From f96ecd141cc78b916e71c1aa07efa5969cf9f695 Mon Sep 17 00:00:00 2001 From: Marek Czernek Date: Mon, 13 May 2024 11:29:48 +0200 Subject: [PATCH] Normalize new rich rules before comparing to old Firewallcmd rich rule output quotes each assigned part of the rich rule, for example: rule family="ipv4" source port port="161" ... The firewalld module must first normalize the user defined rich rules to match the firewallcmd output before comparison to ensure idempotency. --- salt/states/firewalld.py | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/salt/states/firewalld.py b/salt/states/firewalld.py index d3e69560a25e..fe530674eb9b 100644 --- a/salt/states/firewalld.py +++ b/salt/states/firewalld.py @@ -376,6 +376,27 @@ def service(name, ports=None, protocols=None): return ret +def _normalize_rich_rules(rich_rules): + normalized_rules = [] + for rich_rule in rich_rules: + normalized_rule = "" + for cmd in rich_rule.split(" "): + cmd_components = cmd.split("=", 1) + if len(cmd_components) == 2: + assigned_component = cmd_components[1] + if not assigned_component.startswith( + '"' + ) and not assigned_component.endswith('"'): + if assigned_component.startswith( + "'" + ) and assigned_component.endswith("'"): + assigned_component = assigned_component[1:-1] + cmd_components[1] = f'"{assigned_component}"' + normalized_rule = f"{normalized_rule} {'='.join(cmd_components)}" + normalized_rules.append(normalized_rule.lstrip()) + return normalized_rules + + def _present( name, block_icmp=None, @@ -767,6 +788,7 @@ def _present( if rich_rules or prune_rich_rules: rich_rules = rich_rules or [] + rich_rules = _normalize_rich_rules(rich_rules) try: _current_rich_rules = __salt__["firewalld.get_rich_rules"]( name, permanent=True
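Review bot: In the new `_normalize_rich_rules` a single-quoted value containing a space is mangled, because the rule is split on spaces before the quotes are inspected — for `log prefix='my prefix'` the token `prefix='my` fails the trailing-`'` test and is wrapped as `prefix="'my`, so the rule becomes `log prefix="'my prefix'`, never matches the firewall-cmd output, and the state stays non-idempotent for exactly the rules this commit targets. Tokenizing with `shlex.split` (one `import shlex` at the top of the file) handles both quote styles and values with spaces, lets `str.partition` do the key/value split, and raises `ValueError` on unbalanced quotes, so a malformed user rule fails at normalization instead of being handed to firewall-cmd; it also collapses repeated whitespace, which presumably matches firewall-cmd's printed form but should be confirmed against real output. A value containing a literal `"` would still need escaping after re-quoting, which the original does not attempt either. The helper also has no docstring; the sketch below adds one stating the contract. The second hunk, which reassigns `rich_rules` to the normalized list, continues past the end of this excerpt, so I have not checked what else consumes the normalized value.
```python
def _normalize_rich_rules(rich_rules):
    """Rewrite each rule so every ``key=value`` token is double-quoted
    (``port="161"``), the form firewall-cmd prints, so that user-supplied
    rules compare equal to ``firewalld.get_rich_rules`` output.

    Raises ValueError on a rule with unbalanced quotes.
    """
    normalized_rules = []
    for rich_rule in rich_rules:
        tokens = []
        # shlex honours both quote styles, so values with spaces stay whole
        for cmd in shlex.split(rich_rule):
            key, sep, value = cmd.partition("=")
            tokens.append(f'{key}="{value}"' if sep else cmd)
        normalized_rules.append(" ".join(tokens))
    return normalized_rules
```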