From 2a0c376e421fbfd19d58389dd9a4d4640ff471c5 Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Wed, 18 Dec 2019 08:35:50 -0600
Subject: [PATCH] Change drop action
The new firewall rule action plugin was setting the rule state as absent when using the drop "action", this change updates that so we're adding drop rules and appending them to the rule chain.
Change-Id: I5105c007d890ec98b34eafba3ab410bf9ba4f089
Signed-off-by: Kevin Carter
(cherry picked from commit 8f11437b1c5173d3dda669b8b1d700837b33b245)
---
 tripleo_ansible/ansible_plugins/action/tripleo_iptables.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/tripleo_ansible/ansible_plugins/action/tripleo_iptables.py b/tripleo_ansible/ansible_plugins/action/tripleo_iptables.py
index 7cd75df71..24ec70f7d 100644
--- a/tripleo_ansible/ansible_plugins/action/tripleo_iptables.py
+++ b/tripleo_ansible/ansible_plugins/action/tripleo_iptables.py
@@ -177,11 +177,12 @@ class ActionModule(ActionBase):
 action = rule_data['action'] = rule.get('action', 'insert')
 if action == 'drop':
- rule_data['action'] = 'insert'
- rule_data['state'] = 'absent'
+ rule_data['action'] = 'append'
+ rule_data['jump'] = rule.get('jump', 'DROP')
+ else:
+ rule_data['jump'] = rule.get('jump', 'ACCEPT')
 rule_data['chain'] = rule.get('chain', 'INPUT')
- rule_data['jump'] = rule.get('jump', 'ACCEPT')
 rule_data['protocol'] = rule.get('proto', 'tcp')
 if 'table' in rule:
 rule_data['table'] = rule['table']
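Review bot: In the `drop` branch, `rule_data['jump'] = rule.get('jump', 'DROP')` still honours a caller-supplied `jump`, so a rule with `'action': 'drop'` and `'jump': 'ACCEPT'` would be appended as an ACCEPT rule, leaving the filter more permissive than the rule's action suggests. If no override is intended, set `rule_data['jump'] = 'DROP'` unconditionally, or fail the task when the supplied jump conflicts with the action; if targets such as REJECT are meant to be allowed, say so in a comment. Because the rule is now appended rather than inserted, it only takes effect after every rule already in the chain, which appears to rely on the other rules keeping the default `insert`; a comment such as `# drop rules are appended so inserted ACCEPT rules are evaluated first` would record that assumption. The enclosing method starts and ends outside the hunk.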