.. _vyos.vyos.vyos_firewall_rules_module: ***************************** vyos.vyos.vyos_firewall_rules ***************************** **FIREWALL rules resource module** Version added: 1.0.0 .. contents:: :local: :depth: 1 Synopsis -------- - This module manages firewall rule-set attributes on VyOS devices Parameters ---------- .. raw:: html

Parameter						Choices/Defaults	Comments
config list / elements=dictionary							A dictionary of Firewall rule-set options.
	afi string / required					Choices: ipv4 ipv6	Specifies the type of rule-set.
	rule_sets list / elements=dictionary						The Firewall rule-set list.
		default_action string				Choices: drop reject accept jump	Default action for rule-set. drop (Drop if no prior rules are hit (default)) reject (Drop and notify source if no prior rules are hit) accept (Accept if no prior rules are hit) - jump (Jump to another rule-set, 1.4+)
		default_jump_target string					Default jump target if the default action is jump. Only valid in 1.4 and later. Only valid when default_action = jump.
		description string					Rule set description.
		enable_default_log boolean				Choices: no yes	Option to log packets hitting default-action.
		filter string				Choices: input output forward	Filter type (exclusive to "name"). Supported in 1.4 and later.
		name string					Firewall rule set name. Required for 1.3- and optional for 1.4+.
		rules list / elements=dictionary					A dictionary that specifies the rule-set configurations.
			action string			Choices: drop reject accept inspect continue return jump queue synproxy	Specifying the action. inspect is available < 1.4 continue, return, jump, queue, synproxy are available >= 1.4
			description string				Description of this rule.
			destination dictionary				Specifying the destination parameters.
				address string			Destination ip address subnet or range. IPv4/6 address, subnet or range to match. Match everything except the specified address, subnet or range. Destination ip address subnet or range.
				group dictionary			Destination group.
					address_group string		Group of addresses.
					network_group string		Group of networks.
					port_group string		Group of ports.
				port string			Multiple destination ports can be specified as a comma-separated list. The whole list can also be "negated" using '!'. For example:'!22,telnet,http,123,1001-1005'.
			disable boolean			Choices: no yes	Option to disable firewall rule. aliased to disabled aliases: disabled
			fragment string			Choices: match-frag match-non-frag	IP fragment match.
			icmp dictionary				ICMP type and code information.
				code integer			ICMP code.
				type integer			ICMP type.
				type_name string		Choices: any echo-reply destination-unreachable network-unreachable host-unreachable protocol-unreachable port-unreachable fragmentation-needed source-route-failed network-unknown host-unknown network-prohibited host-prohibited TOS-network-unreachable TOS-host-unreachable communication-prohibited host-precedence-violation precedence-cutoff source-quench redirect network-redirect host-redirect TOS-network-redirect TOS-host-redirect echo-request router-advertisement router-solicitation time-exceeded ttl-zero-during-transit ttl-zero-during-reassembly parameter-problem ip-header-bad required-option-missing timestamp-request timestamp-reply address-mask-request address-mask-reply ping pong ttl-exceeded	ICMP type-name.
			inbound_interface dictionary				Inbound interface. Only valid in 1.4 and later.
				group string			Interface group.
				name string			Interface name. Can have wildcards
			ipsec string			Choices: match-ipsec match-none match-ipsec-in match-ipsec-out match-none-in match-none-out	Inbound ip sec packets.
			jump_target string				Jump target if the action is jump. Only valid in 1.4 and later. Only valid when action = jump.
			limit dictionary				Rate limit using a token bucket filter.
				burst integer			Maximum number of packets to allow in excess of rate.
				rate dictionary			format for rate (integer/time unit). any one of second, minute, hour or day may be used to specify time unit. eg. 1/second implies rule to be matched at an average of once per second.
					number integer		This is the integer value.
					unit string		This is the time unit.
			log string			Choices: disable enable	Log matching packets.
			number integer / required				Rule number.
			outbound_interface dictionary				Match outbound interface. Only valid in 1.4 and later.
				group string			Interface group.
				name string			Interface name. Can have wildcards
			p2p list / elements=dictionary				P2P application packets.
				application string		Choices: all applejuice bittorrent directconnect edonkey gnutella kazaa	Name of the application.
			packet_length list / elements=dictionary				Packet length match. Only valid in 1.4 and later. Multiple values from 1 to 65535 and ranges are supported
				length string			Packet length or range.
			packet_length_exclude list / elements=dictionary				Packet length match. Only valid in 1.4 and later. Multiple values from 1 to 65535 and ranges are supported
				length string			Packet length or range.
			packet_type string			Choices: broadcast multicast host other	Packet type match.
			protocol string				Protocol to match (protocol name in /etc/protocols or protocol number or all). <text> IP protocol name from /etc/protocols (e.g. "tcp" or "udp"). <0-255> IP protocol number. tcp_udp Both TCP and UDP. all All IP protocols. (!)All IP protocols except for the specified name or number.
			queue string				Queue options. Only valid in 1.4 and later. Only valid when action = queue. Can be a queue number or range.
			queue_options string			Choices: bypass fanout	Queue options. Only valid in 1.4 and later. Only valid when action = queue.
			recent dictionary				Parameters for matching recently seen sources.
				count integer			Source addresses seen more than N times.
				time string			Source addresses seen in the last N seconds. Since 1.4, this is a string of second/minute/hour
			source dictionary				Source parameters.
				address string			Source ip address subnet or range. IPv4/6 address, subnet or range to match. Match everything except the specified address, subnet or range. Source ip address subnet or range.
				fqdn string			Fully qualified domain name. Available in 1.4 and later.
				group dictionary			Source group.
					address_group string		Group of addresses.
					network_group string		Group of networks.
					port_group string		Group of ports.
				mac_address string			<MAC address> MAC address to match. <!MAC address> Match everything except the specified MAC address.
				port string			Multiple source ports can be specified as a comma-separated list. The whole list can also be "negated" using '!'. For example:'!22,telnet,http,123,1001-1005'.
			state dictionary				Session state.
				established boolean		Choices: no yes	Established state.
				invalid boolean		Choices: no yes	Invalid state.
				new boolean		Choices: no yes	New state.
				related boolean		Choices: no yes	Related state.
			synproxy dictionary				SYN proxy options. Only valid in 1.4 and later. Only valid when action = synproxy.
				mss integer			Adjust MSS (501-65535)
				window_scale integer			Window scale (1-14).
			tcp dictionary				TCP flags to match.
				flags list / elements=dictionary			list of tcp flags to be matched 5.0 breaking change to support 1.4+ and 1.3-
					flag string	Choices: ack cwr ecn fin psh rst syn urg all	TCP flag to be matched. syn, ack, fin, rst, urg, psh, all (1.3-) syn, ack, fin, rst, urg, psh, cwr, ecn (1.4+)
					invert boolean	Choices: no yes	Invert the match.
			time dictionary				Time to match rule.
				monthdays string			Monthdays to match rule on.
				startdate string			Date to start matching rule.
				starttime string			Time of day to start matching rule.
				stopdate string			Date to stop matching rule.
				stoptime string			Time of day to stop matching rule.
				utc boolean		Choices: no yes	Interpret times for startdate, stopdate, starttime and stoptime to be UTC.
				weekdays string			Weekdays to match rule on.
running_config string							This option is used only with state parsed. The value of this option should be the output received from the VyOS device by executing the command show configuration commands \| grep firewall. The state parsed reads the configuration from `running_config` option and transforms it into Ansible structured data as per the resource module's argspec and the value is then returned in the parsed key within the result.
state string						Choices: merged ← replaced overridden deleted gathered rendered parsed	The state the configuration should be left in

Notes ----- .. note:: - Tested against VyOS 1.1.8 (helium). - This module works with connection ``ansible.netcommon.network_cli``. See `the VyOS OS Platform Options <../network/user_guide/platform_vyos.html>`_. Examples -------- .. code-block:: yaml # Using deleted to delete firewall rules based on rule-set name # # Before state # ------------- # # vyos@vyos:~$ show configuration commands| grep firewall # set firewall group address-group 'inbound' # set firewall name Downlink default-action 'accept' # set firewall name Downlink description 'IPv4 INBOUND rule set' # set firewall name Downlink rule 501 action 'accept' # set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible' # set firewall name Downlink rule 501 ipsec 'match-ipsec' # set firewall name Downlink rule 502 action 'reject' # set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible' # set firewall name Downlink rule 502 ipsec 'match-ipsec' - name: Delete attributes of given firewall rules. vyos.vyos.vyos_firewall_rules: config: - afi: ipv4 rule_sets: - name: Downlink state: deleted # # # ------------------------ # Module Execution Results # ------------------------ # # "before": [ # { # "afi": "ipv4", # "rule_sets": [ # { # "default_action": "accept", # "description": "IPv4 INBOUND rule set", # "name": "Downlink", # "rules": [ # { # "action": "accept", # "description": "Rule 501 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 501 # }, # { # "action": "reject", # "description": "Rule 502 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 502 # } # ] # } # ] # } # ] # "commands": [ # "delete firewall name Downlink" # ] # # "after": [] # After state # ------------ # vyos@vyos# run show configuration commands | grep firewall # set firewall group address-group 'inbound' # Using deleted to delete firewall rules based on afi # # Before state # ------------- # # vyos@vyos:~$ show configuration commands| grep firewall # set firewall ipv6-name UPLINK default-action 'accept' # set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' # set firewall ipv6-name UPLINK rule 1 action 'accept' # set firewall ipv6-name UPLINK rule 1 # set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible' # set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec' # set firewall ipv6-name UPLINK rule 2 action 'accept' # set firewall ipv6-name UPLINK rule 2 # set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible' # set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec' # set firewall group address-group 'inbound' # set firewall name Downlink default-action 'accept' # set firewall name Downlink description 'IPv4 INBOUND rule set' # set firewall name Downlink rule 501 action 'accept' # set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible' # set firewall name Downlink rule 501 ipsec 'match-ipsec' # set firewall name Downlink rule 502 action 'reject' # set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible' # set firewall name Downlink rule 502 ipsec 'match-ipsec' - name: Delete attributes of given firewall rules. vyos.vyos.vyos_firewall_rules: config: - afi: ipv4 state: deleted # # # ------------------------ # Module Execution Results # ------------------------ # # "before": [ # { # "afi": "ipv6", # "rule_sets": [ # { # "default_action": "accept", # "description": "This is ipv6 specific rule-set", # "name": "UPLINK", # "rules": [ # { # "action": "accept", # "description": "Fwipv6-Rule 1 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 1 # }, # { # "action": "accept", # "description": "Fwipv6-Rule 2 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 2 # } # ] # } # ] # }, # { # "afi": "ipv4", # "rule_sets": [ # { # "default_action": "accept", # "description": "IPv4 INBOUND rule set", # "name": "Downlink", # "rules": [ # { # "action": "accept", # "description": "Rule 501 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 501 # }, # { # "action": "reject", # "description": "Rule 502 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 502 # } # ] # } # ] # } # ] # "commands": [ # "delete firewall name" # ] # # "after": [] # After state # ------------ # vyos@vyos:~$ show configuration commands| grep firewall # set firewall ipv6-name UPLINK default-action 'accept' # set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' # set firewall ipv6-name UPLINK rule 1 action 'accept' # set firewall ipv6-name UPLINK rule 1 # set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible' # set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec' # set firewall ipv6-name UPLINK rule 2 action 'accept' # set firewall ipv6-name UPLINK rule 2 # set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible' # set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec' # Using deleted to delete all the the firewall rules when provided config is empty # # Before state # ------------- # # vyos@vyos:~$ show configuration commands| grep firewall # set firewall group address-group 'inbound' # set firewall name Downlink default-action 'accept' # set firewall name Downlink description 'IPv4 INBOUND rule set' # set firewall name Downlink rule 501 action 'accept' # set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible' # set firewall name Downlink rule 501 ipsec 'match-ipsec' # set firewall name Downlink rule 502 action 'reject' # set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible' # set firewall name Downlink rule 502 ipsec 'match-ipsec' # - name: Delete attributes of given firewall rules. vyos.vyos.vyos_firewall_rules: state: deleted # # # ------------------------ # Module Execution Results # ------------------------ # # "before": [ # { # "afi": "ipv4", # "rule_sets": [ # { # "default_action": "accept", # "description": "IPv4 INBOUND rule set", # "name": "Downlink", # "rules": [ # { # "action": "accept", # "description": "Rule 501 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 501 # }, # { # "action": "reject", # "description": "Rule 502 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 502 # } # ] # } # ] # } # ] # "commands": [ # "delete firewall name" # ] # # "after": [] # After state # ------------ # vyos@vyos# run show configuration commands | grep firewall # set firewall group address-group 'inbound' # Using merged # # Before state: # ------------- # # vyos@vyos# run show configuration commands | grep firewall # set firewall group address-group 'inbound' # - name: Merge the provided configuration with the existing running configuration vyos.vyos.vyos_firewall_rules: config: - afi: ipv6 rule_sets: - name: UPLINK description: This is ipv6 specific rule-set default_action: accept rules: - number: 1 action: accept description: Fwipv6-Rule 1 is configured by Ansible ipsec: match-ipsec - number: 2 action: accept description: Fwipv6-Rule 2 is configured by Ansible ipsec: match-ipsec - afi: ipv4 rule_sets: - name: INBOUND description: IPv4 INBOUND rule set default_action: accept rules: - number: 101 action: accept description: Rule 101 is configured by Ansible ipsec: match-ipsec - number: 102 action: reject description: Rule 102 is configured by Ansible ipsec: match-ipsec - number: 103 action: accept description: Rule 103 is configured by Ansible destination: group: address_group: inbound source: address: 192.0.2.0 state: established: true new: false invalid: false related: true state: merged # # # ------------------------- # Module Execution Result # ------------------------- # # before": [] # # "commands": [ # "set firewall ipv6-name UPLINK default-action 'accept'", # "set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'", # "set firewall ipv6-name UPLINK rule 1 action 'accept'", # "set firewall ipv6-name UPLINK rule 1", # "set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'", # "set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec'", # "set firewall ipv6-name UPLINK rule 2 action 'accept'", # "set firewall ipv6-name UPLINK rule 2", # "set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'", # "set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec'", # "set firewall name INBOUND default-action 'accept'", # "set firewall name INBOUND description 'IPv4 INBOUND rule set'", # "set firewall name INBOUND rule 101 action 'accept'", # "set firewall name INBOUND rule 101", # "set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'", # "set firewall name INBOUND rule 101 ipsec 'match-ipsec'", # "set firewall name INBOUND rule 102 action 'reject'", # "set firewall name INBOUND rule 102", # "set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible'", # "set firewall name INBOUND rule 102 ipsec 'match-ipsec'", # "set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible'", # "set firewall name INBOUND rule 103 destination group address-group inbound", # "set firewall name INBOUND rule 103", # "set firewall name INBOUND rule 103 source address 192.0.2.0", # "set firewall name INBOUND rule 103 state established enable", # "set firewall name INBOUND rule 103 state related enable", # "set firewall name INBOUND rule 103 state invalid disable", # "set firewall name INBOUND rule 103 state new disable", # "set firewall name INBOUND rule 103 action 'accept'" # ] # # "after": [ # { # "afi": "ipv6", # "rule_sets": [ # { # "default_action": "accept", # "description": "This is ipv6 specific rule-set", # "name": "UPLINK", # "rules": [ # { # "action": "accept", # "description": "Fwipv6-Rule 1 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 1 # }, # { # "action": "accept", # "description": "Fwipv6-Rule 2 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 2 # } # ] # } # ] # }, # { # "afi": "ipv4", # "rule_sets": [ # { # "default_action": "accept", # "description": "IPv4 INBOUND rule set", # "name": "INBOUND", # "rules": [ # { # "action": "accept", # "description": "Rule 101 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 101 # }, # { # "action": "reject", # "description": "Rule 102 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 102 # }, # { # "action": "accept", # "description": "Rule 103 is configured by Ansible", # "destination": { # "group": { # "address_group": "inbound" # } # }, # "number": 103, # "source": { # "address": "192.0.2.0" # }, # "state": { # "established": true, # "invalid": false, # "new": false, # "related": true # } # } # ] # } # ] # } # ] # # After state: # ------------- # # vyos@vyos:~$ show configuration commands| grep firewall # set firewall group address-group 'inbound' # set firewall ipv6-name UPLINK default-action 'accept' # set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' # set firewall ipv6-name UPLINK rule 1 action 'accept' # set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible' # set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec' # set firewall ipv6-name UPLINK rule 2 action 'accept' # set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible' # set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec' # set firewall name INBOUND default-action 'accept' # set firewall name INBOUND description 'IPv4 INBOUND rule set' # set firewall name INBOUND rule 101 action 'accept' # set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible' # set firewall name INBOUND rule 101 ipsec 'match-ipsec' # set firewall name INBOUND rule 102 action 'reject' # set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible' # set firewall name INBOUND rule 102 ipsec 'match-ipsec' # set firewall name INBOUND rule 103 action 'accept' # set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible' # set firewall name INBOUND rule 103 destination group address-group 'inbound' # set firewall name INBOUND rule 103 source address '192.0.2.0' # set firewall name INBOUND rule 103 state established 'enable' # set firewall name INBOUND rule 103 state invalid 'disable' # set firewall name INBOUND rule 103 state new 'disable' # set firewall name INBOUND rule 103 state related 'enable' # Using replaced # # Before state: # ------------- # # vyos@vyos:~$ show configuration commands| grep firewall # set firewall group address-group 'inbound' # set firewall ipv6-name UPLINK default-action 'accept' # set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' # set firewall ipv6-name UPLINK rule 1 action 'accept' # set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible' # set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec' # set firewall ipv6-name UPLINK rule 2 action 'accept' # set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible' # set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec' # set firewall name INBOUND default-action 'accept' # set firewall name INBOUND description 'IPv4 INBOUND rule set' # set firewall name INBOUND rule 101 action 'accept' # set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible' # set firewall name INBOUND rule 101 ipsec 'match-ipsec' # set firewall name INBOUND rule 102 action 'reject' # set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible' # set firewall name INBOUND rule 102 ipsec 'match-ipsec' # set firewall name INBOUND rule 103 action 'accept' # set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible' # set firewall name INBOUND rule 103 destination group address-group 'inbound' # set firewall name INBOUND rule 103 source address '192.0.2.0' # set firewall name INBOUND rule 103 state established 'enable' # set firewall name INBOUND rule 103 state invalid 'disable' # set firewall name INBOUND rule 103 state new 'disable' # set firewall name INBOUND rule 103 state related 'enable' # - name: >- Replace device configurations of listed firewall rules with provided configurations vyos.vyos.vyos_firewall_rules: config: - afi: ipv6 rule_sets: - name: UPLINK description: This is ipv6 specific rule-set default_action: accept - afi: ipv4 rule_sets: - name: INBOUND description: IPv4 INBOUND rule set default_action: accept rules: - number: 101 action: accept description: Rule 101 is configured by Ansible ipsec: match-ipsec - number: 104 action: reject description: Rule 104 is configured by Ansible ipsec: match-none state: replaced # # # ------------------------- # Module Execution Result # ------------------------- # # "before": [ # { # "afi": "ipv6", # "rule_sets": [ # { # "default_action": "accept", # "description": "This is ipv6 specific rule-set", # "name": "UPLINK", # "rules": [ # { # "action": "accept", # "description": "Fwipv6-Rule 1 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 1 # }, # { # "action": "accept", # "description": "Fwipv6-Rule 2 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 2 # } # ] # } # ] # }, # { # "afi": "ipv4", # "rule_sets": [ # { # "default_action": "accept", # "description": "IPv4 INBOUND rule set", # "name": "INBOUND", # "rules": [ # { # "action": "accept", # "description": "Rule 101 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 101 # }, # { # "action": "reject", # "description": "Rule 102 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 102 # }, # { # "action": "accept", # "description": "Rule 103 is configured by Ansible", # "destination": { # "group": { # "address_group": "inbound" # } # }, # "number": 103, # "source": { # "address": "192.0.2.0" # }, # "state": { # "established": true, # "invalid": false, # "new": false, # "related": true # } # } # ] # } # ] # } # ] # # "commands": [ # "delete firewall ipv6-name UPLINK rule 1", # "delete firewall ipv6-name UPLINK rule 2", # "delete firewall name INBOUND rule 102", # "delete firewall name INBOUND rule 103", # "set firewall name INBOUND rule 104 action 'reject'", # "set firewall name INBOUND rule 104 description 'Rule 104 is configured by Ansible'", # "set firewall name INBOUND rule 104", # "set firewall name INBOUND rule 104 ipsec 'match-none'" # ] # # "after": [ # { # "afi": "ipv6", # "rule_sets": [ # { # "default_action": "accept", # "description": "This is ipv6 specific rule-set", # "name": "UPLINK" # } # ] # }, # { # "afi": "ipv4", # "rule_sets": [ # { # "default_action": "accept", # "description": "IPv4 INBOUND rule set", # "name": "INBOUND", # "rules": [ # { # "action": "accept", # "description": "Rule 101 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 101 # }, # { # "action": "reject", # "description": "Rule 104 is configured by Ansible", # "ipsec": "match-none", # "number": 104 # } # ] # } # ] # } # ] # # After state: # ------------- # # vyos@vyos:~$ show configuration commands| grep firewall # set firewall group address-group 'inbound' # set firewall ipv6-name UPLINK default-action 'accept' # set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' # set firewall name INBOUND default-action 'accept' # set firewall name INBOUND description 'IPv4 INBOUND rule set' # set firewall name INBOUND rule 101 action 'accept' # set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible' # set firewall name INBOUND rule 101 ipsec 'match-ipsec' # set firewall name INBOUND rule 104 action 'reject' # set firewall name INBOUND rule 104 description 'Rule 104 is configured by Ansible' # set firewall name INBOUND rule 104 ipsec 'match-none' # Using overridden # # Before state # -------------- # # vyos@vyos:~$ show configuration commands| grep firewall # set firewall group address-group 'inbound' # set firewall ipv6-name UPLINK default-action 'accept' # set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' # set firewall name INBOUND default-action 'accept' # set firewall name INBOUND description 'IPv4 INBOUND rule set' # set firewall name INBOUND rule 101 action 'accept' # set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible' # set firewall name INBOUND rule 101 ipsec 'match-ipsec' # set firewall name INBOUND rule 104 action 'reject' # set firewall name INBOUND rule 104 description 'Rule 104 is configured by Ansible' # set firewall name INBOUND rule 104 ipsec 'match-none' # - name: Overrides all device configuration with provided configuration vyos.vyos.vyos_firewall_rules: config: - afi: ipv4 rule_sets: - name: Downlink description: IPv4 INBOUND rule set default_action: accept rules: - number: 501 action: accept description: Rule 501 is configured by Ansible ipsec: match-ipsec - number: 502 action: reject description: Rule 502 is configured by Ansible ipsec: match-ipsec state: overridden # # # ------------------------- # Module Execution Result # ------------------------- # # "before": [ # { # "afi": "ipv6", # "rule_sets": [ # { # "default_action": "accept", # "description": "This is ipv6 specific rule-set", # "name": "UPLINK" # } # ] # }, # { # "afi": "ipv4", # "rule_sets": [ # { # "default_action": "accept", # "description": "IPv4 INBOUND rule set", # "name": "INBOUND", # "rules": [ # { # "action": "accept", # "description": "Rule 101 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 101 # }, # { # "action": "reject", # "description": "Rule 104 is configured by Ansible", # "ipsec": "match-none", # "number": 104 # } # ] # } # ] # } # ] # # "commands": [ # "delete firewall ipv6-name UPLINK", # "delete firewall name INBOUND", # "set firewall name Downlink default-action 'accept'", # "set firewall name Downlink description 'IPv4 INBOUND rule set'", # "set firewall name Downlink rule 501 action 'accept'", # "set firewall name Downlink rule 501", # "set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible'", # "set firewall name Downlink rule 501 ipsec 'match-ipsec'", # "set firewall name Downlink rule 502 action 'reject'", # "set firewall name Downlink rule 502", # "set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible'", # "set firewall name Downlink rule 502 ipsec 'match-ipsec'" # # # "after": [ # { # "afi": "ipv4", # "rule_sets": [ # { # "default_action": "accept", # "description": "IPv4 INBOUND rule set", # "name": "Downlink", # "rules": [ # { # "action": "accept", # "description": "Rule 501 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 501 # }, # { # "action": "reject", # "description": "Rule 502 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 502 # } # ] # } # ] # } # ] # # # After state # ------------ # # vyos@vyos:~$ show configuration commands| grep firewall # set firewall group address-group 'inbound' # set firewall name Downlink default-action 'accept' # set firewall name Downlink description 'IPv4 INBOUND rule set' # set firewall name Downlink rule 501 action 'accept' # set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible' # set firewall name Downlink rule 501 ipsec 'match-ipsec' # set firewall name Downlink rule 502 action 'reject' # set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible' # set firewall name Downlink rule 502 ipsec 'match-ipsec' # Using gathered # # Before state: # ------------- # # vyos@vyos:~$ show configuration commands| grep firewall # set firewall group address-group 'inbound' # set firewall ipv6-name UPLINK default-action 'accept' # set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' # set firewall ipv6-name UPLINK rule 1 action 'accept' # set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible' # set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec' # set firewall ipv6-name UPLINK rule 2 action 'accept' # set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible' # set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec' # set firewall name INBOUND default-action 'accept' # set firewall name INBOUND description 'IPv4 INBOUND rule set' # set firewall name INBOUND rule 101 action 'accept' # set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible' # set firewall name INBOUND rule 101 ipsec 'match-ipsec' # set firewall name INBOUND rule 102 action 'reject' # set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible' # set firewall name INBOUND rule 102 ipsec 'match-ipsec' # set firewall name INBOUND rule 103 action 'accept' # set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible' # set firewall name INBOUND rule 103 destination group address-group 'inbound' # set firewall name INBOUND rule 103 source address '192.0.2.0' # set firewall name INBOUND rule 103 state established 'enable' # set firewall name INBOUND rule 103 state invalid 'disable' # set firewall name INBOUND rule 103 state new 'disable' # set firewall name INBOUND rule 103 state related 'enable' # - name: Gather listed firewall rules with provided configurations vyos.vyos.vyos_firewall_rules: state: gathered # # # ------------------------- # Module Execution Result # ------------------------- # # "gathered": [ # { # "afi": "ipv6", # "rule_sets": [ # { # "default_action": "accept", # "description": "This is ipv6 specific rule-set", # "name": "UPLINK", # "rules": [ # { # "action": "accept", # "description": "Fwipv6-Rule 1 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 1 # }, # { # "action": "accept", # "description": "Fwipv6-Rule 2 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 2 # } # ] # } # ] # }, # { # "afi": "ipv4", # "rule_sets": [ # { # "default_action": "accept", # "description": "IPv4 INBOUND rule set", # "name": "INBOUND", # "rules": [ # { # "action": "accept", # "description": "Rule 101 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 101 # }, # { # "action": "reject", # "description": "Rule 102 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 102 # }, # { # "action": "accept", # "description": "Rule 103 is configured by Ansible", # "destination": { # "group": { # "address_group": "inbound" # } # }, # "number": 103, # "source": { # "address": "192.0.2.0" # }, # "state": { # "established": true, # "invalid": false, # "new": false, # "related": true # } # } # ] # } # ] # } # ] # # # After state: # ------------- # # vyos@vyos:~$ show configuration commands| grep firewall # set firewall group address-group 'inbound' # set firewall ipv6-name UPLINK default-action 'accept' # set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' # set firewall ipv6-name UPLINK rule 1 action 'accept' # set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible' # set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec' # set firewall ipv6-name UPLINK rule 2 action 'accept' # set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible' # set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec' # set firewall name INBOUND default-action 'accept' # set firewall name INBOUND description 'IPv4 INBOUND rule set' # set firewall name INBOUND rule 101 action 'accept' # set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible' # set firewall name INBOUND rule 101 ipsec 'match-ipsec' # set firewall name INBOUND rule 102 action 'reject' # set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible' # set firewall name INBOUND rule 102 ipsec 'match-ipsec' # set firewall name INBOUND rule 103 action 'accept' # set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible' # set firewall name INBOUND rule 103 destination group address-group 'inbound' # set firewall name INBOUND rule 103 source address '192.0.2.0' # set firewall name INBOUND rule 103 state established 'enable' # set firewall name INBOUND rule 103 state invalid 'disable' # set firewall name INBOUND rule 103 state new 'disable' # set firewall name INBOUND rule 103 state related 'enable' # Using rendered # # - name: Render the commands for provided configuration vyos.vyos.vyos_firewall_rules: config: - afi: ipv6 rule_sets: - name: UPLINK description: This is ipv6 specific rule-set default_action: accept - afi: ipv4 rule_sets: - name: INBOUND description: IPv4 INBOUND rule set default_action: accept rules: - number: 101 action: accept description: Rule 101 is configured by Ansible ipsec: match-ipsec - number: 102 action: reject description: Rule 102 is configured by Ansible ipsec: match-ipsec - number: 103 action: accept description: Rule 103 is configured by Ansible destination: group: address_group: inbound source: address: 192.0.2.0 state: established: true new: false invalid: false related: true state: rendered # # # ------------------------- # Module Execution Result # ------------------------- # # # "rendered": [ # "set firewall ipv6-name UPLINK default-action 'accept'", # "set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'", # "set firewall name INBOUND default-action 'accept'", # "set firewall name INBOUND description 'IPv4 INBOUND rule set'", # "set firewall name INBOUND rule 101 action 'accept'", # "set firewall name INBOUND rule 101", # "set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'", # "set firewall name INBOUND rule 101 ipsec 'match-ipsec'", # "set firewall name INBOUND rule 102 action 'reject'", # "set firewall name INBOUND rule 102", # "set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible'", # "set firewall name INBOUND rule 102 ipsec 'match-ipsec'", # "set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible'", # "set firewall name INBOUND rule 103 destination group address-group inbound", # "set firewall name INBOUND rule 103", # "set firewall name INBOUND rule 103 source address 192.0.2.0", # "set firewall name INBOUND rule 103 state established enable", # "set firewall name INBOUND rule 103 state related enable", # "set firewall name INBOUND rule 103 state invalid disable", # "set firewall name INBOUND rule 103 state new disable", # "set firewall name INBOUND rule 103 action 'accept'" # ] # Using parsed # # - name: Parsed the provided input commands. vyos.vyos.vyos_firewall_rules: running_config: "set firewall group address-group 'inbound' set firewall name Downlink default-action 'accept' set firewall name Downlink description 'IPv4 INBOUND rule set' set firewall name Downlink rule 501 action 'accept' set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible' set firewall name Downlink rule 501 ipsec 'match-ipsec' set firewall name Downlink rule 502 action 'reject' set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible' set firewall name Downlink rule 502 ipsec 'match-ipsec'" state: parsed # # # ------------------------- # Module Execution Result # ------------------------- # # # "parsed": [ # { # "afi": "ipv4", # "rule_sets": [ # { # "default_action": "accept", # "description": "IPv4 INBOUND rule set", # "name": "Downlink", # "rules": [ # { # "action": "accept", # "description": "Rule 501 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 501 # }, # { # "action": "reject", # "description": "Rule 502 is configured by Ansible", # "ipsec": "match-ipsec", # "number": 502 # } # ] # } # ] # } # ] Return Values ------------- Common return values are documented `here `_, the following are the fields unique to this module: .. raw:: html

Key	Returned	Description
after dictionary	when changed	The resulting configuration model invocation. Sample: The configuration returned will always be in the same format of the parameters above.
before dictionary	always	The configuration prior to the model invocation. Sample: The configuration returned will always be in the same format of the parameters above.
commands list	always	The set of commands pushed to the remote device. Sample: ["set firewall name Downlink default-action 'accept'", "set firewall name Downlink description 'IPv4 INBOUND rule set'", "set firewall name Downlink rule 501 action 'accept'", "set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible'", "set firewall name Downlink rule 502 ipsec 'match-ipsec'"]

Status ------ Authors ~~~~~~~ - Rohit Thakur (@rohitthakur2590)