[BUG] nftables state module not idempotent #62203
Description
Description
nftables.append keeps appending rules that have connstate set.
Edit: This also applies for if/of with a different cause (nft list does not include meta before iifname/oifname).
Edit2: This also applies for jump: dnat with to-destination set (nft list prints dnat to <target>, not dnat <target>).
Setup
Salt minion on Debian 11 VM
Steps to Reproduce the behavior
testtable:
nftables.table_present: []
testchain:
nftables.chain_present:
- table: testtable
This is not idempotent:
nftables.append:
- table: testtable
- chain: testchain
- jump: accept
- connstate: established,relatedExpected behavior
Be idempotent.
Screenshots
$ nft list ruleset
$ salt-call state.apply nft_idem
$ nft list ruleset
table ip testtable {
chain testchain {
ct state { established, related } accept
}
}
$ salt-call state.apply nft_idem
$ nft list ruleset
table ip testtable {
chain testchain {
ct state { established, related } accept
ct state { established, related } accept
}
}Versions Report
salt --versions-report
(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)Salt Version:
Salt: 3004.2
Dependency Versions:
cffi: Not Installed
cherrypy: Not Installed
dateutil: 2.8.1
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
Jinja2: 2.11.3
libgit2: Not Installed
M2Crypto: Not Installed
Mako: Not Installed
msgpack: 1.0.0
msgpack-pure: Not Installed
mysql-python: Not Installed
pycparser: Not Installed
pycrypto: Not Installed
pycryptodome: 3.9.7
pygit2: Not Installed
Python: 3.9.2 (default, Feb 28 2021, 17:03:44)
python-gnupg: Not Installed
PyYAML: 5.3.1
PyZMQ: 20.0.0
smmap: Not Installed
timelib: Not Installed
Tornado: 4.5.3
ZMQ: 4.3.4
System Versions:
dist: debian 11 bullseye
locale: utf-8
machine: x86_64
release: 5.10.0-13-amd64
system: Linux
version: Debian GNU/Linux 11 bullseyeAdditional context
This behavior is caused by nftables.check execution module not recognizing the rule correctly. It lists the rules with the --numeric switch, which translates the connection states to hex values, but searches for them using their string representation.
Example output:
$ nft --handle --numeric --numeric --numeric list chain ip testtable testchain # why 3x numeric btw? copied from source
table ip testtable {
chain testchain { # handle 1
ct state { 0x2, 0x4 } accept # handle 3
ct state { 0x2, 0x4 } accept # handle 5
}
}Workaround possible by specifying the values in hex (which should break the analogy to iptables afaik):
testtable:
nftables.table_present: []
testchain:
nftables.chain_present:
- table: testtable
This is idempotent:
nftables.append:
- table: testtable
- chain: testchain
- jump: accept
- connstate: '0x2, 0x4'