[Devel] [PATCH vz10] selftests: drv-net: avoid host firewall interference

Eva Kurchatova eva.kurchatova at virtuozzo.com
Thu Jun 25 01:33:58 MSK 2026


The NetDrvEpEnv test environment creates a netdevsim device in
init_net and a peer in a separate network namespace. Tests such as
ping.py's test_tcp start a socat listener in init_net and expect the
remote namespace to connect to it via a random port.

When a host firewall (e.g. firewalld with nftables backend) is active,
its INPUT chain rejects inbound TCP connections to ports not in its
allow-list. ICMP is explicitly permitted, so ping tests pass, but
TCP-based tests hang indefinitely: the socat listener never receives a
connection, and bkg(exit_wait=True) waits forever for it to exit,
resulting in a timeout failure.

Fix this by adding the local netdevsim interface to the firewalld
trusted zone after creating the test topology in create_local().
The trusted zone accepts all traffic unconditionally, bypassing any
filtering rules. The interface is removed from the zone during
cleanup in __del__(). Both operations use fail=False so they are
silently skipped on systems without firewalld.

Signed-off-by: Eva Kurchatova <eva.kurchatova at virtuozzo.com>

https://virtuozzo.atlassian.net/browse/VSTOR-135793
Feature: fix selftests

---
 tools/testing/selftests/drivers/net/lib/py/env.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/tools/testing/selftests/drivers/net/lib/py/env.py b/tools/testing/selftests/drivers/net/lib/py/env.py
index 1ea9bb695e94..b3d4c1accb25 100644
--- a/tools/testing/selftests/drivers/net/lib/py/env.py
+++ b/tools/testing/selftests/drivers/net/lib/py/env.py
@@ -92,6 +92,7 @@ class NetDrvEpEnv:
         self._netns = None
         self._ns = None
         self._ns_peer = None
+        self._fw_ifname = None
 
         if "NETIF" in self.env:
             if nsim_test is True:
@@ -156,6 +157,13 @@ class NetDrvEpEnv:
         ip(f"-6 addr add dev {self._ns_peer.nsims[0].ifname} {self.nsim_v6_pfx}2/64 nodad", ns=self._netns)
         ip(f"   link set dev {self._ns_peer.nsims[0].ifname} up", ns=self._netns)
 
+        # Allow all inbound traffic on the local test interface.
+        # A host firewall (e.g. firewalld) may reject connections to
+        # random test ports, causing TCP-based tests to time out.
+        self._fw_ifname = self._ns.nsims[0].ifname
+        cmd(f"firewall-cmd --zone=trusted --add-interface={self._fw_ifname}",
+            fail=False)
+
     def _check_env(self):
         vars_needed = [
             ["LOCAL_V4", "LOCAL_V6"],
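Review bot: self._fw_ifname is assigned before the firewall-cmd call and regardless of its outcome, so with fail=False the cleanup path will later issue --remove-interface even when the add was skipped (no firewalld) or failed. Record the name only once the add is known to have succeeded, so that cleanup undoes exactly what setup changed and nothing else; as written, a failed add and a successful one are indistinguishable to __del__().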
@@ -190,6 +198,11 @@ class NetDrvEpEnv:
         self.__del__()
 
     def __del__(self):
+        if self._fw_ifname:
+            cmd(f"firewall-cmd --zone=trusted "
+                f"--remove-interface={self._fw_ifname}",
+                fail=False)
+            self._fw_ifname = None
         if self._ns:
             self._ns.remove()
             self._ns = None
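Review bot: in __del__(), the --remove-interface call uses fail=False and self._fw_ifname is cleared immediately afterwards, so a failed removal is silent and cannot be retried, which leaves the interface name bound to the trusted zone after the test has finished. Consider checking the result of the command and printing a warning that names the interface, so a leftover trusted-zone binding on the host shows up in the test log instead of going unnoticed.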
-- 
2.52.0


