Support for setting the default firewalld zone #296

jwatt opened this issue Nov 20, 2021 · 3 comments
Labels
feature This issue/PR relates to a feature request. verified This issue has been verified/reproduced by maintainer waiting_on_contributor Needs help. Feel free to engage to get things unblocked

Comments

@jwatt

jwatt commented Nov 20, 2021

SUMMARY

Unless I'm missing something in the docs for the firewalld module, it is possible to create zones but not to set the default zone. I guess this can be worked around by using a command with firewall-cmd --set-default-zone=<zone> but it would be cleaner if the firewalld module supported this.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

ansible.posix.firewalld

ADDITIONAL INFORMATION

I'd like to use ansible to create a new zone and set it as the default.

@saito-hideki saito-hideki added feature This issue/PR relates to a feature request. needs_triage Needs a first human triage before being processed. verified This issue has been verified/reproduced by maintainer waiting_on_contributor Needs help. Feel free to engage to get things unblocked and removed needs_triage Needs a first human triage before being processed. labels Nov 22, 2021
@saito-hideki
Collaborator

@jwatt indeed. thank you for the feature request! :)

@nodiscc

nodiscc commented Dec 11, 2021

The correct solution to this is probably to edit the main firewalld.conf configuration file, since the default zone is explicitly defined in this file:

$ sudo head -n6 /etc/firewalld/firewalld.conf
# firewalld config file

# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=public

I don't think this should be handled by the firewalld module. template or lineinfile are sufficient.

@gnfzdz
Contributor

gnfzdz commented Dec 14, 2022

@jwatt @saito-hideki This should be pretty trivial to implement so I'm open to raising a pull request. Even ignoring the simple alternative mentioned by @nodiscc though, there are a few quirks that give me pause.

  1. At least with firewall-cmd, the change appears to be applied both immediately and permanently, regardless of whether the --permanent argument is actually passed. Assuming that's a fundamental limitation of the underlying firewalld python library (which I haven't confirmed yet), we could guard against misuse here by returning an error if an invalid combination of immediate/permanent is actually passed. The same pattern is currently used when adding/removing a zone.
  2. More importantly, I'm not sure there's an obvious api for this feature that feels consistent with the rest of the module. Assuming state remains a required parameter, how should the negative values be interpreted?

Options for the positive case seem pretty straightforward

- ansible.posix.firewalld:
    zone: custom
    default: True
    state: enabled

- ansible.posix.firewalld:
    default_zone: custom
    state: enabled

But if default zone is already 'custom', how should these cases behave?

One option would be to switch back to the upstream default (public). Alternatively, the negative cases could just be ignored (and documented accordingly).

- ansible.posix.firewalld:
    zone: custom
    default: True
    state: disabled

- ansible.posix.firewalld:
    zone: custom
    default: False
    state: enabled

- ansible.posix.firewalld:
    default_zone: custom
    state: disabled
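The two approaches discussed above (editing DefaultZone in firewalld.conf the way lineinfile would, and failing on an immediate/permanent combination that the default-zone change cannot honour) as one added example. This is illustration code written for this page, not code from ansible.posix or from any of the commenters; the function names, the regular expressions and the sample configuration text are assumptions made here. It reads and rewrites configuration text only, so it runs offline without firewalld installed.

```python
"""
Idempotent DefaultZone editing for firewalld.conf, plus a guard for the
immediate/permanent combination. Added example, not ansible.posix code;
function names, patterns and sample config are assumptions for illustration.
"""
import re

# Conservative character set for zone names (assumption for this example).
# Besides catching typos, it stops a caller from smuggling a newline into the
# value, which with a naive lineinfile/template edit would append an unrelated
# directive to firewalld.conf.
ZONE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Only an uncommented key at the start of a line counts; "# Default: public"
# in the file header and commented-out keys are left alone.
DEFAULT_ZONE_RE = re.compile(r"^DefaultZone=(.*)$", re.MULTILINE)

# Constructed sample, modelled on the head of /etc/firewalld/firewalld.conf
# quoted in the thread (not copied from a real host).
SAMPLE_CONF = """# firewalld config file

# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=public

# Clean up on exit
CleanupOnExit=yes
"""


def current_default_zone(conf_text):
    """Return the active DefaultZone value, or None if the key is absent."""
    m = DEFAULT_ZONE_RE.search(conf_text)
    return m.group(1).strip() if m else None


def set_default_zone(conf_text, zone, known_zones):
    """
    Return (new_text, changed), the way a lineinfile task with
    regexp='^DefaultZone=' would behave, but refuse unknown or malformed
    zone names so a typo cannot leave the host with a default zone that
    does not exist.
    """
    if not ZONE_NAME_RE.match(zone):
        raise ValueError("invalid zone name: %r" % zone)
    if zone not in known_zones:
        raise ValueError("zone %r does not exist; create it first" % zone)
    if current_default_zone(conf_text) == zone:
        return conf_text, False          # already correct: no change reported
    new_line = "DefaultZone=%s" % zone
    if DEFAULT_ZONE_RE.search(conf_text):
        new_text = DEFAULT_ZONE_RE.sub(new_line, conf_text, count=1)
    else:
        # Key missing entirely: append it, keeping the file newline-terminated.
        sep = "" if (not conf_text or conf_text.endswith("\n")) else "\n"
        new_text = conf_text + sep + new_line + "\n"
    return new_text, True


def check_default_zone_scope(permanent, immediate):
    """
    The thread notes that firewall-cmd --set-default-zone changes the running
    and the permanent configuration at once, so a request for only one of
    them cannot be honoured. Fail loudly rather than silently doing more than
    the caller asked for (same idea as the existing add/remove zone guard).
    """
    if not (permanent and immediate):
        raise ValueError(
            "the default zone is always changed both permanently and "
            "immediately; set permanent=True and immediate=True"
        )
    return True


if __name__ == "__main__":
    zones = {"public", "custom"}
    check_default_zone_scope(permanent=True, immediate=True)
    text, changed = set_default_zone(SAMPLE_CONF, "custom", zones)
    print("changed:", changed, "default zone now:", current_default_zone(text))
    text, changed = set_default_zone(text, "custom", zones)
    print("second run changed:", changed)
```

The equivalent playbook task is `ansible.builtin.lineinfile` on /etc/firewalld/firewalld.conf with `regexp: '^DefaultZone='` and `line: 'DefaultZone=custom'`, with a handler that reloads firewalld so the runtime default follows the file; the validation step above is the part a plain lineinfile task does not give you, because it will happily write any string it is handed.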
