Fix nftables module check function doesn't understand that braces are optional #67079

Open
wants to merge 2 commits into
base: master
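--- a/changelog/67078.fixed.md
+++ b/changelog/67078.fixed.md
@@ -0,0 +1 @@
+Fix nftables module check function doesn't understand that braces are optional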
11 changes: 5 additions & 6 deletions salt/modules/nftables.py
Original file line number Diff line number Diff line change
Expand Up @@ -569,13 +569,12 @@ def check(table="filter", chain=None, rule=None, family="ipv4"):
return res

nft_family = _NFTABLES_FAMILIES[family]
cmd = "{} --handle --numeric --numeric --numeric list chain {} {} {}".format(
_nftables_cmd(), nft_family, table, chain
)
search_rule = f"{rule} #"
out = __salt__["cmd.run"](cmd, python_shell=False).find(search_rule)
cmd = f"{_nftables_cmd()} --handle list chain {nft_family} {table} {chain}"
search_rule = f"{rule} #".replace("{ ", "{? ?").replace(" }", " ?}?")
out = __salt__["cmd.run"](cmd, python_shell=False)
found = re.search(search_rule, out)

if out == -1:
if not found:
ret["comment"] = (
"Rule {} in chain {} in table {} in family {} does not exist".format(
rule, chain, table, family
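Review bot: The `search_rule` built on the second added line is handed to `re.search` without escaping, so regex metacharacters in the caller-supplied `rule` are interpreted rather than matched literally — a `.` in an address such as `192.168.1.1` matches any character, and an unbalanced `(` or `[` in a rule would raise `re.error` instead of returning "does not exist". Escape first and only then make the brace tokens optional: `search_rule = re.escape(f"{rule} #").replace(r"\{\ ", r"\{?\ ?").replace(r"\ \}", r"\ ?\}?")` (`re.escape` also escapes spaces, hence the `\ ` inside the replaced tokens). The rewritten command also drops the `--numeric` flags the removed line passed, so nft may print service names instead of port numbers and a numerically written rule could then fail to match; if that is unintended, keep the flags. `check` starts and ends outside this hunk.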
Expand Down
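--- a/tests/pytests/unit/modules/test_nftables.py
+++ b/tests/pytests/unit/modules/test_nftables.py
@@ -1062,3 +1062,18 @@ def test_set_policy():
     assert nftables.set_policy(
         table="filter", chain="input", policy="accept", family="ipv4"
     )
+
+
+@pytest.mark.parametrize(
+    "rule",
+    ["ct state { new } tcp dport { 22 } accept", "ct state new tcp dport 22 accept"],
+)
+def test_check_should_handles_braces_for_single_value_returns(rule):
+    ret = {
+        "result": True,
+        "comment": f"Rule {rule} in chain input in table filter in family ipv4 exists",
+    }
+    nft_list_out = "table ip filter {\n\tchain input { # handle 1\n\t\tct state new tcp dport 22 accept # handle 6\n\t}\n}"
+    mock = MagicMock(return_value=nft_list_out)
+    with patch.dict(nftables.__salt__, {"cmd.run": mock}):
+        assert nftables.check(chain="input", rule=rule) == ret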
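Review bot: The new test only exercises the positive path: both parametrized rules are expected to match, and nothing asserts that a rule which should not match (for instance `ct state { established } tcp dport { 22 } accept`) yields the "does not exist" comment, so an over-permissive pattern would still pass. Adding that negative case, plus a rule containing regex metacharacters such as an address with dots, would pin the intended matching behaviour. The mocked `cmd.run` is also never inspected with `mock.assert_called_once_with(...)`, so the changed `nft` command line goes unverified. The name `test_check_should_handles_braces_for_single_value_returns` reads oddly; `test_check_treats_braces_as_optional_for_single_values` says the same thing more clearly.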