/*
 * nwfilterxml2firewalltest.c: Test iptables rule generation
 *
 * Copyright (C) 2014 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library. If not, see
 * <http://www.gnu.org/licenses/>.
 *
 */

#include <config.h>

/* The whole test body is Linux-only; the #else branch at the end of the
 * file provides a skipping main() for every other platform. */
#if defined (__linux__)

# include "testutils.h"
# include "nwfilter/nwfilter_ebiptables_driver.h"
# include "virbuffer.h"
/* Private headers, unlocked by the *_ALLOW guards. Presumably these are
 * where virFirewallSetBackend() and the virCommandSetDryRun() hooks used
 * below are declared — confirm against the headers themselves. */
# define LIBVIRT_VIRFIREWALLPRIV_H_ALLOW
# include "virfirewallpriv.h"
# define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW
# include "vircommandpriv.h"

# define VIR_FROM_THIS VIR_FROM_NONE

/* Suffix of the expected-output fixtures: "<name>-<RULESTYPE>.args". */
# ifdef __linux__
# define RULESTYPE "linux"
# else
# error "test case not ported to this platform"
# endif
typedef struct _virNWFilterInst virNWFilterInst;
/* Everything produced while walking one test filter and its includes.
 * Both arrays are owned by the instance and released together by
 * virNWFilterInstReset(). */
struct _virNWFilterInst {
    /* Parsed filter definitions (the root file plus every include). */
    virNWFilterDef **filters;
    size_t nfilters;
    /* Flattened rule instances in traversal order; this is what gets
     * handed to ebiptables_driver.applyNewRules(). */
    virNWFilterRuleInst **rules;
    size_t nrules;
};
/*
 * Some sets of rules that will be common to all test files,
 * so we don't bother including them in the test data files
 * as that would just bloat them.
 *
 * Each array entry is one group of complete command lines (adjacent
 * string literals are concatenated). testRemoveCommonRules() strips
 * the groups from the captured dry-run output in array order, resuming
 * each search where the previous match was found, so the order here
 * must follow the order in which the driver emits them.
 */
static const char *commonRules[] = {
    /* Dropping ebtables rules */
    "ebtables \\\n--concurrent \\\n-t nat \\\n-D PREROUTING \\\n-i vnet0 \\\n-j libvirt-J-vnet0\n"
    "ebtables \\\n--concurrent \\\n-t nat \\\n-D POSTROUTING \\\n-o vnet0 \\\n-j libvirt-P-vnet0\n"
    "ebtables \\\n--concurrent \\\n-t nat \\\n-L libvirt-J-vnet0\n"
    "ebtables \\\n--concurrent \\\n-t nat \\\n-L libvirt-P-vnet0\n"
    "ebtables \\\n--concurrent \\\n-t nat \\\n-F libvirt-J-vnet0\n"
    "ebtables \\\n--concurrent \\\n-t nat \\\n-X libvirt-J-vnet0\n"
    "ebtables \\\n--concurrent \\\n-t nat \\\n-F libvirt-P-vnet0\n"
    "ebtables \\\n--concurrent \\\n-t nat \\\n-X libvirt-P-vnet0\n",

    /* Creating ebtables chains */
    "ebtables \\\n--concurrent \\\n-t nat \\\n-N libvirt-J-vnet0\n"
    "ebtables \\\n--concurrent \\\n-t nat \\\n-N libvirt-P-vnet0\n",

    /* Dropping iptables rules */
    "iptables \\\n-w \\\n-D libvirt-out \\\n-m physdev \\\n--physdev-is-bridged \\\n--physdev-out vnet0 \\\n-g FP-vnet0\n"
    "iptables \\\n-w \\\n-D libvirt-out \\\n-m physdev \\\n--physdev-out vnet0 \\\n-g FP-vnet0\n"
    "iptables \\\n-w \\\n-D libvirt-in \\\n-m physdev \\\n--physdev-in vnet0 \\\n-g FJ-vnet0\n"
    "iptables \\\n-w \\\n-D libvirt-host-in \\\n-m physdev \\\n--physdev-in vnet0 \\\n-g HJ-vnet0\n"
    "iptables \\\n-w \\\n-F FP-vnet0\n"
    "iptables \\\n-w \\\n-X FP-vnet0\n"
    "iptables \\\n-w \\\n-F FJ-vnet0\n"
    "iptables \\\n-w \\\n-X FJ-vnet0\n"
    "iptables \\\n-w \\\n-F HJ-vnet0\n"
    "iptables \\\n-w \\\n-X HJ-vnet0\n",

    /* Creating iptables chains */
    "iptables \\\n-w \\\n-N libvirt-in\n"
    "iptables \\\n-w \\\n-N libvirt-out\n"
    "iptables \\\n-w \\\n-N libvirt-in-post\n"
    "iptables \\\n-w \\\n-N libvirt-host-in\n"
    "iptables \\\n-w \\\n-D FORWARD \\\n-j libvirt-in\n"
    "iptables \\\n-w \\\n-D FORWARD \\\n-j libvirt-out\n"
    "iptables \\\n-w \\\n-D FORWARD \\\n-j libvirt-in-post\n"
    "iptables \\\n-w \\\n-D INPUT \\\n-j libvirt-host-in\n"
    "iptables \\\n-w \\\n-I FORWARD 1 \\\n-j libvirt-in\n"
    "iptables \\\n-w \\\n-I FORWARD 2 \\\n-j libvirt-out\n"
    "iptables \\\n-w \\\n-I FORWARD 3 \\\n-j libvirt-in-post\n"
    "iptables \\\n-w \\\n-I INPUT 1 \\\n-j libvirt-host-in\n"
    "iptables \\\n-w \\\n-N FP-vnet0\n"
    "iptables \\\n-w \\\n-N FJ-vnet0\n"
    "iptables \\\n-w \\\n-N HJ-vnet0\n"
    "iptables \\\n-w \\\n-A libvirt-out \\\n-m physdev \\\n--physdev-is-bridged \\\n--physdev-out vnet0 \\\n-g FP-vnet0\n"
    "iptables \\\n-w \\\n-A libvirt-in \\\n-m physdev \\\n--physdev-in vnet0 \\\n-g FJ-vnet0\n"
    "iptables \\\n-w \\\n-A libvirt-host-in \\\n-m physdev \\\n--physdev-in vnet0 \\\n-g HJ-vnet0\n"
    "iptables \\\n-w \\\n-D libvirt-in-post \\\n-m physdev \\\n--physdev-in vnet0 \\\n-j ACCEPT\n"
    "iptables \\\n-w \\\n-A libvirt-in-post \\\n-m physdev \\\n--physdev-in vnet0 \\\n-j ACCEPT\n",

    /* Dropping ip6tables rules */
    "ip6tables \\\n-w \\\n-D libvirt-out \\\n-m physdev \\\n--physdev-is-bridged \\\n--physdev-out vnet0 \\\n-g FP-vnet0\n"
    "ip6tables \\\n-w \\\n-D libvirt-out \\\n-m physdev \\\n--physdev-out vnet0 \\\n-g FP-vnet0\n"
    "ip6tables \\\n-w \\\n-D libvirt-in \\\n-m physdev \\\n--physdev-in vnet0 \\\n-g FJ-vnet0\n"
    "ip6tables \\\n-w \\\n-D libvirt-host-in \\\n-m physdev \\\n--physdev-in vnet0 \\\n-g HJ-vnet0\n"
    "ip6tables \\\n-w \\\n-F FP-vnet0\n"
    "ip6tables \\\n-w \\\n-X FP-vnet0\n"
    "ip6tables \\\n-w \\\n-F FJ-vnet0\n"
    "ip6tables \\\n-w \\\n-X FJ-vnet0\n"
    "ip6tables \\\n-w \\\n-F HJ-vnet0\n"
    "ip6tables \\\n-w \\\n-X HJ-vnet0\n",

    /* Creating ip6tables chains */
    "ip6tables \\\n-w \\\n-N libvirt-in\n"
    "ip6tables \\\n-w \\\n-N libvirt-out\n"
    "ip6tables \\\n-w \\\n-N libvirt-in-post\n"
    "ip6tables \\\n-w \\\n-N libvirt-host-in\n"
    "ip6tables \\\n-w \\\n-D FORWARD \\\n-j libvirt-in\n"
    "ip6tables \\\n-w \\\n-D FORWARD \\\n-j libvirt-out\n"
    "ip6tables \\\n-w \\\n-D FORWARD \\\n-j libvirt-in-post\n"
    "ip6tables \\\n-w \\\n-D INPUT \\\n-j libvirt-host-in\n"
    "ip6tables \\\n-w \\\n-I FORWARD 1 \\\n-j libvirt-in\n"
    "ip6tables \\\n-w \\\n-I FORWARD 2 \\\n-j libvirt-out\n"
    "ip6tables \\\n-w \\\n-I FORWARD 3 \\\n-j libvirt-in-post\n"
    "ip6tables \\\n-w \\\n-I INPUT 1 \\\n-j libvirt-host-in\n"
    "ip6tables \\\n-w \\\n-N FP-vnet0\n"
    "ip6tables \\\n-w \\\n-N FJ-vnet0\n"
    "ip6tables \\\n-w \\\n-N HJ-vnet0\n"
    "ip6tables \\\n-w \\\n-A libvirt-out \\\n-m physdev \\\n--physdev-is-bridged \\\n--physdev-out vnet0 \\\n-g FP-vnet0\n"
    "ip6tables \\\n-w \\\n-A libvirt-in \\\n-m physdev \\\n--physdev-in vnet0 \\\n-g FJ-vnet0\n"
    "ip6tables \\\n-w \\\n-A libvirt-host-in \\\n-m physdev \\\n--physdev-in vnet0 \\\n-g HJ-vnet0\n"
    "ip6tables \\\n-w \\\n-D libvirt-in-post \\\n-m physdev \\\n--physdev-in vnet0 \\\n-j ACCEPT\n"
    "ip6tables \\\n-w \\\n-A libvirt-in-post \\\n-m physdev \\\n--physdev-in vnet0 \\\n-j ACCEPT\n",

    /* Inserting ebtables rules */
    "ebtables \\\n--concurrent \\\n-t nat \\\n-A PREROUTING \\\n-i vnet0 \\\n-j libvirt-J-vnet0\n"
    "ebtables \\\n--concurrent \\\n-t nat \\\n-A POSTROUTING \\\n-o vnet0 \\\n-j libvirt-P-vnet0\n",
};
/* Build a new variable table holding the entries of @vars1 and @vars2.
 * @vars1 is copied in first, then @vars2; what happens on a duplicate
 * key is whatever virNWFilterHashTablePutAll() does.
 * Returns the new table (caller frees it with virHashFree()), or NULL on
 * failure, in which case nothing is leaked. */
static GHashTable *
virNWFilterCreateVarsFrom(GHashTable *vars1,
                          GHashTable *vars2)
{
    GHashTable *merged = virHashNew(virNWFilterVarValueHashFree);

    if (merged == NULL)
        return NULL;

    /* Short-circuit keeps the original ordering: vars2 is only copied
     * when vars1 went in cleanly. */
    if (virNWFilterHashTablePutAll(vars1, merged) < 0 ||
        virNWFilterHashTablePutAll(vars2, merged) < 0) {
        virHashFree(merged);
        return NULL;
    }

    return merged;
}
/* Release one rule instance built by virNWFilterRuleDefToRuleInst().
 * Only the per-rule variable table is owned by the instance; ->def
 * points into the parsed filter definition and is left alone.
 * NULL is accepted. */
static void
virNWFilterRuleInstFree(virNWFilterRuleInst *inst)
{
    if (inst == NULL)
        return;

    virHashFree(inst->vars);
    g_free(inst);
}
/* Free everything owned by @inst and return it to the empty state, so it
 * can be reused or discarded. The rule instances only borrow their ->def
 * from the filters, so freeing the filters first is safe here because
 * virNWFilterRuleInstFree() does not dereference ->def. */
static void
virNWFilterInstReset(virNWFilterInst *inst)
{
    size_t idx = 0;

    while (idx < inst->nfilters)
        virNWFilterDefFree(inst->filters[idx++]);
    VIR_FREE(inst->filters);
    inst->nfilters = 0;

    for (idx = 0; idx < inst->nrules; idx++)
        virNWFilterRuleInstFree(inst->rules[idx]);
    VIR_FREE(inst->rules);
    inst->nrules = 0;
}
/* Forward declaration: virNWFilterDefToInst() and
 * virNWFilterIncludeDefToRuleInst() call each other to follow filter
 * includes (inc->filterref) depth-first. */
static int
virNWFilterDefToInst(const char *xml,
                     GHashTable *vars,
                     virNWFilterInst *inst);
/* Turn one rule of filter @def into a virNWFilterRuleInst carrying a
 * private copy of @vars, and append it to @inst->rules.
 * On success ownership of the new instance moves to @inst; on failure
 * (-1) the partially built instance is freed and @inst is unchanged. */
static int
virNWFilterRuleDefToRuleInst(virNWFilterDef *def,
                             virNWFilterRuleDef *rule,
                             GHashTable *vars,
                             virNWFilterInst *inst)
{
    virNWFilterRuleInst *ri = g_new0(virNWFilterRuleInst, 1);
    int rc = -1;

    /* Rule-level data comes from the rule, chain placement from the
     * enclosing filter definition. */
    ri->def = rule;
    ri->priority = rule->priority;
    ri->chainSuffix = def->chainsuffix;
    ri->chainPriority = def->chainPriority;

    ri->vars = virHashNew(virNWFilterVarValueHashFree);
    if (ri->vars == NULL)
        goto cleanup;

    if (virNWFilterHashTablePutAll(vars, ri->vars) < 0)
        goto cleanup;

    if (VIR_APPEND_ELEMENT(inst->rules, inst->nrules, ri) < 0)
        goto cleanup;

    /* Now owned by inst->rules; make sure cleanup does not free it. */
    ri = NULL;
    rc = 0;

 cleanup:
    virNWFilterRuleInstFree(ri);
    return rc;
}
/* Resolve an include (<filterref>) of a test filter: load the referenced
 * filter from nwfilterxml2firewalldata/<filterref>.xml and feed its rules
 * into @inst, with the include's own parameters layered over @vars.
 * Returns 0 on success, -1 on failure; on failure @inst is reset. */
static int
virNWFilterIncludeDefToRuleInst(virNWFilterIncludeDef *inc,
                                GHashTable *vars,
                                virNWFilterInst *inst)
{
    GHashTable *scopedVars = NULL;
    char *path = NULL;
    int rc = -1;

    /* The include name is used verbatim as the fixture file stem. */
    path = g_strdup_printf("%s/nwfilterxml2firewalldata/%s.xml", abs_srcdir,
                           inc->filterref);

    /* Scratch variable table for this branch of the depth-first walk:
     * the include's parameters plus whatever the caller already had. */
    scopedVars = virNWFilterCreateVarsFrom(inc->params, vars);
    if (scopedVars == NULL)
        goto cleanup;

    if (virNWFilterDefToInst(path, scopedVars, inst) < 0)
        goto cleanup;

    rc = 0;

 cleanup:
    if (rc < 0)
        virNWFilterInstReset(inst);
    virHashFree(scopedVars);
    VIR_FREE(path);
    return rc;
}
/* Parse the filter file @xml, record the definition in @inst->filters and
 * instantiate every entry: plain rules go through
 * virNWFilterRuleDefToRuleInst(), includes recurse through
 * virNWFilterIncludeDefToRuleInst().
 * Returns 0 on success, -1 on failure; on failure @inst is reset. */
static int
virNWFilterDefToInst(const char *xml,
                     GHashTable *vars,
                     virNWFilterInst *inst)
{
    virNWFilterDef *def = virNWFilterDefParseFile(xml);
    int rc = -1;
    size_t n;

    if (def == NULL)
        return -1;

    /* @inst takes ownership of @def; if the append fails nothing else
     * references it yet, so free it here rather than in cleanup. */
    if (VIR_APPEND_ELEMENT_COPY(inst->filters, inst->nfilters, def) < 0) {
        virNWFilterDefFree(def);
        goto cleanup;
    }

    for (n = 0; n < def->nentries; n++) {
        if (def->filterEntries[n]->rule != NULL) {
            if (virNWFilterRuleDefToRuleInst(def,
                                             def->filterEntries[n]->rule,
                                             vars,
                                             inst) < 0)
                goto cleanup;
            continue;
        }

        /* An entry with neither rule nor include is silently ignored,
         * as in the original. */
        if (def->filterEntries[n]->include != NULL &&
            virNWFilterIncludeDefToRuleInst(def->filterEntries[n]->include,
                                            vars,
                                            inst) < 0)
            goto cleanup;
    }

    rc = 0;

 cleanup:
    if (rc < 0)
        virNWFilterInstReset(inst);
    return rc;
}
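/* Strip the boilerplate command groups listed in commonRules[] out of the
 * captured dry-run output @rules, editing the string in place.
 *
 * Each group is searched for only from the point where the previous one
 * was found, so commonRules[] must be in emission order; a group that is
 * not present is skipped without moving the search position.
 *
 * @rules may be NULL: the caller obtains it from
 * virBufferContentAndReset(), which hands back NULL for an empty buffer,
 * and passing that straight into strstr() would be undefined behaviour.
 * An empty or NULL string has nothing to strip, so return early. */
static void testRemoveCommonRules(char *rules)
{
    char *cursor = rules;
    size_t idx;

    if (rules == NULL || *rules == '\0')
        return;

    for (idx = 0; idx < G_N_ELEMENTS(commonRules); idx++) {
        const char *needle = commonRules[idx];
        size_t needleLen = strlen(needle);
        char *hit = strstr(cursor, needle);

        if (hit == NULL)
            continue;

        /* Slide the tail, including its terminating NUL, over the match. */
        memmove(hit, hit + needleLen, strlen(hit) + 1 - needleLen);
        cursor = hit;
    }
}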
/* Add @value to the filter variable @name in @vars. A variable that does
 * not exist yet is created with @value as its first entry; an existing
 * one gets @value appended as an additional entry, so calling this
 * repeatedly with the same @name builds a multi-valued variable.
 * Returns 0 on success, -1 on failure. */
static int testSetOneParameter(GHashTable *vars,
                               const char *name,
                               const char *value)
{
    virNWFilterVarValue *existing = virHashLookup(vars, name);

    if (existing != NULL)
        return virNWFilterVarValueAddValueCopy(existing, value) < 0 ? -1 : 0;

    existing = virNWFilterVarValueCreateSimpleCopyValue(value);
    if (existing == NULL)
        return -1;

    /* The table owns the value once inserted; release it ourselves if
     * the insert was refused. */
    if (virHashUpdateEntry(vars, name, existing) < 0) {
        virNWFilterVarValueFree(existing);
        return -1;
    }

    return 0;
}
/* Populate @vars with the fixed set of variables every fixture may refer
 * to. Values are added in this exact order because repeated names build
 * multi-valued variables via testSetOneParameter(); the repeated values
 * ("3.3.3.3", "80") are kept as in the original list — presumably to
 * exercise duplicate handling, confirm against the fixtures.
 * Returns 0 on success, -1 as soon as one insertion fails. */
static int testSetDefaultParameters(GHashTable *vars)
{
    static const struct {
        const char *name;
        const char *value;
    } defaults[] = {
        { "IPSETNAME", "tck_test" },
        { "A", "1.1.1.1" },
        { "A", "2.2.2.2" },
        { "A", "3.3.3.3" },
        { "A", "3.3.3.3" },
        { "B", "80" },
        { "B", "90" },
        { "B", "80" },
        { "B", "80" },
        { "C", "1080" },
        { "C", "1090" },
        { "C", "1100" },
        { "C", "1110" },
    };
    size_t i;

    for (i = 0; i < sizeof(defaults) / sizeof(defaults[0]); i++) {
        if (testSetOneParameter(vars, defaults[i].name, defaults[i].value) < 0)
            return -1;
    }

    return 0;
}
/* Run one fixture end to end: load the filter from @xml, have the
 * ebiptables driver generate its firewall commands for interface "vnet0"
 * in dry-run mode (nothing is executed on the host), drop the boilerplate
 * command groups, and compare what remains with the expected @cmdline
 * file. Returns 0 on match, -1 on any failure or mismatch. */
static int testCompareXMLToArgvFiles(const char *xml,
                                     const char *cmdline)
{
    char *actualargv = NULL;
    g_auto(virBuffer) captured = VIR_BUFFER_INITIALIZER;
    GHashTable *vars = virHashNew(virNWFilterVarValueHashFree);
    virNWFilterInst inst = { 0 };
    int rc = -1;
    g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();

    /* Every virCommand run from here on is appended to @captured instead
     * of being executed; the token is released automatically on return. */
    virCommandSetDryRun(dryRunToken, &captured, true, true, NULL, NULL);

    if (vars == NULL)
        goto cleanup;

    if (testSetDefaultParameters(vars) < 0)
        goto cleanup;

    if (virNWFilterDefToInst(xml, vars, &inst) < 0)
        goto cleanup;

    if (ebiptables_driver.applyNewRules("vnet0", inst.rules, inst.nrules) < 0)
        goto cleanup;

    actualargv = virBufferContentAndReset(&captured);
    testRemoveCommonRules(actualargv);

    if (virTestCompareToFileFull(actualargv, cmdline, false) < 0)
        goto cleanup;

    rc = 0;

 cleanup:
    VIR_FREE(actualargv);
    virNWFilterInstReset(&inst);
    virHashFree(vars);
    return rc;
}
/* Per-test data handed to testCompareXMLToIPTablesHelper() via virTestRun():
 * the fixture stem under nwfilterxml2firewalldata/. */
struct testInfo {
    const char *name;
};
/* virTestRun() callback: derive the input and expected-output paths from
 * the fixture name in @data (a struct testInfo) and run the comparison.
 * Returns whatever testCompareXMLToArgvFiles() returns. */
static int
testCompareXMLToIPTablesHelper(const void *data)
{
    const struct testInfo *info = data;
    char *xmlPath;
    char *argsPath;
    int rc;

    /* Fixtures: <name>.xml is parsed, <name>-<RULESTYPE>.args holds the
     * expected command lines. */
    xmlPath = g_strdup_printf("%s/nwfilterxml2firewalldata/%s.xml",
                              abs_srcdir, info->name);
    argsPath = g_strdup_printf("%s/nwfilterxml2firewalldata/%s-%s.args",
                               abs_srcdir, info->name, RULESTYPE);

    rc = testCompareXMLToArgvFiles(xmlPath, argsPath);

    VIR_FREE(xmlPath);
    VIR_FREE(argsPath);
    return rc;
}
/* True only when all three netfilter binaries the driver shells out to
 * (iptables, ip6tables, ebtables) are present and executable. Checked in
 * that order, stopping at the first one missing. */
static bool
hasNetfilterTools(void)
{
    if (!virFileIsExecutable(IPTABLES_PATH))
        return false;
    if (!virFileIsExecutable(IP6TABLES_PATH))
        return false;
    return virFileIsExecutable(EBTABLES_PATH);
}
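/* Test entry point (wrapped by VIR_TEST_MAIN): select the direct firewall
 * backend, then run every fixture through testCompareXMLToIPTablesHelper().
 * Returns EXIT_SUCCESS when all cases pass, EXIT_FAILURE when any fails or
 * the backend cannot be selected, and EXIT_AM_SKIP when the backend fails
 * because the netfilter binaries are not installed on this machine. */
static int
mymain(void)
{
    int ret = 0;

    /* The test title is built by literal string concatenation, which is
     * why this is a macro rather than a helper function. The testInfo is
     * static because virTestRun() only receives a pointer to it. */
# define DO_TEST(name) \
    do { \
        static struct testInfo info = { \
            name, \
        }; \
        if (virTestRun("NWFilter XML-2-firewall " name, \
                       testCompareXMLToIPTablesHelper, &info) < 0) \
            ret = -1; \
    } while (0)

    if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
        if (!hasNetfilterTools()) {
            /* Terminate the message: without the newline the skip reason
             * shares a line with whatever is written to stderr next. */
            fprintf(stderr, "iptables/ip6tables/ebtables tools not present\n");
            return EXIT_AM_SKIP;
        }
        return EXIT_FAILURE;
    }

    DO_TEST("ah");
    DO_TEST("ah-ipv6");
    DO_TEST("all");
    DO_TEST("all-ipv6");
    DO_TEST("arp");
    DO_TEST("comment");
    DO_TEST("conntrack");
    DO_TEST("esp");
    DO_TEST("esp-ipv6");
    DO_TEST("example-1");
    DO_TEST("example-2");
    DO_TEST("hex-data");
    DO_TEST("icmp-direction2");
    DO_TEST("icmp-direction3");
    DO_TEST("icmp-direction");
    DO_TEST("icmp");
    DO_TEST("icmpv6");
    DO_TEST("igmp");
    DO_TEST("ip");
    DO_TEST("ipset");
    DO_TEST("ipt-no-macspoof");
    DO_TEST("ipv6");
    DO_TEST("iter1");
    DO_TEST("iter2");
    DO_TEST("iter3");
    DO_TEST("mac");
    DO_TEST("rarp");
    DO_TEST("sctp");
    DO_TEST("sctp-ipv6");
    DO_TEST("stp");
    DO_TEST("target2");
    DO_TEST("target");
    DO_TEST("tcp");
    DO_TEST("tcp-ipv6");
    DO_TEST("udp");
    DO_TEST("udp-ipv6");
    DO_TEST("udplite");
    DO_TEST("udplite-ipv6");
    DO_TEST("vlan");

    return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}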
/* Generates the real main(), which runs mymain() inside the shared test
 * harness (presumably defined in testutils.h). */
VIR_TEST_MAIN(mymain)

#else /* ! defined (__linux__) */

/* Non-Linux builds: the fixtures are iptables/ebtables specific, so the
 * whole test reports itself as skipped. */
int main(void)
{
    return EXIT_AM_SKIP;
}

#endif /* ! defined (__linux__) */