saltstack · s0undt3ch · May 14, 2024 · Apr 16, 2024
@@ -0,0 +1 @@
+Fixed nftables.build_rule breaks ipv6 rules by using the wrong syntax for source and destination addresses
@@ -165,14 +165,18 @@ def build_rule(
         del kwargs["counter"]
 
     if "saddr" in kwargs or "source" in kwargs:
-        rule += "ip saddr {} ".format(kwargs.get("saddr") or kwargs.get("source"))
+        rule += "{} saddr {} ".format(
+            nft_family, kwargs.get("saddr") or kwargs.get("source")
+        )
         if "saddr" in kwargs:
             del kwargs["saddr"]
         if "source" in kwargs:
             del kwargs["source"]
 
     if "daddr" in kwargs or "destination" in kwargs:
-        rule += "ip daddr {} ".format(kwargs.get("daddr") or kwargs.get("destination"))
+        rule += "{} daddr {} ".format(
+            nft_family, kwargs.get("daddr") or kwargs.get("destination")
+        )
         if "daddr" in kwargs:
             del kwargs["daddr"]
         if "destination" in kwargs:

@@ -103,6 +103,26 @@ def test_build_rule():
         "comment": "Successfully built rule",
     }
 
+    assert nftables.build_rule(
+        table="filter",
+        chain="input",
+        family="ip6",
+        command="insert",
+        position="3",
+        full="True",
+        connstate="related,established",
+        saddr="::/0",
+        daddr="fe80:cafe::1",
+        jump="accept",
+    ) == {
+        "result": True,
+        "rule": (
+            "nft insert rule ip6 filter input position 3 ct state {"
+            " related,established } ip6 saddr ::/0 ip6 daddr fe80:cafe::1 accept"
+        ),
+        "comment": "Successfully built rule",
+    }
+
     assert nftables.build_rule() == {"result": True, "rule": "", "comment": ""}