Skip to content

add diff support to ufw module #10666

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 12 commits into
base: main
Choose a base branch
from
Open

add diff support to ufw module #10666

wants to merge 12 commits into from

Conversation

wytmttft-cmd
Copy link

SUMMARY

minor_changes:

  • ufw - now reports diff
ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME

ufw

ADDITIONAL INFORMATION

before this code change:

changed: [myhost] => (item={'rule': 'allow', 'direction': 'in', 'name': 'OpenSSH', 'from_ip': '10.10.10.8/32', 'comment': 'mgmt - XXXXX'})

after this code change:

--- before
+++ after
@@ -16,6 +16,9 @@
 :ufw-user-limit - [0:0]
 :ufw-user-limit-accept - [0:0]
 ### RULES ###
+
+### tuple ### allow tcp 22 0.0.0.0/0 any 10.10.10.10 OpenSSH - in comment='[Ansible managed] mgmt - XXXXX'
+-A ufw-user-input -p tcp --dport 22 -s 10.10.10.10 -j ACCEPT -m comment --comment 'dapp_OpenSSH'
 
 ### END RULES ###
 

changed: [myhost] => (item={'rule': 'allow', 'direction': 'in', 'name': 'OpenSSH', 'from_ip': '10.10.10.8/32', 'comment': 'mgmt - XXXXX'})

@ansibullbot
Copy link
Collaborator

cc @ahtik @ovcharenko @pyykkis
click here for bot help

@ansibullbot ansibullbot added feature This issue/PR relates to a feature request module module new_contributor Help guide this first time contributor plugins plugin (any type) labels Aug 14, 2025
@ansibullbot

This comment was marked as outdated.

Sign in to view
@ansibullbot ansibullbot added the needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR label Aug 14, 2025
@ansibullbot

This comment was marked as outdated.

Sign in to view
@ansibullbot

This comment was marked as outdated.

Sign in to view
@ansibullbot ansibullbot added tests tests unit tests/unit labels Aug 14, 2025
@felixfontein felixfontein added check-before-release PR will be looked at again shortly before release and merged if possible. backport-11 Automatically create a backport for the stable-10 branch labels Aug 14, 2025
felixfontein
felixfontein reviewed Aug 15, 2025
View reviewed changes
Copy link
Collaborator

@felixfontein felixfontein left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your contribution! Please add a changelog fragment. Thanks.

I've added some first comments below. Please note that right now, the tests are failing.

plugins/modules/ufw.py
params = module.params

commands = {key: params[key] for key in command_keys if params[key]}
commands = dict((key, params[key]) for key in command_keys if params[key])
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please keep the dictionary literal syntax.

plugins/modules/ufw.py
cmd.append([params['comment'], "comment '%s'" % params['comment']])

rules_dry = execute(cmd)
cmd = [[ufw_bin], ["--dry-run route allow in on foo out on bar from 1.1.1.2 port 7000 to 8.8.8.8 port 7001 proto tcp"]]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These hard-coded values look wrong. What is this supposed to do?

plugins/modules/ufw.py
if not module.check_mode:
post_state = execute([[ufw_bin], ['status'], ['verbose']])
post_rules = get_current_rules()
if (not changed):
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (not changed):
if not changed:

plugins/modules/ufw.py
Comment on lines +641 to +646
if (diff is not None) and (diff["before"] == diff["after"]):
diff = None

if (changed) and (diff is None):
raise Exception("ufw module reported a change, but no differences detected")
elif (changed is False) and (diff is not None):
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's unusual to use these many brackets in Python:

Suggested change
if (diff is not None) and (diff["before"] == diff["after"]):
diff = None
if (changed) and (diff is None):
raise Exception("ufw module reported a change, but no differences detected")
elif (changed is False) and (diff is not None):
if diff is not None and diff["before"] == diff["after"]:
diff = None
if changed and diff is None:
raise Exception("ufw module reported a change, but no differences detected")
elif changed is False and diff is not None:

@wytmttft-cmd
Copy link
Author

wytmttft-cmd commented Aug 19, 2025 via email

@ansibullbot ansibullbot added the stale_ci CI is older than 7 days, rerun before merging label Aug 27, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@felixfontein felixfontein felixfontein left review comments

Assignees
No one assigned
Labels
backport-11 Automatically create a backport for the stable-10 branch check-before-release PR will be looked at again shortly before release and merged if possible. feature This issue/PR relates to a feature request module module needs_revision This PR fails CI tests or a maintainer has requested a review/revision of the PR new_contributor Help guide this first time contributor plugins plugin (any type) stale_ci CI is older than 7 days, rerun before merging tests tests unit tests/unit
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@wytmttft-cmd @ansibullbot @felixfontein