ansible.posix

Masquerade and Icmp-Block Inversion get enabled when string is set to no

Open vrindle opened this issue 2 years ago • 2 comments

SUMMARY

ICMP block inversion and masquerade are string types, which means any string will enable them. If we update the ICMP block inversion and masquerade schemas to boolean values, this could break many playbooks.

ISSUE TYPE
  • Bug Report
COMPONENT NAME
ANSIBLE VERSION
ansible [core 2.12.0.dev0] (devel 767b2f07b0) last updated 2021/07/27 19:55:15 (GMT -400)
COLLECTION VERSION
1ebacfb195b000ee7f0478a8a1ea040c995eb249
CONFIGURATION
n/a
OS / ENVIRONMENT
STEPS TO REPRODUCE
- ansible.posix.firewalld:
    zone: drop
    state: enabled
    permanent: yes
    icmp_block_inversion: no

EXPECTED RESULTS

ICMP block inversion should be set to no.

ACTUAL RESULTS

ICMP block inversion is set to yes.

vrindle, Jul 29 '21 14:07

@vrindle Thanks for reporting this issue.

Akasurde, Jul 30 '21 04:07

Is there any fix to this at all? I notice that when setting masquerade and ICMP block inversion, the value for each is completely ignored if set to 'no' and is set based on whether or not "state" is equal to "enabled" or "disabled". This is definitely not expected and caused considerable head scratching when using the firewalld module.

This sets masquerade to yes:

- ansible.posix.firewalld:
    zone: drop
    masquerade: 'no'
    state: enabled
    permanent: yes

This sets masquerade to no (I can kind of understand this one as you are disabling the setting and setting it back to the default):

- ansible.posix.firewalld:
    zone: drop
    masquerade: 'yes'
    state: disabled
    permanent: yes

I can work around this, but it leaves a yucky taste where I have to try and anticipate the module version being used (or fix it to an old module version).

mo-markcrossland, Sep 27 '22 22:09
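
A lint for the behaviour reported in this thread, as an added example that is not part of the issue or of the collection's code: it flags firewalld tasks where the written value of masquerade or icmp_block_inversion disagrees with what `state` would apply. The helper names, the accepted boolean words and the sample tasks are assumptions constructed for illustration.

```python
# Assumption taken from the thread: when masquerade / icmp_block_inversion is
# present, the applied setting follows `state` rather than the written value.
TRUE_WORDS = {"yes", "true", "on", "1", "y"}
FALSE_WORDS = {"no", "false", "off", "0", "n"}
AFFECTED = ("masquerade", "icmp_block_inversion")
MODULES = ("ansible.posix.firewalld", "firewalld")


def intent(value):
    """Return what the playbook author meant (True/False), or None if unclear."""
    if isinstance(value, bool):
        return value
    word = str(value).strip().lower()
    if word in TRUE_WORDS:
        return True
    if word in FALSE_WORDS:
        return False
    return None


def audit(tasks):
    """Return (task_index, option, written_value, applied) for each mismatch."""
    findings = []
    for index, task in enumerate(tasks):
        args = next((task[m] for m in MODULES if m in task), None)
        if not isinstance(args, dict):
            continue  # not a firewalld task
        applied = args.get("state") == "enabled"
        for option in AFFECTED:
            # An unclear value (intent is None) is reported as well.
            if option in args and intent(args[option]) is not applied:
                findings.append((index, option, args[option], applied))
    return findings


# Constructed sample: tasks as they look after YAML loading (unquoted no -> False).
SAMPLE_TASKS = [
    {"ansible.posix.firewalld": {"zone": "drop", "state": "enabled",
                                 "permanent": True, "icmp_block_inversion": False}},
    {"ansible.posix.firewalld": {"zone": "drop", "masquerade": "no",
                                 "state": "enabled", "permanent": True}},
    {"ansible.posix.firewalld": {"zone": "drop", "masquerade": "yes",
                                 "state": "disabled", "permanent": True}},
    {"ansible.posix.firewalld": {"zone": "drop", "masquerade": "yes",
                                 "state": "enabled", "permanent": True}},
    {"ansible.builtin.debug": {"msg": "not a firewalld task"}},
]

if __name__ == "__main__":
    for index, option, written, applied in audit(SAMPLE_TASKS):
        print(f"task {index}: {option}={written!r} but state applies {applied}")
```
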