test: Use `nft` instead of `iptables`

`iptables` has been a backwards compatibility shim for nftables for a long time now, and finally does not work on CentOS/RHEL 10 any more. The first case in TestConnection.testBasic takes the socket away on the login page with a TCP reset reply. We can get the same effect by just stopping the socket. The second case silently drops the packets to cover the "reply timeout" functionality of the shell. Replace `iptables` with the corresponding `nft` commands. It would be nice to use firewalld for that, but that has a default rule to always allow packets on established connections -- but severing that is exactly the goal of this test.
2024-04-17 12:04:34 +02:00 · 2024-04-17 12:04:34 +02:00 · 5516784bc7
parent ef77aee7f7
commit 5516784bc7
1 changed files with 16 additions and 9 deletions
--- a/test/verify/check-connection
+++ b/test/verify/check-connection
@ -123,10 +123,10 @@ class TestConnection(testlib.MachineCase):
        b.set_val("#login-password-input", "foobar")

        # sever the connection on the login page
-        m.execute("iptables -w -I INPUT -p tcp --dport 9090 -j REJECT --reject-with tcp-reset")
+        stop_cockpit()
        b.click('#login-button')
        b.wait_text_not('#login-fatal-message', "")
-        m.execute("iptables -w -D INPUT -p tcp --dport 9090 -j REJECT --reject-with tcp-reset")
+        start_cockpit()
        b.reload()
        b.wait_visible("#login")
        b.set_val("#login-user-input", "admin")
@ -135,14 +135,21 @@ class TestConnection(testlib.MachineCase):
        b.enter_page("/system")

        # sever the connection on the server page
-        m.execute("iptables -w -I INPUT -p tcp --dport 9090 -j REJECT")
-        b.switch_to_top()
-        with b.wait_timeout(60):
-            b.wait_visible(".curtains-ct")
+        # would be nice to use `firewall-cmd --add-rich-rule`, but firewalld always allows "established" connections
+        m.execute("nft add table ip cockpittest")
+        m.execute("nft add chain ip cockpittest INPUT '{ type filter hook input priority 0; policy accept; }'")
+        m.execute("nft insert rule ip cockpittest INPUT tcp dport 9090 reject")
+
+        try:
+            b.switch_to_top()
+            with b.wait_timeout(60):
+                b.wait_visible(".curtains-ct")
+
+            b.wait_in_text(".curtains-ct h1", "Disconnected")
+            b.wait_in_text('.curtains-ct .pf-v5-c-empty-state__body', "Connection has timed out.")
+        finally:
+            m.execute("nft delete table ip cockpittest")

-        b.wait_in_text(".curtains-ct h1", "Disconnected")
-        b.wait_in_text('.curtains-ct .pf-v5-c-empty-state__body', "Connection has timed out.")
-        m.execute("iptables -w -D INPUT -p tcp --dport 9090 -j REJECT")
        b.click("#machine-reconnect")
        b.enter_page("/system")
        b.logout()