From 20512b8436fb602f3d9048ef5f4b686c542b2369 Mon Sep 17 00:00:00 2001 From: "Daniel P. Berrange" Date: Thu, 20 Mar 2014 10:30:44 +0000 Subject: [PATCH] Add test for converting network XML to iptables rules Using the virCommand dry run capability, capture iptables rules created by various network XML documents. Signed-off-by: Daniel P. Berrange --- tests/Makefile.am | 17 +- .../nat-default-linux.args | 30 ++++ tests/networkxml2firewalldata/nat-default.xml | 10 ++ .../nat-ipv6-linux.args | 44 +++++ tests/networkxml2firewalldata/nat-ipv6.xml | 15 ++ .../nat-many-ips-linux.args | 58 +++++++ .../networkxml2firewalldata/nat-many-ips.xml | 12 ++ .../nat-no-dhcp-linux.args | 42 +++++ tests/networkxml2firewalldata/nat-no-dhcp.xml | 7 + .../nat-tftp-linux.args | 32 ++++ tests/networkxml2firewalldata/nat-tftp.xml | 11 ++ .../route-default-linux.args | 20 +++ .../networkxml2firewalldata/route-default.xml | 10 ++ tests/networkxml2firewalltest.c | 163 ++++++++++++++++++ tests/testutils.c | 51 ++++++ tests/testutils.h | 2 + 16 files changed, 522 insertions(+), 2 deletions(-) create mode 100644 tests/networkxml2firewalldata/nat-default-linux.args create mode 100644 tests/networkxml2firewalldata/nat-default.xml create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.args create mode 100644 tests/networkxml2firewalldata/nat-ipv6.xml create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.args create mode 100644 tests/networkxml2firewalldata/nat-many-ips.xml create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.args create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp.xml create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.args create mode 100644 tests/networkxml2firewalldata/nat-tftp.xml create mode 100644 tests/networkxml2firewalldata/route-default-linux.args create mode 100644 tests/networkxml2firewalldata/route-default.xml create mode 100644 tests/networkxml2firewalltest.c 
diff --git a/tests/Makefile.am b/tests/Makefile.am index 19c1efcabf..bda3632742 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -91,6 +91,7 @@ EXTRA_DIST = \ networkxml2confdata \ networkxml2xmlupdatein \ networkxml2xmlupdateout \ + networkxml2firewalldata \ nodedevschemadata \ nodedevschematest \ nodeinfodata \ @@ -253,10 +254,16 @@ if WITH_YAJL test_programs += jsontest endif WITH_YAJL -test_programs += networkxml2xmltest networkxml2xmlupdatetest +test_programs += \ + networkxml2xmltest \ + networkxml2xmlupdatetest \ + $(NULL) if WITH_NETWORK -test_programs += networkxml2conftest +test_programs += \ + networkxml2conftest \ + networkxml2firewalltest \ + $(NULL) endif WITH_NETWORK if WITH_STORAGE_SHEEPDOG @@ -664,6 +671,12 @@ networkxml2conftest_SOURCES = \ networkxml2conftest.c \ testutils.c testutils.h networkxml2conftest_LDADD = ../src/libvirt_driver_network_impl.la $(LDADDS) + +networkxml2firewalltest_SOURCES = \ + networkxml2firewalltest.c \ + testutils.c testutils.h +networkxml2firewalltest_LDADD = ../src/libvirt_driver_network_impl.la $(LDADDS) + else ! WITH_NETWORK EXTRA_DIST += networkxml2conftest.c endif ! WITH_NETWORK diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.args new file mode 100644 index 0000000000..b92a84528f --- /dev/null +++ b/tests/networkxml2firewalldata/nat-default-linux.args 
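Review bot: The `else ! WITH_NETWORK` branch in the third Makefile.am hunk still lists only `networkxml2conftest.c` in EXTRA_DIST, so a distribution tarball produced from a tree configured without network support drops the new test source; change that line to `EXTRA_DIST += networkxml2conftest.c networkxml2firewalltest.c`. The new `_SOURCES` and `_LDADD` lines mirror the networkxml2conftest ones and the first hunk adds the data directory to EXTRA_DIST, so the remaining build wiring looks complete.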
@@ -0,0 +1,30 @@ +iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 67 --jump ACCEPT +iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 67 --jump ACCEPT +iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \ +--destination-port 68 --jump ACCEPT +iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 53 --jump ACCEPT +iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 53 --jump ACCEPT +iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT +iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT +iptables --table filter --insert FORWARD --in-interface virbr0 \ +--out-interface virbr0 --jump ACCEPT +iptables --table filter --insert FORWARD --source 192.168.122.0/24 \ +--in-interface virbr0 --jump ACCEPT +iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \ +--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \ +--destination 192.168.122.0/24 --jump MASQUERADE +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 255.255.255.255/32 --jump RETURN +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 224.0.0.0/24 --jump RETURN +iptables --table mangle --insert POSTROUTING --out-interface virbr0 \ +--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill 
diff --git a/tests/networkxml2firewalldata/nat-default.xml b/tests/networkxml2firewalldata/nat-default.xml new file mode 100644 index 0000000000..d7241d0c16 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-default.xml @@ -0,0 +1,10 @@ + + default + + + + + + + + diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.args new file mode 100644 index 0000000000..2fae0db542 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args 
@@ -0,0 +1,44 @@ +iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 67 --jump ACCEPT +iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 67 --jump ACCEPT +iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \ +--destination-port 68 --jump ACCEPT +iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 53 --jump ACCEPT +iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 53 --jump ACCEPT +iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT +iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT +iptables --table filter --insert FORWARD --in-interface virbr0 \ +--out-interface virbr0 --jump ACCEPT +ip6tables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT +ip6tables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT +ip6tables --table filter --insert FORWARD --in-interface virbr0 \ +--out-interface virbr0 --jump ACCEPT +ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 53 --jump ACCEPT +ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 53 --jump ACCEPT +ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 547 --jump ACCEPT +iptables --table filter --insert FORWARD --source 192.168.122.0/24 \ +--in-interface virbr0 --jump ACCEPT +iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \ +--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \ +--destination 192.168.122.0/24 --jump MASQUERADE +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p udp '!' 
--destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 255.255.255.255/32 --jump RETURN +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 224.0.0.0/24 --jump RETURN +ip6tables --table filter --insert FORWARD --source 2001:db8:ca2:2::/64 \ +--in-interface virbr0 --jump ACCEPT +ip6tables --table filter --insert FORWARD --destination 2001:db8:ca2:2::/64 \ +--out-interface virbr0 --jump ACCEPT +iptables --table mangle --insert POSTROUTING --out-interface virbr0 \ +--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill diff --git a/tests/networkxml2firewalldata/nat-ipv6.xml b/tests/networkxml2firewalldata/nat-ipv6.xml new file mode 100644 index 0000000000..337e71de20 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6.xml @@ -0,0 +1,15 @@ + + default + + + + + + + + + + + + + diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.args new file mode 100644 index 0000000000..8e8923dadf --- /dev/null +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args 
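Review bot: The nat-ipv6 fixture pins an asymmetry that nothing in the commit explains: the inbound FORWARD rule for the IPv6 prefix is `ip6tables --table filter --insert FORWARD --destination 2001:db8:ca2:2::/64 --out-interface virbr0 --jump ACCEPT` with no conntrack match, while the IPv4 counterpart a few lines above carries `--match conntrack --ctstate ESTABLISHED,RELATED`, i.e. the IPv6 side of a `nat` network is treated like the route-default case. If that is the intended behaviour (IPv6 is routed, never masqueraded), it deserves a sentence in the header comment of networkxml2firewalltest.c, since the `.args` files are compared byte-for-byte with STRNEQ and cannot carry a comment themselves. The same pattern recurs in the nat-no-dhcp fixture.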
@@ -0,0 +1,58 @@ +iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 67 --jump ACCEPT +iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 67 --jump ACCEPT +iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \ +--destination-port 68 --jump ACCEPT +iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 53 --jump ACCEPT +iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 53 --jump ACCEPT +iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT +iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT +iptables --table filter --insert FORWARD --in-interface virbr0 \ +--out-interface virbr0 --jump ACCEPT +iptables --table filter --insert FORWARD --source 192.168.122.0/24 \ +--in-interface virbr0 --jump ACCEPT +iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \ +--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \ +--destination 192.168.122.0/24 --jump MASQUERADE +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p tcp '!' 
--destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 255.255.255.255/32 --jump RETURN +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 224.0.0.0/24 --jump RETURN +iptables --table filter --insert FORWARD --source 192.168.128.0/24 \ +--in-interface virbr0 --jump ACCEPT +iptables --table filter --insert FORWARD --destination 192.168.128.0/24 \ +--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT +iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 '!' \ +--destination 192.168.128.0/24 --jump MASQUERADE +iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \ +-p udp '!' --destination 192.168.128.0/24 --jump MASQUERADE --to-ports 1024-65535 +iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \ +-p tcp '!' --destination 192.168.128.0/24 --jump MASQUERADE --to-ports 1024-65535 +iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \ +--destination 255.255.255.255/32 --jump RETURN +iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \ +--destination 224.0.0.0/24 --jump RETURN +iptables --table filter --insert FORWARD --source 192.168.150.0/24 \ +--in-interface virbr0 --jump ACCEPT +iptables --table filter --insert FORWARD --destination 192.168.150.0/24 \ +--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT +iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 '!' \ +--destination 192.168.150.0/24 --jump MASQUERADE +iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \ +-p udp '!' --destination 192.168.150.0/24 --jump MASQUERADE --to-ports 1024-65535 +iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \ +-p tcp '!' 
--destination 192.168.150.0/24 --jump MASQUERADE --to-ports 1024-65535 +iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \ +--destination 255.255.255.255/32 --jump RETURN +iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \ +--destination 224.0.0.0/24 --jump RETURN +iptables --table mangle --insert POSTROUTING --out-interface virbr0 \ +--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill diff --git a/tests/networkxml2firewalldata/nat-many-ips.xml b/tests/networkxml2firewalldata/nat-many-ips.xml new file mode 100644 index 0000000000..0c8dcff30d --- /dev/null +++ b/tests/networkxml2firewalldata/nat-many-ips.xml @@ -0,0 +1,12 @@ + + default + + + + + + + + + + diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args new file mode 100644 index 0000000000..e6635f0ad7 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args 
@@ -0,0 +1,42 @@ +iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 67 --jump ACCEPT +iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 67 --jump ACCEPT +iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \ +--destination-port 68 --jump ACCEPT +iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 53 --jump ACCEPT +iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 53 --jump ACCEPT +iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT +iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT +iptables --table filter --insert FORWARD --in-interface virbr0 \ +--out-interface virbr0 --jump ACCEPT +ip6tables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT +ip6tables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT +ip6tables --table filter --insert FORWARD --in-interface virbr0 \ +--out-interface virbr0 --jump ACCEPT +ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 53 --jump ACCEPT +ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 53 --jump ACCEPT +ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 547 --jump ACCEPT +iptables --table filter --insert FORWARD --source 192.168.122.0/24 \ +--in-interface virbr0 --jump ACCEPT +iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \ +--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \ +--destination 192.168.122.0/24 --jump MASQUERADE +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p udp '!' 
--destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 255.255.255.255/32 --jump RETURN +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 224.0.0.0/24 --jump RETURN +ip6tables --table filter --insert FORWARD --source 2001:db8:ca2:2::/64 \ +--in-interface virbr0 --jump ACCEPT +ip6tables --table filter --insert FORWARD --destination 2001:db8:ca2:2::/64 \ +--out-interface virbr0 --jump ACCEPT diff --git a/tests/networkxml2firewalldata/nat-no-dhcp.xml b/tests/networkxml2firewalldata/nat-no-dhcp.xml new file mode 100644 index 0000000000..0bccd1da48 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-no-dhcp.xml @@ -0,0 +1,7 @@ + + default + + + + + diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.args new file mode 100644 index 0000000000..2eac1e0668 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args 
@@ -0,0 +1,32 @@ +iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 67 --jump ACCEPT +iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 67 --jump ACCEPT +iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \ +--destination-port 68 --jump ACCEPT +iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 53 --jump ACCEPT +iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 53 --jump ACCEPT +iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 69 --jump ACCEPT +iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT +iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT +iptables --table filter --insert FORWARD --in-interface virbr0 \ +--out-interface virbr0 --jump ACCEPT +iptables --table filter --insert FORWARD --source 192.168.122.0/24 \ +--in-interface virbr0 --jump ACCEPT +iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \ +--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \ +--destination 192.168.122.0/24 --jump MASQUERADE +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p tcp '!' 
--destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 255.255.255.255/32 --jump RETURN +iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 224.0.0.0/24 --jump RETURN +iptables --table mangle --insert POSTROUTING --out-interface virbr0 \ +--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill diff --git a/tests/networkxml2firewalldata/nat-tftp.xml b/tests/networkxml2firewalldata/nat-tftp.xml new file mode 100644 index 0000000000..17e8e0a4a1 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-tftp.xml @@ -0,0 +1,11 @@ + + default + + + + + + + + + diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.args new file mode 100644 index 0000000000..2ebef08fe2 --- /dev/null +++ b/tests/networkxml2firewalldata/route-default-linux.args 
@@ -0,0 +1,20 @@ +iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 67 --jump ACCEPT +iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 67 --jump ACCEPT +iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \ +--destination-port 68 --jump ACCEPT +iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 53 --jump ACCEPT +iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 53 --jump ACCEPT +iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT +iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT +iptables --table filter --insert FORWARD --in-interface virbr0 \ +--out-interface virbr0 --jump ACCEPT +iptables --table filter --insert FORWARD --source 192.168.122.0/24 \ +--in-interface virbr0 --jump ACCEPT +iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \ +--out-interface virbr0 --jump ACCEPT +iptables --table mangle --insert POSTROUTING --out-interface virbr0 \ +--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill diff --git a/tests/networkxml2firewalldata/route-default.xml b/tests/networkxml2firewalldata/route-default.xml new file mode 100644 index 0000000000..3bc7bb98fa --- /dev/null +++ b/tests/networkxml2firewalldata/route-default.xml @@ -0,0 +1,10 @@ + + default + + + + + + + + diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c new file mode 100644 index 0000000000..9255e0149c --- /dev/null +++ b/tests/networkxml2firewalltest.c 
@@ -0,0 +1,163 @@ +/* + * networkxml2firewalltest.c: Test iptables rule generation + * + * Copyright (C) 2014 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + * + */ + +#include + +#if defined (__linux__) + +# include "testutils.h" +# include "network/bridge_driver_platform.h" +# include "virbuffer.h" + +# define __VIR_FIREWALL_PRIV_H_ALLOW__ +# include "virfirewallpriv.h" + +# define __VIR_COMMAND_PRIV_H_ALLOW__ +# include "vircommandpriv.h" + +# define VIR_FROM_THIS VIR_FROM_NONE + +static const char *abs_top_srcdir; + +# ifdef __linux__ +# define RULESTYPE "linux" +# else +# error "test case not ported to this platform" +# endif + +static int testCompareXMLToArgvFiles(const char *xml, + const char *cmdline) +{ + char *expectargv = NULL; + int len; + char *actualargv = NULL; + virBuffer buf = VIR_BUFFER_INITIALIZER; + virNetworkDefPtr def = NULL; + int ret = -1; + + virCommandSetDryRun(&buf, NULL, NULL); + + if (!(def = virNetworkDefParseFile(xml))) + goto cleanup; + + if (networkAddFirewallRules(def) < 0) + goto cleanup; + + if (virBufferError(&buf)) + goto cleanup; + + actualargv = virBufferContentAndReset(&buf); + virtTestClearCommandPath(actualargv); + virCommandSetDryRun(NULL, NULL, NULL); + + len = virtTestLoadFile(cmdline, &expectargv); + if (len < 0) + goto cleanup; + + if (STRNEQ(expectargv, actualargv)) { + virtTestDifference(stderr, 
expectargv, actualargv); + goto cleanup; + } + + ret = 0; + + cleanup: + virBufferFreeAndReset(&buf); + VIR_FREE(expectargv); + VIR_FREE(actualargv); + virNetworkDefFree(def); + return ret; +} + +struct testInfo { + const char *name; +}; + + +static int +testCompareXMLToIPTablesHelper(const void *data) +{ + int result = -1; + const struct testInfo *info = data; + char *xml = NULL; + char *args = NULL; + + if (virAsprintf(&xml, "%s/networkxml2firewalldata/%s.xml", + abs_srcdir, info->name) < 0 || + virAsprintf(&args, "%s/networkxml2firewalldata/%s-%s.args", + abs_srcdir, info->name, RULESTYPE) < 0) + goto cleanup; + + result = testCompareXMLToArgvFiles(xml, args); + + cleanup: + VIR_FREE(xml); + VIR_FREE(args); + return result; +} + + +static int +mymain(void) +{ + int ret = 0; + + abs_top_srcdir = getenv("abs_top_srcdir"); + if (!abs_top_srcdir) + abs_top_srcdir = abs_srcdir "/.."; + +# define DO_TEST(name) \ + do { \ + static struct testInfo info = { \ + name, \ + }; \ + if (virtTestRun("Network XML-2-iptables " name, \ + testCompareXMLToIPTablesHelper, &info) < 0) \ + ret = -1; \ + } while (0) + + if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) { + ret = -1; + goto cleanup; + } + + DO_TEST("nat-default"); + DO_TEST("nat-tftp"); + DO_TEST("nat-many-ips"); + DO_TEST("nat-no-dhcp"); + DO_TEST("nat-ipv6"); + DO_TEST("route-default"); + DO_TEST("route-default"); + + cleanup: + return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE; +} + +VIRT_TEST_MAIN(mymain) + +#else /* ! defined (__linux__) */ + +int main(void) +{ + return EXIT_AM_SKIP; +} + +#endif /* ! defined (__linux__) */ diff --git a/tests/testutils.c b/tests/testutils.c index feda22bd00..dbe4773f14 100644 --- a/tests/testutils.c +++ b/tests/testutils.c 
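Review bot: `virCommandSetDryRun(NULL, NULL, NULL)` in testCompareXMLToArgvFiles is reached only on the success path; when virNetworkDefParseFile, networkAddFirewallRules or the virBufferError check fails, the `goto cleanup` skips it, so dry-run mode presumably stays armed with the address of the local `buf` that cleanup frees and the function then abandons, and a later command run in the same process would write through a dangling pointer. Move the reset to the head of the cleanup block, `cleanup:` / `virCommandSetDryRun(NULL, NULL, NULL);` / `virBufferFreeAndReset(&buf);`, so every exit path disarms it. In mymain, `DO_TEST("route-default");` is issued twice, which looks like a leftover from copying a case, and `abs_top_srcdir` is assigned but never read (both fixture paths are built from abs_srcdir), so either drop it or use it. The inner `# ifdef __linux__ … # error` block sits inside the outer `#if defined (__linux__)`, so its error branch is unreachable and RULESTYPE could simply be defined directly.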
@@ -855,6 +855,57 @@ int virtTestClearLineRegex(const char *pattern, } +/* + * @cmdset contains a list of command line args, eg + * + * "/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT + * /usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT + * /usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT + * /usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT + * /usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT" + * + * And we're munging it in-place to strip the path component + * of the command line, to produce + * + * "iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT + * iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT + * iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT + * iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT + * iptables --table filter --insert FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT" + */ +void virtTestClearCommandPath(char *cmdset) +{ + size_t offset = 0; + char *lineStart = cmdset; + char *lineEnd = strchr(lineStart, '\n'); + + while (lineStart) { + char *dirsep; + char *movestart; + size_t movelen; + dirsep = strchr(lineStart, ' '); + if (dirsep) { + while (dirsep > lineStart && *dirsep != '/') + dirsep--; + if (*dirsep == '/') + dirsep++; + movestart = dirsep; + } else { + movestart = lineStart; + } + movelen = lineEnd ? lineEnd - movestart : strlen(movestart); + + if (movelen) { + memmove(cmdset + offset, movestart, movelen + 1); + offset += movelen + 1; + } + lineStart = lineEnd ? lineEnd + 1 : NULL; + lineEnd = lineStart ? 
strchr(lineStart, '\n') : NULL; + } + cmdset[offset] = '\0'; +} + + virCapsPtr virTestGenericCapsInit(void) { virCapsPtr caps; diff --git a/tests/testutils.h b/tests/testutils.h index e89492bf62..ad28ea78c0 100644 --- a/tests/testutils.h +++ b/tests/testutils.h @@ -59,6 +59,8 @@ int virtTestCaptureProgramOutput(const char *const argv[], char **buf, int maxle int virtTestClearLineRegex(const char *pattern, char *string); +void virtTestClearCommandPath(char *cmdset); + int virtTestDifference(FILE *stream, const char *expect, const char *actual);
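Review bot: `strchr(lineStart, ' ')` in virtTestClearCommandPath is not bounded to the current line, so for a line holding a bare command with no arguments the space is found on a following line, the backwards walk can stop at a `/` inside that later line, and `lineEnd - movestart` becomes negative and is converted to a huge size_t for memmove. Bound the search to the line, `dirsep = lineEnd ? memchr(lineStart, ' ', (size_t)(lineEnd - lineStart)) : strchr(lineStart, ' ');`. Separately, the last line copies `movelen + 1` bytes (its terminator included) and the final `cmdset[offset] = '\0'` then writes one byte further, which lands one past the original terminator when the final line has no trailing newline and nothing was stripped from it (for example a single line without a `/`); copy `movelen` bytes, advance `offset` by `movelen`, and append `'\n'` only when `lineEnd` is set, so the final store always lands on or before the original terminator. Blank lines are dropped silently by the `if (movelen)` test, which is worth a sentence in the header comment if that is intended.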