fixes to better deal with gce image defaults

- remove exception if INPUT rules are not found, gce centos-7 image is stripped of
  default rules
- ignore_errors for systemctl mask operation, fails with permission denied on
  gce centos-7 image.

roles/os_firewall/library/os_firewall_manage_iptables.py

@@ -150,17 +150,10 @@ class IpTablesManager:
                             continue
                         last_rule_target = rule[1]
 
-                # Raise an exception if we do not find a valid rule
-                if not last_rule_num or not last_rule_target:
-                   raise IpTablesCreateJumpRuleError(
-                        chain=self.chain,
-                        msg="Failed to find existing %s rules" % self.jump_rule_chain,
-                        cmd=None, exit_code=None, output=None)
-
                 # Naively assume that if the last row is a REJECT rule, then
                 # we can add insert our rule right before it, otherwise we
                 # assume that we can just append the rule.
-                if last_rule_target == 'REJECT':
+                if last_rule_num and last_rule_target and last_rule_target == 'REJECT':
                     # insert rule
                     cmd = self.cmd + ['-I', self.jump_rule_chain, str(last_rule_num)]
                 else:

roles/os_firewall/tasks/firewall/firewalld.yml

@@ -44,6 +44,7 @@
   - iptables
   - ip6tables
   when: pkg_check.rc == 0
+  ignore_errors: yes
 
 # TODO: Ansible 1.9 will eliminate the need for separate firewalld tasks for
 # enabling rules and making them permanent with the immediate flag

roles/os_firewall/tasks/firewall/iptables.yml

@@ -42,6 +42,7 @@
   register: result
   changed_when: "'firewalld' in result.stdout"
   when: pkg_check.rc == 0
+  ignore_errors: yes
 
 - name: Add iptables allow rules
   os_firewall_manage_iptables: