From 90a66b4786c38b54eb7c925d1648a2d794bcbc5b Mon Sep 17 00:00:00 2001 From: Martin Pitt Date: Tue, 7 Jan 2025 16:43:06 +0100 Subject: [PATCH] test: Disable firewalld StrictForwardPorts on RHEL 10 RHEL 10 started to break `podman -p` port forwarding to localhost by default [1]. This was a deliberate change [2][3]. We really don't care about firewalling localhost ports from containers (does anybody really?), so revert back to the previous behaviour (which is still the default on Fedora) of having StrictForwardPorts=no. This obsoletes our naughty https://github.com/cockpit-project/bots/issues/7291 [1] https://issues.redhat.com/browse/RHEL-72937 [2] https://firewalld.org/2024/11/strict-forward-ports [3] https://github.com/firewalld/firewalld/issues/1380 --- test/vm.install | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/test/vm.install b/test/vm.install index fbbc62c9..b5d9cabe 100755 --- a/test/vm.install +++ b/test/vm.install @@ -23,6 +23,12 @@ Delegate=cpu cpuset io memory pids EOF fi +if grep -q platform:el10 /usr/lib/os-release; then + # HACK: unbreak container port forwarding to localhost + # https://firewalld.org/2024/11/strict-forward-ports and https://github.com/firewalld/firewalld/issues/1380 + sed -i 's/StrictForwardPorts=yes/StrictForwardPorts=no/' /etc/firewalld/firewalld.conf +fi + # don't force https:// (self-signed cert) mkdir -p /etc/cockpit printf "[WebService]\\nAllowUnencrypted=true\\n" > /etc/cockpit/cockpit.conf
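Review bot: the `sed` in the new el10 block is a silent no-op when /etc/firewalld/firewalld.conf does not contain the exact string `StrictForwardPorts=yes` (key absent, commented out, or written with different case or spacing), so the image would keep strict forwarding and the `podman -p` failures would return with nothing in vm.install pointing at the cause. Consider following it with a check such as `grep -q '^StrictForwardPorts=no' /etc/firewalld/firewalld.conf || echo "StrictForwardPorts not set" >&2` so a mismatch is visible in the install log. The block also only edits the file: if firewalld is already running when vm.install executes, nothing in this hunk reloads or restarts it, so the setting takes effect only at the next start of the service. Since this relaxes a firewall default, the comment could also say that it is meant for test images only, which the `HACK:` line currently leaves implicit.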