Commit Graph

5 Commits

Author SHA1 Message Date
Daniel P. Berrangé
02b8045517 nwfilter: drop support for legacy iptables match syntax
Long ago we adapted to iptables changes by introducing support
for '-m conntrack':

  commit 06844ccbaa
  Author: Stefan Berger <stefanb@us.ibm.com>
  Date:   Tue Aug 6 20:30:46 2013 -0400

    nwfilter: Use -m conntrack rather than -m state

    Since iptables version 1.4.16 '-m state --state NEW' is converted to
    '-m conntrack --ctstate NEW'. Therefore, when encountering this or later
    versions of iptables use '-m conntrack --ctstate'.

Given our supported platform targets, we no longer need to
consider a version of iptables before 1.4.16, so can drop
support for the old syntax.

The test suite updates are triggered because that never
probed for the new syntax, and so unconditionally
generated the old syntax.

Reviewed-by: Laine Stump <laine@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2022-03-09 11:37:12 +00:00
Michal Privoznik
86c691e6de tests: Update IPv4-in-IPv6 addresses
We have couple of tests where the obsolete IPv4-in-IPv6 notation
is used (::10.1.2.3). Change them to the correct format
(::ffff:10.1.2.3).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2022-03-04 15:08:59 +01:00
Laine Stump
e66451f685 util/tests: enable locking on iptables/ebtables commandlines in unit tests
All the unit tests that use iptables/ip6tables/ebtables have been
written to omit the locking/exclusive use primitive on the generated
commandlines. Even though none of the tests actually execute those
commands (and so it doesn't matter for purposes of the test whether or
not the commands support these options), it still made sense when some
systems had these locking options and some didn't.

We are now at a point where every supported Linux distro has supported
the locking options on these commands for quite a long time, and are
going to make their use non-optional. As a first step, this patch uses
the virFirewallSetLockOverride() function, which is called at the
beginning of all firewall-related tests, to set all the bools
controlling whether or not the locking options are used to true. This
means that all the test cases must be updated to include the proper
locking option in their commandlines.

The change to make actual execs of the commands unconditionally use
the locking option will be in an upcoming patch - this one affects
only the unit tests.

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2020-11-24 14:21:08 -05:00
Daniel P. Berrange
8afd34f2d8 tests: redo test argv file line wrapping
Back in

  commit bd6c46fa0c
  Author: Juerg Haefliger <juerg.haefliger@hp.com>
  Date:   Mon Jan 31 06:42:57 2011 -0500

    tests: handle backspace-newline pairs in test input files

all the test argv files were line wrapped so that the args
were less than 80 characters.

The way the line wrapping was done turns out to be quite
undesirable, because it often leaves multiple parameters
on the same line. If we later need to add or remove
individual parameters, then it leaves us having to redo
line wrapping.

This commit changes the line wrapping so that every
single "-param value" is one its own new line. If the
"value" is still too long, then we break on ',' or ':'
or ' ' as needed.

This means that when we come to add / remove parameters
from the test files line, the patch diffs will only
ever show a single line added/removed which will greatly
simplify review work.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2015-11-09 15:50:39 +00:00
Daniel P. Berrange
3ba789ccd5 Add a test suite for nwfilter ebiptables tech driver
Create a nwfilterxml2firewalltest to exercise the
ebiptables_driver.applyNewRules method with a variety of
different XML input files. The XML input files are taken
from the libvirt-tck nwfilter tests. While the nwfilter
tests verify the final state of the iptables chains, this
test verifies the set of commands invoked to create the
chains.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2014-04-25 15:44:10 +01:00