
protocol property of the ManagementIpFirewall_rules object does not accept ICMP

Open person50002 opened this issue 2 years ago • 0 comments

Environment

  • Declarative Onboarding Version: 1.36.1
  • BIG-IP Version: 17.1.0

Summary

With TMSH or TMUI it is possible to create firewall rules for the management port that match ICMP traffic, but this cannot be done with Declarative Onboarding. The protocol property of the ManagementIpFirewall_rules object can only be set to any, tcp or udp, not to icmp or anything else, so a management-port policy that needs to match ICMP specifically cannot be expressed in a declaration. https://clouddocs.f5.com/products/extensions/f5-declarative-onboarding/latest/schema-reference.html#managementipfirewall-rules

Steps To Reproduce

Steps to reproduce the behavior:

  1. Submit the following declaration:
{
  "schemaVersion": "1.36.0",
  "class": "Device",
  "controls": {
		"traceResponse": true,
		"dryRun": true
	},
  "Common": {
    "class": "Tenant",
    "managementIpFirewall": {
      "class": "ManagementIpFirewall",
      "rules": [
        {
          "name": "allow_icmp",
          "action": "accept",
          "protocol": "icmp",
          "loggingEnabled": true
        },
        {
          "name": "deny_all",
          "action": "drop",
          "protocol": "any",
          "loggingEnabled": true
        }
      ]
    }
  }
}

  2. Observe the following error response:
{
	"id": "6b640d9b-b9b9-4592-a85c-9ae54ffa022b",
	"selfLink": "https://localhost/mgmt/shared/declarative-onboarding/task/6b640d9b-b9b9-4592-a85c-9ae54ffa022b",
	"code": 400,
	"status": "ERROR",
	"message": "bad declaration",
	"errors": [
		{
			"keyword": "enum",
			"dataPath": ".declaration.Common['managementIpFirewall'].rules[0].protocol",
			"schemaPath": "#/properties/protocol/enum",
			"params": {
				"allowedValues": [
					"any",
					"tcp",
					"udp"
				]
			},
			"message": "should be equal to one of the allowed values"
		},
		{
			"keyword": "if",
			"dataPath": ".declaration.Common['managementIpFirewall']",
			"schemaPath": "#/allOf/18/if",
			"params": {
				"failingKeyword": "then"
			},
			"message": "should match \"then\" schema"
		},
		{
			"keyword": "if",
			"dataPath": "",
			"schemaPath": "#/allOf/1/if",
			"params": {
				"failingKeyword": "then"
			},
			"message": "should match \"then\" schema"
		}
	],
	"result": {
		"class": "Result",
		"code": 400,
		"status": "ERROR",
		"dryRun": true,
		"message": "bad declaration",
		"errors": [
			{
				"keyword": "enum",
				"dataPath": ".declaration.Common['managementIpFirewall'].rules[0].protocol",
				"schemaPath": "#/properties/protocol/enum",
				"params": {
					"allowedValues": [
						"any",
						"tcp",
						"udp"
					]
				},
				"message": "should be equal to one of the allowed values"
			},
			{
				"keyword": "if",
				"dataPath": ".declaration.Common['managementIpFirewall']",
				"schemaPath": "#/allOf/18/if",
				"params": {
					"failingKeyword": "then"
				},
				"message": "should match \"then\" schema"
			},
			{
				"keyword": "if",
				"dataPath": "",
				"schemaPath": "#/allOf/1/if",
				"params": {
					"failingKeyword": "then"
				},
				"message": "should match \"then\" schema"
			}
		]
	},
	"declaration": {
		"schemaVersion": "1.36.0",
		"class": "Device",
		"controls": {
			"traceResponse": true,
			"dryRun": true
		},
		"Common": {
			"class": "Tenant",
			"managementIpFirewall": {
				"class": "ManagementIpFirewall",
				"rules": [
					{
						"name": "allow_icmp",
						"action": "accept",
						"protocol": "icmp",
						"loggingEnabled": true
					},
					{
						"name": "deny_all",
						"action": "drop",
						"protocol": "any",
						"loggingEnabled": true
					}
				]
			}
		},
		"async": false
	}
}

Expected Behavior

DO should accept icmp as a value for the protocol property of ManagementIpFirewall_rules.

person50002, May 23 '23 16:05