[3007.x] Fix/add nftables icmpv6 support #67884
Please write a test for this
I explained in the PR description why I didn't. That argument still stands. |
@jdelic Regardless of opinions, if you change code, you write a test to check that code, unless there is already a test which covers the change. This rule applies to the core team too. In the past, before 2019, Salt would allow code to be merged after code review without tests being written for it, and this led to a mess; hence, since 2019, all code changes require tests, and tests using pytest. Using mock can test the code without having to have an actual VM up etc., noting that even a simple unnoticed typo parsing a kwarg can trip code up.
@dmurphy18 For example, the first test for

```python
from unittest.mock import MagicMock, patch

import salt.modules.nftables as nftables

mock_ret = {
    "result": False,
    "comment": "Table nat in family ipv4 does not exist",
}
with patch("salt.modules.nftables.check_table", MagicMock(return_value=mock_ret)):
    ret = nftables.delete_table(table="nat")
    assert ret == {
        "result": False,
        "comment": "Table nat in family ipv4 does not exist",
    }
```

This looks very involved, but all it does is check that this code

```python
res = check_table(table, family=family)
if not res["result"]:
    return res
```

which thanks to mocking translates to:

```python
if not False:
    return mock_ret
```

works. My personal opinion is that this type of testing is problematic in any project, but as an OSS project (of a 51 billion USD p.a. company no less), demanding it from the community is a bad way to deal with free labor provided by the community. The test I now added is exactly this sequence of code every time:

```python
ret = {"comment": "", "rule": "", "result": False}
rule = ""
rule += "icmpv6 type { echo-reply,echo-response } "
after_jump = ["accept "]
for item in after_jump:
    rule += item
ret["rule"] = "{} {} rule {} {} {} {}".format(
    "/usr/sbin/nft", "add", "ip6", "filter", "input", rule
)
assert ret["rule"].strip() == "/usr/sbin/nft add rule ip6 filter input icmpv6 type { echo-reply,echo-response } accept"
```

Like every other test in the module, it will deterministically detect if Python's string assignment or comparison operators ever stop working, or if someone changes the order of format arguments in line 300. Regardless of whether that breaks actual nftables or not. As I noted in the PR description I can't contribute the time to rearchitect the nftables tests to a point where they would serve as actual tests, so this will have to do. 🚀
Wondering if you can use a few other icmpv6-type too
@@ -156,6 +156,10 @@ def build_rule( | |||
rule += "icmp type {{ {0} }} ".format(kwargs["icmp-type"]) | |||
del kwargs["icmp-type"] | |||
|
|||
if "icmpv6-type" in kwargs: | |||
rule += "icmpv6 type {{ {0} }} ".format(kwargs["icmpv6-type"]) |
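Review bot: the new branch splices kwargs["icmpv6-type"] into the rule string verbatim with no check on family, and the same is true of the icmp-type branch at the lines above; `icmpv6 type` is only meaningful in the ip6 and inet families, and since build_rule's output is later handed to cmd.run the value should be validated (for example against nft's documented icmpv6 type keywords) rather than trusted as-is. Also confirm that the fourth added line of this hunk, which is not visible here, is the matching `del kwargs["icmpv6-type"]`, so the kwarg is consumed the same way `del kwargs["icmp-type"]` consumes icmp-type above.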
This is better written using f-strings, using Python 3.10 as python version:

```python
rule += f"icmpv6 type {{ {kwargs['icmpv6-type']} }} "
```
@dmurphy18 I agree. But wouldn't it be much better to first make this small simple change and then later change all of the `.format`s in the file, instead of changing just one single instance or mixing this `.format` change in with this PR?
I'm surprised it wasn't caught by pre-commit
@jdelic Understand that sometimes mock tests only test the mock and are not real tests, hence I favor integration tests, unless that is too complicated a test situation to instantiate. Trying to get better tests, but now have very limited resources to do this compared to just over a year ago. Mock was a suggestion, but code changes require tests, and something is better than nothing, at times ;).
add changelog entry for 67882
newline at the end of changelog
What does this PR do?
Fixes #67882
The nftables state just passes its kwargs through to the nftables module, which currently lacks support for IPv6 ICMP packet types (icmpv6). As a result, Salt currently cannot configure a firewall so that it allows pings on IPv6, for example. This small patch remedies that.
Previous Behavior
The following was impossible:
New Behavior
The above works now.
Merge requirements satisfied?
[NOTICE] Bug fixes or features added to Salt require tests.
I have not added any test for the above. The existing tests mock `cmd.run`. So `nft` is never executed by the tests, so you'd never know if any of this code produced an invalid rule. I do not have the time to contribute to Salt to essentially rewrite the nftables module, so this will have to live without tests.
Commits signed with GPG?
Yes
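To make concrete what the PR adds and what the test discussion above is about, here is an added example (not Salt's code and not from this PR): a simplified, hypothetical stand-in for the icmpv6-type handling in build_rule that also validates the type names and the family before the string reaches a shell command, so a test can assert on rejected input rather than only on string equality. The `/usr/sbin/nft` path and the function signature are assumptions.

```python
"""Simplified stand-in (not Salt's code) for the icmpv6-type handling the PR
adds to salt.modules.nftables.build_rule, with validation the hunk lacks."""

NFT = "/usr/sbin/nft"  # constructed path; Salt resolves the real binary itself

# Subset of the keyword names nft accepts for the "icmpv6 type" match (nft(8)).
ICMPV6_TYPES = frozenset({
    "destination-unreachable", "packet-too-big", "time-exceeded",
    "parameter-problem", "echo-request", "echo-reply",
    "mld-listener-query", "mld-listener-report", "mld-listener-done",
    "nd-router-solicit", "nd-router-advert", "nd-neighbor-solicit",
    "nd-neighbor-advert", "nd-redirect", "router-renumbering",
})


def _type_set(value, allowed):
    """Accept 'a,b' or '{ a, b }' and return a validated nft set literal."""
    names = [n.strip() for n in value.strip().strip("{}").split(",") if n.strip()]
    bad = [n for n in names if n not in allowed]
    if not names or bad:
        raise ValueError(f"invalid icmpv6 type(s): {bad or value!r}")
    return "{ " + ", ".join(names) + " }"


def build_rule(table="filter", chain="input", family="ip6", command="add",
               jump="accept", **kwargs):
    """Return the nft command line; hyphenated kwargs are passed via **{...}."""
    rule = ""
    if "icmpv6-type" in kwargs:
        # The match only makes sense where an IPv6 header exists.
        if family not in ("ip6", "inet"):
            raise ValueError(f"icmpv6 type match is invalid in family {family!r}")
        rule += "icmpv6 type " + _type_set(kwargs.pop("icmpv6-type"), ICMPV6_TYPES) + " "
    if kwargs:
        # Unknown kwargs are rejected instead of being silently dropped.
        raise ValueError(f"unsupported arguments: {sorted(kwargs)}")
    rule += jump
    return f"{NFT} {command} rule {family} {table} {chain} {rule}"


def rejects(**kwargs):
    """True if build_rule refuses the arguments; handy for negative tests."""
    try:
        build_rule(**kwargs)
    except ValueError:
        return True
    return False
```

A test built on this can check that `echo-response` (not an nft keyword) and an IPv4 family are refused, which a pure string-equality test never exercises.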