[BUG] nftables module check function doesn't understand that braces are optional #67078

@nicholasmhughes

Description

The nftables module's check function does not handle optional braces in the output of the nft list command, causing non-idempotent behavior.

If a rule enters the check function like so:

ct state { new } tcp dport { 22 } accept

But nft list outputs an equivalent rule without braces:

ct state new tcp dport 22 accept

When the check function compares the rule definition against this output, it fails to recognize that both versions are equivalent because of the presence or absence of braces.

Steps to Reproduce the behavior
Just run this SLS file multiple times.

filter:
  nftables.table_present:
    - family: ip

input:
  nftables.chain_present:
    - family: ip
    - table: filter

openssh:
  nftables.append:
    - table: filter
    - chain: input
    - jump: accept
    - match: state
    - connstate: new
    - dport: 22
    - proto: tcp
    - save: true

output:
  nftables.chain_present:
    - family: ip
    - table: filter

Expected behavior
The check function should identify that both rule formats are equivalent and not attempt to re-add the rule.

Versions Report

salt --versions-report
Salt Version:
          Salt: 3006.9
 
Python Version:
        Python: 3.10.14 (main, Jun 26 2024, 11:44:37) [GCC 11.2.0]
 
Dependency Versions:
          cffi: 1.14.6
      cherrypy: 18.6.1
  cryptography: 42.0.5
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.4
       libgit2: Not Installed
  looseversion: 1.0.2
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 22.0
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.19.1
        pygit2: Not Installed
  python-gnupg: 0.4.8
        PyYAML: 6.0.1
         PyZMQ: 23.2.0
        relenv: 0.17.0
         smmap: Not Installed
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.4
 
System Versions:
          dist: rhel 9.5 Plow
        locale: utf-8
       machine: x86_64
       release: 5.14.0-503.15.1.el9_5.x86_64
        system: Linux
       version: Red Hat Enterprise Linux 9.5 Plow

Additional context
State modules relying on the check function repeatedly add the rule, resulting in non-idempotent behavior.
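The comparison the issue describes can be made idempotent by canonicalising both rule strings before comparing them. The following is an added example, not code from the Salt project or from the issue author: it collapses whitespace, drops the braces nft omits around a single-element set, and (going a step beyond the issue's case) normalises the spacing and member order of multi-element sets, since nft set members are unordered. `normalize_rule`, `rules_equivalent` and `check_rule` are hypothetical names, and the `nft list` output below is constructed from the rule shown in the issue.

```python
import re

# Constructed sample: the rule as the state module builds it, and the
# equivalent rule as `nft list` prints it (both taken from the issue text).
RULE_FROM_STATE = "ct state { new } tcp dport { 22 } accept"
RULE_FROM_NFT = "ct state new tcp dport 22 accept"

# Constructed `nft list` output containing the brace-less form of the rule.
NFT_LIST_OUTPUT = """\
table ip filter {
\tchain input {
\t\tct state new tcp dport 22 accept
\t}
}
"""

# `{ 22 }` -> one member, no comma, no nested braces.
_SINGLETON_SET = re.compile(r"\{\s*([^{},\s]+)\s*\}")
# `{ 80, 22 }` -> at least one comma between the braces.
_MULTI_SET = re.compile(r"\{\s*([^{}]*,[^{}]*)\s*\}")


def _canonical_multi_set(match: re.Match) -> str:
    """Rewrite `{b,a}` / `{ b , a }` as `{ a, b }` (sorted, single spacing)."""
    members = sorted(m.strip() for m in match.group(1).split(",") if m.strip())
    return "{ " + ", ".join(members) + " }"


def normalize_rule(rule: str) -> str:
    """Return a canonical form of an nft rule string for comparison.

    Steps (hypothetical normaliser, not Salt's own logic):
      1. collapse runs of whitespace, including leading tabs from `nft list`;
      2. canonicalise multi-element sets: `{ 80,22 }` -> `{ 22, 80 }`;
      3. drop the optional braces around single-element sets, which
         `nft list` prints without braces: `{ 22 }` -> `22`.
    """
    rule = " ".join(rule.split())
    rule = _MULTI_SET.sub(_canonical_multi_set, rule)
    rule = _SINGLETON_SET.sub(r"\1", rule)
    return rule


def rules_equivalent(a: str, b: str) -> bool:
    """True when two rule strings differ only in whitespace or optional braces."""
    return normalize_rule(a) == normalize_rule(b)


def check_rule(rule: str, nft_list_output: str) -> bool:
    """Return True if an equivalent rule already appears in `nft list` output.

    This is the comparison an idempotent check function needs: match on the
    normalised form of each line rather than on the raw string.
    """
    wanted = normalize_rule(rule)
    return any(normalize_rule(line) == wanted for line in nft_list_output.splitlines())


if __name__ == "__main__":
    print("state rule :", normalize_rule(RULE_FROM_STATE))
    print("nft rule   :", normalize_rule(RULE_FROM_NFT))
    print("equivalent :", rules_equivalent(RULE_FROM_STATE, RULE_FROM_NFT))
    print("already present in nft list:", check_rule(RULE_FROM_STATE, NFT_LIST_OUTPUT))
```

With this kind of normalisation applied on both sides, the rule from the SLS file above matches the brace-less line that `nft list` prints, so a second run of the state no longer appends a duplicate rule. Braces are only stripped when the set has exactly one member; `{ 22, 80 }` keeps them, as nft requires.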
