[Devel] [PATCH vz10] selftests: drv-net: avoid host firewall interference

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Thu Jun 25 13:43:56 MSK 2026



On 6/25/26 00:33, Eva Kurchatova wrote:
> The NetDrvEpEnv test environment creates a netdevsim device in
> init_net and a peer in a separate network namespace. Tests such as
> ping.py's test_tcp start a socat listener in init_net and expect the
> remote namespace to connect to it via random port.
> 
> When a host firewall (e.g. firewalld with nftables backend) is active,
> its INPUT chain rejects inbound TCP connections to ports not in its
> allow-list. ICMP is explicitly permitted, so ping tests pass, but
> TCP-based tests hang indefinitely: the socat listener never receives a
> connection, and bkg(exit_wait=True) waits forever for it to exit,
> resulting in a timeout failure.
> 
> Fix this by adding the local netdevsim interface to the firewalld
> trusted zone after creating the test topology in create_local().
> The trusted zone accepts all traffic unconditionally, bypassing any
> filtering rules. The interface is removed from the zone during
> cleanup in __del__(). Both operations use fail=False so they are
> silently skipped on systems without firewalld.

But we don't have firewalld, though we have INPUT rules, yes.

systemctl status firewalld
○ firewalld.service
     Loaded: masked (Reason: Unit firewalld.service is masked.)
     Active: inactive (dead)

2026-06-22 11:51:51 UTC: |    rempylib.212 : rempy at 10.34.67.25: 'systemctl is-active --quiet firewalld'
2026-06-22 11:51:51 UTC: |hci-kselftests.259 : firewalld service is inactive

nft list ruleset
...
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		counter packets 844559 bytes 253833791 jump CUSTOM
		counter packets 844559 bytes 253833791 jump VZ_IN
		counter packets 840852 bytes 253523485 jump VZ_IN_VE
		ct state related,established counter packets 2415 bytes 251040 accept
		ip protocol icmp counter packets 0 bytes 0 accept
		iifname "lo" counter packets 35 bytes 17565 accept
		ct state invalid counter packets 0 bytes 0 drop
		counter packets 838402 bytes 253254880 reject with icmp type host-prohibited
		counter packets 0 bytes 0 jump VZ_IN_TAIL
	}

so firewall-cmd will fail, and the test will fail even after this fix, I guess.

Adding Dmitry Andreev to CC.

What is the right way to allow input from our netdevsim device on hci-8 for
a kernel selftest? Should we just add a rule similar to `iifname "lo"...`?

> 
> Signed-off-by: Eva Kurchatova <eva.kurchatova at virtuozzo.com>
> 
> https://virtuozzo.atlassian.net/browse/VSTOR-135793
> Feature: fix selftests
> 
> ---
>  tools/testing/selftests/drivers/net/lib/py/env.py | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> 
> diff --git a/tools/testing/selftests/drivers/net/lib/py/env.py b/tools/testing/selftests/drivers/net/lib/py/env.py
> index 1ea9bb695e94..b3d4c1accb25 100644
> --- a/tools/testing/selftests/drivers/net/lib/py/env.py
> +++ b/tools/testing/selftests/drivers/net/lib/py/env.py
> @@ -92,6 +92,7 @@ class NetDrvEpEnv:
>          self._netns = None
>          self._ns = None
>          self._ns_peer = None
> +        self._fw_ifname = None
>  
>          if "NETIF" in self.env:
>              if nsim_test is True:
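Review bot: `_fw_ifname` is initialised here next to `_netns`/`_ns`/`_ns_peer`, which `__del__` relies on, but the only place it is later assigned is the netdevsim path in create_local(), so an environment built from a NETIF device (the branch directly below) keeps it None and gets no firewall exception at all; either state in the commit message that the workaround covers the netdevsim topology only, or set it in the NETIF path as well.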
> @@ -156,6 +157,13 @@ class NetDrvEpEnv:
>          ip(f"-6 addr add dev {self._ns_peer.nsims[0].ifname} {self.nsim_v6_pfx}2/64 nodad", ns=self._netns)
>          ip(f"   link set dev {self._ns_peer.nsims[0].ifname} up", ns=self._netns)
>  
> +        # Allow all inbound traffic on the local test interface.
> +        # A host firewall (e.g. firewalld) may reject connections to
> +        # random test ports, causing TCP-based tests to time out.
> +        self._fw_ifname = self._ns.nsims[0].ifname
> +        cmd(f"firewall-cmd --zone=trusted --add-interface={self._fw_ifname}",
> +            fail=False)
> +
>      def _check_env(self):
>          vars_needed = [
>              ["LOCAL_V4", "LOCAL_V6"],
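Review bot: `fail=False` turns any failure of the firewall-cmd call into a silent no-op, so on a host like the one in the reply (no firewalld, but an nft INPUT chain ending in an unconditional reject) the TCP tests still hang with nothing in the output explaining why; check the command's result and log a warning when it is non-zero, or probe for firewalld first and emit a warning/skip, so the failure mode is visible. Separately, binding the interface to the trusted zone accepts all traffic on it unconditionally, which is wider than the test needs (one TCP listener reachable from the peer namespace); an accept rule keyed on this `iifname`, mirroring the existing `iifname "lo"` rule Pavel points to, would give the same result with less exposure on a shared host.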
> @@ -190,6 +198,11 @@ class NetDrvEpEnv:
>          self.__del__()
>  
>      def __del__(self):
> +        if self._fw_ifname:
> +            cmd(f"firewall-cmd --zone=trusted "
> +                f"--remove-interface={self._fw_ifname}",
> +                fail=False)
> +            self._fw_ifname = None
>          if self._ns:
>              self._ns.remove()
>              self._ns = None
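Review bot: the removal only happens if `__del__` actually runs; when the test process is killed by the harness timeout the commit message describes, the interface stays bound to the trusted zone in firewalld's runtime configuration (not `--permanent`, so it does not survive a reboot, and the netdevsim device is gone after `self._ns.remove()`, so the binding is stale rather than an open door, but `firewall-cmd --zone=trusted --list-interfaces` will keep reporting it). Ordering the removal before `self._ns.remove()` is right; consider wrapping the explicit cleanup path that calls `self.__del__()` (shown above) in a `finally`, and logging the result of this `firewall-cmd` rather than hiding it with `fail=False`, so a leftover binding is noticed.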

-- 
Best regards, Pavel Tikhomirov
Senior Software Developer, Virtuozzo.
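One way to turn the question above into a check rather than a guess, as an added example that is not part of this thread or of the patch: a small pre-flight evaluator that walks the INPUT chain pasted above (embedded here as a constructed sample copied from that listing, counters included) and reports whether a new inbound TCP connection on the netdevsim interface would be rejected, and whether an `iifname "<dev>" accept` rule placed ahead of the unconditional reject would change that. The interface name `nsim_local` and all function names are the example's own; the evaluator models only the expression kinds that appear in the listing and treats jumps to chains not shown as non-terminal, so it is a triage aid for a test harness, not a replacement for nft.

```python
import re

# Constructed sample for this example: the `ip filter` INPUT chain pasted in
# the reply above, kept with its counters so the parser has to strip them.
SAMPLE_CHAIN = """
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        counter packets 844559 bytes 253833791 jump CUSTOM
        counter packets 844559 bytes 253833791 jump VZ_IN
        counter packets 840852 bytes 253523485 jump VZ_IN_VE
        ct state related,established counter packets 2415 bytes 251040 accept
        ip protocol icmp counter packets 0 bytes 0 accept
        iifname "lo" counter packets 35 bytes 17565 accept
        ct state invalid counter packets 0 bytes 0 drop
        counter packets 838402 bytes 253254880 reject with icmp type host-prohibited
        counter packets 0 bytes 0 jump VZ_IN_TAIL
    }
}
"""

COUNTER_RE = re.compile(r"\s*counter packets \d+ bytes \d+")


def parse_chain(listing):
    """Return (policy, rules) for the first chain in an `nft list` dump,
    with the per-rule counters stripped so each rule is just its expressions."""
    policy, rules, in_chain = "accept", [], False
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("chain "):
            in_chain = True
        elif not in_chain or not line:
            continue
        elif line == "}":
            break  # end of the first chain
        elif line.startswith("type "):
            found = re.search(r"policy (\w+)", line)
            if found:
                policy = found.group(1)
        else:
            rules.append(COUNTER_RE.sub("", line).strip())
    return policy, rules


def rule_verdict(rule, pkt):
    """Verdict of one rule for packet `pkt` (dict with iifname, proto, ct_state),
    or None if the rule does not match.  Only the expression kinds present in
    the sample are modelled; a `jump` to a chain we cannot see is treated as
    not terminating, since the dump shows no chain bodies."""
    tok = rule.split()
    i = 0
    while i < len(tok):
        if tok[i] == "ct" and tok[i + 1] == "state":
            if pkt["ct_state"] not in tok[i + 2].split(","):
                return None
            i += 3
        elif tok[i] == "ip" and tok[i + 1] == "protocol":
            if pkt["proto"] != tok[i + 2]:
                return None
            i += 3
        elif tok[i] == "iifname":
            if pkt["iifname"] != tok[i + 1].strip('"'):
                return None
            i += 2
        elif tok[i] == "jump":
            return None
        elif tok[i] in ("accept", "drop", "reject"):
            return tok[i]
        else:
            raise ValueError(f"unsupported expression in rule: {rule}")
    return None


def chain_verdict(policy, rules, pkt):
    """First terminal verdict in rule order, falling back to the chain policy."""
    for rule in rules:
        verdict = rule_verdict(rule, pkt)
        if verdict is not None:
            return verdict
    return policy


def with_interface_accept(rules, ifname):
    """Rules as they would look after inserting `iifname "<ifname>" accept`
    ahead of the first unconditional reject/drop, i.e. the `iifname "lo"`-style
    rule asked about above.  Returns a new list; the input is not modified."""
    new_rule = f'iifname "{ifname}" accept'
    for idx, rule in enumerate(rules):
        if rule.split()[0] in ("reject", "drop"):
            return rules[:idx] + [new_rule] + rules[idx:]
    return rules + [new_rule]


def preflight(listing, ifname):
    """Verdict for a new inbound TCP connection arriving on `ifname`, before
    and after the interface-specific accept rule."""
    policy, rules = parse_chain(listing)
    pkt = {"iifname": ifname, "proto": "tcp", "ct_state": "new"}
    return {
        "before": chain_verdict(policy, rules, pkt),
        "after": chain_verdict(policy, with_interface_accept(rules, ifname), pkt),
    }


if __name__ == "__main__":
    # "nsim_local" is a constructed stand-in for the netdevsim interface name.
    print(preflight(SAMPLE_CHAIN, "nsim_local"))
```

Run against the listing from the thread, the check reports `reject` for a new TCP connection on the netdevsim interface (the host-prohibited rule wins, because ICMP and `lo` are the only unconditional accepts ahead of it) and `accept` once an interface-bound accept rule sits in front of the reject. Wired into env.py, a check like this could fail fast with a clear message when create_local() returns instead of letting test_tcp hang for the full timeout; which rule actually goes on hci-8 remains a host-configuration decision.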