roof/pic
1
0
Fork 0
Code Issues Pull Requests Actions Wiki Activity

fix: update WG tests to assert rp_filter is absent from PostUp/PostDown
Unit Tests / test (push) Successful in 11m46s
Details

Browse Source 
The pic1 commit (c65beb2) correctly removed rp_filter sysctl from
WireGuard PostUp/PostDown because writing /proc/sys fails in the
unprivileged (NET_ADMIN-only) container and crashed wg-quick. Two
tests that asserted rp_filter was present were left stale. Replace
them with a single test asserting rp_filter is NOT in the generated
config, restoring green main.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Dmitrii Iurco
2026-06-10 14:53:58 -04:00
parent c65beb27a6
commit c3ba82251a
1 changed files with 5 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/test_wireguard_manager.py
+5 -6
View File
@@ -494,13 +494,12 @@ class TestWireGuardSysctlAndPortCheck(unittest.TestCase):
# ── generate_config sysctl safety ──────────────────────────────────────── # ── generate_config sysctl safety ────────────────────────────────────────
def test_generate_config_postup_has_nonfatal_sysctl(self): def test_generate_config_omits_rp_filter_sysctl(self):
# rp_filter is removed from PostUp/PostDown: writing /proc/sys fails in
# the unprivileged (NET_ADMIN-only) WireGuard container and crashed
# wg-quick. It is a perf/security tweak, not required for WG or NAT.
cfg = self.wg.generate_config() cfg = self.wg.generate_config()
self.assertIn('sysctl -q net.ipv4.conf.all.rp_filter=0 || true', cfg) self.assertNotIn('rp_filter', cfg)
def test_generate_config_postdown_has_nonfatal_sysctl(self):
cfg = self.wg.generate_config()
self.assertIn('sysctl -q net.ipv4.conf.all.rp_filter=1 || true', cfg)
def test_generate_config_has_masquerade(self): def test_generate_config_has_masquerade(self):
cfg = self.wg.generate_config() cfg = self.wg.generate_config()