From 605f0f787efe66cc123bc529760a0f5e85fadb7e Mon Sep 17 00:00:00 2001
From: Jason DeTiberus <jdetiber@redhat.com>
Date: Mon, 9 Mar 2015 12:46:29 -0400
Subject: os_firewall fixes

- Fix variable references to os_firewall_{allow,deny} instead of {allow, deny}
- Fix ordering of service stop/start to ensure firewall rules are properly
  initiated after service startup
- Add test for package installed before attempting to disable or mask services
---
 roles/os_firewall/tasks/firewall/iptables.yml | 33 ++++++++++++++++-----------
 1 file changed, 20 insertions(+), 13 deletions(-)

(limited to 'roles/os_firewall/tasks/firewall/iptables.yml')

diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml
index 24c87d5e3..87e77c083 100644
--- a/roles/os_firewall/tasks/firewall/iptables.yml
+++ b/roles/os_firewall/tasks/firewall/iptables.yml
@@ -7,6 +7,19 @@
   - iptables
   - iptables-services
 
+- name: Check if firewalld is installed
+  command: rpm -q firewalld
+  register: pkg_check
+  failed_when: pkg_check.rc > 1
+  changed_when: no
+
+- name: Ensure firewalld service is not enabled
+  service:
+    name: firewalld
+    state: stopped
+    enabled: no
+  when: pkg_check.rc == 0
+
 - name: Start and enable iptables services
   service:
     name: "{{ item }}"
@@ -21,18 +34,12 @@
   pause: seconds=10
   when: result | changed
 
-- name: Ensure firewalld service is not enabled
-  service:
-    name: firewalld
-    state: stopped
-    enabled: no
-
+# TODO: submit PR upstream to add mask/unmask to service module
 - name: Mask firewalld service
   command: systemctl mask firewalld
   register: result
-  failed_when: result.rc != 0
-  changed_when: False
-  ignore_errors: yes
+  changed_when: "'firewalld' in result.stdout"
+  when: pkg_check.rc == 0
 
 - name: Add iptables allow rules
   os_firewall_manage_iptables:
@@ -40,8 +47,8 @@
     action: add
     protocol: "{{ item.port.split('/')[1] }}"
     port: "{{ item.port.split('/')[0] }}"
-  with_items: allow
-  when: allow is defined
+  with_items: os_firewall_allow
+  when: os_firewall_allow is defined
 
 - name: Remove iptables rules
   os_firewall_manage_iptables:
@@ -49,5 +56,5 @@
     action: remove
     protocol: "{{ item.port.split('/')[1] }}"
     port: "{{ item.port.split('/')[0] }}"
-  with_items: deny
-  when: deny is defined
+  with_items: os_firewall_deny
+  when: os_firewall_deny is defined
-- 
cgit v1.2.3