Description
SUMMARY
It would be nice if a `proxmox_firewall` module existed that allowed modifying the firewall at the cluster, node, and CT/VM levels.
ISSUE TYPE
- Feature Idea
COMPONENT NAME
proxmox_firewall
ADDITIONAL INFORMATION
Which level of firewall the module modifies can depend on various parameters of the module. For example, if `vmid` is provided then the CT/VM firewall will be modified (which one depends on what `vmid` is referring to). If `vmid` is not provided, but `node` is provided, then the node firewall is modified. If neither `vmid` nor `node` is provided then the cluster firewall is modified.
This feature would help fill in the gaps of my automation. Currently, with the Proxmox firewall enabled, when I create a CT (and this likely applies to a VM as well), Ansible cannot SSH into it because by default all INPUT is dropped. I have to create an explicit rule for the CT to accept SSH. This can be done somewhat easily by manually modifying the `/etc/pve/firewall/<vmid>.conf` file, but it seems preferable that this collection could handle it.
There are also other parts of the firewall besides rules that the module could modify.
```yaml
# Set firewall rules for CT/VM 1000
community.proxmox.proxmox_firewall:
  api_host: ""
  api_port: ""
  api_user: ""
  api_token_id: ""
  api_token_secret: ""
  vmid: 100
  rules:
    - enable: true
      type: in
      action: ACCEPT
      protocol: tcp
      dport: 22
      comment: ssh
    - enable: true
      type: in
      action: ACCEPT
      protocol: tcp
      dport: 443
      comment: https
```

```yaml
# Append mynetwork alias to cluster firewall
community.proxmox.proxmox_firewall:
  api_host: ""
  api_port: ""
  api_user: ""
  api_token_id: ""
  api_token_secret: ""
  append_aliases: true
  aliases:
    - name: mynetwork
      cidr: 10.10.10.10/24
      comment: mynetwork
```
Rules could probably be merged similarly to how `ansible.builtin.user` handles `groups`. If `append_rules` is false, then the rules are set as they are defined. However, if true, then rules are appended if they do not exist yet.
Other firewall options could also be modified by this module. For example, whether the firewall is enabled at all, input/output/forward policies, DHCP/NDP/RA enabled, log_level_x, etc. If an option is provided that doesn't work for the current firewall level (for example, forward policies are only applicable to cluster level) then the module could either ignore it or throw an error.
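As an added illustration of the behaviour sketched in this request (not code from the issue author or from the community.proxmox collection), the following Python pulls the three pieces together: picking the firewall level from `vmid`/`node`, the `append_rules` merge, and flagging options that do not apply at the selected level. The `INVENTORY` table is a constructed stand-in for a cluster-resources lookup, and treating the forward policy as cluster-only follows the issue text rather than any verified API constraint.

```python
from typing import Dict, List, Optional, Tuple

# Constructed inventory standing in for a cluster-resources lookup: vmid -> (node, "lxc" | "qemu").
INVENTORY: Dict[int, Tuple[str, str]] = {100: ("pve1", "lxc"), 200: ("pve2", "qemu")}

# Assumption taken from the issue text: forward policy only makes sense at cluster level.
CLUSTER_ONLY_OPTIONS = {"policy_forward"}

# Fields that decide whether a rule "already exists"; enable/comment are deliberately excluded.
RULE_IDENTITY = ("type", "action", "protocol", "dport", "sport", "source", "dest")


def firewall_path(vmid: Optional[int] = None, node: Optional[str] = None) -> str:
    """Select the API path for the level implied by the parameters (vmid > node > cluster)."""
    if vmid is not None:
        if vmid not in INVENTORY:
            raise ValueError(f"unknown vmid {vmid}")
        vm_node, vm_type = INVENTORY[vmid]  # which CT/VM depends on what vmid refers to
        return f"/nodes/{vm_node}/{vm_type}/{vmid}/firewall"
    if node is not None:
        return f"/nodes/{node}/firewall"
    return "/cluster/firewall"


def rule_identity(rule: dict) -> tuple:
    """Normalised tuple used to compare rules regardless of cosmetic fields."""
    return tuple(str(rule.get(k, "")) for k in RULE_IDENTITY)


def merge_rules(existing: List[dict], desired: List[dict], append_rules: bool) -> List[dict]:
    """append_rules=False: desired replaces existing; True: add only rules not present yet."""
    if not append_rules:
        return list(desired)
    present = {rule_identity(r) for r in existing}
    return list(existing) + [r for r in desired if rule_identity(r) not in present]


def check_options(options: dict, path: str) -> List[str]:
    """Return option names that do not apply at the selected level (caller ignores or fails)."""
    if path == "/cluster/firewall":
        return []
    return sorted(k for k in options if k in CLUSTER_ONLY_OPTIONS)


if __name__ == "__main__":
    ssh = {"enable": True, "type": "in", "action": "ACCEPT", "protocol": "tcp", "dport": 22, "comment": "ssh"}
    current = [dict(ssh, comment="added by hand")]  # constructed: the rule I created manually
    print(firewall_path(vmid=100), merge_rules(current, [ssh], append_rules=True))
```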