
vyos_facts confused about value of firewall rule log attribute. #342

Open
np422 opened this issue May 31, 2024 · 1 comment
Labels
1.3 Compatibility with 1.3 versions firewall_rules firewall_rules module

Comments

@np422

np422 commented May 31, 2024

SUMMARY

vyos_facts slightly confused about the value of log in firewall rule

ISSUE TYPE
  • Bug Report
COMPONENT NAME

vyos_facts

ANSIBLE VERSION
ansible [core 2.16.5]
  config file = /home/ops/ansible/ansible.cfg
  configured module search path = ['/home/ops/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ops/ansible/venv/lib/python3.10/site-packages/ansible
  ansible collection location = /home/ops/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ops/ansible/venv/bin/ansible
  python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/home/ops/ansible/venv/bin/python3)
  jinja version = 3.1.3
  libyaml = True

COLLECTION VERSION
ansible-galaxy collection list vyos.vyos

# /home/ops/.ansible/collections/ansible_collections
Collection Version
---------- -------
vyos.vyos  4.1.0  

# /home/ops/ansible/venv/lib/python3.10/site-packages/ansible_collections
Collection Version
---------- -------
vyos.vyos  4.1.0  

CONFIGURATION
ANSIBLE_NOCOWS(/home/ops/ansible/ansible.cfg) = True
CONFIG_FILE() = /home/ops/ansible/ansible.cfg
DEFAULT_FILTER_PLUGIN_PATH(/home/ops/ansible/ansible.cfg) = ['/home/ops/ansible/plugins/filter']
DEFAULT_FORKS(/home/ops/ansible/ansible.cfg) = 20
DEFAULT_ROLES_PATH(/home/ops/ansible/ansible.cfg) = ['/home/ops/ansible/roles.galaxy', '/home/ops/ansible/roles']
DEFAULT_VAULT_PASSWORD_FILE(env: ANSIBLE_VAULT_PASSWORD_FILE) = /home/ops/.seconvault
DEPRECATION_WARNINGS(/home/ops/ansible/ansible.cfg) = False
RETRY_FILES_ENABLED(/home/ops/ansible/ansible.cfg) = False

OS / ENVIRONMENT

Host running ansible ubuntu 22.04, vyos target 1.3.2

STEPS TO REPRODUCE

Use the vyos_facts module.

- name: Firwall configuration, rules and aliases only
  hosts:
    - XXXX-fw-01
  gather_facts: false
  tasks:
    - name: Get running config from remote firewall
      vyos_facts:
        gather_subset: all
        gather_network_resources: all
      register: orig_vyos_config
EXPECTED RESULTS

The running config, not an error message

ACTUAL RESULTS

Result short:

PLAY [Firwall configuration, rules and aliases only] ***********************************************************************************************************************************************************************************************************************************************************

TASK [Get running config from remote firewall] *****************************************************************************************************************************************************************************************************************************************************************
fatal: [XXX-fw-01]: FAILED! => {"changed": false, "msg": "value of log must be one of: enable, disable, got: TCP found in config -> rule_sets -> rules"}

Verbose output:

ansible-playbook [core 2.16.5]
  config file = /home/ops/ansible/ansible.cfg
  configured module search path = ['/home/ops/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ops/ansible/venv/lib/python3.10/site-packages/ansible
  ansible collection location = /home/ops/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ops/ansible/venv/bin/ansible-playbook
  python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/home/ops/ansible/venv/bin/python3)
  jinja version = 3.1.3
  libyaml = True
Using /home/ops/ansible/ansible.cfg as config file
Reading vault password file: /home/ops/.seconvault
setting up inventory plugins
Loading collection ansible.builtin from 
host_list declined parsing /home/ops/ansible/inventories/vyos/inventory as it did not pass its verify_file() method
script declined parsing /home/ops/ansible/inventories/vyos/inventory as it did not pass its verify_file() method
auto declined parsing /home/ops/ansible/inventories/vyos/inventory as it did not pass its verify_file() method
Parsed /home/ops/ansible/inventories/vyos/inventory inventory source with ini plugin
redirecting (type: modules) ansible.builtin.vyos_facts to vyos.vyos.vyos_facts
Loading collection vyos.vyos from /home/ops/.ansible/collections/ansible_collections/vyos/vyos
Loading callback plugin default of type stdout, v2.0 from /home/ops/ansible/venv/lib/python3.10/site-packages/ansible/plugins/callback/default.py
Attempting to use 'default' callback.
Skipping callback 'default', as we already have a stdout callback.
Attempting to use 'junit' callback.
Attempting to use 'minimal' callback.
Skipping callback 'minimal', as we already have a stdout callback.
Attempting to use 'oneline' callback.
Skipping callback 'oneline', as we already have a stdout callback.
Attempting to use 'tree' callback.

PLAYBOOK: site.yml *************************************************************
Positional arguments: playbooks/vyos/site.yml
verbosity: 7
connection: ssh
become_method: sudo
tags: ('all',)
inventory: ('/home/ops/ansible/inventories/vyos/inventory',)
subset: XXX-fw-01
forks: 20
1 plays in playbooks/vyos/site.yml

PLAY [Firwall configuration, rules and aliases only] ***************************

TASK [Get running config from remote firewall] *********************************
task path: /home/ops/ansible/playbooks/vyos/site.yml:11
redirecting (type: connection) ansible.builtin.network_cli to ansible.netcommon.network_cli
Loading collection ansible.netcommon from /home/ops/.ansible/collections/ansible_collections/ansible/netcommon
Loading collection ansible.utils from /home/ops/.ansible/collections/ansible_collections/ansible/utils
redirecting (type: terminal) ansible.builtin.vyos to vyos.vyos.vyos
redirecting (type: cliconf) ansible.builtin.vyos to vyos.vyos.vyos
redirecting (type: modules) ansible.builtin.vyos_facts to vyos.vyos.vyos_facts
redirecting (type: action) ansible.builtin.vyos to vyos.vyos.vyos
<172.16.21.71> Using network group action vyos for vyos_facts
redirecting (type: action) ansible.builtin.vyos to vyos.vyos.vyos
<172.16.21.71> attempting to start connection
<172.16.21.71> using connection plugin ansible.netcommon.network_cli
Found ansible-connection at path /home/ops/ansible/venv/bin/ansible-connection
<172.16.21.71> local domain socket does not exist, starting it
<172.16.21.71> control socket path is /home/ops/.ansible/pc/8eabc378a2
<172.16.21.71> Loading collection ansible.builtin from 
<172.16.21.71> redirecting (type: connection) ansible.builtin.network_cli to ansible.netcommon.network_cli
<172.16.21.71> Loading collection ansible.netcommon from /home/ops/.ansible/collections/ansible_collections/ansible/netcommon
<172.16.21.71> Loading collection ansible.utils from /home/ops/.ansible/collections/ansible_collections/ansible/utils
<172.16.21.71> redirecting (type: terminal) ansible.builtin.vyos to vyos.vyos.vyos
<172.16.21.71> Loading collection vyos.vyos from /home/ops/.ansible/collections/ansible_collections/vyos/vyos
<172.16.21.71> redirecting (type: cliconf) ansible.builtin.vyos to vyos.vyos.vyos
<172.16.21.71> local domain socket listeners started successfully
<172.16.21.71> loaded cliconf plugin ansible_collections.vyos.vyos.plugins.cliconf.vyos from path /home/ops/.ansible/collections/ansible_collections/vyos/vyos/plugins/cliconf/vyos.py for network_os vyos
<172.16.21.71> ssh type is set to auto
<172.16.21.71> autodetecting ssh_type
<172.16.21.71> ssh type is now set to libssh
<172.16.21.71> Loading collection ansible.builtin from 
<172.16.21.71> local domain socket path is /home/ops/.ansible/pc/8eabc378a2
redirecting (type: action) ansible.builtin.vyos to vyos.vyos.vyos
<172.16.21.71> ANSIBLE_NETWORK_IMPORT_MODULES: enabled
redirecting (type: modules) ansible.builtin.vyos_facts to vyos.vyos.vyos_facts
<172.16.21.71> ANSIBLE_NETWORK_IMPORT_MODULES: found vyos_facts  at /home/ops/.ansible/collections/ansible_collections/vyos/vyos/plugins/modules/vyos_facts.py
<172.16.21.71> ANSIBLE_NETWORK_IMPORT_MODULES: running vyos_facts
<172.16.21.71> ANSIBLE_NETWORK_IMPORT_MODULES: complete
<172.16.21.71> ANSIBLE_NETWORK_IMPORT_MODULES:
<172.16.21.71> ANSIBLE_NETWORK_IMPORT_MODULES: Result: {'failed': True, 'msg': 'value of log must be one of: enable, disable, got: TCP found in config -> rule_sets -> rules', 'invocation': {'module_args': {'config': [{'afi': 'ipv4', 'rule_sets': [{'default_action': 'reject', 'enable_default_log': True, 'rules': [{'action': 'accept', 'description': 'no remove', 'state': {'related': True, 'established': True, 'invalid': None, 'new': None}, 'number': 10, 'destination': None, 'disable': None, 'fragment': None, 'icmp': None, 'ipsec': None, 'limit': None, 'log': None, 'p2p': None, 'protocol': None, 'recent': None, 'source': None, 'tcp': None, 'time': None}, {'log': 'enable', 'action': 'accept', 'protocol': 'tcp', 'description': 'ANSIBLE: EX001_Secon_ad_tcp - Internal access to ad', 'state': {'new': True, 'established': None, 'invalid': None, 'related': None}, 'destination': {'group': {'port_group': 'AD_tcp', 'address_group': 'com-ad-w01', 'network_group': None}, 'address': None, 'port': None}, 'number': 1030, 'disable': None, 'fragment': None, 'icmp': None, 'ipsec': None, 'limit': None, 'p2p': None, 'recent': None, 'source': None, 'tcp': None, 'time': None}, {'log': 'enable', 'action': 'accept', 'protocol': 'udp', 'description': 'ANSIBLE: EX001_Secon_ad_udp - Internal access to ad', 'state': {'new': True, 'established': None, 'invalid': None, 'related': None}, 'destination': {'group': {'port_group': 'AD_udp', 'address_group': 'com-ad-w01', 'network_group': None}, 'address': None, 'port': None}, 'number': 1040, 'disable': None, 'fragment': None, 'icmp': None, 'ipsec': None, 'limit': None, 'p2p': None, 'recent': None, 'source': None, 'tcp': None, 'time': None}, {'log': 'enable', 'action': 'accept', 'protocol': 'tcp', 'description': 'ANSIBLE: EX002_wsus - This rule is for all wsus updates', 'state': {'new': True, 'established': None, 'invalid': None, 'related': None}, 'destination': {'group': {'port_group': 'WSUS', 'address_group': 'com-wsus-w01', 'network_group': None}, 
'address': None, 'port': None}, 'number': 1050, 'disable': None, 'fragment': None, 'icmp': None, 'ipsec': None, 'limit': None, 'p2p': None, 'recent': None, 'source': None, 'tcp': None, 'time': None}, {'log': 'enable', 'action': 'accept', 'protocol': 'udp', 'description': 'ANSIBLE: EX004_icinga_ntp_check - Allow all windows hosts to check the time against edge-fw-01', 'state': {'new': True, 'established': None, 'invalid': None, 'related': None}, 'destination': {'group': {'port_group': 'NTP', 'address_group': 'edge-fw-01', 'network_group': None}, 'address': None, 'port': None}, 'number': 1160, 'disable': None, 'fragment': None, 'icmp': None, 'ipsec': None, 'limit': None, 'p2p': None, 'recent': None, 'source': None, 'tcp': None, 'time': None}, {'log': 'TCP', 'action': 'accept', 'protocol': 'tcp', 'description': 'ANSIBLE: EX005_graylog_tcp - Destination Graylog TCP', 'state': {'new': True, 'established': None, 'invalid': None, 'related': None}, 'destination': {'gro .....

Example of more clear output found later in the printout, excerpt of the problematic section:

                                {
                                    "action": "accept",
                                    "description": "ANSIBLE: EX005_graylog_tcp - Destination Graylog TCP",
                                    "destination": {
                                        "address": null,
                                        "group": {
                                            "address_group": "com-graylog",
                                            "network_group": null,
                                            "port_group": "EX005_graylog_tcp"
                                        },
                                        "port": null
                                    },
                                    "disable": null,
                                    "fragment": null,
                                    "icmp": null,
                                    "ipsec": null,
                                    "limit": null,
                                    "log": "TCP",
                                    "number": 1170,
                                    "p2p": null,
                                    "protocol": "tcp",
                                    "recent": null,
                                    "source": null,
                                    "state": {
                                        "established": null,
                                        "invalid": null,
                                        "new": true,
                                        "related": null
                                    },
                                    "tcp": null,
                                    "time": null
                                },

The corresponding rule on the firewall as printed by show command in configure mode:

         rule 1170 {
             action accept
             description "ANSIBLE: EX005_graylog_tcp - Destination Graylog TCP"
             destination {
                 group {
                     address-group com-graylog
                     port-group EX005_graylog_tcp
                 }
             }
             log enable
             protocol tcp
             state {
                 new enable
             }
         }

The firewall does not have the value of the log parameter set to TCP; somehow the vyos_facts module seems to be a little confused about this.

I will provide any extra information requested.

We just upgraded the ansible version; the vyos_module has worked flawlessly for many years before.

@gaige

gaige commented Jul 28, 2024

@np422 What version were you upgrading from?

Could you use the | commands pipe? The facts are read from the set commands currently.

Also, can you show the rules from ANSIBLE: EX004_icinga_ntp_check as well? That appears to have the log appropriately set to enabled.

@gaige gaige added 1.3 Compatibility with 1.3 versions firewall_rules firewall_rules module labels Jul 28, 2024
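One plausible way a facts parser ends up with log: TCP for rule 1170, shown as an added illustration that is not code from the vyos.vyos collection or from either participant: the rule's description contains the words "Graylog TCP", and a parser that searches the rule's set commands for free-text "log <word>" picks up that match before the real log leaf, whereas matching the whole command cannot be fooled. The set-command lines and the rule set name LAN-IN are constructed, and whether this is the actual defect in vyos.vyos 4.1.0 is an assumption the thread does not confirm.

```python
import re

# Constructed "show configuration commands" output for the rule quoted in the
# issue (1170) plus one rule without a log leaf. LAN-IN is an assumed name.
SET_COMMANDS = """\
set firewall name LAN-IN rule 1170 action 'accept'
set firewall name LAN-IN rule 1170 description 'ANSIBLE: EX005_graylog_tcp - Destination Graylog TCP'
set firewall name LAN-IN rule 1170 destination group address-group 'com-graylog'
set firewall name LAN-IN rule 1170 destination group port-group 'EX005_graylog_tcp'
set firewall name LAN-IN rule 1170 log 'enable'
set firewall name LAN-IN rule 1170 protocol 'tcp'
set firewall name LAN-IN rule 1170 state new 'enable'
set firewall name LAN-IN rule 1180 action 'accept'
set firewall name LAN-IN rule 1180 description 'no log keyword here'
"""

ALLOWED_LOG = ("enable", "disable")

# Anchored match on the complete command: only the real "log" leaf fits.
LOG_LEAF = re.compile(
    r"^set firewall name (?P<name>\S+) rule (?P<num>\d+) log '?(?P<value>[^']+)'?$"
)


def rule_lines(config, rule_number):
    """Return only the set commands that belong to one rule number."""
    prefix = re.compile(r"^set firewall name \S+ rule %d " % rule_number)
    return [ln for ln in config.splitlines() if prefix.match(ln)]


def naive_log_value(config, rule_number):
    """Free-text search for 'log <word>' across the rule's commands.
    The description line precedes the log line, so for rule 1170 the first
    hit is the TCP in 'Graylog TCP', not the value of the log leaf."""
    text = "\n".join(rule_lines(config, rule_number))
    m = re.search(r"log\s+'?([A-Za-z]+)", text)
    return m.group(1) if m else None


def strict_log_value(config, rule_number):
    """Match the whole command, so 'log' inside a quoted description is ignored."""
    for ln in rule_lines(config, rule_number):
        m = LOG_LEAF.match(ln)
        if m:
            return m.group("value")
    return None


def validate_log(value):
    """The same check the module reports in the issue: accept only enable/disable."""
    if value is not None and value not in ALLOWED_LOG:
        raise ValueError("value of log must be one of: %s, got: %s"
                         % (", ".join(ALLOWED_LOG), value))
    return value
```

Running both parsers over the constructed input reproduces the shape of the reported failure: the free-text search yields "TCP" for rule 1170 (and "keyword" for rule 1180, which has no log leaf at all), while the anchored match yields "enable" and None respectively.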