Can’t seem to get firewall rules made using this module on vyos version 1.4.1 or 1.5-rolling
Ansible Version
```
➜ ansible --version
ansible [core 2.17.6]
  config file = /home/oli/git-personal/vyos/home-lab/ansible.cfg
  configured module search path = ['/home/oli/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /nix/store/68q8gz6ayd8z9ywi4109w02dd35smwc0-python3.12-ansible-core-2.17.6/lib/python3.12/site-packages/ansible
  ansible collection location = /home/oli/.ansible/collections:/usr/share/ansible/collections
  executable location = /nix/store/68q8gz6ayd8z9ywi4109w02dd35smwc0-python3.12-ansible-core-2.17.6/bin/ansible
  python version = 3.12.8 (main, Dec 3 2024, 18:42:41) [GCC 13.3.0] (/nix/store/kjgslpdqchx1sm7a5h9xibi5rrqcqfnl-python3-3.12.8/bin/python3.12)
  jinja version = 3.1.5
  libyaml = True

➜ ansible-galaxy collection list
# /home/oli/.ansible/collections/ansible_collections
Collection                               Version
---------------------------------------- -------
ansible.netcommon                        7.1.0
ansible.posix                            2.0.0
ansible.utils                            4.1.0
community.crypto                         2.22.3
community.docker                         4.1.0
community.general                        10.1.0
community.library_inventory_filtering_v1 1.0.0
community.libvirt                        1.3.0
community.mysql                          1.5.1
containers.podman                        1.16.2
freeipa.ansible_freeipa                  1.13.1
gluster.gluster                          1.0.2
kubernetes.core                          4.0.0
openstack.cloud                          2.2.0
openstack.kolla                          1.0.0
vyos.vyos                                5.0.0
```
vars.yml
```yaml
inbound_firewall:
  - name: VM-ACCESS
    ip-version: 4
    default_action: drop
    description: Allow access Network
    log: true
    rules:
      - number: 13370
        description: allow in to ip
        protocol: udp
        destination:
          address: 192.168.1.1
          group:
            port_group: WEBSERVER
        action: accept
        disable: true
        log: enable
```
playbook.yml
```yaml
- name: Merge the provided configuration with the existing running configuration
  vyos.vyos.vyos_firewall_rules:
    config:
      - afi: ipv4
        rule_sets:
          - name: "{{ item.name }}"
            description: "{{ item.description }}"
            default_action: "{{ item.default_action }}"
            rules: "{{ item.rules }}"
    state: merged
  loop: "{{ inbound_firewall }}"
```
Error:
"module_stderr": "set firewall name VM-ACCESS description 'Allow access Network\r\n\r\n Configuration path: firewall [name] is not valid\r\n Set failed\r\n\r\n[edit]\r\r\noli@firewall# ",
It's like it's not finding its version 1.4+ and adding in the set firewall ipv4 syntax from the module
https://docs.ansible.com/ansible/latest/collections/vyos/vyos/vyos_firewall_rules_module.html
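The error above shows the pre-1.4 `set firewall name ...` path being rejected by the device. As an added example (not part of the original post and not code from the vyos.vyos collection), this pre-flight check scans a list of generated commands and flags legacy firewall paths before they are pushed to a 1.4+ device. The function names and sample commands are constructed for illustration, and only the path prefix is mapped, not any option-level syntax changes.

```python
import shlex

# Pre-1.4 firewall path heads and the 1.4+ path segments that replace them.
# Only the prefix is mapped here; option-level differences are out of scope.
LEGACY_HEADS = {
    "name": ["ipv4", "name"],
    "ipv6-name": ["ipv6", "name"],
}


def check_command(cmd):
    """Return the suggested 1.4+ path prefix for a legacy firewall command,
    or None when the command does not use a legacy firewall path."""
    tokens = shlex.split(cmd)  # handles quoted values such as descriptions
    if len(tokens) < 4 or tokens[0] not in ("set", "delete"):
        return None
    if tokens[1] != "firewall" or tokens[2] not in LEGACY_HEADS:
        return None
    return " ".join([tokens[0], "firewall", *LEGACY_HEADS[tokens[2]], tokens[3]])


def preflight(commands):
    """Return (command, suggested_prefix) pairs for every legacy-path command."""
    findings = []
    for cmd in commands:
        suggestion = check_command(cmd)
        if suggestion is not None:
            findings.append((cmd, suggestion))
    return findings


# Constructed sample: a mix of legacy and 1.4+ style commands.
SAMPLE_COMMANDS = [
    "set firewall name VM-ACCESS description 'Allow access Network'",
    "set firewall name VM-ACCESS default-action 'drop'",
    "set firewall ipv4 name VM-ACCESS rule 13370 action 'accept'",
    "set firewall ipv6-name V6-IN default-action 'drop'",
    "set interfaces ethernet eth0 description 'uplink'",
]

if __name__ == "__main__":
    for cmd, suggestion in preflight(SAMPLE_COMMANDS):
        print(f"legacy path: {cmd}\n  1.4+ prefix: {suggestion} ...")
```

Failing the play when `preflight` returns any finding keeps a half-applied rule set from being mistaken for an enforced one.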