/* * networkxml2firewalltest.c: Test iptables rule generation * * Copyright (C) 2014 Red Hat, Inc. * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this library. If not, see * . * */ #include #include "testutils.h" #if defined (__linux__) # include # include "network/bridge_driver_platform.h" # include "virbuffer.h" # include "virmock.h" # define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW # include "vircommandpriv.h" # define VIR_FROM_THIS VIR_FROM_NONE # ifdef __linux__ # define RULESTYPE "linux" # else # error "test case not ported to this platform" # endif VIR_MOCK_WRAP_RET_ARGS(g_dbus_connection_call_sync, GVariant *, GDBusConnection *, connection, const gchar *, bus_name, const gchar *, object_path, const gchar *, interface_name, const gchar *, method_name, GVariant *, parameters, const GVariantType *, reply_type, GDBusCallFlags, flags, gint, timeout_msec, GCancellable *, cancellable, GError **, error) { if (parameters) { g_variant_ref_sink(parameters); g_variant_unref(parameters); } VIR_MOCK_REAL_INIT(g_dbus_connection_call_sync); *error = g_dbus_error_new_for_dbus_error("org.freedesktop.error", "dbus is disabled"); return NULL; } static void testCommandDryRun(const char *const*args G_GNUC_UNUSED, const char *const*env G_GNUC_UNUSED, const char *input G_GNUC_UNUSED, char **output, char **error, int *status, void *opaque G_GNUC_UNUSED) { *status = 0; /* if arg[1] is -ae then this is an nft command, * and the caller requested to get the handle * of the newly added object in stdout */ if (STREQ_NULLABLE(args[1], "-ae")) *output = g_strdup("# handle 5309"); else *output = g_strdup(""); *error = g_strdup(""); } static int testCompareXMLToArgvFiles(const char *xml, const char *cmdline, const char *baseargs, virFirewallBackend backend) { g_autofree char *actualargv = NULL; g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER; g_autoptr(virNetworkDef) def = NULL; char *actual; g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew(); virCommandSetDryRun(dryRunToken, &buf, true, true, testCommandDryRun, NULL); if (!(def = virNetworkDefParse(NULL, xml, NULL, false))) return -1; if (networkAddFirewallRules(def, backend, NULL) < 0) return -1; actual = actualargv = virBufferContentAndReset(&buf); /* The first network to be created populates the * libvirt global chains. We must skip args for * that if present */ if (STRPREFIX(actual, baseargs)) actual += strlen(baseargs); if (virTestCompareToFileFull(actual, cmdline, false) < 0) return -1; return 0; } struct testInfo { const char *name; const char *baseargs; virFirewallBackend backend; }; static int testCompareXMLToIPTablesHelper(const void *data) { int result = -1; const struct testInfo *info = data; g_autofree char *xml = NULL; g_autofree char *args = NULL; xml = g_strdup_printf("%s/networkxml2firewalldata/%s.xml", abs_srcdir, info->name); args = g_strdup_printf("%s/networkxml2firewalldata/%s-%s.%s", abs_srcdir, info->name, RULESTYPE, virFirewallBackendTypeToString(info->backend)); result = testCompareXMLToArgvFiles(xml, args, info->baseargs, info->backend); return result; } static int mymain(void) { int ret = 0; g_autofree char *basefileIptables = NULL; g_autofree char *basefileNftables = NULL; g_autofree char *baseargsIptables = NULL; g_autofree char *baseargsNftables = NULL; const char *baseargs[VIR_FIREWALL_BACKEND_LAST]; # define DO_TEST_FOR_BACKEND(name, backend) \ do { \ struct testInfo info = { \ name, baseargs[backend], backend \ }; \ g_autofree char *label = g_strdup_printf("Network XML-2-%s %s", \ virFirewallBackendTypeToString(backend), \ name); \ if (virTestRun(label, testCompareXMLToIPTablesHelper, &info) < 0) \ ret = -1; \ } while (0) # define DO_TEST(name) \ DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_IPTABLES); \ DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_NFTABLES); basefileIptables = g_strdup_printf("%s/networkxml2firewalldata/base.iptables", abs_srcdir); if (virFileReadAll(basefileIptables, INT_MAX, &baseargsIptables) < 0) return EXIT_FAILURE; baseargs[VIR_FIREWALL_BACKEND_IPTABLES] = baseargsIptables; basefileNftables = g_strdup_printf("%s/networkxml2firewalldata/base.nftables", abs_srcdir); if (virFileReadAll(basefileNftables, INT_MAX, &baseargsNftables) < 0) return EXIT_FAILURE; baseargs[VIR_FIREWALL_BACKEND_NFTABLES] = baseargsNftables; DO_TEST("nat-default"); DO_TEST("nat-tftp"); DO_TEST("nat-many-ips"); DO_TEST("nat-no-dhcp"); DO_TEST("nat-ipv6"); DO_TEST("nat-ipv6-masquerade"); DO_TEST("route-default"); return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE; } /* NB: virgdbus must be mocked because this test calls * networkAddFirewallRules(), which will always call * virFirewallDIsRegistered(), which calls * virGDBusIsServiceRegistered(). */ VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virgdbus"), VIR_TEST_MOCK("virfirewall")) #else /* ! defined (__linux__) */ int main(void) { return EXIT_AM_SKIP; } #endif /* ! defined (__linux__) */