From 8f9c09edd4c2ba01cf9091c663ab8b6583b41a47 Mon Sep 17 00:00:00 2001
From: Rob Murray
Date: Thu, 9 Jan 2025 18:49:18 +0000
Subject: [PATCH] Fix unit tests for an nftables host

On a freshly rebooted Linux host that's configured to use nftables with the iptables front-end, "make test-unit" fails "TestUserChains" on the first run - it's ok in subsequent runs.

The unit tests run in moby's dev container. The first test in TestUserChain runs with ip6tables disabled, so the bridge driver doesn't try to load the ip6_tables module. Then, because the module isn't loaded (it wasn't needed by the daemon running on the nftables host when it started), the test fails because it can't check what's in the ip6tables filter chain.

The next test in TestUserChain does the same thing, but with ip6tables enabled. So the module gets loaded by the bridge driver, and everything works normally after that.

The dev container used to try to load the module on startup, but that was removed in commit 2af19b6b ("Don't try to modprobe ip6_tables in the moby dev container"), as part of a change to give the daemon a way to load modules itself.

Rather than put back the dev container's code to load ip6_tables on startup (which would mean the daemon's module-loading code not getting to run on nftables/firewalld hosts) ...

Run the tests in TestUserChains in a different order, with iptables enabled in the first test will make it happen to work. At least for now.

It's not ideal, but we'll be switching to nftables soon, so the issue will go away.

Signed-off-by: Rob Murray
---
 libnetwork/firewall_linux_test.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/libnetwork/firewall_linux_test.go b/libnetwork/firewall_linux_test.go
index 4308da22e61b5..57c94f45e0807 100644
--- a/libnetwork/firewall_linux_test.go
+++ b/libnetwork/firewall_linux_test.go
@@ -27,10 +27,6 @@ func TestUserChain(t *testing.T) { iptables bool append bool // append other rules to FORWARD }{ - { - iptables: false, - append: false, - }, { iptables: true, append: false, @@ -39,6 +35,10 @@ func TestUserChain(t *testing.T) { iptables: true, append: true, }, + { + iptables: false, + append: false, + }, } for _, tc := range tests {
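Review bot: The order of the entries in the tests table in TestUserChain is now load-bearing, but nothing in the table says so. The `iptables: false, append: false` case only passes on a freshly booted nftables host because an earlier `iptables: true` case has already caused the bridge driver to load ip6_tables, so a later reorder of the table, or running that case on its own, brings the original failure back. Please add a comment on the first entry (or above the moved one) stating that an iptables-enabled case must run before the disabled one and why, ideally referencing commit 2af19b6b so the workaround can be removed with the switch to nftables. A sturdier alternative would be for the disabled case to skip its ip6tables filter chain check, or skip itself via t.Skip, when the module is not available, rather than depending on state left behind by a sibling case.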