rosa-luxemburgstiftung-berlin / ansible-opnsense Goto Github PK

'<' not supported between instances of 'AnsibleUnsafeText' and 'int'

caused by #48

example:
changing in a rule the source/any to source/network: XYZ results in

        <source>
         <any>1</any>
+        <network>XYZ</network>

here the any tag must be cleaned

as opnsense has it's own logic of sorting the interfaces in a filter rule, ansible run will re-deploy them and cause a diff, despite beeng the same list but just in a different order.
avoid diff's like

     - key: type
       value: pass
     - key: interface
-      value: i1,i2,i3
+      value: i2,i3,i1
     - key: ipprotocol
       value: inet
     - key: statetype

support the new instance configuration for openvpn
the existing openvpn server should be marked as deprecated / legacy implementation.
similar to #42

fix syntax highlighting for some xpath expressions

using the opnsense API (https://docs.opnsense.org/development/api.html)

a enabled alias requires the xml tag

<enabled>1</enabled>

disabling a enabled alias will require setting the tag to 0

for now we have no default for this value; opnsense handles a missing tag as enabled an adds the tag (but only after the first edit)

unbound settings are dead, long live unboundplus ...

#12 related

after adding vlan call handler
/usr/local/opnsense/scripts/interfaces/reconfigure_vlans.php

with linting and a sample xml file updating with VARs for each task including a assertion of the expected result

As discussed on https://github.com/naturalis/ansible-opnsense/issues/38
Can you contact me by email and we discuss further?
You can find my details in the contributor list.

ipsec phase2 tunnels removed from config are not deleted in the xml / on the remote, they require a explicit

opn_unset:
  - ipsec/phase2[uniqid="ee0e6..."]

typo type: hosts leads to a invalid alias, as it should be type: host

update to the newer ansible-lint version

If deploying a new rule into a existing config, the order of the rules is not respected as defined in the list.
The new rule will just be the last.
But: order matters here!

bring the ansible syntax up to date by using FQCN notation

a disabled phase1 is marked with

<disabled>1</disabled>

enabled phase1 miss this entry (and have no <enabled>1</enabled> tag)

i'm currently a bit struggeling with the group tasks. I didn't find a suitable variable construct that add more then one member to the group.

Here's an example

    opn_group:
      - name: test
        member:
        settings:
          - key: description
            value: Testgruppe
          - key: gid
            value: 2000
          - key: member
            value: 0
          - key: member
            value: 2000
          - key: member
            value: 2001

The groups - add users to groups task will never run, because groups - count member nodes will count all member nodes from all groups.

But even when i remove the member count condition it's not working, because it is looking for item.1.member. But item.1 has only key and value. When i reformat my variable to something like this:

      - name: admins
        settings:
          - member: 0
          - member: 2000
          - member: 2001

and remove the member count condition it will add the members. But it will add the members every time the playbook runs.

I would rework the tasks to something that works. I think a combination of the json_query filter and set_children instead of add children should do the job.

Are you using the group management? If so, how are your variables?

I am attempting to use tags to update my router partially.

the actual use case I am using is update only dhcp entries.

For some reason fetch is not working, although I can see that there is an always tag. I works only if I explicitly include the "fetch" tag. I am not sure what the reason is, but it could be that the always applies only to the include-tasks, and the tasks inside are all "fetch" only.

Then there is the application and reload, I think they also need the always tag. when: config.changed will not be processed unless the task is selected by tags first, I think.

Partial execution would be a nice to have feature as configuration of the router keeps growing. would provide more agility while building the router configuration.

https://docs.opnsense.org/manual/vpnet.html#migrating-from-tunnels-to-connections

Hi, we created the original version of the ansible-opnsense repository. We would like to remove this repository, because it is outdated and not maintained by us anymore.

Can you update your readme file, to let users know that the original upstream repository is removed and that your branch is now leading.

Another option may be to transfer ownership of the naturalis/ansible-opnsense repo to you. Please let us know what your suggestions are.

Regards, Rudi

similar to #45
but regarding the content of aliases

for now updating rules is not working as expected
for example restricting src/dest addresses on a existing rule

-      - key: source/any
-        value: '1'
+      - key: source/address
+        value: MY_ALLOWED_SRC_ALIAS

updating the XML will result in

       <source>
        <any>1</any>
        <address>MY_ALLOWED_SRC_ALIAS</address>
       </source>

and opnsense will still interpret this as any
Same happens when switching dest/src from network to address.
So: source and destination child tags must be set in bulk w/ set_children. And this will break the idempotence of the task ....

Hi @zerwes

I have a suspicion that the latest patch on conditional reload of systems depending on configuration change may have broken something related to the firewall.

I have been working on the firewall today, and after uploading new configuration the DNS (unbound) breaks.

An NSLOOKUP comes back with:
;; communications error to 127.0.1.1#53: timed out

And looking at the firewall logs I could see that the flow was blocked due to state. rebooting the firewall fixed it.

I will keep an eye on this. Did you notice similar issues?

at least for the port type, it seems that newer opnsense versions sort the alias entries

Currently the RLS main.yml tasks just has a split up of the apply handler into 2 steps:

• configctl filter sync for a simpler and non-invasive sync of the filter rules
• configctl service reload all for a hard reload of all services (resulting sometimes in interupted network traffic / restet of connections)
  It would be desirable to have a finer control over the required steps for applying the changes. i.e. just a simple change in the wireguard configuration should not require the restart of all services.
  So each task should notify just the required services for a restart.

When creating URL aliases that load Tables, such as:

opn_alias:

  # Blacklists

  - uuid: 0d561ada-f0e4-11e9-b9f0-00051b40070c
    settings:
      - key: name
        value: spamhouse_drops
      - key: type
        value: urltable
      - key: updatefreq
        value: "0.041666666666666664"
      - key: content
        list:
          - https://www.spamhaus.org/drop/drop.txt
          - https://www.spamhaus.org/drop/edrop.txt
      - key: description
        value: Spamhouse Drop and EDrop blacklists

The alias will be created but it wont be loaded up. This type of rule needs to be "applied" from the web ui for tables to be instantiated, for some reason.

since some release opnsense uses natural sorting for

  <rule>
    </interface>a,b,c</interface>
  </rule>

Hi!

I need to upgrade my firewall... but again, up to which version?

Would be nice to have the latest version of OPNSense this version is compatible with somwhere:

Perhaps in the Readme.md?
Perhaps in Release/Change logs?

What is the last tested opnsense version compatible with this playbook?