fix: update WG tests to assert rp_filter is absent from PostUp/PostDown
Unit Tests / test (push) Successful in 11m46s
The pic1 commit (c65beb2) correctly removed rp_filter sysctl from
WireGuard PostUp/PostDown because writing /proc/sys fails in the
unprivileged (NET_ADMIN-only) container and crashed wg-quick. Two
tests that asserted rp_filter was present were left stale. Replace
them with a single test asserting rp_filter is NOT in the generated
config, restoring green main.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@@ -494,13 +494,12 @@ class TestWireGuardSysctlAndPortCheck(unittest.TestCase):
|
||||
|
||||
# ── generate_config sysctl safety ────────────────────────────────────────
|
||||
|
||||
def test_generate_config_postup_has_nonfatal_sysctl(self):
|
||||
def test_generate_config_omits_rp_filter_sysctl(self):
|
||||
# rp_filter is removed from PostUp/PostDown: writing /proc/sys fails in
|
||||
# the unprivileged (NET_ADMIN-only) WireGuard container and crashed
|
||||
# wg-quick. It is a perf/security tweak, not required for WG or NAT.
|
||||
cfg = self.wg.generate_config()
|
||||
self.assertIn('sysctl -q net.ipv4.conf.all.rp_filter=0 || true', cfg)
|
||||
|
||||
def test_generate_config_postdown_has_nonfatal_sysctl(self):
|
||||
cfg = self.wg.generate_config()
|
||||
self.assertIn('sysctl -q net.ipv4.conf.all.rp_filter=1 || true', cfg)
|
||||
self.assertNotIn('rp_filter', cfg)
|
||||
|
||||
def test_generate_config_has_masquerade(self):
|
||||
cfg = self.wg.generate_config()
|
||||
|
||||
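Review bot: the new assertion in test_generate_config_omits_rp_filter_sysctl only guards the literal string 'rp_filter', while the comment above it gives the failure cause as writing /proc/sys in the NET_ADMIN-only container, which would apply to any sysctl call in PostUp/PostDown. If generate_config() is not expected to emit any other sysctl command, consider adding a second assertion such as self.assertNotIn('sysctl', cfg), so that a different sysctl added later fails here instead of crashing wg-quick at startup. The comment calls rp_filter a "perf/security tweak"; since the removed lines set net.ipv4.conf.all.rp_filter=0 on PostUp and restored 1 on PostDown, it would help to state in the comment that the config now leaves reverse-path filtering untouched, so a reader auditing the tunnel's anti-spoofing behaviour knows the value is no longer managed by this code.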