Removing some unused functions from nftables module and state. Updating the versionadded to be Helium instead of Hydrogen. Updating docstrings to replace iptables with nftables syntax.

2024-11-08 01:18:58 +00:00 · 2014-03-18 11:07:14 -07:00 · 2014-03-18 11:07:14 -07:00 · 4a586baac9
commit 4a586baac9
parent 9f812e21d0
2 changed files with 28 additions and 85 deletions
--- a/salt/modules/nftables.py
+++ b/salt/modules/nftables.py
@ -80,16 +80,15 @@ def version():
 def build_rule(table=None, chain=None, command=None, position='', full=None, family='ipv4',
               **kwargs):
    '''
-    Build a well-formatted iptables rule based on kwargs. Long options must be
-    used (`--jump` instead of `-j`) because they will have the `--` added to
-    them. A `table` and `chain` are not required, unless `full` is True.
+    Build a well-formatted nftables rule based on kwargs.
+    A `table` and `chain` are not required, unless `full` is True.

    If `full` is `True`, then `table`, `chain` and `command` are required.
-    `command` may be specified as either a short option ('I') or a long option
-    (`--insert`). This will return the iptables command, exactly as it would
+    `command` may be specified as either insert, append, or delete.
+    This will return the nftables command, exactly as it would
    be used from the command line.

-    If a position is required (as with `-I` or `-D`), it may be specified as
+    If a position is required (as with `insert` or `delete`), it may be specified as
    `position`. This will only be useful if `full` is True.

    If `connstate` is passed in, it will automatically be changed to `state`.
@ -98,17 +97,17 @@ def build_rule(table=None, chain=None, command=None, position='', full=None, fam

    .. code-block:: bash

-        salt '*' iptables.build_rule match=state \\
+        salt '*' nftables.build_rule match=state \\
            connstate=RELATED,ESTABLISHED jump=ACCEPT
-        salt '*' iptables.build_rule filter INPUT command=I position=3 \\
-            full=True match=state state=RELATED,ESTABLISHED jump=ACCEPT
+        salt '*' nftables.build_rule filter input command=insert position=3 \\
+            full=True match=state state=related,established jump=accept

        IPv6:
-        salt '*' iptables.build_rule match=state \\
-            connstate=RELATED,ESTABLISHED jump=ACCEPT \\
+        salt '*' nftables.build_rule match=state \\
+            connstate=related,established jump=accept \\
            family=ipv6
-        salt '*' iptables.build_rule filter INPUT command=I position=3 \\
-            full=True match=state state=RELATED,ESTABLISHED jump=ACCEPT \\
+        salt '*' nftables.build_rule filter input command=insert position=3 \\
+            full=True match=state state=related,established jump=accept \\
            family=ipv6

    '''
@ -134,7 +133,6 @@ def build_rule(table=None, chain=None, command=None, position='', full=None, fam
        del kwargs['of']

    if 'proto' in kwargs:
-        #rule += '-p {0} '.format(kwargs['proto'])
        proto = kwargs['proto']

    if 'state' in kwargs:
@ -439,7 +437,7 @@ def check(table='filter', chain=None, rule=None, family='ipv4'):

 def check_chain(table='filter', chain=None, family='ipv4'):
    '''
-    .. versionadded:: 2014.1.0 (Hydrogen)
+    .. versionadded:: Helium

    Check for the existence of a chain in the table

@ -493,7 +491,7 @@ def check_table(table=None, family='ipv4'):

 def new_table(table, family='ipv4'):
    '''
-    .. versionadded:: 2014.1.0 (Hydrogen)
+    .. versionadded:: Helium

    Create new custom table.

@ -525,7 +523,7 @@ def new_table(table, family='ipv4'):

 def delete_table(table, family='ipv4'):
    '''
-    .. versionadded:: 2014.1.0 (Hydrogen)
+    .. versionadded:: Helium

    Create new custom table.

@ -556,7 +554,7 @@ def delete_table(table, family='ipv4'):

 def new_chain(table='filter', chain=None, table_type=None, hook=None, priority=None, family='ipv4'):
    '''
-    .. versionadded:: 2014.1.0 (Hydrogen)
+    .. versionadded:: Helium

    Create new chain to the specified table.

@ -612,7 +610,7 @@ def new_chain(table='filter', chain=None, table_type=None, hook=None, priority=N

 def delete_chain(table='filter', chain=None, family='ipv4'):
    '''
-    .. versionadded:: 2014.1.0 (Hydrogen)
+    .. versionadded:: Helium

    Delete the chain from the specified table.

--- a/salt/states/nftables.py
+++ b/salt/states/nftables.py
@ -3,7 +3,7 @@
 Management of nftables
 ======================

-This is an iptables-specific module designed to manage Linux firewalls. It is
+This is an nftables-specific module designed to manage Linux firewalls. It is
 expected that this state module, and other system-specific firewall states, may
 at some point be deprecated in favor of a more generic `firewall` state.

@ -115,7 +115,7 @@ def __virtual__():

 def chain_present(name, table='filter', table_type=None, hook=None, priority=None, family='ipv4'):
    '''
-    .. versionadded:: 2014.1.0 (Hydrogen)
+    .. versionadded:: Helium

    Verify the chain is exist.

@ -169,7 +169,7 @@ def chain_present(name, table='filter', table_type=None, hook=None, priority=Non

 def chain_absent(name, table='filter', family='ipv4'):
    '''
-    .. versionadded:: 2014.1.0 (Hydrogen)
+    .. versionadded:: Helium

    Verify the chain is absent.

@ -195,7 +195,7 @@ def chain_absent(name, table='filter', family='ipv4'):
        if command is True:
            ret['changes'] = {'locale': name}
            ret['result'] = True
-            ret['comment'] = ('iptables {0} chain in {1} table delete success for {2}'
+            ret['comment'] = ('nftables {0} chain in {1} table delete success for {2}'
                              .format(name, table, family))
        else:
            ret['result'] = False
@ -226,7 +226,7 @@ def append(name, family='ipv4', **kwargs):
        Network family, ipv4 or ipv6.

    All other arguments are passed in with the same name as the long option
-    that would normally be used for iptables, with one exception: `--state` is
+    that would normally be used for nftables, with one exception: `--state` is
    specified as `connstate` instead of `state` (not to be confused with
    `ctstate`).
    '''
@ -281,7 +281,7 @@ def append(name, family='ipv4', **kwargs):

 def insert(name, family='ipv4', **kwargs):
    '''
-    .. versionadded:: 2014.1.0 (Hydrogen)
+    .. versionadded:: Helium

    Insert a rule into a chain

@ -293,7 +293,7 @@ def insert(name, family='ipv4', **kwargs):
        Networking family, either ipv4 or ipv6

    All other arguments are passed in with the same name as the long option
-    that would normally be used for iptables, with one exception: `--state` is
+    that would normally be used for nftables, with one exception: `--state` is
    specified as `connstate` instead of `state` (not to be confused with
    `ctstate`).
    '''
@ -347,7 +347,7 @@ def insert(name, family='ipv4', **kwargs):

 def delete(name, family='ipv4', **kwargs):
    '''
-    .. versionadded:: 2014.1.0 (Hydrogen)
+    .. versionadded:: Helium

    Delete a rule to a chain

@ -359,7 +359,7 @@ def delete(name, family='ipv4', **kwargs):
        Networking family, either ipv4 or ipv6

    All other arguments are passed in with the same name as the long option
-    that would normally be used for iptables, with one exception: `--state` is
+    that would normally be used for nftables, with one exception: `--state` is
    specified as `connstate` instead of `state` (not to be confused with
    `ctstate`).
    '''
@ -424,64 +424,9 @@ def delete(name, family='ipv4', **kwargs):
        return ret


-def set_policy(name, family='ipv4', **kwargs):
-    '''
-    .. versionadded:: 2014.1.0 (Hydrogen)
-
-    Sets the default policy for iptables firewall tables
-
-    family
-        Networking family, either ipv4 or ipv6
-
-    '''
-    ret = {'name': name,
-        'changes': {},
-        'result': None,
-        'comment': ''}
-
-    for ignore in _STATE_INTERNAL_KEYWORDS:
-        if ignore in kwargs:
-            del kwargs[ignore]
-
-    if __salt__['iptables.get_policy'](
-            kwargs['table'],
-            kwargs['chain'],
-            family) == kwargs['policy']:
-        ret['result'] = True
-        ret['comment'] = ('iptables default policy for {0} for {1} already set to {2}'
-                          .format(kwargs['table'], family, kwargs['policy']))
-        return ret
-
-    if not __salt__['iptables.set_policy'](
-            kwargs['table'],
-            kwargs['chain'],
-            kwargs['policy'],
-            family):
-        ret['changes'] = {'locale': name}
-        ret['result'] = True
-        ret['comment'] = 'Set default policy for {0} to {1} family {2}'.format(
-            kwargs['chain'],
-            kwargs['policy'],
-            family
-        )
-        if 'save' in kwargs:
-            if kwargs['save']:
-                __salt__['iptables.save'](filename=None, family=family)
-                ret['comment'] = 'Set and Saved default policy for {0} to {1} family {2}'.format(
-                    kwargs['chain'],
-                    kwargs['policy'],
-                    family
-                )
-        return ret
-    else:
-        ret['result'] = False
-        ret['comment'] = 'Failed to set iptables default policy'
-        return ret
-
-
 def flush(name, family='ipv4', **kwargs):
    '''
-    .. versionadded:: 2014.1.0 (Hydrogen)
+    .. versionadded:: Helium

    Flush current nftables state

@ -531,5 +476,5 @@ def flush(name, family='ipv4', **kwargs):
        return ret
    else:
        ret['result'] = False
-        ret['comment'] = 'Failed to flush iptables rules'
+        ret['comment'] = 'Failed to flush nftables rules'
        return ret