feat(pfsense_rule): add state tracking options#253
Open
adriangalilea wants to merge 1 commit intopfsensible:masterfrom
Open
feat(pfsense_rule): add state tracking options#253adriangalilea wants to merge 1 commit intopfsensible:masterfrom
adriangalilea wants to merge 1 commit intopfsensible:masterfrom
Conversation
…_states, etc.) Add support for PF state tracking advanced options to the pfsense_rule module. These were previously listed in RULE_UNMANAGED_ELEMENTS and are now fully managed parameters: - max_src_conn: max established connections per source host - max_src_states: max state entries per source host - max_src_nodes: max unique source hosts - max_src_conn_rate: max new connections per time interval - max_src_conn_rates: time interval (seconds) for max_src_conn_rate - statetimeout: state timeout in seconds These map to the pfSense XML config elements max-src-conn, max-src-states, max-src-nodes, max-src-conn-rate, max-src-conn-rates, and statetimeout respectively. Validation ensures: - State tracking options only apply to pass rules - max_src_conn/max_src_conn_rate require TCP protocol - max_src_conn_rate and max_src_conn_rates must be set together
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds support for PF state tracking advanced options to the
pfsense_rulemodule. These fields were previously listed inRULE_UNMANAGED_ELEMENTS(preserved but not configurable). This PR promotes them to fully managed parameters.New parameters
max_src_connmax-src-connmax_src_statesmax-src-statesmax_src_nodesmax-src-nodesmax_src_conn_ratemax-src-conn-ratemax_src_conn_ratesmax-src-conn-ratesmax_src_conn_ratestatetimeoutstatetimeoutExample usage
Validation
passrules (pfSense requirement)max_src_connandmax_src_conn_raterequire TCP protocolmax_src_conn_rateandmax_src_conn_ratesmust be set togetherMotivation
The pfSense REST API package (
pfSense-pkg-RESTAPI) does not expose these fields either, making Ansible via pfsensible the only programmatic way to manage PF rate-limiting rules. These options are critical for protecting services from connection floods (SYN floods, DDoS) without manual Web UI configuration.Changes
plugins/module_utils/rule.py: Added 6 params toRULE_ARGUMENT_SPEC, XML mapping in_params_to_obj, validation in_validate_params, removal handling, and loggingplugins/modules/pfsense_rule.py: Added documentation and example for new paramstests/unit/plugins/modules/test_pfsense_rule_create.py: Added 8 tests covering creation, validation, and error cases