From cac38af09b66f867c730eac2ab3b29c80adb2ed6 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Fri, 18 Oct 2019 19:02:17 +0300
Subject: [PATCH] roles/common: Use nftables firewalld backend on Debian 10

nftables is the iptables replacement. There is support for nftables in firewalld since v0.6.0.
See: https://firewalld.org/2018/07/nftables-backend
---
 roles/common/tasks/firewall_Debian.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/roles/common/tasks/firewall_Debian.yml b/roles/common/tasks/firewall_Debian.yml
index 6cd3ab1..0fc178d 100644
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
@@ -8,6 +8,15 @@
 - firewalld
 - tidy
 
+ - name: Use nftables backend in firewalld
+ when: ansible_distribution_major_version is version_compare('10', '>=')
+ lineinfile:
+ dest: /etc/firewalld/firewalld.conf
+ regexp: '^FirewallBackend=iptables$'
+ line: 'FirewallBackend=nftables'
+ notify:
+ - restart firewalld
+
 - name: Copy firewalld public zone file
 when: ansible_distribution_major_version is version_compare('8', '>=')
 template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
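Review bot: The `regexp: '^FirewallBackend=iptables$'` anchor in the new lineinfile task matches only one exact spelling of the setting, so when the file carries any other form (trailing whitespace, a different value) and does not already contain the nftables line, lineinfile appends `FirewallBackend=nftables` at the end and leaves the old entry in place; I would use `regexp: '^FirewallBackend='` so the existing line is always replaced. The `when:` test compares only `ansible_distribution_major_version`, so if this task file is also included for Ubuntu hosts (not visible in the hunk) the task would apply there as well, and adding `ansible_distribution == 'Debian'` would match the commit title. `dest` is a legacy alias; `path: /etc/firewalld/firewalld.conf` is the current parameter name. Because this switches which backend enforces the host firewall, a follow-up task that verifies the ruleset is loaded after the handler runs would be worth adding; the tasks on either side of the new one start or end outside the hunk.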