From ee9df947629c1e7f644e403aa0a556d3b679cf93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rob=C3=A9rt=20S=2E=20Guhr?= <20595746+rsguhr@users.noreply.github.com>
Date: Tue, 14 Feb 2023 23:20:47 +0100
Subject: [PATCH 1/5] Add support for protocol parameter
---
 .../fragments/xxx-add-protocol-parameter.yml | 2 +
 plugins/modules/firewalld.py | 73 ++++++++++++++++++-
 2 files changed, 73 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/fragments/xxx-add-protocol-parameter.yml
diff --git a/changelogs/fragments/xxx-add-protocol-parameter.yml b/changelogs/fragments/xxx-add-protocol-parameter.yml
new file mode 100644
index 0000000..ad78cea
--- /dev/null
+++ b/changelogs/fragments/xxx-add-protocol-parameter.yml
@@ -0,0 +1,2 @@
+minor_changes:
+- firewalld - add `protocol` parameter
diff --git a/plugins/modules/firewalld.py b/plugins/modules/firewalld.py
index 52a2a5a..765e575 100644
--- a/plugins/modules/firewalld.py
+++ b/plugins/modules/firewalld.py
@@ -19,6 +19,10 @@ options:
 - Name of a service to add/remove to/from firewalld.
 - The service must be listed in output of firewall-cmd --get-services.
 type: str
+ protocol:
+ description:
+ - Name of a protocol to add/remove to/from firewalld.
+ type: str
 port:
 description:
 - Name of a port or port range to add/remove to/from firewalld.
@@ -144,6 +148,12 @@ EXAMPLES = r'''
 permanent: true
 state: enabled

+- name: permit ospf traffic
+ ansible.posix.firewalld:
+ protocol: ospf
+ permanent: true
+ state: enabled
+
 - name: do not permit traffic in default zone on port 8081/tcp
 ansible.posix.firewalld:
 port: 8081/tcp
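Review bot: The new `protocol` option in the first firewalld.py hunk is documented only as "Name of a protocol to add/remove to/from firewalld" and carries no `version_added`, which Ansible module docs expect on an option introduced after the module's first release. The description should also say what the value is and what enabling it does, because a protocol entry admits every packet of that IP protocol in the zone regardless of port, and firewalld checks the name against the system protocol table (/etc/protocols). Proposed description lines: `- Name of an IP protocol (as listed in /etc/protocols) to add/remove to/from firewalld.` and `- Enabling a protocol permits all traffic of that protocol in the zone, independent of any port.`, plus a `version_added` set to the next collection release (PLACEHOLDER-NEXT-VERSION).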
@@ -343,6 +353,47 @@ class ServiceTransaction(FirewallTransaction):
 self.update_fw_settings(fw_zone, fw_settings)


+class ProtocolTransaction(FirewallTransaction):
+ """
+ ProtocolTransaction
+ """
+
+ def __init__(self, module, action_args=None, zone=None, desired_state=None, permanent=False, immediate=False):
+ super(ProtocolTransaction, self).__init__(
+ module, action_args=action_args, desired_state=desired_state, zone=zone, permanent=permanent, immediate=immediate
+ )
+
+ def get_enabled_immediate(self, protocol, timeout):
+ if protocol in self.fw.getProtocols(self.zone):
+ return True
+ else:
+ return False
+
+ def get_enabled_permanent(self, protocol, timeout):
+ fw_zone, fw_settings = self.get_fw_zone_settings()
+
+ if protocol in fw_settings.getProtocols():
+ return True
+ else:
+ return False
+
+ def set_enabled_immediate(self, protocol, timeout):
+ self.fw.addProtocol(self.zone, protocol, timeout)
+
+ def set_enabled_permanent(self, protocol, timeout):
+ fw_zone, fw_settings = self.get_fw_zone_settings()
+ fw_settings.addProtocol(protocol)
+ self.update_fw_settings(fw_zone, fw_settings)
+
+ def set_disabled_immediate(self, protocol, timeout):
+ self.fw.removeProtocol(self.zone, protocol)
+
+ def set_disabled_permanent(self, protocol, timeout):
+ fw_zone, fw_settings = self.get_fw_zone_settings()
+ fw_settings.removeProtocol(protocol)
+ self.update_fw_settings(fw_zone, fw_settings)
+
+
 class MasqueradeTransaction(FirewallTransaction):
 """
 MasqueradeTransaction
@@ -748,6 +799,7 @@ def main():
 icmp_block=dict(type='str'),
 icmp_block_inversion=dict(type='str'),
 service=dict(type='str'),
+ protocol=dict(type='str'),
 port=dict(type='str'),
 port_forward=dict(type='list', elements='dict'),
 rich_rule=dict(type='str'),
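Review bot: The ProtocolTransaction docstring at the top of the hunk is just the class name, and get_enabled_immediate/get_enabled_permanent spell out `if ...: return True else: return False` where the membership test already is the boolean; `return protocol in self.fw.getProtocols(self.zone)` and `return protocol in fw_settings.getProtocols()` say the same in one line each. The docstring could read "Add or remove an IP protocol from a firewalld zone, at runtime and/or in the permanent configuration." Every method accepts `timeout` but only set_enabled_immediate forwards it, so a permanent or removal call silently ignores a timeout; if that mirrors the sibling Transaction classes (outside this hunk) it is fine, but a one-line comment on set_enabled_permanent saying `# timeout only applies to the runtime configuration` would save the next reader a check.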
@@ -769,7 +821,7 @@ def main():
 source=('permanent',),
 ),
 mutually_exclusive=[
- ['icmp_block', 'icmp_block_inversion', 'service', 'port', 'port_forward', 'rich_rule',
+ ['icmp_block', 'icmp_block_inversion', 'service', 'protocol' 'port', 'port_forward', 'rich_rule',
 'interface', 'masquerade', 'source', 'target']
 ],
 )
@@ -798,6 +850,7 @@ def main():
 icmp_block = module.params['icmp_block']
 icmp_block_inversion = module.params['icmp_block_inversion']
 service = module.params['service']
+ protocol = module.params['protocol']
 rich_rule = module.params['rich_rule']
 source = module.params['source']
 zone = module.params['zone']
@@ -829,7 +882,7 @@ def main():
 port_forward_toaddr = port_forward['toaddr']

 modification = False
- if any([icmp_block, icmp_block_inversion, service, port, port_forward, rich_rule,
+ if any([icmp_block, icmp_block_inversion, service, protocol, port, port_forward, rich_rule,
 interface, masquerade, source, target]):
 modification = True
 if modification and desired_state in ['absent', 'present'] and target is None:
@@ -893,6 +946,22 @@ def main():
 if changed is True:
 msgs.append("Changed service %s to %s" % (service, desired_state))

+ if protocol is not None:
+
+ transaction = ProtocolTransaction(
+ module,
+ action_args=(protocol, timeout),
+ zone=zone,
+ desired_state=desired_state,
+ permanent=permanent,
+ immediate=immediate,
+ )
+
+ changed, transaction_msgs = transaction.run()
+ msgs = msgs + transaction_msgs
+ if changed is True:
+ msgs.append("Changed protocol %s to %s" % (protocol, desired_state))
+
 if source is not None:
+
 transaction = SourceTransaction(
From a9920ae1898f134d4f6fb4187e086a155c0abcbd Mon Sep 17 00:00:00 2001
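Review bot: In the last hunk the protocol value goes straight into ProtocolTransaction with no validation in main(); firewalld itself presumably rejects names it does not know, but whether that error reaches the user as a clear module failure rather than an unchanged result depends on FirewallTransaction.run, which is outside this hunk, so confirm it and cover a misspelled protocol with a negative test. `if changed is True:` copies the service block above; `if changed:` is the idiomatic form and could be aligned in both places. main() begins and ends outside these hunks.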
From: =?UTF-8?q?Rob=C3=A9rt=20S=2E=20Guhr?= <20595746+rsguhr@users.noreply.github.com>
Date: Tue, 14 Feb 2023 23:26:44 +0100
Subject: [PATCH 2/5] Changed changelog file name
---
 ...-add-protocol-parameter.yml => 417-add-protocol-parameter.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename changelogs/fragments/{xxx-add-protocol-parameter.yml => 417-add-protocol-parameter.yml} (100%)
diff --git a/changelogs/fragments/xxx-add-protocol-parameter.yml b/changelogs/fragments/417-add-protocol-parameter.yml
similarity index 100%
rename from changelogs/fragments/xxx-add-protocol-parameter.yml
rename to changelogs/fragments/417-add-protocol-parameter.yml
From b2f053a856dc4dddddad45a1d16e320726593c6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rob=C3=A9rt=20S=2E=20Guhr?= <20595746+rsguhr@users.noreply.github.com>
Date: Tue, 14 Feb 2023 23:39:17 +0100
Subject: [PATCH 3/5] Adjust assert for firewalld source test permanent
---
 tests/integration/targets/firewalld/tasks/source_test_cases.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/integration/targets/firewalld/tasks/source_test_cases.yml b/tests/integration/targets/firewalld/tasks/source_test_cases.yml
index 172a47e..4bc8b65 100644
--- a/tests/integration/targets/firewalld/tasks/source_test_cases.yml
+++ b/tests/integration/targets/firewalld/tasks/source_test_cases.yml
@@ -82,4 +82,4 @@
 assert:
 that:
 - result is not changed
- - "result.msg == 'parameters are mutually exclusive: icmp_block|icmp_block_inversion|service|port|port_forward|rich_rule|interface|masquerade|source|target'"
+ - "result.msg == 'parameters are mutually exclusive: icmp_block|icmp_block_inversion|service|protocol|port|port_forward|rich_rule|interface|masquerade|source|target'"
From 2ac6fbb84bcf85333786ae1c389c227a17174b0a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rob=C3=A9rt=20S=2E=20Guhr?= <20595746+rsguhr@users.noreply.github.com>
Date: Wed, 15 Feb 2023 00:26:57 +0100
Subject: [PATCH 4/5] added forgotten comma
---
 plugins/modules/firewalld.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/modules/firewalld.py b/plugins/modules/firewalld.py
index 765e575..79c1440 100644
--- a/plugins/modules/firewalld.py
+++ b/plugins/modules/firewalld.py
@@ -821,7 +821,7 @@ def main():
 source=('permanent',),
 ),
 mutually_exclusive=[
- ['icmp_block', 'icmp_block_inversion', 'service', 'protocol' 'port', 'port_forward', 'rich_rule',
+ ['icmp_block', 'icmp_block_inversion', 'service', 'protocol', 'port', 'port_forward', 'rich_rule',
 'interface', 'masquerade', 'source', 'target']
 ],
 )
From 0d2ff1d2d8bc62c428507330f50449054e2f204b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rob=C3=A9rt=20S=2E=20Guhr?= <20595746+rsguhr@users.noreply.github.com>
Date: Wed, 15 Feb 2023 00:41:57 +0100
Subject: [PATCH 5/5] added integrations tests for protocol parameter
---
 .../firewalld/tasks/protocol_test_cases.yml | 65 +++++++++++++++++++
 .../targets/firewalld/tasks/run_all_tests.yml | 3 +
 2 files changed, 68 insertions(+)
 create mode 100644 tests/integration/targets/firewalld/tasks/protocol_test_cases.yml
diff --git a/tests/integration/targets/firewalld/tasks/protocol_test_cases.yml b/tests/integration/targets/firewalld/tasks/protocol_test_cases.yml
new file mode 100644
index 0000000..2af8921
--- /dev/null
+++ b/tests/integration/targets/firewalld/tasks/protocol_test_cases.yml
@@ -0,0 +1,65 @@
+# Test playbook for the firewalld module - protocol operations
+# (c) 2022, Robért S. Guhr
+
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible. If not, see .
+
+- name: firewalld protocol test permanent enabled
+ firewalld:
+ protocol: ospf
+ permanent: true
+ state: enabled
+ register: result
+
+- name: assert firewalld protocol test permanent enabled worked
+ assert:
+ that:
+ - result is changed
+
+- name: firewalld protocol test permanent enabled rerun (verify not changed)
+ firewalld:
+ protocol: ospf
+ permanent: true
+ state: enabled
+ register: result
+
+- name: assert firewalld protocol test permanent enabled rerun worked (verify not changed)
+ assert:
+ that:
+ - result is not changed
+
+- name: firewalld protocol test permanent disabled
+ firewalld:
+ protocol: ospf
+ permanent: true
+ state: disabled
+ register: result
+
+- name: assert firewalld protocol test permanent disabled worked
+ assert:
+ that:
+ - result is changed
+
+- name: firewalld protocol test permanent disabled rerun (verify not changed)
+ firewalld:
+ protocol: ospf
+ permanent: true
+ state: disabled
+ register: result
+
+- name: assert firewalld protocol test permanent disabled rerun worked (verify not changed)
+ assert:
+ that:
+ - result is not changed
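Review bot: The new test file exercises only the permanent path (`permanent: true`) and only the happy path; there is no case for the runtime (immediate) change and no negative case verifying that an unknown protocol name makes the module fail rather than report unchanged, which for a firewall module is the behaviour most worth pinning. A runtime block mirroring the permanent ones with `immediate: true` and `permanent: false`, plus an `ignore_errors: true` task using a bogus name that asserts `result is failed`, would close both gaps. Minor: the header says `(c) 2022` while the commit is dated February 2023, and the licence pointer reads `see .` with no address — possibly a rendering artefact, but worth a glance in the real file.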
diff --git a/tests/integration/targets/firewalld/tasks/run_all_tests.yml b/tests/integration/targets/firewalld/tasks/run_all_tests.yml
index 5027c1c..ff25847 100644
--- a/tests/integration/targets/firewalld/tasks/run_all_tests.yml
+++ b/tests/integration/targets/firewalld/tasks/run_all_tests.yml
@@ -10,6 +10,9 @@
 # firewalld service operation test cases
 - include_tasks: service_test_cases.yml

+# firewalld protocol operation test cases
+- include_tasks: protocol_test_cases.yml
+
 # firewalld port operation test cases
 - include_tasks: port_test_cases.yml