From c3ba82251a03e3804823b5f5ad3884db6cc65652 Mon Sep 17 00:00:00 2001
From: Dmitrii Iurco
Date: Wed, 10 Jun 2026 14:53:58 -0400
Subject: [PATCH] fix: update WG tests to assert rp_filter is absent from PostUp/PostDown

The pic1 commit (c65beb2) correctly removed rp_filter sysctl from WireGuard PostUp/PostDown because writing /proc/sys fails in the unprivileged (NET_ADMIN-only) container and crashed wg-quick. Two tests that asserted rp_filter was present were left stale. Replace them with a single test asserting rp_filter is NOT in the generated config, restoring green main.

Co-Authored-By: Claude Fable 5
---
 tests/test_wireguard_manager.py | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/tests/test_wireguard_manager.py b/tests/test_wireguard_manager.py
index fca501c..c3d852e 100644
--- a/tests/test_wireguard_manager.py
+++ b/tests/test_wireguard_manager.py
@@ -494,13 +494,12 @@ class TestWireGuardSysctlAndPortCheck(unittest.TestCase):
 # ── generate_config sysctl safety ────────────────────────────────────────
- def test_generate_config_postup_has_nonfatal_sysctl(self):
+ def test_generate_config_omits_rp_filter_sysctl(self):
+ # rp_filter is removed from PostUp/PostDown: writing /proc/sys fails in
+ # the unprivileged (NET_ADMIN-only) WireGuard container and crashed
+ # wg-quick. It is a perf/security tweak, not required for WG or NAT.
 cfg = self.wg.generate_config()
- self.assertIn('sysctl -q net.ipv4.conf.all.rp_filter=0 || true', cfg)
-
- def test_generate_config_postdown_has_nonfatal_sysctl(self):
- cfg = self.wg.generate_config()
- self.assertIn('sysctl -q net.ipv4.conf.all.rp_filter=1 || true', cfg)
+ self.assertNotIn('rp_filter', cfg)
 def test_generate_config_has_masquerade(self):
 cfg = self.wg.generate_config()
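Review bot: `self.assertNotIn('rp_filter', cfg)` in test_generate_config_omits_rp_filter_sysctl pins only one key name, while the failure the comment describes is any write to /proc/sys from PostUp/PostDown in the NET_ADMIN-only container. If generate_config() emits no other sysctl call (it is not visible in this hunk, so this needs confirming), adding `self.assertNotIn('sysctl', cfg)` next to the existing assertion would stop a different key from bringing the wg-quick crash back. The comment also leaves open where rp_filter is decided now: the removed PostUp line set it to 0, so as far as this hunk shows the value is simply inherited, and I would add `# rp_filter is no longer touched here; it keeps whatever the container's network namespace was created with.` The enclosing class starts above the hunk and test_generate_config_has_masquerade continues below it.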