Ensure when we're adding chunks to the rules when running aggregation we use a copy of the chunk otherwise we end up with a recursive mess. Updating mod_aggregate test to use real data.

2025-04-16 09:40:20 +00:00 · 2022-12-06 14:22:47 -08:00 · 2022-12-06 14:22:47 -08:00 · fa4f9ffe65
commit fa4f9ffe65
parent b84e72a51c
2 changed files with 131 additions and 4 deletions
--- a/salt/states/iptables.py
+++ b/salt/states/iptables.py
@ -245,6 +245,8 @@ Example rules for IPSec policy:
    output of iptables-save. This may have unintended consequences on legacy
    releases of ``iptables``.
 """
+import copy
+
 from salt.state import STATE_INTERNAL_KEYWORDS as _STATE_INTERNAL_KEYWORDS


@ -432,6 +434,8 @@ def append(name, table="filter", family="ipv4", **kwargs):
        ret["comment"] = "\n".join(comments)
        return ret

+    if "__agg__" in kwargs:
+        del kwargs["__agg__"]
    for ignore in _STATE_INTERNAL_KEYWORDS:
        if ignore in kwargs:
            del kwargs[ignore]
@ -892,7 +896,7 @@ def mod_aggregate(low, chunks, running):
                continue

            if chunk not in rules:
-                rules.append(chunk)
+                rules.append(copy.deepcopy(chunk))
                chunk["__agg__"] = True

    if rules:
--- a/tests/pytests/unit/states/test_iptables.py
+++ b/tests/pytests/unit/states/test_iptables.py
@ -6,12 +6,17 @@
 import pytest

 import salt.states.iptables as iptables
+import salt.utils.state as state_utils
 from tests.support.mock import MagicMock, patch


@pytest.fixture
 def configure_loader_modules():
-    return {iptables: {}}
+    return {
+        iptables: {
+            "__utils__": {"state.gen_tag": state_utils.gen_tag},
+        }
+    }


 def test_chain_present():
@ -606,6 +611,124 @@ def test_mod_aggregate():
    """
    Test to mod_aggregate function
    """
-    assert iptables.mod_aggregate({"fun": "salt"}, [], []) == {"fun": "salt"}
+    low = {
+        "state": "iptables",
+        "name": "accept_local_interface",
+        "__sls__": "iptables",
+        "__env__": "base",
+        "__id__": "append_accept_local_interface",
+        "table": "filter",
+        "chain": "INPUT",
+        "in-interface": "lo",
+        "jump": "ACCEPT",
+        "save": True,
+        "order": 10000,
+        "fun": "append",
+    }

-    assert iptables.mod_aggregate({"fun": "append"}, [], []) == {"fun": "append"}
+    chunks = [
+        {
+            "state": "iptables",
+            "name": "accept_local_interface",
+            "__sls__": "iptables",
+            "__env__": "base",
+            "__id__": "append_accept_local_interface",
+            "table": "filter",
+            "chain": "INPUT",
+            "in-interface": "lo",
+            "jump": "ACCEPT",
+            "save": True,
+            "order": 10000,
+            "fun": "append",
+        },
+        {
+            "state": "iptables",
+            "name": "append_accept_loopback_output",
+            "__sls__": "iptables",
+            "__env__": "base",
+            "__id__": "append_accept_loopback_output",
+            "table": "filter",
+            "chain": "OUTPUT",
+            "out-interface": "lo",
+            "jump": "ACCEPT",
+            "save": True,
+            "order": 10001,
+            "fun": "append",
+        },
+        {
+            "state": "iptables",
+            "name": "append_drop_non_loopback",
+            "__sls__": "iptables",
+            "__env__": "base",
+            "__id__": "append_drop_non_loopback",
+            "table": "filter",
+            "chain": "INPUT",
+            "source": "127.0.0.0/8",
+            "jump": "DROP",
+            "save": True,
+            "order": 10002,
+            "fun": "append",
+        },
+    ]
+
+    expected = {
+        "state": "iptables",
+        "name": "accept_local_interface",
+        "__sls__": "iptables",
+        "__env__": "base",
+        "__id__": "append_accept_local_interface",
+        "table": "filter",
+        "chain": "INPUT",
+        "in-interface": "lo",
+        "jump": "ACCEPT",
+        "save": True,
+        "order": 10000,
+        "fun": "append",
+        "rules": [
+            {
+                "state": "iptables",
+                "name": "accept_local_interface",
+                "__sls__": "iptables",
+                "__env__": "base",
+                "__id__": "append_accept_local_interface",
+                "table": "filter",
+                "chain": "INPUT",
+                "in-interface": "lo",
+                "jump": "ACCEPT",
+                "save": True,
+                "order": 10000,
+                "fun": "append",
+            },
+            {
+                "state": "iptables",
+                "name": "append_accept_loopback_output",
+                "__sls__": "iptables",
+                "__env__": "base",
+                "__id__": "append_accept_loopback_output",
+                "table": "filter",
+                "chain": "OUTPUT",
+                "out-interface": "lo",
+                "jump": "ACCEPT",
+                "save": True,
+                "order": 10001,
+                "fun": "append",
+            },
+            {
+                "state": "iptables",
+                "name": "append_drop_non_loopback",
+                "__sls__": "iptables",
+                "__env__": "base",
+                "__id__": "append_drop_non_loopback",
+                "table": "filter",
+                "chain": "INPUT",
+                "source": "127.0.0.0/8",
+                "jump": "DROP",
+                "save": True,
+                "order": 10002,
+                "fun": "append",
+            },
+        ],
+    }
+
+    res = iptables.mod_aggregate(low, chunks, {})
+    assert res == expected