diff --git a/changelog/66382.fixed.md b/changelog/66382.fixed.md
new file mode 100644
index 00000000000..15875838cff
--- /dev/null
+++ b/changelog/66382.fixed.md
@@ -0,0 +1 @@
+Fixed nftables.build_rule breaks ipv6 rules by using the wrong syntax for source and destination addresses
diff --git a/salt/modules/nftables.py b/salt/modules/nftables.py
index 347b03c0897..29479d10ddc 100644
--- a/salt/modules/nftables.py
+++ b/salt/modules/nftables.py
@@ -165,14 +165,18 @@ def build_rule(
         del kwargs["counter"]
 
     if "saddr" in kwargs or "source" in kwargs:
-        rule += "ip saddr {} ".format(kwargs.get("saddr") or kwargs.get("source"))
+        rule += "{} saddr {} ".format(
+            nft_family, kwargs.get("saddr") or kwargs.get("source")
+        )
         if "saddr" in kwargs:
             del kwargs["saddr"]
         if "source" in kwargs:
             del kwargs["source"]
 
     if "daddr" in kwargs or "destination" in kwargs:
-        rule += "ip daddr {} ".format(kwargs.get("daddr") or kwargs.get("destination"))
+        rule += "{} daddr {} ".format(
+            nft_family, kwargs.get("daddr") or kwargs.get("destination")
+        )
         if "daddr" in kwargs:
             del kwargs["daddr"]
         if "destination" in kwargs:
diff --git a/tests/pytests/unit/modules/test_nftables.py b/tests/pytests/unit/modules/test_nftables.py
index 855e7712e7f..8c866a52305 100644
--- a/tests/pytests/unit/modules/test_nftables.py
+++ b/tests/pytests/unit/modules/test_nftables.py
@@ -103,6 +103,26 @@ def test_build_rule():
         "comment": "Successfully built rule",
     }
 
+    assert nftables.build_rule(
+        table="filter",
+        chain="input",
+        family="ip6",
+        command="insert",
+        position="3",
+        full="True",
+        connstate="related,established",
+        saddr="::/0",
+        daddr="fe80:cafe::1",
+        jump="accept",
+    ) == {
+        "result": True,
+        "rule": (
+            "nft insert rule ip6 filter input position 3 ct state {"
+            " related,established } ip6 saddr ::/0 ip6 daddr fe80:cafe::1 accept"
+        ),
+        "comment": "Successfully built rule",
+    }
+
     assert nftables.build_rule() == {"result": True, "rule": "", "comment": ""}
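Review bot: The added `"{} saddr {} ".format(nft_family, ...)` and `"{} daddr {} ".format(nft_family, ...)` lines use the table family verbatim as the layer-3 match keyword, but nft only accepts `saddr`/`daddr` after `ip` or `ip6`; if `nft_family` can also be `inet` (or `bridge`/`netdev` — it is computed outside this hunk, so I cannot confirm which values it takes), the generated text becomes `inet saddr 10.0.0.1`, which nft rejects, whereas the old hard-coded `ip saddr` still worked for IPv4 rules in inet tables. A safer fix keeps the family only when it is a layer-3 one and otherwise infers it from the address literal: `addr = kwargs.get("saddr") or kwargs.get("source")`, `l3 = nft_family if nft_family in ("ip", "ip6") else ("ip6" if ":" in str(addr) else "ip")`, `rule += "{} saddr {} ".format(l3, addr)` (and the same for daddr). Because this is firewall rule text, a rejected rule fails closed at apply time rather than silently widening the policy, but a `family="inet"` case with one IPv4 and one IPv6 address in the unit test would pin the intended behaviour. `build_rule` starts and ends outside this hunk.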