1 files changed, 11 insertions, 28 deletions

diff --git a/roles/contiv/tasks/netplugin_firewalld.yml b/roles/contiv/tasks/netplugin_firewalld.yml
index 3aeffae56..5ac531ec6 100644
--- a/roles/contiv/tasks/netplugin_firewalld.yml
+++ b/roles/contiv/tasks/netplugin_firewalld.yml
@@ -1,34 +1,17 @@
 ---
-- name: Netplugin Firewalld | Open Netplugin port
+- name: Netplugin Firewalld | Add internal rules
   firewalld:
-    port: "{{ netplugin_port }}/tcp"
-    permanent: false
-    state: enabled
-  # in case this is also a node where firewalld turned off
-  ignore_errors: yes
-
-- name: Netplugin Firewalld | Save Netplugin port
-  firewalld:
-    port: "{{ netplugin_port }}/tcp"
+    immediate: true
     permanent: true
-    state: enabled
-  # in case this is also a node where firewalld turned off
-  ignore_errors: yes
-
-- name: Netplugin Firewalld | Open vxlan port
-  firewalld:
-    port: "8472/udp"
-    permanent: false
-    state: enabled
-  # in case this is also a node where firewalld turned off
-  ignore_errors: yes
-  when: contiv_encap_mode == "vxlan"
+    port: "{{ item[0] }}"
+    source: "{{ item[1] }}"
+  with_nested:
+    - "{{ contiv_netplugin_internal }}"
+    - "{{ groups.oo_nodes_to_config|difference(hostvars[inventory_hostname]['ansible_' + contiv_netmaster_interface].ipv4.address)|list }}"
 
-- name: Netplugin Firewalld | Save firewalld vxlan port for flanneld
+- name: Netplugin Firewalld | Add dns rule
   firewalld:
-    port: "8472/udp"
+    immediate: true
     permanent: true
-    state: enabled
-  # in case this is also a node where firewalld turned off
-  ignore_errors: yes
-  when: contiv_encap_mode == "vxlan"
+    port: "53/udp"
+    interface: contivh0