2013-03-04 16:30:40 +00:00
|
|
|
/*
|
|
|
|
* Copyright (C) 2013-2014 Red Hat, Inc.
|
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
* License along with this library. If not, see
|
|
|
|
* <http://www.gnu.org/licenses/>.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
|
|
|
#include "testutils.h"
|
|
|
|
|
2014-05-01 18:43:58 +00:00
|
|
|
#if defined(__linux__)
|
2013-03-04 16:30:40 +00:00
|
|
|
|
2020-09-15 12:00:53 +00:00
|
|
|
# include <gio/gio.h>
|
|
|
|
|
2014-05-01 18:43:58 +00:00
|
|
|
# include "virbuffer.h"
|
2021-11-16 19:27:00 +00:00
|
|
|
# include "virfirewall.h"
|
|
|
|
|
2018-12-13 14:53:50 +00:00
|
|
|
# define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW
|
2014-05-01 18:43:58 +00:00
|
|
|
# include "vircommandpriv.h"
|
2019-01-09 19:11:32 +00:00
|
|
|
# define LIBVIRT_VIRFIREWALLDPRIV_H_ALLOW
|
|
|
|
# include "virfirewalldpriv.h"
|
2014-05-01 18:43:58 +00:00
|
|
|
|
|
|
|
# define VIR_FROM_THIS VIR_FROM_FIREWALL
|
|
|
|
|
2017-11-03 12:09:47 +00:00
|
|
|
# define TEST_FILTER_TABLE_LIST \
|
|
|
|
"Chain INPUT (policy ACCEPT)\n" \
|
|
|
|
"target prot opt source destination\n" \
|
|
|
|
"\n" \
|
|
|
|
"Chain FORWARD (policy ACCEPT)\n" \
|
|
|
|
"target prot opt source destination\n" \
|
|
|
|
"\n" \
|
|
|
|
"Chain OUTPUT (policy ACCEPT)\n" \
|
2013-03-04 16:30:40 +00:00
|
|
|
"target prot opt source destination\n"
|
|
|
|
|
2017-11-03 12:09:47 +00:00
|
|
|
# define TEST_NAT_TABLE_LIST \
|
|
|
|
"Chain PREROUTING (policy ACCEPT)\n" \
|
|
|
|
"target prot opt source destination\n" \
|
|
|
|
"\n" \
|
|
|
|
"Chain INPUT (policy ACCEPT)\n" \
|
|
|
|
"target prot opt source destination\n" \
|
|
|
|
"\n" \
|
|
|
|
"Chain OUTPUT (policy ACCEPT)\n" \
|
|
|
|
"target prot opt source destination\n" \
|
|
|
|
"\n" \
|
|
|
|
"Chain POSTROUTING (policy ACCEPT)\n" \
|
2013-03-04 16:30:40 +00:00
|
|
|
"target prot opt source destination\n"
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
tests: remove firewalld backend tests from virfirewalltest.c
When libvirt added support for firewalld, all iptables/ebtables rules
were added via the firewalld "passthrough" API when firewalld was
enabled (the "firewalld backend"), or run directly by libvirt when
firewalld was disabled (the so-called "direct
backend"). virfirewalltest.c dutifully ran each test twice, once with
the each backend enabled.
But commit b19863640d changed the code to *always* directly run
iptables/ebtables commands, and never use the firewalld passthrough
API, effectively making the direct and firewalld backends identical,
except that when libvirt receives notice that firewalld has restarted
or reloaded its rules, the firewalld backend sends an extra "iptables
-V" command via firewalld's passthrough API (and waits for a response)
prior to running all the rest of the iptables commands directly; this
assures that a newly-restarted firewalld has finished its work on the
filter tables before libvirt starts messing with it. (Because this
code is only executed in response to an event from dbus, it isn't
tested in the unit tests).
In spite of this, we still go through all the virfirewall tests twice
though - once for the direct backend, and once for the firewalld
backend, even though these take the same codepath.
In commit b19863640d I had left this double-testing in thinking that
someday we might go back to actually doing something useful with the
firewalld backend in the course of adding support for native nftables,
but I've now realized that for the case of nftables we will be *even
more* divorced from firewalld, so there is really no point in keeping
this code around any longer. (It's likely/probable that the tests will
be done twice again in the future, but it will be enough different
that it is better to remove this code and re-implement from scratch
when adding the nftables backend, rather than trying to directly
modify the existing code and end up with something even more
confusing).
This patch eliminates all the test duplication in virfirewalltest.c,
including mocking dbus, which is unnecessary since none of the tests
use dbus (for now we ensure that by explicitly setting the virfirewall
backend to DIRECT before any of the tests have run. Eventually the
concept of a "firewalld backend" will disappear completely, but that's
for another patch.)
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-11-14 20:50:26 +00:00
|
|
|
testFirewallSingleGroup(const void *opaque G_GNUC_UNUSED)
|
2013-03-04 16:30:40 +00:00
|
|
|
{
|
2020-07-02 23:35:41 +00:00
|
|
|
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
|
2020-07-04 20:35:10 +00:00
|
|
|
g_autoptr(virFirewall) fw = virFirewallNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
const char *actual = NULL;
|
|
|
|
const char *expected =
|
2021-09-14 08:40:42 +00:00
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
|
|
|
|
IPTABLES " -w -A INPUT --source '!192.168.122.1' --jump REJECT\n";
|
2013-03-04 16:30:40 +00:00
|
|
|
|
tests: remove firewalld backend tests from virfirewalltest.c
When libvirt added support for firewalld, all iptables/ebtables rules
were added via the firewalld "passthrough" API when firewalld was
enabled (the "firewalld backend"), or run directly by libvirt when
firewalld was disabled (the so-called "direct
backend"). virfirewalltest.c dutifully ran each test twice, once with
the each backend enabled.
But commit b19863640d changed the code to *always* directly run
iptables/ebtables commands, and never use the firewalld passthrough
API, effectively making the direct and firewalld backends identical,
except that when libvirt receives notice that firewalld has restarted
or reloaded its rules, the firewalld backend sends an extra "iptables
-V" command via firewalld's passthrough API (and waits for a response)
prior to running all the rest of the iptables commands directly; this
assures that a newly-restarted firewalld has finished its work on the
filter tables before libvirt starts messing with it. (Because this
code is only executed in response to an event from dbus, it isn't
tested in the unit tests).
In spite of this, we still go through all the virfirewall tests twice
though - once for the direct backend, and once for the firewalld
backend, even though these take the same codepath.
In commit b19863640d I had left this double-testing in thinking that
someday we might go back to actually doing something useful with the
firewalld backend in the course of adding support for native nftables,
but I've now realized that for the case of nftables we will be *even
more* divorced from firewalld, so there is really no point in keeping
this code around any longer. (It's likely/probable that the tests will
be done twice again in the future, but it will be enough different
that it is better to remove this code and re-implement from scratch
when adding the nftables backend, rather than trying to directly
modify the existing code and end up with something even more
confusing).
This patch eliminates all the test duplication in virfirewalltest.c,
including mocking dbus, which is unnecessary since none of the tests
use dbus (for now we ensure that by explicitly setting the virfirewall
backend to DIRECT before any of the tests have run. Eventually the
concept of a "firewalld backend" will disappear completely, but that's
for another patch.)
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-11-14 20:50:26 +00:00
|
|
|
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
|
tests: remove firewalld backend tests from virfirewalltest.c
When libvirt added support for firewalld, all iptables/ebtables rules
were added via the firewalld "passthrough" API when firewalld was
enabled (the "firewalld backend"), or run directly by libvirt when
firewalld was disabled (the so-called "direct
backend"). virfirewalltest.c dutifully ran each test twice, once with
the each backend enabled.
But commit b19863640d changed the code to *always* directly run
iptables/ebtables commands, and never use the firewalld passthrough
API, effectively making the direct and firewalld backends identical,
except that when libvirt receives notice that firewalld has restarted
or reloaded its rules, the firewalld backend sends an extra "iptables
-V" command via firewalld's passthrough API (and waits for a response)
prior to running all the rest of the iptables commands directly; this
assures that a newly-restarted firewalld has finished its work on the
filter tables before libvirt starts messing with it. (Because this
code is only executed in response to an event from dbus, it isn't
tested in the unit tests).
In spite of this, we still go through all the virfirewall tests twice
though - once for the direct backend, and once for the firewalld
backend, even though these take the same codepath.
In commit b19863640d I had left this double-testing in thinking that
someday we might go back to actually doing something useful with the
firewalld backend in the course of adding support for native nftables,
but I've now realized that for the case of nftables we will be *even
more* divorced from firewalld, so there is really no point in keeping
this code around any longer. (It's likely/probable that the tests will
be done twice again in the future, but it will be enough different
that it is better to remove this code and re-implement from scratch
when adding the nftables backend, rather than trying to directly
modify the existing code and end up with something even more
confusing).
This patch eliminates all the test duplication in virfirewalltest.c,
including mocking dbus, which is unnecessary since none of the tests
use dbus (for now we ensure that by explicitly setting the virfirewall
backend to DIRECT before any of the tests have run. Eventually the
concept of a "firewalld backend" will disappear completely, but that's
for another patch.)
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-11-14 20:50:26 +00:00
|
|
|
virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, NULL, NULL);
|
2013-03-04 16:30:40 +00:00
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "ACCEPT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "!192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
if (virFirewallApply(fw) < 0)
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
|
|
|
|
actual = virBufferCurrentContent(&cmdbuf);
|
|
|
|
|
tests: Use virTestCompareToString() more
Instead of using:
if (STRNEQ(a, b)) {
virTestDifference(stderr, a, b);
...
}
we can use:
if (virTestCompareToString(a, b) < ) {
...
}
Generated by the following spatch:
@@
expression a, b;
@@
- if (STRNEQ(a, b)) {
+ if (virTestCompareToString(a, b) < 0) {
...
- virTestDifference(stderr, a, b);
...
}
and its variations (STRNEQ_NULLABLE() instead of STRNEQ(), then
in some cases variables passed to STRNEQ() are in reversed order
when compared to virTestCompareToString()).
However, coccinelle failed to recognize the pattern in
testNWFilterEBIPTablesAllTeardown() so I had to fix it manually.
Also, I manually fixed testFormat() in tests/sockettest.c as I
didn't bother writing another spatch rule just for that.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com>
2022-11-30 08:57:49 +00:00
|
|
|
if (virTestCompareToString(expected, actual) < 0) {
|
2018-12-04 17:08:14 +00:00
|
|
|
fprintf(stderr, "Unexpected command execution\n");
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
2021-11-15 01:05:32 +00:00
|
|
|
return 0;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
tests: remove firewalld backend tests from virfirewalltest.c
When libvirt added support for firewalld, all iptables/ebtables rules
were added via the firewalld "passthrough" API when firewalld was
enabled (the "firewalld backend"), or run directly by libvirt when
firewalld was disabled (the so-called "direct
backend"). virfirewalltest.c dutifully ran each test twice, once with
the each backend enabled.
But commit b19863640d changed the code to *always* directly run
iptables/ebtables commands, and never use the firewalld passthrough
API, effectively making the direct and firewalld backends identical,
except that when libvirt receives notice that firewalld has restarted
or reloaded its rules, the firewalld backend sends an extra "iptables
-V" command via firewalld's passthrough API (and waits for a response)
prior to running all the rest of the iptables commands directly; this
assures that a newly-restarted firewalld has finished its work on the
filter tables before libvirt starts messing with it. (Because this
code is only executed in response to an event from dbus, it isn't
tested in the unit tests).
In spite of this, we still go through all the virfirewall tests twice
though - once for the direct backend, and once for the firewalld
backend, even though these take the same codepath.
In commit b19863640d I had left this double-testing in thinking that
someday we might go back to actually doing something useful with the
firewalld backend in the course of adding support for native nftables,
but I've now realized that for the case of nftables we will be *even
more* divorced from firewalld, so there is really no point in keeping
this code around any longer. (It's likely/probable that the tests will
be done twice again in the future, but it will be enough different
that it is better to remove this code and re-implement from scratch
when adding the nftables backend, rather than trying to directly
modify the existing code and end up with something even more
confusing).
This patch eliminates all the test duplication in virfirewalltest.c,
including mocking dbus, which is unnecessary since none of the tests
use dbus (for now we ensure that by explicitly setting the virfirewall
backend to DIRECT before any of the tests have run. Eventually the
concept of a "firewalld backend" will disappear completely, but that's
for another patch.)
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-11-14 20:50:26 +00:00
|
|
|
testFirewallRemoveRule(const void *opaque G_GNUC_UNUSED)
|
2013-03-04 16:30:40 +00:00
|
|
|
{
|
2020-07-02 23:35:41 +00:00
|
|
|
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
|
2020-07-04 20:35:10 +00:00
|
|
|
g_autoptr(virFirewall) fw = virFirewallNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
const char *actual = NULL;
|
|
|
|
const char *expected =
|
2021-09-14 08:40:42 +00:00
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
|
|
|
|
IPTABLES " -w -A INPUT --source '!192.168.122.1' --jump REJECT\n";
|
2021-03-11 07:16:13 +00:00
|
|
|
virFirewallRule *fwrule;
|
2021-04-01 15:54:09 +00:00
|
|
|
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
|
tests: remove firewalld backend tests from virfirewalltest.c
When libvirt added support for firewalld, all iptables/ebtables rules
were added via the firewalld "passthrough" API when firewalld was
enabled (the "firewalld backend"), or run directly by libvirt when
firewalld was disabled (the so-called "direct
backend"). virfirewalltest.c dutifully ran each test twice, once with
the each backend enabled.
But commit b19863640d changed the code to *always* directly run
iptables/ebtables commands, and never use the firewalld passthrough
API, effectively making the direct and firewalld backends identical,
except that when libvirt receives notice that firewalld has restarted
or reloaded its rules, the firewalld backend sends an extra "iptables
-V" command via firewalld's passthrough API (and waits for a response)
prior to running all the rest of the iptables commands directly; this
assures that a newly-restarted firewalld has finished its work on the
filter tables before libvirt starts messing with it. (Because this
code is only executed in response to an event from dbus, it isn't
tested in the unit tests).
In spite of this, we still go through all the virfirewall tests twice
though - once for the direct backend, and once for the firewalld
backend, even though these take the same codepath.
In commit b19863640d I had left this double-testing in thinking that
someday we might go back to actually doing something useful with the
firewalld backend in the course of adding support for native nftables,
but I've now realized that for the case of nftables we will be *even
more* divorced from firewalld, so there is really no point in keeping
this code around any longer. (It's likely/probable that the tests will
be done twice again in the future, but it will be enough different
that it is better to remove this code and re-implement from scratch
when adding the nftables backend, rather than trying to directly
modify the existing code and end up with something even more
confusing).
This patch eliminates all the test duplication in virfirewalltest.c,
including mocking dbus, which is unnecessary since none of the tests
use dbus (for now we ensure that by explicitly setting the virfirewall
backend to DIRECT before any of the tests have run. Eventually the
concept of a "firewalld backend" will disappear completely, but that's
for another patch.)
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-11-14 20:50:26 +00:00
|
|
|
virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, NULL, NULL);
|
2013-03-04 16:30:40 +00:00
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "ACCEPT", NULL);
|
|
|
|
|
|
|
|
fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT", NULL);
|
2020-11-17 18:51:45 +00:00
|
|
|
virFirewallRuleAddArg(fw, fwrule, "--source");
|
2013-03-04 16:30:40 +00:00
|
|
|
virFirewallRemoveRule(fw, fwrule);
|
|
|
|
|
|
|
|
fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT", NULL);
|
2020-11-17 18:51:45 +00:00
|
|
|
virFirewallRuleAddArg(fw, fwrule, "--source");
|
2013-03-04 16:30:40 +00:00
|
|
|
virFirewallRuleAddArgFormat(fw, fwrule, "%s", "!192.168.122.1");
|
|
|
|
virFirewallRuleAddArgList(fw, fwrule, "--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
if (virFirewallApply(fw) < 0)
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
|
|
|
|
actual = virBufferCurrentContent(&cmdbuf);
|
|
|
|
|
tests: Use virTestCompareToString() more
Instead of using:
if (STRNEQ(a, b)) {
virTestDifference(stderr, a, b);
...
}
we can use:
if (virTestCompareToString(a, b) < ) {
...
}
Generated by the following spatch:
@@
expression a, b;
@@
- if (STRNEQ(a, b)) {
+ if (virTestCompareToString(a, b) < 0) {
...
- virTestDifference(stderr, a, b);
...
}
and its variations (STRNEQ_NULLABLE() instead of STRNEQ(), then
in some cases variables passed to STRNEQ() are in reversed order
when compared to virTestCompareToString()).
However, coccinelle failed to recognize the pattern in
testNWFilterEBIPTablesAllTeardown() so I had to fix it manually.
Also, I manually fixed testFormat() in tests/sockettest.c as I
didn't bother writing another spatch rule just for that.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com>
2022-11-30 08:57:49 +00:00
|
|
|
if (virTestCompareToString(expected, actual) < 0) {
|
2018-12-04 17:08:14 +00:00
|
|
|
fprintf(stderr, "Unexpected command execution\n");
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
2021-11-15 01:05:32 +00:00
|
|
|
return 0;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
2019-10-14 12:45:03 +00:00
|
|
|
testFirewallManyGroups(const void *opaque G_GNUC_UNUSED)
|
2013-03-04 16:30:40 +00:00
|
|
|
{
|
2020-07-02 23:35:41 +00:00
|
|
|
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
|
2020-07-04 20:35:10 +00:00
|
|
|
g_autoptr(virFirewall) fw = virFirewallNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
const char *actual = NULL;
|
|
|
|
const char *expected =
|
2021-09-14 08:40:42 +00:00
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
|
|
|
|
IPTABLES " -w -A INPUT --source '!192.168.122.1' --jump REJECT\n"
|
|
|
|
IPTABLES " -w -A OUTPUT --source 192.168.122.1 --jump ACCEPT\n"
|
|
|
|
IPTABLES " -w -A OUTPUT --jump DROP\n";
|
2021-04-01 15:54:09 +00:00
|
|
|
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
|
tests: remove firewalld backend tests from virfirewalltest.c
When libvirt added support for firewalld, all iptables/ebtables rules
were added via the firewalld "passthrough" API when firewalld was
enabled (the "firewalld backend"), or run directly by libvirt when
firewalld was disabled (the so-called "direct
backend"). virfirewalltest.c dutifully ran each test twice, once with
the each backend enabled.
But commit b19863640d changed the code to *always* directly run
iptables/ebtables commands, and never use the firewalld passthrough
API, effectively making the direct and firewalld backends identical,
except that when libvirt receives notice that firewalld has restarted
or reloaded its rules, the firewalld backend sends an extra "iptables
-V" command via firewalld's passthrough API (and waits for a response)
prior to running all the rest of the iptables commands directly; this
assures that a newly-restarted firewalld has finished its work on the
filter tables before libvirt starts messing with it. (Because this
code is only executed in response to an event from dbus, it isn't
tested in the unit tests).
In spite of this, we still go through all the virfirewall tests twice
though - once for the direct backend, and once for the firewalld
backend, even though these take the same codepath.
In commit b19863640d I had left this double-testing in thinking that
someday we might go back to actually doing something useful with the
firewalld backend in the course of adding support for native nftables,
but I've now realized that for the case of nftables we will be *even
more* divorced from firewalld, so there is really no point in keeping
this code around any longer. (It's likely/probable that the tests will
be done twice again in the future, but it will be enough different
that it is better to remove this code and re-implement from scratch
when adding the nftables backend, rather than trying to directly
modify the existing code and end up with something even more
confusing).
This patch eliminates all the test duplication in virfirewalltest.c,
including mocking dbus, which is unnecessary since none of the tests
use dbus (for now we ensure that by explicitly setting the virfirewall
backend to DIRECT before any of the tests have run. Eventually the
concept of a "firewalld backend" will disappear completely, but that's
for another patch.)
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-11-14 20:50:26 +00:00
|
|
|
virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, NULL, NULL);
|
2013-03-04 16:30:40 +00:00
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "ACCEPT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "!192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "OUTPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "ACCEPT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "OUTPUT",
|
|
|
|
"--jump", "DROP", NULL);
|
|
|
|
|
|
|
|
|
|
|
|
if (virFirewallApply(fw) < 0)
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
|
|
|
|
actual = virBufferCurrentContent(&cmdbuf);
|
|
|
|
|
tests: Use virTestCompareToString() more
Instead of using:
if (STRNEQ(a, b)) {
virTestDifference(stderr, a, b);
...
}
we can use:
if (virTestCompareToString(a, b) < ) {
...
}
Generated by the following spatch:
@@
expression a, b;
@@
- if (STRNEQ(a, b)) {
+ if (virTestCompareToString(a, b) < 0) {
...
- virTestDifference(stderr, a, b);
...
}
and its variations (STRNEQ_NULLABLE() instead of STRNEQ(), then
in some cases variables passed to STRNEQ() are in reversed order
when compared to virTestCompareToString()).
However, coccinelle failed to recognize the pattern in
testNWFilterEBIPTablesAllTeardown() so I had to fix it manually.
Also, I manually fixed testFormat() in tests/sockettest.c as I
didn't bother writing another spatch rule just for that.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com>
2022-11-30 08:57:49 +00:00
|
|
|
if (virTestCompareToString(expected, actual) < 0) {
|
2018-12-04 17:08:14 +00:00
|
|
|
fprintf(stderr, "Unexpected command execution\n");
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
2021-11-15 01:05:32 +00:00
|
|
|
return 0;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static void
|
|
|
|
testFirewallRollbackHook(const char *const*args,
|
2019-10-14 12:45:03 +00:00
|
|
|
const char *const*env G_GNUC_UNUSED,
|
|
|
|
const char *input G_GNUC_UNUSED,
|
|
|
|
char **output G_GNUC_UNUSED,
|
|
|
|
char **error G_GNUC_UNUSED,
|
2013-03-04 16:30:40 +00:00
|
|
|
int *status,
|
2019-10-14 12:45:03 +00:00
|
|
|
void *opaque G_GNUC_UNUSED)
|
2013-03-04 16:30:40 +00:00
|
|
|
{
|
|
|
|
bool isAdd = false;
|
|
|
|
while (*args) {
|
|
|
|
/* Fake failure on the command with this IP addr */
|
|
|
|
if (STREQ(*args, "-A")) {
|
|
|
|
isAdd = true;
|
|
|
|
} else if (isAdd && STREQ(*args, "192.168.122.255")) {
|
|
|
|
*status = 127;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
args++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2019-10-14 12:45:03 +00:00
|
|
|
testFirewallIgnoreFailGroup(const void *opaque G_GNUC_UNUSED)
|
2013-03-04 16:30:40 +00:00
|
|
|
{
|
2020-07-02 23:35:41 +00:00
|
|
|
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
|
2020-07-04 20:35:10 +00:00
|
|
|
g_autoptr(virFirewall) fw = virFirewallNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
const char *actual = NULL;
|
|
|
|
const char *expected =
|
2021-09-14 08:40:42 +00:00
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
|
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.255 --jump REJECT\n"
|
|
|
|
IPTABLES " -w -A OUTPUT --source 192.168.122.1 --jump ACCEPT\n"
|
|
|
|
IPTABLES " -w -A OUTPUT --jump DROP\n";
|
2021-04-01 15:54:09 +00:00
|
|
|
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
|
tests: remove firewalld backend tests from virfirewalltest.c
When libvirt added support for firewalld, all iptables/ebtables rules
were added via the firewalld "passthrough" API when firewalld was
enabled (the "firewalld backend"), or run directly by libvirt when
firewalld was disabled (the so-called "direct
backend"). virfirewalltest.c dutifully ran each test twice, once with
the each backend enabled.
But commit b19863640d changed the code to *always* directly run
iptables/ebtables commands, and never use the firewalld passthrough
API, effectively making the direct and firewalld backends identical,
except that when libvirt receives notice that firewalld has restarted
or reloaded its rules, the firewalld backend sends an extra "iptables
-V" command via firewalld's passthrough API (and waits for a response)
prior to running all the rest of the iptables commands directly; this
assures that a newly-restarted firewalld has finished its work on the
filter tables before libvirt starts messing with it. (Because this
code is only executed in response to an event from dbus, it isn't
tested in the unit tests).
In spite of this, we still go through all the virfirewall tests twice
though - once for the direct backend, and once for the firewalld
backend, even though these take the same codepath.
In commit b19863640d I had left this double-testing in thinking that
someday we might go back to actually doing something useful with the
firewalld backend in the course of adding support for native nftables,
but I've now realized that for the case of nftables we will be *even
more* divorced from firewalld, so there is really no point in keeping
this code around any longer. (It's likely/probable that the tests will
be done twice again in the future, but it will be enough different
that it is better to remove this code and re-implement from scratch
when adding the nftables backend, rather than trying to directly
modify the existing code and end up with something even more
confusing).
This patch eliminates all the test duplication in virfirewalltest.c,
including mocking dbus, which is unnecessary since none of the tests
use dbus (for now we ensure that by explicitly setting the virfirewall
backend to DIRECT before any of the tests have run. Eventually the
concept of a "firewalld backend" will disappear completely, but that's
for another patch.)
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-11-14 20:50:26 +00:00
|
|
|
virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewallRollbackHook, NULL);
|
2013-03-04 16:30:40 +00:00
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "ACCEPT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.255",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "OUTPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "ACCEPT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "OUTPUT",
|
|
|
|
"--jump", "DROP", NULL);
|
|
|
|
|
|
|
|
|
|
|
|
if (virFirewallApply(fw) < 0)
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
|
|
|
|
actual = virBufferCurrentContent(&cmdbuf);
|
|
|
|
|
tests: Use virTestCompareToString() more
Instead of using:
if (STRNEQ(a, b)) {
virTestDifference(stderr, a, b);
...
}
we can use:
if (virTestCompareToString(a, b) < ) {
...
}
Generated by the following spatch:
@@
expression a, b;
@@
- if (STRNEQ(a, b)) {
+ if (virTestCompareToString(a, b) < 0) {
...
- virTestDifference(stderr, a, b);
...
}
and its variations (STRNEQ_NULLABLE() instead of STRNEQ(), then
in some cases variables passed to STRNEQ() are in reversed order
when compared to virTestCompareToString()).
However, coccinelle failed to recognize the pattern in
testNWFilterEBIPTablesAllTeardown() so I had to fix it manually.
Also, I manually fixed testFormat() in tests/sockettest.c as I
didn't bother writing another spatch rule just for that.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com>
2022-11-30 08:57:49 +00:00
|
|
|
if (virTestCompareToString(expected, actual) < 0) {
|
2018-12-04 17:08:14 +00:00
|
|
|
fprintf(stderr, "Unexpected command execution\n");
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
2021-11-15 01:05:32 +00:00
|
|
|
return 0;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
2019-10-14 12:45:03 +00:00
|
|
|
testFirewallIgnoreFailRule(const void *opaque G_GNUC_UNUSED)
|
2013-03-04 16:30:40 +00:00
|
|
|
{
|
2020-07-02 23:35:41 +00:00
|
|
|
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
|
2020-07-04 20:35:10 +00:00
|
|
|
g_autoptr(virFirewall) fw = virFirewallNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
const char *actual = NULL;
|
|
|
|
const char *expected =
|
2021-09-14 08:40:42 +00:00
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
|
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.255 --jump REJECT\n"
|
|
|
|
IPTABLES " -w -A OUTPUT --source 192.168.122.1 --jump ACCEPT\n"
|
|
|
|
IPTABLES " -w -A OUTPUT --jump DROP\n";
|
2021-04-01 15:54:09 +00:00
|
|
|
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
|
tests: remove firewalld backend tests from virfirewalltest.c
When libvirt added support for firewalld, all iptables/ebtables rules
were added via the firewalld "passthrough" API when firewalld was
enabled (the "firewalld backend"), or run directly by libvirt when
firewalld was disabled (the so-called "direct
backend"). virfirewalltest.c dutifully ran each test twice, once with
the each backend enabled.
But commit b19863640d changed the code to *always* directly run
iptables/ebtables commands, and never use the firewalld passthrough
API, effectively making the direct and firewalld backends identical,
except that when libvirt receives notice that firewalld has restarted
or reloaded its rules, the firewalld backend sends an extra "iptables
-V" command via firewalld's passthrough API (and waits for a response)
prior to running all the rest of the iptables commands directly; this
assures that a newly-restarted firewalld has finished its work on the
filter tables before libvirt starts messing with it. (Because this
code is only executed in response to an event from dbus, it isn't
tested in the unit tests).
In spite of this, we still go through all the virfirewall tests twice
though - once for the direct backend, and once for the firewalld
backend, even though these take the same codepath.
In commit b19863640d I had left this double-testing in thinking that
someday we might go back to actually doing something useful with the
firewalld backend in the course of adding support for native nftables,
but I've now realized that for the case of nftables we will be *even
more* divorced from firewalld, so there is really no point in keeping
this code around any longer. (It's likely/probable that the tests will
be done twice again in the future, but it will be enough different
that it is better to remove this code and re-implement from scratch
when adding the nftables backend, rather than trying to directly
modify the existing code and end up with something even more
confusing).
This patch eliminates all the test duplication in virfirewalltest.c,
including mocking dbus, which is unnecessary since none of the tests
use dbus (for now we ensure that by explicitly setting the virfirewall
backend to DIRECT before any of the tests have run. Eventually the
concept of a "firewalld backend" will disappear completely, but that's
for another patch.)
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-11-14 20:50:26 +00:00
|
|
|
virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewallRollbackHook, NULL);
|
2013-03-04 16:30:40 +00:00
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "ACCEPT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
true, NULL, NULL,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.255",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "OUTPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "ACCEPT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "OUTPUT",
|
|
|
|
"--jump", "DROP", NULL);
|
|
|
|
|
|
|
|
|
|
|
|
if (virFirewallApply(fw) < 0)
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
|
|
|
|
actual = virBufferCurrentContent(&cmdbuf);
|
|
|
|
|
tests: Use virTestCompareToString() more
Instead of using:
if (STRNEQ(a, b)) {
virTestDifference(stderr, a, b);
...
}
we can use:
if (virTestCompareToString(a, b) < ) {
...
}
Generated by the following spatch:
@@
expression a, b;
@@
- if (STRNEQ(a, b)) {
+ if (virTestCompareToString(a, b) < 0) {
...
- virTestDifference(stderr, a, b);
...
}
and its variations (STRNEQ_NULLABLE() instead of STRNEQ(), then
in some cases variables passed to STRNEQ() are in reversed order
when compared to virTestCompareToString()).
However, coccinelle failed to recognize the pattern in
testNWFilterEBIPTablesAllTeardown() so I had to fix it manually.
Also, I manually fixed testFormat() in tests/sockettest.c as I
didn't bother writing another spatch rule just for that.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com>
2022-11-30 08:57:49 +00:00
|
|
|
if (virTestCompareToString(expected, actual) < 0) {
|
2018-12-04 17:08:14 +00:00
|
|
|
fprintf(stderr, "Unexpected command execution\n");
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
2021-11-15 01:05:32 +00:00
|
|
|
return 0;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
2019-10-14 12:45:03 +00:00
|
|
|
testFirewallNoRollback(const void *opaque G_GNUC_UNUSED)
|
2013-03-04 16:30:40 +00:00
|
|
|
{
|
2020-07-02 23:35:41 +00:00
|
|
|
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
|
2020-07-04 20:35:10 +00:00
|
|
|
g_autoptr(virFirewall) fw = virFirewallNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
const char *actual = NULL;
|
|
|
|
const char *expected =
|
2021-09-14 08:40:42 +00:00
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
|
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.255 --jump REJECT\n";
|
2021-04-01 15:54:09 +00:00
|
|
|
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
|
tests: remove firewalld backend tests from virfirewalltest.c
When libvirt added support for firewalld, all iptables/ebtables rules
were added via the firewalld "passthrough" API when firewalld was
enabled (the "firewalld backend"), or run directly by libvirt when
firewalld was disabled (the so-called "direct
backend"). virfirewalltest.c dutifully ran each test twice, once with
the each backend enabled.
But commit b19863640d changed the code to *always* directly run
iptables/ebtables commands, and never use the firewalld passthrough
API, effectively making the direct and firewalld backends identical,
except that when libvirt receives notice that firewalld has restarted
or reloaded its rules, the firewalld backend sends an extra "iptables
-V" command via firewalld's passthrough API (and waits for a response)
prior to running all the rest of the iptables commands directly; this
assures that a newly-restarted firewalld has finished its work on the
filter tables before libvirt starts messing with it. (Because this
code is only executed in response to an event from dbus, it isn't
tested in the unit tests).
In spite of this, we still go through all the virfirewall tests twice
though - once for the direct backend, and once for the firewalld
backend, even though these take the same codepath.
In commit b19863640d I had left this double-testing in thinking that
someday we might go back to actually doing something useful with the
firewalld backend in the course of adding support for native nftables,
but I've now realized that for the case of nftables we will be *even
more* divorced from firewalld, so there is really no point in keeping
this code around any longer. (It's likely/probable that the tests will
be done twice again in the future, but it will be enough different
that it is better to remove this code and re-implement from scratch
when adding the nftables backend, rather than trying to directly
modify the existing code and end up with something even more
confusing).
This patch eliminates all the test duplication in virfirewalltest.c,
including mocking dbus, which is unnecessary since none of the tests
use dbus (for now we ensure that by explicitly setting the virfirewall
backend to DIRECT before any of the tests have run. Eventually the
concept of a "firewalld backend" will disappear completely, but that's
for another patch.)
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-11-14 20:50:26 +00:00
|
|
|
virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewallRollbackHook, NULL);
|
2013-03-04 16:30:40 +00:00
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "ACCEPT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.255",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "!192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
if (virFirewallApply(fw) == 0) {
|
|
|
|
fprintf(stderr, "Firewall apply unexpectedly worked\n");
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
actual = virBufferCurrentContent(&cmdbuf);
|
|
|
|
|
tests: Use virTestCompareToString() more
Instead of using:
if (STRNEQ(a, b)) {
virTestDifference(stderr, a, b);
...
}
we can use:
if (virTestCompareToString(a, b) < ) {
...
}
Generated by the following spatch:
@@
expression a, b;
@@
- if (STRNEQ(a, b)) {
+ if (virTestCompareToString(a, b) < 0) {
...
- virTestDifference(stderr, a, b);
...
}
and its variations (STRNEQ_NULLABLE() instead of STRNEQ(), then
in some cases variables passed to STRNEQ() are in reversed order
when compared to virTestCompareToString()).
However, coccinelle failed to recognize the pattern in
testNWFilterEBIPTablesAllTeardown() so I had to fix it manually.
Also, I manually fixed testFormat() in tests/sockettest.c as I
didn't bother writing another spatch rule just for that.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com>
2022-11-30 08:57:49 +00:00
|
|
|
if (virTestCompareToString(expected, actual) < 0) {
|
2018-12-04 17:08:14 +00:00
|
|
|
fprintf(stderr, "Unexpected command execution\n");
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
2021-11-15 01:05:32 +00:00
|
|
|
return 0;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2019-10-14 12:45:03 +00:00
|
|
|
testFirewallSingleRollback(const void *opaque G_GNUC_UNUSED)
|
2013-03-04 16:30:40 +00:00
|
|
|
{
|
2020-07-02 23:35:41 +00:00
|
|
|
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
|
2020-07-04 20:35:10 +00:00
|
|
|
g_autoptr(virFirewall) fw = virFirewallNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
const char *actual = NULL;
|
|
|
|
const char *expected =
|
2021-09-14 08:40:42 +00:00
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
|
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.255 --jump REJECT\n"
|
|
|
|
IPTABLES " -w -D INPUT --source 192.168.122.1 --jump ACCEPT\n"
|
|
|
|
IPTABLES " -w -D INPUT --source 192.168.122.255 --jump REJECT\n"
|
|
|
|
IPTABLES " -w -D INPUT --source '!192.168.122.1' --jump REJECT\n";
|
2021-04-01 15:54:09 +00:00
|
|
|
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
|
tests: remove firewalld backend tests from virfirewalltest.c
When libvirt added support for firewalld, all iptables/ebtables rules
were added via the firewalld "passthrough" API when firewalld was
enabled (the "firewalld backend"), or run directly by libvirt when
firewalld was disabled (the so-called "direct
backend"). virfirewalltest.c dutifully ran each test twice, once with
the each backend enabled.
But commit b19863640d changed the code to *always* directly run
iptables/ebtables commands, and never use the firewalld passthrough
API, effectively making the direct and firewalld backends identical,
except that when libvirt receives notice that firewalld has restarted
or reloaded its rules, the firewalld backend sends an extra "iptables
-V" command via firewalld's passthrough API (and waits for a response)
prior to running all the rest of the iptables commands directly; this
assures that a newly-restarted firewalld has finished its work on the
filter tables before libvirt starts messing with it. (Because this
code is only executed in response to an event from dbus, it isn't
tested in the unit tests).
In spite of this, we still go through all the virfirewall tests twice
though - once for the direct backend, and once for the firewalld
backend, even though these take the same codepath.
In commit b19863640d I had left this double-testing in thinking that
someday we might go back to actually doing something useful with the
firewalld backend in the course of adding support for native nftables,
but I've now realized that for the case of nftables we will be *even
more* divorced from firewalld, so there is really no point in keeping
this code around any longer. (It's likely/probable that the tests will
be done twice again in the future, but it will be enough different
that it is better to remove this code and re-implement from scratch
when adding the nftables backend, rather than trying to directly
modify the existing code and end up with something even more
confusing).
This patch eliminates all the test duplication in virfirewalltest.c,
including mocking dbus, which is unnecessary since none of the tests
use dbus (for now we ensure that by explicitly setting the virfirewall
backend to DIRECT before any of the tests have run. Eventually the
concept of a "firewalld backend" will disappear completely, but that's
for another patch.)
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-11-14 20:50:26 +00:00
|
|
|
virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewallRollbackHook, NULL);
|
2013-03-04 16:30:40 +00:00
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "ACCEPT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.255",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "!192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
virFirewallStartRollback(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-D", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "ACCEPT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-D", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.255",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-D", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "!192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
if (virFirewallApply(fw) == 0) {
|
|
|
|
fprintf(stderr, "Firewall apply unexpectedly worked\n");
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
actual = virBufferCurrentContent(&cmdbuf);
|
|
|
|
|
tests: Use virTestCompareToString() more
Instead of using:
if (STRNEQ(a, b)) {
virTestDifference(stderr, a, b);
...
}
we can use:
if (virTestCompareToString(a, b) < ) {
...
}
Generated by the following spatch:
@@
expression a, b;
@@
- if (STRNEQ(a, b)) {
+ if (virTestCompareToString(a, b) < 0) {
...
- virTestDifference(stderr, a, b);
...
}
and its variations (STRNEQ_NULLABLE() instead of STRNEQ(), then
in some cases variables passed to STRNEQ() are in reversed order
when compared to virTestCompareToString()).
However, coccinelle failed to recognize the pattern in
testNWFilterEBIPTablesAllTeardown() so I had to fix it manually.
Also, I manually fixed testFormat() in tests/sockettest.c as I
didn't bother writing another spatch rule just for that.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com>
2022-11-30 08:57:49 +00:00
|
|
|
if (virTestCompareToString(expected, actual) < 0) {
|
2018-12-04 17:08:14 +00:00
|
|
|
fprintf(stderr, "Unexpected command execution\n");
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
2021-11-15 01:05:32 +00:00
|
|
|
return 0;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2019-10-14 12:45:03 +00:00
|
|
|
testFirewallManyRollback(const void *opaque G_GNUC_UNUSED)
|
2013-03-04 16:30:40 +00:00
|
|
|
{
|
2020-07-02 23:35:41 +00:00
|
|
|
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
|
2020-07-04 20:35:10 +00:00
|
|
|
g_autoptr(virFirewall) fw = virFirewallNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
const char *actual = NULL;
|
|
|
|
const char *expected =
|
2021-09-14 08:40:42 +00:00
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
|
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.255 --jump REJECT\n"
|
|
|
|
IPTABLES " -w -D INPUT --source 192.168.122.255 --jump REJECT\n"
|
|
|
|
IPTABLES " -w -D INPUT --source '!192.168.122.1' --jump REJECT\n";
|
2021-04-01 15:54:09 +00:00
|
|
|
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
|
tests: remove firewalld backend tests from virfirewalltest.c
When libvirt added support for firewalld, all iptables/ebtables rules
were added via the firewalld "passthrough" API when firewalld was
enabled (the "firewalld backend"), or run directly by libvirt when
firewalld was disabled (the so-called "direct
backend"). virfirewalltest.c dutifully ran each test twice, once with
the each backend enabled.
But commit b19863640d changed the code to *always* directly run
iptables/ebtables commands, and never use the firewalld passthrough
API, effectively making the direct and firewalld backends identical,
except that when libvirt receives notice that firewalld has restarted
or reloaded its rules, the firewalld backend sends an extra "iptables
-V" command via firewalld's passthrough API (and waits for a response)
prior to running all the rest of the iptables commands directly; this
assures that a newly-restarted firewalld has finished its work on the
filter tables before libvirt starts messing with it. (Because this
code is only executed in response to an event from dbus, it isn't
tested in the unit tests).
In spite of this, we still go through all the virfirewall tests twice
though - once for the direct backend, and once for the firewalld
backend, even though these take the same codepath.
In commit b19863640d I had left this double-testing in thinking that
someday we might go back to actually doing something useful with the
firewalld backend in the course of adding support for native nftables,
but I've now realized that for the case of nftables we will be *even
more* divorced from firewalld, so there is really no point in keeping
this code around any longer. (It's likely/probable that the tests will
be done twice again in the future, but it will be enough different
that it is better to remove this code and re-implement from scratch
when adding the nftables backend, rather than trying to directly
modify the existing code and end up with something even more
confusing).
This patch eliminates all the test duplication in virfirewalltest.c,
including mocking dbus, which is unnecessary since none of the tests
use dbus (for now we ensure that by explicitly setting the virfirewall
backend to DIRECT before any of the tests have run. Eventually the
concept of a "firewalld backend" will disappear completely, but that's
for another patch.)
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-11-14 20:50:26 +00:00
|
|
|
virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewallRollbackHook, NULL);
|
2013-03-04 16:30:40 +00:00
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "ACCEPT", NULL);
|
|
|
|
|
|
|
|
virFirewallStartRollback(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-D", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "ACCEPT", NULL);
|
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.255",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "!192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
virFirewallStartRollback(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-D", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.255",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-D", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "!192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
if (virFirewallApply(fw) == 0) {
|
|
|
|
fprintf(stderr, "Firewall apply unexpectedly worked\n");
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
actual = virBufferCurrentContent(&cmdbuf);
|
|
|
|
|
tests: Use virTestCompareToString() more
Instead of using:
if (STRNEQ(a, b)) {
virTestDifference(stderr, a, b);
...
}
we can use:
if (virTestCompareToString(a, b) < ) {
...
}
Generated by the following spatch:
@@
expression a, b;
@@
- if (STRNEQ(a, b)) {
+ if (virTestCompareToString(a, b) < 0) {
...
- virTestDifference(stderr, a, b);
...
}
and its variations (STRNEQ_NULLABLE() instead of STRNEQ(), then
in some cases variables passed to STRNEQ() are in reversed order
when compared to virTestCompareToString()).
However, coccinelle failed to recognize the pattern in
testNWFilterEBIPTablesAllTeardown() so I had to fix it manually.
Also, I manually fixed testFormat() in tests/sockettest.c as I
didn't bother writing another spatch rule just for that.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com>
2022-11-30 08:57:49 +00:00
|
|
|
if (virTestCompareToString(expected, actual) < 0) {
|
2018-12-04 17:08:14 +00:00
|
|
|
fprintf(stderr, "Unexpected command execution\n");
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
2021-11-15 01:05:32 +00:00
|
|
|
return 0;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2019-10-14 12:45:03 +00:00
|
|
|
testFirewallChainedRollback(const void *opaque G_GNUC_UNUSED)
|
2013-03-04 16:30:40 +00:00
|
|
|
{
|
2020-07-02 23:35:41 +00:00
|
|
|
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
|
2020-07-04 20:35:10 +00:00
|
|
|
g_autoptr(virFirewall) fw = virFirewallNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
const char *actual = NULL;
|
|
|
|
const char *expected =
|
2021-09-14 08:40:42 +00:00
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
|
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.127 --jump REJECT\n"
|
|
|
|
IPTABLES " -w -A INPUT --source '!192.168.122.1' --jump REJECT\n"
|
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.255 --jump REJECT\n"
|
|
|
|
IPTABLES " -w -D INPUT --source 192.168.122.127 --jump REJECT\n"
|
|
|
|
IPTABLES " -w -D INPUT --source '!192.168.122.1' --jump REJECT\n"
|
|
|
|
IPTABLES " -w -D INPUT --source 192.168.122.255 --jump REJECT\n"
|
|
|
|
IPTABLES " -w -D INPUT --source '!192.168.122.1' --jump REJECT\n";
|
2021-04-01 15:54:09 +00:00
|
|
|
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
|
tests: remove firewalld backend tests from virfirewalltest.c
When libvirt added support for firewalld, all iptables/ebtables rules
were added via the firewalld "passthrough" API when firewalld was
enabled (the "firewalld backend"), or run directly by libvirt when
firewalld was disabled (the so-called "direct
backend"). virfirewalltest.c dutifully ran each test twice, once with
the each backend enabled.
But commit b19863640d changed the code to *always* directly run
iptables/ebtables commands, and never use the firewalld passthrough
API, effectively making the direct and firewalld backends identical,
except that when libvirt receives notice that firewalld has restarted
or reloaded its rules, the firewalld backend sends an extra "iptables
-V" command via firewalld's passthrough API (and waits for a response)
prior to running all the rest of the iptables commands directly; this
assures that a newly-restarted firewalld has finished its work on the
filter tables before libvirt starts messing with it. (Because this
code is only executed in response to an event from dbus, it isn't
tested in the unit tests).
In spite of this, we still go through all the virfirewall tests twice
though - once for the direct backend, and once for the firewalld
backend, even though these take the same codepath.
In commit b19863640d I had left this double-testing in thinking that
someday we might go back to actually doing something useful with the
firewalld backend in the course of adding support for native nftables,
but I've now realized that for the case of nftables we will be *even
more* divorced from firewalld, so there is really no point in keeping
this code around any longer. (It's likely/probable that the tests will
be done twice again in the future, but it will be enough different
that it is better to remove this code and re-implement from scratch
when adding the nftables backend, rather than trying to directly
modify the existing code and end up with something even more
confusing).
This patch eliminates all the test duplication in virfirewalltest.c,
including mocking dbus, which is unnecessary since none of the tests
use dbus (for now we ensure that by explicitly setting the virfirewall
backend to DIRECT before any of the tests have run. Eventually the
concept of a "firewalld backend" will disappear completely, but that's
for another patch.)
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-11-14 20:50:26 +00:00
|
|
|
virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewallRollbackHook, NULL);
|
2013-03-04 16:30:40 +00:00
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "ACCEPT", NULL);
|
|
|
|
|
|
|
|
virFirewallStartRollback(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-D", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "ACCEPT", NULL);
|
|
|
|
|
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.127",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "!192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
virFirewallStartRollback(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-D", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.127",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-D", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "!192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.255",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "!192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
virFirewallStartRollback(fw, VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-D", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.255",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-D", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "!192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
if (virFirewallApply(fw) == 0) {
|
|
|
|
fprintf(stderr, "Firewall apply unexpectedly worked\n");
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
actual = virBufferCurrentContent(&cmdbuf);
|
|
|
|
|
tests: Use virTestCompareToString() more
Instead of using:
if (STRNEQ(a, b)) {
virTestDifference(stderr, a, b);
...
}
we can use:
if (virTestCompareToString(a, b) < ) {
...
}
Generated by the following spatch:
@@
expression a, b;
@@
- if (STRNEQ(a, b)) {
+ if (virTestCompareToString(a, b) < 0) {
...
- virTestDifference(stderr, a, b);
...
}
and its variations (STRNEQ_NULLABLE() instead of STRNEQ(), then
in some cases variables passed to STRNEQ() are in reversed order
when compared to virTestCompareToString()).
However, coccinelle failed to recognize the pattern in
testNWFilterEBIPTablesAllTeardown() so I had to fix it manually.
Also, I manually fixed testFormat() in tests/sockettest.c as I
didn't bother writing another spatch rule just for that.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com>
2022-11-30 08:57:49 +00:00
|
|
|
if (virTestCompareToString(expected, actual) < 0) {
|
2018-12-04 17:08:14 +00:00
|
|
|
fprintf(stderr, "Unexpected command execution\n");
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
2021-11-15 01:05:32 +00:00
|
|
|
return 0;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static const char *expectedLines[] = {
|
|
|
|
"Chain INPUT (policy ACCEPT)",
|
|
|
|
"target prot opt source destination",
|
|
|
|
"",
|
|
|
|
"Chain FORWARD (policy ACCEPT)",
|
|
|
|
"target prot opt source destination",
|
|
|
|
"",
|
|
|
|
"Chain OUTPUT (policy ACCEPT)",
|
|
|
|
"target prot opt source destination",
|
|
|
|
"",
|
|
|
|
"Chain PREROUTING (policy ACCEPT)",
|
|
|
|
"target prot opt source destination",
|
|
|
|
"",
|
|
|
|
"Chain INPUT (policy ACCEPT)",
|
|
|
|
"target prot opt source destination",
|
|
|
|
"",
|
|
|
|
"Chain OUTPUT (policy ACCEPT)",
|
|
|
|
"target prot opt source destination",
|
|
|
|
"",
|
|
|
|
"Chain POSTROUTING (policy ACCEPT)",
|
|
|
|
"target prot opt source destination",
|
|
|
|
"",
|
|
|
|
};
|
|
|
|
static size_t expectedLineNum;
|
|
|
|
static bool expectedLineError;
|
|
|
|
|
|
|
|
static void
|
|
|
|
testFirewallQueryHook(const char *const*args,
|
2019-10-14 12:45:03 +00:00
|
|
|
const char *const*env G_GNUC_UNUSED,
|
|
|
|
const char *input G_GNUC_UNUSED,
|
2013-03-04 16:30:40 +00:00
|
|
|
char **output,
|
2019-10-14 12:45:03 +00:00
|
|
|
char **error G_GNUC_UNUSED,
|
2019-10-20 11:49:46 +00:00
|
|
|
int *status G_GNUC_UNUSED,
|
2019-10-14 12:45:03 +00:00
|
|
|
void *opaque G_GNUC_UNUSED)
|
2013-03-04 16:30:40 +00:00
|
|
|
{
|
2021-09-14 08:40:42 +00:00
|
|
|
if (STREQ(args[0], IPTABLES) &&
|
2020-11-17 00:20:53 +00:00
|
|
|
STREQ(args[1], "-w") &&
|
|
|
|
STREQ(args[2], "-L")) {
|
2019-10-20 11:49:46 +00:00
|
|
|
*output = g_strdup(TEST_FILTER_TABLE_LIST);
|
2021-09-14 08:40:42 +00:00
|
|
|
} else if (STREQ(args[0], IPTABLES) &&
|
2020-11-17 00:20:53 +00:00
|
|
|
STREQ(args[1], "-w") &&
|
|
|
|
STREQ(args[2], "-t") &&
|
|
|
|
STREQ(args[3], "nat") &&
|
|
|
|
STREQ(args[4], "-L")) {
|
2019-10-20 11:49:46 +00:00
|
|
|
*output = g_strdup(TEST_NAT_TABLE_LIST);
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
2021-03-11 07:16:13 +00:00
|
|
|
testFirewallQueryCallback(virFirewall *fw,
|
2018-12-04 16:33:28 +00:00
|
|
|
virFirewallLayer layer,
|
2013-03-04 16:30:40 +00:00
|
|
|
const char *const *lines,
|
2019-10-14 12:45:03 +00:00
|
|
|
void *opaque G_GNUC_UNUSED)
|
2013-03-04 16:30:40 +00:00
|
|
|
{
|
|
|
|
size_t i;
|
2018-12-04 16:33:28 +00:00
|
|
|
virFirewallAddRule(fw, layer,
|
2013-03-04 16:30:40 +00:00
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "!192.168.122.129",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
for (i = 0; lines[i] != NULL; i++) {
|
2019-10-15 11:55:26 +00:00
|
|
|
if (expectedLineNum >= G_N_ELEMENTS(expectedLines)) {
|
2013-03-04 16:30:40 +00:00
|
|
|
expectedLineError = true;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (STRNEQ(expectedLines[expectedLineNum], lines[i])) {
|
|
|
|
fprintf(stderr, "Mismatch '%s' vs '%s' at %zu, %zu\n",
|
|
|
|
expectedLines[expectedLineNum], lines[i],
|
|
|
|
expectedLineNum, i);
|
|
|
|
expectedLineError = true;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
expectedLineNum++;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2019-10-14 12:45:03 +00:00
|
|
|
testFirewallQuery(const void *opaque G_GNUC_UNUSED)
|
2013-03-04 16:30:40 +00:00
|
|
|
{
|
2020-07-02 23:35:41 +00:00
|
|
|
g_auto(virBuffer) cmdbuf = VIR_BUFFER_INITIALIZER;
|
2020-07-04 20:35:10 +00:00
|
|
|
g_autoptr(virFirewall) fw = virFirewallNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
const char *actual = NULL;
|
|
|
|
const char *expected =
|
2021-09-14 08:40:42 +00:00
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
|
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.127 --jump REJECT\n"
|
|
|
|
IPTABLES " -w -L\n"
|
|
|
|
IPTABLES " -w -t nat -L\n"
|
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.130 --jump REJECT\n"
|
|
|
|
IPTABLES " -w -A INPUT --source '!192.168.122.129' --jump REJECT\n"
|
|
|
|
IPTABLES " -w -A INPUT --source '!192.168.122.129' --jump REJECT\n"
|
|
|
|
IPTABLES " -w -A INPUT --source 192.168.122.128 --jump REJECT\n"
|
|
|
|
IPTABLES " -w -A INPUT --source '!192.168.122.1' --jump REJECT\n";
|
2021-04-01 15:54:09 +00:00
|
|
|
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
|
2013-03-04 16:30:40 +00:00
|
|
|
|
|
|
|
expectedLineNum = 0;
|
|
|
|
expectedLineError = false;
|
|
|
|
|
tests: remove firewalld backend tests from virfirewalltest.c
When libvirt added support for firewalld, all iptables/ebtables rules
were added via the firewalld "passthrough" API when firewalld was
enabled (the "firewalld backend"), or run directly by libvirt when
firewalld was disabled (the so-called "direct
backend"). virfirewalltest.c dutifully ran each test twice, once with
the each backend enabled.
But commit b19863640d changed the code to *always* directly run
iptables/ebtables commands, and never use the firewalld passthrough
API, effectively making the direct and firewalld backends identical,
except that when libvirt receives notice that firewalld has restarted
or reloaded its rules, the firewalld backend sends an extra "iptables
-V" command via firewalld's passthrough API (and waits for a response)
prior to running all the rest of the iptables commands directly; this
assures that a newly-restarted firewalld has finished its work on the
filter tables before libvirt starts messing with it. (Because this
code is only executed in response to an event from dbus, it isn't
tested in the unit tests).
In spite of this, we still go through all the virfirewall tests twice
though - once for the direct backend, and once for the firewalld
backend, even though these take the same codepath.
In commit b19863640d I had left this double-testing in thinking that
someday we might go back to actually doing something useful with the
firewalld backend in the course of adding support for native nftables,
but I've now realized that for the case of nftables we will be *even
more* divorced from firewalld, so there is really no point in keeping
this code around any longer. (It's likely/probable that the tests will
be done twice again in the future, but it will be enough different
that it is better to remove this code and re-implement from scratch
when adding the nftables backend, rather than trying to directly
modify the existing code and end up with something even more
confusing).
This patch eliminates all the test duplication in virfirewalltest.c,
including mocking dbus, which is unnecessary since none of the tests
use dbus (for now we ensure that by explicitly setting the virfirewall
backend to DIRECT before any of the tests have run. Eventually the
concept of a "firewalld backend" will disappear completely, but that's
for another patch.)
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-11-14 20:50:26 +00:00
|
|
|
virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, testFirewallQueryHook, NULL);
|
2013-03-04 16:30:40 +00:00
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "ACCEPT", NULL);
|
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.127",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
false,
|
|
|
|
testFirewallQueryCallback,
|
|
|
|
NULL,
|
|
|
|
"-L", NULL);
|
|
|
|
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
false,
|
|
|
|
testFirewallQueryCallback,
|
|
|
|
NULL,
|
|
|
|
"-t", "nat", "-L", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.130",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
|
|
|
|
virFirewallStartTransaction(fw, 0);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "192.168.122.128",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
|
|
|
|
"-A", "INPUT",
|
2020-11-17 18:51:45 +00:00
|
|
|
"--source", "!192.168.122.1",
|
2013-03-04 16:30:40 +00:00
|
|
|
"--jump", "REJECT", NULL);
|
|
|
|
|
|
|
|
if (virFirewallApply(fw) < 0)
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
|
|
|
|
actual = virBufferCurrentContent(&cmdbuf);
|
|
|
|
|
|
|
|
if (expectedLineError) {
|
|
|
|
fprintf(stderr, "Got some unexpected query data\n");
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
tests: Use virTestCompareToString() more
Instead of using:
if (STRNEQ(a, b)) {
virTestDifference(stderr, a, b);
...
}
we can use:
if (virTestCompareToString(a, b) < ) {
...
}
Generated by the following spatch:
@@
expression a, b;
@@
- if (STRNEQ(a, b)) {
+ if (virTestCompareToString(a, b) < 0) {
...
- virTestDifference(stderr, a, b);
...
}
and its variations (STRNEQ_NULLABLE() instead of STRNEQ(), then
in some cases variables passed to STRNEQ() are in reversed order
when compared to virTestCompareToString()).
However, coccinelle failed to recognize the pattern in
testNWFilterEBIPTablesAllTeardown() so I had to fix it manually.
Also, I manually fixed testFormat() in tests/sockettest.c as I
didn't bother writing another spatch rule just for that.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jonathon Jongsma <jjongsma@redhat.com>
2022-11-30 08:57:49 +00:00
|
|
|
if (virTestCompareToString(expected, actual) < 0) {
|
2018-12-04 17:08:14 +00:00
|
|
|
fprintf(stderr, "Unexpected command execution\n");
|
2021-11-15 01:05:32 +00:00
|
|
|
return -1;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
2021-11-15 01:05:32 +00:00
|
|
|
return 0;
|
2013-03-04 16:30:40 +00:00
|
|
|
}
|
|
|
|
|
2017-04-07 14:11:14 +00:00
|
|
|
|
2013-03-04 16:30:40 +00:00
|
|
|
static int
|
|
|
|
mymain(void)
|
|
|
|
{
|
|
|
|
int ret = 0;
|
|
|
|
|
tests: remove firewalld backend tests from virfirewalltest.c
When libvirt added support for firewalld, all iptables/ebtables rules
were added via the firewalld "passthrough" API when firewalld was
enabled (the "firewalld backend"), or run directly by libvirt when
firewalld was disabled (the so-called "direct
backend"). virfirewalltest.c dutifully ran each test twice, once with
the each backend enabled.
But commit b19863640d changed the code to *always* directly run
iptables/ebtables commands, and never use the firewalld passthrough
API, effectively making the direct and firewalld backends identical,
except that when libvirt receives notice that firewalld has restarted
or reloaded its rules, the firewalld backend sends an extra "iptables
-V" command via firewalld's passthrough API (and waits for a response)
prior to running all the rest of the iptables commands directly; this
assures that a newly-restarted firewalld has finished its work on the
filter tables before libvirt starts messing with it. (Because this
code is only executed in response to an event from dbus, it isn't
tested in the unit tests).
In spite of this, we still go through all the virfirewall tests twice
though - once for the direct backend, and once for the firewalld
backend, even though these take the same codepath.
In commit b19863640d I had left this double-testing in thinking that
someday we might go back to actually doing something useful with the
firewalld backend in the course of adding support for native nftables,
but I've now realized that for the case of nftables we will be *even
more* divorced from firewalld, so there is really no point in keeping
this code around any longer. (It's likely/probable that the tests will
be done twice again in the future, but it will be enough different
that it is better to remove this code and re-implement from scratch
when adding the nftables backend, rather than trying to directly
modify the existing code and end up with something even more
confusing).
This patch eliminates all the test duplication in virfirewalltest.c,
including mocking dbus, which is unnecessary since none of the tests
use dbus (for now we ensure that by explicitly setting the virfirewall
backend to DIRECT before any of the tests have run. Eventually the
concept of a "firewalld backend" will disappear completely, but that's
for another patch.)
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-11-14 20:50:26 +00:00
|
|
|
# define RUN_TEST(name, method) \
|
2017-11-03 12:09:47 +00:00
|
|
|
do { \
|
tests: remove firewalld backend tests from virfirewalltest.c
When libvirt added support for firewalld, all iptables/ebtables rules
were added via the firewalld "passthrough" API when firewalld was
enabled (the "firewalld backend"), or run directly by libvirt when
firewalld was disabled (the so-called "direct
backend"). virfirewalltest.c dutifully ran each test twice, once with
the each backend enabled.
But commit b19863640d changed the code to *always* directly run
iptables/ebtables commands, and never use the firewalld passthrough
API, effectively making the direct and firewalld backends identical,
except that when libvirt receives notice that firewalld has restarted
or reloaded its rules, the firewalld backend sends an extra "iptables
-V" command via firewalld's passthrough API (and waits for a response)
prior to running all the rest of the iptables commands directly; this
assures that a newly-restarted firewalld has finished its work on the
filter tables before libvirt starts messing with it. (Because this
code is only executed in response to an event from dbus, it isn't
tested in the unit tests).
In spite of this, we still go through all the virfirewall tests twice
though - once for the direct backend, and once for the firewalld
backend, even though these take the same codepath.
In commit b19863640d I had left this double-testing in thinking that
someday we might go back to actually doing something useful with the
firewalld backend in the course of adding support for native nftables,
but I've now realized that for the case of nftables we will be *even
more* divorced from firewalld, so there is really no point in keeping
this code around any longer. (It's likely/probable that the tests will
be done twice again in the future, but it will be enough different
that it is better to remove this code and re-implement from scratch
when adding the nftables backend, rather than trying to directly
modify the existing code and end up with something even more
confusing).
This patch eliminates all the test duplication in virfirewalltest.c,
including mocking dbus, which is unnecessary since none of the tests
use dbus (for now we ensure that by explicitly setting the virfirewall
backend to DIRECT before any of the tests have run. Eventually the
concept of a "firewalld backend" will disappear completely, but that's
for another patch.)
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-11-14 20:50:26 +00:00
|
|
|
if (virTestRun(name, method, NULL) < 0) \
|
2017-11-03 12:09:47 +00:00
|
|
|
ret = -1; \
|
2013-03-04 16:30:40 +00:00
|
|
|
} while (0)
|
|
|
|
|
|
|
|
RUN_TEST("single group", testFirewallSingleGroup);
|
|
|
|
RUN_TEST("remove rule", testFirewallRemoveRule);
|
|
|
|
RUN_TEST("many groups", testFirewallManyGroups);
|
|
|
|
RUN_TEST("ignore fail group", testFirewallIgnoreFailGroup);
|
|
|
|
RUN_TEST("ignore fail rule", testFirewallIgnoreFailRule);
|
|
|
|
RUN_TEST("no rollback", testFirewallNoRollback);
|
|
|
|
RUN_TEST("single rollback", testFirewallSingleRollback);
|
|
|
|
RUN_TEST("many rollback", testFirewallManyRollback);
|
|
|
|
RUN_TEST("chained rollback", testFirewallChainedRollback);
|
|
|
|
RUN_TEST("query transaction", testFirewallQuery);
|
|
|
|
|
|
|
|
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
|
|
|
|
}
|
|
|
|
|
tests: remove firewalld backend tests from virfirewalltest.c
When libvirt added support for firewalld, all iptables/ebtables rules
were added via the firewalld "passthrough" API when firewalld was
enabled (the "firewalld backend"), or run directly by libvirt when
firewalld was disabled (the so-called "direct
backend"). virfirewalltest.c dutifully ran each test twice, once with
the each backend enabled.
But commit b19863640d changed the code to *always* directly run
iptables/ebtables commands, and never use the firewalld passthrough
API, effectively making the direct and firewalld backends identical,
except that when libvirt receives notice that firewalld has restarted
or reloaded its rules, the firewalld backend sends an extra "iptables
-V" command via firewalld's passthrough API (and waits for a response)
prior to running all the rest of the iptables commands directly; this
assures that a newly-restarted firewalld has finished its work on the
filter tables before libvirt starts messing with it. (Because this
code is only executed in response to an event from dbus, it isn't
tested in the unit tests).
In spite of this, we still go through all the virfirewall tests twice
though - once for the direct backend, and once for the firewalld
backend, even though these take the same codepath.
In commit b19863640d I had left this double-testing in thinking that
someday we might go back to actually doing something useful with the
firewalld backend in the course of adding support for native nftables,
but I've now realized that for the case of nftables we will be *even
more* divorced from firewalld, so there is really no point in keeping
this code around any longer. (It's likely/probable that the tests will
be done twice again in the future, but it will be enough different
that it is better to remove this code and re-implement from scratch
when adding the nftables backend, rather than trying to directly
modify the existing code and end up with something even more
confusing).
This patch eliminates all the test duplication in virfirewalltest.c,
including mocking dbus, which is unnecessary since none of the tests
use dbus (for now we ensure that by explicitly setting the virfirewall
backend to DIRECT before any of the tests have run. Eventually the
concept of a "firewalld backend" will disappear completely, but that's
for another patch.)
Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2021-11-14 20:50:26 +00:00
|
|
|
VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virfirewall"))
|
2014-05-01 18:43:58 +00:00
|
|
|
|
|
|
|
#else /* ! defined (__linux__) */
|
|
|
|
|
|
|
|
int main(void)
|
|
|
|
{
|
|
|
|
return EXIT_AM_SKIP;
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif /* ! defined(__linux__) */
|