okd/roles/container_runtime/tasks/crio_firewall.yml

---
- when: r_crio_firewall_enabled | bool and not r_crio_use_firewalld | bool
  block:
  - name: Make sure iptables-services is installed
    package:
      name: iptables-services
      state: present

  - name: Add iptables allow rules
    os_firewall_manage_iptables:
      name: "{{ item.service }}"
      action: add
      protocol: "{{ item.port.split('/')[1] }}"
      port: "{{ item.port.split('/')[0] }}"
    when: item.cond | default(True)
    with_items: "{{ r_crio_os_firewall_allow }}"

  - name: Remove iptables rules
    os_firewall_manage_iptables:
      name: "{{ item.service }}"
      action: remove
      protocol: "{{ item.port.split('/')[1] }}"
      port: "{{ item.port.split('/')[0] }}"
    when: item.cond | default(True)
    with_items: "{{ r_crio_os_firewall_deny }}"

- when: r_crio_firewall_enabled | bool and r_crio_use_firewalld | bool
  block:
  - name: Add firewalld allow rules
    firewalld:
      port: "{{ item.port }}"
      permanent: true
      immediate: true
      state: enabled
    when: item.cond | default(True)
    with_items: "{{ r_crio_os_firewall_allow }}"

  - name: Remove firewalld allow rules
    firewalld:
      port: "{{ item.port }}"
      permanent: true
      immediate: true
      state: disabled
    when: item.cond | default(True)
    with_items: "{{ r_crio_os_firewall_deny }}"