Commit Graph

10 Commits

Author SHA1 Message Date
Daniel P. Berrangé
2a95dbd03c nwfilter: drop support for legacy iptables conntrack direction
Long ago we adapted to Linux kernel changes which inverted the
behaviour of the conntrack --ctdir setting:

  commit a6a04ea47a
  Author: Stefan Berger <stefanb@us.ibm.com>
  Date:   Wed May 15 21:02:11 2013 -0400

    nwfilter: check for inverted ctdir

    Linux netfilter at some point (Linux 2.6.39) inverted the meaning of the
    '--ctdir reply' and newer netfilter implementations now expect
    '--ctdir original' instead and vice-versa.
    We check for the kernel version and assume that all Linux kernels with version
    2.6.39 have the newer inverted logic.

    Any distro backporting the Linux kernel patch that inverts the --ctdir logic
    (Linux commit 96120d86f) must also backport this patch for Linux and
    adapt the kernel version being tested for.

    Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>

Given our supported platform targets, we no longer need to
consider a version of Linux before 2.6.39, so can drop
support for the old direction behaviour.

The test suite updates are triggered because that never
probed for the ctdir direction, and so the iptables syntax
generator unconditionally dropped the ctdir args.

Reviewed-by: Laine Stump <laine@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2022-03-09 11:37:32 +00:00
Daniel P. Berrangé
02b8045517 nwfilter: drop support for legacy iptables match syntax
Long ago we adapted to iptables changes by introducing support
for '-m conntrack':

  commit 06844ccbaa
  Author: Stefan Berger <stefanb@us.ibm.com>
  Date:   Tue Aug 6 20:30:46 2013 -0400

    nwfilter: Use -m conntrack rather than -m state

    Since iptables version 1.4.16 '-m state --state NEW' is converted to
    '-m conntrack --ctstate NEW'. Therefore, when encountering this or later
    versions of iptables use '-m conntrack --ctstate'.

Given our supported platform targets, we no longer need to
consider a version of iptables before 1.4.16, so can drop
support for the old syntax.

The test suite updates are triggered because that never
probed for the new syntax, and so unconditionally
generated the old syntax.

Reviewed-by: Laine Stump <laine@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2022-03-09 11:37:12 +00:00
Michal Privoznik
86c691e6de tests: Update IPv4-in-IPv6 addresses
We have couple of tests where the obsolete IPv4-in-IPv6 notation
is used (::10.1.2.3). Change them to the correct format
(::ffff:10.1.2.3).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2022-03-04 15:08:59 +01:00
Peter Krempa
13ffa48d2f nwfilterxml2firewalldata: Use internal wrapping to wrap output files
As with previous commits use virCommandSetDryRun to invoke
virCommandToString so that it returns pre-wrapped string.

Since virCommand is better aware of where the arguments terminate we can
see an improvement where comments are no longer line-wrapped.

The changes to the 'commonRules' strings were done with the following
regex:

 s/ -/ \\\\\\n-/

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
2021-04-12 15:55:10 +02:00
Laine Stump
e66451f685 util/tests: enable locking on iptables/ebtables commandlines in unit tests
All the unit tests that use iptables/ip6tables/ebtables have been
written to omit the locking/exclusive use primitive on the generated
commandlines. Even though none of the tests actually execute those
commands (and so it doesn't matter for purposes of the test whether or
not the commands support these options), it still made sense when some
systems had these locking options and some didn't.

We are now at a point where every supported Linux distro has supported
the locking options on these commands for quite a long time, and are
going to make their use non-optional. As a first step, this patch uses
the virFirewallSetLockOverride() function, which is called at the
beginning of all firewall-related tests, to set all the bools
controlling whether or not the locking options are used to true. This
means that all the test cases must be updated to include the proper
locking option in their commandlines.

The change to make actual execs of the commands unconditionally use
the locking option will be in an upcoming patch - this one affects
only the unit tests.

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2020-11-24 14:21:08 -05:00
Peter Krempa
f4aa549ea8 nwfilterxml2firewall: Fix schema compilance of 'tcp' test case
Fix the 'flags' of the last rule to conform to the RNG schema.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-10-20 09:05:10 +02:00
Daniel P. Berrange
15f42b52fd nwfilter: remove bogus 'protocolid' attribute on arp/rarp fields
Various example XML documents for arp/rarp filtering have a protocolid
XML attribute defined. This is never parsed or output by the libvirt XML
handling code, so shouldn't be present in example XML files either

Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-12-07 09:21:04 +00:00
Daniel P. Berrange
8afd34f2d8 tests: redo test argv file line wrapping
Back in

  commit bd6c46fa0c
  Author: Juerg Haefliger <juerg.haefliger@hp.com>
  Date:   Mon Jan 31 06:42:57 2011 -0500

    tests: handle backspace-newline pairs in test input files

all the test argv files were line wrapped so that the args
were less than 80 characters.

The way the line wrapping was done turns out to be quite
undesirable, because it often leaves multiple parameters
on the same line. If we later need to add or remove
individual parameters, then it leaves us having to redo
line wrapping.

This commit changes the line wrapping so that every
single "-param value" is one its own new line. If the
"value" is still too long, then we break on ',' or ':'
or ' ' as needed.

This means that when we come to add / remove parameters
from the test files line, the patch diffs will only
ever show a single line added/removed which will greatly
simplify review work.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2015-11-09 15:50:39 +00:00
Stefan Berger
3a3b3691d1 nwfilter: Add support for icmpv6 filtering
Make use of the ebtables functionality to be able to filter certain
parameters of icmpv6 packets. Extend the XML parser for icmpv6 types,
type ranges, codes, and code ranges. Extend the nwfilter documentation,
schema, and test cases.

Being able to filter icmpv6 types and codes helps extending the DHCP
snooper for IPv6 and filtering at least some parameters of IPv6's NDP
(Neighbor Discovery Protocol) packets. However, the filtering will not
be as good as the filtering of ARP packets since we cannot
check on IP addresses in the payload of the NDP packets.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
2015-01-07 11:41:49 -05:00
Daniel P. Berrange
3ba789ccd5 Add a test suite for nwfilter ebiptables tech driver
Create a nwfilterxml2firewalltest to exercise the
ebiptables_driver.applyNewRules method with a variety of
different XML input files. The XML input files are taken
from the libvirt-tck nwfilter tests. While the nwfilter
tests verify the final state of the iptables chains, this
test verifies the set of commands invoked to create the
chains.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:10 +01:00