Open person50002 opened 1 year ago
Summary

With TMSH or TMUI it is possible to create firewall rules for the management port that match ICMP traffic, but this cannot be done with Declarative Onboarding. The `protocol` property of the `ManagementIpFirewall_rules` object can only be set to `any`, `tcp` or `udp`, not to `icmp` or anything else: https://clouddocs.f5.com/products/extensions/f5-declarative-onboarding/latest/schema-reference.html#managementipfirewall-rules
Steps To Reproduce

Steps to reproduce the behavior:

1. Submit the following declaration (dry run enabled):

```json
{
  "schemaVersion": "1.36.0",
  "class": "Device",
  "controls": { "traceResponse": true, "dryRun": true },
  "Common": {
    "class": "Tenant",
    "managementIpFirewall": {
      "class": "ManagementIpFirewall",
      "rules": [
        { "name": "allow_icmp", "action": "accept", "protocol": "icmp", "loggingEnabled": true },
        { "name": "deny_all", "action": "drop", "protocol": "any", "loggingEnabled": true }
      ]
    }
  }
}
```

2. Observe the following error response:

```json
{
  "id": "6b640d9b-b9b9-4592-a85c-9ae54ffa022b",
  "selfLink": "https://localhost/mgmt/shared/declarative-onboarding/task/6b640d9b-b9b9-4592-a85c-9ae54ffa022b",
  "code": 400,
  "status": "ERROR",
  "message": "bad declaration",
  "errors": [
    {
      "keyword": "enum",
      "dataPath": ".declaration.Common['managementIpFirewall'].rules[0].protocol",
      "schemaPath": "#/properties/protocol/enum",
      "params": { "allowedValues": [ "any", "tcp", "udp" ] },
      "message": "should be equal to one of the allowed values"
    },
    {
      "keyword": "if",
      "dataPath": ".declaration.Common['managementIpFirewall']",
      "schemaPath": "#/allOf/18/if",
      "params": { "failingKeyword": "then" },
      "message": "should match \"then\" schema"
    },
    {
      "keyword": "if",
      "dataPath": "",
      "schemaPath": "#/allOf/1/if",
      "params": { "failingKeyword": "then" },
      "message": "should match \"then\" schema"
    }
  ],
  "result": {
    "class": "Result",
    "code": 400,
    "status": "ERROR",
    "dryRun": true,
    "message": "bad declaration",
    "errors": [
      {
        "keyword": "enum",
        "dataPath": ".declaration.Common['managementIpFirewall'].rules[0].protocol",
        "schemaPath": "#/properties/protocol/enum",
        "params": { "allowedValues": [ "any", "tcp", "udp" ] },
        "message": "should be equal to one of the allowed values"
      },
      {
        "keyword": "if",
        "dataPath": ".declaration.Common['managementIpFirewall']",
        "schemaPath": "#/allOf/18/if",
        "params": { "failingKeyword": "then" },
        "message": "should match \"then\" schema"
      },
      {
        "keyword": "if",
        "dataPath": "",
        "schemaPath": "#/allOf/1/if",
        "params": { "failingKeyword": "then" },
        "message": "should match \"then\" schema"
      }
    ]
  },
  "declaration": {
    "schemaVersion": "1.36.0",
    "class": "Device",
    "controls": { "traceResponse": true, "dryRun": true },
    "Common": {
      "class": "Tenant",
      "managementIpFirewall": {
        "class": "ManagementIpFirewall",
        "rules": [
          { "name": "allow_icmp", "action": "accept", "protocol": "icmp", "loggingEnabled": true },
          { "name": "deny_all", "action": "drop", "protocol": "any", "loggingEnabled": true }
        ]
      }
    },
    "async": false
  }
}
```
Expected Behavior

DO should accept a value of `icmp`.
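A local pre-check for the enum the report runs into, added here as an example; it is not code from the issue, from the reporter, or from the Declarative Onboarding project. It assumes only the `protocol` enum documented in the schema reference linked above (`any`, `tcp`, `udp`) and the error-record shape visible in the response; the sample declaration and response are constructed from the report, with the nested `result` copy and the echoed declaration left out. It reports which rule DO will reject before anything is POSTed, and reduces a real DO error response to the entry that actually names the bad value.

```python
"""Local pre-check for DO ManagementIpFirewall rules.

Added example, not code from the issue or from F5 Declarative Onboarding.
It reproduces only the one schema check the report runs into: the
ManagementIpFirewall_rules "protocol" enum (any | tcp | udp). Running it
before a POST tells you which rule will be rejected, and
root_cause_errors() strips the derived "if"/"then" entries from a real
DO error response so the enum failure is the only thing left to read.
"""

# Enum documented for ManagementIpFirewall_rules.protocol in the DO schema reference.
ALLOWED_PROTOCOLS = ("any", "tcp", "udp")

# Constructed sample: the declaration from the report, as a Python dict.
SAMPLE_DECLARATION = {
    "schemaVersion": "1.36.0",
    "class": "Device",
    "controls": {"traceResponse": True, "dryRun": True},
    "Common": {
        "class": "Tenant",
        "managementIpFirewall": {
            "class": "ManagementIpFirewall",
            "rules": [
                {"name": "allow_icmp", "action": "accept", "protocol": "icmp",
                 "loggingEnabled": True},
                {"name": "deny_all", "action": "drop", "protocol": "any",
                 "loggingEnabled": True},
            ],
        },
    },
}

# Constructed sample: the top-level "errors" array of the DO response in the
# report (the nested "result" copy and the echoed declaration are omitted).
SAMPLE_RESPONSE = {
    "code": 400,
    "status": "ERROR",
    "message": "bad declaration",
    "errors": [
        {"keyword": "enum",
         "dataPath": ".declaration.Common['managementIpFirewall'].rules[0].protocol",
         "schemaPath": "#/properties/protocol/enum",
         "params": {"allowedValues": ["any", "tcp", "udp"]},
         "message": "should be equal to one of the allowed values"},
        {"keyword": "if",
         "dataPath": ".declaration.Common['managementIpFirewall']",
         "schemaPath": "#/allOf/18/if",
         "params": {"failingKeyword": "then"},
         "message": 'should match "then" schema'},
        {"keyword": "if",
         "dataPath": "",
         "schemaPath": "#/allOf/1/if",
         "params": {"failingKeyword": "then"},
         "message": 'should match "then" schema'},
    ],
}


def offending_rules(declaration):
    """Yield (tenant_name, index, rule) for every management-IP firewall rule
    whose "protocol" is outside ALLOWED_PROTOCOLS. A rule with no "protocol"
    key is left alone; only the enum is checked here, not the whole schema."""
    for tenant_name, tenant in declaration.items():
        if not isinstance(tenant, dict) or tenant.get("class") != "Tenant":
            continue
        firewall = tenant.get("managementIpFirewall")
        if not isinstance(firewall, dict) or firewall.get("class") != "ManagementIpFirewall":
            continue
        for index, rule in enumerate(firewall.get("rules", [])):
            if "protocol" in rule and rule["protocol"] not in ALLOWED_PROTOCOLS:
                yield tenant_name, index, rule


def precheck_protocols(declaration):
    """Return the enum errors DO's validator would raise, in the same record
    shape (keyword/dataPath/schemaPath/params/message) as the report's response."""
    return [
        {
            "keyword": "enum",
            "dataPath": f".declaration.{tenant}['managementIpFirewall'].rules[{index}].protocol",
            "schemaPath": "#/properties/protocol/enum",
            "params": {"allowedValues": list(ALLOWED_PROTOCOLS)},
            "message": "should be equal to one of the allowed values",
        }
        for tenant, index, _rule in offending_rules(declaration)
    ]


def root_cause_errors(response):
    """Drop the "if"/"then" entries from a DO error response. They only say
    that a parent schema failed because a child did; the child error (here
    the enum one) is the one that names the bad value and the allowed ones."""
    return [err for err in response.get("errors", []) if err.get("keyword") != "if"]


if __name__ == "__main__":
    for tenant, index, rule in offending_rules(SAMPLE_DECLARATION):
        print(f"{tenant}: rule {index} '{rule['name']}' uses protocol "
              f"'{rule['protocol']}', allowed: {', '.join(ALLOWED_PROTOCOLS)}")
    print("server-side root cause:", root_cause_errors(SAMPLE_RESPONSE)[0]["dataPath"])
```

The pre-check is cheaper than a dry run and works offline, but it covers this one property only; the dry run remains the authoritative check. Worth keeping in mind when working around the rejection: `any` matches every IP protocol, so once the `allow_icmp` rule is removed to get the declaration past the validator, the `deny_all` rule covers ICMP to the management port as well. Whether that is acceptable depends on whether anything monitors the management address by ping.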