
[BUG] nftables module check function doesn't understand that braces are optional #67078

Open
nicholasmhughes opened this issue Nov 29, 2024 · 0 comments · May be fixed by #67079
Bug broken, incorrect, or confusing behavior

@nicholasmhughes
Collaborator

Description
The nftables module's check function does not handle optional braces in the output of the nft list command, causing non-idempotent behavior.

If a rule enters the check function like so:

ct state { new } tcp dport { 22 } accept

But nft list outputs an equivalent rule without braces:

ct state new tcp dport 22 accept

When the check function compares the rule definitions, it fails to recognize that both versions are equivalent because of the presence or absence of braces.

Steps to Reproduce the behavior
Just run this SLS file multiple times.

filter:
  nftables.table_present:
    - family: ip

input:
  nftables.chain_present:
    - family: ip
    - table: filter

openssh:
  nftables.append:
    - table: filter
    - chain: input
    - jump: accept
    - match: state
    - connstate: new
    - dport: 22
    - proto: tcp
    - save: true

output:
  nftables.chain_present:
    - family: ip
    - table: filter

Expected behavior
The check function should identify that both rule formats are equivalent and not attempt to re-add the rule.

Versions Report

Salt Version:
          Salt: 3006.9
 
Python Version:
        Python: 3.10.14 (main, Jun 26 2024, 11:44:37) [GCC 11.2.0]
 
Dependency Versions:
          cffi: 1.14.6
      cherrypy: 18.6.1
  cryptography: 42.0.5
      dateutil: 2.8.1
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.4
       libgit2: Not Installed
  looseversion: 1.0.2
      M2Crypto: Not Installed
          Mako: Not Installed
       msgpack: 1.0.2
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 22.0
     pycparser: 2.21
      pycrypto: Not Installed
  pycryptodome: 3.19.1
        pygit2: Not Installed
  python-gnupg: 0.4.8
        PyYAML: 6.0.1
         PyZMQ: 23.2.0
        relenv: 0.17.0
         smmap: Not Installed
       timelib: 0.2.4
       Tornado: 4.5.3
           ZMQ: 4.3.4
 
System Versions:
          dist: rhel 9.5 Plow
        locale: utf-8
       machine: x86_64
       release: 5.14.0-503.15.1.el9_5.x86_64
        system: Linux
       version: Red Hat Enterprise Linux 9.5 Plow

Additional context
State modules relying on the check function repeatedly add the rule, resulting in non-idempotent behavior.
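The comparison failure described in this report, as an added example that is not Salt's own nftables module code: a normalizer that collapses single-element anonymous sets (`{ 22 }` to `22`) before comparing a requested rule against `nft list` output, so the two spellings are recognized as the same rule. The function names and the sample `nft list` output are constructed for illustration.

```python
import re

# Constructed sample of `nft list ruleset` output for the SLS above: nft
# prints the rule without braces even though it was added with them.
NFT_LIST_OUTPUT = """\
table ip filter {
\tchain input {
\t\tct state new tcp dport 22 accept
\t}
}
"""


def normalize_nft_rule(rule: str) -> str:
    """Canonicalize an nft rule string so optional braces do not matter.

    A single-element anonymous set `{ x }` becomes `x`; a multi-element set
    keeps its braces but gets sorted elements and uniform spacing (nft sets
    are unordered, so element order is not significant).
    """

    def _collapse(match: re.Match) -> str:
        items = [i.strip() for i in match.group(1).split(",") if i.strip()]
        if len(items) == 1:
            return items[0]
        return "{ " + ", ".join(sorted(items)) + " }"

    # Anonymous sets do not nest, so a single non-greedy pass is enough.
    rule = re.sub(r"\{([^{}]*)\}", _collapse, rule)
    # Collapse runs of whitespace so indentation/tabs from nft output vanish.
    return " ".join(rule.split())


def rules_equivalent(requested: str, listed: str) -> bool:
    """True when two rule spellings describe the same nft rule."""
    return normalize_nft_rule(requested) == normalize_nft_rule(listed)


def check_rule_present(rule: str, nft_output: str) -> bool:
    """Idempotent check: is `rule` already in the given nft list output?"""
    return any(rules_equivalent(rule, line) for line in nft_output.splitlines())


if __name__ == "__main__":
    wanted = "ct state { new } tcp dport { 22 } accept"
    print(wanted in NFT_LIST_OUTPUT)              # naive substring check: False
    print(check_rule_present(wanted, NFT_LIST_OUTPUT))  # normalized check: True
```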

@nicholasmhughes nicholasmhughes added Bug broken, incorrect, or confusing behavior needs-triage and removed needs-triage labels Nov 29, 2024
@nicholasmhughes nicholasmhughes self-assigned this Nov 29, 2024
nicholasmhughes added a commit to nicholasmhughes/salt that referenced this issue Nov 29, 2024