From 8098f050cbe8a96077368330dbe9728ba9a426eb Mon Sep 17 00:00:00 2001
From: Jonas Maurus
Date: Wed, 17 Apr 2024 00:22:25 +0200
Subject: [PATCH] Fix #66382 (nftables): Produce correct ip family for rules with saddr or daddr

---
 changelog/66382.fixed.md | 1 +
 salt/modules/nftables.py | 4 ++--
 tests/pytests/unit/modules/test_nftables.py | 20 ++++++++++++++++++++
 3 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 changelog/66382.fixed.md

diff --git a/changelog/66382.fixed.md b/changelog/66382.fixed.md
new file mode 100644
index 000000000000..20d4e5d7a24e
--- /dev/null
+++ b/changelog/66382.fixed.md
@@ -0,0 +1 @@
+Fixed nftables.build_rule breaks ipv6 rules by using the wrong syntax for source and destination addresses
\ No newline at end of file
diff --git a/salt/modules/nftables.py b/salt/modules/nftables.py
index 11ac05915bd1..f64f58200d8e 100644
--- a/salt/modules/nftables.py
+++ b/salt/modules/nftables.py
@@ -165,14 +165,14 @@ def build_rule(
         del kwargs["counter"]
 
     if "saddr" in kwargs or "source" in kwargs:
-        rule += "ip saddr {} ".format(kwargs.get("saddr") or kwargs.get("source"))
+        rule += "{} saddr {} ".format(nft_family, kwargs.get("saddr") or kwargs.get("source"))
         if "saddr" in kwargs:
             del kwargs["saddr"]
         if "source" in kwargs:
             del kwargs["source"]
 
     if "daddr" in kwargs or "destination" in kwargs:
-        rule += "ip daddr {} ".format(kwargs.get("daddr") or kwargs.get("destination"))
+        rule += "{} daddr {} ".format(nft_family, kwargs.get("daddr") or kwargs.get("destination"))
         if "daddr" in kwargs:
             del kwargs["daddr"]
         if "destination" in kwargs:
diff --git a/tests/pytests/unit/modules/test_nftables.py b/tests/pytests/unit/modules/test_nftables.py
index 855e7712e7f8..0ab80e39f708 100644
--- a/tests/pytests/unit/modules/test_nftables.py
+++ b/tests/pytests/unit/modules/test_nftables.py
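Review bot: Substituting `nft_family` into the `saddr`/`daddr` match fixes `ip6` tables but regresses every other family on the two `+` lines: nft payload matches are written `ip saddr` / `ip6 saddr` regardless of the table family, so an `inet` (or `bridge`/`netdev`) table now gets `inet saddr 10.0.0.0/8`, which `nft` rejects, and a rule that was previously installed silently fails to load, leaving the intended filter absent. `nft_family` is computed outside this hunk, presumably from the `family` argument, so the exact keyword set is inferred here. A narrower fix keeps the family keyword only when it is `ip` or `ip6` and otherwise derives it from the address literal, as sketched below; `build_rule` starts before and continues after this hunk. The new unit test in test_nftables.py also passes `family="ip6"` yet expects `rule ip filter` and `ip saddr`, which looks inconsistent with this change unless `nft_family` maps `ip6` to `ip` — worth confirming before merge.
```python
def _addr_family(nft_family, addr):
    """Return the keyword valid before saddr/daddr: the table family for
    ip/ip6, otherwise chosen from the literal's shape (inet, bridge, netdev)."""
    if nft_family in ("ip", "ip6"):
        return nft_family
    return "ip6" if ":" in str(addr) else "ip"

# … unchanged: counter handling …
    if "saddr" in kwargs or "source" in kwargs:
        saddr = kwargs.get("saddr") or kwargs.get("source")
        rule += "{} saddr {} ".format(_addr_family(nft_family, saddr), saddr)
# … unchanged: saddr/source key deletion …
    if "daddr" in kwargs or "destination" in kwargs:
        daddr = kwargs.get("daddr") or kwargs.get("destination")
        rule += "{} daddr {} ".format(_addr_family(nft_family, daddr), daddr)
```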
@@ -103,6 +103,26 @@ def test_build_rule():
         "comment": "Successfully built rule",
     }
 
+    assert nftables.build_rule(
+        table="filter",
+        chain="input",
+        family="ip6",
+        command="insert",
+        position="3",
+        full="True",
+        connstate="related,established",
+        saddr="::/0",
+        daddr="fe80:cafe::1",
+        jump="accept",
+    ) == {
+        "result": True,
+        "rule": (
+            "nft insert rule ip filter input position 3 ct state {"
+            " related,established } ip saddr ::/0 ip daddr fe80:cafe::1 accept"
+        ),
+        "comment": "Successfully built rule",
+    }
+
     assert nftables.build_rule() == {"result": True, "rule": "", "comment": ""}