test: add test case that 'nspawn --network-veth' enables IP forwarding

3 files changed, 67 insertions, 2 deletions

diff --git a/test/TEST-13-NSPAWN/test.sh b/test/TEST-13-NSPAWN/test.sh
index 5c85b0c5dc..3ab52d0eee 100755
--- a/test/TEST-13-NSPAWN/test.sh
+++ b/test/TEST-13-NSPAWN/test.sh
@@ -17,6 +17,8 @@ test_append_files() {
 
     # For virtual wlan interface.
     instmods mac80211_hwsim
+    # for IPMasquerade=
+    instmods "=net/netfilter"
     generate_module_dependencies
 
     # Create a dummy container "template" with a minimal toolset, which we can
diff --git a/test/test-functions b/test/test-functions
index e41e5792a3..8f08d84ad8 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -1454,10 +1454,31 @@ install_missing_libraries() {
         [[ -e "$libgcc_s" ]] && inst_library "$libgcc_s"
     done < <(ldconfig -p | awk '/\/libgcc_s.so.1$/ { print $4 }')
 
-    local lib path
+    local lib path libs
     # A number of dependencies is now optional via dlopen, so the install
     # script will not pick them up, since it looks at linkage.
-    for lib in libcryptsetup libidn libidn2 pwquality libqrencode tss2-esys tss2-rc tss2-mu tss2-tcti-device libfido2 libbpf libelf libdw xkbcommon p11-kit-1 libarchive libgcrypt libkmod; do
+    libs=(
+        libarchive
+        libbpf
+        libcryptsetup
+        libdw
+        libelf
+        libfido2
+        libgcrypt
+        libidn
+        libidn2
+        libip4tc
+        libkmod
+        libqrencode
+        p11-kit-1
+        pwquality
+        tss2-esys
+        tss2-mu
+        tss2-rc
+        tss2-tcti-device
+        xkbcommon
+    )
+    for lib in "${libs[@]}"; do
         ddebug "Searching for $lib via pkg-config"
         if pkg-config --exists "$lib"; then
                 path="$(pkg-config --variable=libdir "$lib")"
diff --git a/test/units/TEST-13-NSPAWN.nspawn.sh b/test/units/TEST-13-NSPAWN.nspawn.sh
index 80ba5c97a3..2de9f9079f 100755
--- a/test/units/TEST-13-NSPAWN.nspawn.sh
+++ b/test/units/TEST-13-NSPAWN.nspawn.sh
@@ -1014,4 +1014,46 @@ EOF
     rm -fr "$root"
 }
 
+testcase_ip_masquerade() {
+    local root
+
+    if ! command -v networkctl >/dev/null; then
+        echo "This test requires systemd-networkd, skipping..."
+        return 0
+    fi
+
+    systemctl unmask systemd-networkd.service
+    systemctl edit --runtime --stdin systemd-networkd.service --drop-in=debug.conf <<EOF
+[Service]
+Environment=SYSTEMD_LOG_LEVEL=debug
+EOF
+    systemctl start systemd-networkd.service
+
+    root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.ip_masquerade.XXX)"
+    create_dummy_container "$root"
+
+    systemd-run --unit=nspawn-hoge.service \
+                systemd-nspawn \
+                --register=no \
+                --directory="$root" \
+                --ephemeral \
+                --machine=hoge \
+                --network-veth \
+                bash -x -c "ip link set host0 up; sleep 30s"
+
+    /usr/lib/systemd/systemd-networkd-wait-online -i ve-hoge --timeout 30s
+
+    # Check IPMasquerade= for ve-* and friends enabled IP forwarding.
+    [[ "$(cat /proc/sys/net/ipv4/conf/all/forwarding)" == "1" ]]
+    [[ "$(cat /proc/sys/net/ipv4/conf/default/forwarding)" == "1" ]]
+    [[ "$(cat /proc/sys/net/ipv6/conf/all/forwarding)" == "1" ]]
+    [[ "$(cat /proc/sys/net/ipv6/conf/default/forwarding)" == "1" ]]
+
+    systemctl stop nspawn-hoge.service || :
+    systemctl stop systemd-networkd.service
+    systemctl mask systemd-networkd.service
+
+    rm -fr "$root"
+}
+
 run_testcases