fix: unmask firewalld on run, disable conflicting services

README.md

@@ -3,6 +3,10 @@ firewall
 ![CI Testing](https://github.com/linux-system-roles/firewall/workflows/tox/badge.svg)
 
 This role configures the firewall on machines that are using firewalld.
+If firewalld is not in use, the role will install (if not already installed),
+unmask, and enable firewalld.
+
+The role can also attempt to disable known conflicting services.
 
 For the configuration the role uses the firewalld client interface
 which is available in RHEL-7 and later.
@@ -196,6 +200,29 @@ permanent change was made to each setting:
 Variables
 ---------
 
+## firewall_disable_conflicting_services
+
+By default, the firewall role does not attempt to disable conflicting services due to the
+overhead associated with enumerating the services when disabling services is potentially unecessary.
+To enable this feature, set the variable `firewall_disable_conflicting_services` to `true`:
+
+```yaml
+- name: Enable firewalld, disable conflicting services
+  include_role: linux-system-roles.firewall
+  vars:
+    firewall_disable_conflicting_services: true
+```
+
+List of known conflicting services:
+- iptables
+- nftables
+- ufw
+
+Please submit a GitHub issue at the linux-system-roles/firewall there are services missing or
+add it locally to `vars/main.yml`.
+
+## firewall
+
 The firewall role uses the variable `firewall` to specify the parameters.  This variable is a `list` of `dict` values.  Each `dict` value is comprised of one or more keys listed below. These are the variables that can be passed to the role:
 
 ### set_default_zone

defaults/main.yml

@@ -1,2 +1,3 @@
 ---
 firewall: []
+firewall_disable_conflicting_services: false

tasks/main.yml

@@ -2,6 +2,30 @@
 - name: Setup firewalld
   include_tasks: firewalld.yml
 
+- name: Collect service facts
+  service_facts:
+  when: firewall_disable_conflicting_services | bool
+
+- name: Attempt to stop and disable conflicting services
+  service:
+    name: "{{ item }}"
+    state: stopped
+    enabled: false
+  loop: "{{ __firewall_conflicting_services }}"
+  vars:
+    __service_name: "{{ (ansible_facts.service_mgr == 'systemd') |
+      ternary(item ~ '.service', item) }}"
+  when:
+    - firewall_disable_conflicting_services | bool
+    - __service_name | string in ansible_facts.services
+    - ansible_facts.services[__service_name]["status"] == "enabled"
+
+- name: Unmask firewalld service
+  systemd:
+    name: "{{ __firewall_service }}"
+    masked: false
+  when: ansible_facts.service_mgr == "systemd"
+
 - name: Enable and start firewalld service
   service:
     name: "{{ __firewall_service }}"

tests/tests_startup_conflicts.yml

@@ -0,0 +1,41 @@
+---
+- name: Ensure role handles startup issues
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: Attempt to run role with default parameters (1)
+      include_role:
+        name: linux-system-roles.firewall
+
+    - name: Mask firewalld
+      systemd:
+        name: firewalld
+        masked: true
+
+    - name: Attempt to run role with default parameters (2)
+      include_role:
+        name: linux-system-roles.firewall
+
+    - name: Install conflicting service
+      package:
+        name: nftables
+        state: present
+
+    - name: Enable conflicting service
+      service:
+        name: nftables
+        enabled: true
+
+    - name: Attempt to run role, disabling conflicting services
+      include_role:
+        name: linux-system-roles.firewall
+      vars:
+        firewall_disable_conflicting_services: true
+
+    - name: Check that conflicting service is disabled
+      service:
+        name: nftables
+        enabled: false
+      check_mode: true
+      register: result
+      failed_when: result.changed

vars/main.yml

@@ -6,7 +6,13 @@ __firewall_firewalld_conf: "{{ __firewall_firewalld_dir }}/firewalld.conf"
 __firewall_required_facts:
   - python_interpreter
   - python_version
+  - service_mgr
 
 __firewall_packages_base: [firewalld]
 
 __firewall_service: firewalld
+
+__firewall_conflicting_services:
+  - nftables
+  - iptables
+  - ufw