authoropenshift-merge-bot[bot] <148852131+openshift-merge-bot[bot]@users.noreply.github.com>2023-11-15 20:22:08 +0000
committerGitHub <noreply@github.com>2023-11-15 20:22:08 +0000
commit48cc2f4b2aba9dff9d220bd4c48688ded1d723b2 (patch)
treed5cf866dd90b2d92e1e519f3a71185c93340ba84 /test
parent7cd6bc261dff55380c8ba78ff838c2e60df52cf8 (diff)
parent708bd438410362f63711402a453edbdc0cc20a91 (diff)
Merge pull request #840 from Luap99/firewalld-reload
Add firewalld reload service
Diffstat (limited to 'test')
-rw-r--r--test/100-bridge-iptables.bats77
-rw-r--r--test/200-bridge-firewalld.bats41
-rw-r--r--test/helpers.bash68
3 files changed, 124 insertions, 62 deletions
diff --git a/test/100-bridge-iptables.bats b/test/100-bridge-iptables.bats
index fc564eb..2b5165f 100644
--- a/test/100-bridge-iptables.bats
+++ b/test/100-bridge-iptables.bats
@@ -68,28 +68,7 @@ fw_driver=iptables
run_in_host_netns ping -c 1 10.88.0.2
- # check iptables POSTROUTING chain
- run_in_host_netns iptables -S POSTROUTING -t nat
- assert "${lines[1]}" =~ "-A POSTROUTING -j NETAVARK-HOSTPORT-MASQ" "POSTROUTING HOSTPORT-MASQ rule"
- assert "${lines[2]}" =~ "-A POSTROUTING -s 10.88.0.0/16 -j NETAVARK-1D8721804F16F" "POSTROUTING container rule"
- assert "${#lines[@]}" = 3 "too many POSTROUTING rules"
-
- # check iptables NETAVARK-1D8721804F16F chain
- run_in_host_netns iptables -S NETAVARK-1D8721804F16F -t nat
- assert "${lines[1]}" =~ "-A NETAVARK-1D8721804F16F -d 10.88.0.0/16 -j ACCEPT" "NETAVARK-1D8721804F16F ACCEPT rule"
- assert "${lines[2]}" == "-A NETAVARK-1D8721804F16F ! -d 224.0.0.0/4 -j MASQUERADE" "NETAVARK-1D8721804F16F MASQUERADE rule"
- assert "${#lines[@]}" = 3 "too many NETAVARK-1D8721804F16F rules"
-
- # check FORWARD rules
- run_in_host_netns iptables -S FORWARD
- assert "${lines[1]}" == "-A FORWARD -m comment --comment \"netavark firewall rules\" -j NETAVARK_FORWARD" "FORWARD rule"
- assert "${#lines[@]}" = 2 "too many FORWARD rules"
-
- run_in_host_netns iptables -S NETAVARK_FORWARD
- assert "${lines[1]}" == "-A NETAVARK_FORWARD -m conntrack --ctstate INVALID -j DROP" "NETAVARK_FORWARD rule 1"
- assert "${lines[2]}" == "-A NETAVARK_FORWARD -d 10.88.0.0/16 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" "NETAVARK_FORWARD rule 2"
- assert "${lines[3]}" == "-A NETAVARK_FORWARD -s 10.88.0.0/16 -j ACCEPT" "NETAVARK_FORWARD rule 3"
- assert "${#lines[@]}" = 4 "too many NETAVARK_FORWARD rules"
+ check_simple_bridge_iptables
run_netavark --file ${TESTSDIR}/testfiles/simplebridge.json teardown $(get_container_netns_path)
@@ -1003,3 +982,57 @@ EOF
expected_rc=1 run_netavark -f ${TESTSDIR}/testfiles/invalid-port.json setup $(get_container_netns_path)
assert_json ".error" "invalid host ip \"abcd\" provided for port 8080" "host ip error"
}
+
+@test "$fw_driver - test firewalld reload" {
+ setup_firewalld
+
+ run_netavark --file ${TESTSDIR}/testfiles/simplebridge.json setup $(get_container_netns_path)
+
+ check_simple_bridge_iptables
+ assert "$(<$NETAVARK_TMPDIR/config/firewall/firewall-driver)" "==" "iptables" "firewall-driver file content"
+
+ run_in_host_netns firewall-cmd --reload
+
+ # After a firewalld reload we expect rules to be deleted
+ expected_rc=1 run_in_host_netns iptables -S NETAVARK_FORWARD
+
+ # start reload service on start it should restore the rules
+ run_netavark_firewalld_reload
+
+ # this run in the background so give it some time to add the rules
+ sleep 1
+ check_simple_bridge_iptables
+
+ run_in_host_netns firewall-cmd --reload
+ sleep 1
+ check_simple_bridge_iptables
+}
+
+@test "$fw_driver - port forwarding ipv4 - tcp with firewalld reload" {
+ test_port_fw firewalld_reload=true
+}
+
+function check_simple_bridge_iptables() {
+ # check iptables POSTROUTING chain
+ run_in_host_netns iptables -S POSTROUTING -t nat
+ assert "${lines[1]}" =~ "-A POSTROUTING -j NETAVARK-HOSTPORT-MASQ" "POSTROUTING HOSTPORT-MASQ rule"
+ assert "${lines[2]}" =~ "-A POSTROUTING -s 10.88.0.0/16 -j NETAVARK-1D8721804F16F" "POSTROUTING container rule"
+ assert "${#lines[@]}" = 3 "too many POSTROUTING rules"
+
+ # check iptables NETAVARK-1D8721804F16F chain
+ run_in_host_netns iptables -S NETAVARK-1D8721804F16F -t nat
+ assert "${lines[1]}" =~ "-A NETAVARK-1D8721804F16F -d 10.88.0.0/16 -j ACCEPT" "NETAVARK-1D8721804F16F ACCEPT rule"
+ assert "${lines[2]}" == "-A NETAVARK-1D8721804F16F ! -d 224.0.0.0/4 -j MASQUERADE" "NETAVARK-1D8721804F16F MASQUERADE rule"
+ assert "${#lines[@]}" = 3 "too many NETAVARK-1D8721804F16F rules"
+
+ # check FORWARD rules
+ run_in_host_netns iptables -S FORWARD
+ assert "${lines[1]}" == "-A FORWARD -m comment --comment \"netavark firewall rules\" -j NETAVARK_FORWARD" "FORWARD rule"
+ assert "${#lines[@]}" = 2 "too many FORWARD rules"
+
+ run_in_host_netns iptables -S NETAVARK_FORWARD
+ assert "${lines[1]}" == "-A NETAVARK_FORWARD -m conntrack --ctstate INVALID -j DROP" "NETAVARK_FORWARD rule 1"
+ assert "${lines[2]}" == "-A NETAVARK_FORWARD -d 10.88.0.0/16 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" "NETAVARK_FORWARD rule 2"
+ assert "${lines[3]}" == "-A NETAVARK_FORWARD -s 10.88.0.0/16 -j ACCEPT" "NETAVARK_FORWARD rule 3"
+ assert "${#lines[@]}" = 4 "too many NETAVARK_FORWARD rules"
+}
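Review bot: The two `sleep 1` waits in the new "test firewalld reload" test are a fixed delay standing in for a readiness condition, so the test is flaky on a slow CI host and wastes a second on a fast one; `setup_firewalld` in helpers.bash already polls `firewall-cmd --state` with a timeout for the same reason. I would replace each sleep with a helper that polls `iptables -S NETAVARK_FORWARD` until the chain is back with its expected four lines (the same count `check_simple_bridge_iptables` asserts), using the existing `expected_rc="?"` convention to keep the failing probes from aborting the test, and `die` with a clear message on timeout. While here, the path in `$(<$NETAVARK_TMPDIR/config/firewall/firewall-driver)` should be quoted like the other `$NETAVARK_TMPDIR` uses in the file.
```shell
@test "$fw_driver - test firewalld reload" {
    # … unchanged: setup_firewalld, netavark setup, check_simple_bridge_iptables, first firewall-cmd --reload, expected_rc=1 probe …

    # start reload service on start it should restore the rules
    run_netavark_firewalld_reload

    # the service runs in the background; poll for the rules instead of a fixed sleep
    wait_for_netavark_forward_chain
    check_simple_bridge_iptables

    run_in_host_netns firewall-cmd --reload
    wait_for_netavark_forward_chain
    check_simple_bridge_iptables
}

# Poll until the NETAVARK_FORWARD chain is present with its three rules (4 lines
# including the -N header), failing the test after ~5s instead of sleeping blindly.
function wait_for_netavark_forward_chain() {
    local tries=50
    while [ "$tries" -gt 0 ]; do
        expected_rc="?" run_in_host_netns iptables -S NETAVARK_FORWARD
        if [ "$status" -eq 0 ] && [ "${#lines[@]}" -eq 4 ]; then
            return 0
        fi
        sleep 0.1
        tries=$((tries - 1))
    done
    die "timeout waiting for netavark firewalld-reload to restore NETAVARK_FORWARD rules"
}
```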
diff --git a/test/200-bridge-firewalld.bats b/test/200-bridge-firewalld.bats
index 7864f5f..29e13a4 100644
--- a/test/200-bridge-firewalld.bats
+++ b/test/200-bridge-firewalld.bats
@@ -9,46 +9,7 @@ fw_driver=firewalld
function setup() {
basic_setup
-
- # first, create a new dbus session
- DBUS_SYSTEM_BUS_ADDRESS=unix:path=$NETAVARK_TMPDIR/netavark-firewalld
- run_in_host_netns dbus-daemon --address="$DBUS_SYSTEM_BUS_ADDRESS" --print-pid --config-file="${TESTSDIR}/testfiles/firewalld-dbus.conf"
- DBUS_PID="$output"
- # export DBUS_SYSTEM_BUS_ADDRESS so firewalld and netavark will use the correct socket
- export DBUS_SYSTEM_BUS_ADDRESS
-
- # second, start firewalld in the netns with the dbus socket
- # do not use run_in_host_netns because we want to run this in background
- # use --nopid (we cannot change the pid file location), --nofork do not run as daemon so we can kill it by pid
- # change --system-config to make sure that we do not write any config files to the host location
- nsenter -n -t $HOST_NS_PID firewalld --nopid --nofork --system-config "$NETAVARK_TMPDIR" &>"$NETAVARK_TMPDIR/firewalld.log" &
- FIREWALLD_PID=$!
- echo "firewalld pid: $FIREWALLD_PID"
-
- # wait for firewalld to become ready
- timeout=5
- while [ $timeout -gt 0 ]; do
- # query firewalld with firewall-cmd
- expected_rc="?" run_in_host_netns firewall-cmd --state
- if [ "$status" -eq 0 ]; then
- break
- fi
- sleep 1
- timeout=$(($timeout - 1))
- if [ $timeout -eq 0 ]; then
- cat "$NETAVARK_TMPDIR/firewalld.log"
- die "failed to start firewalld - timeout"
- fi
- done
-}
-
-function teardown() {
- kill -9 $FIREWALLD_PID
- kill -9 $DBUS_PID
-
- unset DBUS_SYSTEM_BUS_ADDRESS
-
- basic_teardown
+ setup_firewalld
}
@test "check firewalld driver is in use" {
diff --git a/test/helpers.bash b/test/helpers.bash
index 6a25f06..dec8150 100644
--- a/test/helpers.bash
+++ b/test/helpers.bash
@@ -47,6 +47,7 @@ function basic_setup() {
}
function basic_teardown() {
+ teardown_firewalld
kill -9 $HOST_NS_PID
for i in "${!CONTAINER_NS_PIDS[@]}"; do
kill -9 "${CONTAINER_NS_PIDS[$i]}"
@@ -54,6 +55,52 @@ function basic_teardown() {
rm -rf "$NETAVARK_TMPDIR"
}
+function setup_firewalld() {
+ # first, create a new dbus session
+ DBUS_SYSTEM_BUS_ADDRESS=unix:path=$NETAVARK_TMPDIR/netavark-firewalld
+ run_in_host_netns dbus-daemon --address="$DBUS_SYSTEM_BUS_ADDRESS" --print-pid --config-file="${TESTSDIR}/testfiles/firewalld-dbus.conf"
+ DBUS_PID="$output"
+ # export DBUS_SYSTEM_BUS_ADDRESS so firewalld and netavark will use the correct socket
+ export DBUS_SYSTEM_BUS_ADDRESS
+
+ # second, start firewalld in the netns with the dbus socket
+ # do not use run_in_host_netns because we want to run this in background
+ # use --nopid (we cannot change the pid file location), --nofork do not run as daemon so we can kill it by pid
+ # change --system-config to make sure that we do not write any config files to the host location
+ nsenter -n -t $HOST_NS_PID firewalld --nopid --nofork --system-config "$NETAVARK_TMPDIR" &>"$NETAVARK_TMPDIR/firewalld.log" &
+ FIREWALLD_PID=$!
+ echo "firewalld pid: $FIREWALLD_PID"
+
+ # wait for firewalld to become ready
+ timeout=5
+ while [ $timeout -gt 0 ]; do
+ # query firewalld with firewall-cmd
+ expected_rc="?" run_in_host_netns firewall-cmd --state
+ if [ "$status" -eq 0 ]; then
+ break
+ fi
+ sleep 1
+ timeout=$(($timeout - 1))
+ if [ $timeout -eq 0 ]; then
+ cat "$NETAVARK_TMPDIR/firewalld.log"
+ die "failed to start firewalld - timeout"
+ fi
+ done
+}
+
+function teardown_firewalld() {
+ if [ -n "${NETAVARK_FIREWALLD_RELOAD_PID}" ]; then
+ kill -9 $NETAVARK_FIREWALLD_RELOAD_PID
+ fi
+ if [ -n "${FIREWALLD_PID}" ]; then
+ kill -9 $FIREWALLD_PID
+ fi
+ if [ -n "${DBUS_PID}" ]; then
+ kill -9 $DBUS_PID
+ fi
+ unset DBUS_SYSTEM_BUS_ADDRESS
+}
+
# Provide the above as default methods.
function setup() {
basic_setup
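Review bot: `teardown_firewalld` leaves `NETAVARK_FIREWALLD_RELOAD_PID`, `FIREWALLD_PID` and `DBUS_PID` set after the `kill -9` calls, and `setup_firewalld` has no guard against being entered twice, so a test file whose `setup()` already calls `setup_firewalld` (as 200-bridge-firewalld.bats now does) would start a second dbus-daemon/firewalld pair if one of its tests also passed `firewalld_reload=true` to `test_port_fw`, and only the second pair's PIDs would be killed in teardown. Suggest `unset NETAVARK_FIREWALLD_RELOAD_PID FIREWALLD_PID DBUS_PID` at the end of `teardown_firewalld` and, at the top of `setup_firewalld`, `[ -n "${DBUS_PID}" ] && die "setup_firewalld called twice"` so the double start is caught rather than leaked. Unconditional SIGKILL also means firewalld never gets to remove its own rules; that is presumably fine because everything lives in the test's own netns, but a one-line comment saying so would stop the next reader from "fixing" it.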
@@ -90,6 +137,13 @@ function run_netavark() {
--config "$NETAVARK_TMPDIR/config" "$@"
}
+function run_netavark_firewalld_reload() {
+ # need to use nsetner as this will be run in the background
+ nsenter -n -t $HOST_NS_PID $NETAVARK --config "$NETAVARK_TMPDIR/config" firewalld-reload &
+ NETAVARK_FIREWALLD_RELOAD_PID=$!
+}
+
+
################
# run_in_container_netns # Run args in container netns
################
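Review bot: `run_netavark_firewalld_reload` backgrounds the service with no record of its output and no check that it is still running, so if it exits early the only symptom is a later rule check failing after a `sleep`, with the service's stderr interleaved into the test output. Mirroring what `setup_firewalld` does for firewalld would make such failures attributable: `nsenter -n -t "$HOST_NS_PID" "$NETAVARK" --config "$NETAVARK_TMPDIR/config" firewalld-reload &>"$NETAVARK_TMPDIR/firewalld-reload.log" &`, and have the caller `cat` that log before it calls `die` on timeout. Quoting `$HOST_NS_PID` and `$NETAVARK` also matches the rest of helpers.bash, and the comment has a typo: `nsetner` should be `nsenter`.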
@@ -342,6 +396,7 @@ function assert_json() {
# containerport=$port the port which is binded in the container
# range=$num >=1 specify a port range which will forward hostport+range ports
# connectip=$ip the ip which is used to connect to in the ncat test
+# firewalld_reload={false,true} call firewall-cmd --reload to check for port rules
#
function test_port_fw() {
local ipv4=true
@@ -386,6 +441,9 @@ function test_port_fw() {
range)
range="$value"
;;
+ firewalld_reload)
+ firewalld_reload="$value"
+ ;;
*) die "unknown argument for '$arg' test_port_fw" ;;
esac
shift
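Review bot: The new `firewalld_reload` option is later tested as `[ $firewalld_reload = true ]` (hunk at -472/+530), unquoted and, as far as the visible hunks show, without a `local firewalld_reload=false` default alongside `local ipv4=true`; if no default is declared outside these hunks, every caller that omits the option evaluates `[ = true ]`, which is a `test` usage error rather than a false, and under bats that aborts the test. Declare the default with the other locals and quote both tests: `local firewalld_reload=false` and `if [ "$firewalld_reload" = true ]; then`. `test_port_fw`'s body starts and ends outside this hunk.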
@@ -472,9 +530,19 @@ EOF
# echo the config here this is useful for debugging in case a test fails
echo "$config"
+ if [ $firewalld_reload = true ]; then
+ setup_firewalld
+ run_netavark_firewalld_reload
+ fi
+
run_netavark setup $(get_container_netns_path) <<<"$config"
result="$output"
+ if [ $firewalld_reload = true ]; then
+ run_in_host_netns firewall-cmd --reload
+ sleep 1
+ fi
+
# protocol can be a comma separated list of protocols names
# split it into an array
IFS=',' read -ra protocols <<<"$proto"