[Devel] [PATCH vz10] selftests: drv-net: avoid host firewall interference
Eva Kurchatova
eva.kurchatova at virtuozzo.com
Thu Jun 25 01:33:58 MSK 2026
The NetDrvEpEnv test environment creates a netdevsim device in
init_net and a peer in a separate network namespace. Tests such as
ping.py's test_tcp start a socat listener in init_net and expect the
remote namespace to connect to it via a random port.

When a host firewall (e.g. firewalld with nftables backend) is active,
its INPUT chain rejects inbound TCP connections to ports not in its
allow-list. ICMP is explicitly permitted, so ping tests pass, but
TCP-based tests hang indefinitely: the socat listener never receives a
connection, and bkg(exit_wait=True) waits forever for it to exit,
resulting in a timeout failure.

Fix this by adding the local netdevsim interface to the firewalld
trusted zone after creating the test topology in create_local().
The trusted zone accepts all traffic unconditionally, bypassing any
filtering rules. The interface is removed from the zone during
cleanup in __del__(). Both operations use fail=False so they are
silently skipped on systems without firewalld.

Signed-off-by: Eva Kurchatova <eva.kurchatova at virtuozzo.com>
https://virtuozzo.atlassian.net/browse/VSTOR-135793
Feature: fix selftests
---
tools/testing/selftests/drivers/net/lib/py/env.py | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/tools/testing/selftests/drivers/net/lib/py/env.py b/tools/testing/selftests/drivers/net/lib/py/env.py
index 1ea9bb695e94..b3d4c1accb25 100644
--- a/tools/testing/selftests/drivers/net/lib/py/env.py
+++ b/tools/testing/selftests/drivers/net/lib/py/env.py
@@ -92,6 +92,7 @@ class NetDrvEpEnv:
self._netns = None
self._ns = None
self._ns_peer = None
+ self._fw_ifname = None
if "NETIF" in self.env:
if nsim_test is True:
@@ -156,6 +157,13 @@ class NetDrvEpEnv:
ip(f"-6 addr add dev {self._ns_peer.nsims[0].ifname} {self.nsim_v6_pfx}2/64 nodad", ns=self._netns)
ip(f" link set dev {self._ns_peer.nsims[0].ifname} up", ns=self._netns)
+ # Allow all inbound traffic on the local test interface.
+ # A host firewall (e.g. firewalld) may reject connections to
+ # random test ports, causing TCP-based tests to time out.
+ self._fw_ifname = self._ns.nsims[0].ifname
+ cmd(f"firewall-cmd --zone=trusted --add-interface={self._fw_ifname}",
+ fail=False)
+
def _check_env(self):
vars_needed = [
["LOCAL_V4", "LOCAL_V6"],
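Review bot: self._fw_ifname is assigned before the firewall-cmd call and stays set whatever the command returns, so with fail=False the cleanup path will later run --remove-interface even when the add failed or firewalld is not installed. Consider setting self._fw_ifname only after the add succeeds, and reporting the failure when firewalld is present but rejects the change, since in that case the TCP tests will still hang with no hint as to why. The comment could also state that the trusted zone accepts all traffic on this interface and that the change is runtime-only (no --permanent is passed), so the scope of what is being opened on the host is clear to the reader.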
@@ -190,6 +198,11 @@ class NetDrvEpEnv:
self.__del__()
def __del__(self):
+ if self._fw_ifname:
+ cmd(f"firewall-cmd --zone=trusted "
+ f"--remove-interface={self._fw_ifname}",
+ fail=False)
+ self._fw_ifname = None
if self._ns:
self._ns.remove()
self._ns = None
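Review bot: in __del__ the result of --remove-interface is discarded by fail=False, so a failed removal leaves the interface name bound to the trusted zone with nothing reported. Suggest emitting a warning when the removal fails while self._fw_ifname was set, so a leftover trusted-zone entry on the host is visible in the test output. Running the removal before self._ns.remove() looks right, since the interface still exists at that point.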
--
2.52.0