Add firewall rules to protect Docker gateway from external access (#6650)

Add iptables rules via a systemd transient unit to drop traffic addressed to the bridge gateway IP from non-bridge interfaces. The firewall manager waits for the transient unit to complete and verifies success via D-Bus property change signals. On failure, the system is marked unhealthy and host-network add-ons are prevented from booting. Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-17 23:33:35 +01:00 · 2026-03-19 16:46:17 +01:00
parent c16b3ca516
commit 36124eafae
8 changed files with 466 additions and 2 deletions
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -473,6 +473,18 @@ async def fixture_all_dbus_services(
    )


+@pytest.fixture(autouse=True)
+def _mock_firewall():
+    """Mock out firewall rules by default to avoid dbus signal timeouts."""
+    patcher = patch(
+        "supervisor.host.firewall.FirewallManager.apply_gateway_firewall_rules",
+        new_callable=AsyncMock,
+    )
+    patcher.start()
+    yield patcher
+    patcher.stop()
+
+
@pytest.fixture
 async def coresys(
    docker: DockerAPI,