
[3007.x] Fix/add nftables icmpv6 support #67884


Merged (5 commits) Jun 25, 2025

Conversation

jdelic (Contributor) commented Mar 17, 2025

What does this PR do?

Fixes #67882

The nftables state just sends its kwargs to the nftables module. This in turn is currently missing support for ipv6 icmp packet types (icmpv6). This means that currently Salt cannot configure a firewall in such a way that it allows pings, for example. This small patch remedies that.

Previous Behavior

The following was impossible:

icmp-recv-ipv4:
    nftables.append:
        - table: filter
        - family: ip4
        - chain: input
        - jump: accept
        - proto: icmp
        - icmp-type: echo-reply,destination-unreachable,source-quench,redirect,echo-request,time-exceeded,parameter-problem,timestamp-request,timestamp-reply,info-request,info-reply,address-mask-request,address-mask-reply,router-advertisement,router-solicitation
        - order: 4
        - save: True
        - require:
            - pkg: nftables


icmp-recv-ipv6:
    nftables.append:
        - table: filter
        - family: ip6
        - chain: input
        - jump: accept
        - proto: icmp
        # This wasn't supported until now --v
        - icmpv6-type: echo-reply,echo-request,nd-router-advert,nd-neighbor-solicit,nd-neighbor-advert
        - order: 4
        - save: True
        - require:
            - pkg: nftables

New Behavior

The above works now.

Merge requirements satisfied?

[NOTICE] Bug fixes or features added to Salt require tests.

I have not added any test for the above.

  1. The current icmp-type functionality is untested
  2. The current tests don't really test anything. They test that the module returns a state comment which fits the expectation and mock cmd.run. So nft is never executed by the tests, so you'd never know if any of this code produced an invalid rule. I do not have the time to contribute to Salt to essentially rewrite the nftables module, so this will have to live without tests.
  3. The current documentation isn't really explaining the list of available parameters from the module. Neither does the module. Both need improvement, as do the tests, but this PR is about simply adding support for icmpv6.

Commits signed with GPG?

Yes

@jdelic jdelic requested a review from a team as a code owner March 17, 2025 14:10
@jdelic jdelic mentioned this pull request Mar 17, 2025
@jdelic jdelic changed the title Fix/add nftables icmpv6 support [3007.x] Fix/add nftables icmpv6 support Mar 17, 2025
@jdelic jdelic force-pushed the fix/add-nftables-icmpv6-support branch from 4b40a25 to 7416cf3 March 17, 2025 14:21
@jdelic jdelic force-pushed the fix/add-nftables-icmpv6-support branch from b58fd24 to 5dc26bf March 17, 2025 14:24
twangboy (Contributor) left a comment

Please write a test for this

@dmurphy18 dmurphy18 added this to the Chlorine v3007.2 milestone Mar 26, 2025
jdelic (Contributor, Author) commented Mar 26, 2025

> Please write a test for this

I explained in the PR description why I didn't. That argument still stands.

dmurphy18 (Contributor) commented
@jdelic Regardless of opinions, if you change code, you write a test to check that code, unless there is already a test which covers the change. This rule applies to the core team too.
Just because some test doesn't already exist is no excuse to not write a test.

In the past, before 2019, Salt would allow code to be merged after code review without tests being written for it, and this led to a mess, hence since 2019, all code changes require tests, and tests using pytest. Using mock can test the code without having to have an actual VM up etc., noting even simple unnoticed typos parsing a kwarg can trip code up.
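Worked example added here, not Salt's nftables module and not the PR author's code: a minimal Python builder that turns the state-style kwargs used in the description above (table, family, chain, proto, icmp-type, icmpv6-type, jump) into the argv for `nft add rule`, with a runner hook so the translation can be checked by a fake runner instead of a live nft, which is the mock-based testing dmurphy18 describes. The names build_rule/add_rule, the family alias table, the acceptance of `proto: icmp` as shorthand for icmpv6 in an ip6 table, and the strict/lenient switch are assumptions of this example. The lenient path shows the hazard of a builder that does not know a selector: the type match silently disappears and the resulting rule accepts more traffic than the state declared.

```python
"""Added example (not Salt's code): kwargs -> `nft add rule` argv builder.

Function names, the alias tables and the strict/lenient switch are
assumptions made for illustration.  nft syntax used: `icmp type { ... }`
for ICMP and `icmpv6 type { ... }` for ICMPv6; both pin the L4 protocol.
"""

import subprocess
from typing import Callable, Optional, Sequence

# Family spellings accepted here (assumed alias table) -> nft family name.
FAMILIES = {"ip": "ip", "ip4": "ip", "ipv4": "ip",
            "ip6": "ip6", "ipv6": "ip6", "inet": "inet"}

# type selector -> (nft protocol keyword, accepted `proto` spellings, families).
# `icmp` is accepted alongside icmpv6-type as the ip6 state above spells it,
# and normalised to nft's `icmpv6` (assumption of this example).
TYPE_SELECTORS = {
    "icmp-type": ("icmp", {"icmp"}, ("ip", "inet")),
    "icmpv6-type": ("icmpv6", {"icmp", "icmpv6", "ipv6-icmp"}, ("ip6", "inet")),
}

# Selector table of a builder that predates icmpv6 support, for comparison.
LEGACY_SELECTORS = {"icmp-type": TYPE_SELECTORS["icmp-type"]}


def _type_set(value: str) -> str:
    """'echo-request,echo-reply' -> '{ echo-request, echo-reply }'"""
    types = [t.strip() for t in value.split(",") if t.strip()]
    if not types:
        raise ValueError("empty ICMP type list")
    return "{ " + ", ".join(types) + " }"


def build_rule(selectors=TYPE_SELECTORS, strict=True, **kwargs) -> list:
    """Return the token list that follows `nft add rule`.

    strict=True rejects any kwarg the builder does not understand.
    strict=False mimics a builder that silently drops unknown kwargs, which
    is how a missing selector turns into a broader rule than the state asked for.
    """
    kwargs = dict(kwargs)
    family = FAMILIES[kwargs.pop("family", "ipv4")]
    table = kwargs.pop("table")
    chain = kwargs.pop("chain")
    jump = kwargs.pop("jump", "accept")
    proto = kwargs.pop("proto", None)

    match = []
    used = [k for k in selectors if k in kwargs]
    if len(used) > 1:
        raise ValueError(f"conflicting type selectors: {used}")
    if used:
        key = used[0]
        nft_proto, proto_ok, families = selectors[key]
        if family not in families:
            raise ValueError(f"{key} is not valid in family {family}")
        if proto is not None and proto not in proto_ok:
            raise ValueError(f"proto {proto!r} conflicts with {key}")
        # `icmp type` / `icmpv6 type` already imply the protocol in nft.
        match += [nft_proto, "type", _type_set(kwargs.pop(key))]
    elif proto is not None:
        match += ["meta", "l4proto", proto]

    if kwargs:
        if strict:
            raise ValueError(f"unsupported rule options: {sorted(kwargs)}")
        # lenient: leftover options are dropped on the floor (the failure mode)
    return [family, table, chain, *match, jump]


def add_rule(runner: Optional[Callable[[Sequence[str]], object]] = None,
             **kwargs) -> list:
    """Build the rule and hand the full argv to `runner`.

    The default runner executes nft via subprocess; a test passes a fake
    runner (e.g. a list's append) and inspects the argv that would have run.
    """
    argv = ["nft", "add", "rule", *build_rule(**kwargs)]
    if runner is None:
        runner = lambda a: subprocess.run(a, check=True).returncode
    runner(argv)
    return argv


if __name__ == "__main__":
    captured = []
    print(add_rule(runner=captured.append, family="ip6", table="filter",
                   chain="input", proto="icmp",
                   **{"icmpv6-type": "echo-request,echo-reply"}))
```

With the legacy selector table and strict=False the ip6 state from the description collapses to `ip6 filter input accept`, which is why an unknown kwarg should be an error rather than a no-op.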

twangboy
twangboy previously approved these changes Mar 27, 2025
@twangboy twangboy added this to the Chlorine v3007.4 milestone Jun 6, 2025
@twangboy twangboy removed the merge-conflict (PR has a merge conflict), needs-testcase (PR needs test cases written, or the issue is about a bug/feature that needs test cases) and needs-changelog labels Jun 11, 2025
@dwoz dwoz force-pushed the fix/add-nftables-icmpv6-support branch from 51725b6 to 9964d4e June 25, 2025 08:16
@dwoz dwoz merged commit aeeb660 into saltstack:3007.x Jun 25, 2025
2 checks passed
Labels
test:full (Run the full test suite)

4 participants