
State "overridden" not working properly

FilipK-CZ opened this issue 4 years ago • 2 comments

SUMMARY

State "overridden" does not correctly delete rules when the new rules use the same number.

If the existing rule has the destination port and I want to use "overridden" to set a rule with the source port (same number), the new rule will have both.

ISSUE TYPE

  • Bug Report

COMPONENT NAME

vyos_firewall_rules (maybe others)

ANSIBLE VERSION

❯ ansible --version
ansible 2.10.7
  config file = None
  configured module search path = ['/Users/filda/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /opt/homebrew/Cellar/ansible/3.2.0/libexec/lib/python3.9/site-packages/ansible
  executable location = /opt/homebrew/bin/ansible
  python version = 3.9.4 (default, Apr  4 2021, 17:42:23) [Clang 12.0.0 (clang-1200.0.32.29)]

CONFIGURATION

COLLECTIONS_PATHS(/Users/filda/Documents/PVyos/network/ansible.cfg) = ['/Users/filda/Documents/PVyos/network/ansible/collections']
DEFAULT_MODULE_PATH(/Users/filda/Documents/PVyos/network/ansible.cfg) = ['/Users/filda/Documents/PVyos/network/ansible/modules']
DEPRECATION_WARNINGS(/Users/filda/Documents/PVyos/network/ansible.cfg) = False
HOST_KEY_CHECKING(/Users/filda/Documents/PVyos/network/ansible.cfg) = False
INTERPRETER_PYTHON(/Users/filda/Documents/PVyos/network/ansible.cfg) = /usr/bin/python3

OS / ENVIRONMENT

Version: VyOS 1.4-rolling-202104091411
Release Train: sagitta

Built by: [email protected]
Built on: Fri 09 Apr 2021 12:16 UTC
Build UUID: 2036e80c-34a1-4429-9f35-1869cca76500
Build Commit ID: b3ba57ac9423a9

Architecture: x86_64
Boot via: installed image
System type: KVM guest

Hardware vendor: QEMU
Hardware model: Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID: 3f026c93-de24-4bfc-9476-42157a49e281

Copyright: VyOS maintainers and contributors

STEPS TO REPRODUCE

Existing configuration on the device:

set firewall group address-group Public4_IPs address '1.1.1.1'
set firewall group address-group Public4_IPs description 'Public IP'
set firewall name WAN-GW rule 1 action 'accept'
set firewall name WAN-GW rule 1 description 'Accept already established connections'
set firewall name WAN-GW rule 1 state established 'enable'
set firewall name WAN-GW rule 1 state related 'enable'
set firewall name WAN-GW rule 2 action 'accept'
set firewall name WAN-GW rule 2 description 'Accept routers keepalive'
set firewall name WAN-GW rule 2 destination port '694'
set firewall name WAN-GW rule 2 protocol 'udp'
set firewall name WAN-GW rule 2 source group address-group 'Public4_IPs'
set firewall name WAN-GW rule 3 action 'accept'
set firewall name WAN-GW rule 3 description 'Accept wireguard connection'
set firewall name WAN-GW rule 3 destination port '51820'
set firewall name WAN-GW rule 3 protocol 'udp'
set firewall name WAN-IN rule 1 action 'accept'
set firewall name WAN-IN rule 1 description 'Accept already established connections'
set firewall name WAN-IN rule 1 state established 'enable'
set firewall name WAN-IN rule 1 state related 'enable'

Playbook task:

- name: Setting firewall rules
  vyos.vyos.vyos_firewall_rules:
    config:
      - afi: ipv4
        rule_sets:
        - name: WAN-GW
          description: Communication from WAN to GW
          default_action: drop
          rules:
            - description: Accept routers keepalive
              action: accept
              number: 2
              protocol: "udp"
              destination:
                port: "1111"
            - description: Accept routers keepalive
              action: accept
              number: 3
              protocol: "udp"
              source:
                port: "2222"
    state: overridden

EXPECTED RESULTS

  1. Delete all rules

delete firewall name WAN-IN
delete firewall name WAN-GW

  2. Set new rules

set firewall name WAN-GW rule 2 description "Accept routers keepalive"
set firewall name WAN-GW rule 2 action "accept"
set firewall name WAN-GW rule 2 protocol "udp"
set firewall name WAN-GW rule 2 destination port "1111"
set firewall name WAN-GW rule 3 description "Accept routers keepalive"
set firewall name WAN-GW rule 3 action "accept"
set firewall name WAN-GW rule 3 protocol "udp"
set firewall name WAN-GW rule 3 source port "2222"

ACTUAL RESULTS

delete firewall name WAN-GW rule 1
delete firewall name WAN-IN
set firewall name WAN-GW rule 2 destination port 1111
set firewall name WAN-GW rule 3 description 'Accept routers keepalive'
set firewall name WAN-GW rule 3 source port 2222

Module output:

"before": [
    {
        "afi": "ipv4",
        "rule_sets": [
            {
                "default_action": "drop",
                "description": "Communication from WAN to GW",
                "name": "WAN-GW",
                "rules": [
                    {
                        "action": "accept",
                        "description": "Accept already established connections",
                        "number": 1,
                        "state": {
                            "established": true,
                            "related": true
                        }
                    },
                    {
                        "action": "accept",
                        "description": "Accept routers keepalive",
                        "destination": {
                            "port": "694"
                        },
                        "number": 2,
                        "protocol": "udp",
                        "source": {
                            "group": {
                                "address_group": "Public4_IPs"
                            }
                        }
                    },
                    {
                        "action": "accept",
                        "description": "Accept wireguard connection",
                        "destination": {
                            "port": "51820"
                        },
                        "number": 3,
                        "protocol": "udp"
                    }
                ]
            },
            {
                "default_action": "drop",
                "description": "Communication from WAN through GW",
                "name": "WAN-IN",
                "rules": [
                    {
                        "action": "accept",
                        "description": "Accept already established connections",
                        "number": 1,
                        "state": {
                            "established": true,
                            "related": true
                        }
                    }
                ]
            }
        ]
    }
],
"changed": true,
"commands": [
    "delete firewall name WAN-GW rule 1",
    "delete firewall name WAN-IN",
    "set firewall name WAN-GW rule 2 destination port 1111",
    "set firewall name WAN-GW rule 3 description 'Accept routers keepalive'",
    "set firewall name WAN-GW rule 3 source port 2222"
],
"invocation": {
    "module_args": {
        "config": [
            {
                "afi": "ipv4",
                "rule_sets": [
                    {
                        "default_action": "drop",
                        "description": "Communication from WAN to GW",
                        "enable_default_log": null,
                        "name": "WAN-GW",
                        "rules": [
                            {
                                "action": "accept",
                                "description": "Accept routers keepalive",
                                "destination": {
                                    "port": "1111"
                                },
                                "number": 2,
                                "protocol": "udp"
                            },
                            {
                                "action": "accept",
                                "description": "Accept routers keepalive",
                                "number": 3,
                                "protocol": "udp",
                                "source": {
                                    "port": "2222"
                                }
                            }
                        ]
                    }
                ]
            }
        ],
        "running_config": null,
        "state": "overridden"
    }
}

FilipK-CZ · Apr 11 '21 00:04
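To make the missing step concrete: the check below is an added example, not code from the vyos.vyos collection. It takes the "before" state and desired config from the module output above (trimmed to the fields that matter, sample data constructed here), computes the commands an overridden apply would need so that a rule kept under the same number is diffed leaf by leaf instead of merged, and reports which of those commands are absent from the module's reported command list. The per-leaf delete approach is this example's own; the reporter's expected output deletes the whole rule set instead, which reaches the same end state.

```python
import shlex

# Constructed from the issue's "before"/"config" output; rule 1 and WAN-IN trimmed to what the diff needs.
BEFORE = {"afi": "ipv4", "rule_sets": [
    {"name": "WAN-GW", "rules": [
        {"number": 1, "action": "accept"},
        {"number": 2, "action": "accept", "protocol": "udp", "destination": {"port": "694"},
         "source": {"group": {"address_group": "Public4_IPs"}}},
        {"number": 3, "action": "accept", "protocol": "udp", "destination": {"port": "51820"},
         "description": "Accept wireguard connection"}]},
    {"name": "WAN-IN", "rules": [{"number": 1, "action": "accept"}]}]}
WANT = {"afi": "ipv4", "rule_sets": [
    {"name": "WAN-GW", "rules": [
        {"number": 2, "action": "accept", "protocol": "udp", "destination": {"port": "1111"}},
        {"number": 3, "action": "accept", "protocol": "udp", "source": {"port": "2222"},
         "description": "Accept routers keepalive"}]}]}

def leaves(rule, path=()):
    """Flatten a rule into {('destination', 'port'): '694', ...}; 'number' is the key, not a leaf."""
    out = {}
    for key, val in rule.items():
        if key == "number":
            continue
        if isinstance(val, dict):
            out.update(leaves(val, path + (key,)))
        else:
            out[path + (key,)] = val
    return out

def overridden_commands(before, want):
    """Commands that leave the device with exactly `want`: unwanted rule sets and rules are deleted
    whole, and a rule kept under the same number has its stale leaves deleted instead of merged."""
    cmds, cli = [], lambda *parts: " ".join(p.replace("_", "-") for p in parts)
    have_sets = {rs["name"]: rs for rs in before["rule_sets"]}
    want_sets = {rs["name"]: rs for rs in want["rule_sets"]}
    cmds += [f"delete firewall name {n}" for n in have_sets if n not in want_sets]
    for name, wrs in want_sets.items():
        have_rules = {r["number"]: r for r in have_sets.get(name, {}).get("rules", [])}
        want_rules = {r["number"]: r for r in wrs.get("rules", [])}
        cmds += [f"delete firewall name {name} rule {n}" for n in have_rules if n not in want_rules]
        for num, rule in want_rules.items():
            have, need = leaves(have_rules.get(num, {})), leaves(rule)
            for path in sorted(have.keys() - need.keys()):  # stale leaves: the step the module skips
                cmds.append(f"delete firewall name {name} rule {num} {cli(*path)}")
            for path, val in need.items():
                if have.get(path) != val:
                    cmds.append(f"set firewall name {name} rule {num} {cli(*path)} {shlex.quote(val)}")
    return cmds

def missing_commands(before, want, reported):
    """Expected commands absent from the module's reported list (the stale leaves it left behind)."""
    return sorted(set(overridden_commands(before, want)) - set(reported))
```

Fed the five commands the module reported, it flags the two deletes that were never issued: rule 3 keeps its old destination port beside the new source port, and rule 2 keeps its address-group source.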

I've seen this with replaced as well on VyOS 1.3.

sdwilsh · Dec 14 '21 00:12

Any update?

FilipK-CZ · Jul 30 '22 09:07