fixes saltstack#67078 nftables module check function doesn't understand that braces are optional
nicholasmhughes committed Nov 29, 2024
1 parent 9233e1c commit 3bb707a
Showing 3 changed files with 21 additions and 4 deletions.
1 change: 1 addition & 0 deletions changelog/67078.fixed.md
@@ -0,0 +1 @@
Fix nftables module check function doesn't understand that braces are optional
9 changes: 5 additions & 4 deletions salt/modules/nftables.py
Expand Up @@ -569,13 +569,14 @@ def check(table="filter", chain=None, rule=None, family="ipv4"):
return res

nft_family = _NFTABLES_FAMILIES[family]
cmd = "{} --handle --numeric --numeric --numeric list chain {} {} {}".format(
cmd = "{} --handle list chain {} {} {}".format(
_nftables_cmd(), nft_family, table, chain
)
search_rule = f"{rule} #"
out = __salt__["cmd.run"](cmd, python_shell=False).find(search_rule)
search_rule = f"{rule} #".replace("{ ", "{? ?").replace(" }", " ?}?")
out = __salt__["cmd.run"](cmd, python_shell=False)
found = re.search(search_rule, out)

if out == -1:
if not found:
ret["comment"] = (
"Rule {} in chain {} in table {} in family {} does not exist".format(
rule, chain, table, family
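Review bot: `found = re.search(search_rule, out)` treats the whole user-supplied rule as a regular expression, although only the brace sequences are meant to be pattern syntax and every other character of the rule should match literally. Dots in addresses (`ip saddr 10.0.0.1`) become wildcards, `tcp flags & (syn|ack) == syn` becomes a group with alternation, and a `[` in `log prefix "[nft] "` is an unterminated character set, so a rule that is present can be reported missing (making the state re-add it on every run) or `re.search` can raise `re.error` instead of returning a result. Escape the rule first and relax only the braces: `search_rule = re.escape(f"{rule} #")` / `for brace in ("{ ", " }"):` / `    search_rule = search_rule.replace(re.escape(brace), f"(?:{re.escape(brace)})?")`. This assumes `re` is imported at module level, which the hunk does not show; `check` starts above and ends below the hunk.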
15 changes: 15 additions & 0 deletions tests/pytests/unit/modules/test_nftables.py
Expand Up @@ -1062,3 +1062,18 @@ def test_set_policy():
assert nftables.set_policy(
table="filter", chain="input", policy="accept", family="ipv4"
)


@pytest.mark.parametrize(
"rule",
["ct state { new } tcp dport { 22 } accept", "ct state new tcp dport 22 accept"],
)
def test_check_should_handles_braces_for_single_value_returns(rule):
ret = {
"result": True,
"comment": f"Rule {rule} in chain input in table filter in family ipv4 exists",
}
nft_list_out = "table ip filter {\n\tchain input { # handle 1\n\t\tct state new tcp dport 22 accept # handle 6\n\t}\n}"
mock = MagicMock(return_value=nft_list_out)
with patch.dict(nftables.__salt__, {"cmd.run": mock}):
assert nftables.check(chain="input", rule=rule) == ret
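Review bot: The new test only exercises the rule-present path, so it cannot distinguish a correct brace-optional pattern from one that is merely over-broad. Add a negative case against the same `nft_list_out` with a rule that differs only inside the braces, e.g. `"ct state { established } tcp dport 22 accept"`, and assert the returned `comment` is the `does not exist` message (the `result` value for that branch is set outside the visible hunk, so check it against the module's actual failure path). The function name also reads awkwardly; `test_check_should_handles_braces_for_single_value_returns` would be clearer as `test_check_handles_optional_braces_for_single_value_sets`, and a one-line docstring stating that nft prints single-element sets without braces would explain why both parametrized rules must match the same listing.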
