vyos.vyos.vyos_firewall_rules module – Firewall rules resource module
Note
This module is part of the vyos.vyos collection (version 5.0.0).
If you are using the ansible package, you may already have this collection installed. It is not included in ansible-core. To check whether it is installed, run `ansible-galaxy collection list`.
To install it, use: `ansible-galaxy collection install vyos.vyos`.
To use it in a playbook, specify: `vyos.vyos.vyos_firewall_rules`.
New in vyos.vyos 1.0.0
Synopsis
This module manages firewall rule-set attributes on VyOS devices.
Parameters

Parameter | Comments
---|---
`config` | A list of dictionaries of firewall rule-set options.
`config.afi` (required) | Specifies the type of rule-set. Choices: `ipv4`, `ipv6`.
`config.rule_sets` | The firewall rule-set list.
`config.rule_sets.default_action` | Default action for the rule-set. Choices: `drop` (drop if no prior rules are hit; the default), `reject` (drop and notify the source if no prior rules are hit), `accept` (accept if no prior rules are hit).
`config.rule_sets.description` | Rule-set description.
`config.rule_sets.enable_default_log` | Option to log packets hitting the default action. Choices: `false`, `true`.
`config.rule_sets.name` | Firewall rule-set name.
`config.rule_sets.rules` | A list of dictionaries that specifies the rule-set configuration.
`config.rule_sets.rules.action` | Specifies the action. Choices: `drop`, `reject`, `accept`, `inspect`.
`config.rule_sets.rules.description` | Description of this rule.
`config.rule_sets.rules.destination` | Specifies the destination parameters.
`config.rule_sets.rules.destination.address` | Destination IP address, subnet or range. `<x.x.x.x>` IPv4/6 address, subnet or range to match; `<!x.x.x.x>` match everything except the specified address, subnet or range.
`config.rule_sets.rules.destination.group` | Destination group.
`config.rule_sets.rules.destination.group.address_group` | Address group.
`config.rule_sets.rules.destination.group.network_group` | Network group.
`config.rule_sets.rules.destination.group.port_group` | Port group.
`config.rule_sets.rules.destination.port` | Multiple destination ports can be specified as a comma-separated list. The whole list can also be negated using `!`. For example: `'!22,telnet,http,123,1001-1005'`.
`config.rule_sets.rules.disable` | Option to disable the firewall rule. Choices: `false`, `true`.
`config.rule_sets.rules.fragment` | IP fragment match. Choices: `match-frag`, `match-non-frag`.
`config.rule_sets.rules.icmp` | ICMP type and code information.
`config.rule_sets.rules.icmp.code` | ICMP code.
`config.rule_sets.rules.icmp.type` | ICMP type.
`config.rule_sets.rules.icmp.type_name` | ICMP type name. Choices: the ICMP type names VyOS accepts (for example `echo-request`).
`config.rule_sets.rules.ipsec` | Inbound IPsec packets. Choices: `match-ipsec`, `match-none`.
`config.rule_sets.rules.limit` | Rate limit using a token bucket filter.
`config.rule_sets.rules.limit.burst` | Maximum number of packets to allow in excess of the rate.
`config.rule_sets.rules.limit.rate` | Format for the rate (integer/time unit). Any one of `second`, `minute`, `hour` or `day` may be used to specify the time unit. For example, `1/second` means the rule matches on average once per second.
`config.rule_sets.rules.limit.rate.number` | The integer value.
`config.rule_sets.rules.limit.rate.unit` | The time unit.
`config.rule_sets.rules.log` | Option to log packets matching the rule. Choices: `disable`, `enable`.
`config.rule_sets.rules.number` (required) | Rule number.
`config.rule_sets.rules.p2p` | P2P application packets.
`config.rule_sets.rules.p2p.application` | Name of the application. Choices: `all`, `applejuice`, `bittorrent`, `directconnect`, `edonkey`, `gnutella`, `kazaa`.
`config.rule_sets.rules.protocol` | Protocol to match (protocol name in /etc/protocols, protocol number, or `all`). `<text>` IP protocol name from /etc/protocols (for example `tcp` or `udp`); `<0-255>` IP protocol number; `tcp_udp` both TCP and UDP; `all` all IP protocols; `!<name or number>` all IP protocols except the specified name or number.
`config.rule_sets.rules.recent` | Parameters for matching recently seen sources.
`config.rule_sets.rules.recent.count` | Source addresses seen more than N times.
`config.rule_sets.rules.recent.time` | Source addresses seen in the last N seconds.
`config.rule_sets.rules.source` | Source parameters.
`config.rule_sets.rules.source.address` | Source IP address, subnet or range. `<x.x.x.x>` IPv4/6 address, subnet or range to match; `<!x.x.x.x>` match everything except the specified address, subnet or range.
`config.rule_sets.rules.source.group` | Source group.
`config.rule_sets.rules.source.group.address_group` | Address group.
`config.rule_sets.rules.source.group.network_group` | Network group.
`config.rule_sets.rules.source.group.port_group` | Port group.
`config.rule_sets.rules.source.mac_address` | `<MAC address>` MAC address to match; `<!MAC address>` match everything except the specified MAC address.
`config.rule_sets.rules.source.port` | Multiple source ports can be specified as a comma-separated list. The whole list can also be negated using `!`. For example: `'!22,telnet,http,123,1001-1005'`.
`config.rule_sets.rules.state` | Session state.
`config.rule_sets.rules.state.established` | Established state. Choices: `false`, `true`.
`config.rule_sets.rules.state.invalid` | Invalid state. Choices: `false`, `true`.
`config.rule_sets.rules.state.new` | New state. Choices: `false`, `true`.
`config.rule_sets.rules.state.related` | Related state. Choices: `false`, `true`.
`config.rule_sets.rules.tcp` | TCP flags to match.
`config.rule_sets.rules.tcp.flags` | TCP flags to match.
`config.rule_sets.rules.time` | Time to match the rule.
`config.rule_sets.rules.time.monthdays` | Monthdays to match the rule on.
`config.rule_sets.rules.time.startdate` | Date to start matching the rule.
`config.rule_sets.rules.time.starttime` | Time of day to start matching the rule.
`config.rule_sets.rules.time.stopdate` | Date to stop matching the rule.
`config.rule_sets.rules.time.stoptime` | Time of day to stop matching the rule.
`config.rule_sets.rules.time.utc` | Interpret times for startdate, stopdate, starttime and stoptime as UTC. Choices: `false`, `true`.
`config.rule_sets.rules.time.weekdays` | Weekdays to match the rule on.
`running_config` | Used only with state `parsed`. The value of this option should be the output received from the VyOS device by executing the command `show configuration commands \| grep firewall`. The `parsed` state reads the configuration from this option instead of from the device and returns the structured result under the `parsed` key.
`state` | The state the configuration should be left in. Choices: `merged` (default), `replaced`, `overridden`, `deleted`, `gathered`, `rendered`, `parsed`.
Notes
Note
- Tested against VyOS 1.1.8 (helium).
- This module works with connection `ansible.netcommon.network_cli`. See the VyOS OS Platform Options.
- `replaced`, `overridden` and `deleted` remove configuration rather than only adding it: the examples below show `replaced` deleting every rule missing from a listed rule-set, `overridden` deleting every rule-set absent from the supplied config (in both address families), and `deleted` with only `afi` pushing a bare `delete firewall name`. Review the `commands` the module reports, for instance from a check-mode run, before applying any of these states to a production firewall.
Examples
# Using deleted to delete firewall rules based on rule-set name
#
# Before state
# -------------
#
# vyos@vyos:~$ show configuration commands| grep firewall
# set firewall group address-group 'inbound'
# set firewall name Downlink default-action 'accept'
# set firewall name Downlink description 'IPv4 INBOUND rule set'
# set firewall name Downlink rule 501 action 'accept'
# set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible'
# set firewall name Downlink rule 501 ipsec 'match-ipsec'
# set firewall name Downlink rule 502 action 'reject'
# set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible'
# set firewall name Downlink rule 502 ipsec 'match-ipsec'
- name: Delete attributes of given firewall rules.
  vyos.vyos.vyos_firewall_rules:
    config:
      - afi: ipv4
        rule_sets:
          - name: Downlink
    state: deleted
#
#
# ------------------------
# Module Execution Results
# ------------------------
#
# "before": [
# {
# "afi": "ipv4",
# "rule_sets": [
# {
# "default_action": "accept",
# "description": "IPv4 INBOUND rule set",
# "name": "Downlink",
# "rules": [
# {
# "action": "accept",
# "description": "Rule 501 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 501
# },
# {
# "action": "reject",
# "description": "Rule 502 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 502
# }
# ]
# }
# ]
# }
# ]
# "commands": [
# "delete firewall name Downlink"
# ]
#
# "after": []
# After state
# ------------
# vyos@vyos# run show configuration commands | grep firewall
# set firewall group address-group 'inbound'
# Using deleted to delete firewall rules based on afi
#
# Before state
# -------------
#
# vyos@vyos:~$ show configuration commands| grep firewall
# set firewall ipv6-name UPLINK default-action 'accept'
# set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'
# set firewall ipv6-name UPLINK rule 1 action 'accept'
# set firewall ipv6-name UPLINK rule 1
# set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'
# set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec'
# set firewall ipv6-name UPLINK rule 2 action 'accept'
# set firewall ipv6-name UPLINK rule 2
# set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'
# set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec'
# set firewall group address-group 'inbound'
# set firewall name Downlink default-action 'accept'
# set firewall name Downlink description 'IPv4 INBOUND rule set'
# set firewall name Downlink rule 501 action 'accept'
# set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible'
# set firewall name Downlink rule 501 ipsec 'match-ipsec'
# set firewall name Downlink rule 502 action 'reject'
# set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible'
# set firewall name Downlink rule 502 ipsec 'match-ipsec'
- name: Delete attributes of given firewall rules.
  vyos.vyos.vyos_firewall_rules:
    config:
      - afi: ipv4
    state: deleted
#
#
# ------------------------
# Module Execution Results
# ------------------------
#
# "before": [
# {
# "afi": "ipv6",
# "rule_sets": [
# {
# "default_action": "accept",
# "description": "This is ipv6 specific rule-set",
# "name": "UPLINK",
# "rules": [
# {
# "action": "accept",
# "description": "Fwipv6-Rule 1 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 1
# },
# {
# "action": "accept",
# "description": "Fwipv6-Rule 2 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 2
# }
# ]
# }
# ]
# },
# {
# "afi": "ipv4",
# "rule_sets": [
# {
# "default_action": "accept",
# "description": "IPv4 INBOUND rule set",
# "name": "Downlink",
# "rules": [
# {
# "action": "accept",
# "description": "Rule 501 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 501
# },
# {
# "action": "reject",
# "description": "Rule 502 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 502
# }
# ]
# }
# ]
# }
# ]
# "commands": [
# "delete firewall name"
# ]
#
# "after": []
# After state
# ------------
# vyos@vyos:~$ show configuration commands| grep firewall
# set firewall ipv6-name UPLINK default-action 'accept'
# set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'
# set firewall ipv6-name UPLINK rule 1 action 'accept'
# set firewall ipv6-name UPLINK rule 1
# set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'
# set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec'
# set firewall ipv6-name UPLINK rule 2 action 'accept'
# set firewall ipv6-name UPLINK rule 2
# set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'
# set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec'
# Using deleted to delete all the firewall rules when the provided config is empty
#
# Before state
# -------------
#
# vyos@vyos:~$ show configuration commands| grep firewall
# set firewall group address-group 'inbound'
# set firewall name Downlink default-action 'accept'
# set firewall name Downlink description 'IPv4 INBOUND rule set'
# set firewall name Downlink rule 501 action 'accept'
# set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible'
# set firewall name Downlink rule 501 ipsec 'match-ipsec'
# set firewall name Downlink rule 502 action 'reject'
# set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible'
# set firewall name Downlink rule 502 ipsec 'match-ipsec'
#
- name: Delete attributes of given firewall rules.
  vyos.vyos.vyos_firewall_rules:
    state: deleted
#
#
# ------------------------
# Module Execution Results
# ------------------------
#
# "before": [
# {
# "afi": "ipv4",
# "rule_sets": [
# {
# "default_action": "accept",
# "description": "IPv4 INBOUND rule set",
# "name": "Downlink",
# "rules": [
# {
# "action": "accept",
# "description": "Rule 501 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 501
# },
# {
# "action": "reject",
# "description": "Rule 502 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 502
# }
# ]
# }
# ]
# }
# ]
# "commands": [
# "delete firewall name"
# ]
#
# "after": []
# After state
# ------------
# vyos@vyos# run show configuration commands | grep firewall
# set firewall group address-group 'inbound'
# Using merged
#
# Before state:
# -------------
#
# vyos@vyos# run show configuration commands | grep firewall
# set firewall group address-group 'inbound'
#
- name: Merge the provided configuration with the existing running configuration
  vyos.vyos.vyos_firewall_rules:
    config:
      - afi: ipv6
        rule_sets:
          - name: UPLINK
            description: This is ipv6 specific rule-set
            default_action: accept
            rules:
              - number: 1
                action: accept
                description: Fwipv6-Rule 1 is configured by Ansible
                ipsec: match-ipsec
              - number: 2
                action: accept
                description: Fwipv6-Rule 2 is configured by Ansible
                ipsec: match-ipsec
      - afi: ipv4
        rule_sets:
          - name: INBOUND
            description: IPv4 INBOUND rule set
            default_action: accept
            rules:
              - number: 101
                action: accept
                description: Rule 101 is configured by Ansible
                ipsec: match-ipsec
              - number: 102
                action: reject
                description: Rule 102 is configured by Ansible
                ipsec: match-ipsec
              - number: 103
                action: accept
                description: Rule 103 is configured by Ansible
                destination:
                  group:
                    address_group: inbound
                source:
                  address: 192.0.2.0
                state:
                  established: true
                  new: false
                  invalid: false
                  related: true
    state: merged
#
#
# -------------------------
# Module Execution Result
# -------------------------
#
# "before": []
#
# "commands": [
# "set firewall ipv6-name UPLINK default-action 'accept'",
# "set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'",
# "set firewall ipv6-name UPLINK rule 1 action 'accept'",
# "set firewall ipv6-name UPLINK rule 1",
# "set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'",
# "set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec'",
# "set firewall ipv6-name UPLINK rule 2 action 'accept'",
# "set firewall ipv6-name UPLINK rule 2",
# "set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'",
# "set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec'",
# "set firewall name INBOUND default-action 'accept'",
# "set firewall name INBOUND description 'IPv4 INBOUND rule set'",
# "set firewall name INBOUND rule 101 action 'accept'",
# "set firewall name INBOUND rule 101",
# "set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'",
# "set firewall name INBOUND rule 101 ipsec 'match-ipsec'",
# "set firewall name INBOUND rule 102 action 'reject'",
# "set firewall name INBOUND rule 102",
# "set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible'",
# "set firewall name INBOUND rule 102 ipsec 'match-ipsec'",
# "set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible'",
# "set firewall name INBOUND rule 103 destination group address-group inbound",
# "set firewall name INBOUND rule 103",
# "set firewall name INBOUND rule 103 source address 192.0.2.0",
# "set firewall name INBOUND rule 103 state established enable",
# "set firewall name INBOUND rule 103 state related enable",
# "set firewall name INBOUND rule 103 state invalid disable",
# "set firewall name INBOUND rule 103 state new disable",
# "set firewall name INBOUND rule 103 action 'accept'"
# ]
#
# "after": [
# {
# "afi": "ipv6",
# "rule_sets": [
# {
# "default_action": "accept",
# "description": "This is ipv6 specific rule-set",
# "name": "UPLINK",
# "rules": [
# {
# "action": "accept",
# "description": "Fwipv6-Rule 1 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 1
# },
# {
# "action": "accept",
# "description": "Fwipv6-Rule 2 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 2
# }
# ]
# }
# ]
# },
# {
# "afi": "ipv4",
# "rule_sets": [
# {
# "default_action": "accept",
# "description": "IPv4 INBOUND rule set",
# "name": "INBOUND",
# "rules": [
# {
# "action": "accept",
# "description": "Rule 101 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 101
# },
# {
# "action": "reject",
# "description": "Rule 102 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 102
# },
# {
# "action": "accept",
# "description": "Rule 103 is configured by Ansible",
# "destination": {
# "group": {
# "address_group": "inbound"
# }
# },
# "number": 103,
# "source": {
# "address": "192.0.2.0"
# },
# "state": {
# "established": true,
# "invalid": false,
# "new": false,
# "related": true
# }
# }
# ]
# }
# ]
# }
# ]
#
# After state:
# -------------
#
# vyos@vyos:~$ show configuration commands| grep firewall
# set firewall group address-group 'inbound'
# set firewall ipv6-name UPLINK default-action 'accept'
# set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'
# set firewall ipv6-name UPLINK rule 1 action 'accept'
# set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'
# set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec'
# set firewall ipv6-name UPLINK rule 2 action 'accept'
# set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'
# set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec'
# set firewall name INBOUND default-action 'accept'
# set firewall name INBOUND description 'IPv4 INBOUND rule set'
# set firewall name INBOUND rule 101 action 'accept'
# set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'
# set firewall name INBOUND rule 101 ipsec 'match-ipsec'
# set firewall name INBOUND rule 102 action 'reject'
# set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible'
# set firewall name INBOUND rule 102 ipsec 'match-ipsec'
# set firewall name INBOUND rule 103 action 'accept'
# set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible'
# set firewall name INBOUND rule 103 destination group address-group 'inbound'
# set firewall name INBOUND rule 103 source address '192.0.2.0'
# set firewall name INBOUND rule 103 state established 'enable'
# set firewall name INBOUND rule 103 state invalid 'disable'
# set firewall name INBOUND rule 103 state new 'disable'
# set firewall name INBOUND rule 103 state related 'enable'
# Using replaced
#
# Before state:
# -------------
#
# vyos@vyos:~$ show configuration commands| grep firewall
# set firewall group address-group 'inbound'
# set firewall ipv6-name UPLINK default-action 'accept'
# set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'
# set firewall ipv6-name UPLINK rule 1 action 'accept'
# set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'
# set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec'
# set firewall ipv6-name UPLINK rule 2 action 'accept'
# set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'
# set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec'
# set firewall name INBOUND default-action 'accept'
# set firewall name INBOUND description 'IPv4 INBOUND rule set'
# set firewall name INBOUND rule 101 action 'accept'
# set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'
# set firewall name INBOUND rule 101 ipsec 'match-ipsec'
# set firewall name INBOUND rule 102 action 'reject'
# set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible'
# set firewall name INBOUND rule 102 ipsec 'match-ipsec'
# set firewall name INBOUND rule 103 action 'accept'
# set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible'
# set firewall name INBOUND rule 103 destination group address-group 'inbound'
# set firewall name INBOUND rule 103 source address '192.0.2.0'
# set firewall name INBOUND rule 103 state established 'enable'
# set firewall name INBOUND rule 103 state invalid 'disable'
# set firewall name INBOUND rule 103 state new 'disable'
# set firewall name INBOUND rule 103 state related 'enable'
#
- name: >-
    Replace device configurations of listed firewall rules with provided
    configurations
  vyos.vyos.vyos_firewall_rules:
    config:
      - afi: ipv6
        rule_sets:
          - name: UPLINK
            description: This is ipv6 specific rule-set
            default_action: accept
      - afi: ipv4
        rule_sets:
          - name: INBOUND
            description: IPv4 INBOUND rule set
            default_action: accept
            rules:
              - number: 101
                action: accept
                description: Rule 101 is configured by Ansible
                ipsec: match-ipsec
              - number: 104
                action: reject
                description: Rule 104 is configured by Ansible
                ipsec: match-none
    state: replaced
#
#
# -------------------------
# Module Execution Result
# -------------------------
#
# "before": [
# {
# "afi": "ipv6",
# "rule_sets": [
# {
# "default_action": "accept",
# "description": "This is ipv6 specific rule-set",
# "name": "UPLINK",
# "rules": [
# {
# "action": "accept",
# "description": "Fwipv6-Rule 1 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 1
# },
# {
# "action": "accept",
# "description": "Fwipv6-Rule 2 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 2
# }
# ]
# }
# ]
# },
# {
# "afi": "ipv4",
# "rule_sets": [
# {
# "default_action": "accept",
# "description": "IPv4 INBOUND rule set",
# "name": "INBOUND",
# "rules": [
# {
# "action": "accept",
# "description": "Rule 101 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 101
# },
# {
# "action": "reject",
# "description": "Rule 102 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 102
# },
# {
# "action": "accept",
# "description": "Rule 103 is configured by Ansible",
# "destination": {
# "group": {
# "address_group": "inbound"
# }
# },
# "number": 103,
# "source": {
# "address": "192.0.2.0"
# },
# "state": {
# "established": true,
# "invalid": false,
# "new": false,
# "related": true
# }
# }
# ]
# }
# ]
# }
# ]
#
# "commands": [
# "delete firewall ipv6-name UPLINK rule 1",
# "delete firewall ipv6-name UPLINK rule 2",
# "delete firewall name INBOUND rule 102",
# "delete firewall name INBOUND rule 103",
# "set firewall name INBOUND rule 104 action 'reject'",
# "set firewall name INBOUND rule 104 description 'Rule 104 is configured by Ansible'",
# "set firewall name INBOUND rule 104",
# "set firewall name INBOUND rule 104 ipsec 'match-none'"
# ]
#
# "after": [
# {
# "afi": "ipv6",
# "rule_sets": [
# {
# "default_action": "accept",
# "description": "This is ipv6 specific rule-set",
# "name": "UPLINK"
# }
# ]
# },
# {
# "afi": "ipv4",
# "rule_sets": [
# {
# "default_action": "accept",
# "description": "IPv4 INBOUND rule set",
# "name": "INBOUND",
# "rules": [
# {
# "action": "accept",
# "description": "Rule 101 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 101
# },
# {
# "action": "reject",
# "description": "Rule 104 is configured by Ansible",
# "ipsec": "match-none",
# "number": 104
# }
# ]
# }
# ]
# }
# ]
#
# After state:
# -------------
#
# vyos@vyos:~$ show configuration commands| grep firewall
# set firewall group address-group 'inbound'
# set firewall ipv6-name UPLINK default-action 'accept'
# set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'
# set firewall name INBOUND default-action 'accept'
# set firewall name INBOUND description 'IPv4 INBOUND rule set'
# set firewall name INBOUND rule 101 action 'accept'
# set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'
# set firewall name INBOUND rule 101 ipsec 'match-ipsec'
# set firewall name INBOUND rule 104 action 'reject'
# set firewall name INBOUND rule 104 description 'Rule 104 is configured by Ansible'
# set firewall name INBOUND rule 104 ipsec 'match-none'
# Using overridden
#
# Before state
# --------------
#
# vyos@vyos:~$ show configuration commands| grep firewall
# set firewall group address-group 'inbound'
# set firewall ipv6-name UPLINK default-action 'accept'
# set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'
# set firewall name INBOUND default-action 'accept'
# set firewall name INBOUND description 'IPv4 INBOUND rule set'
# set firewall name INBOUND rule 101 action 'accept'
# set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'
# set firewall name INBOUND rule 101 ipsec 'match-ipsec'
# set firewall name INBOUND rule 104 action 'reject'
# set firewall name INBOUND rule 104 description 'Rule 104 is configured by Ansible'
# set firewall name INBOUND rule 104 ipsec 'match-none'
#
- name: Override all device configuration with the provided configuration
  vyos.vyos.vyos_firewall_rules:
    config:
      - afi: ipv4
        rule_sets:
          - name: Downlink
            description: IPv4 INBOUND rule set
            default_action: accept
            rules:
              - number: 501
                action: accept
                description: Rule 501 is configured by Ansible
                ipsec: match-ipsec
              - number: 502
                action: reject
                description: Rule 502 is configured by Ansible
                ipsec: match-ipsec
    state: overridden
#
#
# -------------------------
# Module Execution Result
# -------------------------
#
# "before": [
# {
# "afi": "ipv6",
# "rule_sets": [
# {
# "default_action": "accept",
# "description": "This is ipv6 specific rule-set",
# "name": "UPLINK"
# }
# ]
# },
# {
# "afi": "ipv4",
# "rule_sets": [
# {
# "default_action": "accept",
# "description": "IPv4 INBOUND rule set",
# "name": "INBOUND",
# "rules": [
# {
# "action": "accept",
# "description": "Rule 101 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 101
# },
# {
# "action": "reject",
# "description": "Rule 104 is configured by Ansible",
# "ipsec": "match-none",
# "number": 104
# }
# ]
# }
# ]
# }
# ]
#
# "commands": [
# "delete firewall ipv6-name UPLINK",
# "delete firewall name INBOUND",
# "set firewall name Downlink default-action 'accept'",
# "set firewall name Downlink description 'IPv4 INBOUND rule set'",
# "set firewall name Downlink rule 501 action 'accept'",
# "set firewall name Downlink rule 501",
# "set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible'",
# "set firewall name Downlink rule 501 ipsec 'match-ipsec'",
# "set firewall name Downlink rule 502 action 'reject'",
# "set firewall name Downlink rule 502",
# "set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible'",
# "set firewall name Downlink rule 502 ipsec 'match-ipsec'"
# ]
#
# "after": [
# {
# "afi": "ipv4",
# "rule_sets": [
# {
# "default_action": "accept",
# "description": "IPv4 INBOUND rule set",
# "name": "Downlink",
# "rules": [
# {
# "action": "accept",
# "description": "Rule 501 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 501
# },
# {
# "action": "reject",
# "description": "Rule 502 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 502
# }
# ]
# }
# ]
# }
# ]
#
#
# After state
# ------------
#
# vyos@vyos:~$ show configuration commands| grep firewall
# set firewall group address-group 'inbound'
# set firewall name Downlink default-action 'accept'
# set firewall name Downlink description 'IPv4 INBOUND rule set'
# set firewall name Downlink rule 501 action 'accept'
# set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible'
# set firewall name Downlink rule 501 ipsec 'match-ipsec'
# set firewall name Downlink rule 502 action 'reject'
# set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible'
# set firewall name Downlink rule 502 ipsec 'match-ipsec'
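The three states above are the destructive ones: `replaced` deleted rules 102 and 103 because they were absent from the supplied rule-set, `overridden` deleted the whole UPLINK and INBOUND rule-sets, and `deleted` with only `afi` pushed a bare `delete firewall name`. The following Python is an added example, not part of the vyos.vyos collection, that classifies a `commands` (or `rendered`) list by blast radius so a playbook can run the task with `check_mode: true`, register the result, and fail before anything reaches the device. The command list embedded below is copied from the `overridden` example on this page; the category names and regexes are this example's own.

```python
"""Pre-flight audit of the command list vyos_firewall_rules would push.

Added example, not part of the vyos.vyos collection.  The regexes cover the
`set|delete firewall name|ipv6-name ...` command forms shown on this page.
"""
import re
from typing import Dict, List

# A bare 'delete firewall name' (no rule-set name) removes every rule-set of that
# family, as the "deleted based on afi" example shows, so the name is optional.
_RULESET = r"firewall (?:ipv6-name|name)(?: (?P<name>[^\s]+))?"
_DELETE_RULESET = re.compile(rf"^delete {_RULESET}$")
_DELETE_RULE = re.compile(rf"^delete {_RULESET} rule (?P<rule>\d+)$")
_SET_DEFAULT = re.compile(rf"^set {_RULESET} default-action '?(?P<action>\w+)'?$")
_SET_RULE_ACTION = re.compile(rf"^set {_RULESET} rule (?P<rule>\d+) action '?(?P<action>\w+)'?$")

# Sample input: the commands reported by the `overridden` example on this page.
OVERRIDDEN_COMMANDS = [
    "delete firewall ipv6-name UPLINK",
    "delete firewall name INBOUND",
    "set firewall name Downlink default-action 'accept'",
    "set firewall name Downlink description 'IPv4 INBOUND rule set'",
    "set firewall name Downlink rule 501 action 'accept'",
    "set firewall name Downlink rule 501",
    "set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible'",
    "set firewall name Downlink rule 501 ipsec 'match-ipsec'",
    "set firewall name Downlink rule 502 action 'reject'",
    "set firewall name Downlink rule 502",
    "set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible'",
    "set firewall name Downlink rule 502 ipsec 'match-ipsec'",
]

DESTRUCTIVE = ("deletes_all_rule_sets", "deletes_rule_set", "deletes_rule")


def audit_commands(commands: List[str]) -> Dict[str, List[str]]:
    """Group commands by blast radius.  Every key is present; an empty list means nothing found."""
    findings: Dict[str, List[str]] = {
        "deletes_all_rule_sets": [],  # bare 'delete firewall name' / 'delete firewall ipv6-name'
        "deletes_rule_set": [],       # a whole named rule-set removed (overridden, deleted by name)
        "deletes_rule": [],           # a single rule removed (replaced)
        "permissive_default": [],     # default-action accept: fail-open when no rule matches
        "accept_rules": [],           # rules that accept traffic; worth a look, not necessarily wrong
    }
    for cmd in commands:
        m = _DELETE_RULESET.match(cmd)
        if m:
            key = "deletes_rule_set" if m.group("name") else "deletes_all_rule_sets"
            findings[key].append(cmd)
            continue
        if _DELETE_RULE.match(cmd):
            findings["deletes_rule"].append(cmd)
            continue
        m = _SET_DEFAULT.match(cmd)
        if m and m.group("action") == "accept":
            findings["permissive_default"].append(cmd)
            continue
        m = _SET_RULE_ACTION.match(cmd)
        if m and m.group("action") == "accept":
            findings["accept_rules"].append(cmd)
    return findings


def is_destructive(findings: Dict[str, List[str]]) -> bool:
    """True when applying the commands would remove rules or rule-sets."""
    return any(findings[key] for key in DESTRUCTIVE)


def summarize(findings: Dict[str, List[str]]) -> str:
    """One line per non-empty category, suitable for a playbook `fail` message."""
    return "\n".join(
        f"{key}: {len(cmds)} -> {'; '.join(cmds)}" for key, cmds in findings.items() if cmds
    )


if __name__ == "__main__":
    result = audit_commands(OVERRIDDEN_COMMANDS)
    print(summarize(result))
    print("destructive:", is_destructive(result))
```

In a playbook, run the task once with `check_mode: true` and `register: plan`, pass `plan.commands` through `audit_commands` (for example from a small filter plugin), and `fail` when `is_destructive` returns true unless the run was explicitly approved; `permissive_default` is the finding to treat as a hard stop on an inbound rule-set.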
# Using gathered
#
# Before state:
# -------------
#
# vyos@vyos:~$ show configuration commands| grep firewall
# set firewall group address-group 'inbound'
# set firewall ipv6-name UPLINK default-action 'accept'
# set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'
# set firewall ipv6-name UPLINK rule 1 action 'accept'
# set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'
# set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec'
# set firewall ipv6-name UPLINK rule 2 action 'accept'
# set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'
# set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec'
# set firewall name INBOUND default-action 'accept'
# set firewall name INBOUND description 'IPv4 INBOUND rule set'
# set firewall name INBOUND rule 101 action 'accept'
# set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'
# set firewall name INBOUND rule 101 ipsec 'match-ipsec'
# set firewall name INBOUND rule 102 action 'reject'
# set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible'
# set firewall name INBOUND rule 102 ipsec 'match-ipsec'
# set firewall name INBOUND rule 103 action 'accept'
# set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible'
# set firewall name INBOUND rule 103 destination group address-group 'inbound'
# set firewall name INBOUND rule 103 source address '192.0.2.0'
# set firewall name INBOUND rule 103 state established 'enable'
# set firewall name INBOUND rule 103 state invalid 'disable'
# set firewall name INBOUND rule 103 state new 'disable'
# set firewall name INBOUND rule 103 state related 'enable'
#
- name: Gather listed firewall rules with provided configurations
  vyos.vyos.vyos_firewall_rules:
    state: gathered
#
#
# -------------------------
# Module Execution Result
# -------------------------
#
# "gathered": [
# {
# "afi": "ipv6",
# "rule_sets": [
# {
# "default_action": "accept",
# "description": "This is ipv6 specific rule-set",
# "name": "UPLINK",
# "rules": [
# {
# "action": "accept",
# "description": "Fwipv6-Rule 1 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 1
# },
# {
# "action": "accept",
# "description": "Fwipv6-Rule 2 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 2
# }
# ]
# }
# ]
# },
# {
# "afi": "ipv4",
# "rule_sets": [
# {
# "default_action": "accept",
# "description": "IPv4 INBOUND rule set",
# "name": "INBOUND",
# "rules": [
# {
# "action": "accept",
# "description": "Rule 101 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 101
# },
# {
# "action": "reject",
# "description": "Rule 102 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 102
# },
# {
# "action": "accept",
# "description": "Rule 103 is configured by Ansible",
# "destination": {
# "group": {
# "address_group": "inbound"
# }
# },
# "number": 103,
# "source": {
# "address": "192.0.2.0"
# },
# "state": {
# "established": true,
# "invalid": false,
# "new": false,
# "related": true
# }
# }
# ]
# }
# ]
# }
# ]
#
#
# After state:
# -------------
#
# vyos@vyos:~$ show configuration commands| grep firewall
# set firewall group address-group 'inbound'
# set firewall ipv6-name UPLINK default-action 'accept'
# set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'
# set firewall ipv6-name UPLINK rule 1 action 'accept'
# set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible'
# set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec'
# set firewall ipv6-name UPLINK rule 2 action 'accept'
# set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible'
# set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec'
# set firewall name INBOUND default-action 'accept'
# set firewall name INBOUND description 'IPv4 INBOUND rule set'
# set firewall name INBOUND rule 101 action 'accept'
# set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'
# set firewall name INBOUND rule 101 ipsec 'match-ipsec'
# set firewall name INBOUND rule 102 action 'reject'
# set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible'
# set firewall name INBOUND rule 102 ipsec 'match-ipsec'
# set firewall name INBOUND rule 103 action 'accept'
# set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible'
# set firewall name INBOUND rule 103 destination group address-group 'inbound'
# set firewall name INBOUND rule 103 source address '192.0.2.0'
# set firewall name INBOUND rule 103 state established 'enable'
# set firewall name INBOUND rule 103 state invalid 'disable'
# set firewall name INBOUND rule 103 state new 'disable'
# set firewall name INBOUND rule 103 state related 'enable'
# Using rendered
#
#
- name: Render the commands for provided configuration
  vyos.vyos.vyos_firewall_rules:
    config:
      - afi: ipv6
        rule_sets:
          - name: UPLINK
            description: This is ipv6 specific rule-set
            default_action: accept
      - afi: ipv4
        rule_sets:
          - name: INBOUND
            description: IPv4 INBOUND rule set
            default_action: accept
            rules:
              - number: 101
                action: accept
                description: Rule 101 is configured by Ansible
                ipsec: match-ipsec
              - number: 102
                action: reject
                description: Rule 102 is configured by Ansible
                ipsec: match-ipsec
              - number: 103
                action: accept
                description: Rule 103 is configured by Ansible
                destination:
                  group:
                    address_group: inbound
                source:
                  address: 192.0.2.0
                state:
                  established: true
                  new: false
                  invalid: false
                  related: true
    state: rendered
#
#
# -------------------------
# Module Execution Result
# -------------------------
#
#
# "rendered": [
# "set firewall ipv6-name UPLINK default-action 'accept'",
# "set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set'",
# "set firewall name INBOUND default-action 'accept'",
# "set firewall name INBOUND description 'IPv4 INBOUND rule set'",
# "set firewall name INBOUND rule 101 action 'accept'",
# "set firewall name INBOUND rule 101",
# "set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible'",
# "set firewall name INBOUND rule 101 ipsec 'match-ipsec'",
# "set firewall name INBOUND rule 102 action 'reject'",
# "set firewall name INBOUND rule 102",
# "set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible'",
# "set firewall name INBOUND rule 102 ipsec 'match-ipsec'",
# "set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible'",
# "set firewall name INBOUND rule 103 destination group address-group inbound",
# "set firewall name INBOUND rule 103",
# "set firewall name INBOUND rule 103 source address 192.0.2.0",
# "set firewall name INBOUND rule 103 state established enable",
# "set firewall name INBOUND rule 103 state related enable",
# "set firewall name INBOUND rule 103 state invalid disable",
# "set firewall name INBOUND rule 103 state new disable",
# "set firewall name INBOUND rule 103 action 'accept'"
# ]
# Using parsed
#
#
- name: Parse the provided input commands.
  vyos.vyos.vyos_firewall_rules:
    running_config:
      "set firewall group address-group 'inbound'
       set firewall name Downlink default-action 'accept'
       set firewall name Downlink description 'IPv4 INBOUND rule set'
       set firewall name Downlink rule 501 action 'accept'
       set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible'
       set firewall name Downlink rule 501 ipsec 'match-ipsec'
       set firewall name Downlink rule 502 action 'reject'
       set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible'
       set firewall name Downlink rule 502 ipsec 'match-ipsec'"
    state: parsed
#
#
# -------------------------
# Module Execution Result
# -------------------------
#
#
# "parsed": [
# {
# "afi": "ipv4",
# "rule_sets": [
# {
# "default_action": "accept",
# "description": "IPv4 INBOUND rule set",
# "name": "Downlink",
# "rules": [
# {
# "action": "accept",
# "description": "Rule 501 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 501
# },
# {
# "action": "reject",
# "description": "Rule 502 is configured by Ansible",
# "ipsec": "match-ipsec",
# "number": 502
# }
# ]
# }
# ]
# }
# ]
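The `parsed` result above shows the module's data model. The following Python is an added example, not the collection's own parser, that turns `show configuration commands | grep firewall` output into that shape for the leaves used on this page (rule-set `default-action` and `description`; rule `action`, `description`, `ipsec`, `source`/`destination` address, port and group, and `state` flags), so a playbook or CI job can compare `gathered` output against an independent reading of the device config. The embedded sample is the `running_config` string from the example above; the helper names are this example's own.

```python
"""Parse `show configuration commands | grep firewall` output into the structure
vyos_firewall_rules returns under `parsed` and `gathered`.

Added example; not the parser shipped in the vyos.vyos collection.
"""
import shlex
from typing import Any, Dict, List

# Constructed sample: the running_config from the `parsed` example on this page.
SAMPLE = """\
set firewall group address-group 'inbound'
set firewall name Downlink default-action 'accept'
set firewall name Downlink description 'IPv4 INBOUND rule set'
set firewall name Downlink rule 501 action 'accept'
set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible'
set firewall name Downlink rule 501 ipsec 'match-ipsec'
set firewall name Downlink rule 502 action 'reject'
set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible'
set firewall name Downlink rule 502 ipsec 'match-ipsec'
"""

# Rule leaves that carry exactly one value.  `disable` has no value in the CLI.
SCALAR_LEAVES = {"action", "description", "ipsec", "protocol", "log", "fragment"}


def _apply_rule_leaf(rule: Dict[str, Any], leaf: List[str]) -> None:
    """Fold one `... rule N <leaf ...>` path into the rule dictionary."""
    if not leaf:
        return                      # a bare 'set ... rule N' only creates the node
    key, rest = leaf[0], leaf[1:]
    if key == "disable":
        rule["disable"] = True
    elif key in SCALAR_LEAVES:
        rule[key] = rest[0]
    elif key in ("source", "destination"):
        side = rule.setdefault(key, {})
        if rest[0] == "group":      # group address-group|network-group|port-group <name>
            side.setdefault("group", {})[rest[1].replace("-", "_")] = rest[2]
        else:                       # address, port, mac-address
            side[rest[0].replace("-", "_")] = rest[1]
    elif key == "state":            # state established|invalid|new|related enable|disable
        rule.setdefault("state", {})[rest[0]] = rest[1] == "enable"
    # icmp, limit, recent, tcp, time and p2p leaves are not used by this page's examples.


def parse_firewall_commands(text: str) -> List[Dict[str, Any]]:
    """Return one entry per address family that has rule-sets, IPv6 first (the order
    the gathered example on this page shows), with each rule-set's rules sorted by number."""
    families: Dict[str, Dict[str, Dict[str, Any]]] = {"ipv6": {}, "ipv4": {}}
    for line in text.splitlines():
        tokens = shlex.split(line)  # shlex strips the quotes VyOS prints around values
        if len(tokens) < 4 or tokens[:2] != ["set", "firewall"]:
            continue
        afi = {"name": "ipv4", "ipv6-name": "ipv6"}.get(tokens[2])
        if afi is None:
            continue                # groups, zone-policy, global options: outside this module
        name, rest = tokens[3], tokens[4:]
        rule_set = families[afi].setdefault(name, {"name": name})
        if not rest:
            continue
        if rest[0] == "default-action":
            rule_set["default_action"] = rest[1]
        elif rest[0] == "description":
            rule_set["description"] = rest[1]
        elif rest[0] == "rule":
            number = int(rest[1])
            rule = rule_set.setdefault("rules", {}).setdefault(number, {"number": number})
            _apply_rule_leaf(rule, rest[2:])

    result: List[Dict[str, Any]] = []
    for afi, rule_sets in families.items():
        if not rule_sets:
            continue
        for rule_set in rule_sets.values():
            if "rules" in rule_set:
                rule_set["rules"] = [rule_set["rules"][n] for n in sorted(rule_set["rules"])]
        result.append({"afi": afi, "rule_sets": list(rule_sets.values())})
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(parse_firewall_commands(SAMPLE), indent=2))
```

Because the module's `running_config` is the same text, the output of this function for a device's `show configuration commands | grep firewall` should equal what the module returns under `parsed` for the leaves it covers; a mismatch points at either a leaf this example does not handle or a device running a newer CLI syntax.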
Return Values
Common return values are documented here; the following are the fields unique to this module:

Key | Description
---|---
`after` | The resulting configuration model invocation. Returned: when changed.
`before` | The configuration prior to the model invocation. Returned: always.
`commands` | The set of commands pushed to the remote device. Returned: always.