fix - unmask firewalld on run, disable conflicting services

Role will now always attempt to unmask on role run add variable 'firewall_disable_conflicting_services' to enable the disabling of conflicting services - Set to false by default - Requires that services are enumerated on managed nodes, which can introduce potentially unnecessary runtime overhead Update README to document the following behavior of the system role: - linux-system-roles.firewall will attempt to install, unmask, and enable firewalld - linux-system-roles.firewall can attempt to disable directly conflicting services to firewalld - and that is enabled by setting the variable 'firewall_disable_conflicting_services' to true - list of conflicting services present in vars/main.yml test cases for these changes in tests/tests_default.yml Addresses GitHub Issues: #103, #136
linux-system-roles · Jul 12, 2023 · b17a74a · b17a74a
1 parent 156614e
commit b17a74a
Show file tree

Hide file tree

Showing 5 changed files with 97 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -3,6 +3,12 @@ firewall
 ![CI Testing](https://github.com/linux-system-roles/firewall/workflows/tox/badge.svg)
 
 This role configures the firewall on machines that are using firewalld.
+If firewalld is not in use, the role will install (if not already installed),
+unmask, and enable firewalld.
+
+The role can also attempt to disable known conflicting services.
+The list of known conflicting services can be found in `vars/main.yml`,
+please sumbit an issue if there are any unaccounted-for services.
 
 For the configuration the role uses the firewalld client interface
 which is available in RHEL-7 and later.
@@ -195,6 +201,21 @@ permanent change was made to each setting:
 
 Variables
 ---------
+## firewall_disable_conflicting_services
+
+By default, the firewall role does not attempt to disable conflicting services such as `nftables.service` due to the
+overhead associated with enumerating the services when disabling services is potentially unecessary.
+To enable this feature, set the variable `firewall_disable_conflicting_services` to `true`:
+
+```yaml
+- name: Enable firewalld, disable conflicting services
+  include_role: linux-system-roles.firewall
+  vars:
+    firewall_disable_conflicting_services: true
+```
+
+
+## firewall
 
 The firewall role uses the variable `firewall` to specify the parameters.  This variable is a `list` of `dict` values.  Each `dict` value is comprised of one or more keys listed below. These are the variables that can be passed to the role:
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1,2 +1,3 @@
 ---
 firewall: []
+firewall_disable_conflicting_services: false
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -2,6 +2,43 @@
 - name: Setup firewalld
   include_tasks: firewalld.yml
 
+- name: Collect service facts
+  service_facts:
+  when: firewall_disable_conflicting_services | bool
+
+- name: Attempt to stop and disable conflicting services
+  service:
+    name: "{{ item }}"
+    state: stopped
+    enabled: false
+  loop: "{{ __firewall_conflicting_services }}"
+  when:
+    - firewall_disable_conflicting_services | bool
+    - (
+        ansible_facts.service_mgr == "systemd" and
+        item + ".service" | string in ansible_facts.services
+      )
+        or
+      (
+        ansible_facts.service_mgr != "systemd" and
+        item | string in ansible_facts.services
+      )
+    - (
+        ansible_facts.service_mgr == "systemd" and
+        ansible_facts.services[item + ".service"]["status"] == "enabled"
+      )
+        or
+      (
+        ansible_facts.service_mgr != "systemd" and
+        ansible_facts.services[item]["status"] == "enabled"
+      )
+
+- name: Unmask firewalld service
+  systemd:
+    name: "{{ __firewall_service }}"
+    masked: false
+  when: ansible_facts.service_mgr == "systemd"
+
 - name: Enable and start firewalld service
   service:
     name: "{{ __firewall_service }}"

diff --git a/tests/tests_default.yml b/tests/tests_default.yml
@@ -2,5 +2,35 @@
 - name: Ensure that the roles runs with default parameters
   hosts: all
   gather_facts: false
-  roles:
-    - linux-system-roles.firewall
+  tasks:
+    - name: Attempt to run role with default parameters (1)
+      include_role:
+        name: linux-system-roles.firewall
+
+    - name: Mask firewalld
+      systemd:
+        name: firewalld
+        masked: true
+
+    - name: Attempt to run role with default parameters (2)
+      include_role:
+        name: linux-system-roles.firewall
+
+    - name: Enable conflicting service
+      service:
+        name: nftables
+        enabled: true
+
+    - name: Attempt to run role with default parameters (3)
+      include_role:
+        name: linux-system-roles.firewall
+      vars:
+        firewall_disable_conflicting_services: true
+
+    - name: Check that conflicting service is disabled
+      service:
+        name: nftables
+        enabled: false
+      check_mode: true
+      register: result
+      failed_when: result.changed
diff --git a/vars/main.yml b/vars/main.yml
@@ -6,7 +6,13 @@ __firewall_firewalld_conf: "{{ __firewall_firewalld_dir }}/firewalld.conf"
 __firewall_required_facts:
   - python_interpreter
   - python_version
+  - service_mgr
 
 __firewall_packages_base: [firewalld]
 
 __firewall_service: firewalld
+
+__firewall_conflicting_services:
+  - nftables
+  - iptables
+  - ufw