Config corruption when using pfsense_alias #13
Hi, sorry about that. I can't reproduce that issue. Which version of pfSense are you running on the corrupted firewall? |
Would it be possible to get a diff of the config.xml before and after? |
Hello, thanks a lot for your help. I attached a diff file from before and after applying the Ansible state. It seems it removed all CDATA, not much else. I wonder if that's the cause of the issue. Thanks again |
Thanks. It should be ok with the last commit. |
It works perfectly, thanks a lot. |
My bad, there's still some issue. The alias is created, but the descriptions (for the alias and per network/IP) are empty and an error is triggered each time on pfSense: |
Some fields in "interface" seem to have the same issue as earlier in the config.xml:
I doubt it'll fix the empty description fields, but I think that's what triggers the error on pfSense. |
To have a description on your aliases, you have to use the descr parameter in your playbook. The interface XML looks OK to me. It's just the Python XML parser that is shortening elements. I suppose Orion used the 'html' style to prevent that, but it was not closing some tags in that mode (like the area), which triggers your initial issue. You can see that around line 1000: https://github.com/python/cpython/blob/2.7/Lib/xml/etree/ElementTree.py. Is there any information in rules.debug that would help us to identify what is wrong? Have you created any rule with pfsense_rule? Or is it using an alias created with pfsense_alias? |
I used the fields "descr" and "detail", both seem to have no effect:
I'm not referring to the closed brackets, but some CDATA disappears just like on the first diff. Not sure if that's an issue or not. I'm not using pfsense_rule at all for the moment, only pfsense_alias.
It seems to be the cause of the error reported above. Not sure if that really helps you, since I don't know what the value should be. Please let me know if you need anything else. Thanks. |
The stripping of CDATA is a known quirk with ElementTree and hasn't been an issue before. I suspect the change of the closing element style is an issue - pfSense seems to use an odd/custom XML parser/generator. That is why I specified method='html' when generating the config.xml file. I'm not quite sure I follow what the initial issue here was, though, that led @f-bor to change that to method='xml'. |
The initial issue was that the configuration was completely broken, making pfSense unusable (no WebUI access at all, reporting the error in the first message, and the same behavior from Ansible). Changing it to "xml" fixed the issue, the aliases are added, but no descriptions (per alias or IP/network) are provided, and an error (non-critical, does not prevent access to the WebUI or Ansible) is thrown: |
@Hakujou I can't reproduce the description issue. Can you post the playbook you're using to create or update the alias? |
@opoplawski, I did some tests before pushing the fix. It does not seem to affect the ability of pfSense to read the configuration file. Also, after one change in the GUI, pfSense generates elements with the closing style again. |
Sure, here's the playbook:
With the following variables: |
What I'd like to see is a diff of the initial working config.xml and the broken config.xml generated with method='html'. I don't yet understand the XML output that's making pfSense complain. |
Diff was provided here: #13 (comment) |
Yes, but it makes comparing updates visually much easier. Unless it's just not possible, I want to keep using method='html' to try to keep the formatting as similar as possible. |
This seems to indicate that it is encountering a line with just tabs after a line ending with 'rface>'. I don't see that in the diff. Is that in the generated config.xml file somewhere? |
I tried to reproduce the error but I got a different error this time:
The following variable was used with the above playbook:
Here's the diff: config.diff.txt |
@opoplawski
When writing HTML, the Python XML library considers that an area tag must be empty (no inner text). So it does not close the tag and generates malformed XML. You can see that around line 1000 in the 2.7 library: https://github.com/python/cpython/blob/2.7/Lib/xml/etree/ElementTree.py |
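As an added example (not code from ansible-pfsense or from anyone in this thread), the snippet below reproduces the three ElementTree behaviours discussed above on a constructed fragment: with method='html' an element named area is treated as an HTML void element and its closing tag is dropped, producing output that no longer parses as XML; with method='xml' empty elements are shortened to the self-closing form; and CDATA sections are unwrapped by both. The fragment is made up and is not a real pfSense config.xml; the element names are chosen only to show the effect.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real pfSense config.xml: one element named
# "area" with inner text, one CDATA-wrapped description, one empty element.
SAMPLE = (
    "<pfsense>"
    "<area>inner text</area>"
    "<descr><![CDATA[Web servers]]></descr>"
    "<enable></enable>"
    "</pfsense>"
)


def roundtrip(xml_text, method):
    """Parse xml_text with ElementTree and serialize it back with the given
    method ("xml" or "html"), the way a tool rewriting config.xml would."""
    root = ET.fromstring(xml_text)
    return ET.tostring(root, encoding="unicode", method=method)


def reparses(xml_text):
    """True if the text is well-formed XML, i.e. something pfSense could read
    back. The html serializer's unclosed <area> makes this fail."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    for method in ("xml", "html"):
        out = roundtrip(SAMPLE, method)
        print("%-4s -> %s" % (method, out))
        print("     well-formed: %s, CDATA kept: %s"
              % (reparses(out), "CDATA" in out))
```

Running it shows the html output as `<pfsense><area>inner text<descr>Web servers</descr><enable></enable></pfsense>` (no `</area>`, so the re-parse fails with a mismatched tag), while the xml output closes `area` but emits `<enable />`. Neither keeps the CDATA wrapper, which matches the diff reported earlier in the thread.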
@Hakujou, in your playbook, you are not using the detail and descr variables you have defined. That's why you don't have any description. You have to use them like address, name or type. |
Ah, thanks for being explicit about '<area>' - I didn't catch that. |
@Hakujou I don't think the rules.debug issue is related to us and I can't reproduce it. Those rules are generated when you uncheck "IP Do-Not-Fragment compatibility" and "Disable Firewall Scrub" in System / Advanced / Firewall & NAT. They are checked by default. Can you try to delete the alert, recheck those two boxes, save, uncheck them again, save, play around with pfsense_alias to make some changes and tell us if the alert appears again at any time? |
My bad for the playbook, I completely forgot to re-add them, I deleted them for testing... I feel stupid. Regarding the other issue, "IP Do-Not-Fragment compatibility" and "Disable Firewall Scrub" are not checked by default (because they are violations of RFC for compatibility, which has its uses but is still bad practice).
It must be related to ansible-pfsense, since I had the same behaviour on five pfSense VMs, which never had any issue (not any error at all) before using it. I think it somehow breaks the configuration, as any modification of a firewall rule (even without making changes, just by re-saving existing parameters) triggers the error again. |
The issue was caused by aliases having the same name as interfaces. It wasn't tested in pfsense_alias. I fixed that. You just have to delete the aliases that have the same name as interfaces and the error will be gone. |
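An added example, not part of ansible-pfsense or of anyone's comment here: a small check that reads a config.xml and lists alias names colliding with an interface, so affected aliases can be found before pfSense starts complaining. It assumes the config.xml layout I know from pfSense (an `<interfaces>` element whose children are named after the interface, each with a `<descr>`, and `<aliases><alias><name>`), and it compares names case-insensitively, which is a deliberate over-approximation; whether pfSense itself compares case-insensitively is not something this thread establishes. The config fragment is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml fragment, not taken from a real firewall. The layout
# (<interfaces> children named after the interface, each with a <descr>;
# <aliases><alias><name>) is assumed to match pfSense's config.xml.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><enable></enable><descr><![CDATA[WAN]]></descr></wan>
    <lan><enable></enable><descr><![CDATA[LAN]]></descr></lan>
    <opt1><enable></enable><descr><![CDATA[DMZ]]></descr></opt1>
  </interfaces>
  <aliases>
    <alias><name>DMZ</name><type>network</type><address>10.0.0.0/24</address></alias>
    <alias><name>web_servers</name><type>host</type><address>10.0.0.10</address></alias>
    <alias><name>lan</name><type>network</type><address>192.168.1.0/24</address></alias>
  </aliases>
</pfsense>
"""


def interface_names(root):
    """Tag names (wan, lan, opt1, ...) and descriptions of every configured
    interface, lower-cased so the comparison below is case-insensitive
    (an assumption: stricter than an exact match would be)."""
    names = set()
    interfaces = root.find("interfaces")
    if interfaces is None:
        return names
    for iface in interfaces:
        names.add(iface.tag.lower())
        descr = iface.findtext("descr")
        if descr:
            names.add(descr.strip().lower())
    return names


def alias_interface_collisions(xml_text):
    """Return the alias names that collide with an interface tag or description,
    in config order. An empty list means no alias needs to be renamed/deleted."""
    root = ET.fromstring(xml_text)
    reserved = interface_names(root)
    collisions = []
    for alias in root.iterfind("aliases/alias"):
        name = alias.findtext("name")
        if name and name.strip().lower() in reserved:
            collisions.append(name.strip())
    return collisions


if __name__ == "__main__":
    for name in alias_interface_collisions(SAMPLE_CONFIG):
        print("alias %r collides with an interface name; rename or delete it" % name)
```

On the constructed fragment this reports `DMZ` (matches the opt1 description) and `lan` (matches the interface tag), while `web_servers` passes. To run it against a firewall, feed it the contents of the downloaded config.xml instead of SAMPLE_CONFIG.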
Hi,
I'm trying to use your module to manage aliases, but unfortunately it seems to corrupt the configuration. Here's a sample from my role:
(It's pretty much the only task, for testing purposes.)
After applying it, it seems successful:
But when I try to reload the web UI (or reapply the task), I get the following error:
Could you please check? Thanks