
Check and unmask iptables/firewalld.

Andrew Butcher 9 years ago
parent
commit
404cf230da

+ 12 - 0
roles/os_firewall/tasks/firewall/firewalld.yml

@@ -24,6 +24,18 @@
   command: systemctl daemon-reload
   when: install_result | changed
 
+- name: Determine if firewalld service masked
+  command: >
+    systemctl is-enabled firewalld
+  register: os_firewall_firewalld_masked_output
+  changed_when: false
+  failed_when: false
+
+- name: Unmask firewalld service
+  command: >
+    systemctl unmask firewalld
+  when: os_firewall_firewalld_masked_output.stdout == "masked"
+
 - name: Start and enable firewalld service
   service:
     name: firewalld
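Review bot: `failed_when: false` on the "Determine if firewalld service masked" probe discards every failure, so a host where the query itself breaks looks the same as one where firewalld is simply not masked, and the unmask is skipped silently. Ignoring the return code is understandable because `systemctl is-enabled` exits non-zero for disabled and masked units, but that reasoning should be recorded, e.g. `# is-enabled exits non-zero for disabled/masked units; only stdout is inspected`. The exact comparison `stdout == "masked"` would also miss a unit that reports `masked-runtime`, if that state can occur on the target hosts. The same two points apply to the iptables/ip6tables probe in roles/os_firewall/tasks/firewall/iptables.yml. A mask is often a deliberate way to keep two firewall managers from both loading rules, and nothing visible here shows the competing service being stopped first; the "Start and enable firewalld service" task continues past the end of the hunk.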

+ 18 - 0
roles/os_firewall/tasks/firewall/iptables.yml

@@ -32,6 +32,24 @@
   command: systemctl daemon-reload
   when: install_result | changed
 
+- name: Determine if iptables service masked
+  command: >
+    systemctl is-enabled {{ item }}
+  with_items:
+  - iptables
+  - ip6tables
+  register: os_firewall_iptables_masked_output
+  changed_when: false
+  failed_when: false
+
+- name: Unmask iptables service
+  command: >
+    systemctl unmask {{ item }}
+  with_items:
+  - iptables
+  - ip6tables
+  when: "'masked' in os_firewall_iptables_masked_output.results | map(attribute='stdout')"
+
 - name: Start and enable iptables service
   service:
     name: iptables
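Review bot: The `when` on "Unmask iptables service" is evaluated once per loop item but tests the whole registered result list, so a mask on only one of iptables/ip6tables makes the task run `systemctl unmask` for both and report a change for the unit that was never masked. Looping over the registered results ties each decision to its own unit: `with_items: "{{ os_firewall_iptables_masked_output.results }}"`, `command: systemctl unmask {{ item.item }}` and `when: item.stdout == "masked"`. That also removes the reliance on `in` being applied to the output of `map`, which is easy to misread. The "Start and enable iptables service" task continues past the end of the hunk, so whether ip6tables is started as well cannot be seen from here.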