Fix check mode in iptables_state for incomplete iptables-save files along with integration tests (#8029)

* Implement integration test to reproduce #7463 * Make new iptables_state checks async * Add missing commit to iptable_state integration test * Remove async when using checkmode in iptables_state integration tests * Do per table comparison in check mode for iptables_state * Calculate changes of iptables state per table based on result * Output target iptables state in checkmode * Refactor calculation of invidual table states in iptables_state * Add missing return for table calculation * Add missing arg to regex check * Remove leftover debug output for target iptable state * Parse per table state from raw state string * Join restored state for extration of table specific rules * Switch arguments for joining restored iptable state * Output final ip table state * Compare content of tables * Complete iptables partial tables test cases * Correct order of test iptables data * Update docu for iptables tables_after * Add changelog fragment * Appease the linting gods for iptables_state * Adjust spelling and remove tables_after from return values
2025-06-27 10:40:22 -07:00 · 2024-03-24 18:02:48 +01:00 · 2024-03-24 18:02:48 +01:00 · 23396e62dc
commit 23396e62dc
parent 4363f8764b
4 changed files with 104 additions and 18 deletions
--- a/tests/integration/targets/iptables_state/tasks/main.yml
+++ b/tests/integration/targets/iptables_state/tasks/main.yml
@ -29,6 +29,12 @@
      when:
        - xtables_lock is undefined

+    - name: include tasks to test partial restore files
+      include_tasks: tests/02-partial-restore.yml
+      when:
+        - xtables_lock is undefined
+
+
    - name: include tasks to test rollbacks
      include_tasks: tests/10-rollback.yml
      when:
--- a/tests/integration/targets/iptables_state/tasks/tests/02-partial-restore.yml
+++ b/tests/integration/targets/iptables_state/tasks/tests/02-partial-restore.yml
@ -0,0 +1,66 @@
+---
+# Copyright (c) Ansible Project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+- name: "Create initial rule set to use"
+  copy:
+    dest: "{{ iptables_tests }}"
+    content: |
+      *filter
+      :INPUT ACCEPT [0:0]
+      :FORWARD ACCEPT [0:0]
+      :OUTPUT ACCEPT [0:0]
+      -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
+      COMMIT
+      *nat
+      :PREROUTING ACCEPT [151:17304]
+      :INPUT ACCEPT [151:17304]
+      :OUTPUT ACCEPT [151:17304]
+      :POSTROUTING ACCEPT [151:17304]
+      -A POSTROUTING -o eth0 -j MASQUERADE
+      COMMIT
+
+- name: "Restore initial state"
+  iptables_state:
+    path: "{{ iptables_tests }}"
+    state: restored
+  async: "{{ ansible_timeout }}"
+  poll: 0
+
+- name: "Create partial ruleset only specifying input"
+  copy:
+    dest: "{{ iptables_tests }}"
+    content: |
+      *filter
+      :INPUT ACCEPT [0:0]
+      :FORWARD ACCEPT [0:0]
+      :OUTPUT ACCEPT [0:0]
+      -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
+      COMMIT
+
+- name: "Check restoring partial state"
+  iptables_state:
+    path: "{{ iptables_tests }}"
+    state: restored
+  check_mode: true
+  register: iptables_state
+
+
+- name: "assert that no changes are detected in check mode"
+  assert:
+    that:
+      - iptables_state is not changed
+
+- name: "Restore partial state"
+  iptables_state:
+    path: "{{ iptables_tests }}"
+    state: restored
+  register: iptables_state
+  async: "{{ ansible_timeout }}"
+  poll: 0
+
+- name: "assert that no changes are made"
+  assert:
+    that:
+      - iptables_state is not changed