puzzle / puzzle.opnsense

An Ansible Collection to configure an opnsense Firewall
https://puzzle.github.io/puzzle.opnsense/collections/puzzle/opnsense/index.html
GNU General Public License v3.0

Unexpected keyword argument 'associated-rule-id' when creating firewall rule #139

Closed nerrehmit closed 3 months ago

nerrehmit commented 4 months ago

Describe the bug

If I want to block some outgoing requests on my LAN interface for testing purposes, I get an Ansible error during module execution saying that there was an unexpected keyword argument 'associated-rule-id'.

Currently it's only for testing, so there are no other firewall rules on the LAN interface apart from the default rules. There are a few rules on the WAN interface that were added manually.

This is a fully upgraded OPNSense 24.1_9 installation that was probably upgraded from 22.1 if I had to guess.

To Reproduce

Example playbook:

- hosts: opnsense

  tasks:
  - name: create lan block rule 1
    puzzle.opnsense.firewall_rules:
      action: block
      destination:
        address: 203.0.113.5/32
      interface: LAN

Module output:

TASK [create lan block rule 1] *******************************************************************************************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: TypeError: FirewallRule.__init__() got an unexpected keyword argument 'associated-rule-id'
fatal: [opnsense]: FAILED! => {
    "changed": false,
    "rc": 1
}

MSG:

MODULE FAILURE
See stdout/stderr for the exact error

MODULE_STDOUT:

Traceback (most recent call last):
  File "/root/.ansible/tmp/ansible-tmp-1720474165.6209621-11653-44235569034026/AnsiballZ_firewall_rules.py", line 107, in <module>
    _ansiballz_main()
  File "/root/.ansible/tmp/ansible-tmp-1720474165.6209621-11653-44235569034026/AnsiballZ_firewall_rules.py", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/root/.ansible/tmp/ansible-tmp-1720474165.6209621-11653-44235569034026/AnsiballZ_firewall_rules.py", line 47, in invoke_module
    runpy.run_module(mod_name='ansible_collections.puzzle.opnsense.plugins.modules.firewall_rules', init_globals=dict(_module_fqn='ansible_collections.puzzle.opnsense.plugins.modules.firewall_rules', _modlib_path=modlib_path),
  File "<frozen runpy>", line 226, in run_module
  File "<frozen runpy>", line 98, in _run_module_code
  File "<frozen runpy>", line 88, in _run_code
  File "/tmp/ansible_puzzle.opnsense.firewall_rules_payload_i3xwt9ua/ansible_puzzle.opnsense.firewall_rules_payload.zip/ansible_collections/puzzle/opnsense/plugins/modules/firewall_rules.py", line 448, in <module>
  File "/tmp/ansible_puzzle.opnsense.firewall_rules_payload_i3xwt9ua/ansible_puzzle.opnsense.firewall_rules_payload.zip/ansible_collections/puzzle/opnsense/plugins/modules/firewall_rules.py", line 423, in main
  File "/tmp/ansible_puzzle.opnsense.firewall_rules_payload_i3xwt9ua/ansible_puzzle.opnsense.firewall_rules_payload.zip/ansible_collections/puzzle/opnsense/plugins/module_utils/firewall_rules_utils.py", line 537, in __init__
  File "/tmp/ansible_puzzle.opnsense.firewall_rules_payload_i3xwt9ua/ansible_puzzle.opnsense.firewall_rules_payload.zip/ansible_collections/puzzle/opnsense/plugins/module_utils/firewall_rules_utils.py", line 543, in _load_rules
  File "/tmp/ansible_puzzle.opnsense.firewall_rules_payload_i3xwt9ua/ansible_puzzle.opnsense.firewall_rules_payload.zip/ansible_collections/puzzle/opnsense/plugins/module_utils/firewall_rules_utils.py", line 543, in <listcomp>
  File "/tmp/ansible_puzzle.opnsense.firewall_rules_payload_i3xwt9ua/ansible_puzzle.opnsense.firewall_rules_payload.zip/ansible_collections/puzzle/opnsense/plugins/module_utils/firewall_rules_utils.py", line 505, in from_xml
TypeError: FirewallRule.__init__() got an unexpected keyword argument 'associated-rule-id'

MODULE_STDERR:

Shared connection to 192.168.1.1 closed.

Expected behavior

Blocking rule is created on the LAN interface without error during the Ansible run.

Ansible ENV:

➜ ansible --version
ansible [core 2.17.1]
  config file = /home/tim/git/private/ansible-home/ansible.cfg
  configured module search path = ['/home/tim/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/tim/.local/share/virtualenvs/ansible-home-cckXjtMV/lib64/python3.11/site-packages/ansible
  ansible collection location = /home/tim/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/tim/.local/share/virtualenvs/ansible-home-cckXjtMV/bin/ansible
  python version = 3.11.9 (main, Apr 17 2024, 00:00:00) [GCC 13.2.1 20240316 (Red Hat 13.2.1-7)] (/home/tim/.local/share/virtualenvs/ansible-home-cckXjtMV/bin/python)
  jinja version = 3.1.4
  libyaml = True

➜ ansible-galaxy collection list puzzle.opnsense

# /home/tim/.ansible/collections/ansible_collections
Collection      Version
--------------- -------
puzzle.opnsense 1.2.0 

Additional context

I can provide the full traceback if you like. Let me know if I can support debugging. :)

nerrehmit commented 4 months ago

I think I found the problem that I'm having on my instance.

I have two NAT rules on my instance to forward certain ports on my public IPv4 WAN interface back into my network. When I created those rules manually I had the option "Filter rule association" set to "Add associated filter rule", which I think is the default setting. This creates a matching firewall rule on the WAN interface to allow inbound access to the NAT'ed port. Documentation: https://docs.opnsense.org/manual/nat.html#port-forwarding

The important snippet of my firewall rule XML config looks like this (some info redacted):

  <filter>

-- ipv6 rules cut --

    <rule uuid="ca0393b9-36b9-4dfc-869c-925c2db9c85c">
      <source>
        <any>1</any>
      </source>
      <interface>wan</interface>
      <statetype>keep state</statetype>
      <protocol>tcp</protocol>
      <ipprotocol>inet</ipprotocol>
      <destination>
        <address>192.168.1.118</address>
        <port>80</port>
      </destination>
      <descr>REDACTED</descr>
      <category/>
      <associated-rule-id>nat_64b50f451b5983.28976102</associated-rule-id>
      <created>
        <username>REDACTED@INTERNAL-IP</username>
        <time>TIMESTAMP</time>
        <description>/firewall_nat_edit.php made changes</description>
      </created>
    </rule>

That explains where this field comes from. Let me know if you need further info.
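As an added example that is not part of this issue or of the collection's code, the Python below reproduces the failure mode the traceback and the XML above point at (child tag names passed straight through as keyword arguments to a FirewallRule constructor, so a hyphenated tag with no matching field raises TypeError) and contrasts it with a loader that maps hyphenated tags to field names and keeps unknown tags instead of failing. The FirewallRule dataclass, its field list and the sample config are assumptions constructed for this example.

```python
# Added example, not the puzzle.opnsense code: the failing from_xml pattern next to a tolerant one.
from dataclasses import dataclass, field
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed sample config: the WAN filter rule that the NAT port-forward created.
CONFIG_XML = """<opnsense><filter>
  <rule uuid="ca0393b9-36b9-4dfc-869c-925c2db9c85c">
    <source><any>1</any></source><interface>wan</interface>
    <statetype>keep state</statetype><protocol>tcp</protocol><ipprotocol>inet</ipprotocol>
    <destination><address>192.168.1.118</address><port>80</port></destination>
    <descr>REDACTED</descr><category/>
    <associated-rule-id>nat_64b50f451b5983.28976102</associated-rule-id>
  </rule>
</filter></opnsense>"""

@dataclass
class FirewallRule:
    uuid: str
    interface: str
    source: dict = field(default_factory=dict)
    destination: dict = field(default_factory=dict)
    statetype: Optional[str] = None
    protocol: Optional[str] = None
    ipprotocol: Optional[str] = None
    descr: Optional[str] = None
    category: Optional[str] = None
    associated_rule_id: Optional[str] = None   # from the tag 'associated-rule-id'
    extra: dict = field(default_factory=dict)  # any other unknown tags, kept

def _value(el):
    # Leaf element -> its text; container (<source>, <destination>) -> {tag: text}
    return {c.tag: c.text for c in el} if len(el) else el.text

def load_rules_naive(xml_text):
    # Failing pattern: every child tag becomes a keyword argument, so 'associated-rule-id' raises TypeError
    return [FirewallRule(uuid=r.get("uuid"), **{c.tag: _value(c) for c in r})
            for r in ET.fromstring(xml_text).findall("./filter/rule")]

def load_rules(xml_text):
    # Tolerant version: hyphens become underscores, unknown tags are kept in 'extra'.
    known = set(FirewallRule.__dataclass_fields__) - {"uuid", "extra"}
    rules = []
    for r in ET.fromstring(xml_text).findall("./filter/rule"):
        kwargs, extra = {}, {}
        for c in r:
            name = c.tag.replace("-", "_")
            (kwargs if name in known else extra)[name] = _value(c)
        rules.append(FirewallRule(uuid=r.get("uuid"), extra=extra, **kwargs))
    return rules
```

Keeping unknown tags in `extra` rather than discarding them also means a later write-back of the rule does not silently drop the association with the NAT entry.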

DonGiovanni83 commented 3 months ago

Hi @nerrehmit, we have released the bugfix related to this issue in v1.2.1.