+
 round_trip: after: - afi: ipv6
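Review bot: This hunk drops the `rendered`, `deleted_rs` and `deleted_afi_all` expectations from `vars/main.yaml`, and the keys that remain now reference `merged_commands`, `replaced_commands`, `overridden_commands` and `state_dict`; all of these must exist in both `vars/pre-v1_4.yaml` and `vars/v1_4.yaml`, but the visible part of `pre-v1_4.yaml` stops after `merged_commands` and `populate_config`, so I could not confirm the three removed keys were carried over. Because `vars/main.yaml` is auto-loaded and only templated lazily, a scenario that reads any of these before `_get_version.yaml` has run fails with an undefined-variable error at the assert rather than at setup; the `rendered.yaml` hunk in this diff shows no `_get_version.yaml` include, so that file is worth checking first. A short comment at the top of `main.yaml`, e.g. `# *_commands and state_dict come from pre-v1_4.yaml or v1_4.yaml; include _get_version.yaml first`, would make the dependency explicit.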
@@ -285,11 +192,11 @@ round_trip:
 - number: 1 action: accept description: Fwipv6-Rule 1 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 2 action: accept description: Fwipv6-Rule 2 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - afi: ipv4 rule_sets: - name: INBOUND
@@ -299,18 +206,14 @@ round_trip:
 - number: 101 action: accept description: Rule 101 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 102 action: reject description: Rule 102 is configured by Ansible - ipsec: match-ipsec + protocol: tcp - number: 103 action: accept description: Rule 103 is configured by Ansible source: address: 192.0.2.0 - state: - established: true - new: false - invalid: false - related: true + state: "{{ state_dict }}"
diff --git a/tests/integration/targets/vyos_firewall_rules/vars/pre-v1_4.yaml b/tests/integration/targets/vyos_firewall_rules/vars/pre-v1_4.yaml
new file mode 100644
index 00000000..c7d7398b
--- /dev/null
+++ b/tests/integration/targets/vyos_firewall_rules/vars/pre-v1_4.yaml
@@ -0,0 +1,130 @@
+---
+merged_commands:
+ - set firewall ipv6-name UPLINK default-action 'accept'
+ - set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'
+ - set firewall ipv6-name UPLINK rule 1 action 'accept'
+ - set firewall ipv6-name UPLINK rule 1
+ - set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'
+ - set firewall ipv6-name UPLINK rule 1 protocol 'tcp'
+ - set firewall ipv6-name UPLINK rule 2 action 'accept'
+ - set firewall ipv6-name UPLINK rule 2
+ - set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'
+ - set firewall ipv6-name UPLINK rule 2 protocol 'tcp'
+ - set firewall name INBOUND default-action 'accept'
+ - set firewall name INBOUND description 'IPv4 INBOUND rule set'
+ - set firewall name INBOUND rule 101 action 'accept'
+ - set firewall name INBOUND rule 101 disable
+ - set firewall name INBOUND rule 101
+ - set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'
+ - set firewall name INBOUND rule 101 protocol 'tcp'
+ - set firewall name INBOUND rule 102 action 'reject'
+ - set firewall name INBOUND rule 102 disable
+ - set firewall name INBOUND rule 102
+ - set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible'
+ - set firewall name INBOUND rule 102 protocol 'tcp'
+ - set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible'
+ - set firewall name INBOUND rule 103 destination group address-group inbound
+ - set firewall name INBOUND rule 103
+ - set firewall name INBOUND rule 103 source address 192.0.2.0
+ - set firewall name INBOUND rule 103 state established enable
+ - set firewall name INBOUND rule 103 state related enable
+ - set firewall name INBOUND rule 103 state invalid disable
+ - set firewall name INBOUND rule 103 state new disable
+ - set firewall name INBOUND rule 103 action 'accept'
+
+populate_config:
+ - set firewall group address-group 'inbound'
+ - set firewall ipv6-name UPLINK default-action 'accept'
+ - set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'
+ - set firewall ipv6-name UPLINK rule 1 action 'accept'
+ - set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'
+ - set firewall ipv6-name UPLINK rule 1 protocol 'tcp'
+ - set firewall ipv6-name UPLINK rule 2 action 'accept'
+ - set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'
+ - set firewall ipv6-name UPLINK rule 2 protocol 'tcp'
+ - set firewall name INBOUND default-action 'accept'
+ - set firewall name INBOUND description 'IPv4 INBOUND rule set'
+ - set firewall name INBOUND rule 101 action 'accept'
+ - set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'
+ - set firewall name INBOUND rule 101 protocol 'tcp'
+ - set firewall name INBOUND rule 102 action 'reject'
+ - set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible'
+ - set firewall name INBOUND rule 102 protocol 'tcp'
+ - set firewall name INBOUND rule 103 action 'accept'
+ - set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible'
+ - set firewall name INBOUND rule 103 destination group address-group 'inbound'
+ - set firewall name INBOUND rule 103 source address '192.0.2.0'
+ - set firewall name INBOUND rule 103 state established 'enable'
+ - set firewall name INBOUND rule 103 state invalid 'disable'
+ - set firewall name INBOUND rule 103 state new 'disable'
+ - set firewall name INBOUND rule 103 state related 'enable'
+
+remove_config:
+ - delete firewall name
+ - delete firewall ipv6-name
+
+parsed_config_file: "_parsed_config_1_3.cfg"
+
+replaced_commands:
+ - delete firewall ipv6-name UPLINK rule 1
+ - delete firewall ipv6-name UPLINK rule 2
+ - delete firewall name INBOUND rule 102
+ - delete firewall name INBOUND rule 103
+ - set firewall name INBOUND rule 104 action 'reject'
+ - set firewall name INBOUND rule 104 description 'Rule 104 is configured by Ansible'
+ - set firewall name INBOUND rule 104
+ - set firewall name INBOUND rule 104 protocol 'udp'
+
+overridden_commands:
+ - delete firewall ipv6-name UPLINK
+ - delete firewall name INBOUND
+ - set firewall name Downlink default-action 'accept'
+ - set firewall name Downlink description 'IPv4 INBOUND rule set'
+ - set firewall name Downlink rule 501 action 'accept'
+ - set firewall name Downlink rule 501
+ - set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible'
+ - set firewall name Downlink rule 501 protocol 'tcp'
+ - set firewall name Downlink rule 502 action 'reject'
+ - set firewall name Downlink rule 502
+ - set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible'
+ - set firewall name Downlink rule 502 protocol 'tcp'
+
+rendered:
+ commands:
+ - set firewall ipv6-name UPLINK default-action 'accept'
+ - set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'
+ - set firewall name INBOUND default-action 'accept'
+ - set firewall name INBOUND description 'IPv4 INBOUND rule set'
+ - set firewall name INBOUND rule 101 action 'accept'
+ - set firewall name INBOUND rule 101
+ - set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'
+ - set firewall name INBOUND rule 101 protocol 'tcp'
+ - set firewall name INBOUND rule 102 action 'reject'
+ - set firewall name INBOUND rule 102
+ - set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible'
+ - set firewall name INBOUND rule 102 protocol 'tcp'
+ - set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible'
+ - set firewall name INBOUND rule 103 destination group address-group inbound
+ - set firewall name INBOUND rule 103
+ - set firewall name INBOUND rule 103 source address 192.0.2.0
+ - set firewall name INBOUND rule 103 state established enable
+ - set firewall name INBOUND rule 103 state related enable
+ - set firewall name INBOUND rule 103 state invalid disable
+ - set firewall name INBOUND rule 103 state new disable
+ - set firewall name INBOUND rule 103 action 'accept'
+deleted_rs:
+ commands:
+ - delete firewall ipv6-name UPLINK
+ - delete firewall name INBOUND
+ after: []
+deleted_afi_all:
+ commands:
+ - delete firewall ipv6-name
+ - delete firewall name
+ after: []
+
+state_dict:
+ established: true
+ new: false
+ invalid: false
+ related: true
diff --git a/tests/integration/targets/vyos_firewall_rules/vars/v1_4.yaml b/tests/integration/targets/vyos_firewall_rules/vars/v1_4.yaml
new file mode 100644
index 00000000..267803f6
--- /dev/null
+++ b/tests/integration/targets/vyos_firewall_rules/vars/v1_4.yaml
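Review bot: `remove_config` deletes `firewall name` and `firewall ipv6-name` but never the `firewall group address-group 'inbound'` that `populate_config` creates, so the group leaks across runs and is left behind on the target after the suite finishes. Add `- delete firewall group address-group inbound` as the last entry, after the two rule-set deletes, since rule 103 still references the group until `delete firewall name` has run. Note that both existing deletes are already broader than the fixture — `delete firewall name` drops every IPv4 rule-set on the device, not only INBOUND — which is fine on a dedicated test box but worth a comment such as `# wipes ALL named rule-sets; only run against a disposable target`. Separately, `overridden_commands` gives the new `Downlink` rule-set the description `'IPv4 INBOUND rule set'`, which reads like a copy-paste from INBOUND; presumably the expected command echoes the test input, so the fixture in overridden.yaml would need the same correction.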
@@ -0,0 +1,123 @@
+---
+merged_commands:
+ - set firewall ipv6 name UPLINK default-action 'accept'
+ - set firewall ipv6 name UPLINK description 'This is ipv6 specific rule-set'
+ - set firewall ipv6 name UPLINK rule 1 action 'accept'
+ - set firewall ipv6 name UPLINK rule 1
+ - set firewall ipv6 name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'
+ - set firewall ipv6 name UPLINK rule 1 protocol 'tcp'
+ - set firewall ipv6 name UPLINK rule 2 action 'accept'
+ - set firewall ipv6 name UPLINK rule 2
+ - set firewall ipv6 name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'
+ - set firewall ipv6 name UPLINK rule 2 protocol 'tcp'
+ - set firewall ipv4 name INBOUND default-action 'accept'
+ - set firewall ipv4 name INBOUND description 'IPv4 INBOUND rule set'
+ - set firewall ipv4 name INBOUND rule 101 action 'accept'
+ - set firewall ipv4 name INBOUND rule 101 disable
+ - set firewall ipv4 name INBOUND rule 101
+ - set firewall ipv4 name INBOUND rule 101 description 'Rule 101 is configured by Ansible'
+ - set firewall ipv4 name INBOUND rule 101 protocol 'tcp'
+ - set firewall ipv4 name INBOUND rule 102 action 'reject'
+ - set firewall ipv4 name INBOUND rule 102 disable
+ - set firewall ipv4 name INBOUND rule 102
+ - set firewall ipv4 name INBOUND rule 102 description 'Rule 102 is configured by Ansible'
+ - set firewall ipv4 name INBOUND rule 102 protocol 'tcp'
+ - set firewall ipv4 name INBOUND rule 103 description 'Rule 103 is configured by Ansible'
+ - set firewall ipv4 name INBOUND rule 103 destination group address-group inbound
+ - set firewall ipv4 name INBOUND rule 103
+ - set firewall ipv4 name INBOUND rule 103 source address 192.0.2.0
+ - set firewall ipv4 name INBOUND rule 103 state established
+ - set firewall ipv4 name INBOUND rule 103 state related
+ - set firewall ipv4 name INBOUND rule 103 action 'accept'
+
+populate_config:
+ - set firewall group address-group 'inbound'
+ - set firewall ipv6 name UPLINK default-action 'accept'
+ - set firewall ipv6 name UPLINK description 'This is ipv6 specific rule-set'
+ - set firewall ipv6 name UPLINK rule 1 action 'accept'
+ - set firewall ipv6 name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'
+ - set firewall ipv6 name UPLINK rule 1 protocol 'tcp'
+ - set firewall ipv6 name UPLINK rule 2 action 'accept'
+ - set firewall ipv6 name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'
+ - set firewall ipv6 name UPLINK rule 2 protocol 'tcp'
+ - set firewall ipv4 name INBOUND default-action 'accept'
+ - set firewall ipv4 name INBOUND description 'IPv4 INBOUND rule set'
+ - set firewall ipv4 name INBOUND rule 101 action 'accept'
+ - set firewall ipv4 name INBOUND rule 101 description 'Rule 101 is configured by Ansible'
+ - set firewall ipv4 name INBOUND rule 101 protocol 'tcp'
+ - set firewall ipv4 name INBOUND rule 102 action 'reject'
+ - set firewall ipv4 name INBOUND rule 102 description 'Rule 102 is configured by Ansible'
+ - set firewall ipv4 name INBOUND rule 102 protocol 'tcp'
+ - set firewall ipv4 name INBOUND rule 103 action 'accept'
+ - set firewall ipv4 name INBOUND rule 103 description 'Rule 103 is configured by Ansible'
+ - set firewall ipv4 name INBOUND rule 103 destination group address-group 'inbound'
+ - set firewall ipv4 name INBOUND rule 103 source address '192.0.2.0'
+ - set firewall ipv4 name INBOUND rule 103 state established
+ - set firewall ipv4 name INBOUND rule 103 state related
+
+remove_config:
+ - delete firewall ipv4
+ - delete firewall ipv6
+
+parsed_config_file: "_parsed_config_1_4.cfg"
+
+replaced_commands:
+ - delete firewall ipv6 name UPLINK rule 1
+ - delete firewall ipv6 name UPLINK rule 2
+ - delete firewall ipv4 name INBOUND rule 102
+ - delete firewall ipv4 name INBOUND rule 103
+ - set firewall ipv4 name INBOUND rule 104 action 'reject'
+ - set firewall ipv4 name INBOUND rule 104 description 'Rule 104 is configured by Ansible'
+ - set firewall ipv4 name INBOUND rule 104
+ - set firewall ipv4 name INBOUND rule 104 protocol 'udp'
+
+overridden_commands:
+ - delete firewall ipv6 name UPLINK
+ - delete firewall ipv4 name INBOUND
+ - set firewall ipv4 name Downlink default-action 'accept'
+ - set firewall ipv4 name Downlink description 'IPv4 INBOUND rule set'
+ - set firewall ipv4 name Downlink rule 501 action 'accept'
+ - set firewall ipv4 name Downlink rule 501
+ - set firewall ipv4 name Downlink rule 501 description 'Rule 501 is configured by Ansible'
+ - set firewall ipv4 name Downlink rule 501 protocol 'tcp'
+ - set firewall ipv4 name Downlink rule 502 action 'reject'
+ - set firewall ipv4 name Downlink rule 502
+ - set firewall ipv4 name Downlink rule 502 description 'Rule 502 is configured by Ansible'
+ - set firewall ipv4 name Downlink rule 502 protocol 'tcp'
+
+
+rendered:
+ commands:
+ - set firewall ipv6 name UPLINK default-action 'accept'
+ - set firewall ipv6 name UPLINK description 'This is ipv6 specific rule-set'
+ - set firewall ipv4 name INBOUND default-action 'accept'
+ - set firewall ipv4 name INBOUND description 'IPv4 INBOUND rule set'
+ - set firewall ipv4 name INBOUND rule 101 action 'accept'
+ - set firewall ipv4 name INBOUND rule 101
+ - set firewall ipv4 name INBOUND rule 101 description 'Rule 101 is configured by Ansible'
+ - set firewall ipv4 name INBOUND rule 101 protocol 'tcp'
+ - set firewall ipv4 name INBOUND rule 102 action 'reject'
+ - set firewall ipv4 name INBOUND rule 102
+ - set firewall ipv4 name INBOUND rule 102 description 'Rule 102 is configured by Ansible'
+ - set firewall ipv4 name INBOUND rule 102 protocol 'tcp'
+ - set firewall ipv4 name INBOUND rule 103 description 'Rule 103 is configured by Ansible'
+ - set firewall ipv4 name INBOUND rule 103 destination group address-group inbound
+ - set firewall ipv4 name INBOUND rule 103
+ - set firewall ipv4 name INBOUND rule 103 source address 192.0.2.0
+ - set firewall ipv4 name INBOUND rule 103 state established
+ - set firewall ipv4 name INBOUND rule 103 state related
+ - set firewall ipv4 name INBOUND rule 103 action 'accept'
+deleted_rs:
+ commands:
+ - delete firewall ipv6 name UPLINK
+ - delete firewall ipv4 name INBOUND
+ after: []
+deleted_afi_all:
+ commands:
+ - delete firewall ipv6
+ - delete firewall ipv4
+ after: []
+
+state_dict:
+ established: true
+ related: true
-- cgit v1.2.3
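Review bot: `deleted_afi_all.commands` and `remove_config` both expect `delete firewall ipv4` / `delete firewall ipv6`, i.e. the whole address-family subtree, whereas everything else this module emits lives under `firewall ipv4 name` / `firewall ipv6 name`; on a 1.4 target that node presumably also holds the `forward`/`input`/`output` base-chain filters, so a `state: deleted` with no rule-set list would strip filtering the module never configured. If that is the intended semantics it belongs in the module documentation; otherwise the expected commands (and the module's delete path) should narrow to `delete firewall ipv4 name` / `delete firewall ipv6 name`, consistent with what `deleted_rs` does per rule-set. As in the pre-1.4 vars, `remove_config` also leaves the `firewall group address-group 'inbound'` created by `populate_config` in place; add `- delete firewall group address-group inbound` after the two deletes so the group does not persist between runs. The two blank lines before `rendered:` are also the only double blank in the file.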