Module's function output to variable in saltstack state

I'm trying to develop a simple formula for Saltstack which would flush all iptables rules and apply another formula with updated rules. For that I need to switch the INPUT policy to ACCEPT and then flush the rules. I'm trying to verify that in the following way:

{% set policy = salt['pillar.get']('iptables.get_policy','') %}
{% if policy == "ACCEPT" %}
flush rules:
  iptables.flush:
    require:
      - default to accept
{% endif %}

Full code of my sls looks like:

include:
  - iptables

default to accept:
  iptables.set_policy:
    - chain: INPUT
    - policy: ACCEPT


{% set policy = salt['iptables.get_policy'] %}
{% if policy == "ACCEPT" %}
flush rules:
  iptables.flush:
    require:
      - default to accept
{% endif %}

iptables reapply:
  require:
    - sls: iptables

Apparently that doesn't work. Could anyone advise what I'm doing wrong, and whether that's possible at all?


Solved

In case someone needs a similar formula, here's the one which works for me:

include:
  - iptables

default to accept:
  iptables.set_policy:
    - chain: INPUT
    - policy: ACCEPT
    - order: 1

iptables.flush:
  module.run:
    - name: iptables.flush
    - order: 2


Solution 1:[1]

I haven't tested this, but I think you need to actually call the function.

{% set policy = salt['iptables.get_policy']() %}

Make sure to add the () to actually call the function.

Solution 2:[2]

Looks like the following syntax works in my case:

{{ salt.iptables.flush() }}

Other parts of the formula are not working yet, but the main issue in this question is solved.

Solution 3:[3]

There is one downside to relying on Salt itself to do that.

If the connection between the Salt master and the Salt minion is blocked via iptables for any reason (e.g. wrong rules were applied), this will not work.

So I think it's better to run a system command to do that; my solution is to get that done via an at job, which runs as a kind of testing mode.

iptables_flush_testing_mode:
  module.run:
    - name: at.at
    - args:
      - "now +1 min"
      - |
        # IPv4
        iptables -P INPUT ACCEPT;
        iptables -P OUTPUT ACCEPT;
        iptables -P FORWARD ACCEPT;
        iptables -F INPUT;
        iptables -F OUTPUT;
        iptables -F FORWARD;
        # IPv6
        ip6tables -P INPUT ACCEPT;
        ip6tables -P OUTPUT ACCEPT;
        ip6tables -P FORWARD ACCEPT;
        ip6tables -F INPUT;
        ip6tables -F OUTPUT;
        ip6tables -F FORWARD;

The full state is at flush.sls.

Solution 4:[4]

As already pointed out, you didn't actually call the function (missing ()).

However, you don't need that templating or manual ordering at all. Just use onchanges:

include:
  - iptables

default to accept:
  iptables.set_policy:
    - chain: INPUT
    - policy: ACCEPT
    - require:
      - sls: iptables

iptables.flush:
  module.run:
    - onchanges:
      - default to accept

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Utah_Dave
Solution 2 Sebastian Vaisov
Solution 3 Ahmed AbouZaid
Solution 4 OrangeDog