fix: Fix "interface_pci_id" role option

martinpitt · martinpitt · commit 9adb323731bb · 2025-05-20T12:46:08.000+02:00
Cause: The introduction of this feature in commit 2b0bb1b was broken: The new `interface_pci_id` option was not passed to `firewall_lib`. The integration test case was very shallow and did not verify the success of the operation. Consequence: Calling the role with `interface_pci_id` had no effect, that setting was ignored. Fix: Pass the option to the module. Rework the test to add a positive assertion that the interface mapped to the given PCI ID actually appears in the nftables/iptables rules. Also replace the hardcoded 1af4:0001 ID in the test with runtime detection. That *happens* to be the ID of QEMU's virtio card, but this is neither obvious nor reliable nor does it apply to other environments such as Testing Farm. Fixes #277
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -98,6 +98,7 @@
     source: "{{ item.source | default(omit) }}"
     destination: "{{ item.destination | default(omit) }}"
     interface: "{{ item.interface | default(omit) }}"
+    interface_pci_id: "{{ item.interface_pci_id | default(omit) }}"
     icmp_block: "{{ item.icmp_block | default(omit) }}"
     icmp_block_inversion: "{{ item.icmp_block_inversion | default(omit) }}"
     timeout: "{{ item.timeout | default(omit) }}"
diff --git a/tests/tests_interface_pci.yml b/tests/tests_interface_pci.yml
@@ -26,13 +26,30 @@
 
     - name: Test interfaces with PCI ids
       block:
+        - name: Find network interface
+          shell: |
+            set -euo pipefail
+            find /sys/class/net -mindepth 1 ! -name lo | head -n1
+          register: find_iface
+          changed_when: false
+          failed_when: find_iface is failed or (find_iface.stdout | trim) == ""
+
+        - name: Determine interface vendor/product ID
+          shell: |
+            set -euo pipefail
+            VID="$(sed 's/^0x//' < {{find_iface.stdout}}/device/vendor)"
+            PID="$(sed 's/^0x//' < {{find_iface.stdout}}/device/device)"
+            echo "$VID:$PID"
+          register: pci_id
+          changed_when: false
+
         - name: Add pci device ethernet controller
           include_role:
             name: linux-system-roles.firewall
           vars:
             firewall:
               zone: internal
-              interface_pci_id: 1af4:0001
+              interface_pci_id: "{{pci_id.stdout}}"
               state: enabled
               permanent: true
 
@@ -42,31 +59,43 @@
           vars:
             firewall:
               zone: internal
-              interface_pci_id: 1af4:0001
+              interface_pci_id: "{{pci_id.stdout}}"
               state: enabled
               permanent: true
 
-        - name: Assert pcid not in nftable ruleset
+        - name: Get nftable ruleset
           command: nft list ruleset
-          register: result
-          failed_when: result is failed or '1af4:0001' in result.stdout
-          when: nftables_backend | bool
+          register: nft_list
           changed_when: false
+          when: nftables_backend | bool
 
-        - name: Assert pcid not in iptables rules
+        - name: Assert that interface is in nftable ruleset
+          assert:
+            that:
+              - find_iface.stdout | basename in nft_list.stdout
+              - pci_id.stdout | trim not in nft_list.stdout
+          when: nftables_backend | bool
+
+        - name: Get iptables ruleset
           command: iptables -S
-          register: result
-          failed_when: result is failed or '1af4:0001' in result.stdout
-          when: not nftables_backend | bool
+          register: ipt_list
           changed_when: false
+          when: not nftables_backend | bool
+
+        - name: Assert that interface is in iptables ruleset
+          assert:
+            that:
+              - find_iface.stdout | basename in ipt_list.stdout
+              - pci_id.stdout | trim not in ipt_list.stdout
+          when: not nftables_backend | bool
 
         - name: Remove interface from internal
           include_role:
             name: linux-system-roles.firewall
           vars:
             firewall:
               zone: internal
-              interface_pci_id: 1af4:0001
+              interface_pci_id: "{{pci_id.stdout}}"
               state: disabled
               permanent: true
       always:
