
@r0x0d
Last active December 20, 2023 19:41
# Matches a line that sets CleanupModulesOnExit to "yes" or "true". The whole
# pattern is case-insensitive, and whitespace around "=" is allowed. Intended
# for use with .match(), so the option name must start the (stripped) line and
# a "#"-commented line does not match. The value is not anchored at the end,
# so a value that merely starts with "yes"/"true" also matches.
CLEANUP_MODULES_ON_EXIT_REGEX = re.compile(
    r"(?i)CleanupModulesOnExit\s*=\s*(yes|true)"
)
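def _is_modules_cleanup_enabled():
    """Verify firewalld modules cleanup config is enabled.

    The result is False when the config file does not exist or when the option
    is explicitly set to something other than yes/true. It is True when the
    file is empty, when no uncommented CleanupModulesOnExit assignment is
    present (treated as firewalld's default), or when the option is set to
    yes/true.

    :returns: Whether or not the CleanupModulesOnExit is set to true in
        firewalld config.
    :rtype: bool
    """
    # Return false if the config file does not exist. Either it means that
    # firewalld is not installed or the config file was removed.
    if not os.path.exists(FIREWALLD_CONFIG_FILE):
        logger.debug("%s does not exist." % FIREWALLD_CONFIG_FILE)
        return False

    # Keep only non-blank lines, stripped of surrounding whitespace.
    with open(FIREWALLD_CONFIG_FILE, mode="r") as handler:
        contents = [line.strip() for line in handler if line.strip()]

    # Contents list is empty for some reason, better to assume that there
    # is no content in the file that was read.
    if not contents:
        logger.debug("%s is empty." % FIREWALLD_CONFIG_FILE)
        return True

    # Collect the lines that actually assign the option. The key is compared
    # per line (text before the first "="), case-insensitively to stay in line
    # with CLEANUP_MODULES_ON_EXIT_REGEX. Testing the bare option name for
    # membership in the list of lines would only succeed for a line that is
    # exactly "CleanupModulesOnExit", so "CleanupModulesOnExit=no" would be
    # reported as missing and therefore as enabled. Commented-out lines start
    # with "#", so their key never equals the option name.
    option_lines = [
        line for line in contents if line.partition("=")[0].strip().lower() == "cleanupmodulesonexit"
    ]

    # If the CleanupModulesOnExit is not present inside the contents list, we
    # can return True since the default behavior for firewalld is to consider
    # CleanupModulesOnExit as true.
    if not option_lines:
        logger.debug(
            "Couldn't find CleanupModulesOnExit in firewalld.conf. Treating it as enabled because of default behavior."
        )
        return True

    # If the config file has this option set to true/yes, then we need to
    # return True to ask the user to change it to False. Any enabled
    # assignment counts, even if another line disables the option.
    if any(CLEANUP_MODULES_ON_EXIT_REGEX.match(line) for line in option_lines):
        logger.debug("CleanupModulesOnExit option enabled in %s" % FIREWALLD_CONFIG_FILE)
        return True

    # Default to return False as it is possible that the CleanupModulesOnExit
    # is set to no in the config already.
    return False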