From 468f8c3a924e0e87c0ddd5a1e766d4b32563c554 Mon Sep 17 00:00:00 2001
From: sjat
Date: Fri, 19 Jun 2026 10:32:09 +0200
Subject: [PATCH] fix(integration): match live nft `priority filter` in the ubongo verify

`nft list ruleset` prints the symbolic chain priority (`filter` = 0); the ubongo profile asserted `priority 0` (the rendered-file format the Molecule scenario checks), so the live-ruleset assertion failed even though the firewall was correct. Assert `priority filter` for the input/forward policy lines.

Caught by the harness GREEN gate (`make test-integration HOST=ubongo`).

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 tests/integration/verify.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/tests/integration/verify.yml b/tests/integration/verify.yml
index 129b908..1f460f5 100644
--- a/tests/integration/verify.yml
+++ b/tests/integration/verify.yml
@@ -71,8 +71,10 @@
 when: integration_profile == 'ubongo'
 ansible.builtin.assert:
 that:
- - "'hook input priority 0; policy drop;' in _nft.stdout"
- - "'hook forward priority 0; policy accept;' in _nft.stdout"
+ # live `nft list ruleset` prints the SYMBOLIC priority (`filter` = 0), unlike the
+ # rendered /etc/nftables.conf (`priority 0`) that the Molecule scenario asserts against.
+ - "'hook input priority filter; policy drop;' in _nft.stdout"
+ - "'hook forward priority filter; policy accept;' in _nft.stdout"
 # the ssh-from-control lifeline (base__firewall_control_addr) — the reconnect path
 - "'ip saddr 192.168.150.1 tcp dport 22 accept' in _nft.stdout"
 - "'ip saddr 192.168.150.98 tcp dport 22 accept' in _nft.stdout"
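Review bot: The new `priority filter` assertions pin the check to how the installed nft happens to render chain priorities, so a host whose nft prints the numeric form (as the rendered /etc/nftables.conf does) fails for the same reason the old lines did, and the live and Molecule checks now carry two different spellings of one expectation. Accepting both spellings keeps a single expectation valid for the live ruleset and the rendered file: `- "_nft.stdout is search('hook input priority (filter|0); policy drop;')"` and `- "_nft.stdout is search('hook forward priority (filter|0); policy accept;')"`. The substring checks also do not tie the hook to its chain or table, so any chain in the output with that hook and policy satisfies them; that is inherited from the surrounding lines and may be acceptable for this harness. The enclosing assert task starts before the hunk.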