firewall_rules: Fix incorrect behavior when IPv4 and IPv6 rule sets have the same name (#236)
firewall_rules: Fix incorrect behavior when IPv4 and IPv6 rule sets have the same name
SUMMARY
VyOS supports IPv4 and IPv6 rule sets having the same name, but there are a couple places in the Ansible module that don't handle this situation.
The fact gathering for ansible_network_resources.firewall_rules has been updated to look for name <name> or ipv6-name <name> instead of just <name>.
The vyos_firewall_rules module has been updated to take the afi into consideration when comparing the have and want states.
V4-EGRESS and V6-EGRESS have been renamed to just EGRESS in the tests. The existing tests seem to be complete enough to test this same-name situation. (V4-INGRESS and V6-INGRESS were not renamed.)
ISSUE TYPE
Bugfix Pull Request
COMPONENT NAME
vyos_facts and vyos_firewall_rules
ADDITIONAL INFORMATION
An example of a configuration that was originally causing an issue:
(Click to expand):
name wan-lan {
default-action drop rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } }
}
ipv6-name wan-lan {
default-action drop rule 1 { action accept state { established enable related enable } } rule 2 { action drop log enable state { invalid enable } } rule 10 { action accept protocol icmpv6 }
}
With this configuration, ansible_network_resources.firewall_rules would show the icmpv6 rule under both ipv4 and ipv6:
(Click to expand):
[
{ "afi": "ipv4", "rule_sets": [ { "default_action": "drop", "name": "wan-lan", "rules": [ { "action": "accept", "number": 1, "state": { "established": true, "related": true } }, { "action": "drop", "number": 2, "state": { "invalid": true } }, { "action": "accept", "number": 10, "protocol": "icmpv6" } ] }, ] }, { "afi": "ipv6", "rule_sets": [ { "default_action": "drop", "name": "wan-lan", "rules": [ { "action": "accept", "number": 1, "state": { "established": true, "related": true } }, { "action": "drop", "number": 2, "state": { "invalid": true } }, { "action": "accept", "number": 10, "protocol": "icmpv6" } ] }, ] }
]
A similar issue would happen when using vyos_firewall_rules as well, where it would attempt to change rules for the wrong afi.
Reviewed-by: GomathiselviS <None>
Reviewed-by: None <None>