fix: reload on resetting to defaults

.sanity-ansible-ignore-2.12.txt

@@ -2,3 +2,4 @@ plugins/modules/firewall_lib.py validate-modules:missing-gplv3-license
 plugins/modules/firewall_lib_facts.py validate-modules:missing-gplv3-license
 plugins/modules/firewall_lib.py validate-modules:missing-examples
 roles/firewall/files/get_files_checksums.sh shebang!skip
+tests/firewall/files/test_ping.sh shebang!skip

.sanity-ansible-ignore-2.13.txt

@@ -2,3 +2,4 @@ plugins/modules/firewall_lib.py validate-modules:missing-gplv3-license
 plugins/modules/firewall_lib_facts.py validate-modules:missing-gplv3-license
 plugins/modules/firewall_lib.py validate-modules:missing-examples
 roles/firewall/files/get_files_checksums.sh shebang!skip
+tests/firewall/files/test_ping.sh shebang!skip

.sanity-ansible-ignore-2.14.txt

@@ -2,3 +2,4 @@ plugins/modules/firewall_lib.py validate-modules:missing-gplv3-license
 plugins/modules/firewall_lib_facts.py validate-modules:missing-gplv3-license
 plugins/modules/firewall_lib.py validate-modules:missing-examples
 roles/firewall/files/get_files_checksums.sh shebang!skip
+tests/firewall/files/test_ping.sh shebang!skip

.sanity-ansible-ignore-2.15.txt

@@ -2,3 +2,4 @@ plugins/modules/firewall_lib.py validate-modules:missing-gplv3-license
 plugins/modules/firewall_lib_facts.py validate-modules:missing-gplv3-license
 plugins/modules/firewall_lib.py validate-modules:missing-examples
 roles/firewall/files/get_files_checksums.sh shebang!skip
+tests/firewall/files/test_ping.sh shebang!skip

.sanity-ansible-ignore-2.9.txt

@@ -2,3 +2,4 @@ plugins/modules/firewall_lib.py validate-modules:missing-gplv3-license
 plugins/modules/firewall_lib_facts.py validate-modules:missing-gplv3-license
 plugins/modules/firewall_lib.py validate-modules:missing-examples
 roles/firewall/files/get_files_checksums.sh shebang!skip
+tests/firewall/files/test_ping.sh shebang!skip

files/get_files_checksums.sh

@@ -4,8 +4,7 @@ set -euo pipefail
 
 python_cmd="$1"
 firewall_conf_root="${2:-/etc/firewalld}"
-firewall_service="${3:-firewalld}"
-remove="${4:-false}"
+remove="${3:-false}"
 
 listfile=$(mktemp)
 firewallconf=$(mktemp)
@@ -33,7 +32,7 @@ if [ "${remove:-false}" = true ]; then
     find "$firewall_conf_root" -name \*.xml -exec rm -f {} \;
     rm -f "$firewall_conf_root/firewalld.conf"
     if [ -s "$listfile" ] ; then
-        systemctl restart "$firewall_service"
+        firewall-cmd --reload > /dev/null
     fi
 fi
 

tasks/main.yml

@@ -45,8 +45,7 @@
   script:
     cmd: >
       files/get_files_checksums.sh {{ __firewall_python_cmd | quote }}
-      {{ __firewall_firewalld_dir | quote }} {{ __firewall_service | quote }}
-      true
+      {{ __firewall_firewalld_dir | quote }} true
   register: __firewall_config_files_before
   changed_when: false
   when: __firewall_previous_replaced | bool

tests/files/test_ping.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# Author - Brennan Paciorek <[email protected]>
+# Description - Benchmark firewalld downtime while reloading and while restarting
+# by measuring how many packets are dropped while firewalld is restarting/reloading
+set -euo pipefail
+
+cleanup() {
+  rm -f /tmp/ping0
+  rm -f /tmp/ping2
+  rm -f /tmp/ping1
+  rm -f /tmp/Containerfile
+  podman stop --all
+  podman rm --all
+  podman network rm podmanbr0 || :
+}
+trap "cleanup 1>/dev/null" EXIT
+
+cat > /tmp/Containerfile << EOF
+FROM quay.io/centos/centos:stream8
+RUN dnf -y install systemd
+RUN dnf -y install firewalld nc
+EXPOSE 31337
+CMD /usr/lib/systemd/systemd 
+EOF
+
+# Initial container setup #
+{
+  podman network create --subnet 172.16.1.0/24 --gateway 172.16.1.1 --interface-name podmanbr0 podmanbr0
+  imageid=$(podman build -q /tmp)
+  podman run -d --rm --rmi --privileged --net podmanbr0 --ip 172.16.1.2 --name test-firewalld "$imageid" /usr/lib/systemd/systemd
+  sleep 5 # Wait reasonable amount of time for container to start services
+
+  # Firewall rule setup #
+  podman exec test-firewalld firewall-cmd --permanent --add-icmp-block "echo-request"
+  # firewall-cmd reload waits for dbus response, systemctl will not
+  podman exec test-firewalld firewall-cmd --reload
+} > /dev/null 2>/dev/null
+
+NUM_PINGS=50
+TIMEOUT=2
+
+# The following ping should have 100% packet loss
+ping -c "$NUM_PINGS" -W "$TIMEOUT" -i 0.01 172.16.1.2 1>/tmp/ping0 || :
+
+# Begin downtime comparision #
+ping -c "$NUM_PINGS" -W "$TIMEOUT" -i 0.01 172.16.1.2 1>/tmp/ping1 || : &
+pid="$!"
+podman exec test-firewalld systemctl reload firewalld.service
+wait "$pid"
+
+ping -c "$NUM_PINGS" -W "$TIMEOUT" -i 0.01 172.16.1.2 1>/tmp/ping2 || : &
+pid="$!"
+podman exec test-firewalld systemctl restart firewalld.service
+wait "$pid"
+
+# Print Results
+tail -2 /tmp/ping0 | head -1 | awk '{print $4}'
+tail -2 /tmp/ping1 | head -1 | awk '{print $4}'
+tail -2 /tmp/ping2 | head -1 | awk '{print $4}'
+

tests/tests_reload_on_reset.yml

@@ -0,0 +1,31 @@
+---
+- name: Setup a vm with podman on it
+  hosts: all
+  pre_tasks:
+    - name: Test not supported on EL7
+      meta: end_host
+      when:
+        - ansible_distribution in ['RedHat', 'CentOS']
+        - ansible_distribution_major_version | int < 8
+  tasks:
+    - name: Install podman
+      package:
+        name: podman
+        state: present
+
+    - name: Run test
+      script:
+        cmd: files/test_ping.sh
+        executable: /bin/bash
+      register: test_results
+
+    - name: Process test results
+      vars:
+        coherence_check: "{{ test_results.stdout_lines[0] }}"
+        restart_check: "{{ test_results.stdout_lines[2] }}"
+        reload_check: "{{ test_results.stdout_lines[1] }}"
+      fail:
+        msg: Either coherence check or benchmark failed
+      when: >-
+        coherence_check | int != 0
+        or restart_check | int < reload_check | int