
firewall_rules: Fix incorrect behavior when IPv4 and IPv6 rule sets have the…

Description

firewall_rules: Fix incorrect behavior when IPv4 and IPv6 rule sets have the same name (#236)

SUMMARY
VyOS supports IPv4 and IPv6 rule sets having the same name, but there are a couple places in the Ansible module that don't handle this situation.

The fact gathering for ansible_network_resources.firewall_rules has been updated to look for name <name> or ipv6-name <name> instead of just <name>.
The vyos_firewall_rules module has been updated to take the afi into consideration when comparing the have and want states.
V4-EGRESS and V6-EGRESS have been renamed to just EGRESS in the tests. The existing tests seem to be complete enough to test this same-name situation. (V4-INGRESS and V6-INGRESS were not renamed.)

ISSUE TYPE

Bugfix Pull Request

COMPONENT NAME

vyos_facts and vyos_firewall_rules

ADDITIONAL INFORMATION

An example of a configuration that was originally causing an issue:

name wan-lan {
    default-action drop
    rule 1 {
        action accept
        state {
            established enable
            related enable
        }
    }
    rule 2 {
        action drop
        log enable
        state {
            invalid enable
        }
    }
}

ipv6-name wan-lan {
    default-action drop
    rule 1 {
        action accept
        state {
            established enable
            related enable
        }
    }
    rule 2 {
        action drop
        log enable
        state {
            invalid enable
        }
    }
    rule 10 {
        action accept
        protocol icmpv6
    }
}

With this configuration, ansible_network_resources.firewall_rules would show the icmpv6 rule under both ipv4 and ipv6:

[
    {
        "afi": "ipv4",
        "rule_sets": [
            {
                "default_action": "drop",
                "name": "wan-lan",
                "rules": [
                    {
                        "action": "accept",
                        "number": 1,
                        "state": {
                            "established": true,
                            "related": true
                        }
                    },
                    {
                        "action": "drop",
                        "number": 2,
                        "state": {
                            "invalid": true
                        }
                    },
                    {
                        "action": "accept",
                        "number": 10,
                        "protocol": "icmpv6"
                    }
                ]
            }
        ]
    },
    {
        "afi": "ipv6",
        "rule_sets": [
            {
                "default_action": "drop",
                "name": "wan-lan",
                "rules": [
                    {
                        "action": "accept",
                        "number": 1,
                        "state": {
                            "established": true,
                            "related": true
                        }
                    },
                    {
                        "action": "drop",
                        "number": 2,
                        "state": {
                            "invalid": true
                        }
                    },
                    {
                        "action": "accept",
                        "number": 10,
                        "protocol": "icmpv6"
                    }
                ]
            }
        ]
    }
]

A similar issue would happen when using vyos_firewall_rules as well, where it would attempt to change rules for the wrong afi.

Reviewed-by: GomathiselviS <None>
Reviewed-by: None <None>
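The following is an added illustration of the two behaviours the commit message describes; it is not code from the vyos.vyos collection or from this commit. It uses a small hypothetical parser (parse_blocks) over a constructed config abridged from the one above, shows the name-only lookup that matches both "name wan-lan" and "ipv6-name wan-lan" (find_by_name_only), the afi-aware fact gathering that keys on "name <name>" versus "ipv6-name <name>" (gather_facts), and a have/want comparison keyed on (afi, name) so that same-named rule sets of different families are never compared against each other (diff_rule_sets). Function names and the fact layout are assumptions chosen to mirror ansible_network_resources.firewall_rules.

```python
import re

# Constructed sample, abridged from the configuration in the commit message:
# an IPv4 rule set and an IPv6 rule set that share the name "wan-lan".
SAMPLE_CONFIG = """\
name wan-lan {
    default-action drop
    rule 1 {
        action accept
        state {
            established enable
            related enable
        }
    }
    rule 2 {
        action drop
        log enable
        state {
            invalid enable
        }
    }
}
ipv6-name wan-lan {
    default-action drop
    rule 1 {
        action accept
    }
    rule 10 {
        action accept
        protocol icmpv6
    }
}
"""

# A rule set is opened by exactly one of these headers; the header kind is the afi.
HEADER_RE = re.compile(r"^(?P<kind>ipv6-name|name) (?P<name>\S+)$")


def parse_blocks(text):
    """Hypothetical parser: brace-delimited VyOS config text -> nested dicts."""
    root, stack = {}, []
    stack.append(root)
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.endswith("{"):           # "rule 1 {" opens a child block
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        elif line == "}":
            stack.pop()
        else:                            # "action accept" is a leaf: key, value
            key, _, value = line.partition(" ")
            stack[-1][key] = value or True
    return root


def find_by_name_only(tree, name):
    """Pre-fix behaviour: matching on the bare name picks up both
    'name wan-lan' and 'ipv6-name wan-lan', so the two families get mixed."""
    return [key for key in tree if key.endswith(" " + name)]


def render_rule_set(name, body):
    """Shape one parsed block like an ansible_network_resources rule set."""
    rules = []
    for key, val in body.items():
        if key.startswith("rule "):
            rule = {"number": int(key.split()[1])}
            for k, v in val.items():
                if k == "state":
                    rule["state"] = {s: f == "enable" for s, f in v.items()}
                elif k == "log":
                    rule["log"] = v == "enable"
                else:
                    rule[k] = v
            rules.append(rule)
    return {"name": name, "default_action": body.get("default-action"),
            "rules": sorted(rules, key=lambda r: r["number"])}


def gather_facts(config_text):
    """Post-fix behaviour: look for 'name <n>' (ipv4) or 'ipv6-name <n>' (ipv6)."""
    tree = parse_blocks(config_text)
    facts = []
    for afi, kind in (("ipv4", "name"), ("ipv6", "ipv6-name")):
        sets = []
        for key in tree:
            m = HEADER_RE.match(key)
            if m and m.group("kind") == kind:
                sets.append(render_rule_set(m.group("name"), tree[key]))
        if sets:
            facts.append({"afi": afi, "rule_sets": sets})
    return facts


def diff_rule_sets(want, have):
    """Key rule sets on (afi, name) so same-named IPv4/IPv6 sets never cross-compare."""
    def index(facts):
        return {(e["afi"], rs["name"]): rs for e in facts for rs in e["rule_sets"]}
    w, h = index(want), index(have)
    changed = sorted(k for k in w if k in h and w[k] != h[k])
    missing = sorted(k for k in w if k not in h)
    return changed, missing
```

Running gather_facts(SAMPLE_CONFIG) places rule 10 (icmpv6) only under the ipv6 entry, whereas find_by_name_only(parse_blocks(SAMPLE_CONFIG), "wan-lan") returns both headers, which is the ambiguity that produced the duplicated rule in the output above. diff_rule_sets reports a change on ("ipv6", "wan-lan") only when the IPv6 set differs, leaving the same-named IPv4 set untouched.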

Details

Provenance
chenxiaolong authored on Feb 25 2022, 6:28 PM
GitHub committed on Feb 25 2022, 6:28 PM
Parents
R52:d3c91d0ee00c: vyos_firewall_rules: Add support for log enable on individual rules (#238)