[pfsense_setup] added sshguard_whitelist option (fixes #129)

opoplawski · opoplawski · commit f456a4f9971c · 2026-03-15T14:38:23.000-06:00
diff --git a/changelogs/fragments/129_sshguard_whitelist.yaml b/changelogs/fragments/129_sshguard_whitelist.yaml
@@ -0,0 +1,2 @@
+minor_changes:
+  - pfsense_setup - added sshguard_whitelist option (https://github.com/pfsensible/core/issues/129).
diff --git a/plugins/modules/pfsense_setup.py b/plugins/modules/pfsense_setup.py
@@ -153,6 +153,12 @@
     description: Show hostname on login banner
     required: false
     type: bool
+  sshguard_whitelist:
+    description: Addresses (in CIDR notation) listed will bypass login protection.
+    required: false
+    type: list
+    elements: str
+    version_added: 0.7.2
 """
 
 EXAMPLES = """
@@ -229,6 +235,7 @@
     roworderdragging=dict(required=False, type='bool'),
     logincss=dict(required=False, type='str'),
     loginshowhost=dict(required=False, type='bool'),
+    sshguard_whitelist=dict(required=False, type='list', elements='str'),
 )
 
 
@@ -242,6 +249,14 @@ def p2o_dnslocalhost(self, name, params, obj):
             obj[name] = 'local'
 
 
+def p2o_network_list_to_space_separated(self, name, params, obj):
+    if params[name] is not None:
+        for net in params[name]:
+            if not (self.pfsense.is_ipv4_network(net, strict=False) or self.pfsense.is_ipv6_network(net, strict=False)):
+                self.module.fail_json(msg=f"Address {net} is not a valid network")
+        obj[name] = ' '.join(params[name])
+
+
 def p2o_webguicss(self, name, params, obj):
     if params[name] is not None:
         # Add .css suffix if not present
@@ -262,6 +277,7 @@ def validate_webguicss(self, webguicss):
 
 SETUP_ARG_ROUTE = dict(
     dnslocalhost=dict(parse=p2o_dnslocalhost),
+    sshguard_whitelist=dict(parse=p2o_network_list_to_space_separated),
     webguicert=dict(parse=p2o_cert, validate=validate_cert),
     webguicss=dict(parse=p2o_webguicss, validate=validate_webguicss),
 )
@@ -526,6 +542,13 @@ def _update(self):
 
         cmd += '$retval |= filter_configure();\n'
 
+        restart_sshguard = False
+        for param in ['sshguard_whitelist']:
+            if self.obj.get(param) != self.diff['before'].get(param):
+                restart_sshguard = True
+        if restart_sshguard:
+            cmd += 'system_sshguard_stop();$retval |= system_syslogd_start(true);\n'
+
         restart_webgui = False
         for param in ['ssl-certref']:
             if self.obj['webgui'].get(param) != self.diff['before']['webgui'].get(param):

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+minor_changes:`
	`2`	`+ - pfsense_setup - added sshguard_whitelist option (https://github.com/pfsensible/core/issues/129).`