Improve firewalld support

[decoyjoe]

Description

I started out meaning to just fix a couple of bugs with the firewalld provider. I ended up needing to refactor and modernize the firewalld implementation in order to get it into a supportable state. Many bugs were fixed along the way.

Key changes in this release:

• Rich Rules on firewalld: The firewall_rule resource now creates rich rules on firewalld platforms instead of using the deprecated --direct interface.
• Flexible firewall selection: The cookbook now uses the default['firewall']['solution'] attribute to determine the firewall solution to use instead of a hardcoded assignment for each platform. It defaults to the platform's native firewall (same as previous hardcoded values).
• Firewalld 2.0.0: Platforms using firewalld 2.0.0 and later, such as RHEL 10 and Ubuntu 24.04, are now supported.

Added

• Support for firewalld 2.0.0 and the platforms that use it; RHEL 10 and Ubuntu 24.04.
  • priority, ingress_priority, egress_priority properties added to firewalld_zone.
• Added firewalld_rich_rule resource for adding/removing rich rules to/from firewalld zones.
• Support for IPv6 rules on firewalld platforms.
• Support for using any compatible firewall solution on any platform. Defaults to the operating system's default firewall solution.

Changed

• Ensure firewalld service remains enabled and started when installed.
• firewall_rule resource now creates rich rules on firewalld platforms, instead of the using the deprecated --direct firewalld interface.

Fixed

• Fixed: firewall_rule resource fails with a --zone is an invalid option with --direct error on firewalld.
• Fixed: New zones created by firewalld_zone unexpectedly have forwarding enabled by default.
• Fixed: firewalld_* resources ignore properties whose value is false.
• Fixed: firewalld_* resources were not idempotent when using ports, source_ports, and rich_rules properties.
• Fixed: ufw provider doesn't ensure ufw service is enabled.

Removed

• Removed deprecated disabled property from firewall resource.
• Removed all default['firewall']['firewalld'] attributes. Use the firewalld_zone resource to manage firewalld zone configuration.
• Removed firewalld action :save from firewall resource. Firewalld rules are now always added permanently.
• Removed firewalld property permanent from firewall_rule resource. Firewalld rules are now always added permanently.
• Removed properties disabled_zone and enabled_zone from firewall resource. Use the firewalld_zone resource to manage firewalld zone configuration.
• Removed recipe firewall::firewalld. Its functionality has been merged into the firewall::default recipe.
• Removed attributes default['firewall']['ubuntu_iptables'] and default['firewall']['redhat7_iptables']. Use the new default['firewall']['solution'] attribute to set the desired firewall solution to use.

Issues Resolved

• Fixes Zone attribute change breaks compatibility with Oracle 8 & 9 (probably RHEL 8 & 9 as well) #298
• Fixes Firewalld ipv6 support #86

Check List

• A summary of changes made is included in the CHANGELOG under ## Unreleased
• New functionality includes testing.
• New functionality has been documented in the README if applicable.