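---
# Open and close firewalld ports from two optional list variables:
#   allow - entries whose `port` is opened
#   deny  - entries whose `port` is closed again
# Each change is applied twice: once to the running configuration
# (permanent: false) and once to the saved one (permanent: true), so the
# rule takes effect now and is still there after a reload or reboot.
#
# Points to check when reviewing the resulting rule set:
#   - No `zone` is given, so the module acts on firewalld's default zone.
#     Confirm the default zone is the one bound to the exposed interface.
#   - The firewalld module expects `port` as PORT/PROTOCOL or
#     PORT-PORT/PROTOCOL (constructed example: 8443/tcp). The shape of the
#     list entries is assumed from `item.port`; verify against the caller.
#   - `state: disabled` only removes an explicit port rule. A port that is
#     also opened through a firewalld service or rich rule stays reachable.
#   - The deny tasks run after the allow tasks, so a port listed in both
#     variables ends up closed.
#
# The loops use "{{ var | default([]) }}" rather than a bare variable name:
# newer Ansible releases treat a bare name in with_items as a literal
# string, and the default keeps an undefined list from failing the task.

# TODO: Ansible 1.9 will eliminate the need for separate firewalld tasks for
# enabling rules and making them permanent with the immediate flag
- name: "Add firewalld allow rules"
  firewalld:
    port: "{{ item.port }}"
    permanent: false
    state: enabled
  with_items: "{{ allow | default([]) }}"
  when: allow is defined

- name: "Persist firewalld allow rules"
  firewalld:
    port: "{{ item.port }}"
    permanent: true
    state: enabled
  with_items: "{{ allow | default([]) }}"
  when: allow is defined

- name: "Remove firewalld allow rules"
  firewalld:
    port: "{{ item.port }}"
    permanent: false
    state: disabled
  with_items: "{{ deny | default([]) }}"
  when: deny is defined

- name: "Persist removal of firewalld allow rules"
  firewalld:
    port: "{{ item.port }}"
    permanent: true
    state: disabled
  with_items: "{{ deny | default([]) }}"
  when: deny is defined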