Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ipset module new_set() function broken: Syntax error: unknown inet family #63224

Open
ixs opened this issue Dec 6, 2022 · 1 comment
Open

ipset module new_set() function broken: Syntax error: unknown inet family #63224

ixs opened this issue Dec 6, 2022 · 1 comment
Labels
Bug broken, incorrect, or confusing behavior Execution-Module needs-triage

Comments

@ixs
Copy link
Contributor

ixs commented Dec 6, 2022
edited

It does look like the ipset module has been broken for quite a while in a way, that was not obvious before.

I have a state that has been running fine on CentOS7 in the past but is now broken since the 3005 release.

ssh_blacklist:
  ipset.set_present:
    - name: fail2ban-ssh-global
    - set_type: hash:ip
    - family: ipv4
    - comment: true
    - timeout: 43200

ipset will report the following error:

          ID: ssh_blacklist
    Function: ipset.set_present
        Name: fail2ban-ssh-global
      Result: False
     Comment: Failed to create set fail2ban-ssh-global for ipv4: ipset v7.11: Syntax error: unknown inet family ['/usr/sbin/ipset', 'create', 'fail2ban-ssh-global', 'hash:ip', 'timeout', 43200, 'family', [...], 'inet', 'comment']
     Started: 20:23:47.099776
    Duration: 26.852 ms
     Changes:

Do note the [...] field in the comment.

This is due to an error in

salt/salt/modules/ipset.py

Line 331 in 5b18e86

cmd.extend(["family", cmd, ipset_family])
.

Instead of extending the cmd with itself (["family", cmd, ipset_family]), it should only be extended by the family parameter and the ipset_family parameter.

Removing the superfluous cmd fixes the command:

----------
          ID: ssh_blacklist
    Function: ipset.set_present
        Name: fail2ban-ssh-global
      Result: True
     Comment: ipset set fail2ban-ssh-global created successfully for ipv4
     Started: 20:24:49.040701
    Duration: 23.402 ms
     Changes:
              ----------
              locale:
                  fail2ban-ssh-global

The error was introduced in 0e46c14

I would write a PR to fix this problem but for a PR to be merged tests are required and I have no idea how I would test for such a kind of error.
/cc: @s0undt3ch as the original author of the regression change.
@ixs ixs changed the title ipset module new_set() function broken ipset module new_set() function broken: Syntax error: unknown inet family Dec 6, 2022
ixs referenced this issue Dec 6, 2022
@s0undt3ch
Fix and migrate tests/unit/modules/test_ipset.py to PyTest
0e46c14
@Ch3LL
Copy link
Contributor

Ch3LL commented Dec 6, 2022

I fixed something in ipset here recently: #63065

It should be easy to add test coverage for this issue using the tests I added as inspiration, if you're wiling to add a PR. I'm willing to help push the PR through.

@OrangeDog OrangeDog added Bug broken, incorrect, or confusing behavior needs-triage Execution-Module labels Dec 7, 2022
@sbourkeostk sbourkeostk mentioned this issue Aug 24, 2023
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug broken, incorrect, or confusing behavior Execution-Module needs-triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ixs @OrangeDog @Ch3LL