New version of Robot Firewall introduced breaking changes #75
Comments
Well, I guess it's nice that they finally added IPv6 support and outgoing connection support, but it's pretty annoying that they did this with an unannounced breaking change which invalidates every existing client of the API... I'll try to extend the module in the next days...
Yes, they usually at least announce it - especially since it looks like an improvement. But now complete silence, I only found out when my ansible scripts started to produce unaccessible servers. Anyways, I'm available if I can help with testing.
I started working on this in #76. Please note that I have tested nothing except the firewall_info so far, so the firewall module might or might not work (and might also do strange stuff, burn down datacenters, ... :) ) at this stage.
In the UI you cannot configure |
You are right, I missed seeing that it switched protocol from udp to '*' in the UI.
7.4.0

Major Changes
-------------

community.hrobot
~~~~~~~~~~~~~~~~

- firewall - Hetzner added output rules support to the firewall. This change unfortunately means that using old versions of the firewall module will always set the output rule list to empty, thus disallowing the server to send out packets (ansible-collections/community.hrobot#75, ansible-collections/community.hrobot#76).

community.vmware
~~~~~~~~~~~~~~~~

- Use true/false (lowercase) for boolean values in documentation and examples (ansible-collections/community.vmware#1660).

fortinet.fortios
~~~~~~~~~~~~~~~~

- Add annotations of member operation for every module.
- Update ``fortios.py`` for higher performance;
- supports temporary session key and pre/post login banner;
- update the examples on how to use member operation in Q&A.

purestorage.fusion
~~~~~~~~~~~~~~~~~~

- Patching of resource properties was brought to parity with underlying Python SDK, meaning the collection can create/update/delete all resource properties the SDK can
- fusion_volume - fixed and reorganized, arguments changed
SUMMARY
Hetzner introduced (without prior notification I might add) a breaking change to the robot firewall:
You now have to separately define an outgoing rule. Using the community.hrobot.firewall module results in an unaccessible server as the outgoing rules are left blank.
Secondly you can now refer to ipv4 / ipv6 or wildcard when defining an incoming / outgoing rule. If I read the API correctly https://robot.hetzner.com/doc/webservice/en.html#post-firewall-server-id you need to leave out protocol version in order to attain the wildcard. Again this is not supported
msg: 'missing required arguments: ip_version found in rules -> input'
Third: you have the option called **Filter IPv6 packets**; setting this is also not supported right now.
ISSUE TYPE
COMPONENT NAME
community.hrobot.firewall
ANSIBLE VERSION
COLLECTION VERSION
OS / ENVIRONMENT
Ubuntu 22.04 under wsl2