Support none parameter on NETAVARK_FW

Passing environment valuepair NETAVARK_FW=none disables all firewall/portmapper related features leaving configuration of firewall to user.

Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>

src/firewall/fwnone.rs

@@ -0,0 +1,32 @@
+use crate::firewall;
+use crate::firewall::NetavarkResult;
+use crate::network::internal_types::{
+    PortForwardConfig, SetupNetwork, TearDownNetwork, TeardownPortForward,
+};
+
+// Iptables driver - uses direct iptables commands via the iptables crate.
+pub struct Fwnone {}
+
+pub fn new() -> NetavarkResult<Box<dyn firewall::FirewallDriver>> {
+    Ok(Box::new(Fwnone {}))
+}
+
+impl firewall::FirewallDriver for Fwnone {
+    fn setup_network(&self, _network_setup: SetupNetwork) -> NetavarkResult<()> {
+        Ok(())
+    }
+
+    // teardown_network should only be called in the case of
+    // a complete teardown.
+    fn teardown_network(&self, _tear: TearDownNetwork) -> NetavarkResult<()> {
+        Ok(())
+    }
+
+    fn setup_port_forward(&self, _setup_portfw: PortForwardConfig) -> NetavarkResult<()> {
+        Ok(())
+    }
+
+    fn teardown_port_forward(&self, _tear: TeardownPortForward) -> NetavarkResult<()> {
+        Ok(())
+    }
+}

src/firewall/mod.rs

@@ -7,6 +7,7 @@ use std::env;
 use zbus::blocking::Connection;
 
 pub mod firewalld;
+pub mod fwnone;
 pub mod iptables;
 mod varktables;
 
@@ -29,12 +30,13 @@ enum FirewallImpl {
     Iptables,
     Firewalld(Connection),
     Nftables,
+    Fwnone,
 }
 
 /// What firewall implementations does this system support?
 fn get_firewall_impl() -> NetavarkResult<FirewallImpl> {
     // First, check the NETAVARK_FW env var.
-    // It respects "firewalld", "iptables", "nftables".
+    // It respects "firewalld", "iptables", "nftables", "none".
     if let Ok(var) = env::var("NETAVARK_FW") {
         debug!("Forcibly using firewall driver {}", var);
         match var.to_lowercase().as_str() {
@@ -52,6 +54,7 @@ fn get_firewall_impl() -> NetavarkResult<FirewallImpl> {
             }
             "iptables" => return Ok(FirewallImpl::Iptables),
             "nftables" => return Ok(FirewallImpl::Nftables),
+            "none" => return Ok(FirewallImpl::Fwnone),
             any => {
                 return Err(NetavarkError::Message(format!(
                     "Must provide a valid firewall backend, got {}",
@@ -101,6 +104,10 @@ pub fn get_supported_firewall_driver() -> NetavarkResult<Box<dyn FirewallDriver>
                     "nftables support presently not available",
                 ))
             }
+            FirewallImpl::Fwnone => {
+                info!("Not using firewall");
+                fwnone::new()
+            }
         },
         Err(e) => Err(e),
     }

test/500-bridge-fwnone.bats

@@ -0,0 +1,13 @@
+#!/usr/bin/env bats   -*- bats -*-
+#
+# bridge driver tests with none firewall driver
+#
+
+load helpers
+
+fw_driver=none
+
+@test "check none firewall driver is in use" {
+    RUST_LOG=netavark=info NETAVARK_FW="none" run_netavark --file ${TESTSDIR}/testfiles/simplebridge.json setup $(get_container_netns_path)
+    assert "${lines[0]}" "==" "[INFO  netavark::firewall] Not using firewall" "none firewall driver is in use"
+}