Update firewalld module to consider the value of the icmp_block_inversion parameter when determining if icmp_block_inversion should be enabled/disabled.

plugins/modules/firewalld.py

@@ -846,12 +846,21 @@ def main():
             msgs.append("Changed icmp-block %s to %s" % (icmp_block, desired_state))
 
     if icmp_block_inversion is not None:
+        # Type of icmp_block_inversion will be changed to boolean in a future release.
+        icmp_block_inversion_status = True
+        try:
+            icmp_block_inversion_status = boolean(icmp_block_inversion, True)
+        except TypeError:
+            module.warn('The value of the icmp_block_inversion option is "%s". '
+                        'The type of the option will be changed from string to boolean in a future release. '
+                        'To avoid unexpected behavior, please change the value to boolean.' % icmp_block_inversion)
+        expected_state = 'enabled' if (desired_state == 'enabled') == icmp_block_inversion_status else 'disabled'
 
         transaction = IcmpBlockInversionTransaction(
             module,
             action_args=(),
             zone=zone,
-            desired_state=desired_state,
+            desired_state=expected_state,
             permanent=permanent,
             immediate=immediate,
         )
@@ -861,14 +870,6 @@ def main():
         if changed is True:
             msgs.append("Changed icmp-block-inversion %s to %s" % (icmp_block_inversion, desired_state))
 
-        # Type of icmp_block_inversion will be changed to boolean in a future release.
-        try:
-            boolean(icmp_block_inversion, True)
-        except TypeError:
-            module.warn('The value of the icmp_block_inversion option is "%s". '
-                        'The type of the option will be changed from string to boolean in a future release. '
-                        'To avoid unexpected behavior, please change the value to boolean.' % icmp_block_inversion)
-
     if service is not None:
 
         transaction = ServiceTransaction(

tests/integration/targets/firewalld/tasks/icmp_block_inversion_test_cases.yml

@@ -0,0 +1,172 @@
+# Test playbook for the firewalld module - icmp block inversion operations
+# (c) 2022, Gregory Furlong <gnfzdz@fzdz.io>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+- name: Icmp block inversion enabled when icmp block inversion is truthy and state is enabled
+  block:
+  - name: Testing enable icmp block inversion
+    ansible.posix.firewalld:
+      zone:       trusted
+      icmp_block_inversion: yes
+      permanent:  yes
+      state:      enabled
+    register: result
+
+  - name: assert icmp block inversion is enabled
+    assert:
+      that:
+      - result is changed
+
+  - name: Testing enable icmp block inversion (verify not changed)
+    ansible.posix.firewalld:
+      zone:       trusted
+      icmp_block_inversion: yes
+      permanent:  yes
+      state:      enabled
+    register: result
+
+  - name: assert icmp block inversion is enabled (verify not changed)
+    assert:
+      that:
+      - result is not changed
+
+- name: Icmp block inversion disabled when icmp block inversion is falsy and state is enabled
+  block:
+  - name: Testing disable icmp block inversion
+    ansible.posix.firewalld:
+      zone:       trusted
+      icmp_block_inversion: no
+      permanent:  yes
+      state:      enabled
+    register: result
+
+  - name: assert icmp block inversion is disabled
+    assert:
+      that:
+      - result is changed
+
+  - name: Testing disable icmp block inversion (verify not changed)
+    ansible.posix.firewalld:
+      zone:       trusted
+      icmp_block_inversion: no
+      permanent:  yes
+      state:      enabled
+    register: result
+
+  - name: assert icmp block inversion is disabled (verify not changed)
+    assert:
+      that:
+      - result is not changed
+
+- name: Icmp block inversion enabled when icmp block inversion is falsy and state is disabled
+  block:
+  - name: Testing enable icmp block inversion
+    ansible.posix.firewalld:
+      zone:       trusted
+      icmp_block_inversion: no
+      permanent:  yes
+      state:      disabled
+    register: result
+
+  - name: assert icmp block inversion is enabled
+    assert:
+      that:
+      - result is changed
+
+  - name: Testing enable icmp block inversion (verify not changed)
+    ansible.posix.firewalld:
+      zone:       trusted
+      icmp_block_inversion: no
+      permanent:  yes
+      state:      disabled
+    register: result
+
+  - name: assert icmp block inversion is enabled (verify not changed)
+    assert:
+      that:
+      - result is not changed
+
+- name: Icmp block inversion disabled when icmp block inversion is truthy and state is disabled
+  block:
+  - name: Testing disable icmp block inversion
+    ansible.posix.firewalld:
+      zone:       trusted
+      icmp_block_inversion: yes
+      permanent:  yes
+      state:      disabled
+    register: result
+
+  - name: assert icmp block inversion is disabled
+    assert:
+      that:
+      - result is changed
+
+  - name: Testing disable icmp block inversion (verify not changed)
+    ansible.posix.firewalld:
+      zone:       trusted
+      icmp_block_inversion: yes
+      permanent:  yes
+      state:      disabled
+    register: result
+
+  - name: assert icmp block inversion is disabled (verify not changed)
+    assert:
+      that:
+      - result is not changed
+
+# Validate backwards compatible behavior until icmp block inversion is switched from string to boolean type
+- name: Icmp block inversion enabled when icmp block inversion is non-boolean string and state is enabled
+  block:
+  - name: Testing enable icmp block inversion
+    ansible.posix.firewalld:
+      zone:       trusted
+      icmp_block_inversion: 'some string'
+      permanent:  yes
+      state:      enabled
+    register: result
+
+  - name: assert icmp block inversion is enabled
+    assert:
+      that:
+      - result is changed
+
+  - name: Testing enable icmp block inversion (verify not changed)
+    ansible.posix.firewalld:
+      zone:       trusted
+      icmp_block_inversion: 'some string'
+      permanent:  yes
+      state:      enabled
+    register: result
+
+  - name: assert icmp block inversion is enabled (verify not changed)
+    assert:
+      that:
+      - result is not changed
+
+- name: Icmp block inversion disabled when icmp block inversion is non-boolean string and state is disabled
+  block:
+  - name: Testing disable icmp block inversion
+    ansible.posix.firewalld:
+      zone:       trusted
+      icmp_block_inversion: 'some string'
+      permanent:  yes
+      state:      disabled
+    register: result
+
+  - name: assert icmp block inversion is disabled
+    assert:
+      that:
+      - result is changed
+
+  - name: Testing disable icmp block inversion (verify not changed)
+    ansible.posix.firewalld:
+      zone:       trusted
+      icmp_block_inversion: 'some string'
+      permanent:  yes
+      state:      disabled
+    register: result
+
+  - name: assert icmp block inversion is disabled (verify not changed)
+    assert:
+      that:
+      - result is not changed

tests/integration/targets/firewalld/tasks/masquerade_test_cases.yml

@@ -1,4 +1,4 @@
-# Test playbook for the firewalld module
+# Test playbook for the firewalld module - masquerade operations
 # (c) 2022, Gregory Furlong <gnfzdz@fzdz.io>
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 

tests/integration/targets/firewalld/tasks/run_all_tests.yml

@@ -24,3 +24,6 @@
 
 # firewalld masquerade operation test cases
 - include_tasks: masquerade_test_cases.yml
+
+# firewalld icmp block inversion operation test cases
+- include_tasks: icmp_block_inversion_test_cases.yml