From 25e0fd35574846569567cc566d2e2b3ec8214e89 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Fri, 18 Oct 2019 22:49:29 +0300
Subject: [PATCH] roles/common: Use individual calls with firewalld

Seems to work around an issue when firewalld is using the nftables backend with iptables 1.8.2 on Debian 10. Alternatively I could go back to using the iptables backend... hmm.

See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694
---
 roles/common/tasks/firewall_Debian.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/roles/common/tasks/firewall_Debian.yml b/roles/common/tasks/firewall_Debian.yml
index 0fc178d..b9473d7 100644
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
@@ -17,6 +17,18 @@
 notify:
 - restart firewalld
 
+# firewalld seems to have an issue with iptables 1.8.2 when using the nftables
+# backend. Using individual calls seems to work around it.
+# See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
+ - name: Use individual iptables calls
+ when: ansible_distribution_major_version is version_compare('10', '>=')
+ lineinfile:
+ dest: /etc/firewalld/firewalld.conf
+ regexp: '^IndividualCalls=no$'
+ line: 'IndividualCalls=yes'
+ notify:
+ - restart firewalld
+
 - name: Copy firewalld public zone file
 when: ansible_distribution_major_version is version_compare('8', '>=')
 template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
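Review bot: The `regexp: '^IndividualCalls=no$'` on the new lineinfile task only rewrites a line that is exactly `IndividualCalls=no`; if the shipped firewalld.conf has the key commented out (`#IndividualCalls=no`), set to another value, or padded with whitespace, lineinfile finds no match and appends `IndividualCalls=yes` at EOF, leaving the original line in place so the effective setting depends on which occurrence firewalld honours. A looser anchor such as `regexp: '^#?\s*IndividualCalls='` rewrites whatever form is present and stays idempotent. Separately, the new comment cites Debian bug 931722 while the commit message cites 914694 — confirm which one applies and make the two agree. Note also that individual calls presumably mean the ruleset is no longer applied as one batched restore, so the window during the `restart firewalld` handler in which rules are only partially applied may be longer; worth a line in the comment if that matters on exposed hosts.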