Firewall groups with same name as a zone gets confused by Ansible
Closed, ResolvedPublicBUG
Actions

Assigned To

Authored By

	RubenNL
	Sep 23 2025, 10:24 AM

Description

Start with

set firewall group address-group test address '1.2.3.4'
set firewall zone test description 'test description'
set firewall zone test interface 'eth0.1234'

then execute:

yaml
- name: test script
  vyos.vyos.vyos_firewall_global:
    config:
      group:
        address_group:
          - name: test
            members:
              - address: 1.2.3.4
    state: replaced

We should expect that nothing changes, but ansible still marks the task as "changed".

While debugging, I found that it tries to delete the (non existing) description of the address_group. This is caused by a broken regex.

PR: https://github.com/vyos/vyos.vyos/pull/436

Details

Version: vyos.vyos 6.0.0, vyos 1.4.2
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

RubenNL created this task.Sep 23 2025, 10:24 AM

RubenNL changed the task status from Open to In progress.Sep 23 2025, 10:34 AM

RubenNL claimed this task.

RubenNL updated the task description. (Show Details)

pasik subscribed.Sep 23 2025, 12:04 PM

dmbaturin triaged this task as Normal priority.Sep 29 2025, 1:51 PM

dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.

evgmol closed this task as Resolved.Sun, Nov 30, 7:11 PM

Firewall groups with same name as a zone gets confused by AnsibleClosed, ResolvedPublicBUGActions

Description

Details

Event Timeline

Firewall groups with same name as a zone gets confused by Ansible
Closed, ResolvedPublicBUG
Actions