action #155395

closed

action #152590: [epic] Container refactoring

[refactoring] Merge docker_firewall and podman_firewall

Added by ph03nix 5 months ago. Updated 4 months ago.

Status: Resolved
Priority: High
Assignee:
Target version: -
Start date: 2024-02-13
Due date:
% Done: 0%
Estimated time:

Description

We currently have two different test modules to test the firewall together with the container engines: docker_firewall and podman_firewall. We should merge the two into one module.

In addition, the docker_firewall module runs checks on the underlying firewall backend, here iptables. We should change the design so that it makes no backend assumptions and instead tests the effect of the firewall. This means that instead of checking whether certain rules are present, we should check whether the EFFECT of the rules is present, i.e. whether a container can reach the external network and whether a container can (or cannot) be reached.

So instead of checking for iptables rules, we should check:

  • Can a container access the network when the firewall is present?
  • Is the firewall blocking access to an exposed container port by default?
  • When adding firewalld rules to allow access to a container, can the container then be accessed?

For now, we should only test the default network backend.
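As an added illustration (not the project's own module), here is a sketch of what the merged, effect-based test could look like as an os-autoinst module. It assumes the openQA testapi functions (assert_script_run, script_run, script_output, select_console, record_info, get_required_var), a CONTAINER_RUNTIMES job setting listing the engines, a hypothetical FIREWALL_PROBE_HOST setting naming a second machine the SUT can ssh to, and an image that serves TCP/80; the expectation that a published port is blocked by default is likewise an assumption to confirm per engine.

```perl
use base 'consoletest';
use strict;
use warnings;
use testapi;

my $port  = 8080;
my $image = 'docker.io/library/nginx';    # assumed: any image serving TCP/80 with bash

# Effect 1: can a container open an outbound connection at all?
# Uses bash's /dev/tcp so the image needs no extra packages installed.
sub container_has_outbound_access {
    my ($engine) = @_;
    my $cmd = "$engine run --rm $image bash -c 'exec 3<>/dev/tcp/www.opensuse.org/443'";
    return script_run($cmd, timeout => 120) == 0;
}

# Effects 2 and 3: is the published port reachable from OUTSIDE the host?
# Probing from the SUT itself would take the loopback path, which firewalld
# accepts unconditionally, so the probe is issued from a second machine via ssh.
sub port_reachable_from_outside {
    my ($sut_ip) = @_;
    my $probe = get_required_var('FIREWALL_PROBE_HOST');    # assumed job setting
    my $cmd = "ssh -o BatchMode=yes $probe curl -sf --max-time 5 -o /dev/null http://$sut_ip:$port";
    return script_run($cmd, timeout => 30) == 0;
}

sub check_engine {
    my ($engine) = @_;
    my $sut_ip = script_output("hostname -I | awk '{print \$1}'");
    assert_script_run('systemctl is-active firewalld');
    die "$engine: container has no network access" unless container_has_outbound_access($engine);

    # Publish a port on the default network backend and observe the effect,
    # not whichever iptables/nftables rules the engine happened to generate.
    assert_script_run("$engine run -d --rm --name fwtest -p $port:80 $image");
    die "$engine: port $port reachable without a firewalld rule" if port_reachable_from_outside($sut_ip);

    assert_script_run("firewall-cmd --add-port=$port/tcp");    # runtime rule only
    die "$engine: port $port still blocked after allowing it" unless port_reachable_from_outside($sut_ip);

    assert_script_run("firewall-cmd --remove-port=$port/tcp");
    assert_script_run("$engine rm -f fwtest");
    record_info($engine, "outbound ok, port blocked by default, allowed by firewalld rule");
}

sub run {
    # One module for both engines instead of docker_firewall + podman_firewall.
    select_console 'root-console';
    check_engine($_) for split /,/, get_required_var('CONTAINER_RUNTIMES');
}
1;
```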

Acceptance criteria

  • Merge docker_firewall and podman_firewall into one module
  • Get rid of all backend assumptions, i.e. remove the iptables function calls
  • Test the effect of the network rules, not probe for the rules themselves