okd/roles/os_firewall/tasks/firewall/firewalld.yml

---
- name: Install firewalld packages
  package:
    name: firewalld
    state: present

- name: Ensure iptables services are not enabled
  systemd:
    name: "{{ item }}"
    state: stopped
    enabled: no
    masked: yes
  with_items:
    - iptables
    - ip6tables
  register: task_result
  failed_when: task_result|failed and 'could not' not in task_result.msg|lower

- name: Wait 10 seconds after disabling iptables
  pause:
    seconds: 10
  when: task_result | changed

- name: Start and enable firewalld service
  systemd:
    name: firewalld
    state: started
    enabled: yes
    masked: no
    daemon_reload: yes
  register: result

- name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail
  pause: seconds=10
  when: result | changed

- name: Restart polkitd
  systemd:
    name: polkit
    state: restarted
  when: result | changed

# Fix suspected race between firewalld and polkit BZ1436964
- name: Wait for polkit action to have been created
  command: pkaction --action-id=org.fedoraproject.FirewallD1.config.info
  ignore_errors: true
  register: pkaction
  changed_when: false
  until: pkaction.rc == 0
  retries: 6
  delay: 10

- name: Add firewalld allow rules
  firewalld:
    port: "{{ item.port }}"
    permanent: true
    immediate: true
    state: enabled
  with_items: "{{ os_firewall_allow }}"

- name: Remove firewalld allow rules
  firewalld:
    port: "{{ item.port }}"
    permanent: true
    immediate: true
    state: disabled
  with_items: "{{ os_firewall_deny }}"