Summary

Request: New module `pf` (packet filter) for BSD based systems

General

While Ansible is often used for orchestrating and administrating Linux based systems it may also be used for other systems. Especially BSD based systems (e.g. FreeBSD, OpenBSD,...) may also benefit from a better module support of BSD's most used tools and applications instead of writing workarounds with roles, tasks and notifiers.

Issue

When running a CARP and pfsync based firewall cluster it may often be needed to adjust the rule set. However, you may still want to test the rules within a dry-run or just or test a subset of filter types (e.g. filter, options or nat). Afterwards, you may want to apply this ones. Currently, you need workarounds based on roles, notifiers etc. to solve this. If would be great to have an Ansible module to solve this.

Examples

Test config

Test a config within a dry-run and provide the loaded rule set within Ansible's json meta output:

- name: Test a rule set
  pf:
    action: reload
    config: /etc/pf.conf
    dry_run: True

Load a subset of rules for testing:

- name: Load only NAT rule set
  pf:
    action: reload
    config: /etc/pf.conf
    filter: nat

Flush the rules and reload the new rule set:

- name: Flush and load a rule set
  pf:
    action: reload
    config: /etc/pf.conf

Module

While this module makes sense for me I can not judge the BSD based user base of Ansible. If you think Ansible could benefit from this contribution feel free to ping me and I may attach a PR (the module is already finish and ready for review). For my last contribution to community.general see also yum_versionlock.

Issue Type

Feature Idea

Component Name

Additional Information

- name: Load only NAT rule set
  pf:
    action: reload
    config: /etc/pf.conf
    filter: nat

Code of Conduct

[X] I agree to follow the Ansible Code of Conduct

ansible-collections / community.general