Add test cases that existed for iptables but not for nftables

l0rd · l0rd · commit aa8c63e4afd8 · 2025-11-10T18:23:01.000+01:00
Signed-off-by: Mario Loriedo &lt;mario.loriedo@gmail.com&gt;
diff --git a/test/250-bridge-nftables.bats b/test/250-bridge-nftables.bats
@@ -147,8 +147,15 @@ export NETAVARK_FW=nftables
     run_helper ps "$aardvark_pid"
     assert "${lines[1]}" =~ ".*aardvark-dns --config $NETAVARK_TMPDIR/config/aardvark-dns -p $dns_port run" "aardvark not running or bad options"
 
-    NETAVARK_DNS_PORT="$dns_port" run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge-network-container-dns-server.json \
+    # Use run_helper instead of run_netavark here to check network namespace detection logic.
+    # See https://github.com/containers/netavark/issues/911 for details.
+    NETAVARK_DNS_PORT="$dns_port" run_helper $NETAVARK --config "$NETAVARK_TMPDIR/config" --rootless "$rootless" --file ${TESTSDIR}/testfiles/dualstack-bridge-network-container-dns-server.json \
         update podman1 --network-dns-servers 8.8.8.8
+    assert "$output" = ""
+
+    # after update the pid should never change
+    aardvark_pid2=$(cat "$NETAVARK_TMPDIR/config/aardvark-dns/aardvark.pid")
+    assert "$aardvark_pid2" == "$aardvark_pid" "aardvark-dns pid after nv update"
 
     # check aardvark config and running
     run_helper cat "$NETAVARK_TMPDIR/config/aardvark-dns/podman1"
@@ -271,7 +278,7 @@ export NETAVARK_FW=nftables
 }
 
 @test "$fw_driver - bridge driver must generate config for aardvark with multiple custom dns server" {
-    # get a random port directly to avoid low ports e.g. 53 would not create nftables
+    # get a random port directly to avoid low ports e.g. 53 would not create nftables rules
     dns_port=$((RANDOM+10000))
 
     NETAVARK_DNS_PORT="$dns_port" run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge-multiple-custom-dns-server.json \
@@ -351,6 +358,94 @@ export NETAVARK_FW=nftables
     expected_rc=1 run_helper ps "$aardvark_pid"
 }
 
+@test "$fw_driver - dns with default drop policy" {
+    run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge.json \
+        setup $(get_container_netns_path)
+
+    run_in_host_netns nft add chain inet netavark INPUT \{ type filter hook input priority 0 \; policy drop \; \}
+    run_in_host_netns nft add rule inet netavark INPUT ct state related,established accept
+    run_in_host_netns nft add rule inet netavark INPUT meta l4proto ipv6-icmp accept # allow ICMPv6, required for DNS resolution
+
+    # check aardvark config and running
+    run_helper cat "$NETAVARK_TMPDIR/config/aardvark-dns/podman1"
+    assert "${lines[0]}" =~ "10.89.3.1,fd10:88:a::1" "aardvark set to listen to all IPs"
+    assert "${lines[1]}" =~ "^[0-9a-f]{64} 10.89.3.2 fd10:88:a::2 somename$" "aardvark config's container"
+    assert "${#lines[@]}" = 2 "too many lines in aardvark config"
+
+    aardvark_pid=$(cat "$NETAVARK_TMPDIR/config/aardvark-dns/aardvark.pid")
+    assert "$ardvark_pid" =~ "[0-9]*" "aardvark pid not found"
+    run_helper ps "$aardvark_pid"
+    assert "${lines[1]}" =~ ".*aardvark-dns --config $NETAVARK_TMPDIR/config/aardvark-dns -p 53 run" "aardvark not running or bad options"
+
+    # test redirection actually works
+    run_in_container_netns dig +short "somename.dns.podman" @10.89.3.1 A "somename.dns.podman" @10.89.3.1 AAAA
+    assert "${lines[0]}" =~ "10.89.3.2" "ipv4 dns resolution works 1/2"
+    assert "${lines[1]}" =~ "fd10:88:a::2" "ipv6 dns resolution works 2/2"
+
+    run_in_container_netns dig +short "somename.dns.podman" @fd10:88:a::1
+    assert "${lines[0]}" =~ "10.89.3.2" "ipv6 dns resolution works"
+
+    run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge.json \
+        teardown $(get_container_netns_path)
+
+    # check nftables rules were removed
+    run_in_host_netns nft list chain inet netavark NETAVARK-HOSTPORT-DNAT
+    assert "${#lines[@]}" = 4 "too many v4 NETAVARK_HOSTPORT-DNAT rules after teardown"
+
+    # check aardvark config got cleared, process killed
+    expected_rc=2 run_helper ls "$NETAVARK_TMPDIR/config/aardvark-dns/podman1"
+    expected_rc=1 run_helper ps "$aardvark_pid"
+}
+
+@test "$fw_driver - dns with default drop policy with non-default dns port" {
+    # get a random port
+    dns_port=$((RANDOM+10000))
+
+    NETAVARK_DNS_PORT="$dns_port" run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge.json \
+        setup $(get_container_netns_path)
+
+    # check that random DNS port was added to nftables rules
+    run_in_host_netns nft list chain inet netavark NETAVARK-HOSTPORT-DNAT
+    assert "${lines[2]}" =~ "ip6 daddr fd10:88:a::1 meta l4proto \{ tcp, udp \} th dport 53 dnat ip6 to \[fd10:88:a::1\]:$dns_port" "DNS forward rule ip6"
+    assert "${lines[3]}" =~ "ip daddr 10.89.3.1 meta l4proto \{ tcp, udp \} th dport 53 dnat ip to 10.89.3.1:$dns_port" "DNS forward rule ip4"
+
+    run_in_host_netns nft add chain inet netavark INPUT \{ type filter hook input priority 0 \; policy drop \; \}
+    run_in_host_netns nft add rule inet netavark INPUT ip saddr 10.89.3.0/24 meta l4proto \{ tcp, udp \} th dport $dns_port accept
+    run_in_host_netns nft add rule inet netavark INPUT ip6 saddr fd10:88:a::/64 meta l4proto \{ tcp, udp \} th dport $dns_port accept
+    run_in_host_netns nft add rule inet netavark INPUT ct state related,established accept
+    run_in_host_netns nft add rule inet netavark INPUT meta l4proto ipv6-icmp accept # allow ICMPv6, required for DNS resolution
+
+    # check aardvark config and running
+    run_helper cat "$NETAVARK_TMPDIR/config/aardvark-dns/podman1"
+    assert "${lines[0]}" =~ "10.89.3.1,fd10:88:a::1" "aardvark set to listen to all IPs"
+    assert "${lines[1]}" =~ "^[0-9a-f]{64} 10.89.3.2 fd10:88:a::2 somename$" "aardvark config's container"
+    assert "${#lines[@]}" = 2 "too many lines in aardvark config"
+
+    aardvark_pid=$(cat "$NETAVARK_TMPDIR/config/aardvark-dns/aardvark.pid")
+    assert "$ardvark_pid" =~ "[0-9]*" "aardvark pid not found"
+    run_helper ps "$aardvark_pid"
+    assert "${lines[1]}" =~ ".*aardvark-dns --config $NETAVARK_TMPDIR/config/aardvark-dns -p $dns_port run" "aardvark not running or bad options"
+
+    # test redirection actually works
+    run_in_container_netns dig +short "somename.dns.podman" @10.89.3.1 A "somename.dns.podman" @10.89.3.1 AAAA
+    assert "${lines[0]}" =~ "10.89.3.2" "ipv4 dns resolution works 1/2"
+    assert "${lines[1]}" =~ "fd10:88:a::2" "ipv6 dns resolution works 2/2"
+
+    run_in_container_netns dig +short "somename.dns.podman" @fd10:88:a::1
+    assert "${lines[0]}" =~ "10.89.3.2" "ipv6 dns resolution works"
+
+    NETAVARK_DNS_PORT="$dns_port" run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge.json \
+        teardown $(get_container_netns_path)
+
+    # check nftables rules were removed
+    run_in_host_netns nft list chain inet netavark NETAVARK-HOSTPORT-DNAT
+    assert "${#lines[@]}" = 4 "too many v4 NETAVARK_HOSTPORT-DNAT rules after teardown"
+
+    # check aardvark config got cleared, process killed
+    expected_rc=2 run_helper ls "$NETAVARK_TMPDIR/config/aardvark-dns/podman1"
+    expected_rc=1 run_helper ps "$aardvark_pid"
+}
+
 @test "$fw_driver - check error message from netns thread" {
     # create interface in netns to force error
     run_in_container_netns ip link add eth0 type dummy
@@ -477,6 +572,35 @@ export NETAVARK_FW=nftables
     test_port_fw hostip="127.0.0.1"
 }
 
+# Test that port forwarding works with strict Reverse Path Forwarding enabled on the host
+@test "$fw_driver - port forwarding with two networks and RPF - tcp" {
+    # First, enable strict RPF on host/container ns.
+    run_in_host_netns sysctl -w net.ipv4.conf.all.rp_filter=1
+    run_in_host_netns sysctl -w net.ipv4.conf.default.rp_filter=1
+    run_in_container_netns sysctl -w net.ipv4.conf.all.rp_filter=1
+    run_in_container_netns sysctl -w net.ipv4.conf.default.rp_filter=1
+
+    # We need a dummy interface with a host ip,
+    # if we connect directly to the bridge ip it doesn't reproduce.
+    add_dummy_interface_on_host dummy0 "10.0.0.1/24"
+
+    run_netavark --file ${TESTSDIR}/testfiles/two-networks.json setup $(get_container_netns_path)
+    result="$output"
+
+    run_in_host_netns cat /proc/sys/net/ipv4/conf/podman2/rp_filter
+    assert "2" "rp_filter podman2 bridge"
+    run_in_host_netns cat /proc/sys/net/ipv4/conf/podman3/rp_filter
+    assert "2" "rp_filter podman3 bridge"
+
+    run_in_container_netns cat /proc/sys/net/ipv4/conf/eth0/rp_filter
+    assert "2" "rp_filter eth0 interface"
+    run_in_container_netns cat /proc/sys/net/ipv4/conf/eth1/rp_filter
+    assert "2" "rp_filter eth1 interface"
+
+    # Important: Use the "host" ip here and not localhost or bridge ip.
+    run_connection_test "0" "tcp" 8080 "10.0.0.1" 8080
+}
+
 @test "bridge ipam none" {
            read -r -d '\0' config <<EOF
 {
@@ -985,6 +1109,7 @@ net/ipv4/conf/podman1/rp_filter = 2"
 @test "$fw_driver - port forwarding ipv4 - tcp with firewalld reload" {
     test_port_fw firewalld_reload=true
 }
+
 @test "$fw_driver - test firewall-reload" {
     # setup a simple bridge network
     run_netavark --file ${TESTSDIR}/testfiles/simplebridge.json setup $(get_container_netns_path)
@@ -1015,7 +1140,6 @@ net/ipv4/conf/podman1/rp_filter = 2"
     run_netavark --file ${TESTSDIR}/testfiles/simplebridge.json teardown $(get_container_netns_path)
 }
 
-
 function check_simple_bridge_nftables() {
     # check nftables POSTROUTING chain
     run_in_host_netns nft list chain inet netavark POSTROUTING
