Support proto for IPSec policy extension in iptables state #47113
What does this PR do?
Support --proto for iptables IPSec policy extension in iptables state.
What issues does this PR fix or reference?
I found no issues (open or closed) referencing this problem.
Previous Behavior
Consider the following state:
Prior to this fix, applying ipt-test would produce this incorrect iptables rule:
New Behavior
The state ipt-test now produces the correct iptables rule:
Notice how the proto is now interpreted as a parameter of the IPSec policy extension of iptables.
Tests written?
Automating tests for this would require iptables to be installed and working on the test system. If requested, I will attempt to make the necessary changes to SaltTesting. The full test case I used is copied below. The details of the state failure are shown in the Previous Behavior section. I compared the rules generated by the execution and state modules before and after the change against the rules generated with the raw iptables commands.
Raw commands
salt iptables.append command line
salt state.single iptables.append command line
iptables-save output
iptables -vL output
Results
Commits signed with GPG?
Yes
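The distinction this PR describes, as an added example that is not code from the PR or from Salt: a simplified, hypothetical rule builder that emits proto as --proto inside a policy match, plus a checker that reports which protocol option a rendered rule actually carries. The function names, the sample values and the assumption that the mis-rendering was proto emitted as the generic -p option are all constructed here, since the PR's own state and rule listings are not reproduced on this page.

```python
import shlex

POLICY_OPTS = ("dir", "pol", "proto")  # subset of the policy match's options

def build_rule(**kw):
    """Hypothetical, simplified rule builder (not Salt's build_rule)."""
    args = []
    match = kw.get("match")
    # Outside a policy match, 'proto' means the packet's own protocol (-p).
    if "proto" in kw and match != "policy":
        args += ["-p", kw["proto"]]
    if match:
        args += ["-m", match]
    if match == "policy":
        # Inside a policy match, 'proto' is the IPsec encapsulation protocol
        # and must follow -m policy as --proto.
        for opt in POLICY_OPTS:
            if opt in kw:
                args += ["--" + opt, kw[opt]]
    if "jump" in kw:
        args += ["-j", kw["jump"]]
    return " ".join(args)

def rule_protocols(rule):
    """Return (packet_proto, policy_proto) from an iptables-save style rule."""
    toks = shlex.split(rule)
    packet = policy = None
    in_policy = False
    for i, tok in enumerate(toks[:-1]):
        if tok == "-m":
            in_policy = toks[i + 1] == "policy"
        elif tok in ("-j", "-g"):
            in_policy = False
        elif tok in ("-p", "--protocol"):
            packet = toks[i + 1]
        elif tok == "--proto" and in_policy:
            policy = toks[i + 1]
    return packet, policy

# Constructed sample values, not taken from the PR.
FIXED = build_rule(match="policy", dir="in", pol="ipsec", proto="esp", jump="ACCEPT")
MISRENDERED = "-p esp -m policy --dir in --pol ipsec -j ACCEPT"

if __name__ == "__main__":
    for rule in (FIXED, MISRENDERED):
        print(rule_protocols(rule), rule)
```

The two renderings are not equivalent: -p esp matches ESP packets themselves, while -m policy --proto esp matches packets by the encapsulation protocol of the IPsec policy applied to them, so a rule set generated with the wrong form filters different traffic than the state intended.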