vyos / vyos.vyos

Ansible Network Collection for VyOS
GNU General Public License v3.0

vyos_facts confused about value of firewall rule log attribute. #342

Open np422 opened 3 months ago

np422 commented 3 months ago
SUMMARY

vyos_facts slightly confused about the value of log in firewall rule

ISSUE TYPE
COMPONENT NAME

vyos_facts

ANSIBLE VERSION
ansible [core 2.16.5]
  config file = /home/ops/ansible/ansible.cfg
  configured module search path = ['/home/ops/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ops/ansible/venv/lib/python3.10/site-packages/ansible
  ansible collection location = /home/ops/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ops/ansible/venv/bin/ansible
  python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/home/ops/ansible/venv/bin/python3)
  jinja version = 3.1.3
  libyaml = True
COLLECTION VERSION
ansible-galaxy collection list vyos.vyos

# /home/ops/.ansible/collections/ansible_collections
Collection Version
---------- -------
vyos.vyos  4.1.0  

# /home/ops/ansible/venv/lib/python3.10/site-packages/ansible_collections
Collection Version
---------- -------
vyos.vyos  4.1.0  
CONFIGURATION
ANSIBLE_NOCOWS(/home/ops/ansible/ansible.cfg) = True
CONFIG_FILE() = /home/ops/ansible/ansible.cfg
DEFAULT_FILTER_PLUGIN_PATH(/home/ops/ansible/ansible.cfg) = ['/home/ops/ansible/plugins/filter']
DEFAULT_FORKS(/home/ops/ansible/ansible.cfg) = 20
DEFAULT_ROLES_PATH(/home/ops/ansible/ansible.cfg) = ['/home/ops/ansible/roles.galaxy', '/home/ops/ansible/roles']
DEFAULT_VAULT_PASSWORD_FILE(env: ANSIBLE_VAULT_PASSWORD_FILE) = /home/ops/.seconvault
DEPRECATION_WARNINGS(/home/ops/ansible/ansible.cfg) = False
RETRY_FILES_ENABLED(/home/ops/ansible/ansible.cfg) = False
OS / ENVIRONMENT

Host running ansible ubuntu 22.04, vyos target 1.3.2

STEPS TO REPRODUCE

Use the vyos_facts module.

- name: Firwall configuration, rules and aliases only
  hosts:
    - XXXX-fw-01
  gather_facts: false
  tasks:
    -  name: Get running config from remote firewall
       vyos_facts:
         gather_subset: all
         gather_network_resources: all
       register: orig_vyos_config
EXPECTED RESULTS

The running config, not an error message

ACTUAL RESULTS

Result short:

PLAY [Firwall configuration, rules and aliases only] ***********************************************************************************************************************************************************************************************************************************************************

TASK [Get running config from remote firewall] *****************************************************************************************************************************************************************************************************************************************************************
fatal: [XXX-fw-01]: FAILED! => {"changed": false, "msg": "value of log must be one of: enable, disable, got: TCP found in config -> rule_sets -> rules"}

Verbose output:

ansible-playbook [core 2.16.5]
  config file = /home/ops/ansible/ansible.cfg
  configured module search path = ['/home/ops/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ops/ansible/venv/lib/python3.10/site-packages/ansible
  ansible collection location = /home/ops/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ops/ansible/venv/bin/ansible-playbook
  python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/home/ops/ansible/venv/bin/python3)
  jinja version = 3.1.3
  libyaml = True
Using /home/ops/ansible/ansible.cfg as config file
Reading vault password file: /home/ops/.seconvault
setting up inventory plugins
Loading collection ansible.builtin from 
host_list declined parsing /home/ops/ansible/inventories/vyos/inventory as it did not pass its verify_file() method
script declined parsing /home/ops/ansible/inventories/vyos/inventory as it did not pass its verify_file() method
auto declined parsing /home/ops/ansible/inventories/vyos/inventory as it did not pass its verify_file() method
Parsed /home/ops/ansible/inventories/vyos/inventory inventory source with ini plugin
redirecting (type: modules) ansible.builtin.vyos_facts to vyos.vyos.vyos_facts
Loading collection vyos.vyos from /home/ops/.ansible/collections/ansible_collections/vyos/vyos
Loading callback plugin default of type stdout, v2.0 from /home/ops/ansible/venv/lib/python3.10/site-packages/ansible/plugins/callback/default.py
Attempting to use 'default' callback.
Skipping callback 'default', as we already have a stdout callback.
Attempting to use 'junit' callback.
Attempting to use 'minimal' callback.
Skipping callback 'minimal', as we already have a stdout callback.
Attempting to use 'oneline' callback.
Skipping callback 'oneline', as we already have a stdout callback.
Attempting to use 'tree' callback.

PLAYBOOK: site.yml *************************************************************
Positional arguments: playbooks/vyos/site.yml
verbosity: 7
connection: ssh
become_method: sudo
tags: ('all',)
inventory: ('/home/ops/ansible/inventories/vyos/inventory',)
subset: XXX-fw-01
forks: 20
1 plays in playbooks/vyos/site.yml

PLAY [Firwall configuration, rules and aliases only] ***************************

TASK [Get running config from remote firewall] *********************************
task path: /home/ops/ansible/playbooks/vyos/site.yml:11
redirecting (type: connection) ansible.builtin.network_cli to ansible.netcommon.network_cli
Loading collection ansible.netcommon from /home/ops/.ansible/collections/ansible_collections/ansible/netcommon
Loading collection ansible.utils from /home/ops/.ansible/collections/ansible_collections/ansible/utils
redirecting (type: terminal) ansible.builtin.vyos to vyos.vyos.vyos
redirecting (type: cliconf) ansible.builtin.vyos to vyos.vyos.vyos
redirecting (type: modules) ansible.builtin.vyos_facts to vyos.vyos.vyos_facts
redirecting (type: action) ansible.builtin.vyos to vyos.vyos.vyos
<172.16.21.71> Using network group action vyos for vyos_facts
redirecting (type: action) ansible.builtin.vyos to vyos.vyos.vyos
<172.16.21.71> attempting to start connection
<172.16.21.71> using connection plugin ansible.netcommon.network_cli
Found ansible-connection at path /home/ops/ansible/venv/bin/ansible-connection
<172.16.21.71> local domain socket does not exist, starting it
<172.16.21.71> control socket path is /home/ops/.ansible/pc/8eabc378a2
<172.16.21.71> Loading collection ansible.builtin from 
<172.16.21.71> redirecting (type: connection) ansible.builtin.network_cli to ansible.netcommon.network_cli
<172.16.21.71> Loading collection ansible.netcommon from /home/ops/.ansible/collections/ansible_collections/ansible/netcommon
<172.16.21.71> Loading collection ansible.utils from /home/ops/.ansible/collections/ansible_collections/ansible/utils
<172.16.21.71> redirecting (type: terminal) ansible.builtin.vyos to vyos.vyos.vyos
<172.16.21.71> Loading collection vyos.vyos from /home/ops/.ansible/collections/ansible_collections/vyos/vyos
<172.16.21.71> redirecting (type: cliconf) ansible.builtin.vyos to vyos.vyos.vyos
<172.16.21.71> local domain socket listeners started successfully
<172.16.21.71> loaded cliconf plugin ansible_collections.vyos.vyos.plugins.cliconf.vyos from path /home/ops/.ansible/collections/ansible_collections/vyos/vyos/plugins/cliconf/vyos.py for network_os vyos
<172.16.21.71> ssh type is set to auto
<172.16.21.71> autodetecting ssh_type
<172.16.21.71> ssh type is now set to libssh
<172.16.21.71> Loading collection ansible.builtin from 
<172.16.21.71> local domain socket path is /home/ops/.ansible/pc/8eabc378a2
redirecting (type: action) ansible.builtin.vyos to vyos.vyos.vyos
<172.16.21.71> ANSIBLE_NETWORK_IMPORT_MODULES: enabled
redirecting (type: modules) ansible.builtin.vyos_facts to vyos.vyos.vyos_facts
<172.16.21.71> ANSIBLE_NETWORK_IMPORT_MODULES: found vyos_facts  at /home/ops/.ansible/collections/ansible_collections/vyos/vyos/plugins/modules/vyos_facts.py
<172.16.21.71> ANSIBLE_NETWORK_IMPORT_MODULES: running vyos_facts
<172.16.21.71> ANSIBLE_NETWORK_IMPORT_MODULES: complete
<172.16.21.71> ANSIBLE_NETWORK_IMPORT_MODULES:
<172.16.21.71> ANSIBLE_NETWORK_IMPORT_MODULES: Result: {'failed': True, 'msg': 'value of log must be one of: enable, disable, got: TCP found in config -> rule_sets -> rules', 'invocation': {'module_args': {'config': [{'afi': 'ipv4', 'rule_sets': [{'default_action': 'reject', 'enable_default_log': True, 'rules': [{'action': 'accept', 'description': 'no remove', 'state': {'related': True, 'established': True, 'invalid': None, 'new': None}, 'number': 10, 'destination': None, 'disable': None, 'fragment': None, 'icmp': None, 'ipsec': None, 'limit': None, 'log': None, 'p2p': None, 'protocol': None, 'recent': None, 'source': None, 'tcp': None, 'time': None}, {'log': 'enable', 'action': 'accept', 'protocol': 'tcp', 'description': 'ANSIBLE: EX001_Secon_ad_tcp - Internal access to ad', 'state': {'new': True, 'established': None, 'invalid': None, 'related': None}, 'destination': {'group': {'port_group': 'AD_tcp', 'address_group': 'com-ad-w01', 'network_group': None}, 'address': None, 'port': None}, 'number': 1030, 'disable': None, 'fragment': None, 'icmp': None, 'ipsec': None, 'limit': None, 'p2p': None, 'recent': None, 'source': None, 'tcp': None, 'time': None}, {'log': 'enable', 'action': 'accept', 'protocol': 'udp', 'description': 'ANSIBLE: EX001_Secon_ad_udp - Internal access to ad', 'state': {'new': True, 'established': None, 'invalid': None, 'related': None}, 'destination': {'group': {'port_group': 'AD_udp', 'address_group': 'com-ad-w01', 'network_group': None}, 'address': None, 'port': None}, 'number': 1040, 'disable': None, 'fragment': None, 'icmp': None, 'ipsec': None, 'limit': None, 'p2p': None, 'recent': None, 'source': None, 'tcp': None, 'time': None}, {'log': 'enable', 'action': 'accept', 'protocol': 'tcp', 'description': 'ANSIBLE: EX002_wsus - This rule is for all wsus updates', 'state': {'new': True, 'established': None, 'invalid': None, 'related': None}, 'destination': {'group': {'port_group': 'WSUS', 'address_group': 'com-wsus-w01', 'network_group': None}, 'address': None, 'port': None}, 'number': 1050, 'disable': None, 'fragment': None, 'icmp': None, 'ipsec': None, 'limit': None, 'p2p': None, 'recent': None, 'source': None, 'tcp': None, 'time': None}, {'log': 'enable', 'action': 'accept', 'protocol': 'udp', 'description': 'ANSIBLE: EX004_icinga_ntp_check - Allow all windows hosts to check the time against edge-fw-01', 'state': {'new': True, 'established': None, 'invalid': None, 'related': None}, 'destination': {'group': {'port_group': 'NTP', 'address_group': 'edge-fw-01', 'network_group': None}, 'address': None, 'port': None}, 'number': 1160, 'disable': None, 'fragment': None, 'icmp': None, 'ipsec': None, 'limit': None, 'p2p': None, 'recent': None, 'source': None, 'tcp': None, 'time': None}, {'log': 'TCP', 'action': 'accept', 'protocol': 'tcp', 'description': 'ANSIBLE: EX005_graylog_tcp - Destination Graylog TCP', 'state': {'new': True, 'established': None, 'invalid': None, 'related': None}, 'destination': {'gro .....

Example of more clear output found later in the printout, excerpt of the problematic section:

                                {
                                    "action": "accept",
                                    "description": "ANSIBLE: EX005_graylog_tcp - Destination Graylog TCP",
                                    "destination": {
                                        "address": null,
                                        "group": {
                                            "address_group": "com-graylog",
                                            "network_group": null,
                                            "port_group": "EX005_graylog_tcp"
                                        },
                                        "port": null
                                    },
                                    "disable": null,
                                    "fragment": null,
                                    "icmp": null,
                                    "ipsec": null,
                                    "limit": null,
                                    "log": "TCP",
                                    "number": 1170,
                                    "p2p": null,
                                    "protocol": "tcp",
                                    "recent": null,
                                    "source": null,
                                    "state": {
                                        "established": null,
                                        "invalid": null,
                                        "new": true,
                                        "related": null
                                    },
                                    "tcp": null,
                                    "time": null
                                },

The corresponding rule on the firewall as printed by show command in configure mode:

         rule 1170 {
             action accept
             description "ANSIBLE: EX005_graylog_tcp - Destination Graylog TCP"
             destination {
                 group {
                     address-group com-graylog
                     port-group EX005_graylog_tcp
                 }
             }
             log enable
             protocol tcp
             state {
                 new enable
             }
         }

The firewall does not have the value of the log parameter set to TCP; somehow the vyos_facts module seems to be a little confused about this.

I will provide any extra information requested.

We just upgraded the Ansible version; the vyos module had worked flawlessly for many years before.
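Added example, not part of the issue and not the vyos.vyos collection's own code. The one rule that comes back wrong is the one whose description ends in "Graylog TCP", i.e. the only rule text on this page that contains the substring "log TCP", while rule 1160 ("... against edge-fw-01") contains no such substring and parses fine. The snippet below reconstructs that symptom with an unanchored `log (\S+)` search over the rule's `set` commands and contrasts it with a parser that only accepts the `log` node itself. Whether the collection's parser does exactly this is an assumption; the rule-set name `LAN-IN` and the `set`-command rendering of both rules are constructed from the `show` output and the dict dump quoted above.

```python
import re
import shlex

# Constructed `show configuration commands` output for the two rules quoted in
# the report. The rule-set name LAN-IN is an assumption; the issue never names it.
SET_COMMANDS = """\
set firewall name LAN-IN rule 1160 action 'accept'
set firewall name LAN-IN rule 1160 description 'ANSIBLE: EX004_icinga_ntp_check - Allow all windows hosts to check the time against edge-fw-01'
set firewall name LAN-IN rule 1160 destination group address-group 'edge-fw-01'
set firewall name LAN-IN rule 1160 destination group port-group 'NTP'
set firewall name LAN-IN rule 1160 log 'enable'
set firewall name LAN-IN rule 1160 protocol 'udp'
set firewall name LAN-IN rule 1160 state new 'enable'
set firewall name LAN-IN rule 1170 action 'accept'
set firewall name LAN-IN rule 1170 description 'ANSIBLE: EX005_graylog_tcp - Destination Graylog TCP'
set firewall name LAN-IN rule 1170 destination group address-group 'com-graylog'
set firewall name LAN-IN rule 1170 destination group port-group 'EX005_graylog_tcp'
set firewall name LAN-IN rule 1170 log 'enable'
set firewall name LAN-IN rule 1170 protocol 'tcp'
set firewall name LAN-IN rule 1170 state new 'enable'
"""

# The value set the module's argspec accepts, per the error message in the report.
VALID_LOG = {"enable", "disable"}


def rule_lines(config, rule_set, number):
    """Return the raw set commands that belong to one rule."""
    prefix = f"set firewall name {rule_set} rule {number} "
    return [line for line in config.splitlines() if line.startswith(prefix)]


def naive_log_value(config, rule_set, number):
    """Unanchored extraction (assumed, for illustration): strip the quotes the
    CLI emits, then take the first 'log <word>' anywhere in the rule's text.
    A description containing 'Graylog TCP' satisfies this before the real
    'log enable' line does, yielding 'TCP'."""
    text = "\n".join(l.replace("'", "") for l in rule_lines(config, rule_set, number))
    match = re.search(r"log (\S+)", text)
    return match.group(1) if match else None


def strict_log_value(config, rule_set, number):
    """Anchored extraction: accept only a command whose node path is exactly
    'firewall name <set> rule <n> log <value>', then validate the value so a
    bad parse fails here rather than deep inside argspec validation."""
    head = ["set", "firewall", "name", rule_set, "rule", str(number), "log"]
    for line in rule_lines(config, rule_set, number):
        tokens = shlex.split(line)  # honours the CLI's single quotes
        if len(tokens) == len(head) + 1 and tokens[: len(head)] == head:
            value = tokens[-1]
            if value not in VALID_LOG:
                raise ValueError(
                    f"value of log must be one of: enable, disable, got: {value}"
                )
            return value
    return None


def compare(config, rule_set, numbers):
    """Map each rule number to (naive, strict) results for a side-by-side view."""
    return {
        n: (naive_log_value(config, rule_set, n), strict_log_value(config, rule_set, n))
        for n in numbers
    }


if __name__ == "__main__":
    for number, (naive, strict) in compare(SET_COMMANDS, "LAN-IN", (1160, 1170)).items():
        print(f"rule {number}: naive={naive!r} strict={strict!r}")
```

Running it shows rule 1160 parsing to `enable` both ways, while rule 1170 parses to `TCP` with the unanchored search and to `enable` with the anchored one; that is the same pattern the two rules show in the module's result dump above. For a report like this one, the useful diagnostic is to grep the `show configuration commands` output for `log ` and check which of the hits are inside a description rather than on a `log` node.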

gaige commented 1 month ago

@np422 What version were you upgrading from?

Could you use the | commands pipe? The facts are read from the set commands currently.

Also, can you show the rules from ANSIBLE: EX004_icinga_ntp_check as well? That appears to have the log appropriately set to enabled.