|
9 | 9 | name: linux-system-roles.firewall |
10 | 10 |
|
11 | 11 | - name: Get default zone |
12 | | - command: firewall-cmd --get-default-zone |
| 12 | + command: firewall-offline-cmd --get-default-zone |
13 | 13 | register: __default_zone |
14 | 14 | changed_when: false |
15 | 15 |
|
|
19 | 19 | # INIT TEST |
20 | 20 |
|
21 | 21 | - name: Remove custom zone |
22 | | - command: firewall-cmd --permanent --delete-zone=custom |
| 22 | + command: firewall-offline-cmd --delete-zone=custom |
23 | 23 | register: result |
24 | 24 | failed_when: result.failed and "INVALID_ZONE" not in result.stderr |
25 | 25 | changed_when: false |
26 | 26 |
|
27 | 27 | - name: Reset internal zone to defaults |
28 | | - command: firewall-cmd --permanent --load-zone-defaults=internal |
| 28 | + command: firewall-offline-cmd --load-zone-defaults=internal |
29 | 29 | register: result |
30 | 30 | failed_when: result.failed and "NO_DEFAULTS" not in result.stderr |
31 | 31 | changed_when: false |
32 | 32 |
|
33 | 33 | - name: Reset trusted zone to defaults |
34 | | - command: firewall-cmd --permanent --load-zone-defaults=trusted |
| 34 | + command: firewall-offline-cmd --load-zone-defaults=trusted |
35 | 35 | register: result |
36 | 36 | failed_when: result.failed and "NO_DEFAULTS" not in result.stderr |
37 | 37 | changed_when: false |
38 | 38 |
|
39 | 39 | - name: Reset dmz zone to defaults |
40 | | - command: firewall-cmd --permanent --load-zone-defaults=dmz |
| 40 | + command: firewall-offline-cmd --load-zone-defaults=dmz |
41 | 41 | register: result |
42 | 42 | failed_when: result.failed and "NO_DEFAULTS" not in result.stderr |
43 | 43 | changed_when: false |
44 | 44 |
|
45 | 45 | - name: Reset drop zone to defaults |
46 | | - command: firewall-cmd --permanent --load-zone-defaults=drop |
| 46 | + command: firewall-offline-cmd --load-zone-defaults=drop |
47 | 47 | register: result |
48 | 48 | failed_when: result.failed and "NO_DEFAULTS" not in result.stderr |
49 | 49 | changed_when: false |
50 | 50 |
|
51 | 51 | - name: Reset public zone to defaults |
52 | | - command: firewall-cmd --permanent --load-zone-defaults=public |
| 52 | + command: firewall-offline-cmd --load-zone-defaults=public |
53 | 53 | register: result |
54 | 54 | failed_when: result.failed and "NO_DEFAULTS" not in result.stderr |
55 | 55 | changed_when: false |
56 | 56 |
|
57 | 57 | - name: Reset default zone to defaults |
58 | 58 | shell: |
59 | 59 | cmd: | |
60 | | - zone=$(firewall-cmd --get-default-zone) |
61 | | - firewall-cmd --permanent --load-zone-defaults=$zone |
| 60 | + zone=$(firewall-offline-cmd --get-default-zone) |
| 61 | + firewall-offline-cmd --load-zone-defaults=$zone |
62 | 62 | register: result |
63 | 63 | failed_when: result.failed and "NO_DEFAULTS" not in result.stderr |
64 | 64 | changed_when: false |
65 | 65 |
|
66 | 66 | - name: Create custom zone |
67 | 67 | # noqa no-changed-when |
68 | | - command: firewall-cmd --permanent --new-zone=custom |
| 68 | + command: firewall-offline-cmd --new-zone=custom |
69 | 69 | register: result |
70 | 70 | failed_when: result.failed or not result.changed |
71 | 71 |
|
|
410 | 410 | failed_when: result is failed or result is changed |
411 | 411 |
|
412 | 412 | - name: Set the default zone to something other than dmz |
413 | | - command: firewall-cmd --set-default-zone public |
| 413 | + # --set-default-zone not idempotent: https://bugzilla.redhat.com/show_bug.cgi?id=2363037 |
| 414 | + shell: | |
| 415 | + cur_zone=$(firewall-offline-cmd --get-default-zone) |
| 416 | + if [ "$cur_zone" != public ]; then |
| 417 | + firewall-offline-cmd --set-default-zone public |
| 418 | + fi |
414 | 419 | changed_when: false |
415 | 420 |
|
416 | 421 | - name: Set default zone |
|
673 | 678 | # CLEANUP: RESET TO ZONE DEFAULTS |
674 | 679 |
|
675 | 680 | - name: Remove custom zone |
676 | | - command: firewall-cmd --permanent --delete-zone=custom |
| 681 | + command: firewall-offline-cmd --delete-zone=custom |
677 | 682 | register: result |
678 | 683 | failed_when: result.failed and "INVALID_ZONE" not in result.stderr |
679 | 684 | changed_when: false |
680 | 685 |
|
681 | 686 | - name: Remove customzone zone |
682 | | - command: firewall-cmd --permanent --delete-zone=customzone |
| 687 | + command: firewall-offline-cmd --delete-zone=customzone |
683 | 688 | register: result |
684 | 689 | failed_when: result.failed and "INVALID_ZONE" not in result.stderr |
685 | 690 | changed_when: false |
686 | 691 |
|
687 | 692 | - name: Reset internal zone to defaults |
688 | | - command: firewall-cmd --permanent --load-zone-defaults=internal |
| 693 | + command: firewall-offline-cmd --load-zone-defaults=internal |
689 | 694 | register: result |
690 | 695 | failed_when: result.failed and "NO_DEFAULTS" not in result.stderr |
691 | 696 | changed_when: false |
692 | 697 |
|
693 | 698 | - name: Reset trusted zone to defaults |
694 | | - command: firewall-cmd --permanent --load-zone-defaults=trusted |
| 699 | + command: firewall-offline-cmd --load-zone-defaults=trusted |
695 | 700 | register: result |
696 | 701 | failed_when: result.failed and "NO_DEFAULTS" not in result.stderr |
697 | 702 | changed_when: false |
698 | 703 |
|
699 | 704 | - name: Reset dmz zone to defaults |
700 | | - command: firewall-cmd --permanent --load-zone-defaults=dmz |
| 705 | + command: firewall-offline-cmd --load-zone-defaults=dmz |
701 | 706 | register: result |
702 | 707 | failed_when: result.failed and "NO_DEFAULTS" not in result.stderr |
703 | 708 | changed_when: false |
704 | 709 |
|
705 | 710 | - name: Reset drop zone to defaults |
706 | | - command: firewall-cmd --permanent --load-zone-defaults=drop |
| 711 | + command: firewall-offline-cmd --load-zone-defaults=drop |
707 | 712 | register: result |
708 | 713 | failed_when: result.failed and "NO_DEFAULTS" not in result.stderr |
709 | 714 | changed_when: false |
710 | 715 |
|
711 | 716 | - name: Reset public zone to defaults |
712 | | - command: firewall-cmd --permanent --load-zone-defaults=public |
| 717 | + command: firewall-offline-cmd --load-zone-defaults=public |
713 | 718 | register: result |
714 | 719 | failed_when: result.failed and "NO_DEFAULTS" not in result.stderr |
715 | 720 | changed_when: false |
716 | 721 |
|
717 | 722 | - name: Reset default zone to defaults |
718 | | - command: firewall-cmd --permanent --load-zone-defaults=public |
| 723 | + command: firewall-offline-cmd --load-zone-defaults=public |
719 | 724 | register: result |
720 | 725 | failed_when: result.failed and "NO_DEFAULTS" not in result.stderr |
721 | 726 | changed_when: false |
722 | 727 |
|
723 | 728 | - name: Reset default zone |
724 | | - command: >- |
725 | | - firewall-cmd |
726 | | - --set-default-zone={{ __default_zone.stdout | quote }} |
| 729 | + # --set-default-zone not idempotent: https://bugzilla.redhat.com/show_bug.cgi?id=2363037 |
| 730 | + shell: | |
| 731 | + cur_zone=$(firewall-offline-cmd --get-default-zone) |
| 732 | + if [ "$cur_zone" != {{ __default_zone.stdout | quote }} ]; then |
| 733 | + firewall-offline-cmd --set-default-zone={{ __default_zone.stdout | quote }} |
| 734 | + fi |
727 | 735 | changed_when: false |
728 | 736 |
|
729 | 737 | - name: Reload firewalld |
|