Testing of openconnect on "real" firewalls

joe.elusive joe.elusive at protonmail.com
Thu Jun 1 06:54:09 PDT 2023


Hey everyone!

I noticed that the openconnect project relies on 

1. Maintainers having access to real hardware
2. Issue reporter providing a lot of log files/dumps for maintainers to work on

While (1) is not ideal because not every maintainer has access to the firewalls in question, (2) is limited too because sometimes it's really hard to get enough info, and not every bug reporter can even give the exact firewall software version, not to mention the relevant firewall configuration.

Here comes my suggestion/question:

Would you accept a pull request with some kind of local firewall deployment automation, for developers to experiment on (if they have time, of course)?

I imagine the following artifacts:

1. Shell scripts/Vagrant Box to bring VM up
2. Ansible playbooks (maybe triggered from vagrant itself) for idempotent configuration of VPN in question

So in the best-case scenario, to reproduce some case, a developer should:

get a .qcow2 file of virtual firewall in question (the hardest part),
cd to

    integration/anyconnect/asav-x.y.z-some-test-case

and execute

    vagrant up

then get a preferred beverage while Vagrant and Ansible prepare a test environment for them, and start hacking!

The other variant is to utilize GNS3, or even EVE-NG, for creating and sharing topologies, but I think that:
a) Vagrant and Ansible are more usable in other day-to-day tasks for developer enthusiasts, and more transferable as skills to use on other projects, making them more interesting/rewarding
b) I want the workflow to be as pain-free as possible, because getting images to work on is a pain already, and executing a single command seems simple enough
c) We don't need "a topology", we need one firewall with a "public" and a "private" interface, without outbound internet access, and an SSL-VPN daemon to interact with, nothing more, so a single VM seems good enough
d) Some advanced cases might require other VMs/containers, e.g. a RADIUS server, an SSO server and so on, and GNS3 and friends are not really the tools to deploy and maintain that.

There are some conceptual questions though:

1. Vagrant is not that portable, and Cisco, for example, targets KVM, ESXi and Hyper-V only, leaving VirtualBox users and whatever macOS has as a hypervisor to themselves
2. Ansible is also "best served" on Linux
3. I don't have anything other than Linux to test and support this on, so basically I hope that developers are Linux users themselves
4. Getting a proper OS image would most certainly require some kind of support contract, and while checksums of images are mostly accessible from vendor websites, and there are a lot of images lying on some nice HTTP/FTP servers around the web, some people might not even bother downloading and checking them, due to legality concerns and their limited free time

So, before I start hacking in this direction (which might even fail due to some Vagrant issues), would maintainers of openconnect even be interested in this?

And hey, thanks for giving me an opportunity to work on my favorite OS for years, without tainting my machine with some proprietary cr... I mean, software.

With best regards,
Joe
More information about the openconnect-devel mailing list