Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix nftables module check function doesn't understand that braces are optional #67079

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Fix nftables module check function doesn't understand that braces are optional #67079

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
3bb707a
fixes saltstack/salt#67078 nftables module check function doesn't und…
nicholasmhughes Nov 29, 2024
3654ccf
use f-strings
nicholasmhughes Dec 3, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog/67078.fixed.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Fix nftables module check function doesn't understand that braces are optional
11 changes: 5 additions & 6 deletions salt/modules/nftables.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -569,13 +569,12 @@ def check(table="filter", chain=None, rule=None, family="ipv4"):
return res

nft_family = _NFTABLES_FAMILIES[family]
cmd = "{} --handle --numeric --numeric --numeric list chain {} {} {}".format(
_nftables_cmd(), nft_family, table, chain
)
search_rule = f"{rule} #"
out = __salt__["cmd.run"](cmd, python_shell=False).find(search_rule)
cmd = f"{_nftables_cmd()} --handle list chain {nft_family} {table} {chain}"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why did you remove --numeric? While I don't think multiple --numeric args has any different effect, at least one does and is probably desired.

search_rule = f"{rule} #".replace("{ ", "{? ?").replace(" }", " ?}?")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we want to be in the business of trying to parse and maintain the syntax of nftables rules. I suggest trying to find a way to have the tools canonicalize both rules. nft also has a --json flag to give json output which may also be cleaner/safer to handle.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are other things that would make the rules not normalized and therefore not match like extra whitespaces. Here is a list according to copilot:

Whitespace: Variations in spaces or tabs can impact rule formatting, although it generally doesn’t affect functionality.

Comments: Inline or separate comments within rules might not be present in the canonical form.

Ordering: The sequence of rules and attributes can differ.

Default actions: When default actions aren’t explicitly stated, different interpretations may arise.

Aliases: Using aliases for set names or interfaces may introduce variations.

Optional attributes: Omitting certain attributes might create differences.

Nesting: The manner and extent of nesting in expressions might vary.

out = __salt__["cmd.run"](cmd, python_shell=False)
found = re.search(search_rule, out)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We did not escape the search_rule before using it as a regex so regex special characters like . and [ will not be treated as literal.


if out == -1:
if not found:
ret["comment"] = (
"Rule {} in chain {} in table {} in family {} does not exist".format(
rule, chain, table, family
Expand Down
15 changes: 15 additions & 0 deletions tests/pytests/unit/modules/test_nftables.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1062,3 +1062,18 @@ def test_set_policy():
assert nftables.set_policy(
table="filter", chain="input", policy="accept", family="ipv4"
)


@pytest.mark.parametrize(
"rule",
["ct state { new } tcp dport { 22 } accept", "ct state new tcp dport 22 accept"],
)
def test_check_should_handles_braces_for_single_value_returns(rule):
ret = {
"result": True,
"comment": f"Rule {rule} in chain input in table filter in family ipv4 exists",
}
nft_list_out = "table ip filter {\n\tchain input { # handle 1\n\t\tct state new tcp dport 22 accept # handle 6\n\t}\n}"
mock = MagicMock(return_value=nft_list_out)
with patch.dict(nftables.__salt__, {"cmd.run": mock}):
assert nftables.check(chain="input", rule=rule) == ret
Loading