Fix broken negation in iptables

Introduced in 7c6ff77c and released with 2017.7.
2024-11-07 17:09:03 +00:00 · 2017-08-16 10:30:45 -07:00 · 2017-08-16 10:30:45 -07:00 · 1a987cb948
commit 1a987cb948
parent f9b4976c02
2 changed files with 7 additions and 1 deletions
--- a/salt/modules/iptables.py
+++ b/salt/modules/iptables.py
@ -493,8 +493,11 @@ def build_rule(table='filter', chain=None, command=None, position='', full=None,
                after_jump.append('--{0} {1}'.format(after_jump_argument, value))
            del kwargs[after_jump_argument]

-    for key, value in kwargs.items():
+    for key in kwargs:
        negation = maybe_add_negation(key)
+        # don't use .items() since maybe_add_negation removes the prefix from
+        # the value in the kwargs, thus we need to fetch it after that has run
+        value = kwargs[key]
        flag = '-' if len(key) == 1 else '--'
        value = '' if value in (None, '') else ' {0}'.format(value)
        rule.append('{0}{1}{2}{3}'.format(negation, flag, key, value))
--- a/tests/unit/modules/test_iptables.py
+++ b/tests/unit/modules/test_iptables.py
@ -60,6 +60,9 @@ class IptablesTestCase(TestCase, LoaderModuleMockMixin):
            self.assertEqual(iptables.build_rule(**{'if': 'not eth0'}),
                             '! -i eth0')

+            self.assertEqual(iptables.build_rule(**{'proto': 'tcp', 'syn': '!'}),
+                            '-p tcp ! --syn')
+
            self.assertEqual(iptables.build_rule(dports=[80, 443], proto='tcp'),
                             '-p tcp -m multiport --dports 80,443')