From 6635b8391137ab84e1f9199f880b8282fab74625 Mon Sep 17 00:00:00 2001
From: Evert Hessel <evert@everthessel.nl>
Date: Sun, 30 Jan 2022 12:22:57 +0100
Subject: [PATCH] Integration test: ensure forwarding start disabled
 Integration test: verify error message if firewalld<0.9.0 Added changelog
 fragment

---
 .../320_firewalld_intra_zone_forwarding.yml   |   4 +
 .../firewalld/tasks/forward_test_cases.yml    | 115 ++++++++++++------
 2 files changed, 79 insertions(+), 40 deletions(-)
 create mode 100644 changelogs/fragments/320_firewalld_intra_zone_forwarding.yml

diff --git a/changelogs/fragments/320_firewalld_intra_zone_forwarding.yml b/changelogs/fragments/320_firewalld_intra_zone_forwarding.yml
new file mode 100644
index 0000000..b707262
--- /dev/null
+++ b/changelogs/fragments/320_firewalld_intra_zone_forwarding.yml
@@ -0,0 +1,4 @@
+---
+minor_changes:
+- firewalld - Added parameter ``forward`` to support enabling/disabling intra-zone 
+  forwarding.
diff --git a/tests/integration/targets/firewalld/tasks/forward_test_cases.yml b/tests/integration/targets/firewalld/tasks/forward_test_cases.yml
index 00b8939..c8b8d62 100644
--- a/tests/integration/targets/firewalld/tasks/forward_test_cases.yml
+++ b/tests/integration/targets/firewalld/tasks/forward_test_cases.yml
@@ -2,50 +2,85 @@
 # (c) 2017, Adam Miller <admiller@redhat.com>
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 
-- name: firewalld forward test permanent enabled
-  firewalld:
-    forward: yes
-    permanent: true
-    state: enabled
-  register: result
+- name: query firewalld version
+  package_facts:
 
-- name: assert firewalld forward test permanent enabled worked
-  assert:
-    that:
-    - result is changed
+- name: run tests if intra zone forwarding is supported
+  block:
 
-- name: firewalld forward test permanent enabled rerun (verify not changed)
-  firewalld:
-    forward: yes
-    permanent: true
-    state: enabled
-  register: result
+  # Starting with firewalld 1.0.0 intra-zone forwarding is enabled by default.
+  # Ensure it is disabled before starting our tests.
+  - name: ensure forwarding starts disabled
+    firewalld:
+      forward: yes
+      permanent: true
+      state: disabled
 
-- name: assert firewalld forward test permanent enabled rerun worked (verify not changed)
-  assert:
-    that:
-    - result is not changed
+  - name: firewalld forward test permanent enabled
+    firewalld:
+      forward: yes
+      permanent: true
+      state: enabled
+    register: result
 
-- name: firewalld forward test permanent disabled
-  firewalld:
-    forward: no
-    permanent: true
-    state: disabled
-  register: result
+  - name: assert firewalld forward test permanent enabled worked
+    assert:
+      that:
+      - result is changed
 
-- name: assert firewalld forward test permanent disabled worked
-  assert:
-    that:
-    - result is changed
+  - name: firewalld forward test permanent enabled rerun (verify not changed)
+    firewalld:
+      forward: yes
+      permanent: true
+      state: enabled
+    register: result
 
-- name: firewalld forward test permanent disabled rerun (verify not changed)
-  firewalld:
-    forward: no
-    permanent: true
-    state: disabled
-  register: result
+  - name: assert firewalld forward test permanent enabled rerun worked (verify not changed)
+    assert:
+      that:
+      - result is not changed
 
-- name: assert firewalld forward test permanent disabled rerun worked (verify not changed)
-  assert:
-    that:
-    - result is not changed
+  - name: firewalld forward test permanent disabled
+    firewalld:
+      forward: no
+      permanent: true
+      state: disabled
+    register: result
+
+  - name: assert firewalld forward test permanent disabled worked
+    assert:
+      that:
+      - result is changed
+
+  - name: firewalld forward test permanent disabled rerun (verify not changed)
+    firewalld:
+      forward: no
+      permanent: true
+      state: disabled
+    register: result
+
+  - name: assert firewalld forward test permanent disabled rerun worked (verify not changed)
+    assert:
+      that:
+      - result is not changed
+
+  when: ansible_facts.packages.firewalld[0].version is version('0.9.0', '>=')
+
+- name: run tests if intra zone forwarding is not supported
+  block:
+
+  - name: try to enable intra zone forwarding
+    firewalld:
+      forward: yes
+      permanent: yes
+      state: enabled
+    ignore_errors: yes
+    register: result
+
+  - name: assert unsupported firewalld version
+    assert:
+      that:
+      - result is failed
+      - "'Intra zone forwarding requires firewalld>=0.9.0. Current version is' in result.msg"
+
+  when: ansible_facts.packages.firewalld[0].version is version('0.9.0', '<')
\ No newline at end of file