community.proxmox.proxmox_firewall_info module – Manage firewall rules in Proxmox

Note

This module is part of the community.proxmox collection (version 1.4.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.proxmox. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: community.proxmox.proxmox_firewall_info.

New in community.proxmox 1.4.0

Synopsis

  • Get firewall rules at cluster/group/vnet/node/vm level.

  • Get firewall security groups at cluster level.

  • Get aliases at cluster/VM level.

Requirements

The below requirements are needed on the host that executes this module.

  • proxmoxer >= 2.0

  • requests

Parameters

Parameter

Comments

api_host

string / required

Specify the target host of the Proxmox VE cluster.

Uses the PROXMOX_HOST environment variable if not specified.

api_password

string

Specify the password to authenticate with.

Uses the PROXMOX_PASSWORD environment variable if not specified.

api_port

integer

Specify the target port of the Proxmox VE cluster.

Uses the PROXMOX_PORT environment variable if not specified.

api_token_id

string

Specify the token ID.

Uses the PROXMOX_TOKEN_ID environment variable if not specified.

api_token_secret

string

Specify the token secret.

Uses the PROXMOX_TOKEN_SECRET environment variable if not specified.

api_user

string / required

Specify the user to authenticate with.

Uses the PROXMOX_USER environment variable if not specified.

group

string

Name of the group to which the rule belongs.

Only needed when level=group.

level

string

Level at which the firewall rule applies.

Choices:

  • "cluster" ← (default)

  • "group"

  • "vnet"

  • "node"

  • "vm"

node

string

Name of the node.

Only needed when level=node.

pos

integer

Position of the rule in the list.

validate_certs

boolean

If false, SSL certificates will not be validated.

This should only be used on personally controlled sites using self-signed certificates.

Uses the PROXMOX_VALIDATE_CERTS environment variable if not specified.

Choices:

  • false ← (default)

  • true

vmid

integer

ID of the VM to which the rule applies.

Only needed when level=vm.

vnet

string

Name of the virtual network for the rule.

Only needed when level=vnet.

Attributes

Attribute

Support

Description

action_group

Action group: community.proxmox.proxmox

Use group/community.proxmox.proxmox in module_defaults to set defaults for this module.

check_mode

Support: full

This action does not modify state.

Can run in check_mode and return changed status prediction without modifying target.

diff_mode

Support: N/A

This action does not modify state.

Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode.

Examples

- name: Get Cluster level firewall rules, aliases, and security groups
  community.proxmox.proxmox_firewall_info:
    api_user: "{{ pc.proxmox.api_user }}"
    api_token_id: "{{ pc.proxmox.api_token_id }}"
    api_token_secret: "{{ vault.proxmox.api_token_secret }}"
    api_host: "{{ pc.proxmox.api_host }}"
    validate_certs: false
    level: cluster
  register: fw_info

Return Values

Common return values are documented separately; the following fields are unique to this module:

Key

Description

aliases

list / elements=dictionary

List of aliases present at the given level.

Aliases only exist at cluster and VM level, so for any other level this is an empty list.

Returned: on success

Sample:
  [{"cidr": "10.10.1.0/24", "digest": "978391f460484e8d4fb3ca785cfe5a9d16fe8b1f", "ipversion": 4, "name": "test1"},
   {"cidr": "10.10.2.0/24", "digest": "978391f460484e8d4fb3ca785cfe5a9d16fe8b1f", "ipversion": 4, "name": "test2"},
   {"cidr": "10.10.3.0/24", "digest": "978391f460484e8d4fb3ca785cfe5a9d16fe8b1f", "ipversion": 4, "name": "test3"}]

firewall_rules

list / elements=dictionary

List of firewall rules at given level.

Returned: on success

Sample:
  [{"action": "ACCEPT", "digest": "b5ddaed23b415b9368706fc9edc83d037526aae9", "dport": "53", "enable": 1, "ipversion": 4, "log": "nolog", "pos": 0, "proto": "udp", "source": "192.168.1.0/24", "type": "in"},
   {"action": "ACCEPT", "digest": "b5ddaed23b415b9368706fc9edc83d037526aae9", "dport": "53", "enable": 1, "ipversion": 4, "log": "nolog", "pos": 1, "proto": "tcp", "source": "192.168.1.0/24", "type": "in"},
   {"action": "ACCEPT", "dest": "192.168.1.0/24", "digest": "b5ddaed23b415b9368706fc9edc83d037526aae9", "enable": 1, "ipversion": 4, "log": "nolog", "pos": 2, "type": "out"},
   {"action": "ACCEPT", "digest": "b5ddaed23b415b9368706fc9edc83d037526aae9", "enable": 1, "ipversion": 4, "log": "nolog", "pos": 3, "source": "192.168.1.0/24", "type": "in"},
   {"action": "ACCEPT", "dest": "+sdn/test2-gateway", "digest": "b5ddaed23b415b9368706fc9edc83d037526aae9", "enable": 1, "iface": "test2", "log": "nolog", "macro": "DNS", "pos": 4, "type": "in"},
   {"action": "ACCEPT", "digest": "b5ddaed23b415b9368706fc9edc83d037526aae9", "enable": 1, "iface": "test2", "log": "nolog", "macro": "DHCPfwd", "pos": 5, "type": "in"},
   {"action": "ACCEPT", "dest": "+sdn/test2-all", "digest": "b5ddaed23b415b9368706fc9edc83d037526aae9", "dport": "68", "enable": 1, "log": "nolog", "pos": 6, "proto": "udp", "source": "+sdn/test2-gateway", "sport": "67", "type": "out"},
   {"action": "DROP", "digest": "b5ddaed23b415b9368706fc9edc83d037526aae9", "enable": 1, "log": "nolog", "pos": 7, "type": "in"},
   {"action": "DROP", "digest": "b5ddaed23b415b9368706fc9edc83d037526aae9", "enable": 1, "log": "nolog", "pos": 8, "type": "out"}]
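As an added example (not part of the collection), a small Python audit over the firewall_rules structure this module returns: it flags enabled ACCEPT rules with no source/dest/port/macro restriction, disabled rules, and directions that lack a trailing catch-all DROP. The rule list is constructed here in the documented return format; the rules at pos 2 (wide open) and pos 3 (disabled) are deliberate.

```python
# Constructed sample in the module's return format (same keys as the
# documented sample, digests omitted); pos 2 is deliberately wide open
# and pos 3 is deliberately disabled.
SAMPLE_RULES = [
    {"action": "ACCEPT", "dport": "53", "enable": 1, "log": "nolog", "pos": 0,
     "proto": "udp", "source": "192.168.1.0/24", "type": "in"},
    {"action": "ACCEPT", "dest": "192.168.1.0/24", "enable": 1, "log": "nolog",
     "pos": 1, "type": "out"},
    {"action": "ACCEPT", "enable": 1, "log": "nolog", "pos": 2, "type": "in"},
    {"action": "ACCEPT", "enable": 0, "log": "nolog", "pos": 3, "type": "in",
     "source": "10.0.0.0/8"},
    {"action": "DROP", "enable": 1, "log": "nolog", "pos": 4, "type": "in"},
    {"action": "DROP", "enable": 1, "log": "nolog", "pos": 5, "type": "out"},
]

# Keys that narrow a rule; an enabled ACCEPT with none of them matches everything.
SELECTORS = ("source", "dest", "dport", "sport", "proto", "macro", "iface")


def _enabled(rule):
    # Proxmox reports enable as 0/1; treat a missing key as enabled.
    return rule.get("enable", 1) == 1


def is_unrestricted_accept(rule):
    return (rule.get("action") == "ACCEPT" and _enabled(rule)
            and not any(rule.get(k) for k in SELECTORS))


def is_catch_all_drop(rule):
    return (rule.get("action") in ("DROP", "REJECT") and _enabled(rule)
            and not any(rule.get(k) for k in SELECTORS))


def audit_rules(rules):
    """Return a sorted list of (pos, finding) tuples; empty means nothing to review."""
    findings = []
    ordered = sorted(rules, key=lambda r: r.get("pos", 0))
    for r in ordered:
        if is_unrestricted_accept(r):
            findings.append((r["pos"], "enabled ACCEPT with no source/dest/port restriction"))
        if not _enabled(r):
            findings.append((r["pos"], "rule is disabled; confirm it is still wanted"))
    # Only the rule list is inspected: whatever default policy applies after
    # the last rule is not part of this module's return value.
    for direction in ("in", "out"):
        same_dir = [r for r in ordered if r.get("type") == direction]
        if not same_dir or not is_catch_all_drop(same_dir[-1]):
            findings.append((-1, f"no trailing catch-all DROP/REJECT rule for type={direction}"))
    return sorted(findings)
```

Feed it the registered result of the module (for example `fw_info.firewall_rules` from the playbook above) to turn the rule list into review findings.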

groups

list / elements=string

List of firewall security groups.

This is always read at cluster level, regardless of the level passed, because firewall security groups only exist at cluster level.

Returned: on success

Sample: ["test"]

ip_sets

list / elements=dictionary

List of IP Sets.

IP sets are only supported at level=cluster; other level values are ignored for this field.

Returned: on success

Sample:
  [{"cidrs": [], "digest": "8c4a5e793355b2a877659315faaa78cbd0bc9f6c", "name": "emptytest"},
   {"cidrs": [{"cidr": "192.168.1.10", "comment": "Proxmox pve-01", "digest": "ed830373d096f6b9f868e59c6182e0b2042e6bad", "nomatch": false}, {"cidr": "192.168.1.11", "comment": "Proxmox pve-02", "digest": "ed830373d096f6b9f868e59c6182e0b2042e6bad", "nomatch": true}], "comment": "PVE hosts", "digest": "8c4a5e793355b2a877659315faaa78cbd0bc9f6c", "name": "hypervisors"},
   {"cidrs": [{"cidr": "10.10.1.0", "comment": "Proxmox pve-01", "digest": "f15cef67632375227d849ee0a449d845ab136677", "nomatch": false}], "comment": "PVE hosts", "digest": "8c4a5e793355b2a877659315faaa78cbd0bc9f6c", "name": "test"}]

Authors

  • Jana Hoch