flatkey / ansible-firewalld-role Goto Github PK

It's not possible to remove an interface from a zone or purge unconfigured interfaces.

In check mode, set firewalld default zone fails with this error:

The conditional check 'defaultzone.stdout != default_zone' failed. The error was: error while evaluating conditional (defaultzone.stdout != default_zone): 'dict object' has no attribute 'stdout'

because the tasks is skipped.

To prevent this, you should add check_mode: no into the task :

- name: get actual firewalld default zone
  command: /bin/firewall-cmd --get-default-zone
  register: defaultzone
  changed_when: false
  check_mode: no
  tags: firewalld

Thx

The example in README.md refers to "firewalld__zone_interface" but it should be "firewalld_zone_interface" (one underscore between firewall and zone).

The purge of unconfigured rich rules should be possible.

I'm getting this conditional check error since recently:

The conditional check 'firewalld_purge_services and item not in firewalld_service_rules' failed. The error was: error while evaluating conditional (firewalld_purge_services and item not in firewalld_service_rules): 'firewalld_purge_services' is undefined\n\nThe error appears to have been in '/var/lib/awx/projects/_10__soe/roles/FlatKey.firewalld/tasks/main.yml': line 53, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: purge unconfigured firewalld service rules\n ^ here\n

I don't have the firewalld_purge_services variable defined, but thought it was optional

set firewalld default zone fails when default_zone not set because of the conditional:
when: defaultzone.stdout != default_zone

I suggest removing the conditional altogether, as well as task "get actual firewalld default zone", since removing these would produce the same effect:

1. If default zone isn't 'public' it would be changed to public;
2. If default zone is 'public', it won't do anything.

There seems to be a hardcoded interface name in https://github.com/FlatKey/ansible-firewalld-role/blob/master/tasks/main.yml#L25 :

if [[ "$(/bin/firewall-cmd --get-zone-of-interface=enp4s0)" != "public" ]]

Most tasks where a zone is required default to 'public'.
I suggest they should default to 'default_zone' and then to public, which can be achieved by doing this:
zone: "{{ item.value.zone|default(default_zone|default('public')) }}"