---

- name: "3.4.3.1.1 | PATCH | Ensure iptables packages are installed"
  package:
      name:
          - iptables
          - iptables-services
      state: present
  when:
      - rhel9cis_rule_3_4_3_1_1
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - iptables
      - rule_3.4.3.1.1

- name: "3.4.3.1.2 | PATCH | Ensure nftables is not installed with iptables"
  package:
      name: nftables
      state: absent
  when:
      - rhel9cis_rule_3_4_3_1_2
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - iptables
      - rule_3.4.3.1.2

# The control allows the service it be masked or not installed
# We have chosen not installed
- name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables"
  block:
      - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service"
        systemd:
            name: firewalld
            masked: true
            state: stopped
        when:
            - rhel9cis_iptables_firewalld_state == "masked"

      - name: "3.4.3.1.3 | PATCH | Ensure firewalld is either not installed or masked with iptables | mask service"
        package:
            name: firewalld
            state: absent
        when:
            - rhel9cis_iptables_firewalld_state == "absent"
  when:
      - rhel9cis_rule_3_4_3_1_3
  tags:
      - level1-server
      - level1-workstation
      - automated
      - patch
      - iptables
      - rule_3.4.3.1.3