Fix check mode in iptables_state for incomplete iptables-save files along with integration tests #8029
+104
−18
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Ok, a58bc16 can reproduce the issue described. Incomplete iptables save files are not handled properly in check mode. |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
1 task
changelogs/fragments/8029-iptables-state-restore-check-mode.yml
Outdated
Show resolved
Hide resolved
|
Fixed as suggested and removed the additional return value introduced. I'll make an additional PR against master to readd that once this PR is merged, as it depends on the changes made here. |
Backport to stable-7: 💚 backport PR created✅ Backport PR branch: Backported as #8136 🤖 @patchback |
|
@Maxopoly thanks for your contribution! |
patchback bot
pushed a commit
that referenced
this pull request
Mar 24, 2024
…long with integration tests (#8029) * Implement integration test to reproduce #7463 * Make new iptables_state checks async * Add missing commit to iptable_state integration test * Remove async when using checkmode in iptables_state integration tests * Do per table comparison in check mode for iptables_state * Calculate changes of iptables state per table based on result * Output target iptables state in checkmode * Refactor calculation of invidual table states in iptables_state * Add missing return for table calculation * Add missing arg to regex check * Remove leftover debug output for target iptable state * Parse per table state from raw state string * Join restored state for extration of table specific rules * Switch arguments for joining restored iptable state * Output final ip table state * Compare content of tables * Complete iptables partial tables test cases * Correct order of test iptables data * Update docu for iptables tables_after * Add changelog fragment * Appease the linting gods for iptables_state * Adjust spelling and remove tables_after from return values (cherry picked from commit 23396e6)
Backport to stable-8: 💚 backport PR created✅ Backport PR branch: Backported as #8137 🤖 @patchback |
patchback bot
pushed a commit
that referenced
this pull request
Mar 24, 2024
…long with integration tests (#8029) * Implement integration test to reproduce #7463 * Make new iptables_state checks async * Add missing commit to iptable_state integration test * Remove async when using checkmode in iptables_state integration tests * Do per table comparison in check mode for iptables_state * Calculate changes of iptables state per table based on result * Output target iptables state in checkmode * Refactor calculation of invidual table states in iptables_state * Add missing return for table calculation * Add missing arg to regex check * Remove leftover debug output for target iptable state * Parse per table state from raw state string * Join restored state for extration of table specific rules * Switch arguments for joining restored iptable state * Output final ip table state * Compare content of tables * Complete iptables partial tables test cases * Correct order of test iptables data * Update docu for iptables tables_after * Add changelog fragment * Appease the linting gods for iptables_state * Adjust spelling and remove tables_after from return values (cherry picked from commit 23396e6)
felixfontein
pushed a commit
that referenced
this pull request
Mar 24, 2024
…te for incomplete iptables-save files along with integration tests (#8136) Fix check mode in iptables_state for incomplete iptables-save files along with integration tests (#8029) * Implement integration test to reproduce #7463 * Make new iptables_state checks async * Add missing commit to iptable_state integration test * Remove async when using checkmode in iptables_state integration tests * Do per table comparison in check mode for iptables_state * Calculate changes of iptables state per table based on result * Output target iptables state in checkmode * Refactor calculation of invidual table states in iptables_state * Add missing return for table calculation * Add missing arg to regex check * Remove leftover debug output for target iptable state * Parse per table state from raw state string * Join restored state for extration of table specific rules * Switch arguments for joining restored iptable state * Output final ip table state * Compare content of tables * Complete iptables partial tables test cases * Correct order of test iptables data * Update docu for iptables tables_after * Add changelog fragment * Appease the linting gods for iptables_state * Adjust spelling and remove tables_after from return values (cherry picked from commit 23396e6) Co-authored-by: Maxopoly <max@dermax.org>
felixfontein
pushed a commit
that referenced
this pull request
Mar 24, 2024
…te for incomplete iptables-save files along with integration tests (#8137) Fix check mode in iptables_state for incomplete iptables-save files along with integration tests (#8029) * Implement integration test to reproduce #7463 * Make new iptables_state checks async * Add missing commit to iptable_state integration test * Remove async when using checkmode in iptables_state integration tests * Do per table comparison in check mode for iptables_state * Calculate changes of iptables state per table based on result * Output target iptables state in checkmode * Refactor calculation of invidual table states in iptables_state * Add missing return for table calculation * Add missing arg to regex check * Remove leftover debug output for target iptable state * Parse per table state from raw state string * Join restored state for extration of table specific rules * Switch arguments for joining restored iptable state * Output final ip table state * Compare content of tables * Complete iptables partial tables test cases * Correct order of test iptables data * Update docu for iptables tables_after * Add changelog fragment * Appease the linting gods for iptables_state * Adjust spelling and remove tables_after from return values (cherry picked from commit 23396e6) Co-authored-by: Maxopoly <max@dermax.org>
Massl123
pushed a commit
to Massl123/community.general
that referenced
this pull request
Feb 7, 2025
…long with integration tests (ansible-collections#8029) * Implement integration test to reproduce ansible-collections#7463 * Make new iptables_state checks async * Add missing commit to iptable_state integration test * Remove async when using checkmode in iptables_state integration tests * Do per table comparison in check mode for iptables_state * Calculate changes of iptables state per table based on result * Output target iptables state in checkmode * Refactor calculation of invidual table states in iptables_state * Add missing return for table calculation * Add missing arg to regex check * Remove leftover debug output for target iptable state * Parse per table state from raw state string * Join restored state for extration of table specific rules * Switch arguments for joining restored iptable state * Output final ip table state * Compare content of tables * Complete iptables partial tables test cases * Correct order of test iptables data * Update docu for iptables tables_after * Add changelog fragment * Appease the linting gods for iptables_state * Adjust spelling and remove tables_after from return values
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SUMMARY
Fixes #7463
ISSUE TYPE
COMPONENT NAME
iptables_state
ADDITIONAL INFORMATION
This PR first attempted to reproduce the behavior observed in #7463 through integration tests. iptables-save doesn't work in docker, so this was tested against the azure pipeline through this PR, please excuse the commit spam.
a58bc16 was able reproduce the issue in #7463 based on incomplete iptables-save files. Initially, all tables are empty and uninitialized, which will make iptables-save return nothing for them.
For example when creating a nat rule and then deleting it, an output of iptables-save may look like this:
while one on a new container/machine which has never had a nat rule will look like this:
This broke the existing check_mode checks, which did simple string comparison. Most likely there were also edge cases outside of check mode in regards to uninitialized tables of existing iptables-save dumps, which would report changes when restoring them, despite nothing changing. This is only the case for iptables-save files created through means other than this module.
To circument this I implemented parsing of iptables-save dumps into a simple data structure based on preexisting code. If a table currently has some kind of state (including rules) but is not referenced in the iptables-save dump, it will not be touched by iptables-restore and now handled properly by this module.
I also added the tables
tables_afterafter restoring as a data structure, similar to the already existing statetablesbefore running the module