pfsensible / core
Core modules for managing pfSense firewalls with ansible
License: GNU General Public License v3.0
When an interface is manually configured with DHCP, the corresponding gateway is automatically added (let's say its name is XYZ_DHCP).
But when trying to configure a route:
pfsensible.core.route:
  descr: "..."
  gateway: "XYZ_DHCP"
  network: "192.168.0.0/24"
I get the error: "The gateway XYZ_DHCP does not exist".
Hello
I have just noticed that you have a second repo for this collection.
But I have already written an issue on it: issue
So I post it here; tell me which one you want me to remove.
Hello,
First, thank you for the plugins.
I'm encountering a problem when I'm trying to use the pfsense_interface module to delete an existing interface that has no rules or separators.
It throws me this -vvv error message:
The full traceback is:
Traceback (most recent call last):
File "/root/.ansible/tmp/ansible-tmp-1654160293.51-1420-237622735159209/AnsiballZ_pfsense_interface.py", line 102, in <module>
_ansiballz_main()
File "/root/.ansible/tmp/ansible-tmp-1654160293.51-1420-237622735159209/AnsiballZ_pfsense_interface.py", line 94, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/root/.ansible/tmp/ansible-tmp-1654160293.51-1420-237622735159209/AnsiballZ_pfsense_interface.py", line 40, in invoke_module
runpy.run_module(mod_name='ansible_collections.pfsensible.core.plugins.modules.pfsense_interface', init_globals=None, run_name='__main__', alter_sys=True)
File "/usr/local/lib/python3.8/runpy.py", line 207, in run_module
return _run_module_code(code, init_globals, run_name, mod_spec)
File "/usr/local/lib/python3.8/runpy.py", line 97, in _run_module_code
_run_code(code, mod_globals, init_globals,
File "/usr/local/lib/python3.8/runpy.py", line 87, in _run_code
exec(code, run_globals)
File "/tmp/ansible_pfsensible.core.pfsense_interface_payload_99eqtdqt/ansible_pfsensible.core.pfsense_interface_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_interface.py", line 152, in <module>
File "/tmp/ansible_pfsensible.core.pfsense_interface_payload_99eqtdqt/ansible_pfsensible.core.pfsense_interface_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_interface.py", line 147, in main
File "/tmp/ansible_pfsensible.core.pfsense_interface_payload_99eqtdqt/ansible_pfsensible.core.pfsense_interface_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/module_base.py", line 228, in run
File "/tmp/ansible_pfsensible.core.pfsense_interface_payload_99eqtdqt/ansible_pfsensible.core.pfsense_interface_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/module_base.py", line 204, in _remove
File "/tmp/ansible_pfsensible.core.pfsense_interface_payload_99eqtdqt/ansible_pfsensible.core.pfsense_interface_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/interface.py", line 316, in _pre_remove_target_elt
File "/tmp/ansible_pfsensible.core.pfsense_interface_payload_99eqtdqt/ansible_pfsensible.core.pfsense_interface_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/interface.py", line 365, in _remove_all_separators
TypeError: 'NoneType' object is not iterable
fatal: [pfsense]: FAILED! => {
"changed": false,
"module_stderr": "Shared connection to 192.168.200.254 closed.\r
",
"module_stdout": "Traceback (most recent call last):\r
File \"/root/.ansible/tmp/ansible-tmp-1654160293.51-1420-237622735159209/AnsiballZ_pfsense_interface.py\", line 102, in <module>\r
_ansiballz_main()\r
File \"/root/.ansible/tmp/ansible-tmp-1654160293.51-1420-237622735159209/AnsiballZ_pfsense_interface.py\", line 94, in _ansiballz_main\r
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r
File \"/root/.ansible/tmp/ansible-tmp-1654160293.51-1420-237622735159209/AnsiballZ_pfsense_interface.py\", line 40, in invoke_module\r
runpy.run_module(mod_name='ansible_collections.pfsensible.core.plugins.modules.pfsense_interface', init_globals=None, run_name='__main__', alter_sys=True)\r
File \"/usr/local/lib/python3.8/runpy.py\", line 207, in run_module\r
return _run_module_code(code, init_globals, run_name, mod_spec)\r
File \"/usr/local/lib/python3.8/runpy.py\", line 97, in _run_module_code\r
_run_code(code, mod_globals, init_globals,\r
File \"/usr/local/lib/python3.8/runpy.py\", line 87, in _run_code\r
exec(code, run_globals)\r
File \"/tmp/ansible_pfsensible.core.pfsense_interface_payload_99eqtdqt/ansible_pfsensible.core.pfsense_interface_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_interface.py\", line 152, in <module>\r
File \"/tmp/ansible_pfsensible.core.pfsense_interface_payload_99eqtdqt/ansible_pfsensible.core.pfsense_interface_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_interface.py\", line 147, in main\r
File \"/tmp/ansible_pfsensible.core.pfsense_interface_payload_99eqtdqt/ansible_pfsensible.core.pfsense_interface_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/module_base.py\", line 228, in run\r
File \"/tmp/ansible_pfsensible.core.pfsense_interface_payload_99eqtdqt/ansible_pfsensible.core.pfsense_interface_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/module_base.py\", line 204, in _remove\r
File \"/tmp/ansible_pfsensible.core.pfsense_interface_payload_99eqtdqt/ansible_pfsensible.core.pfsense_interface_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/interface.py\", line 316, in _pre_remove_target_elt\r
File \"/tmp/ansible_pfsensible.core.pfsense_interface_payload_99eqtdqt/ansible_pfsensible.core.pfsense_interface_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/interface.py\", line 365, in _remove_all_separators\r
TypeError: 'NoneType' object is not iterable\r
",
"msg": "MODULE FAILURE
See stdout/stderr for the exact error",
"rc": 1
}
My pfSense is in a virtualbox VM
Virtualbox version: 6.1.34
Ansible version: 2.9.27
pfSense version: 2.6.0
I'm trying to automate the creation of subinterfaces on my pfSense install using Ansible.
I have a task that first creates a VLAN.
Then another task creates the associated subinterface, without any separator or rule.
Finally, a third task removes the subinterface (in order to remove the VLAN next), and there I face a problem: Ansible throws the error above.
Create a pfSense VM using virtualbox
Run the following Ansible playbook
---
- name: "VLANs and subinterfaces configuration on pfSense firewall"
  hosts: 'pfsense'
  become: true
  collections:
    - 'pfsensible.core'
  tasks:
    - name: "Create a VLAN"
      pfsensible.core.pfsense_vlan:
        interface: 'em1'
        vlan_id: '111'
        descr: '111_VLAN'
        state: 'present'
    - name: "Create subinterface"
      pfsensible.core.pfsense_interface:
        interface: 'em1.111'
        descr: '111_VLAN'
        enable: true
        ipv4_type: 'static'
        ipv4_address: '192.168.66.1'
        ipv4_prefixlen: 24
        state: 'present'
    - name: "Remove subinterface"
      pfsensible.core.pfsense_interface:
        interface: 'em1.111'
        descr: '111_VLAN'
        enable: true
        ipv4_type: 'static'
        ipv4_address: '192.168.66.1'
        ipv4_prefixlen: 24
        state: 'absent'
The problem seems to come from the fact that the subinterface I'm trying to remove doesn't have any separators in its rules.
It looks like a bug in the module_utils/network/pfsense/interface.py file, at line 368. I'm not very familiar with Python, but it looks like there's no check to verify that the variable separator is not empty before trying to iterate on it in the for loop.
In Ansible, just before the task that deletes the subinterface, you can add a task to create a dummy separator associated to the subinterface rules and after that the task that removes the subinterface works, like so:
- name: "VLANs and subinterfaces configuration on pfSense firewall"
  hosts: 'pfsense'
  become: true
  collections:
    - 'pfsensible.core'
  tasks:
    - name: "Create a VLAN"
      pfsensible.core.pfsense_vlan:
        interface: 'em1'
        vlan_id: '111'
        descr: '111_VLAN'
        state: 'present'
    - name: "Create subinterface"
      pfsensible.core.pfsense_interface:
        interface: 'em1.111'
        descr: '111_VLAN'
        enable: true
        ipv4_type: 'static'
        ipv4_address: '192.168.66.1'
        ipv4_prefixlen: 24
        state: 'present'
    - name: "Workaround removing interface problem"
      block:
        - name: "Add dummy separator to subinterface rules"
          pfsensible.core.pfsense_rule_separator:
            color: 'info'
            interface: '111_VLAN'
            name: 'Dummy separator'
            state: 'present'
        - name: "Remove subinterface"
          pfsensible.core.pfsense_interface:
            interface: 'em1.111'
            descr: '111_VLAN'
            enable: true
            ipv4_type: 'static'
            ipv4_address: '192.168.66.1'
            ipv4_prefixlen: 24
            state: 'absent'
I modified the function _remove_all_separators like so:
def _remove_all_separators(self, interface):
    """ delete all interface separators """
    todel = []
    separators = self.pfsense.rules.find('separator')
    # find() returns None when the config has no <separator> element at all
    if separators is not None:
        for interface_elt in separators:
            if interface_elt.tag != interface:
                continue
            for separator_elt in interface_elt:
                todel.append(separator_elt)
            for separator_elt in todel:
                cmd = 'delete rule_separator \'{0}\', interface=\'{1}\''.format(separator_elt.find('text').text, interface)
                self.result['commands'].append(cmd)
                interface_elt.remove(separator_elt)
            separators.remove(interface_elt)
            break
Then I ran the problematic Ansible code and it worked: the subinterface was deleted successfully without errors. I'm not sure if this is the right way to fix it, but let me know if you want me to open a PR.
Thanks for the help
Jo
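The None case the traceback above hits, as a stand-alone reproduction added here (not the collection's code): a pared-down remove_all_separators run over two constructed <filter> snippets, one with separators for an interface and one with no <separator> element at all. It assumes pfSense's config.xml layout, where <separator> holds one container per interface and each sepN entry carries a <text> child.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the <filter> subtree of a pfSense config.xml: the "lan"
# interface has two rule separators; nothing else has any.
RULES_WITH_SEPARATORS = """
<filter>
  <rule><descr>allow lan</descr><interface>lan</interface></rule>
  <separator>
    <lan>
      <sep0><row>fr0</row><text>Inbound</text><color>bg-info</color></sep0>
      <sep1><row>fr1</row><text>Outbound</text><color>bg-info</color></sep1>
    </lan>
  </separator>
</filter>
"""

# The case that crashed the module: a config with no <separator> element at all,
# which is what a freshly created subinterface with no rules looks like.
RULES_WITHOUT_SEPARATORS = """
<filter>
  <rule><descr>allow opt1</descr><interface>opt1</interface></rule>
</filter>
"""


def remove_all_separators(rules, interface):
    """Delete every rule separator belonging to `interface`.

    `rules` is the <filter> Element. Returns the list of commands that would be
    reported back to Ansible. Mirrors the proposed fix: when there is no
    <separator> element, find() returns None and must not be iterated over.
    """
    commands = []
    separators = rules.find('separator')
    if separators is None:
        return commands  # nothing to delete, so nothing to iterate
    for interface_elt in list(separators):
        if interface_elt.tag != interface:
            continue
        for separator_elt in list(interface_elt):
            text = separator_elt.findtext('text', default='')
            commands.append("delete rule_separator '{0}', interface='{1}'".format(text, interface))
            interface_elt.remove(separator_elt)
        # drop the now-empty per-interface container, as the module does
        separators.remove(interface_elt)
        break
    return commands


def run_case(xml_text, interface):
    """Parse a constructed <filter> snippet, apply the removal and report
    (commands, interfaces that still own separators afterwards)."""
    rules = ET.fromstring(xml_text.strip())
    commands = remove_all_separators(rules, interface)
    separators = rules.find('separator')
    leftover = [] if separators is None else [elt.tag for elt in separators]
    return commands, leftover


if __name__ == '__main__':
    print(run_case(RULES_WITHOUT_SEPARATORS, 'opt1'))  # no crash, nothing to do
    print(run_case(RULES_WITH_SEPARATORS, 'lan'))      # two delete commands
```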
It would be great if there is a module for managing Virtual IPs. (Firewall -> Virtual IPs)
I encountered an issue working with the pfsensible.core.ca module. It appears that when using Ansible with Python 3, the base64.b64encode(cert) call in validate_cert does not work properly. Please see the error message below. My workaround was to manually base64 encode the PEM file and use the encoded value in my playbook, but I think the function could be modified to handle this.
Code in plugin:
def validate_cert(self, cert):
    # TODO - Make sure certificate purpose includes CA
    lines = cert.splitlines()
    if lines[0] == '-----BEGIN CERTIFICATE-----' and lines[-1] == '-----END CERTIFICATE-----':
        return base64.b64encode(cert)
Problem encountered on OS CentOS 7.8.2003 Ansible Version: 2.9.9
Sample: Ansible Playbook used
Ansible Error:
"/tmp/ansible_pfsensible.core.ca_payload_m7vvdkd5/ansible_pfsensible.core.ca_payload.zip/ansible_collections/pfsensible/core/plugins/modules/ca.py", line 111, in validate_cert\r\n File "/usr/local/lib/python3.7/base64.py", line 58, in b64encode\r\n encoded = binascii.b2a_base64(s, newline=False)\r\nTypeError: a bytes-like object is required, not 'str'\r\n",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
Tested for fix:
#!/usr/bin/python3
import base64
data = open(unencoded_pem, "r").read()
#Commented for test
#data=(data.encode('utf-8'))
encoded = base64.b64encode(data)
print(encoded)
Traceback (most recent call last):
File "./py3fix.py", line 8, in <module>
encoded = base64.b64encode(data)
File "/usr/lib64/python3.6/base64.py", line 58, in b64encode
encoded = binascii.b2a_base64(s, newline=False)
TypeError: a bytes-like object is required, not 'str'
#!/usr/bin/python3
import base64
data = open(unencoded_pem, "r").read()
data=(data.encode('utf-8'))
encoded = base64.b64encode(data)
print(encoded)
Output:
b'LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURnakNDQW1xZ0F3SUJBZ0lCQVRBTkJna3Foa2lHOXcwQkFRc0ZBREF6TVJFd0R3WURWUVFLREFoVVJWTlUKTGt4QlRqRWVNQndHQTFVRUF3d1ZRMlZ5ZEdsbDBwZ0hMSyt5cHUxK3g=='
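A str/bytes tolerant version of validate_cert, added here as an example and not the collection's own code. It encodes text input before calling base64.b64encode (the cause of the TypeError quoted above), and also passes through a value that is already the base64 of a PEM certificate, mirroring the manual workaround; the sample PEM body is constructed and not a real certificate.

```python
import base64
import binascii

# Constructed, non-functional PEM used only as sample input.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedSampleBodyNotARealCertificate0000\n"
    "-----END CERTIFICATE-----\n"
)


def validate_cert(cert):
    """Return the base64-encoded PEM as text, or None if it is not a CA certificate PEM.

    Accepts either str or bytes: under Python 3 Ansible hands module parameters
    over as str, and base64.b64encode() only accepts bytes, hence the TypeError
    in the issue. Surrounding whitespace is tolerated. A value that is already
    base64 of a PEM certificate is accepted unchanged (the manual workaround).
    """
    if isinstance(cert, bytes):
        cert = cert.decode('utf-8')
    cert = cert.strip()
    lines = cert.splitlines()
    if lines and lines[0] == '-----BEGIN CERTIFICATE-----' and lines[-1] == '-----END CERTIFICATE-----':
        # TODO as in the module: check that the certificate purpose includes CA
        return base64.b64encode(cert.encode('utf-8')).decode('ascii')
    # Not PEM: see whether it is base64 of a PEM certificate (validate=True
    # rejects anything outside the base64 alphabet, e.g. a bare private key).
    try:
        decoded = base64.b64decode(cert, validate=True).decode('utf-8')
    except (binascii.Error, ValueError):
        return None
    if decoded.strip().startswith('-----BEGIN CERTIFICATE-----'):
        return cert
    return None


if __name__ == '__main__':
    print(validate_cert(SAMPLE_PEM))                  # str input now works
    print(validate_cert(SAMPLE_PEM.encode('utf-8')))  # bytes input, same result
```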
I'm trying to use the pfsensible.core.alias module and running into an issue seen below. I've set my remote_tmp directory to /tmp as noted in the error message but it appears that the main issue is "Bad -c option"?
<172.16.0.10> ESTABLISH PARAMIKO SSH CONNECTION FOR USER: admin on PORT 22 TO 172.16.0.10 <172.16.0.10> EXEC /bin/sh -c '( umask 77 && mkdir -p "
echo /tmp/ansible-tmp-1587412302.8008745-40411721665864 " && echo ansible-tmp-1587412302.8008745-40411721665864="
echo /tmp/ansible-tmp-1587412302.8008745-40411721665864 " ) && sleep 0' fatal: [pfsense]: UNREACHABLE! => { "changed": false, "msg": "Authentication or permission failure. In some cases, you may have been able to authenticate and did not have permissions on the target directory. Consider changing the remote tmp path in ansible.cfg to a path rooted in \"/tmp\". Failed command was: ( umask 77 && mkdir -p \"
echo /tmp/ansible-tmp-1587412302.8008745-40411721665864 \" && echo ansible-tmp-1587412302.8008745-40411721665864=\"
echo /tmp/ansible-tmp-1587412302.8008745-40411721665864 \" ), exited with result 2, stderr output: Bad -c option\n", "unreachable": true }
Please let me know if I can provide any more information on this error.
We're currently unable to create a NAT port forward rule for ICMP over WAN. Is this a good idea in all "prod" networks? Perhaps not, but it's useful for test ranges and troubleshooting!
Why are we asking about NAT port forwards when ICMP doesn't have a port? If the end goal is to provide the same amount of functionality via pfsensible as with the webUI, this may be worth the spare effort. This may already be covered by the firewall rule modules; if so, I'll verify and close this issue.
Here's the desired state of a valid nat forward rule:
- name: Create ICMP forward to some IP
  pfsensible.core.pfsense_nat_port_forward:
    descr: ICMP to some IP
    interface: wan
    source: any
    protocol: icmp
    destination: "{{ some IP }}"
    target: "{{ a destination IP }}"
    associated_rule: associated
    state: "{{ portfwd_state }}"
  tags: my_tag
Here are the current errors I receive:
FAILED! => {"changed": false, "msg": "'Create ICMP forward to some IP' on 'wan': \"None\" is not a valid redirect target port. It must be a port alias or integer between 1 and 65535."}
FAILED! => {"changed": false, "msg": "'Create ICMP forward to some IP' on 'wan': \"*\" is not a valid redirect target port. It must be a port alias or integer between 1 and 65535."}
FAILED! => {"changed": false, "msg": "'Create ICMP forward to some IP' on 'wan': \"any\" is not a valid redirect target port. It must be a port alias or integer between 1 and 65535."}
FAILED! => {"changed": false, "msg": "'Create ICMP forward to some IP' on 'wan': You can't use ports on protocols other than tcp, udp, tcp/udp"}
Hi,
pfsensible.core.interface:
  descr: "..."
  enable: true
  interface: "..."
  ipv4_type: "dhcp"
doesn't change the "IPv4 Configuration Type" (it's always "None").
I was very happy to find this project and the Ansible Galaxy collection, but I spent a few hours debugging why it did not work out of the box with Ansible 2.9.
I tried a small start with just defining a few aliases (having to trudge through the example files, not the documentation, to find out that you need to call "pfsensible.core.alias" and not "pfsense_alias" anymore), and noticed that a lot of references to modules are using the old mechanism.
Long story short, after installing the collection (getting version 0.1.0), I have to make the following changes to the related files if I want to use the alias module alone:
diff -ru /tmp/collections/ansible_collections/pfsensible/core/plugins/modules/alias.py /tmp/collections.new/collections/ansible_collections/pfsensible/core/plugins/modules/alias.py
--- /tmp/collections/ansible_collections/pfsensible/core/plugins/modules/alias.py 2020-01-22 18:58:33.375046136 +0900
+++ /tmp/collections.new/collections/ansible_collections/pfsensible/core/plugins/modules/alias.py 2020-01-22 19:49:52.884521470 +0900
@@ -82,7 +82,7 @@
"""
from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.network.pfsense.alias import PFSenseAliasModule, ALIAS_ARGUMENT_SPEC, ALIAS_REQUIRED_IF
+from ansible_collections.pfsensible.core.plugins.module_utils.alias import PFSenseAliasModule, ALIAS_ARGUMENT_SPEC, ALIAS_REQUIRED_IF
def main():
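Review bot: the rewritten import path in alias.py is the right shape for a collection (`ansible_collections.pfsensible.core.plugins.module_utils.alias`), but this hunk only fixes the one module needed here; every other module under plugins/modules that still imports from `ansible.module_utils.network.pfsense` will fail the same way at load time, so the fix should be applied as one search-and-replace across the collection, with a test that imports each module to catch any that are missed.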
diff -ru /tmp/collections/ansible_collections/pfsensible/core/plugins/module_utils/alias.py /tmp/collections.new/collections/ansible_collections/pfsensible/core/plugins/module_utils/alias.py
--- /tmp/collections/ansible_collections/pfsensible/core/plugins/module_utils/alias.py 2020-01-22 18:58:33.379046164 +0900
+++ /tmp/collections.new/collections/ansible_collections/pfsensible/core/plugins/module_utils/alias.py 2020-01-22 19:49:18.112280479 +0900
@@ -7,7 +7,7 @@
from __future__ import absolute_import, division, print_function
__metaclass__ = type
import re
-from ansible.module_utils.network.pfsense.module_base import PFSenseModuleBase
+from ansible_collections.pfsensible.core.plugins.module_utils.module_base import PFSenseModuleBase
ALIAS_ARGUMENT_SPEC = dict(
name=dict(required=True, type='str'),
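Review bot: module_utils/alias.py now points at the collection's own module_base, but the base class it imports has the same stale `__impl` imports (see the pfsense.py hunk), so fixing this file alone still leaves the alias module unloadable; the three hunks only work together, which is another argument for doing the rename mechanically over the whole module_utils tree rather than file by file.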
diff -ru /tmp/collections/ansible_collections/pfsensible/core/plugins/module_utils/pfsense.py /tmp/collections.new/collections/ansible_collections/pfsensible/core/plugins/module_utils/pfsense.py
--- /tmp/collections/ansible_collections/pfsensible/core/plugins/module_utils/pfsense.py 2020-01-22 18:58:33.383046193 +0900
+++ /tmp/collections.new/collections/ansible_collections/pfsensible/core/plugins/module_utils/pfsense.py 2020-01-22 19:47:20.871467915 +0900
@@ -21,8 +21,8 @@
class PFSenseModule(object):
""" class managing pfsense base configuration """
- from ansible.module_utils.network.pfsense.__impl.parse_address import parse_address
- from ansible.module_utils.network.pfsense.__impl.checks import check_name
+ from ansible_collections.pfsensible.core.plugins.module_utils.__impl.parse_address import parse_address
+ from ansible_collections.pfsensible.core.plugins.module_utils.__impl.checks import check_name
def __init__(self, module, config='/cf/conf/config.xml'):
self.module = module
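Review bot: the two imports being rewritten sit inside the class body (they follow the `PFSenseModule` docstring), so `parse_address` and `check_name` are bound as class attributes rather than module-level names; the path fix is correct, but since these lines are being touched anyway it would be cleaner to hoist them to module level next to the other imports, as class-level imports are easy to overlook in a future rename like this one.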
The above changes finally yield the expected behavior when the code is actually run on pfSense.
All other modules probably suffer from the same issue.
I hope this helps someone, and at any rate, do keep up the good work!
I expect to make heavy use of this in the upcoming weeks.
Cheers,
I just realized that there are two different repositories. I guess I reported my issue in the wrong place? Just in case I am also linking it here
I can make rule separators for firewall rules with pfsensible.core.rule_separator, it sure would be neat if I could do the same for NAT port forward rules.
I see two potential approaches:
- nat in the interface field of rule_separator.
- pfsensible.core.nat_rule_separator.
I'm trying to create a phase 1 on an IPSec tunnel in Responder Only mode, so I've set responderonly to True.
But it gave me this error:
TypeError: cannot serialize True (type bool)
Documentation states that it's a boolean parameter, but I think on the pfSense it's not: the default value is False, and it must be working because it falls back to the default on the pfSense.
Can you update the type of this parameter to choices in pfsense_ipsec module ?
Trying it with pfSense 2.6.0 (I don't know if it's compatible), logging in as root:
[pfsense]
10.90.0.99 ansible_user=root ansible_ssh_pass=pfsense
Running a simple thing like creating VLANs. The sudo package is installed on pfSense. Tried with "become" and without.
I get "file not found /cf/conf/config.xml"; if I log in via SSH and go there, the file is there and my user or root can write it. From the web UI, using "edit file" and pointing it to /cf/conf/config.xml also works.
Hi folks,
First time user here. I was able to add VLANs, but unable to add interfaces.
I did a little digging and added a couple more print statements to see the actual error, pasted below.
Thanks!
core 2.14.3
Latest main (master) branch.
Python 3.9 (3.11 gives the same result)
MacOS Ventura 13.2.1
23.01-RELEASE (amd64)
built on Fri Feb 10 20:06:33 UTC 2023
FreeBSD 14.0-CURRENT
- name: Create Interfaces
  hosts: pfsense
  gather_facts: yes
  tasks:
    - name: Read Database CSV
      read_csv:
        path: database.csv
      delegate_to: localhost
      register: db
    - name: Create Interfaces
      loop: "{{ db.list }}"
      loop_control:
        loop_var: item
      pfsensible.core.pfsense_interface:
        interface: "ix1.{{ item.id }}"
        descr: "{{ item.label }}"
        enable: True
        state: present #absent
require_once('/etc/inc/interfaces.inc');
$portlist = get_interface_list();
/* add wireless clone interfaces */
if (is_array($config['wireless']['clone']) && count($config['wireless']['clone']))
    foreach ($config['wireless']['clone'] as $clone)
        $portlist[$clone['cloneif']] = $clone;
/* add VLAN interfaces */
if (is_array($config['vlans']['vlan']) && count($config['vlans']['vlan']))
    foreach ($config['vlans']['vlan'] as $vlan)
        $portlist[$vlan['vlanif']] = $vlan;
/* add Bridge interfaces */
if (is_array($config['bridges']['bridged']) && count($config['bridges']['bridged']))
    foreach ($config['bridges']['bridged'] as $bridge)
        $portlist[$bridge['bridgeif']] = $bridge;
/* add GIF interfaces */
if (is_array($config['gifs']['gif']) && count($config['gifs']['gif']))
    foreach ($config['gifs']['gif'] as $gif)
        $portlist[$gif['gifif']] = $gif;
/* add GRE interfaces */
if (is_array($config['gres']['gre']) && count($config['gres']['gre']))
    foreach ($config['gres']['gre'] as $gre)
        $portlist[$gre['greif']] = $gre;
/* add LAGG interfaces */
if (is_array($config['laggs']['lagg']) && count($config['laggs']['lagg']))
    foreach ($config['laggs']['lagg'] as $lagg) {
        $portlist[$lagg['laggif']] = $lagg;
        /* LAGG members cannot be assigned */
        $lagifs = explode(',', $lagg['members']);
        foreach ($lagifs as $lagif)
            if (isset($portlist[$lagif]))
                unset($portlist[$lagif]);
    }
/* add QinQ interfaces */
if (is_array($config['qinqs']['qinqentry']) && count($config['qinqs']['qinqentry']))
    foreach ($config['qinqs']['qinqentry'] as $qinq) {
        $portlist["{$qinq['vlanif']}"] = $qinq;
        /* QinQ members */
        $qinqifs = explode(' ', $qinq['members']);
        foreach ($qinqifs as $qinqif)
            $portlist["{$qinq['vlanif']}.{$qinqif}"] = $qinqif;
    }
/* add PPP interfaces */
if (is_array($config['ppps']['ppp']) && count($config['ppps']['ppp']))
    foreach ($config['ppps']['ppp'] as $pppid => $ppp)
        $portlist[$ppp['if']] = $ppp;
if (is_array($config['openvpn'])) {
    if (is_array($config['openvpn']['openvpn-server']))
        foreach ($config['openvpn']['openvpn-server'] as $s)
            $portlist["ovpns{$s['vpnid']}"] = $s;
    if (is_array($config['openvpn']['openvpn-client']))
        foreach ($config['openvpn']['openvpn-client'] as $c)
            $portlist["ovpnc{$c['vpnid']}"] = $c;
}
$ipsec_descrs = interface_ipsec_vti_list_all();
foreach ($ipsec_descrs as $ifname => $ifdescr)
    $portlist[$ifname] = array('descr' => $ifdescr);
echo json_encode($portlist, JSON_PRETTY_PRINT);
----------------------------------------------------
Fatal error: Uncaught TypeError: Cannot access offset of type string on string in Standard input code:2
Stack trace:
#0 {main}
thrown in Standard input code on line 2
PHP ERROR: Type: 1, File: Standard input code, Line: 2, Message: Uncaught TypeError: Cannot access offset of type string on string in Standard input code:2
Stack trace:
#0 {main}
thrown
Traceback (most recent call last):
File \"/root/.ansible/tmp/ansible-tmp-1678194212.721174-67614-29264918768809/AnsiballZ_pfsense_interface.py\", line 107, in <module>
_ansiballz_main()
File \"/root/.ansible/tmp/ansible-tmp-1678194212.721174-67614-29264918768809/AnsiballZ_pfsense_interface.py\", line 99, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File \"/root/.ansible/tmp/ansible-tmp-1678194212.721174-67614-29264918768809/AnsiballZ_pfsense_interface.py\", line 47, in invoke_module
runpy.run_module(mod_name='ansible_collections.pfsensible.core.plugins.modules.pfsense_interface', init_globals=dict(_module_fqn='ansible_collections.pfsensible.core.plugins.modules.pfsense_interface', _modlib_path=modlib_path),
File \"/usr/local/lib/python3.9/runpy.py\", line 225, in run_module
return _run_module_code(code, init_globals, run_name, mod_spec)
File \"/usr/local/lib/python3.9/runpy.py\", line 97, in _run_module_code
_run_code(code, mod_globals, init_globals,
File \"/usr/local/lib/python3.9/runpy.py\", line 87, in _run_code
exec(code, run_globals)
File \"/tmp/ansible_pfsensible.core.pfsense_interface_payload_dnr2ahcy/ansible_pfsensible.core.pfsense_interface_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_interface.py\", line 159, in <module>
File \"/tmp/ansible_pfsensible.core.pfsense_interface_payload_dnr2ahcy/ansible_pfsensible.core.pfsense_interface_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_interface.py\", line 154, in main
File \"/tmp/ansible_pfsensible.core.pfsense_interface_payload_dnr2ahcy/ansible_pfsensible.core.pfsense_interface_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/module_base.py\", line 223, in run
File \"/tmp/ansible_pfsensible.core.pfsense_interface_payload_dnr2ahcy/ansible_pfsensible.core.pfsense_interface_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/interface.py\", line 177, in _validate_params
File \"/tmp/ansible_pfsensible.core.pfsense_interface_payload_dnr2ahcy/ansible_pfsensible.core.pfsense_interface_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/interface.py\", line 385, in _get_interface_list
File \"/tmp/ansible_pfsensible.core.pfsense_interface_payload_dnr2ahcy/ansible_pfsensible.core.pfsense_interface_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/pfsense.py\", line 618, in php
File \"/usr/local/lib/python3.9/json/__init__.py\", line 346, in loads
return _default_decoder.decode(s)
File \"/usr/local/lib/python3.9/json/decoder.py\", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File \"/usr/local/lib/python3.9/json/decoder.py\", line 355, in raw_decode
raise JSONDecodeError(\"Expecting value\", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 2 column 1 (char 1)
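The traceback above ends in json.loads() because the PHP snippet the module ran on the firewall printed a fatal error instead of JSON. As an added example (not the collection's code), this helper inspects the raw PHP output first and turns a PHP error line into a readable failure instead of a bare JSONDecodeError; both sample outputs are constructed, the first from the error text quoted in this issue.

```python
import json
import re

# Constructed sample: what the module got back in this issue (error text as quoted).
PHP_ERROR_OUTPUT = """
Fatal error: Uncaught TypeError: Cannot access offset of type string on string in Standard input code:2
Stack trace:
#0 {main}
  thrown in Standard input code on line 2
PHP ERROR: Type: 1, File: Standard input code, Line: 2, Message: Uncaught TypeError: Cannot access offset of type string on string in Standard input code:2
"""

# Constructed sample: a healthy run printing the interface list as JSON.
PHP_GOOD_OUTPUT = """{
    "em0": {"mac": "08:00:27:aa:bb:cc", "up": true},
    "em1": {"mac": "08:00:27:dd:ee:ff", "up": false},
    "em1.111": {"if": "em1", "tag": "111", "descr": "111_VLAN", "vlanif": "em1.111"}
}
"""

# Only hard failures: PHP warnings/notices may precede valid JSON and are not matched.
PHP_ERROR_RE = re.compile(r'^(?:PHP Fatal error|Fatal error|Parse error|PHP ERROR):\s*(.*)$', re.M)


class PHPOutputError(Exception):
    """Raised when the PHP snippet reported an error instead of printing JSON."""


def parse_php_json(output):
    """Decode the JSON printed by a pfSense-side PHP snippet, failing loudly on PHP errors.

    Returns the decoded object. Raises PHPOutputError carrying the PHP error line
    when one is present, or carrying the first 200 characters of the output when
    it is neither JSON nor a recognisable PHP error.
    """
    text = output.strip()
    match = PHP_ERROR_RE.search(text)
    if match:
        raise PHPOutputError('PHP reported: ' + match.group(0))
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        raise PHPOutputError('PHP output is not JSON: {0!r} ({1})'.format(text[:200], exc)) from exc


def interface_list(output):
    """Return (sorted interface names, None) on success or ([], error message) on failure."""
    try:
        return sorted(parse_php_json(output).keys()), None
    except PHPOutputError as exc:
        return [], str(exc)


if __name__ == '__main__':
    print(interface_list(PHP_GOOD_OUTPUT))
    print(interface_list(PHP_ERROR_OUTPUT))
```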
https://github.com/pfsensible/core/wiki/pfsensible.core.group
Just a few quirks in the documentation.
The documentation states description as a parameter, but trying to use it results in the following message:
Unsupported parameters for (pfsensible.core.group) module: description Supported parameters include: descr, gid, name, priv, scope, state
Also, state: present is not mentioned in the example but is actually explicitly required.
What about a module to configure DHCP forwarding?
Any plans for this?
BTW: I'm looking forward to additional modules like gateway group configuration, a WireGuard configuration module, etc.
Any plans to develop this collection any further?
Best regards
André
Would be nice if there is a module for managing 1:1 NAT rules.
Hi all,
I tried to manage my interface groups with pfsensible. The simple Ansible task below can change the members of an existing interface group (i.e. there's already a group with the same name in the config.xml). Creating a new interface group with a new name, however, results in the following error: IndexError: list index out of range
- name: Add interface group
  pfsensible.core.pfsense_interface_group:
    name: SRV
    members:
      - 121_SRV_PRD
      - 123_SRV_DEV
TASK [pfs_base : Add interface group] ******************************************************************************************************************************************************************************************************
task path: /home/user/ansible/roles/pfs_base/tasks/main.yml:27
The full traceback is:
Traceback (most recent call last):
File "<stdin>", line 107, in <module>
File "<stdin>", line 99, in _ansiballz_main
File "<stdin>", line 47, in invoke_module
File "<frozen runpy>", line 226, in run_module
File "<frozen runpy>", line 98, in _run_module_code
File "<frozen runpy>", line 88, in _run_code
File "/tmp/ansible_pfsensible.core.pfsense_interface_group_payload_wgh2n3j9/ansible_pfsensible.core.pfsense_interface_group_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_interface_group.py", line 93, in <module>
File "/tmp/ansible_pfsensible.core.pfsense_interface_group_payload_wgh2n3j9/ansible_pfsensible.core.pfsense_interface_group_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_interface_group.py", line 88, in main
File "/tmp/ansible_pfsensible.core.pfsense_interface_group_payload_wgh2n3j9/ansible_pfsensible.core.pfsense_interface_group_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/module_base.py", line 227, in run
File "/tmp/ansible_pfsensible.core.pfsense_interface_group_payload_wgh2n3j9/ansible_pfsensible.core.pfsense_interface_group_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/interface_group.py", line 113, in _find_target
IndexError: list index out of range
fatal: [versefw]: FAILED! => {
"changed": false,
"module_stderr": "Traceback (most recent call last):\n File \"<stdin>\", line 107, in <module>\n File \"<stdin>\", line 99, in _ansiballz_main\n File \"<stdin>\", line 47, in invoke_module\n File \"<frozen runpy>\", line 226, in run_module\n File \"<frozen runpy>\", line 98, in _run_module_code\n File \"<frozen runpy>\", line 88, in _run_code\n File \"/tmp/ansible_pfsensible.core.pfsense_interface_group_payload_wgh2n3j9/ansible_pfsensible.core.pfsense_interface_group_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_interface_group.py\", line 93, in <module>\n File \"/tmp/ansible_pfsensible.core.pfsense_interface_group_payload_wgh2n3j9/ansible_pfsensible.core.pfsense_interface_group_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_interface_group.py\", line 88, in main\n File \"/tmp/ansible_pfsensible.core.pfsense_interface_group_payload_wgh2n3j9/ansible_pfsensible.core.pfsense_interface_group_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/module_base.py\", line 227, in run\n File \"/tmp/ansible_pfsensible.core.pfsense_interface_group_payload_wgh2n3j9/ansible_pfsensible.core.pfsense_interface_group_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/interface_group.py\", line 113, in _find_target\nIndexError: list index out of range\n",
"module_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}
Using:
ansible [core 2.14.5]
python version = 3.11.3 (main, Jun 9 2023, 16:40:48) [GCC 12.2.1 20230428] (/usr/bin/python3.11)
pfsensible.core 0.5.3
Many thanks for this project!
Hi,
I am using pfsensible.core.pfsense_openvpn_override and I am trying to add a client specific override. One of the fields in the GUI is the "Tunnel Network" and you can specify the ip/netmask in cidr notation, allowing for static tunnel ips for specific clients. In the gui you can specify an ip address that is not the network address, e.g. 192.168.0.2/24 as opposed to 192.168.0.0/24, however when testing the pfsensible functionality, it appears to error with fatal: FAILED! => {"changed": false, "msg": "A valid IPv4 network must be specified for tunnel_network."}
It does not appear to fail when the network address is specified, but this doesn't allow for the static tunnel addresses.
Hi,
first of all: thanks for the work you all have done in here :) i really appreciate this collection!
But I wanted to ask if someone is already working on modules to make some services scriptable, especially the DHCP and DNS modules... or are these already available and I missed them somewhere?
Greetz,
Markus
I am using pfsense_aggregate with aggregated_rules. The following rules worked for the Netgate 2100, but not the Netgate 6100. Below is a brief example of the code I am running. MANAGEMENT is a VLAN interface on ix0 as: ix0.100.
Task:
- name: Setup the Rules
  pfsensible.core.pfsense_aggregate:
    purge_rules: "{{ host_firewall_rules.options.purge_rules }}"
    aggregated_rules: "{{ host_firewall_rules.rules }}"
host_vars:
host_interfaces:
  management:
    interface: opt8
host_firewall_rules:
  options:
    purge_rules: true
  rules:
    - name: MANAGEMENT - Allow ping out
      state: present
      action: pass
      interface: "{{ host_interfaces.management.interface }}"
      ipprotocol: inet
      protocol: icmp
      source: MANAGEMENTNetwork
      destination: any
Ansible is giving me the error:
mgs: '"opt8" is not a valid interface'
I have tried ix0.100 and other opt interfaces. Again, this worked on the Netgate 2100. Any ideas or thoughts?
It seems that using this ansible definition:
will fail with an error like this if and only if the list of static mappings for the given interface is empty:
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: IndexError: list index out of range
failed: [192.168.1.201] (item={'name': 'sony-tv-sitting-room', 'mac': '70:26:05:7b:f7:0e', 'address': '172.16.24.204', 'interface': 'opt2'}) => {"ansible_loop_var": "item", "changed": false, "item": {"address": "172.16.24.204", "interface": "opt2", "mac": "70:26:05:7b:f7:0e", "name": "sony-tv-sitting-room"}, "module_stderr": "Shared connection to 192.168.1.201 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File "/root/.ansible/tmp/ansible-tmp-1678623425.479361-92221-106907561307919/AnsiballZ_pfsense_dhcp_static.py", line 107, in \r\n _ansiballz_main()\r\n File "/root/.ansible/tmp/ansible-tmp-1678623425.479361-92221-106907561307919/AnsiballZ_pfsense_dhcp_static.py", line 99, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File "/root/.ansible/tmp/ansible-tmp-1678623425.479361-92221-106907561307919/AnsiballZ_pfsense_dhcp_static.py", line 47, in invoke_module\r\n runpy.run_module(mod_name='ansible_collections.pfsensible.core.plugins.modules.pfsense_dhcp_static', init_globals=dict(_module_fqn='ansible_collections.pfsensible.core.plugins.modules.pfsense_dhcp_static', _modlib_path=modlib_path),\r\n File "/usr/local/lib/python3.8/runpy.py", line 207, in run_module\r\n return _run_module_code(code, init_globals, run_name, mod_spec)\r\n File "/usr/local/lib/python3.8/runpy.py", line 97, in _run_module_code\r\n _run_code(code, mod_globals, init_globals,\r\n File "/usr/local/lib/python3.8/runpy.py", line 87, in _run_code\r\n exec(code, run_globals)\r\n File "/tmp/ansible_pfsensible.core.pfsense_dhcp_static_payload_siiogh9i/ansible_pfsensible.core.pfsense_dhcp_static_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_dhcp_static.py", line 362, in \r\n File "/tmp/ansible_pfsensible.core.pfsense_dhcp_static_payload_siiogh9i/ansible_pfsensible.core.pfsense_dhcp_static_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_dhcp_static.py", line 357, in main\r\n File 
"/tmp/ansible_pfsensible.core.pfsense_dhcp_static_payload_siiogh9i/ansible_pfsensible.core.pfsense_dhcp_static_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/module_base.py", line 232, in run\r\n File "/tmp/ansible_pfsensible.core.pfsense_dhcp_static_payload_siiogh9i/ansible_pfsensible.core.pfsense_dhcp_static_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/module_base.py", line 169, in _add\r\n File "/tmp/ansible_pfsensible.core.pfsense_dhcp_static_payload_siiogh9i/ansible_pfsensible.core.pfsense_dhcp_static_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_dhcp_static.py", line 296, in _copy_and_add_target\r\n File "/tmp/ansible_pfsensible.core.pfsense_dhcp_static_payload_siiogh9i/ansible_pfsensible.core.pfsense_dhcp_static_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_dhcp_static.py", line 284, in _find_last_dhcp_static_index\r\nIndexError: list index out of range\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
Manually creating a dummy mapping for each interface before running the ansible means this error is no longer seen.
Here is my playbook:
- name: Create Ansible user on pfSense
  hosts: pfsense
  collections:
    - pfsensible.core
  remote_user: admin
  become: false
  tasks:
    - name: Add Ansible user
      pfsense_user:
        name: "{{ lookup('env','ADM_USR') }}"
        password: "{{ lookup('env','ADM_PWD') | password_hash('bcrypt') }}"
        authorizedkeys: "{{ lookup('env','PUBLIC_KEY') }}"
        descr: Ansible User
        scope: system
        groups: [ 'admins' ]
        priv: [ 'page-all', 'user-shell-access' ]
Here is the result:
Run ansible-playbook ansible/playbook-pfsense-create-ansible-user.yml
ansible-playbook ansible/playbook-pfsense-create-ansible-user.yml
shell: /usr/bin/bash -e {0}
env:
pythonLocation: /opt/hostedtoolcache/Python/3.11.3/x64
PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.11.3/x64/lib/pkgconfig
Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.3/x64
Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.3/x64
Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.3/x64
LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.11.3/x64/lib
ADM_USR: ***
ADM_PWD: ***
PUBLIC_KEY: ***
PLAY [Create Ansible user on pfSense] ******************************************
TASK [Gathering Facts] *********************************************************
ok: [pfsense.jordan-lenuff.com]
TASK [Add Ansible user] ********************************************************
changed: [pfsense]
PLAY RECAP *********************************************************************
pfsense : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
When I go to the pfSense web GUI, I can see my newly created user:
When I log in through SSH to the server, I can see the FreeBSD-created user:
[2.6.0-RELEASE][[email protected]]/root: id myuser
uid=2000(myuser) gid=65534(nobody) groups=65534(nobody)
[2.6.0-RELEASE][[email protected]]/root:
But, as shown above, the user does not belong to the admins group.
I tried to manually delete the /tmp/config.cache file and run some of the rc scripts (such as /etc/rc.restart_webgui, /etc/rc.reload_all, etc.), but nothing updates the user groups.
If I simply reboot the pfSense machine, the user finally belongs to the admins.
So, I have two questions:
When defining a firewall rule:
To reproduce, define a URL Table (Ports) and use it in a pfsensible.core.pfsense_rule.
Example YAML:
pfsensible.core.pfsense_rule:
  name: "Title"
  action: "pass"
  interface: "LAN"
  ipprotocol: "inet"
  protocol: "tcp/udp"
  source: "NET:LAN"
  destination: "8.8.8.8"
  destination_port: "Google_urltable_ports" # this fails
  state: present
I have verified in my testing that my URL Table (Ports) is valid by using it in a rule defined in the web interface of the pfSense.
Hi,
I tried this playbook using ansible 2.9.2 and the collection version 0.2.0:
---
- hosts: all
  tasks:
    - name: "Test playbook"
      pfsensible.core.aggregate:
        purge_aliases: true
        purge_rules: true
        purge_rule_separators: true
        aggregated_aliases:
          - { name: ports_http_https, type: port, address: '80 443', state: present }
        aggregated_rules:
          - { name: "rule_1", source: any, destination: any, protocol: any, interface: LAN, state: present, disabled: false }
          - { name: "rule_2", source: any, destination: any, protocol: any, interface: LAN, state: present, disabled: false }
        aggregated_rule_separators:
          - { name: "separator_1", interface: LAN, state: present, before: rule_1 }
          - { name: "separator_2", interface: LAN, state: present, before: rule_2 }
and I get this result:
Then I updated the playbook, adding a new rule and separator, rule_0 and separator_0, combined with purge_rules and purge_separators:
---
- hosts: all
  tasks:
    - name: "Test playbook"
      pfsensible.core.aggregate:
        purge_aliases: true
        purge_rules: true
        purge_rule_separators: true
        aggregated_aliases:
          - { name: ports_http_https, type: port, address: '80 443', state: present }
        aggregated_rules:
          - { name: "rule_0", source: any, destination: any, protocol: any, interface: LAN, state: present, disabled: false }
          - { name: "rule_1", source: any, destination: any, protocol: any, interface: LAN, state: present, disabled: false }
          - { name: "rule_2", source: any, destination: any, protocol: any, interface: LAN, state: present, disabled: false }
        aggregated_rule_separators:
          - { name: "separator_0", interface: LAN, state: present, before: rule_0 }
          - { name: "separator_1", interface: LAN, state: present, before: rule_1 }
          - { name: "separator_2", interface: LAN, state: present, before: rule_2 }
and I was expecting that the new rule would appear at the top but it's added at the bottom. see
I have seen that the module pfsensible.core.rule provides the options before and after to define the order of the rules, but if the list of rules grows a lot I would find it much more convenient that the order defined in the playbook is respected. Is that possible?
Thanks in advance for any help.
Any idea why I'm getting an invalid -c option error?
<10.79.109.138> SSH: EXEC sshpass -d43 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o 'User="admin"' -o ConnectTimeout=10 -o ControlPath=/Users/****/.ansible/cp/d05d73dcc1 10.79.109.138 '/bin/sh -c '"'"'echo ~admin && sleep 0'"'"''
<10.79.109.138> (2, b'', b'Bad -c option\n')
---
- hosts: pfsense
  become: true
  gather_facts: false
  tasks:
    - name: Add operator user
      pfsensible.core.user:
        name: "{{ item.username }}"
        descr: "{{ item.full_name }}"
        scope: user
        priv: [ 'user-shell-access' ]
        authorizedkeys: "{{ item.authorized_key|b64encode }}"
      loop: "{{ ops_users }}"
Hello,
thank you for this module.
I'm encountering a problem when I'm trying to use pfsense_gateway to create a gateway. It throws me this error from my AWX:
{ "msg": "Interface vtnet0 not found", "invocation": { "module_args": { "name": "wangateway", "interface": "vtnet0", "gateway": "redacted", "state": "present", "ipprotocol": "inet", "descr": "", "disabled": false, "monitor_disable": false, "action_disable": false, "force_down": false, "weight": 1, "nonlocalgateway": false, "monitor": null } }, "_ansible_no_log": false, "changed": false }
My playbook is using a variable for the gateway on pfSense 2.6.0:
- name: get interface name
  shell: ifconfig -lu | awk '{print$1}'
  register: interface_get
- name: debug {{ interface_get.stdout }}
  debug:
    var: interface_get.stdout
# configure gateway first for interface
- name: config pfsense gateway
  pfsense_gateway:
    name: 'wangateway'
    # interface: "{{ pfsense_interface_gateway | quote }}"
    interface: "{{interface_get.stdout | quote}}"
    gateway: "{{ pfsense_gateway_address }}"
    state: present
Feature request
In pfsense_dhcp_static, extend the parameter netif=<interface_port> to allow the display name of the interface as well.
Furthermore, DHCP cannot be configured for an interface group, so return a more descriptive error message.
diff -Nur collections.save/ansible_collections/pfsensible/core/plugins/modules/pfsense_dhcp_static.py collections/ansible_collections/pfsensible/core/plugins/modules/pfsense_dhcp_static.py
--- collections.save/ansible_collections/pfsensible/core/plugins/modules/pfsense_dhcp_static.py 2023-07-02 20:35:20.151705302 +0200
+++ collections/ansible_collections/pfsensible/core/plugins/modules/pfsense_dhcp_static.py 2023-07-26 12:43:49.166989810 +0200
@@ -279,6 +279,14 @@
return False
def _find_staticmaps(self, netif=None):
+ # Already checked: netif is either None or a valid display name, port or group.
+ # Convert name to port, stop for group
+ if netif is not None:
+ if self.pfsense.is_interface_display_name(netif):
+ netif = self.pfsense.get_interface_by_display_name(netif)
+ elif self.pfsense.is_interface_group(netif):
+ self.module.fail_json(msg='DHCP cannot be configured for interface groups')
+
for e in self.dhcpd:
if netif is None or e.tag == netif:
if e.find('enable') is not None:
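Review bot: the group rejection is placed inside `_find_staticmaps`, a lookup helper, while the new comment says the value was "Already checked"; if that earlier check exists (the tracebacks on this page show a `_validate_params` in this module), the `fail_json` for interface groups belongs there so the module fails before any config lookup and every caller of `_find_staticmaps` gets the same behaviour, leaving only the display-name-to-port conversion here. The message `'DHCP cannot be configured for interface groups'` should also include the offending value, e.g. `msg='DHCP cannot be configured for interface group %s' % netif`, so a playbook with several entries shows which one was rejected.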
Some cloud providers assign /32 addresses for their private networks, and the traffic is routed through the first address (the gateway), for example:
host IP: 192.168.0.2/32
gateway: 192.168.0.1
The only way to make pfSense work is by setting the "non-local gateway" option.
I tried setting LDAP authentication via the module, only to find the following quirks:
- state=present forces it to require a CA parameter
- required_if definition works
- module.params['transport'], but it is not defined and using ldap_urltype is not appropriate
- authserver['transport'] = module.params['transport'] fixes the problem
On the rules I have specified manually, the Destination type is WAN address. When I define the same rule in my pfsensible role, I can only figure out how to get WAN net to work.
Here is the code:
- name: Apply nat port forward rules
  pfsensible.core.nat_port_forward:
    descr: Test nat rule
    interface: wan
    source: any
    destination: WAN:48222 # <--- This field is the issue
    target: 192.168.2.100:48223
    associated_rule: pass
    state: present
My manually defined rule looks like:
What is the proper format to set the destination to WAN address instead of WAN net?
When using the pfsense_dhcp_static example and passing only the name and state, the following error occurs:
Traceback (most recent call last):
File "/home/terraform/.ansible/tmp/ansible-tmp-1683842423.7034736-103-56418711469811/AnsiballZ_pfsense_dhcp_static.py", line 102, in <module>
_ansiballz_main()
File "/home/terraform/.ansible/tmp/ansible-tmp-1683842423.7034736-103-56418711469811/AnsiballZ_pfsense_dhcp_static.py", line 94, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/home/terraform/.ansible/tmp/ansible-tmp-1683842423.7034736-103-56418711469811/AnsiballZ_pfsense_dhcp_static.py", line 40, in invoke_module
runpy.run_module(mod_name='ansible_collections.pfsensible.core.plugins.modules.pfsense_dhcp_static', init_globals=None, run_name='__main__', alter_sys=True)
File "/usr/local/lib/python3.8/runpy.py", line 207, in run_module
return _run_module_code(code, init_globals, run_name, mod_spec)
File "/usr/local/lib/python3.8/runpy.py", line 97, in _run_module_code
_run_code(code, mod_globals, init_globals,
File "/usr/local/lib/python3.8/runpy.py", line 87, in _run_code
exec(code, run_globals)
File "/tmp/ansible_pfsensible.core.pfsense_dhcp_static_payload_eu5yj8za/ansible_pfsensible.core.pfsense_dhcp_static_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_dhcp_static.py", line 393, in <module>
File "/tmp/ansible_pfsensible.core.pfsense_dhcp_static_payload_eu5yj8za/ansible_pfsensible.core.pfsense_dhcp_static_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_dhcp_static.py", line 388, in main
File "/tmp/ansible_pfsensible.core.pfsense_dhcp_static_payload_eu5yj8za/ansible_pfsensible.core.pfsense_dhcp_static_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/module_base.py", line 223, in run
File "/tmp/ansible_pfsensible.core.pfsense_dhcp_static_payload_eu5yj8za/ansible_pfsensible.core.pfsense_dhcp_static_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_dhcp_static.py", line 222, in _validate_params
File "/usr/local/lib/python3.8/re.py", line 196, in fullmatch
return _compile(pattern, flags).fullmatch(string)
TypeError: expected string or bytes-like object
core/plugins/modules/pfsense_dhcp_static.py
Line 222 in 71ca1d7
I see name OR macaddr is required when using pfsense_dhcp_static. Is macaddr expected to be given when removing a static DHCP entry?
Version 0.5.3
Hello,
I've noticed that the pfsense config file XML encoding differs from the default pfSense XML encoding when I use pfsensible.core. Example (start of the config file right after a change over pfsensible):
<?xml version='1.0' encoding='us-ascii'?> <pfsense> <version>22.9</version> <lastchange></lastchange> <system> <optimization>normal</optimization> <hostname>testfw-1</hostname> <domain>test.group</domain> <group> <name>Network Admins</name> <description>RADIUS Group</description> <scope>remote</scope> <gid>2000</gid> <priv>page-all</priv> </group> <group> <name>admins</name> <description>System Administrators</description> <scope>system</scope> <gid>1999</gid> <member>0</member> <priv>page-all</priv> </group> <group> <name>all</name> <description>All Users</description> <scope>system</scope> <gid>1998</gid> </group>
Start of the config file right after a change done in the webgui:
<?xml version="1.0"?> <pfsense> <version>22.9</version> <lastchange></lastchange> <system> <optimization>normal</optimization> <hostname>testfw-1</hostname> <domain>test.group</domain> <group> <name>Network Admins</name> <description><![CDATA[RADIUS Group]]></description> <scope>remote</scope> <gid>2000</gid> <priv>page-all</priv> </group> <group> <name>admins</name> <description><![CDATA[System Administrators]]></description> <scope>system</scope> <gid>1999</gid> <member>0</member> <priv>page-all</priv> </group> <group> <name>all</name> <description><![CDATA[All Users]]></description> <scope>system</scope> <gid>1998</gid> </group>
While this encoding change has not caused any troubles I'm aware of, if you have a config management system that keeps track of your pfSense config changes, then even a slight adjustment with pfsensible causes hundreds of changes in the config file because of the encoding differences.
BR
Robert
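The spurious diffs described above come only from serializer style (quoting of the XML declaration, the encoding attribute, CDATA wrapping), not from any setting. As an added example, not part of this issue or of pfsensible, the following Python compares two config.xml heads in Canonical XML 2.0 form so that a config-tracking system only flags real changes; the two sample documents are constructed from the snippets quoted above, and canonical_config, config_fingerprint and semantic_diff are my own helpers, not functions of the collection.

```python
from __future__ import annotations

import hashlib
import xml.etree.ElementTree as ET

# Constructed sample documents, modelled on the two config heads quoted in the
# report above and truncated so each is a complete, well-formed document.
# Left: what pfsensible writes (single-quoted declaration, us-ascii, plain text).
PFSENSIBLE_XML = """<?xml version='1.0' encoding='us-ascii'?>
<pfsense>
  <version>22.9</version>
  <lastchange></lastchange>
  <system>
    <optimization>normal</optimization>
    <hostname>testfw-1</hostname>
    <domain>test.group</domain>
    <group>
      <name>admins</name>
      <description>System Administrators</description>
      <scope>system</scope>
      <gid>1999</gid>
      <member>0</member>
      <priv>page-all</priv>
    </group>
  </system>
</pfsense>
"""

# Right: the same settings as the pfSense web GUI writes them (CDATA-wrapped text).
WEBGUI_XML = """<?xml version="1.0"?>
<pfsense>
  <version>22.9</version>
  <lastchange></lastchange>
  <system>
    <optimization>normal</optimization>
    <hostname>testfw-1</hostname>
    <domain>test.group</domain>
    <group>
      <name>admins</name>
      <description><![CDATA[System Administrators]]></description>
      <scope>system</scope>
      <gid>1999</gid>
      <member>0</member>
      <priv>page-all</priv>
    </group>
  </system>
</pfsense>
"""


def canonical_config(xml_text: str) -> str:
    """Serialize a config.xml document in Canonical XML 2.0 form.

    The XML declaration is dropped, CDATA sections become ordinary escaped
    text, and whitespace-only text between elements is stripped, so both
    writers above produce byte-identical output for the same settings.
    """
    return ET.canonicalize(xml_text, strip_text=True)


def config_fingerprint(xml_text: str) -> str:
    """SHA-256 of the canonical form: a change-tracking key that ignores
    serializer style and only changes when a setting actually changes."""
    return hashlib.sha256(canonical_config(xml_text).encode("utf-8")).hexdigest()


def _flatten(xml_text: str) -> dict[str, str]:
    """Map each element path (with a 1-based sibling index) to its stripped text."""
    root = ET.fromstring(xml_text)
    items: dict[str, str] = {}

    def walk(elem: ET.Element, path: str) -> None:
        items[path] = (elem.text or "").strip()
        seen: dict[str, int] = {}
        for child in elem:
            seen[child.tag] = seen.get(child.tag, 0) + 1
            walk(child, f"{path}/{child.tag}[{seen[child.tag]}]")

    walk(root, root.tag)
    return items


def semantic_diff(old_xml: str, new_xml: str) -> list[tuple[str, str | None, str | None]]:
    """Report (path, old_text, new_text) for every element whose text differs or
    that exists on only one side. Declaration, encoding and CDATA differences
    never show up here, so a review only sees real configuration changes."""
    old, new = _flatten(old_xml), _flatten(new_xml)
    return [
        (path, old.get(path), new.get(path))
        for path in sorted(old.keys() | new.keys())
        if old.get(path) != new.get(path)
    ]


if __name__ == "__main__":
    print("same fingerprint:", config_fingerprint(PFSENSIBLE_XML) == config_fingerprint(WEBGUI_XML))
    # A constructed real change (hostname edited) is still reported.
    print(semantic_diff(WEBGUI_XML, WEBGUI_XML.replace("testfw-1", "testfw-2")))
```

Running the script shows the two heads share one fingerprint while the edited hostname is reported as a single changed path.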
Hi, I just updated pfSense to version 2.5 and the pfsense_aggregate module is not working anymore. This is the trace:
TASK [Setup two vlans, three aliases, six rules, four separators, and delete everything else] *************************************************************************
task path: /home/joe/Downloads/ansible/site.yml:37
<172.16.2.15> ESTABLISH PARAMIKO SSH CONNECTION FOR USER: root on PORT 22 TO 172.16.2.15
<172.16.2.15> EXEC /bin/sh -c 'echo ~root && sleep 0'
<172.16.2.15> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1613866031.1342916-233072796188740 `" && echo ansible-tmp-1613866031.1342916-233072796188740="` echo /root/.ansible/tmp/ansible-tmp-1613866031.1342916-233072796188740 `" ) && sleep 0'
Using module file /home/joe/.ansible/collections/ansible_collections/pfsensible/core/plugins/modules/pfsense_aggregate.py
<172.16.2.15> PUT /home/joe/.ansible/tmp/ansible-local-32996drj_mhem/tmp72e5eqva TO /root/.ansible/tmp/ansible-tmp-1613866031.1342916-233072796188740/AnsiballZ_pfsense_aggregate.py
<172.16.2.15> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1613866031.1342916-233072796188740/ /root/.ansible/tmp/ansible-tmp-1613866031.1342916-233072796188740/AnsiballZ_pfsense_aggregate.py && sleep 0'
<172.16.2.15> EXEC /bin/sh -c '/usr/local/bin/python3.7 /root/.ansible/tmp/ansible-tmp-1613866031.1342916-233072796188740/AnsiballZ_pfsense_aggregate.py && sleep 0'
<172.16.2.15> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1613866031.1342916-233072796188740/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
File "/root/.ansible/tmp/ansible-tmp-1613866031.1342916-233072796188740/AnsiballZ_pfsense_aggregate.py", line 102, in <module>
_ansiballz_main()
File "/root/.ansible/tmp/ansible-tmp-1613866031.1342916-233072796188740/AnsiballZ_pfsense_aggregate.py", line 94, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/root/.ansible/tmp/ansible-tmp-1613866031.1342916-233072796188740/AnsiballZ_pfsense_aggregate.py", line 40, in invoke_module
runpy.run_module(mod_name='ansible_collections.pfsensible.core.plugins.modules.pfsense_aggregate', init_globals=None, run_name='__main__', alter_sys=True)
File "/usr/local/lib/python3.7/runpy.py", line 205, in run_module
return _run_module_code(code, init_globals, run_name, mod_spec)
File "/usr/local/lib/python3.7/runpy.py", line 96, in _run_module_code
mod_name, mod_spec, pkg_name, script_name)
File "/usr/local/lib/python3.7/runpy.py", line 85, in _run_code
exec(code, run_globals)
File "/tmp/ansible_pfsense_aggregate_payload_s1ipa_5f/ansible_pfsense_aggregate_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_aggregate.py", line 1096, in <module>
File "/tmp/ansible_pfsense_aggregate_payload_s1ipa_5f/ansible_pfsense_aggregate_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_aggregate.py", line 1081, in main
File "/tmp/ansible_pfsense_aggregate_payload_s1ipa_5f/ansible_pfsense_aggregate_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_aggregate.py", line 618, in __init__
File "/tmp/ansible_pfsense_aggregate_payload_s1ipa_5f/ansible_pfsense_aggregate_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/vlan.py", line 44, in __init__
File "/tmp/ansible_pfsense_aggregate_payload_s1ipa_5f/ansible_pfsense_aggregate_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/pfsense.py", line 573, in php
File "/usr/local/lib/python3.7/json/__init__.py", line 348, in loads
return _default_decoder.decode(s)
File "/usr/local/lib/python3.7/json/decoder.py", line 337, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/usr/local/lib/python3.7/json/decoder.py", line 355, in raw_decode
raise JSONDecodeError("Expecting value", s, err.value) from None
json.decoder.JSONDecodeError: Expecting value: line 2 column 1 (char 1)
fatal: [pflab]: FAILED! => {
"changed": false,
"module_stderr": "",
"module_stdout": "Traceback (most recent call last):\r\n File \"/root/.ansible/tmp/ansible-tmp-1613866031.1342916-233072796188740/AnsiballZ_pfsense_aggregate.py\", line 102, in <module>\r\n _ansiballz_main()\r\n File \"/root/.ansible/tmp/ansible-tmp-1613866031.1342916-233072796188740/AnsiballZ_pfsense_aggregate.py\", line 94, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File \"/root/.ansible/tmp/ansible-tmp-1613866031.1342916-233072796188740/AnsiballZ_pfsense_aggregate.py\", line 40, in invoke_module\r\n runpy.run_module(mod_name='ansible_collections.pfsensible.core.plugins.modules.pfsense_aggregate', init_globals=None, run_name='__main__', alter_sys=True)\r\n File \"/usr/local/lib/python3.7/runpy.py\", line 205, in run_module\r\n return _run_module_code(code, init_globals, run_name, mod_spec)\r\n File \"/usr/local/lib/python3.7/runpy.py\", line 96, in _run_module_code\r\n mod_name, mod_spec, pkg_name, script_name)\r\n File \"/usr/local/lib/python3.7/runpy.py\", line 85, in _run_code\r\n exec(code, run_globals)\r\n File \"/tmp/ansible_pfsense_aggregate_payload_s1ipa_5f/ansible_pfsense_aggregate_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_aggregate.py\", line 1096, in <module>\r\n File \"/tmp/ansible_pfsense_aggregate_payload_s1ipa_5f/ansible_pfsense_aggregate_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_aggregate.py\", line 1081, in main\r\n File \"/tmp/ansible_pfsense_aggregate_payload_s1ipa_5f/ansible_pfsense_aggregate_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_aggregate.py\", line 618, in __init__\r\n File \"/tmp/ansible_pfsense_aggregate_payload_s1ipa_5f/ansible_pfsense_aggregate_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/vlan.py\", line 44, in __init__\r\n File 
\"/tmp/ansible_pfsense_aggregate_payload_s1ipa_5f/ansible_pfsense_aggregate_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/pfsense.py\", line 573, in php\r\n File \"/usr/local/lib/python3.7/json/__init__.py\", line 348, in loads\r\n return _default_decoder.decode(s)\r\nFile \"/usr/local/lib/python3.7/json/decoder.py\", line 337, in decode\r\n obj, end = self.raw_decode(s, idx=_w(s, 0).end())\r\n File \"/usr/local/lib/python3.7/json/decoder.py\", line 355, in raw_decode\r\n raise JSONDecodeError(\"Expecting value\", s, err.value) from None\r\njson.decoder.JSONDecodeError: Expecting value: line 2 column 1 (char 1)\r\n",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
"rc": 1
}
Edit: Add error at pfsense gui
PHP ERROR: Type: 1, File: Standard input code, Line: 2, Message: Uncaught Error: Call to undefined function is_jumbo_capable() in Standard input code:2
Stack trace:
#0 {main}
thrown @ 2021-02-20 18:45:44
If not, is there any plan to add this feature?
Hi all, thank you for putting together these modules.
I'm working on a project for importing bulk rules into a new firewall I'm building and I've been able to troubleshoot most things but I'm having a hard time using one small feature. I cannot get the pfsense_rules modules to add the "Invert Match" for source/destination addresses.
The playbook task compiles and it creates the rule I want but it simply omits the Invert Match. The documentation states that "the destination/source address, in [!]{IP,HOST,ALIAS,any,(self),IP:INTERFACE,NET:INTERFACE} format." So I included in the rule field "destination: ! Alias_Name". This compiled and creates the rule but it skips the Invert Match.
So I've tried any syntax possibility I could think of. I've tried other permutations with and without spaces, any combination of parenthesis, braces, and brackets. Some examples are:
destination: [!] Alias_Name
destination: [!] {Alias_Name}
destination: [!] (Alias_Name)
destination: "!" Alias_Name
destination: '!' Alias_Name
I don't want to point fingers and say that the function is bugged, so can someone point me to what I'm doing wrong? If I'm not, is this something that could be easily patched and pushed?
pfSense 2.5.0 with current master of this repo.
An IPsec VTI interface created with the name MY_VPN_INTERFACE automatically creates a gateway MY_VPN_INTERFACE_VTIV4.
I can't use this gateway in a pfsense_route.
Getting:
The gateway Interface MY_VPN_INTERFACE_VTIV4 Gateway does not exist
I assume it's similar to #8.
The documentation specifies that you can set tls='generate' to generate a TLS key, however this seems to be un-implemented, as the parameter is required to match the correct format and I can't seem to find anything that would parse the keyword "generate".
When creating multiple IPsec phase 2 interfaces there is a problem when creating the interface, meaning they are not ID'd correctly, so the interfaces are overwritten and cannot be assigned.
I tested this in 2.4.5 and it works as intended, as the IPsec interfaces are labeled ipsec1000, ipsec2000;
however, in 2.5.2 each interface is labeled ipsec, ipsec and so on.
It's possible I'm missing something obvious, but the same yml yielded the above results on the different versions.
If you need more details let me know and I will be happy to provide them.
Thanks
Hi, is it possible to use this role to edit the default password?
I'm trying to do so:
- name: Change password for admin user
  pfsensible.core.pfsense_user:
    name: "admin"
    descr: "Admin"
    password: "{{ 'PasSw0rd123' | password_hash('bcrypt') }}"
    scope: "user"
    groups: [ 'admins' ]
    priv: [ 'page-all', 'user-shell-access' ]
  when: netgate_configuration
But it doesn't affect the password.
In pfSense 2.4.5 it appears that support for Python 2.7 is no longer there; /usr/local/bin/python3.7 is all that is there.
[2.4.5-RELEASE][admin@pfsense-test]/root: ls /usr/local/bin/python*
/usr/local/bin/python3.7 /usr/local/bin/python3.7-config /usr/local/bin/python3.7m /usr/local/bin/python3.7m-config
Running a playbook per the normal method to add an alias fails on new 2.4.5 pfSense:
TASK [Add test alias] ***************************************************************************************************************************************
task path: /home/kinther/test2.yml:11
<172.16.0.10> ESTABLISH PARAMIKO SSH CONNECTION FOR USER: ansibleuser on PORT 22 TO 172.16.0.10
<172.16.0.10> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /tmp/ansible-tmp-1587500186.5604308-239104599291623 `" && echo ansible-tmp-1587500186.5604308-239104599291623="` echo /tmp/ansible-tmp-1587500186.5604308-239104599291623 `" ) && sleep 0'
Using module file /home/kinther/.ansible/collections/ansible_collections/pfsensible/core/plugins/modules/alias.py
<172.16.0.10> PUT /home/kinther/.ansible/tmp/ansible-local-42188btu0sfj3/tmppljgqbz8 TO /tmp/ansible-tmp-1587500186.5604308-239104599291623/AnsiballZ_alias.py
<172.16.0.10> EXEC /bin/sh -c 'chmod u+x /tmp/ansible-tmp-1587500186.5604308-239104599291623/ /tmp/ansible-tmp-1587500186.5604308-239104599291623/AnsiballZ_alias.py && sleep 0'
<172.16.0.10> EXEC /bin/sh -c '/usr/local/bin/python2.7 /tmp/ansible-tmp-1587500186.5604308-239104599291623/AnsiballZ_alias.py && sleep 0'
<172.16.0.10> EXEC /bin/sh -c 'rm -f -r /tmp/ansible-tmp-1587500186.5604308-239104599291623/ > /dev/null 2>&1 && sleep 0'
fatal: [pfsense-test]: FAILED! => {
"changed": false,
"module_stderr": "",
"module_stdout": "/bin/sh: /usr/local/bin/python2.7: not found\r\n",
"msg": "The module failed to execute correctly, you probably need to set the interpreter.\nSee stdout/stderr for the exact error",
"rc": 127
}
Environment information:
(testenv) [kinther@server ~]$ ansible --version
ansible 2.9.6
config file = /home/kinther/ansible.cfg
configured module search path = ['/home/kinther/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/kinther/testenv/lib64/python3.6/site-packages/ansible
executable location = /home/kinther/testenv/bin/ansible
python version = 3.6.8 (default, Aug 7 2019, 17:28:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
Ansible Version
ansible 2.10.6
config file = /app/ansible/ansible_linux_playbooks/ansible.cfg
configured module search path = ['/etc/ansible/library/modules']
ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
executable location = /usr/local/bin/ansible
python version = 3.6.8 (default, Aug 24 2020, 17:57:11) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
Ansible Config
COLLECTIONS_PATHS(/app/ansible/ansible_linux_playbooks/ansible.cfg) = ['/app/ansible/ansible_linux_playbooks/collections']
DEFAULT_CALLBACK_WHITELIST(/app/ansible/ansible_linux_playbooks/ansible.cfg) = ['ansible.posix.profile_tasks']
DEFAULT_HOST_LIST(/app/ansible/ansible_linux_playbooks/ansible.cfg) = ['/app/ansible/ansible_linux_playbooks/inventory']
DEFAULT_MODULE_PATH(/app/ansible/ansible_linux_playbooks/ansible.cfg) = ['/etc/ansible/library/modules']
DEFAULT_MODULE_UTILS_PATH(/app/ansible/ansible_linux_playbooks/ansible.cfg) = ['/etc/ansible/library/modules_utils']
DEFAULT_ROLES_PATH(/app/ansible/ansible_linux_playbooks/ansible.cfg) = ['/etc/ansible/roles', '/app/ansible/ansible_linux_playbooks/roles']
DEFAULT_STDOUT_CALLBACK(/app/ansible/ansible_linux_playbooks/ansible.cfg) = debug
DEFAULT_TRANSPORT(/app/ansible/ansible_linux_playbooks/ansible.cfg) = smart
HOST_KEY_CHECKING(/app/ansible/ansible_linux_playbooks/ansible.cfg) = False
Tree of Collections - Netcommon
tree collections/ansible_collections/ansible/netcommon/
collections/ansible_collections/ansible/netcommon/
├── bindep.txt
├── changelogs
│ ├── CHANGELOG.rst
│ ├── changelog.yaml
│ ├── config.yaml
│ └── fragments
├── docs
│ ├── ansible.netcommon.cli_command_module.rst
│ ├── ansible.netcommon.cli_config_module.rst
│ ├── ansible.netcommon.cli_parse_module.rst
│ ├── ansible.netcommon.default_netconf.rst
│ ├── ansible.netcommon.enable_become.rst
│ ├── ansible.netcommon.httpapi_connection.rst
│ ├── ansible.netcommon.libssh_connection.rst
│ ├── ansible.netcommon.napalm_connection.rst
│ ├── ansible.netcommon.net_banner_module.rst
│ ├── ansible.netcommon.netconf_config_module.rst
│ ├── ansible.netcommon.netconf_connection.rst
│ ├── ansible.netcommon.netconf_get_module.rst
│ ├── ansible.netcommon.netconf_rpc_module.rst
│ ├── ansible.netcommon.net_get_module.rst
│ ├── ansible.netcommon.net_interface_module.rst
│ ├── ansible.netcommon.net_l2_interface_module.rst
│ ├── ansible.netcommon.net_l3_interface_module.rst
│ ├── ansible.netcommon.net_linkagg_module.rst
│ ├── ansible.netcommon.net_lldp_interface_module.rst
│ ├── ansible.netcommon.net_lldp_module.rst
│ ├── ansible.netcommon.net_logging_module.rst
│ ├── ansible.netcommon.net_ping_module.rst
│ ├── ansible.netcommon.net_put_module.rst
│ ├── ansible.netcommon.net_static_route_module.rst
│ ├── ansible.netcommon.net_system_module.rst
│ ├── ansible.netcommon.net_user_module.rst
│ ├── ansible.netcommon.net_vlan_module.rst
│ ├── ansible.netcommon.net_vrf_module.rst
│ ├── ansible.netcommon.network_cli_connection.rst
│ ├── ansible.netcommon.persistent_connection.rst
│ ├── ansible.netcommon.restconf_config_module.rst
│ ├── ansible.netcommon.restconf_get_module.rst
│ ├── ansible.netcommon.restconf_httpapi.rst
│ └── ansible.netcommon.telnet_module.rst
├── FILES.json
├── LICENSE
├── MANIFEST.json
├── meta
│ └── runtime.yml
├── plugins
│ ├── action
│ │ ├── cli_command.py
│ │ ├── cli_config.py
│ │ ├── cli_parse.py
│ │ ├── __init__.py
│ │ ├── net_banner.py
│ │ ├── net_base.py
│ │ ├── netconf.py
│ │ ├── net_get.py
│ │ ├── net_interface.py
│ │ ├── net_l2_interface.py
│ │ ├── net_l3_interface.py
│ │ ├── net_linkagg.py
│ │ ├── net_lldp_interface.py
│ │ ├── net_lldp.py
│ │ ├── net_logging.py
│ │ ├── net_ping.py
│ │ ├── net_put.py
│ │ ├── net_static_route.py
│ │ ├── net_system.py
│ │ ├── net_user.py
│ │ ├── net_vlan.py
│ │ ├── net_vrf.py
│ │ ├── network.py
│ │ └── telnet.py
│ ├── become
│ │ ├── enable.py
│ │ └── __init__.py
│ ├── cache
│ │ ├── __init__.py
│ │ └── memory.py
│ ├── connection
│ │ ├── httpapi.py
│ │ ├── __init__.py
│ │ ├── libssh.py
│ │ ├── napalm.py
│ │ ├── netconf.py
│ │ ├── network_cli.py
│ │ └── persistent.py
│ ├── doc_fragments
│ │ ├── __init__.py
│ │ └── network_agnostic.py
│ ├── filter
│ │ ├── __init__.py
│ │ ├── ipaddr.py
│ │ └── network.py
│ ├── httpapi
│ │ ├── __init__.py
│ │ └── restconf.py
│ ├── modules
│ │ ├── cli_command.py
│ │ ├── cli_config.py
│ │ ├── cli_parse.py
│ │ ├── __init__.py
│ │ ├── net_banner.py
│ │ ├── netconf_config.py
│ │ ├── netconf_get.py
│ │ ├── netconf_rpc.py
│ │ ├── net_get.py
│ │ ├── net_interface.py
│ │ ├── net_l2_interface.py
│ │ ├── net_l3_interface.py
│ │ ├── net_linkagg.py
│ │ ├── net_lldp_interface.py
│ │ ├── net_lldp.py
│ │ ├── net_logging.py
│ │ ├── net_ping.py
│ │ ├── net_put.py
│ │ ├── net_static_route.py
│ │ ├── net_system.py
│ │ ├── net_user.py
│ │ ├── net_vlan.py
│ │ ├── net_vrf.py
│ │ ├── restconf_config.py
│ │ ├── restconf_get.py
│ │ └── telnet.py
│ ├── module_utils
│ │ ├── cli_parser
│ │ │ ├── cli_parserbase.py
│ │ │ └── cli_parsertemplate.py
│ │ ├── __init__.py
│ │ ├── network
│ │ │ ├── common
│ │ │ │ ├── cfg
│ │ │ │ │ ├── base.py
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── config.py
│ │ │ │ ├── facts
│ │ │ │ │ ├── facts.py
│ │ │ │ │ └── __init__.py
│ │ │ │ ├── __init__.py
│ │ │ │ ├── netconf.py
│ │ │ │ ├── network.py
│ │ │ │ ├── network_template.py
│ │ │ │ ├── parsing.py
│ │ │ │ ├── resource_module.py
│ │ │ │ ├── rm_base
│ │ │ │ │ ├── network_template.py
│ │ │ │ │ ├── resource_module_base.py
│ │ │ │ │ └── resource_module.py
│ │ │ │ └── utils.py
│ │ │ ├── netconf
│ │ │ │ ├── __init__.py
│ │ │ │ └── netconf.py
│ │ │ └── restconf
│ │ │ ├── __init__.py
│ │ │ └── restconf.py
│ │ └── utils
│ │ └── data.py
│ ├── netconf
│ │ ├── default.py
│ │ └── __init__.py
│ └── sub_plugins
│ └── cli_parser
│ ├── native_parser.py
│ ├── ntc_templates_parser.py
│ └── pyats_parser.py
├── README.md
├── requirements.txt
├── test-requirements.txt
├── tests
│ ├── integration
│ │ ├── target-prefixes.network
│ │ └── targets
│ │ ├── cli_parse
│ │ │ ├── tasks
│ │ │ │ ├── centos_native.yaml
│ │ │ │ ├── fedora_native.yaml
│ │ │ │ ├── main.yaml
│ │ │ │ ├── nxos_json.yaml
│ │ │ │ ├── nxos_native.yaml
│ │ │ │ ├── nxos_ntc_templates.yaml
│ │ │ │ ├── nxos_pyats.yaml
│ │ │ │ ├── nxos_textfsm.yaml
│ │ │ │ ├── nxos_ttp.yaml
│ │ │ │ └── nxos_xml.yaml
│ │ │ └── templates
│ │ │ ├── centos_ps_-ef.yaml
│ │ │ ├── fedora_iptables_--list.yaml
│ │ │ ├── fedora_ps_-ef.yaml
│ │ │ ├── nxos_show_interface.ttp
│ │ │ ├── nxos_show_interface.yaml
│ │ │ └── nxos_show_version.textfsm
│ │ ├── netconf_config
│ │ │ ├── defaults
│ │ │ │ └── main.yaml
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ ├── tasks
│ │ │ │ ├── iosxr.yaml
│ │ │ │ ├── junos.yaml
│ │ │ │ ├── main.yaml
│ │ │ │ └── nxos.yaml
│ │ │ └── tests
│ │ │ ├── iosxr
│ │ │ │ └── basic.yaml
│ │ │ ├── junos
│ │ │ │ ├── basic.yaml
│ │ │ │ └── fixtures
│ │ │ │ ├── config.yml
│ │ │ │ └── invalid_config.yml
│ │ │ └── nxos
│ │ │ ├── basic.yaml
│ │ │ └── fixtures
│ │ │ └── config.yaml
│ │ ├── netconf_get
│ │ │ ├── defaults
│ │ │ │ └── main.yaml
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ ├── tasks
│ │ │ │ ├── iosxr.yaml
│ │ │ │ ├── junos.yaml
│ │ │ │ ├── main.yaml
│ │ │ │ └── sros.yaml
│ │ │ └── tests
│ │ │ ├── iosxr
│ │ │ │ └── basic.yaml
│ │ │ ├── junos
│ │ │ │ └── basic.yaml
│ │ │ └── sros
│ │ │ └── basic.yaml
│ │ ├── netconf_rpc
│ │ │ ├── defaults
│ │ │ │ └── main.yaml
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ ├── tasks
│ │ │ │ ├── iosxr.yaml
│ │ │ │ ├── junos.yaml
│ │ │ │ ├── main.yaml
│ │ │ │ └── sros.yaml
│ │ │ └── tests
│ │ │ ├── iosxr
│ │ │ │ └── basic.yaml
│ │ │ ├── junos
│ │ │ │ └── basic.yaml
│ │ │ └── sros
│ │ │ └── basic.yaml
│ │ ├── prepare_iosxe_tests
│ │ │ └── tasks
│ │ │ └── main.yml
│ │ ├── prepare_iosxr_tests
│ │ │ ├── tasks
│ │ │ │ └── main.yml
│ │ │ └── templates
│ │ │ └── config.j2
│ │ ├── prepare_junos_tests
│ │ │ └── tasks
│ │ │ └── main.yml
│ │ ├── prepare_nxos_tests
│ │ │ └── tasks
│ │ │ └── main.yaml
│ │ ├── prepare_sros_tests
│ │ │ └── tasks
│ │ │ └── main.yml
│ │ ├── restconf_config
│ │ │ ├── defaults
│ │ │ │ └── main.yaml
│ │ │ ├── meta
│ │ │ │ └── main.yml
│ │ │ ├── tasks
│ │ │ │ ├── main.yaml
│ │ │ │ └── restconf.yaml
│ │ │ └── tests
│ │ │ └── iosxe
│ │ │ └── basic.yaml
│ │ └── restconf_get
│ │ ├── defaults
│ │ │ └── main.yaml
│ │ ├── meta
│ │ │ └── main.yml
│ │ ├── tasks
│ │ │ ├── main.yaml
│ │ │ └── restconf.yaml
│ │ └── tests
│ │ └── iosxe
│ │ └── basic.yaml
│ ├── sanity
│ │ ├── ignore-2.10.txt
│ │ ├── ignore-2.11.txt
│ │ ├── ignore-2.9.txt
│ │ └── requirements.txt
│ └── unit
│ ├── compat
│ │ ├── builtins.py
│ │ ├── __init__.py
│ │ ├── mock.py
│ │ └── unittest.py
│ ├── __init__.py
│ ├── mock
│ │ ├── __init__.py
│ │ ├── loader.py
│ │ ├── path.py
│ │ ├── procenv.py
│ │ ├── vault_helper.py
│ │ └── yaml_helper.py
│ ├── modules
│ │ ├── conftest.py
│ │ ├── __init__.py
│ │ ├── network
│ │ │ ├── cli
│ │ │ │ ├── cli_module.py
│ │ │ │ ├── __init__.py
│ │ │ │ └── test_cli_config.py
│ │ │ └── __init__.py
│ │ └── utils.py
│ ├── module_utils
│ │ ├── conftest.py
│ │ ├── __init__.py
│ │ └── network
│ │ ├── common
│ │ │ ├── __init__.py
│ │ │ ├── test_config.py
│ │ │ ├── test_parsing.py
│ │ │ └── test_utils.py
│ │ └── __init__.py
│ ├── plugins
│ │ ├── action
│ │ │ └── cli_parse
│ │ │ ├── fixtures
│ │ │ │ ├── nxos_empty_parser.yaml
│ │ │ │ ├── nxos_show_version.txt
│ │ │ │ └── nxos_show_version.yaml
│ │ │ └── test_cli_parse.py
│ │ ├── cli_parsers
│ │ │ ├── fixtures
│ │ │ │ ├── ios_show_ip_interface_brief.cfg
│ │ │ │ └── nxos_show_version.cfg
│ │ │ └── test_pyats_parser.py
│ │ ├── connection
│ │ │ ├── __init__.py
│ │ │ ├── test_libssh.py
│ │ │ ├── test_netconf.py
│ │ │ └── test_network_cli.py
│ │ ├── filter
│ │ │ ├── fixtures
│ │ │ │ ├── __init__.py
│ │ │ │ └── network
│ │ │ │ ├── __init__.py
│ │ │ │ ├── show_vlans_xml_output.txt
│ │ │ │ ├── show_vlans_xml_single_value_spec.yml
│ │ │ │ ├── show_vlans_xml_spec.yml
│ │ │ │ ├── show_vlans_xml_with_condition_spec.yml
│ │ │ │ └── show_vlans_xml_with_key_spec.yml
│ │ │ ├── __init__.py
│ │ │ ├── test_ipaddr.py
│ │ │ └── test_network.py
│ │ └── __init__.py
│ └── requirements.txt
└── tox.ini
101 directories, 257 files
Tree Ansible Collections - PFsensible (v.0.4.1)
tree collections/ansible_collections/pfsensible/core/
collections/ansible_collections/pfsensible/core/
├── FILES.json
├── LICENSE
├── MANIFEST.json
├── pfsensible
│ └── core
│ ├── examples
│ ├── misc
│ ├── plugins
│ │ └── modules
│ └── tests
│ └── units
│ └── modules
├── plugins
│ ├── lookup
│ │ └── pfsense.py
│ ├── modules
│ │ ├── pfsense_aggregate.py
│ │ ├── pfsense_alias.py
│ │ ├── pfsense_authserver_ldap.py
│ │ ├── pfsense_ca.py
│ │ ├── pfsense_gateway.py
│ │ ├── pfsense_group.py
│ │ ├── pfsense_haproxy_backend.py
│ │ ├── pfsense_haproxy_backend_server.py
│ │ ├── pfsense_interface.py
│ │ ├── pfsense_ipsec_aggregate.py
│ │ ├── pfsense_ipsec_p2.py
│ │ ├── pfsense_ipsec_proposal.py
│ │ ├── pfsense_ipsec.py
│ │ ├── pfsense_nat_outbound.py
│ │ ├── pfsense_nat_port_forward.py
│ │ ├── pfsense_route.py
│ │ ├── pfsense_rule.py
│ │ ├── pfsense_rule_separator.py
│ │ ├── pfsense_setup.py
│ │ ├── pfsense_user.py
│ │ └── pfsense_vlan.py
│ └── module_utils
│ ├── alias.py
│ ├── gateway.py
│ ├── haproxy_backend.py
│ ├── haproxy_backend_server.py
│ ├── __impl
│ │ ├── addresses.py
│ │ ├── checks.py
│ │ ├── __init__.py
│ │ └── interfaces.py
│ ├── __init__.py
│ ├── interface.py
│ ├── ipsec_p2.py
│ ├── ipsec_proposal.py
│ ├── ipsec.py
│ ├── module_base.py
│ ├── nat_outbound.py
│ ├── nat_port_forward.py
│ ├── pfsense.py
│ ├── route.py
│ ├── rule.py
│ ├── rule_separator.py
│ └── vlan.py
└── README.md
14 directories, 47 files
Playbook:
# ./standalone_playbook.yml
---
- name: standalone_playbook
  hosts:
    - vcd_pfsense
  collections:
    - pfsensible.core
    - ansible.netcommon
  gather_facts: true
  vars:
    ansible_connection: smart
    ansible_user: XXXXXXX
    ansible_ssh_pass: XXXXXXX
    ansible_python_interpreter: /usr/local/bin/python3.7
  tasks:
    - name: find_pfsense_theme
      pfsensible.core.pfsense_setup:
        webguicss: Compact-RED
...
Actual results:
fatal: [testfw01.tlb1.thinkon.net]: FAILED! => {}
MSG:
Could not find imported module support code for ansible_collections.pfsensible.core.plugins.modules.pfsense_setup. Looked for (['ansible_collections.ansible.netcommon.plugins.module_utils.compat.ipaddress.IPv4Address', 'ansible_collections.ansible.netcommon.plugins.module_utils.compat.ipaddress'])
Issue:
Seems the module is looking for a netcommon module that does not exist anymore, or in the incorrect location.
Thanks
Is there any way to achieve this?
Crash error on Dashboard:
Crash report begins. Anonymous machine information:
arm
11.3-STABLE
FreeBSD 11.3-STABLE #238 885b1ed26b6(factory-RELENG_2_4_5): Tue Jun 2 17:52:40 EDT 2020 [email protected]:/build/factory-crossbuild-245-armv6/obj/armv6/kJlGauaG/arm.armv6/build/factory-crossbuild-245-armv6/sources/FreeBSD-src/sys/pfSense
Crash report details:
PHP Errors:
[18-Dec-2020 14:55:04 America/New_York] PHP Parse error: syntax error, unexpected '--' (T_DEC), expecting ',' or ')' in /usr/local/sbin/pfSsh.php(371) : eval()'d code on line 9
No FreeBSD crash data found.
Debug ansible with -vvv
"stdout_lines": [
"pfSense shell: global $debug;",
"pfSense shell: $debug = 1;",
"pfSense shell: ",
"pfSense shell: init_config_arr(array('ca'));",
"pfSense shell: $ca =& lookup_ca('sha1hash');",
"pfSense shell: ca_import($ca, 'b'-----BEGIN CERTIFICATE-----\\nMII",
.....removed
".....=\\n-----END CERTIFICATE-----'');",
"pfSense shell: print_r($ca);",
"pfSense shell: print_r($config['ca']);",
"pfSense shell: write_config();",
"pfSense shell: exec",
"",
"Parse error: syntax error, unexpected '--' (T_DEC), expecting ',' or ')' in /usr/local/sbin/pfSsh.php(371) : eval()'d code on line 9"
]
Running this against an SG-3100, 2.4.5-RELEASE-p1 from a Mac 10.15 with Python3.8
I'm loading 5 certs with 2 root self-signed certs and the other 3 are issued from the first 2. Certs do not end up referencing each other in the GUI or the xml file like when I load them all manually. This causes some other errors with LDAP connection not able to verify the server cert.
Ansible task:
---
- name: Add Certificate Authority
  pfsensible.core.ca:
    name: '{{ cert.name }}'
    certificate: '{{ cert.cert }}'
    state: present
  loop: '{{ cacerts }}'
  loop_control:
    loop_var: cert
Hosts setup:
cacerts:
  - { name: Cert1, cert: "{{ lookup('file', 'ssl/ca/1.pem' ) |b64encode }}" }
  - { name: Cert2, cert: "{{ lookup('file', 'ssl/ca/2.pem' ) |b64encode }}" } # issued by 1
  - { name: Cert3, cert: "{{ lookup('file', 'ssl/ca/3.pem' ) |b64encode }}" } # issued by 2
  # concat 4 and 5 to make ldap auth work
  - { name: Cert4, cert: "{{ (lookup('file', 'ssl/ca/4.pem' ) + '\n' + lookup('file', 'ssl/ca/5.pem' ) )|b64encode }}" }
  - { name: Cert5, cert: "{{ lookup('file', 'ssl/ca/5.pem' ) |b64encode }}" } # issued by 4
Support for virtual IPs would be incredibly useful, helping to get one step closer to fully managing PFSense via Ansible.
Hi, I have just installed the new pfSense version 21.02 and the pfsense_aggregate module is not working anymore. This is the trace:
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: json.decoder.JSONDecodeError: Expecting value: line 2 column 1 (char 1) fatal: [pfin_2]: FAILED! => {"changed": false, "module_stderr": "Shared connection to ########### closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File \"/home/ec2-user/.ansible/tmp/ansible-tmp-1614002528.0419357-46891-200519525228219/AnsiballZ_pfsense_aggregate.py\", line 102, in <module>\r\n _ansiballz_main()\r\n File \"/home/ec2-user/.ansible/tmp/ansible-tmp-1614002528.0419357-46891-200519525228219/AnsiballZ_pfsense_aggregate.py\", line 94, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File \"/home/ec2-user/.ansible/tmp/ansible-tmp-1614002528.0419357-46891-200519525228219/AnsiballZ_pfsense_aggregate.py\", line 40, in invoke_module\r\n runpy.run_module(mod_name='ansible_collections.pfsensible.core.plugins.modules.pfsense_aggregate', init_globals=None, run_name='__main__', alter_sys=True)\r\n File \"/usr/local/lib/python3.7/runpy.py\", line 205, in run_module\r\n return _run_module_code(code, init_globals, run_name, mod_spec)\r\n File \"/usr/local/lib/python3.7/runpy.py\", line 96, in _run_module_code\r\n mod_name, mod_spec, pkg_name, script_name)\r\n File \"/usr/local/lib/python3.7/runpy.py\", line 85, in _run_code\r\n exec(code, run_globals)\r\n File \"/tmp/ansible_pfsensible.core.pfsense_aggregate_payload_3oc4rroq/ansible_pfsensible.core.pfsense_aggregate_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_aggregate.py\", line 1096, in <module>\r\n File \"/tmp/ansible_pfsensible.core.pfsense_aggregate_payload_3oc4rroq/ansible_pfsensible.core.pfsense_aggregate_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_aggregate.py\", line 1081, in main\r\n File \"/tmp/ansible_pfsensible.core.pfsense_aggregate_payload_3oc4rroq/ansible_pfsensible.core.pfsense_aggregate_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_aggregate.py\", line 618, in __init__\r\n File \"/tmp/ansible_pfsensible.core.pfsense_aggregate_payload_3oc4rroq/ansible_pfsensible.core.pfsense_aggregate_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/vlan.py\", line 44, in __init__\r\n File \"/tmp/ansible_pfsensible.core.pfsense_aggregate_payload_3oc4rroq/ansible_pfsensible.core.pfsense_aggregate_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/pfsense.py\", line 557, in php\r\n File \"/usr/local/lib/python3.7/json/__init__.py\", line 348, in loads\r\n return _default_decoder.decode(s)\r\n File \"/usr/local/lib/python3.7/json/decoder.py\", line 337, in decode\r\n obj, end = self.raw_decode(s, idx=_w(s, 0).end())\r\n File \"/usr/local/lib/python3.7/json/decoder.py\", line 355, in raw_decode\r\n raise JSONDecodeError(\"Expecting value\", s, err.value) from None\r\njson.decoder.JSONDecodeError: Expecting value: line 2 column 1 (char 1)\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
Message from gui
PHP ERROR: Type: 1, File: Standard input code, Line: 2, Message: Uncaught Error: Call to undefined function is_jumbo_capable() in Standard input code:2
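The traceback ends in `pfsense.py`'s `php` helper calling `json.loads` on whatever the pfSense shell printed; when the PHP side dies (here with "Call to undefined function is_jumbo_capable()"), stdout holds a PHP error line instead of a JSON document and the module fails with an unhelpful JSONDecodeError. The following is an added example, not code from pfsensible, of parsing that output defensively: PHP error lines are recognised and surfaced as the real cause, and a non-JSON payload is reported with its content rather than just "Expecting value". The two sample outputs are constructed from the messages on this page.

```python
"""Parse JSON emitted by a PHP helper, surfacing PHP errors first.

Added example, not code from pfsensible.  The shape of the pfSense
shell output (optional echo lines, then a JSON document) is assumed.
"""
import json


class PhpError(RuntimeError):
    """Raised when the PHP side reported an error instead of JSON."""


# Prefixes PHP uses when it prints an error to stdout instead of the
# expected JSON document.  "PHP ERROR:" is the form pfSense's GUI shows.
PHP_ERROR_PREFIXES = (
    "PHP ERROR:",
    "PHP Parse error:",
    "Parse error:",
    "PHP Fatal error:",
    "Fatal error:",
)


def parse_php_json(stdout):
    """Return the decoded JSON document from PHP output.

    Raises PhpError carrying the PHP error line if one is present, or a
    PhpError describing the non-JSON payload if decoding fails.  Blank
    lines (the cause of "line 2 column 1" in the issue) are skipped.
    """
    lines = [line for line in stdout.splitlines() if line.strip()]
    for line in lines:
        if line.startswith(PHP_ERROR_PREFIXES):
            raise PhpError(line)
    # The JSON document starts at the first line that opens an object or
    # array; anything before it is echo noise from the shell wrapper.
    for index, line in enumerate(lines):
        if line.lstrip().startswith(("{", "[")):
            payload = "\n".join(lines[index:])
            try:
                return json.loads(payload)
            except json.JSONDecodeError as exc:
                raise PhpError("PHP returned malformed JSON: %r" % payload[:200]) from exc
    raise PhpError("no JSON document in PHP output: %r" % stdout[:200])


# Constructed sample outputs.  GOOD_OUTPUT mimics a healthy reply; BAD_OUTPUT
# reproduces the 21.02 failure: an empty line followed by the PHP error.
GOOD_OUTPUT = "\n" + json.dumps({"vlans": [{"tag": 10, "if": "igb1"}]}) + "\n"
BAD_OUTPUT = (
    "\nPHP ERROR: Type: 1, File: Standard input code, Line: 2, Message: "
    "Uncaught Error: Call to undefined function is_jumbo_capable() "
    "in Standard input code:2\n"
)

if __name__ == "__main__":
    print(parse_php_json(GOOD_OUTPUT))
    try:
        parse_php_json(BAD_OUTPUT)
    except PhpError as err:
        print("PHP failed:", err)
```

With this in place the task fails with the PHP message itself, which is what an operator needs to see to tell a pfSense API change (a removed function) from a transport problem.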
I am setting up a Netgate 6100. Just saw this module published last week! I was attempting to set up the statics in my host_vars file, but I keep getting an IndexError when I try and loop. If I set the vars statically like name: "{{ host_dhcp.statics.name }}" it will work, but no loops will.
My host_vars
host_dhcp:
  statics:
    - name: "example1"
      macaddr: "xx:xx:xx:xx:xx:xx"
      ipaddr: "10.XX.XX.XX"
      state: present
    - name: "example2"
      macaddr: "yy:yy:yy:yy:yy:yy"
      ipaddr: "10.XX.XX.YY"
      state: present
The task:
- name: Configure Static DHCP Entries
  pfsensible.core.pfsense_dhcp_static:
    name: "{{ item.name }}"
    state: "{{ item.state }}"
    macaddr: "{{ item.macaddr }}"
    ipaddr: "{{ item.ipaddr }}"
  loop: "{{ host_dhcp.statics }}"
The error:
failed: [netgate6100] (item={'name': 'example1', 'macaddr': 'xx:xx:xx:xx:xx:xx', 'ipaddr': '10.XX.XX.XX', 'state': 'present'}) => changed=false
  ansible_loop_var: item
  item:
    ipaddr: 10.XX.XX.XX
    macaddr: xx:xx:xx:xx:xx:xx
    name: example1
    state: present
  module_stderr: |-
    Shared connection to 10.XX.XX.1 closed.
  module_stdout: |-
    Traceback (most recent call last):
      File "/root/.ansible/tmp/ansible-tmp-1674504929.533209-47389-111350374029904/AnsiballZ_pfsense_dhcp_static.py", line 107, in <module>
        _ansiballz_main()
      File "/root/.ansible/tmp/ansible-tmp-1674504929.533209-47389-111350374029904/AnsiballZ_pfsense_dhcp_static.py", line 99, in _ansiballz_main
        invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
      File "/root/.ansible/tmp/ansible-tmp-1674504929.533209-47389-111350374029904/AnsiballZ_pfsense_dhcp_static.py", line 47, in invoke_module
        runpy.run_module(mod_name='ansible_collections.pfsensible.core.plugins.modules.pfsense_dhcp_static', init_globals=dict(_module_fqn='ansible_collections.pfsensible.core.plugins.modules.pfsense_dhcp_static', _modlib_path=modlib_path),
      File "/usr/local/lib/python3.8/runpy.py", line 207, in run_module
        return _run_module_code(code, init_globals, run_name, mod_spec)
      File "/usr/local/lib/python3.8/runpy.py", line 97, in _run_module_code
        _run_code(code, mod_globals, init_globals,
      File "/usr/local/lib/python3.8/runpy.py", line 87, in _run_code
        exec(code, run_globals)
      File "/tmp/ansible_pfsensible.core.pfsense_dhcp_static_payload_bjgy4rbm/ansible_pfsensible.core.pfsense_dhcp_static_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_dhcp_static.py", line 362, in <module>
      File "/tmp/ansible_pfsensible.core.pfsense_dhcp_static_payload_bjgy4rbm/ansible_pfsensible.core.pfsense_dhcp_static_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_dhcp_static.py", line 357, in main
      File "/tmp/ansible_pfsensible.core.pfsense_dhcp_static_payload_bjgy4rbm/ansible_pfsensible.core.pfsense_dhcp_static_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/module_base.py", line 232, in run
      File "/tmp/ansible_pfsensible.core.pfsense_dhcp_static_payload_bjgy4rbm/ansible_pfsensible.core.pfsense_dhcp_static_payload.zip/ansible_collections/pfsensible/core/plugins/module_utils/module_base.py", line 169, in _add
      File "/tmp/ansible_pfsensible.core.pfsense_dhcp_static_payload_bjgy4rbm/ansible_pfsensible.core.pfsense_dhcp_static_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_dhcp_static.py", line 296, in _copy_and_add_target
      File "/tmp/ansible_pfsensible.core.pfsense_dhcp_static_payload_bjgy4rbm/ansible_pfsensible.core.pfsense_dhcp_static_payload.zip/ansible_collections/pfsensible/core/plugins/modules/pfsense_dhcp_static.py", line 284, in _find_last_dhcp_static_index
    IndexError: list index out of range
The logic here:
core/plugins/modules/pfsense_user.py, line 156 in 92a6186
could do with some improvement, as there are valid bcrypt hashes which start with characters other than $2b. For example, I pulled the config.xml from one of my pfSense instances (running latest version) and the password hashes begin with $2y.
Seems that the variable certtype is missing from the cert plugin, and the use of "server" has no effect. It always creates a user certificate.