Firewall rate limit is improperly handled #336

Open
Chippit opened this issue Oct 27, 2023 · 0 comments

Comments


Chippit commented Oct 27, 2023

SUMMARY

Firewall rate limit is improperly handled. While a correct configuration command is produced, it is not properly parsed from the current configuration and therefore not properly idempotent.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

vyos.vyos.vyos_firewall_rules

ANSIBLE VERSION
ansible [core 2.15.4]
  config file = <redacted_path>/ansible.cfg
  configured module search path = ['<redacted_path>/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = <redacted_path>/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.11.5 (main, Sep  2 2023, 14:16:33) [GCC 13.2.1 20230801] (/usr/bin/python)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
vyos.vyos                     4.1.0
CONFIGURATION
ANSIBLE_PIPELINING() = True
CONFIG_FILE() = <redacted_path>/ansible.cfg
DEFAULT_HOST_LIST() = ['<redacted_path>/inventory/hosts.yml']
DEFAULT_JINJA2_NATIVE() = True
DEFAULT_LOAD_CALLBACK_PLUGINS() = True
DEFAULT_STDOUT_CALLBACK() = debug
DEFAULT_VAULT_PASSWORD_FILE() = <redacted>
OS / ENVIRONMENT

VyOS 1.3

STEPS TO REPRODUCE

Execute the following configuration rule:

vyos.vyos.vyos_firewall_rules:
  state: merged
  config:
    - afi: ipv6
      rule_sets:
        - name: WAN-ROUTER6
          default_action: drop
          rules:
            - number: 20
              action: accept
              description: Allow ICMP
              limit:
                burst: 1
                rate:
                  number: 10
                  unit: second
              protocol: icmpv6
EXPECTED RESULTS

I expect either the firewall rule to be created as described, or for nothing to happen if it already exists.

set firewall ipv6-name WAN-ROUTER6 rule 20 action 'accept'
set firewall ipv6-name WAN-ROUTER6 rule 20 description 'Allow ICMP'
set firewall ipv6-name WAN-ROUTER6 rule 20 limit burst '1'
set firewall ipv6-name WAN-ROUTER6 rule 20 limit rate '10/second'
set firewall ipv6-name WAN-ROUTER6 rule 20 protocol 'icmpv6'
ACTUAL RESULTS

If executed on a target that already has a matching rule, this will perform the following command redundantly:

set firewall ipv6-name WAN-ROUTER6 rule 20 limit rate 10/second

If executed on a target with a matching rule that does not have a limit section at all, executing the playbook throws an error:

MSG:

MODULE FAILURE
See stdout/stderr for the exact error


MODULE_STDERR:

'limit'
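The two failure modes above (a redundant `limit rate` command on every run, and a `KeyError: 'limit'` when the existing rule has no limit section) both come from the "have" side: the running configuration has to be parsed into the same nested `limit: {burst, rate: {number, unit}}` shape as the playbook's `want`, and every lookup into it has to tolerate a missing `limit` key. The following is an added, stand-alone illustration of that parse-and-diff step; it is not code from the vyos.vyos collection or from the issue author. The `show configuration commands` sample is constructed for the example, and the regex, the `parse_rules`/`rule_commands`/`plan` names and the `afi` parameter are assumptions of this example only.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `show configuration commands` output from a VyOS 1.3
# target that already carries the rule from the issue (not captured from a real box).
HAVE_WITH_LIMIT = """\
set firewall ipv6-name WAN-ROUTER6 default-action 'drop'
set firewall ipv6-name WAN-ROUTER6 rule 20 action 'accept'
set firewall ipv6-name WAN-ROUTER6 rule 20 description 'Allow ICMP'
set firewall ipv6-name WAN-ROUTER6 rule 20 limit burst '1'
set firewall ipv6-name WAN-ROUTER6 rule 20 limit rate '10/second'
set firewall ipv6-name WAN-ROUTER6 rule 20 protocol 'icmpv6'
"""

# Same rule with no limit section at all (the second failure case in the issue).
HAVE_NO_LIMIT = "\n".join(
    line for line in HAVE_WITH_LIMIT.splitlines() if " limit " not in line
) + "\n"

# Desired state, mirroring the issue's `rules:` entry.
WANT = {
    "number": 20,
    "action": "accept",
    "description": "Allow ICMP",
    "limit": {"burst": 1, "rate": {"number": 10, "unit": "second"}},
    "protocol": "icmpv6",
}

# Hypothetical line grammar: `set firewall <name|ipv6-name> SET rule N PATH 'VALUE'`.
RULE_RE = re.compile(
    r"^set firewall (?P<afi>name|ipv6-name) (?P<set>\S+) rule (?P<num>\d+) "
    r"(?P<path>.+?) '?(?P<value>[^']*)'?$"
)


def parse_rules(config: str) -> Dict[str, Dict[int, dict]]:
    """Parse `set firewall ... rule N ...` lines into {set_name: {number: rule}}.

    `limit burst` and `limit rate` are folded into the nested structure the
    module's argspec uses, so `have` can be compared field-by-field with `want`.
    """
    rules: Dict[str, Dict[int, dict]] = {}
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        num = int(m["num"])
        rule = rules.setdefault(m["set"], {}).setdefault(num, {"number": num})
        path, value = m["path"].split(), m["value"]
        if path[0] == "limit":
            limit = rule.setdefault("limit", {})
            if path[1] == "burst":
                limit["burst"] = int(value)
            elif path[1] == "rate":
                count, unit = value.split("/", 1)
                limit["rate"] = {"number": int(count), "unit": unit}
        else:
            rule[" ".join(path)] = value
    return rules


def rule_commands(afi: str, name: str, want: dict, have: Optional[dict]) -> List[str]:
    """Return only the `set` commands needed to move `have` to `want`.

    `have` may be None (rule absent) or lack a `limit` key entirely; every
    lookup goes through .get(), so neither case raises KeyError: 'limit'.
    """
    kw = "ipv6-name" if afi == "ipv6" else "name"
    base = f"set firewall {kw} {name} rule {want['number']}"
    have = have or {}
    cmds: List[str] = []
    for key in ("action", "description", "limit", "protocol"):
        if key not in want:
            continue
        if key != "limit":
            if want[key] != have.get(key):
                cmds.append(f"{base} {key} '{want[key]}'")
            continue
        want_limit, have_limit = want["limit"], have.get("limit") or {}
        if "burst" in want_limit and want_limit["burst"] != have_limit.get("burst"):
            cmds.append(f"{base} limit burst '{want_limit['burst']}'")
        rate = want_limit.get("rate")
        if rate and rate != have_limit.get("rate"):
            cmds.append(f"{base} limit rate '{rate['number']}/{rate['unit']}'")
    return cmds


def plan(config: str, afi: str, name: str, want: dict) -> List[str]:
    """Parse the running config and emit the idempotent command list for one rule."""
    have = parse_rules(config).get(name, {}).get(want["number"])
    return rule_commands(afi, name, want, have)


if __name__ == "__main__":
    for label, cfg in (("matching rule", HAVE_WITH_LIMIT), ("no limit", HAVE_NO_LIMIT), ("absent", "")):
        print(f"== {label} ==")
        for cmd in plan(cfg, "ipv6", "WAN-ROUTER6", WANT):
            print(cmd)
```

Run against the first sample the plan is empty (nothing to push, so the task reports `changed=false`); against the second it emits exactly the two `limit` commands; against an empty config it emits all five `set` lines from the EXPECTED RESULTS section. The point of the exercise is that the `rate` value has to be split into `number` and `unit` on the way in and re-joined as `N/unit` on the way out, and that the comparison is done on the parsed structure rather than on raw strings.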