From b1a5b11af60e5f6388932a5410d97038583b090c Mon Sep 17 00:00:00 2001
From: Simon Cornet
Date: Fri, 22 May 2026 14:18:19 +0200
Subject: [PATCH] feat: add ufw portless proto support

---
 defaults/main.yaml | 6 ++++++
 tasks/firewall.yaml | 3 ++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/defaults/main.yaml b/defaults/main.yaml
index 781d17f..035c4f8 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -30,6 +30,12 @@ firewall_basic_rules:
 to_port: "22"
 from_ip: "192.168.10.55"
 firewall_host_rules: []
+firewall_portless_protocols:
+ - "ah"
+ - "esp"
+ - "gre"
+ - "igmp"
+ - "vrrp"
 
 # ntp
 ntp_server: "time.cloudflare.com"
diff --git a/tasks/firewall.yaml b/tasks/firewall.yaml
index 048d5d2..515c154 100644
--- a/tasks/firewall.yaml
+++ b/tasks/firewall.yaml
@@ -60,7 +60,8 @@
 direction: "in"
 proto: "{{ item.proto | default('tcp') }}"
 from_ip: "{{ item.from_ip }}"
- to_port: "{{ item.to_port }}"
+ to_port: "{{ omit if (item.proto | default('tcp')) in common_firewall_portless_protocols else item.to_port }}"
 loop: "{{ __firewall_all_rules }}"
 loop_control:
 label: " {{ item.name }}"
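Review bot: The new default is named `firewall_portless_protocols`, but the `to_port` expression this same commit adds in tasks/firewall.yaml reads `common_firewall_portless_protocols`; unless that second name is defined somewhere not shown here, the `in` test hits an undefined variable at run time and the ufw task fails for every rule, so one of the two names has to change, e.g. `"{{ omit if (item.proto | default('tcp')) in firewall_portless_protocols else item.to_port }}"`. None of the other variables in this hunk or in the task carry a `common_` prefix, which suggests the task-side name is the typo. The list itself should also say why it exists, since a reader of defaults/main.yaml cannot tell from the names alone: `# Protocols ufw treats as port-less; rules using one of these have to_port omitted`.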
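Review bot: The expression `item.proto | default('tcp')` is now evaluated twice in the same task, once for `proto` and again inside the new `to_port` condition, so the fallback protocol has to be kept in sync by hand in two places. Resolving it once at task level, e.g. a `vars:` entry `__firewall_proto: "{{ item.proto | default('tcp') }}"` used by both lines, removes that duplication; the task header and any existing `vars:` block lie outside the hunk, so this may need a small change there. The omit-or-port decision on the new `to_port` line is also the kind of thing that deserves a one-line comment above it, `# port-less protocols must not carry to_port; drop it so ufw gets a plain proto rule`.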