Fix saltstack#66382 (nftables): Produce correct ip family for rules with saddr or daddr
jdelic committed Apr 16, 2024
1 parent aad71fd commit 2c5d6ff
Showing 3 changed files with 27 additions and 2 deletions.
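--- a/changelog/66382.fixed.md
+++ b/changelog/66382.fixed.md
@@ -0,0 +1 @@
+Fixed nftables.build_rule breaks ipv6 rules by using the wrong syntax for source and destination addresses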
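--- a/salt/modules/nftables.py
+++ b/salt/modules/nftables.py
@@ -165,14 +165,18 @@ def build_rule(
         del kwargs["counter"]
 
     if "saddr" in kwargs or "source" in kwargs:
-        rule += "ip saddr {} ".format(kwargs.get("saddr") or kwargs.get("source"))
+        rule += "{} saddr {} ".format(
+            nft_family, kwargs.get("saddr") or kwargs.get("source")
+        )
         if "saddr" in kwargs:
             del kwargs["saddr"]
         if "source" in kwargs:
             del kwargs["source"]
 
     if "daddr" in kwargs or "destination" in kwargs:
-        rule += "ip daddr {} ".format(kwargs.get("daddr") or kwargs.get("destination"))
+        rule += "{} daddr {} ".format(
+            nft_family, kwargs.get("daddr") or kwargs.get("destination")
+        )
         if "daddr" in kwargs:
             del kwargs["daddr"]
         if "destination" in kwargs: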
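Review bot: The new saddr/daddr lines substitute the table family keyword into the address match, but nft's payload expression is always `ip saddr` or `ip6 saddr` regardless of table family; if `nft_family` (computed before this hunk) can also be `inet`, `bridge` or `netdev`, the rule becomes e.g. `inet saddr 10.0.0.1`, which nft rejects, so a dual-stack `inet filter` table would now fail where it used to work for IPv4. When the family is not already `ip` or `ip6`, the keyword should be derived from the address literal itself (a colon only appears in IPv6 addresses and prefixes; `ipaddress.ip_network` is the stricter alternative), and the same applies to the daddr branch. I would add a one-line comment explaining why the table family is not used directly, since the original `ip` literal looked deliberate to the last reader too. `build_rule` starts and continues outside this hunk, so the derived values of `nft_family` cannot be confirmed from here.
```python
    if "saddr" in kwargs or "source" in kwargs:
        saddr = kwargs.get("saddr") or kwargs.get("source")
        # nft matches addresses with the ip/ip6 payload keyword, not the table
        # family: inet/bridge/netdev tables must pick it from the address itself.
        l3 = nft_family if nft_family in ("ip", "ip6") else ("ip6" if ":" in saddr else "ip")
        rule += "{} saddr {} ".format(l3, saddr)
        # … unchanged: del of saddr/source kwargs …

    if "daddr" in kwargs or "destination" in kwargs:
        daddr = kwargs.get("daddr") or kwargs.get("destination")
        l3 = nft_family if nft_family in ("ip", "ip6") else ("ip6" if ":" in daddr else "ip")
        rule += "{} daddr {} ".format(l3, daddr)
        # … unchanged: del of daddr/destination kwargs …
```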
20 changes: 20 additions & 0 deletions tests/pytests/unit/modules/test_nftables.py
Expand Up @@ -103,6 +103,26 @@ def test_build_rule():
"comment": "Successfully built rule",
}

assert nftables.build_rule(
table="filter",
chain="input",
family="ip6",
command="insert",
position="3",
full="True",
connstate="related,established",
saddr="::/0",
daddr="fe80:cafe::1",
jump="accept",
) == {
"result": True,
"rule": (
"nft insert rule ip filter input position 3 ct state {"
" related,established } ip saddr ::/0 ip daddr fe80:cafe::1 accept"
),
"comment": "Successfully built rule",
}

assert nftables.build_rule() == {"result": True, "rule": "", "comment": ""}


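Review bot: The new assertion passes `family="ip6"` but expects `nft insert rule ip filter input ... ip saddr ::/0 ip daddr fe80:cafe::1 accept`, so it either fails against the patched `build_rule` or shows that `ip6` is still rendered as `ip`; in both cases it does not demonstrate the fix the changelog describes. If `nft_family` maps `ip6` to `ip6` as the nft CLI expects, the expected string should read `"nft insert rule ip6 filter input position 3 ct state {"` followed by `" related,established } ip6 saddr ::/0 ip6 daddr fe80:cafe::1 accept"`. A second case with `family="inet"` and one IPv4 and one IPv6 address would also pin down the dual-stack behaviour, which a one-to-one table-family keyword cannot express. `test_build_rule` starts before this hunk.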
