From 54c80de95ced6f1d64f28ad4e6815dbe028bfda1 Mon Sep 17 00:00:00 2001
From: Mingli Yu
Date: Thu, 16 May 2024 15:35:37 +0800
Subject: [PATCH] test: Move firewalld tests into one file

Moving firewalld related tests into one file should be convenient for the user who doesn't care firewalld.

Signed-off-by: Mingli Yu
---
 test/100-bridge-iptables.bats | 37 --------------------
 test/200-bridge-firewalld.bats | 64 ++++++++++++++++++++++++++++++++++
 test/250-bridge-nftables.bats | 35 -------------------
 3 files changed, 64 insertions(+), 72 deletions(-)

diff --git a/test/100-bridge-iptables.bats b/test/100-bridge-iptables.bats
index 9a37528d8..8cc6a7ca0 100644
--- a/test/100-bridge-iptables.bats
+++ b/test/100-bridge-iptables.bats
@@ -1021,43 +1021,6 @@ EOF
 assert_json ".error" "invalid host ip \"abcd\" provided for port 8080" "host ip error"
 }
 
-@test "$fw_driver - test firewalld reload" {
- setup_firewalld
-
- run_netavark --file ${TESTSDIR}/testfiles/simplebridge.json setup $(get_container_netns_path)
-
- check_simple_bridge_iptables
- assert "$(<$NETAVARK_TMPDIR/config/firewall/firewall-driver)" "==" "iptables" "firewall-driver file content"
-
- run_in_host_netns firewall-cmd --reload
-
- # After a firewalld reload we expect rules to be deleted
- # expected_rc=1 run_in_host_netns iptables -S NETAVARK_FORWARD
- # There was a firewalld change in 3.0 that it no longer flushes all rules, howver we can still check if
- # we are added to trusted.
- run_in_host_netns firewall-cmd --zone=trusted --list-sources
- assert "$output" == "" "no trusted sources"
-
- # start reload service on start it should restore the rules
- run_netavark_firewalld_reload
-
- # this run in the background so give it some time to add the rules
- sleep 1
- check_simple_bridge_iptables
- run_in_host_netns firewall-cmd --zone=trusted --list-sources
- assert "$output" == "10.88.0.0/16" "container subnet is trusted after start"
-
- run_in_host_netns firewall-cmd --reload
- sleep 1
- check_simple_bridge_iptables
- run_in_host_netns firewall-cmd --zone=trusted --list-sources
- assert "$output" == "10.88.0.0/16" "container subnet is trusted after reload"
-}
-
-@test "$fw_driver - port forwarding ipv4 - tcp with firewalld reload" {
- test_port_fw firewalld_reload=true
-}
-
 function check_simple_bridge_iptables() {
 # check iptables POSTROUTING chain
 run_in_host_netns iptables -S POSTROUTING -t nat
diff --git a/test/200-bridge-firewalld.bats b/test/200-bridge-firewalld.bats
index 29e13a415..c861bb376 100644
--- a/test/200-bridge-firewalld.bats
+++ b/test/200-bridge-firewalld.bats
@@ -329,3 +329,67 @@ function setup() {
 expected_rc=1 run_netavark -f ${TESTSDIR}/testfiles/invalid-port.json setup $(get_container_netns_path)
 assert_json ".error" "invalid host ip \"abcd\" provided for port 8080" "host ip error"
 }
+
+@test "$fw_driver - test firewalld reload" {
+ NETAVARK_FW=iptables run_netavark --file ${TESTSDIR}/testfiles/simplebridge.json setup $(get_container_netns_path)
+
+ check_simple_bridge_iptables
+ assert "$(<$NETAVARK_TMPDIR/config/firewall/firewall-driver)" "==" "iptables" "firewall-driver file content"
+
+ run_in_host_netns firewall-cmd --reload
+
+ # After a firewalld reload we expect rules to be deleted
+ # expected_rc=1 run_in_host_netns iptables -S NETAVARK_FORWARD
+ # There was a firewalld change in 3.0 that it no longer flushes all rules, howver we can still check if
+ # we are added to trusted.
+ run_in_host_netns firewall-cmd --zone=trusted --list-sources
+ assert "$output" == "" "no trusted sources"
+
+ # start reload service on start it should restore the rules
+ run_netavark_firewalld_reload
+
+ # this run in the background so give it some time to add the rules
+ sleep 1
+ check_simple_bridge_iptables
+ run_in_host_netns firewall-cmd --zone=trusted --list-sources
+ assert "$output" == "10.88.0.0/16" "container subnet is trusted after start"
+
+ run_in_host_netns firewall-cmd --reload
+ sleep 1
+ check_simple_bridge_iptables
+ run_in_host_netns firewall-cmd --zone=trusted --list-sources
+ assert "$output" == "10.88.0.0/16" "container subnet is trusted after reload"
+}
+
+@test "$fw_driver - port forwarding ipv4 - tcp with firewalld reload" {
+ test_port_fw firewalld_reload=true
+}
+
+@test "$fw_driver - test firewalld reload" {
+ NETAVARK_FW=nftables run_netavark --file ${TESTSDIR}/testfiles/simplebridge.json setup $(get_container_netns_path)
+
+ check_simple_bridge_nftables
+ assert "$(<$NETAVARK_TMPDIR/config/firewall/firewall-driver)" "==" "nftables" "firewall-driver file content"
+
+ run_in_host_netns firewall-cmd --reload
+
+ # There was a firewalld change in 3.0 that it no longer flushes all rules, howver we can still check if
+ # we are added to trusted.
+ run_in_host_netns firewall-cmd --zone=trusted --list-sources
+ assert "$output" == "" "no trusted sources"
+
+ # start reload service on start it should restore the rules
+ run_netavark_firewalld_reload
+
+ # this run in the background so give it some time to add the rules
+ sleep 1
+ check_simple_bridge_nftables
+ run_in_host_netns firewall-cmd --zone=trusted --list-sources
+ assert "$output" == "10.88.0.0/16" "container subnet is trusted after start"
+
+ run_in_host_netns firewall-cmd --reload
+ sleep 1
+ check_simple_bridge_nftables
+ run_in_host_netns firewall-cmd --zone=trusted --list-sources
+ assert "$output" == "10.88.0.0/16" "container subnet is trusted after reload"
+}
diff --git a/test/250-bridge-nftables.bats b/test/250-bridge-nftables.bats
index c5687acd0..807f23ad1 100644
--- a/test/250-bridge-nftables.bats
+++ b/test/250-bridge-nftables.bats
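Review bot: The two added test blocks in test/200-bridge-firewalld.bats carry the identical name `@test "$fw_driver - test firewalld reload"`; bats derives the test function name from that string, and bats-core reports duplicate test names as an error (older releases appear to let the second definition shadow the first), so the iptables and nftables variants need distinct names such as `@test "$fw_driver - test firewalld reload - iptables" {` and `@test "$fw_driver - test firewalld reload - nftables" {`. The `port forwarding ipv4 - tcp with firewalld reload` test removed from test/250-bridge-nftables.bats has no nftables counterpart here — only one copy is added and it does not set NETAVARK_FW — so whether published ports survive a firewalld reload is no longer exercised for the nftables driver; a second copy invoking `NETAVARK_FW=nftables test_port_fw firewalld_reload=true` would keep that coverage, assuming test_port_fw runs run_netavark and inherits the variable. The moved tests also call `check_simple_bridge_iptables` and `check_simple_bridge_nftables`, which the other two hunks show remain defined in their original .bats files; unless a shared helper file sourced by this file provides them, they will be undefined when these tests run.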
@@ -914,41 +914,6 @@ EOF
 assert_json ".error" "invalid host ip \"abcd\" provided for port 8080" "host ip error"
 }
 
-@test "$fw_driver - test firewalld reload" {
- setup_firewalld
-
- run_netavark --file ${TESTSDIR}/testfiles/simplebridge.json setup $(get_container_netns_path)
-
- check_simple_bridge_nftables
- assert "$(<$NETAVARK_TMPDIR/config/firewall/firewall-driver)" "==" "nftables" "firewall-driver file content"
-
- run_in_host_netns firewall-cmd --reload
-
- # There was a firewalld change in 3.0 that it no longer flushes all rules, howver we can still check if
- # we are added to trusted.
- run_in_host_netns firewall-cmd --zone=trusted --list-sources
- assert "$output" == "" "no trusted sources"
-
- # start reload service on start it should restore the rules
- run_netavark_firewalld_reload
-
- # this run in the background so give it some time to add the rules
- sleep 1
- check_simple_bridge_nftables
- run_in_host_netns firewall-cmd --zone=trusted --list-sources
- assert "$output" == "10.88.0.0/16" "container subnet is trusted after start"
-
- run_in_host_netns firewall-cmd --reload
- sleep 1
- check_simple_bridge_nftables
- run_in_host_netns firewall-cmd --zone=trusted --list-sources
- assert "$output" == "10.88.0.0/16" "container subnet is trusted after reload"
-}
-
-@test "$fw_driver - port forwarding ipv4 - tcp with firewalld reload" {
- test_port_fw firewalld_reload=true
-}
-
 function check_simple_bridge_nftables() {
 # check nftables POSTROUTING chain
 run_in_host_netns nft list chain inet netavark POSTROUTING