[Devel] [PATCH vz10] selftests: drv-net: avoid host firewall interference
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Thu Jun 25 13:43:56 MSK 2026
On 6/25/26 00:33, Eva Kurchatova wrote:
> The NetDrvEpEnv test environment creates a netdevsim device in
> init_net and a peer in a separate network namespace. Tests such as
> ping.py's test_tcp start a socat listener in init_net and expect the
> remote namespace to connect to it via a random port.
>
> When a host firewall (e.g. firewalld with nftables backend) is active,
> its INPUT chain rejects inbound TCP connections to ports not in its
> allow-list. ICMP is explicitly permitted, so ping tests pass, but
> TCP-based tests hang indefinitely: the socat listener never receives a
> connection, and bkg(exit_wait=True) waits forever for it to exit,
> resulting in a timeout failure.
>
> Fix this by adding the local netdevsim interface to the firewalld
> trusted zone after creating the test topology in create_local().
> The trusted zone accepts all traffic unconditionally, bypassing any
> filtering rules. The interface is removed from the zone during
> cleanup in __del__(). Both operations use fail=False so they are
> silently skipped on systems without firewalld.
But we don't have firewalld, though we have INPUT rules, yes.
systemctl status firewalld
○ firewalld.service
Loaded: masked (Reason: Unit firewalld.service is masked.)
Active: inactive (dead)
2026-06-22 11:51:51 UTC: | rempylib.212 : rempy at 10.34.67.25: 'systemctl is-active --quiet firewalld'
2026-06-22 11:51:51 UTC: |hci-kselftests.259 : firewalld service is inactive
nft list ruleset
...
table ip filter {
chain INPUT {
type filter hook input priority filter; policy accept;
counter packets 844559 bytes 253833791 jump CUSTOM
counter packets 844559 bytes 253833791 jump VZ_IN
counter packets 840852 bytes 253523485 jump VZ_IN_VE
ct state related,established counter packets 2415 bytes 251040 accept
ip protocol icmp counter packets 0 bytes 0 accept
iifname "lo" counter packets 35 bytes 17565 accept
ct state invalid counter packets 0 bytes 0 drop
counter packets 838402 bytes 253254880 reject with icmp type host-prohibited
counter packets 0 bytes 0 jump VZ_IN_TAIL
}
so firewall-cmd will fail, and the test will fail even after this fix, I guess.
Adding Dmitry Andreev to CC.
What is the right way to allow input from our netdevsim device on hci-8 for
a kernel selftest? Should we just add a rule similar to `iifname "lo"...`?
>
> Signed-off-by: Eva Kurchatova <eva.kurchatova at virtuozzo.com>
>
> https://virtuozzo.atlassian.net/browse/VSTOR-135793
> Feature: fix selftests
>
> ---
> tools/testing/selftests/drivers/net/lib/py/env.py | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/tools/testing/selftests/drivers/net/lib/py/env.py b/tools/testing/selftests/drivers/net/lib/py/env.py
> index 1ea9bb695e94..b3d4c1accb25 100644
> --- a/tools/testing/selftests/drivers/net/lib/py/env.py
> +++ b/tools/testing/selftests/drivers/net/lib/py/env.py
> @@ -92,6 +92,7 @@ class NetDrvEpEnv:
> self._netns = None
> self._ns = None
> self._ns_peer = None
> + self._fw_ifname = None
>
> if "NETIF" in self.env:
> if nsim_test is True:
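Review bot: the new `self._fw_ifname = None` only ever gets a value in the netdevsim path of create_local(), so on the `if "NETIF" in self.env:` branch (a real NIC) the firewall adjustment is never applied and TCP tests against a host with a restrictive INPUT chain will still hang. Either document in the commit message that the fix is netdevsim-only, or set `_fw_ifname` to the NETIF name in that branch as well.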
> @@ -156,6 +157,13 @@ class NetDrvEpEnv:
> ip(f"-6 addr add dev {self._ns_peer.nsims[0].ifname} {self.nsim_v6_pfx}2/64 nodad", ns=self._netns)
> ip(f" link set dev {self._ns_peer.nsims[0].ifname} up", ns=self._netns)
>
> + # Allow all inbound traffic on the local test interface.
> + # A host firewall (e.g. firewalld) may reject connections to
> + # random test ports, causing TCP-based tests to time out.
> + self._fw_ifname = self._ns.nsims[0].ifname
> + cmd(f"firewall-cmd --zone=trusted --add-interface={self._fw_ifname}",
> + fail=False)
> +
> def _check_env(self):
> vars_needed = [
> ["LOCAL_V4", "LOCAL_V6"],
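Review bot: `fail=False` on the `firewall-cmd --zone=trusted --add-interface=...` call makes the failure mode silent. On a host without firewalld but with a plain nftables INPUT chain that ends in `reject with icmp type host-prohibited` (the setup shown earlier in this thread), firewall-cmd either is missing or errors out, nothing is logged, and the test still times out exactly as before. Consider checking the result of cmd() and emitting a warning (or skipping the TCP tests early) when the interface could not be admitted, and consider a fallback that inserts an `iifname <nsim> accept` rule via nft when firewalld is not running, so the test fails fast with a clear reason instead of hanging.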
> @@ -190,6 +198,11 @@ class NetDrvEpEnv:
> self.__del__()
>
> def __del__(self):
> + if self._fw_ifname:
> + cmd(f"firewall-cmd --zone=trusted "
> + f"--remove-interface={self._fw_ifname}",
> + fail=False)
> + self._fw_ifname = None
> if self._ns:
> self._ns.remove()
> self._ns = None
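Review bot: relying on `__del__` for the `--remove-interface` call means the trusted-zone binding is not undone when the test process is killed by the harness timeout, which is the very scenario the commit message describes; the explicit `self.__del__()` call in the exit path covers the normal case, but a crashed or killed run leaves the interface name registered in the trusted zone. Since the netdevsim device is deleted right after by `self._ns.remove()`, the stale binding points at a nonexistent interface and is mostly harmless, but it is worth noting in the comment and placing the removal in the explicit cleanup method rather than in the finalizer. The ordering (remove the zone binding before `self._ns.remove()`, while the ifname still exists) is correct.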
--
Best regards, Pavel Tikhomirov
Senior Software Developer, Virtuozzo.