fix: Fix "interface_pci_id" role option

Cause: The introduction of this feature in commit 2b0bb1b was broken:
The new `interface_pci_id` option was not passed to `firewall_lib`. The
integration test case was very shallow and did not verify the success of
the operation.

Consequence: Calling the role with `interface_pci_id` had no effect,
that setting was ignored.

Fix: Pass the option to the module.

Rework the test, which was pretty much completely broken:

 - Add a positive assertion that the interface mapped to the given PCI
   ID actually appears in the nftables/iptables rules.

 - Replace the hardcoded 1af4:0001 ID in the test with runtime
   detection. That *happens* to be the ID of QEMU's virtio card, but
   this is neither obvious nor reliable nor does it apply to other
   environments such as Testing Farm.

 - Container environments don't have any "real" (PCI) interface, so
   skip the test if we can't find any.

 - The iptables vs. nftables detection was also broken on RHEL > 9 and
   Fedora, as `dbus-send` is not installed by default any more
   (`busctl` is more modern, but not yet available in RHEL 7), and the
   D-Bus property does not exist on RHEL 7 either. This was shadowed by
   the bug above (the actually checked backend didn't matter). The
   dynamic detection is too hard/brittle to fix, and there is no
   surprise about the backend anyway: RHEL 7 uses iptables, everything
   else nftables. So put that condition into the test directly, which
   is much more robust.

Fixes #272

Author: martinpitt

tasks/main.yml

@@ -98,6 +98,7 @@
     source: "{{ item.source | default(omit) }}"
     destination: "{{ item.destination | default(omit) }}"
     interface: "{{ item.interface | default(omit) }}"
+    interface_pci_id: "{{ item.interface_pci_id | default(omit) }}"
     icmp_block: "{{ item.icmp_block | default(omit) }}"
     icmp_block_inversion: "{{ item.icmp_block_inversion | default(omit) }}"
     timeout: "{{ item.timeout | default(omit) }}"

tests/tests_interface_pci.yml

@@ -7,32 +7,46 @@
     - linux-system-roles.firewall
 
   tasks:
-    - name: Get backend from dbus
-      command: >-
-        dbus-send --system --print-reply --type=method_call
-        --dest=org.fedoraproject.FirewallD1
-        /org/fedoraproject/FirewallD1/config
-        org.freedesktop.DBus.Properties.Get
-        string:"org.fedoraproject.FirewallD1.config"
-        string:"FirewallBackend"
-      ignore_errors: true  # noqa ignore-errors
-      register: result
-      changed_when: false
-
-    - name: Get backend from result
+    - name: Set expected backend
       set_fact:
         nftables_backend:
-          "{{ result is not failed and 'nftables' in result.stdout }}"
+          "{{ true
+            if ansible_distribution in ['RedHat', 'CentOS', 'Fedora']
+            and ansible_distribution_major_version is version('8', '>=')
+            else false }}"
+
+    - name: Find ethernet interface
+      shell: |
+        set -euo pipefail
+        I=$(find /sys/class/net -name 'e*' | head -n1)
+        # containers only have virtual devices; for PCI we need a real one
+        if [ -n "$I" ] && [ -e "$I/device/vendor" ]; then
+          echo "$I"
+        fi
+      register: find_iface
+      changed_when: false
 
     - name: Test interfaces with PCI ids
+      # this can't be tested in containers or similar envs without any real
+      # ethernet devices
+      when: find_iface.stdout != ""
       block:
+        - name: Determine interface vendor/product ID
+          shell: |
+            set -euo pipefail
+            VID="$(sed 's/^0x//' < {{ find_iface.stdout | quote }}/device/vendor)"
+            PID="$(sed 's/^0x//' < {{ find_iface.stdout | quote }}/device/device)"
+            echo "$VID:$PID"
+          register: pci_id
+          changed_when: false
+
         - name: Add pci device ethernet controller
           include_role:
             name: linux-system-roles.firewall
           vars:
             firewall:
               zone: internal
-              interface_pci_id: 1af4:0001
+              interface_pci_id: "{{ pci_id.stdout }}"
               state: enabled
               permanent: true
 
@@ -42,31 +56,43 @@
           vars:
             firewall:
               zone: internal
-              interface_pci_id: 1af4:0001
+              interface_pci_id: "{{ pci_id.stdout }}"
               state: enabled
               permanent: true
 
-        - name: Assert pcid not in nftable ruleset
+        - name: Get nftable ruleset
           command: nft list ruleset
-          register: result
-          failed_when: result is failed or '1af4:0001' in result.stdout
-          when: nftables_backend | bool
+          register: nft_list
           changed_when: false
+          when: nftables_backend | bool
+
+        - name: Assert that interface is in nftable ruleset
+          assert:
+            that:
+              - find_iface.stdout | basename in nft_list.stdout
+              - pci_id.stdout | trim not in nft_list.stdout
+          when: nftables_backend | bool
 
-        - name: Assert pcid not in iptables rules
+        - name: Get iptables ruleset
           command: iptables -S
-          register: result
-          failed_when: result is failed or '1af4:0001' in result.stdout
-          when: not nftables_backend | bool
+          register: ipt_list
           changed_when: false
+          when: not nftables_backend | bool
+
+        - name: Assert that interface is in iptables ruleset
+          assert:
+            that:
+              - find_iface.stdout | basename in ipt_list.stdout
+              - pci_id.stdout | trim not in ipt_list.stdout
+          when: not nftables_backend | bool
 
         - name: Remove interface from internal
           include_role:
             name: linux-system-roles.firewall
           vars:
             firewall:
               zone: internal
-              interface_pci_id: 1af4:0001
+              interface_pci_id: "{{ pci_id.stdout }}"
               state: disabled
               permanent: true
       always: