From 2631f76c6d2d66ab0cad0d2e68b272623a75b415 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Sat, 26 Oct 2019 19:34:25 +0200
Subject: [PATCH] roles/common: Use iptables backend for firewalld on Debian

For some reason the nftables set support in firewalld doesn't seem to be working. I see that sets (aka ipsets in nftables lingo) are created, but they are empty. For now I will just leave these tasks as they are to revert the behavior on current hosts (should do no change on new installed, as the regexp won't match).
---
 roles/common/tasks/firewall_Debian.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/roles/common/tasks/firewall_Debian.yml b/roles/common/tasks/firewall_Debian.yml
index 8b00c8e..210d9ac 100644
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
@@ -13,12 +13,12 @@
 when: ansible_distribution_major_version is version_compare('9', '>=')
 apt: pkg={{ debian_firewall_packages }} state=present

- - name: Use nftables backend in firewalld
+ - name: Use iptables backend in firewalld
 when: ansible_distribution_major_version is version_compare('10', '>=')
 lineinfile:
 dest: /etc/firewalld/firewalld.conf
- regexp: '^FirewallBackend=iptables$'
- line: 'FirewallBackend=nftables'
+ regexp: '^FirewallBackend=nftables$'
+ line: 'FirewallBackend=iptables'
 notify:
 - restart firewalld

@@ -29,8 +29,8 @@
 when: ansible_distribution_major_version is version_compare('10', '>=')
 lineinfile:
 dest: /etc/firewalld/firewalld.conf
- regexp: '^IndividualCalls=yes$'
- line: 'IndividualCalls=no'
+ regexp: '^IndividualCalls=yes$'
+ line: 'IndividualCalls=no'
 notify:
 - restart firewalld
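Review bot: The new `regexp: '^FirewallBackend=nftables$'` in the renamed backend task matches only that exact line, and `lineinfile` without `backrefs` appends `line` at the end of the file whenever neither the regexp nor the line itself is found. The "no change" outcome the commit message expects therefore holds only where the file already contains exactly `FirewallBackend=iptables`; a firewalld.conf whose key carries trailing whitespace or another value would gain a second `FirewallBackend=` entry, and which of the two firewalld honours is not something the hunk shows. Anchoring on the key, `regexp: '^FirewallBackend='`, makes the task converge to a single line whatever the current value. The same applies to `regexp: '^IndividualCalls=yes$'` in the second hunk, where `regexp: '^IndividualCalls='` would do the same job.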
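Review bot: Nothing in the file records that this task now exists only to undo the earlier `IndividualCalls=yes` setting on already-provisioned hosts, which is what the commit message describes. A comment above the task, such as `# Temporary: reverts the earlier IndividualCalls=yes; remove once existing hosts have converged`, would tell the next maintainer when it can be dropped. The task's `name:` line lies above this hunk and is not changed by it, so if it still describes enabling individual calls it now contradicts what the task does and should be reworded the way the backend task's name was.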