Description
The nftables module's check function does not handle optional braces in the output of the nft list command, causing non-idempotent behavior.
If a rule enters the check function like so:
ct state { new } tcp dport { 22 } accept
But nft list outputs an equivalent rule without braces:
ct state new tcp dport 22 accept
When the check function compares the two rule definitions as plain text, it fails to recognize that both versions are equivalent, because one carries braces and the other does not.
Steps to Reproduce the behavior
Just run this SLS file multiple times.
Expected behavior
The check function should identify that both rule formats are equivalent and not attempt to re-add the rule.
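As an added illustration of the expected behaviour (this is example code, not the Salt nftables module's own check function or anything from the reporter), the Python below normalises an nft rule string before comparing it with `nft list` output. Single-element anonymous sets lose their braces, since nft prints `{ 22 }` as `22`; multi-element sets keep their braces but get canonical spacing. The sample `nft list` output is constructed for the example, not taken from the reporter's system.

```python
import re

# Matches one anonymous set such as "{ 22 }" or "{22, 80}". Nested sets are
# not handled; the rules in the report are flat, which is what this covers.
_ANON_SET = re.compile(r"\{([^{}]*)\}")


def _canonical_set(match: re.Match) -> str:
    elements = [e.strip() for e in match.group(1).split(",") if e.strip()]
    if len(elements) == 1:
        # nft prints a single-element anonymous set without braces,
        # so "{ 22 }" and "22" mean the same thing.
        return elements[0]
    # Keep braces for real sets, but canonicalise the spacing.
    return "{ " + ", ".join(elements) + " }"


def normalize_nft_rule(rule: str) -> str:
    """Return a canonical string for an nft rule.

    "ct state { new } tcp dport { 22 } accept" and
    "ct state new tcp dport 22 accept" normalise to the same value.
    """
    rule = _ANON_SET.sub(_canonical_set, rule)
    # Collapse repeated whitespace and drop the indentation nft list adds.
    return " ".join(rule.split())


def rules_equivalent(a: str, b: str) -> bool:
    return normalize_nft_rule(a) == normalize_nft_rule(b)


def rule_exists(rule: str, nft_list_output: str) -> bool:
    """Idempotent check: is `rule` already present in `nft list` output?

    Each output line is compared in normalised form rather than as raw
    text, so an optional-brace difference does not cause a re-add.
    """
    wanted = normalize_nft_rule(rule)
    return any(
        normalize_nft_rule(line) == wanted
        for line in nft_list_output.splitlines()
        if line.strip()
    )


# Constructed sample in the shape of `nft list chain inet filter input`;
# not captured from any real host.
SAMPLE_NFT_LIST = """\
table inet filter {
\tchain input {
\t\ttype filter hook input priority filter; policy drop;
\t\tct state new tcp dport 22 accept
\t\ttcp dport { 80, 443 } accept
\t}
}
"""

if __name__ == "__main__":
    desired = "ct state { new } tcp dport { 22 } accept"
    # A raw substring test misses the rule; the normalised check finds it.
    print("raw match:       ", desired in SAMPLE_NFT_LIST)
    print("normalised match:", rule_exists(desired, SAMPLE_NFT_LIST))
```

Running the script shows the raw substring comparison reporting the rule as absent while the normalised comparison reports it as present, which is the difference between re-adding the rule on every state run and leaving it alone.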
Versions Report
salt --versions-report
(Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)
Salt Version:
          Salt: 3006.9

Python Version:
        Python: 3.10.14 (main, Jun 26 2024, 11:44:37) [GCC 11.2.0]

Dependency Versions:
          cffi: 1.14.6
      cherrypy: 18.6.1
  cryptography: 42.0.5
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.4
       libgit2: Not Installed
  looseversion: 1.0.2
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 22.0
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.19.1
        pygit2: Not Installed
  python-gnupg: 0.4.8
        PyYAML: 6.0.1
         PyZMQ: 23.2.0
        relenv: 0.17.0
         smmap: Not Installed
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.4

System Versions:
          dist: rhel 9.5 Plow
        locale: utf-8
       machine: x86_64
       release: 5.14.0-503.15.1.el9_5.x86_64
        system: Linux
       version: Red Hat Enterprise Linux 9.5 Plow
Additional context
State modules relying on the check function repeatedly add the rule, resulting in non-idempotent behavior.