
Comments (8)

f-bor avatar f-bor commented on July 19, 2024

Hi,

could you please give me the parameters for the call to pfsense_rule_separator that is failing?

I also need your rules and separators definition on the lan interface before that call. I mean something like this:

  • 1 sep
  • 3 rules
  • 1 sep
  • 2 rules
    ...

If you use the after or before parameter, I need to know the position of the target.

from ansible-pfsense.

robindbe avatar robindbe commented on July 19, 2024

Hi,

So the actual task is this:

    - name: Add rule separators on LAN
      pfsense_rule_separator:
        name: "{{ item.name }}"
        state: present
        interface: lan
        before: "{{ item.before }}"
        color: "{{ item.color }}"
      loop:
        - name: "Management and Monitoring"
          before: "Firewall monitoring over TCP"
          color: "info"
        - name: "Cleanup"
          before: "Cleanup"
          color: "danger"

This is the output from that task:

TASK [Add rule separators on LAN] **************************************************************************************
task path: /Gitlab/ansible-pfsense/tasks_pfsense_config.yml:603
changed: [127.0.0.1 -> 172.29.126.16] => (item={u'color': u'info', u'name': u'Management and Monitoring', u'before': u'Firewall monitoring over TCP'}) => changed=true
  ansible_loop_var: item
  commands:
  - create rule_separator 'Management and Monitoring', interface='lan', color='info', before='Firewall monitoring over TCP'
  item:
    before: Firewall monitoring over TCP
    color: info
    name: Management and Monitoring
  stderr: ''
  stderr_lines: <omitted>
  stdout: |-
    pfSense shell: global $debug;
    pfSense shell: $debug = 1;
    pfSense shell: require_once("filter.inc");
    pfSense shell: if (filter_configure() == 0) { clear_subsystem_dirty('filter'); } [ApfSense shell: if (filter_configure() == 0) { clear_subsystem_dirty('filter'); [K}
    pfSense shell: exec
    pfSense shell: exit
  stdout_lines: <omitted>
changed: [127.0.0.1 -> 172.29.126.16] => (item={u'color': u'danger', u'name': u'Cleanup', u'before': u'Cleanup'}) => changed=true
  ansible_loop_var: item
  commands:
  - create rule_separator 'Cleanup', interface='lan', color='danger', before='Cleanup'
  item:
    before: Cleanup
    color: danger
    name: Cleanup
  stderr: ''
  stderr_lines: <omitted>
  stdout: |-
    pfSense shell: global $debug;
    pfSense shell: $debug = 1;
    pfSense shell: require_once("filter.inc");
    pfSense shell: if (filter_configure() == 0) { clear_subsystem_dirty('filter'); } [ApfSense shell: if (filter_configure() == 0) { clear_subsystem_dirty('filter'); [K}
    pfSense shell: exec
    pfSense shell: exit
  stdout_lines: <omitted>

This is the XML for the rules:

                <rule>
                        <type>pass</type>
                        <tracker>1567429839</tracker>
                        <ipprotocol>inet</ipprotocol>
                        <interface>lan</interface>
                        <direction>any</direction>
                        <statetype><![CDATA[keep state]]></statetype>
                        <descr><![CDATA[Firewall monitoring over TCP]]></descr>
                        <log></log>
                        <protocol>tcp</protocol>
                        <source>
                                <address>NET_EXT_MON</address>
                        </source>
                        <destination>
                                <network>lanip</network>
                                <port>SVC_MON_TCP</port>
                        </destination>
                </rule>
                <rule>
                        <type>pass</type>
                        <tracker>1567429840</tracker>
                        <ipprotocol>inet</ipprotocol>
                        <interface>lan</interface>
                        <direction>any</direction>
                        <statetype><![CDATA[keep state]]></statetype>
                        <descr><![CDATA[Firewall monitoring over UDP]]></descr>
                        <log></log>
                        <protocol>udp</protocol>
                        <source>
                                <address>NET_EXT_MON</address>
                        </source>
                        <destination>
                                <network>lanip</network>
                                <port>SVC_MON_UDP</port>
                        </destination>
                </rule>
                <rule>
                        <type>pass</type>
                        <tracker>1567429841</tracker>
                        <ipprotocol>inet</ipprotocol>
                        <interface>lan</interface>
                        <direction>any</direction>
                        <statetype><![CDATA[keep state]]></statetype>
                        <descr><![CDATA[Firewall mgmt]]></descr>
                        <log></log>
                        <protocol>tcp</protocol>
                        <source>
                                <address>GRP_EXT_OFFICE</address>
                        </source>
                        <destination>
                                <network>lanip</network>
                                <port>SVC_MGMT_FW</port>
                        </destination>
                </rule>
                <rule>
                        <type>block</type>
                        <tracker>1567429842</tracker>
                        <ipprotocol>inet46</ipprotocol>
                        <interface>lan</interface>
                        <direction>any</direction>
                        <statetype><![CDATA[keep state]]></statetype>
                        <descr><![CDATA[Cleanup]]></descr>
                        <log></log>
                        <protocol>tcp/udp</protocol>
                        <source>
                                <any></any>
                        </source>
                        <destination>
                                <any></any>
                        </destination>
                </rule>

This is the XML of the separators added by the Ansible module (the ones not showing up):

                <separator>
                        <lan>
                                <sep0>
                                        <color>bg-info</color>
                                        <text><![CDATA[Management and Monitoring]]></text>
                                        <row>fr8</row>
                                        <if>lan</if>
                                </sep0>
                                <sep1>
                                        <color>bg-danger</color>
                                        <text><![CDATA[Cleanup]]></text>
                                        <row>fr11</row>
                                        <if>lan</if>
                                </sep1>
                        </lan>
                </separator>

And this is the XML for the separators if I manually add them in the correct place. The order should be sep1, r1, r2, r3, sep2, r4:

                <separator>
                        <lan>
                                <sep0>    
                                        <row>fr0</row>
                                        <text><![CDATA[Management and Monitoring]]></text>
                                        <color>bg-info</color>
                                        <if>lan</if>
                                </sep0>
                                <sep1>
                                        <row>fr3</row>   
                                        <text><![CDATA[Cleanup]]></text>
                                        <color>bg-danger</color>
                                        <if>lan</if>
                                </sep1>
                        </lan>
                </separator>

If it helps, this is how the correct version looks in the GUI:
(screenshot of the Firewall / Rules / LAN page showing the separators in the correct place)


f-bor avatar f-bor commented on July 19, 2024

Thank you. Unfortunately, I haven't been able to reproduce it; it's working as expected when I try.

The fr8 and fr11 values show that the module thinks there are 8 other rules before.

Would it be possible to see the entire filter section of your config.xml? (I don't care about the sources and destinations, if you mind and want to remove them.)


robindbe avatar robindbe commented on July 19, 2024

I think I'm starting to understand. I do have a couple of floating rules, but those had only the LAN interface selected; that is an issue on my end (none should be selected, or multiple, but not just LAN), but I believe that is causing the separators to be offset. This is one of them:

<filter>
	<rule>
		<type>block</type>
		<tracker>1567429830</tracker>
		<ipprotocol>inet46</ipprotocol>
		**<interface>lan</interface>**
		<direction>any</direction>
		<statetype><![CDATA[keep state]]></statetype>
		<descr><![CDATA[No log HSRP]]></descr>
		<quick>yes</quick>
		<protocol>udp</protocol>
		<floating></floating>
		<source>
			<any></any>
		</source>
		<destination>
			<any></any>
			<port>SVC_HSRP</port>
		</destination>
	</rule>

Once I deselected the LAN interface (removing the 'interface' section completely in the above output) or selected an extra interface (like OPT1, resulting in lan,opt1) the issue disappears and the separators show up correctly.


f-bor avatar f-bor commented on July 19, 2024

Ok. I thought it may be this situation and I did the same configuration in my tests. It worked on my side because the GUI generated the following XML for floating rules:
<floating>yes</floating>

But in your case, it's just:
<floating></floating>

I will push a fix to handle that, but how did you create those rules? And if it was with the GUI, with which version of pfSense?

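As an added illustration of the root cause discussed above (this is not code from ansible-pfsense, and the config fragment and function names are constructed for the example), the following Python computes the `<row>` value a separator should get on an interface tab, showing how treating only `<floating>yes</floating>` as floating shifts every row when a rule carries an empty `<floating></floating>` instead:

```python
import xml.etree.ElementTree as ET

# Constructed config.xml fragment (not the poster's real file): one floating
# rule bound to lan with an empty <floating></floating>, followed by the four
# LAN rules from the issue; sources and destinations are left out.
SAMPLE_CONFIG = """<pfsense><filter>
<rule><interface>lan</interface><floating></floating><descr>No log HSRP</descr></rule>
<rule><interface>lan</interface><descr>Firewall monitoring over TCP</descr></rule>
<rule><interface>lan</interface><descr>Firewall monitoring over UDP</descr></rule>
<rule><interface>lan</interface><descr>Firewall mgmt</descr></rule>
<rule><interface>lan</interface><descr>Cleanup</descr></rule>
</filter></pfsense>"""

def is_floating(rule, strict_yes=False):
    # strict_yes=True mirrors the pre-fix behaviour from the thread: only
    # <floating>yes</floating> counts, so an empty <floating></floating>
    # rule is wrongly counted as an interface rule.
    if strict_yes:
        return rule.findtext("floating") == "yes"
    return rule.find("floating") is not None  # tag present at all

def interface_rules(root, interface, strict_yes=False):
    # Non-floating rules shown on the interface tab, in config order; the
    # GUI numbers these fr0, fr1, ... and <interface> may read "lan,opt1".
    rules = []
    for rule in root.findall("./filter/rule"):
        if is_floating(rule, strict_yes):
            continue
        if interface in (rule.findtext("interface") or "").split(","):
            rules.append(rule)
    return rules

def separator_row(root, interface, before_descr, strict_yes=False):
    # <row> value for a separator placed before the rule whose <descr>
    # equals before_descr.
    for idx, rule in enumerate(interface_rules(root, interface, strict_yes)):
        if rule.findtext("descr") == before_descr:
            return f"fr{idx}"
    raise ValueError(f"no rule {before_descr!r} on {interface}")

def demo():
    root = ET.fromstring(SAMPLE_CONFIG)
    targets = ("Firewall monitoring over TCP", "Cleanup")
    return {
        "fixed": [separator_row(root, "lan", d) for d in targets],
        "buggy": [separator_row(root, "lan", d, strict_yes=True) for d in targets],
    }
```

With the single constructed floating rule the offset is one row (fr1/fr4 instead of fr0/fr3); in the thread the poster had eight such rules, hence fr8 and fr11.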

robindbe avatar robindbe commented on July 19, 2024

Thanks.

I used another module from a different repository, I'll log an issue there as well about the 'yes' thing.


f-bor avatar f-bor commented on July 19, 2024

It should be ok now. Can you please confirm?


robindbe avatar robindbe commented on July 19, 2024

It is indeed solved, thanks a lot.
