External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-11-03 20:01:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
f2a781ceb0
libvirt/tests/virfirewalltest.c

1200 lines
39 KiB
C
Raw Normal View History

Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
/*
* Copyright (C) 2013-2014 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*
* Author: Daniel P. Berrange <berrange@redhat.com>
*/
#include <config.h>
#define __VIR_FIREWALL_PRIV_H_ALLOW__
#define __VIR_COMMAND_PRIV_H_ALLOW__
#include "testutils.h"
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 18:43:58 +00:00
#if defined(__linux__)
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 18:43:58 +00:00
# include "virbuffer.h"
# include "vircommandpriv.h"
# include "virfirewallpriv.h"
# include "virmock.h"
# include "virdbuspriv.h"
# define VIR_FROM_THIS VIR_FROM_FIREWALL
# if WITH_DBUS
# include <dbus/dbus.h>
# endif
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
static bool fwDisabled = true;
static virBufferPtr fwBuf;
static bool fwError;
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 18:43:58 +00:00
# define TEST_FILTER_TABLE_LIST \
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
"Chain INPUT (policy ACCEPT)\n" \
"target prot opt source destination\n" \
"\n" \
"Chain FORWARD (policy ACCEPT)\n" \
"target prot opt source destination\n" \
"\n" \
"Chain OUTPUT (policy ACCEPT)\n" \
"target prot opt source destination\n"
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 18:43:58 +00:00
# define TEST_NAT_TABLE_LIST \
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
"Chain PREROUTING (policy ACCEPT)\n" \
"target prot opt source destination\n" \
"\n" \
"Chain INPUT (policy ACCEPT)\n" \
"target prot opt source destination\n" \
"\n" \
"Chain OUTPUT (policy ACCEPT)\n" \
"target prot opt source destination\n" \
"\n" \
"Chain POSTROUTING (policy ACCEPT)\n" \
"target prot opt source destination\n"
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 18:43:58 +00:00
# if WITH_DBUS
tests: Add more test suite mock helpers Rename the VIR_MOCK_IMPL* macros to VIR_MOCK_WRAP* and add new VIR_MOCK_IMPL macros which let you directly implement overrides in the preloaded source. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Jim Fehlig <jfehlig@suse.com>
2014-06-03 11:02:52 +00:00
VIR_MOCK_WRAP_RET_ARGS(dbus_connection_send_with_reply_and_block,
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
DBusMessage *,
DBusConnection *, connection,
DBusMessage *, message,
int, timeout_milliseconds,
DBusError *, error)
{
DBusMessage *reply = NULL;
const char *service = dbus_message_get_destination(message);
const char *member = dbus_message_get_member(message);
size_t i;
size_t nargs = 0;
char **args = NULL;
char *type = NULL;
tests: Add more test suite mock helpers Rename the VIR_MOCK_IMPL* macros to VIR_MOCK_WRAP* and add new VIR_MOCK_IMPL macros which let you directly implement overrides in the preloaded source. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Jim Fehlig <jfehlig@suse.com>
2014-06-03 11:02:52 +00:00
VIR_MOCK_REAL_INIT(dbus_connection_send_with_reply_and_block);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
if (STREQ(service, "org.freedesktop.DBus") &&
STREQ(member, "ListNames")) {
const char *svc1 = "org.foo.bar.wizz";
const char *svc2 = VIR_FIREWALL_FIREWALLD_SERVICE;
DBusMessageIter iter;
DBusMessageIter sub;
reply = dbus_message_new(DBUS_MESSAGE_TYPE_METHOD_RETURN);
dbus_message_iter_init_append(reply, &iter);
dbus_message_iter_open_container(&iter, DBUS_TYPE_ARRAY,
"s", &sub);
if (!dbus_message_iter_append_basic(&sub,
DBUS_TYPE_STRING,
&svc1))
goto error;
if (!fwDisabled &&
!dbus_message_iter_append_basic(&sub,
DBUS_TYPE_STRING,
&svc2))
goto error;
dbus_message_iter_close_container(&iter, &sub);
} else if (STREQ(service, VIR_FIREWALL_FIREWALLD_SERVICE) &&
STREQ(member, "passthrough")) {
bool isAdd = false;
bool doError = false;
if (virDBusMessageDecode(message,
"sa&s",
&type,
&nargs,
&args) < 0)
goto error;
for (i = 0; i < nargs; i++) {
/* Fake failure on the command with this IP addr */
if (STREQ(args[i], "-A")) {
isAdd = true;
} else if (isAdd && STREQ(args[i], "192.168.122.255")) {
doError = true;
}
}
if (fwBuf) {
if (STREQ(type, "ipv4"))
virBufferAddLit(fwBuf, IPTABLES_PATH);
else if (STREQ(type, "ipv4"))
virBufferAddLit(fwBuf, IP6TABLES_PATH);
else
virBufferAddLit(fwBuf, EBTABLES_PATH);
}
for (i = 0; i < nargs; i++) {
if (fwBuf) {
virBufferAddLit(fwBuf, " ");
virBufferEscapeShell(fwBuf, args[i]);
}
}
if (fwBuf)
virBufferAddLit(fwBuf, "\n");
if (doError) {
dbus_set_error_const(error,
"org.firewalld.error",
"something bad happened");
} else {
if (nargs == 1 &&
STREQ(type, "ipv4") &&
STREQ(args[0], "-L")) {
if (virDBusCreateReply(&reply,
"s", TEST_FILTER_TABLE_LIST) < 0)
goto error;
} else if (nargs == 3 &&
STREQ(type, "ipv4") &&
STREQ(args[0], "-t") &&
STREQ(args[1], "nat") &&
STREQ(args[2], "-L")) {
if (virDBusCreateReply(&reply,
"s", TEST_NAT_TABLE_LIST) < 0)
goto error;
} else {
if (virDBusCreateReply(&reply,
"s", "success") < 0)
goto error;
}
}
} else {
reply = dbus_message_new(DBUS_MESSAGE_TYPE_METHOD_RETURN);
}
cleanup:
VIR_FREE(type);
for (i = 0; i < nargs; i++)
VIR_FREE(args[i]);
VIR_FREE(args);
return reply;
error:
dbus: Don't unref NULL messages Apparently we are not the only ones with dumb free functions because dbus_message_unref() does not accept NULL either. But if I were to vote, this one is even more evil. Instead of returning an error just like we do it immediately dereference any pointer passed and thus crash you app. Well done DBus! Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7f878ebda700 (LWP 31264)] 0x00007f87be4016e5 in ?? () from /usr/lib64/libdbus-1.so.3 (gdb) bt #0 0x00007f87be4016e5 in ?? () from /usr/lib64/libdbus-1.so.3 #1 0x00007f87be3f004e in dbus_message_unref () from /usr/lib64/libdbus-1.so.3 #2 0x00007f87bf6ecf95 in virSystemdGetMachineNameByPID (pid=9849) at util/virsystemd.c:228 #3 0x00007f879761bd4d in qemuConnectCgroup (driver=0x7f87600a32a0, vm=0x7f87600c7550) at qemu/qemu_cgroup.c:909 #4 0x00007f87976386b7 in qemuProcessReconnect (opaque=0x7f87600db840) at qemu/qemu_process.c:3386 #5 0x00007f87bf6edfff in virThreadHelper (data=0x7f87600d5580) at util/virthread.c:206 #6 0x00007f87bb602334 in start_thread (arg=0x7f878ebda700) at pthread_create.c:333 #7 0x00007f87bb3481bd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109 (gdb) frame 2 #2 0x00007f87bf6ecf95 in virSystemdGetMachineNameByPID (pid=9849) at util/virsystemd.c:228 228 dbus_message_unref(reply); (gdb) p reply $1 = (DBusMessage *) 0x0 Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-02-11 10:14:11 +00:00
virDBusMessageUnref(reply);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
reply = NULL;
if (error && !dbus_error_is_set(error))
dbus_set_error_const(error,
"org.firewalld.error",
"something unexpected happened");
goto cleanup;
}
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 18:43:58 +00:00
# endif
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
struct testFirewallData {
virFirewallBackend tryBackend;
virFirewallBackend expectBackend;
bool fwDisabled;
};
static int
testFirewallSingleGroup(const void *opaque)
{
virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
virFirewallPtr fw = NULL;
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT)
virCommandSetDryRun(&cmdbuf, NULL, NULL);
else
fwBuf = &cmdbuf;
fw = virFirewallNew();
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
if (virFirewallApply(fw) < 0)
goto cleanup;
if (virBufferError(&cmdbuf))
goto cleanup;
actual = virBufferCurrentContent(&cmdbuf);
if (STRNEQ_NULLABLE(expected, actual)) {
fprintf(stderr, "Unexected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 15:01:51 +00:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
goto cleanup;
}
ret = 0;
cleanup:
virBufferFreeAndReset(&cmdbuf);
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
virFirewallFree(fw);
return ret;
}
static int
testFirewallRemoveRule(const void *opaque)
{
virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
virFirewallPtr fw = NULL;
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
const struct testFirewallData *data = opaque;
virFirewallRulePtr fwrule;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT)
virCommandSetDryRun(&cmdbuf, NULL, NULL);
else
fwBuf = &cmdbuf;
fw = virFirewallNew();
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", NULL);
virFirewallRuleAddArg(fw, fwrule, "--source-host");
virFirewallRemoveRule(fw, fwrule);
fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT", NULL);
virFirewallRuleAddArg(fw, fwrule, "--source-host");
virFirewallRuleAddArgFormat(fw, fwrule, "%s", "!192.168.122.1");
virFirewallRuleAddArgList(fw, fwrule, "--jump", "REJECT", NULL);
if (virFirewallApply(fw) < 0)
goto cleanup;
if (virBufferError(&cmdbuf))
goto cleanup;
actual = virBufferCurrentContent(&cmdbuf);
if (STRNEQ_NULLABLE(expected, actual)) {
fprintf(stderr, "Unexected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 15:01:51 +00:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
goto cleanup;
}
ret = 0;
cleanup:
virBufferFreeAndReset(&cmdbuf);
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
virFirewallFree(fw);
return ret;
}
static int
testFirewallManyGroups(const void *opaque ATTRIBUTE_UNUSED)
{
virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
virFirewallPtr fw = NULL;
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n"
IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A OUTPUT --jump DROP\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT)
virCommandSetDryRun(&cmdbuf, NULL, NULL);
else
fwBuf = &cmdbuf;
fw = virFirewallNew();
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--jump", "DROP", NULL);
if (virFirewallApply(fw) < 0)
goto cleanup;
if (virBufferError(&cmdbuf))
goto cleanup;
actual = virBufferCurrentContent(&cmdbuf);
if (STRNEQ_NULLABLE(expected, actual)) {
fprintf(stderr, "Unexected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 15:01:51 +00:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
goto cleanup;
}
ret = 0;
cleanup:
virBufferFreeAndReset(&cmdbuf);
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
virFirewallFree(fw);
return ret;
}
static void
testFirewallRollbackHook(const char *const*args,
const char *const*env ATTRIBUTE_UNUSED,
const char *input ATTRIBUTE_UNUSED,
char **output ATTRIBUTE_UNUSED,
char **error ATTRIBUTE_UNUSED,
int *status,
void *opaque ATTRIBUTE_UNUSED)
{
bool isAdd = false;
while (*args) {
/* Fake failure on the command with this IP addr */
if (STREQ(*args, "-A")) {
isAdd = true;
} else if (isAdd && STREQ(*args, "192.168.122.255")) {
*status = 127;
break;
}
args++;
}
}
static int
testFirewallIgnoreFailGroup(const void *opaque ATTRIBUTE_UNUSED)
{
virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
virFirewallPtr fw = NULL;
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A OUTPUT --jump DROP\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
} else {
fwBuf = &cmdbuf;
fwError = true;
}
fw = virFirewallNew();
virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--jump", "DROP", NULL);
if (virFirewallApply(fw) < 0)
goto cleanup;
if (virBufferError(&cmdbuf))
goto cleanup;
actual = virBufferCurrentContent(&cmdbuf);
if (STRNEQ_NULLABLE(expected, actual)) {
fprintf(stderr, "Unexected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 15:01:51 +00:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
goto cleanup;
}
ret = 0;
cleanup:
virBufferFreeAndReset(&cmdbuf);
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
virFirewallFree(fw);
return ret;
}
static int
testFirewallIgnoreFailRule(const void *opaque ATTRIBUTE_UNUSED)
{
virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
virFirewallPtr fw = NULL;
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A OUTPUT --jump DROP\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
} else {
fwBuf = &cmdbuf;
fwError = true;
}
fw = virFirewallNew();
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
true, NULL, NULL,
"-A", "INPUT",
"--source-host", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "OUTPUT",
"--jump", "DROP", NULL);
if (virFirewallApply(fw) < 0)
goto cleanup;
if (virBufferError(&cmdbuf))
goto cleanup;
actual = virBufferCurrentContent(&cmdbuf);
if (STRNEQ_NULLABLE(expected, actual)) {
fprintf(stderr, "Unexected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 15:01:51 +00:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
goto cleanup;
}
ret = 0;
cleanup:
virBufferFreeAndReset(&cmdbuf);
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
virFirewallFree(fw);
return ret;
}
static int
testFirewallNoRollback(const void *opaque ATTRIBUTE_UNUSED)
{
virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
virFirewallPtr fw = NULL;
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
} else {
fwBuf = &cmdbuf;
fwError = true;
}
fw = virFirewallNew();
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
goto cleanup;
}
tests: Rename virtTest00MActive to virTest00MActive. This function doesn't follow our convention of naming functions.
2016-05-26 15:01:56 +00:00
if (virTestOOMActive())
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
goto cleanup;
if (virBufferError(&cmdbuf))
goto cleanup;
actual = virBufferCurrentContent(&cmdbuf);
if (STRNEQ_NULLABLE(expected, actual)) {
fprintf(stderr, "Unexected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 15:01:51 +00:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
goto cleanup;
}
ret = 0;
cleanup:
virBufferFreeAndReset(&cmdbuf);
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
virFirewallFree(fw);
return ret;
}
static int
testFirewallSingleRollback(const void *opaque ATTRIBUTE_UNUSED)
{
virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
virFirewallPtr fw = NULL;
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
IPTABLES_PATH " -D INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
} else {
fwError = true;
fwBuf = &cmdbuf;
}
fw = virFirewallNew();
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
goto cleanup;
}
tests: Rename virtTest00MActive to virTest00MActive. This function doesn't follow our convention of naming functions.
2016-05-26 15:01:56 +00:00
if (virTestOOMActive())
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
goto cleanup;
if (virBufferError(&cmdbuf))
goto cleanup;
actual = virBufferCurrentContent(&cmdbuf);
if (STRNEQ_NULLABLE(expected, actual)) {
fprintf(stderr, "Unexected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 15:01:51 +00:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
goto cleanup;
}
ret = 0;
cleanup:
virBufferFreeAndReset(&cmdbuf);
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
virFirewallFree(fw);
return ret;
}
static int
testFirewallManyRollback(const void *opaque ATTRIBUTE_UNUSED)
{
virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
virFirewallPtr fw = NULL;
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
} else {
fwBuf = &cmdbuf;
fwError = true;
}
fw = virFirewallNew();
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
goto cleanup;
}
tests: Rename virtTest00MActive to virTest00MActive. This function doesn't follow our convention of naming functions.
2016-05-26 15:01:56 +00:00
if (virTestOOMActive())
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
goto cleanup;
if (virBufferError(&cmdbuf))
goto cleanup;
actual = virBufferCurrentContent(&cmdbuf);
if (STRNEQ_NULLABLE(expected, actual)) {
fprintf(stderr, "Unexected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 15:01:51 +00:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
goto cleanup;
}
ret = 0;
cleanup:
virBufferFreeAndReset(&cmdbuf);
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
virFirewallFree(fw);
return ret;
}
static int
testFirewallChainedRollback(const void *opaque ATTRIBUTE_UNUSED)
{
virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
virFirewallPtr fw = NULL;
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.127 --jump REJECT\n"
IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
IPTABLES_PATH " -D INPUT --source-host 192.168.122.127 --jump REJECT\n"
IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n"
IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
const struct testFirewallData *data = opaque;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL);
} else {
fwBuf = &cmdbuf;
fwError = true;
}
fw = virFirewallNew();
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.127",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallStartRollback(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "192.168.122.127",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
virFirewallStartRollback(fw, VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "192.168.122.255",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-D", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
if (virFirewallApply(fw) == 0) {
fprintf(stderr, "Firewall apply unexpectedly worked\n");
goto cleanup;
}
tests: Rename virtTest00MActive to virTest00MActive. This function doesn't follow our convention of naming functions.
2016-05-26 15:01:56 +00:00
if (virTestOOMActive())
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
goto cleanup;
if (virBufferError(&cmdbuf))
goto cleanup;
actual = virBufferCurrentContent(&cmdbuf);
if (STRNEQ_NULLABLE(expected, actual)) {
fprintf(stderr, "Unexected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 15:01:51 +00:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
goto cleanup;
}
ret = 0;
cleanup:
virBufferFreeAndReset(&cmdbuf);
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
virFirewallFree(fw);
return ret;
}
static const char *expectedLines[] = {
"Chain INPUT (policy ACCEPT)",
"target prot opt source destination",
"",
"Chain FORWARD (policy ACCEPT)",
"target prot opt source destination",
"",
"Chain OUTPUT (policy ACCEPT)",
"target prot opt source destination",
"",
"Chain PREROUTING (policy ACCEPT)",
"target prot opt source destination",
"",
"Chain INPUT (policy ACCEPT)",
"target prot opt source destination",
"",
"Chain OUTPUT (policy ACCEPT)",
"target prot opt source destination",
"",
"Chain POSTROUTING (policy ACCEPT)",
"target prot opt source destination",
"",
};
static size_t expectedLineNum;
static bool expectedLineError;
static void
testFirewallQueryHook(const char *const*args,
const char *const*env ATTRIBUTE_UNUSED,
const char *input ATTRIBUTE_UNUSED,
char **output,
char **error ATTRIBUTE_UNUSED,
int *status,
void *opaque ATTRIBUTE_UNUSED)
{
if (STREQ(args[0], IPTABLES_PATH) &&
STREQ(args[1], "-L")) {
if (VIR_STRDUP(*output, TEST_FILTER_TABLE_LIST) < 0)
*status = 127;
} else if (STREQ(args[0], IPTABLES_PATH) &&
STREQ(args[1], "-t") &&
STREQ(args[2], "nat") &&
STREQ(args[3], "-L")) {
if (VIR_STRDUP(*output, TEST_NAT_TABLE_LIST) < 0)
*status = 127;
}
}
static int
testFirewallQueryCallback(virFirewallPtr fw,
const char *const *lines,
void *opaque ATTRIBUTE_UNUSED)
{
size_t i;
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "!192.168.122.129",
"--jump", "REJECT", NULL);
for (i = 0; lines[i] != NULL; i++) {
if (expectedLineNum >= ARRAY_CARDINALITY(expectedLines)) {
expectedLineError = true;
break;
}
if (STRNEQ(expectedLines[expectedLineNum], lines[i])) {
fprintf(stderr, "Mismatch '%s' vs '%s' at %zu, %zu\n",
expectedLines[expectedLineNum], lines[i],
expectedLineNum, i);
expectedLineError = true;
break;
}
expectedLineNum++;
}
return 0;
}
static int
testFirewallQuery(const void *opaque ATTRIBUTE_UNUSED)
{
virBuffer cmdbuf = VIR_BUFFER_INITIALIZER;
virFirewallPtr fw = NULL;
int ret = -1;
const char *actual = NULL;
const char *expected =
IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.127 --jump REJECT\n"
IPTABLES_PATH " -L\n"
IPTABLES_PATH " -t nat -L\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.130 --jump REJECT\n"
IPTABLES_PATH " -A INPUT --source-host '!192.168.122.129' --jump REJECT\n"
IPTABLES_PATH " -A INPUT --source-host '!192.168.122.129' --jump REJECT\n"
IPTABLES_PATH " -A INPUT --source-host 192.168.122.128 --jump REJECT\n"
IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
const struct testFirewallData *data = opaque;
expectedLineNum = 0;
expectedLineError = false;
fwDisabled = data->fwDisabled;
if (virFirewallSetBackend(data->tryBackend) < 0)
goto cleanup;
if (data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT) {
virCommandSetDryRun(&cmdbuf, testFirewallQueryHook, NULL);
} else {
fwBuf = &cmdbuf;
fwError = true;
}
fw = virFirewallNew();
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.1",
"--jump", "ACCEPT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.127",
"--jump", "REJECT", NULL);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
false,
testFirewallQueryCallback,
NULL,
"-L", NULL);
virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
false,
testFirewallQueryCallback,
NULL,
"-t", "nat", "-L", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.130",
"--jump", "REJECT", NULL);
virFirewallStartTransaction(fw, 0);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "192.168.122.128",
"--jump", "REJECT", NULL);
virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
"-A", "INPUT",
"--source-host", "!192.168.122.1",
"--jump", "REJECT", NULL);
if (virFirewallApply(fw) < 0)
goto cleanup;
if (virBufferError(&cmdbuf))
goto cleanup;
actual = virBufferCurrentContent(&cmdbuf);
if (expectedLineError) {
fprintf(stderr, "Got some unexpected query data\n");
goto cleanup;
}
if (STRNEQ_NULLABLE(expected, actual)) {
fprintf(stderr, "Unexected command execution\n");
Rename virtTestDifference to virTestDifference. This function doesn't follow our convention of naming functions.
2016-05-26 15:01:51 +00:00
virTestDifference(stderr, expected, actual);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
goto cleanup;
}
ret = 0;
cleanup:
virBufferFreeAndReset(&cmdbuf);
fwBuf = NULL;
virCommandSetDryRun(NULL, NULL, NULL);
virFirewallFree(fw);
return ret;
}
static int
mymain(void)
{
int ret = 0;
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 18:43:58 +00:00
# define RUN_TEST_DIRECT(name, method) \
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
do { \
struct testFirewallData data; \
data.tryBackend = VIR_FIREWALL_BACKEND_AUTOMATIC; \
data.expectBackend = VIR_FIREWALL_BACKEND_DIRECT; \
data.fwDisabled = true; \
tests: Rename virtTestRun to virTestRun. This function doesn't follow our convention of naming functions.
2016-05-26 15:01:50 +00:00
if (virTestRun(name " auto direct", method, &data) < 0) \
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
ret = -1; \
data.tryBackend = VIR_FIREWALL_BACKEND_DIRECT; \
data.expectBackend = VIR_FIREWALL_BACKEND_DIRECT; \
data.fwDisabled = true; \
tests: Rename virtTestRun to virTestRun. This function doesn't follow our convention of naming functions.
2016-05-26 15:01:50 +00:00
if (virTestRun(name " manual direct", method, &data) < 0) \
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
ret = -1; \
} while (0)
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 18:43:58 +00:00
# if WITH_DBUS
# define RUN_TEST_FIREWALLD(name, method) \
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
do { \
struct testFirewallData data; \
data.tryBackend = VIR_FIREWALL_BACKEND_AUTOMATIC; \
data.expectBackend = VIR_FIREWALL_BACKEND_FIREWALLD; \
data.fwDisabled = false; \
tests: Rename virtTestRun to virTestRun. This function doesn't follow our convention of naming functions.
2016-05-26 15:01:50 +00:00
if (virTestRun(name " auto firewalld", method, &data) < 0) \
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
ret = -1; \
data.tryBackend = VIR_FIREWALL_BACKEND_FIREWALLD; \
data.expectBackend = VIR_FIREWALL_BACKEND_FIREWALLD; \
data.fwDisabled = false; \
tests: Rename virtTestRun to virTestRun. This function doesn't follow our convention of naming functions.
2016-05-26 15:01:50 +00:00
if (virTestRun(name " manual firewalld", method, &data) < 0) \
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
ret = -1; \
} while (0)
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 18:43:58 +00:00
# define RUN_TEST(name, method) \
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
RUN_TEST_DIRECT(name, method); \
RUN_TEST_FIREWALLD(name, method)
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 18:43:58 +00:00
# else /* ! WITH_DBUS */
# define RUN_TEST(name, method) \
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
RUN_TEST_DIRECT(name, method)
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 18:43:58 +00:00
# endif /* ! WITH_DBUS */
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
tests: Set up two more overrides for root builders There are two more places after commit 3865941b that need to be adapted in order to get rid of some test failures when building as root. Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-12-23 05:10:55 +00:00
virFirewallSetLockOverride(true);
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
RUN_TEST("single group", testFirewallSingleGroup);
RUN_TEST("remove rule", testFirewallRemoveRule);
RUN_TEST("many groups", testFirewallManyGroups);
RUN_TEST("ignore fail group", testFirewallIgnoreFailGroup);
RUN_TEST("ignore fail rule", testFirewallIgnoreFailRule);
RUN_TEST("no rollback", testFirewallNoRollback);
RUN_TEST("single rollback", testFirewallSingleRollback);
RUN_TEST("many rollback", testFirewallManyRollback);
RUN_TEST("chained rollback", testFirewallChainedRollback);
RUN_TEST("query transaction", testFirewallQuery);
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 18:43:58 +00:00
# if WITH_DBUS
tests: Rename virmockdbus -> virdbusmock for consistency All mock libraries were called vir*mock except for this one; now the naming is consistent across the board.
2016-02-11 13:08:11 +00:00
VIRT_TEST_MAIN_PRELOAD(mymain, abs_builddir "/.libs/virdbusmock.so")
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 18:43:58 +00:00
# else
Introduce an object for managing firewall rulesets The network and nwfilter drivers both have a need to update firewall rules. The currently share no code for interacting with iptables / firewalld. The nwfilter driver is fairly tied to the concept of creating shell scripts to execute which makes it very hard to port to talk to firewalld via DBus APIs. This patch introduces a virFirewallPtr object which is able to represent a complete sequence of rule changes, with the ability to have multiple transactional checkpoints with rollbacks. By formally separating the definition of the rules to be applied from the mechanism used to apply them, it is also possible to write a firewall engine that uses firewalld DBus APIs natively instead of via the slow firewalld-cmd. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-03-04 16:30:40 +00:00
VIRT_TEST_MAIN(mymain)
tests: skip virfirewalltest on non-Linux systems Currently firewalling is supported on Linux only, so skip the virfirewalltest on other platforms.
2014-05-01 18:43:58 +00:00
# endif
#else /* ! defined (__linux__) */
int main(void)
{
return EXIT_AM_SKIP;
}
#endif /* ! defined(__linux__) */
Reference in New Issue Copy Permalink