Rosa-Luxemburgstiftung-Berlin / ansible-opnsense

Ansible role to configure OPNsense firewalls

ipsec p2 encryption-algorithm-option and hash-algorithm-option update seems dysfunctional #69

Closed zerwes closed 3 months ago

zerwes commented 4 months ago

while starting some test implementation for #67 the 2 options let some ipsec tests fail ... ... or just deprecate the old legacy stuff and implement #42

zerwes commented 4 months ago

wip ... fix-encalg-and-hashalg

zerwes commented 4 months ago

https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-opnsense/actions/runs/9090917733/job/24984556065#step:5:1881

zerwes commented 3 months ago

task args xpath: "/opnsense/ipsec/phase2[ikeid='1' and uniqid='eea1dcb2e051a']/hash-algorithm-option" will fail!

but

[localhost] TASK: debug failing (debug)> task.args['xpath'] = "/opnsense/ipsec/phase2[ikeid=1 and uniqid=eea1dcb2e051a]/hash-algorithm-option"
[localhost] TASK: debug failing (debug)> redo

=> OK

zerwes commented 3 months ago

strange .. this works as expected

- name: test
  hosts: all
  gather_facts: false
  vars:
    ikeid: 1
    uniqid: eea1dcb2e051a
  tasks:
    - name: test del encryption-algorithm-option
      delegate_to: localhost
      community.general.xml:
        path: cfg/ipsec-test1-04-encalg.xml
        state: absent
        pretty_print: true
        xpath: "/opnsense/ipsec/phase2[ikeid='{{ ikeid }}' and uniqid='{{ uniqid }}']/encryption-algorithm-option"

but not in the test setup

zerwes commented 3 months ago

fatal: [localhost]: FAILED! => {"changed": false, "msg": "Couldn't delete xpath target: /opnsense/ipsec/phase2[ikeid='1' and uniqid='eea1dcb2e051a']/encryption-algorithm-option (module 'lxml.etree' has no attribute '_ElementStringResult')"}

zerwes commented 3 months ago

seems we just have 2 options

  1. error (see last comment)
  2. no action/match on delete/absent xpath request

ok: [localhost] => {"actions": {"namespaces": {}, "state": "absent", "xpath": "/opnsense/ipsec/phase2[ikeid/text()='1' and uniqid/text='eea1dcb2e051a']/encryption-algorithm-option"}, "changed": false}

zerwes commented 3 months ago

In 5.1.1 lxml removed _ElementStringResult() ... :question: https://github.com/lxml/lxml/compare/lxml-5.1.0...lxml-5.1.1

https://github.com/lxml/lxml/compare/lxml-5.1.0...lxml-5.1.1#diff-50572a55550b6596b53b8b534c05abce39dc5cce6e8f969e1f11d4e5348330d8

currently I use: lxml 5.2.1

zerwes commented 3 months ago

fck ... hours of debugging and testing for the a... ah... for nothing all works as expected w/ lxml 5.1.0 :exclamation:

zerwes commented 3 months ago

ansible-collections/community.general#8435

zerwes commented 3 months ago

71
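
An added example, not part of the thread or of the project's code: a stdlib-only check that re-reads the config after a play and lists phase 2 algorithm options that were meant to be deleted but are still in the file, which catches the silent `"changed": false` case described above, plus a test for the lxml attribute named in the error message. The sample XML, its element layout and all function names are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the element layout is an assumption based on the thread's xpath.
SAMPLE_CONFIG = """<opnsense><ipsec>
  <phase2>
    <ikeid>1</ikeid>
    <uniqid>eea1dcb2e051a</uniqid>
    <encryption-algorithm-option><name>aes128</name></encryption-algorithm-option>
    <encryption-algorithm-option><name>aes256</name></encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
  </phase2>
  <phase2>
    <ikeid>2</ikeid>
    <uniqid>0123456789abc</uniqid>
    <hash-algorithm-option>hmac_sha512</hash-algorithm-option>
  </phase2>
</ipsec></opnsense>"""


def lxml_has_element_string_result():
    """None if lxml is not installed, else whether etree._ElementStringResult exists."""
    try:
        from lxml import etree
    except ImportError:
        return None
    return hasattr(etree, "_ElementStringResult")


def phase2_options(xml_text, ikeid, uniqid, tag):
    """Values of <tag> under the phase2 entry selected by ikeid and uniqid."""
    values = []
    for p2 in ET.fromstring(xml_text).findall("./ipsec/phase2"):
        if p2.findtext("ikeid") != str(ikeid) or p2.findtext("uniqid") != uniqid:
            continue
        for opt in p2.findall(tag):
            # Assumed layout: encryption options nest <name>, hash options are text.
            values.append((opt.findtext("name") or opt.text or "").strip())
    return values


def stale_options(xml_text, ikeid, uniqid, tag, wanted):
    """Options still present in the file that the play was meant to remove."""
    return sorted(set(phase2_options(xml_text, ikeid, uniqid, tag)) - set(wanted))


if __name__ == "__main__":
    print("lxml has _ElementStringResult:", lxml_has_element_string_result())
    print(stale_options(SAMPLE_CONFIG, 1, "eea1dcb2e051a",
                        "hash-algorithm-option", ["hmac_sha256"]))
```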