Diffstat (limited to 'test')
-rw-r--r-- | test/100-bridge-iptables.bats | 77 | ||||
-rw-r--r-- | test/200-bridge-firewalld.bats | 41 | ||||
-rw-r--r-- | test/helpers.bash | 68 |
3 files changed, 124 insertions, 62 deletions
diff --git a/test/100-bridge-iptables.bats b/test/100-bridge-iptables.bats
index fc564eb..2b5165f 100644
--- a/test/100-bridge-iptables.bats
+++ b/test/100-bridge-iptables.bats
@@ -68,28 +68,7 @@ fw_driver=iptables
 run_in_host_netns ping -c 1 10.88.0.2
- # check iptables POSTROUTING chain
- run_in_host_netns iptables -S POSTROUTING -t nat
- assert "${lines[1]}" =~ "-A POSTROUTING -j NETAVARK-HOSTPORT-MASQ" "POSTROUTING HOSTPORT-MASQ rule"
- assert "${lines[2]}" =~ "-A POSTROUTING -s 10.88.0.0/16 -j NETAVARK-1D8721804F16F" "POSTROUTING container rule"
- assert "${#lines[@]}" = 3 "too many POSTROUTING rules"
-
- # check iptables NETAVARK-1D8721804F16F chain
- run_in_host_netns iptables -S NETAVARK-1D8721804F16F -t nat
- assert "${lines[1]}" =~ "-A NETAVARK-1D8721804F16F -d 10.88.0.0/16 -j ACCEPT" "NETAVARK-1D8721804F16F ACCEPT rule"
- assert "${lines[2]}" == "-A NETAVARK-1D8721804F16F ! -d 224.0.0.0/4 -j MASQUERADE" "NETAVARK-1D8721804F16F MASQUERADE rule"
- assert "${#lines[@]}" = 3 "too many NETAVARK-1D8721804F16F rules"
-
- # check FORWARD rules
- run_in_host_netns iptables -S FORWARD
- assert "${lines[1]}" == "-A FORWARD -m comment --comment \"netavark firewall rules\" -j NETAVARK_FORWARD" "FORWARD rule"
- assert "${#lines[@]}" = 2 "too many FORWARD rules"
-
- run_in_host_netns iptables -S NETAVARK_FORWARD
- assert "${lines[1]}" == "-A NETAVARK_FORWARD -m conntrack --ctstate INVALID -j DROP" "NETAVARK_FORWARD rule 1"
- assert "${lines[2]}" == "-A NETAVARK_FORWARD -d 10.88.0.0/16 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" "NETAVARK_FORWARD rule 2"
- assert "${lines[3]}" == "-A NETAVARK_FORWARD -s 10.88.0.0/16 -j ACCEPT" "NETAVARK_FORWARD rule 3"
- assert "${#lines[@]}" = 4 "too many NETAVARK_FORWARD rules"
+ check_simple_bridge_iptables
 run_netavark --file ${TESTSDIR}/testfiles/simplebridge.json teardown $(get_container_netns_path)
@@ -1003,3 +982,57 @@ EOF
 expected_rc=1 run_netavark -f ${TESTSDIR}/testfiles/invalid-port.json setup $(get_container_netns_path)
 assert_json ".error" "invalid host ip \"abcd\" provided for port 8080" "host ip error"
 }
+
+@test "$fw_driver - test firewalld reload" {
+ setup_firewalld
+
+ run_netavark --file ${TESTSDIR}/testfiles/simplebridge.json setup $(get_container_netns_path)
+
+ check_simple_bridge_iptables
+ assert "$(<$NETAVARK_TMPDIR/config/firewall/firewall-driver)" "==" "iptables" "firewall-driver file content"
+
+ run_in_host_netns firewall-cmd --reload
+
+ # After a firewalld reload we expect rules to be deleted
+ expected_rc=1 run_in_host_netns iptables -S NETAVARK_FORWARD
+
+ # start reload service on start it should restore the rules
+ run_netavark_firewalld_reload
+
+ # this run in the background so give it some time to add the rules
+ sleep 1
+ check_simple_bridge_iptables
+
+ run_in_host_netns firewall-cmd --reload
+ sleep 1
+ check_simple_bridge_iptables
+}
+
+@test "$fw_driver - port forwarding ipv4 - tcp with firewalld reload" {
+ test_port_fw firewalld_reload=true
+}
+
+function check_simple_bridge_iptables() {
+ # check iptables POSTROUTING chain
+ run_in_host_netns iptables -S POSTROUTING -t nat
+ assert "${lines[1]}" =~ "-A POSTROUTING -j NETAVARK-HOSTPORT-MASQ" "POSTROUTING HOSTPORT-MASQ rule"
+ assert "${lines[2]}" =~ "-A POSTROUTING -s 10.88.0.0/16 -j NETAVARK-1D8721804F16F" "POSTROUTING container rule"
+ assert "${#lines[@]}" = 3 "too many POSTROUTING rules"
+
+ # check iptables NETAVARK-1D8721804F16F chain
+ run_in_host_netns iptables -S NETAVARK-1D8721804F16F -t nat
+ assert "${lines[1]}" =~ "-A NETAVARK-1D8721804F16F -d 10.88.0.0/16 -j ACCEPT" "NETAVARK-1D8721804F16F ACCEPT rule"
+ assert "${lines[2]}" == "-A NETAVARK-1D8721804F16F ! -d 224.0.0.0/4 -j MASQUERADE" "NETAVARK-1D8721804F16F MASQUERADE rule"
+ assert "${#lines[@]}" = 3 "too many NETAVARK-1D8721804F16F rules"
+
+ # check FORWARD rules
+ run_in_host_netns iptables -S FORWARD
+ assert "${lines[1]}" == "-A FORWARD -m comment --comment \"netavark firewall rules\" -j NETAVARK_FORWARD" "FORWARD rule"
+ assert "${#lines[@]}" = 2 "too many FORWARD rules"
+
+ run_in_host_netns iptables -S NETAVARK_FORWARD
+ assert "${lines[1]}" == "-A NETAVARK_FORWARD -m conntrack --ctstate INVALID -j DROP" "NETAVARK_FORWARD rule 1"
+ assert "${lines[2]}" == "-A NETAVARK_FORWARD -d 10.88.0.0/16 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" "NETAVARK_FORWARD rule 2"
+ assert "${lines[3]}" == "-A NETAVARK_FORWARD -s 10.88.0.0/16 -j ACCEPT" "NETAVARK_FORWARD rule 3"
+ assert "${#lines[@]}" = 4 "too many NETAVARK_FORWARD rules"
+}
diff --git a/test/200-bridge-firewalld.bats b/test/200-bridge-firewalld.bats
index 7864f5f..29e13a4 100644
--- a/test/200-bridge-firewalld.bats
+++ b/test/200-bridge-firewalld.bats
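Review bot: The two `sleep 1` calls before `check_simple_bridge_iptables` make the new "test firewalld reload" test timing-dependent: `run_netavark_firewalld_reload` starts the service in the background, and the test merely hopes it has reconnected to the test dbus and re-added every chain within one second, which is exactly the wait that fails on a loaded CI runner. `setup_firewalld` in helpers.bash already polls `firewall-cmd --state` with `expected_rc="?"` and a bounded retry; the same shape applied to `iptables -S NETAVARK_FORWARD` gives a deterministic wait plus a clear `die` message when the rules never come back, instead of a generic assert failure from the chain check. Which chain the reload service installs last is not visible here, so if the full check still races after the poll, the poll should target the last rule it installs. The unquoted `$NETAVARK_TMPDIR` inside the `$(<...)` redirection on the firewall-driver assert is worth quoting while touching this.
```shell
# wait until the background firewalld-reload service has re-created the
# NETAVARK_FORWARD chain; a fixed sleep is racy on slow runners
function wait_for_netavark_forward_chain() {
    local retries=20
    while [ $retries -gt 0 ]; do
        expected_rc="?" run_in_host_netns iptables -S NETAVARK_FORWARD
        if [ "$status" -eq 0 ]; then
            return 0
        fi
        sleep 0.5
        retries=$(($retries - 1))
    done
    die "netavark rules were not restored after firewalld reload"
}

@test "$fw_driver - test firewalld reload" {
    # … unchanged: setup_firewalld, netavark setup, first reload, expected_rc=1 check …
    run_netavark_firewalld_reload
    wait_for_netavark_forward_chain
    check_simple_bridge_iptables

    run_in_host_netns firewall-cmd --reload
    wait_for_netavark_forward_chain
    check_simple_bridge_iptables
}
```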
@@ -9,46 +9,7 @@ fw_driver=firewalld
 
 function setup() {
 basic_setup
-
- # first, create a new dbus session
- DBUS_SYSTEM_BUS_ADDRESS=unix:path=$NETAVARK_TMPDIR/netavark-firewalld
- run_in_host_netns dbus-daemon --address="$DBUS_SYSTEM_BUS_ADDRESS" --print-pid --config-file="${TESTSDIR}/testfiles/firewalld-dbus.conf"
- DBUS_PID="$output"
- # export DBUS_SYSTEM_BUS_ADDRESS so firewalld and netavark will use the correct socket
- export DBUS_SYSTEM_BUS_ADDRESS
-
- # second, start firewalld in the netns with the dbus socket
- # do not use run_in_host_netns because we want to run this in background
- # use --nopid (we cannot change the pid file location), --nofork do not run as daemon so we can kill it by pid
- # change --system-config to make sure that we do not write any config files to the host location
- nsenter -n -t $HOST_NS_PID firewalld --nopid --nofork --system-config "$NETAVARK_TMPDIR" &>"$NETAVARK_TMPDIR/firewalld.log" &
- FIREWALLD_PID=$!
- echo "firewalld pid: $FIREWALLD_PID"
-
- # wait for firewalld to become ready
- timeout=5
- while [ $timeout -gt 0 ]; do
- # query firewalld with firewall-cmd
- expected_rc="?" run_in_host_netns firewall-cmd --state
- if [ "$status" -eq 0 ]; then
- break
- fi
- sleep 1
- timeout=$(($timeout - 1))
- if [ $timeout -eq 0 ]; then
- cat "$NETAVARK_TMPDIR/firewalld.log"
- die "failed to start firewalld - timeout"
- fi
- done
-}
-
-function teardown() {
- kill -9 $FIREWALLD_PID
- kill -9 $DBUS_PID
-
- unset DBUS_SYSTEM_BUS_ADDRESS
-
- basic_teardown
+ setup_firewalld
 }
 
 @test "check firewalld driver is in use" {
diff --git a/test/helpers.bash b/test/helpers.bash
index 6a25f06..dec8150 100644
--- a/test/helpers.bash
+++ b/test/helpers.bash
@@ -47,6 +47,7 @@ function basic_setup() {
 }
 
 function basic_teardown() {
+ teardown_firewalld
 kill -9 $HOST_NS_PID
 for i in "${!CONTAINER_NS_PIDS[@]}"; do
 kill -9 "${CONTAINER_NS_PIDS[$i]}"
@@ -54,6 +55,52 @@ function basic_teardown() {
 rm -rf "$NETAVARK_TMPDIR"
 }
 
+function setup_firewalld() {
+ # first, create a new dbus session
+ DBUS_SYSTEM_BUS_ADDRESS=unix:path=$NETAVARK_TMPDIR/netavark-firewalld
+ run_in_host_netns dbus-daemon --address="$DBUS_SYSTEM_BUS_ADDRESS" --print-pid --config-file="${TESTSDIR}/testfiles/firewalld-dbus.conf"
+ DBUS_PID="$output"
+ # export DBUS_SYSTEM_BUS_ADDRESS so firewalld and netavark will use the correct socket
+ export DBUS_SYSTEM_BUS_ADDRESS
+
+ # second, start firewalld in the netns with the dbus socket
+ # do not use run_in_host_netns because we want to run this in background
+ # use --nopid (we cannot change the pid file location), --nofork do not run as daemon so we can kill it by pid
+ # change --system-config to make sure that we do not write any config files to the host location
+ nsenter -n -t $HOST_NS_PID firewalld --nopid --nofork --system-config "$NETAVARK_TMPDIR" &>"$NETAVARK_TMPDIR/firewalld.log" &
+ FIREWALLD_PID=$!
+ echo "firewalld pid: $FIREWALLD_PID"
+
+ # wait for firewalld to become ready
+ timeout=5
+ while [ $timeout -gt 0 ]; do
+ # query firewalld with firewall-cmd
+ expected_rc="?" run_in_host_netns firewall-cmd --state
+ if [ "$status" -eq 0 ]; then
+ break
+ fi
+ sleep 1
+ timeout=$(($timeout - 1))
+ if [ $timeout -eq 0 ]; then
+ cat "$NETAVARK_TMPDIR/firewalld.log"
+ die "failed to start firewalld - timeout"
+ fi
+ done
+}
+
+function teardown_firewalld() {
+ if [ -n "${NETAVARK_FIREWALLD_RELOAD_PID}" ]; then
+ kill -9 $NETAVARK_FIREWALLD_RELOAD_PID
+ fi
+ if [ -n "${FIREWALLD_PID}" ]; then
+ kill -9 $FIREWALLD_PID
+ fi
+ if [ -n "${DBUS_PID}" ]; then
+ kill -9 $DBUS_PID
+ fi
+ unset DBUS_SYSTEM_BUS_ADDRESS
+}
+
 # Provide the above as default methods.
 function setup() {
 basic_setup
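Review bot: `setup_firewalld` starts a fresh dbus-daemon and firewalld unconditionally, so a second call within one test — e.g. if `test_port_fw firewalld_reload=true`, which calls it itself, is ever used from a file whose `setup()` already calls it, as 200-bridge-firewalld.bats now does — overwrites `DBUS_PID` and `FIREWALLD_PID`, leaving the first pair of daemons running past `teardown_firewalld` and two firewalld instances sharing the same socket path and netns. A guard at the top of the function turns that into a visible failure: `if [ -n "${FIREWALLD_PID}" ]; then die "setup_firewalld called twice - firewalld already running with pid $FIREWALLD_PID"; fi`. While here, `timeout` should be `local` so the helper does not leak a generic global into the test body, and the pids in the `kill -9` lines of `teardown_firewalld` deserve quoting (`kill -9 "$FIREWALLD_PID"`).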
@@ -90,6 +137,13 @@ function run_netavark() {
 --config "$NETAVARK_TMPDIR/config" "$@"
 }
+function run_netavark_firewalld_reload() {
+ # need to use nsetner as this will be run in the background
+ nsenter -n -t $HOST_NS_PID $NETAVARK --config "$NETAVARK_TMPDIR/config" firewalld-reload &
+ NETAVARK_FIREWALLD_RELOAD_PID=$!
+}
+
+
 ################
 # run_in_container_netns
 # Run args in container netns
 ################
@@ -342,6 +396,7 @@ function assert_json() {
 # containerport=$port the port which is binded in the container
 # range=$num >=1 specify a port range which will forward hostport+range ports
 # connectip=$ip the ip which is used to connect to in the ncat test
+# firewalld_reload={false,true} call firewall-cmd --reload to check for port rules
 #
 function test_port_fw() {
 local ipv4=true
@@ -386,6 +441,9 @@ function test_port_fw() {
 range)
 range="$value"
 ;;
+ firewalld_reload)
+ firewalld_reload="$value"
+ ;;
 *) die "unknown argument for '$arg' test_port_fw" ;;
 esac
 shift
@@ -472,9 +530,19 @@ EOF
 # echo the config here this is useful for debugging in case a test fails
 echo "$config"
 
+ if [ $firewalld_reload = true ]; then
+ setup_firewalld
+ run_netavark_firewalld_reload
+ fi
+
 run_netavark setup $(get_container_netns_path) <<<"$config"
 result="$output"
 
+ if [ $firewalld_reload = true ]; then
+ run_in_host_netns firewall-cmd --reload
+ sleep 1
+ fi
+
 # protocol can be a comma separated list of protocols names
 # split it into an array
 IFS=',' read -ra protocols <<<"$proto"
|
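Review bot: The background `netavark ... firewalld-reload` process in `run_netavark_firewalld_reload` has no output redirection, so if it cannot reach the test dbus socket or exits early, its errors land unlabelled in the bats stream and nothing points at it — unlike firewalld, which `setup_firewalld` sends to `$NETAVARK_TMPDIR/firewalld.log`. I would redirect it the same way and quote the binary path: `nsenter -n -t $HOST_NS_PID "$NETAVARK" --config "$NETAVARK_TMPDIR/config" firewalld-reload &>"$NETAVARK_TMPDIR/netavark-firewalld-reload.log" &`. Whether the service exits or keeps running when dbus is unreachable is not visible here, so a caller still only learns of a problem when its rules check fails; the log makes that failure diagnosable. The comment above the call also misspells the tool: `# need to use nsenter as this will be run in the background`.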
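Review bot: `if [ $firewalld_reload = true ]` now runs on every `test_port_fw` call, but no default is assigned to `firewalld_reload`: the `local ipv4=true` block at the top of the function is not touched by this patch (the 68 helpers.bash lines in the diffstat are fully accounted for by the hunks shown), and the only assignment is the new `firewalld_reload)` case arm. For the existing callers that pass no `firewalld_reload=` argument the variable is empty, the unquoted test collapses to `[ = true ]`, and bash reports "unary operator expected" and treats it as false — so those tests keep passing while printing an error on every port-forwarding run. Add `local firewalld_reload=false` next to `local ipv4=true` and quote both comparisons: `if [[ "$firewalld_reload" == true ]]; then`. The `sleep 1` after `firewall-cmd --reload` has the same timing dependency as the reload test in 100-bridge-iptables.bats; `test_port_fw` continues outside this hunk.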