SUMMARY
The firewall `limit rate` option is not handled idempotently. The module produces the correct configuration command, but it does not parse the existing value back out of the current configuration, so it cannot tell that the rule already matches and re-applies the command on every run.
OS / ENVIRONMENT
VyOS 1.3
STEPS TO REPRODUCE
Execute the following task:

```yaml
vyos.vyos.vyos_firewall_rules:
  state: merged
  config:
    - afi: ipv6
      rule_sets:
        - name: WAN-ROUTER6
          default_action: drop
          rules:
            - number: 20
              action: accept
              description: Allow ICMP
              limit:
                burst: 1
                rate:
                  number: 10
                  unit: second
              protocol: icmpv6
```

EXPECTED RESULTS
I expect either the firewall rule to be created as described or for nothing to happen if it already exists
```
set firewall ipv6-name WAN-ROUTER6 rule 20 action 'accept'
set firewall ipv6-name WAN-ROUTER6 rule 20 description 'Allow ICMP'
set firewall ipv6-name WAN-ROUTER6 rule 20 limit burst '1'
set firewall ipv6-name WAN-ROUTER6 rule 20 limit rate '10/second'
set firewall ipv6-name WAN-ROUTER6 rule 20 protocol 'icmpv6'
```
ACTUAL RESULTS
If executed on a target that already has a matching rule, the module runs the following command again even though nothing has changed:

```
set firewall ipv6-name WAN-ROUTER6 rule 20 limit rate 10/second
```
If executed on a target with a matching rule that has no limit section at all, running the playbook fails with:

```
MSG: MODULE FAILURE
See stdout/stderr for the exact error
MODULE_STDERR: 'limit'
```
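To illustrate what correct handling of this option looks like, here is an added example (not code from the vyos.vyos collection) that parses `limit burst` and `limit rate` back out of `set firewall ...` lines into the module's `{number, unit}` structure and then computes only the commands actually needed. The running-config sample is constructed, and `parse_limit` / `limit_commands` are hypothetical helper names; the second rule deliberately has no limit section, the case that produced the `'limit'` KeyError above.

```python
import re

# Constructed sample of the running configuration the module compares against.
# Rule 20 has a limit section; rule 30 has none (the failing case in the report).
RUNNING_CONFIG = """\
set firewall ipv6-name WAN-ROUTER6 rule 20 action 'accept'
set firewall ipv6-name WAN-ROUTER6 rule 20 description 'Allow ICMP'
set firewall ipv6-name WAN-ROUTER6 rule 20 limit burst '1'
set firewall ipv6-name WAN-ROUTER6 rule 20 limit rate '10/second'
set firewall ipv6-name WAN-ROUTER6 rule 20 protocol 'icmpv6'
set firewall ipv6-name WAN-ROUTER6 rule 30 action 'accept'
set firewall ipv6-name WAN-ROUTER6 rule 30 protocol 'icmpv6'
"""

# VyOS prints rate as '<number>/<unit>'; quotes may or may not be present.
RATE_RE = re.compile(r"limit rate '?(\d+)/(\w+)'?$")
BURST_RE = re.compile(r"limit burst '?(\d+)'?$")


def parse_limit(config, name, number):
    """Return {'burst': int, 'rate': {'number': int, 'unit': str}} for one rule,
    or None when the rule has no limit section at all (hypothetical helper)."""
    prefix = f"set firewall ipv6-name {name} rule {number} "
    limit = {}
    for line in config.splitlines():
        if not line.startswith(prefix):
            continue
        m = RATE_RE.search(line)
        if m:
            limit["rate"] = {"number": int(m.group(1)), "unit": m.group(2)}
            continue
        m = BURST_RE.search(line)
        if m:
            limit["burst"] = int(m.group(1))
    return limit or None


def limit_commands(want, have, name, number):
    """Commands needed to make `have` match `want`; an empty list means idempotent."""
    have = have or {}  # a missing section must not raise KeyError('limit')
    base = f"set firewall ipv6-name {name} rule {number} limit"
    cmds = []
    if want.get("burst") is not None and want["burst"] != have.get("burst"):
        cmds.append(f"{base} burst '{want['burst']}'")
    rate = want.get("rate")
    if rate and rate != have.get("rate"):
        cmds.append(f"{base} rate '{rate['number']}/{rate['unit']}'")
    return cmds
```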