From 3bb707a1bd60ff4811fa34fc89523c6f93cd082c Mon Sep 17 00:00:00 2001 From: nicholasmhughes Date: Fri, 29 Nov 2024 15:50:38 -0500 Subject: [PATCH] fixes saltstack/salt#67078 nftables module check function doesn't understand that braces are optional --- changelog/67078.fixed.md | 1 + salt/modules/nftables.py | 9 +++++---- tests/pytests/unit/modules/test_nftables.py | 15 +++++++++++++++ 3 files changed, 21 insertions(+), 4 deletions(-) create mode 100644 changelog/67078.fixed.md diff --git a/changelog/67078.fixed.md b/changelog/67078.fixed.md new file mode 100644 index 000000000000..7625de1d3904 --- /dev/null +++ b/changelog/67078.fixed.md @@ -0,0 +1 @@ +Fix nftables module check function doesn't understand that braces are optional diff --git a/salt/modules/nftables.py b/salt/modules/nftables.py index 4c9f1aad44af..2ef6092e0630 100644 --- a/salt/modules/nftables.py +++ b/salt/modules/nftables.py @@ -569,13 +569,14 @@ def check(table="filter", chain=None, rule=None, family="ipv4"): return res nft_family = _NFTABLES_FAMILIES[family] - cmd = "{} --handle --numeric --numeric --numeric list chain {} {} {}".format( + cmd = "{} --handle list chain {} {} {}".format( _nftables_cmd(), nft_family, table, chain ) - search_rule = f"{rule} #" - out = __salt__["cmd.run"](cmd, python_shell=False).find(search_rule) + search_rule = f"{rule} #".replace("{ ", "{? ?").replace(" }", " ?}?") + out = __salt__["cmd.run"](cmd, python_shell=False) + found = re.search(search_rule, out) - if out == -1: + if not found: ret["comment"] = ( "Rule {} in chain {} in table {} in family {} does not exist".format( rule, chain, table, family diff --git a/tests/pytests/unit/modules/test_nftables.py b/tests/pytests/unit/modules/test_nftables.py index 8c866a523054..cf26c648b17b 100644 --- a/tests/pytests/unit/modules/test_nftables.py +++ b/tests/pytests/unit/modules/test_nftables.py @@ -1062,3 +1062,18 @@ def test_set_policy(): assert nftables.set_policy( table="filter", chain="input", policy="accept", family="ipv4" ) + + +@pytest.mark.parametrize( + "rule", + ["ct state { new } tcp dport { 22 } accept", "ct state new tcp dport 22 accept"], +) +def test_check_should_handles_braces_for_single_value_returns(rule): + ret = { + "result": True, + "comment": f"Rule {rule} in chain input in table filter in family ipv4 exists", + } + nft_list_out = "table ip filter {\n\tchain input { # handle 1\n\t\tct state new tcp dport 22 accept # handle 6\n\t}\n}" + mock = MagicMock(return_value=nft_list_out) + with patch.dict(nftables.__salt__, {"cmd.run": mock}): + assert nftables.check(chain="input", rule=rule) == ret