External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-10-05 05:45:46 +00:00
Code Issues Packages Projects Releases Wiki Activity
0dffca8f95
libvirt/tests/nwfilterebiptablestest.c
Peter Krempa 0dffca8f95 virCommandSetDryRun: Rework resetting of the dry run data 
While virCommandSetDryRun is used in tests only, there were some cases
when error paths would not call the function with NULL arguments to
reset the dry run infrastructure.

Introduce virCommandDryRunToken type which must be allocated via
virCommandDryRunTokenNew and passed to virCommandSetDryRun.

This way we can use automatic variable cleaning to trigger the cleanup
of virCommandSetDryRun parameters and also the use of the token variable
ensures that all callers of virCommandSetDryRun clean up after
themselves and also that the token isn't left unused in the code.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
2021-04-12 15:55:10 +02:00

554 lines
23 KiB
C
Raw Blame History

/*
* nwfilterebiptablestest.c: Test {eb,ip,ip6}tables rule generation
*
* Copyright (C) 2014 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*
*/
#include <config.h>
#include "testutils.h"
#include "nwfilter/nwfilter_ebiptables_driver.h"
#include "virbuffer.h"
#include "virfirewall.h"
#define LIBVIRT_VIRFIREWALLPRIV_H_ALLOW
#include "virfirewallpriv.h"
#define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW
#include "vircommandpriv.h"
#define VIR_FROM_THIS VIR_FROM_NONE
#define VIR_NWFILTER_NEW_RULES_TEARDOWN \
"iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n" \
"iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" \
"iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \
"iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n" \
"iptables -w -F FP-vnet0\n" \
"iptables -w -X FP-vnet0\n" \
"iptables -w -F FJ-vnet0\n" \
"iptables -w -X FJ-vnet0\n" \
"iptables -w -F HJ-vnet0\n" \
"iptables -w -X HJ-vnet0\n" \
"ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n" \
"ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" \
"ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \
"ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n" \
"ip6tables -w -F FP-vnet0\n" \
"ip6tables -w -X FP-vnet0\n" \
"ip6tables -w -F FJ-vnet0\n" \
"ip6tables -w -X FJ-vnet0\n" \
"ip6tables -w -F HJ-vnet0\n" \
"ip6tables -w -X HJ-vnet0\n" \
"ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n" \
"ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n" \
"ebtables --concurrent -t nat -L libvirt-J-vnet0\n" \
"ebtables --concurrent -t nat -L libvirt-P-vnet0\n" \
"ebtables --concurrent -t nat -F libvirt-J-vnet0\n" \
"ebtables --concurrent -t nat -X libvirt-J-vnet0\n" \
"ebtables --concurrent -t nat -F libvirt-P-vnet0\n" \
"ebtables --concurrent -t nat -X libvirt-P-vnet0\n"
static int
testNWFilterEBIPTablesAllTeardown(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
const char *expected =
VIR_NWFILTER_NEW_RULES_TEARDOWN
"iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
"iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
"iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
"iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
"iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
"iptables -w -F FO-vnet0\n"
"iptables -w -X FO-vnet0\n"
"iptables -w -F FI-vnet0\n"
"iptables -w -X FI-vnet0\n"
"iptables -w -F HI-vnet0\n"
"iptables -w -X HI-vnet0\n"
"ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
"ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
"ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
"ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
"ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
"ip6tables -w -F FO-vnet0\n"
"ip6tables -w -X FO-vnet0\n"
"ip6tables -w -F FI-vnet0\n"
"ip6tables -w -X FI-vnet0\n"
"ip6tables -w -F HI-vnet0\n"
"ip6tables -w -X HI-vnet0\n"
"ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -X libvirt-O-vnet0\n";
char *actual = NULL;
int ret = -1;
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
virCommandSetDryRun(dryRunToken, &buf, NULL, NULL);
if (ebiptables_driver.allTeardown("vnet0") < 0)
goto cleanup;
actual = virBufferContentAndReset(&buf);
virTestClearCommandPath(actual);
if (STRNEQ_NULLABLE(actual, expected)) {
virTestDifference(stderr, expected, actual);
goto cleanup;
}
ret = 0;
cleanup:
VIR_FREE(actual);
return ret;
}
static int
testNWFilterEBIPTablesTearOldRules(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
const char *expected =
"iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
"iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
"iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
"iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
"iptables -w -F FO-vnet0\n"
"iptables -w -X FO-vnet0\n"
"iptables -w -F FI-vnet0\n"
"iptables -w -X FI-vnet0\n"
"iptables -w -F HI-vnet0\n"
"iptables -w -X HI-vnet0\n"
"iptables -w -E FP-vnet0 FO-vnet0\n"
"iptables -w -E FJ-vnet0 FI-vnet0\n"
"iptables -w -E HJ-vnet0 HI-vnet0\n"
"ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
"ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
"ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
"ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
"ip6tables -w -F FO-vnet0\n"
"ip6tables -w -X FO-vnet0\n"
"ip6tables -w -F FI-vnet0\n"
"ip6tables -w -X FI-vnet0\n"
"ip6tables -w -F HI-vnet0\n"
"ip6tables -w -X HI-vnet0\n"
"ip6tables -w -E FP-vnet0 FO-vnet0\n"
"ip6tables -w -E FJ-vnet0 FI-vnet0\n"
"ip6tables -w -E HJ-vnet0 HI-vnet0\n"
"ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -L libvirt-J-vnet0\n"
"ebtables --concurrent -t nat -L libvirt-P-vnet0\n"
"ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
char *actual = NULL;
int ret = -1;
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
virCommandSetDryRun(dryRunToken, &buf, NULL, NULL);
if (ebiptables_driver.tearOldRules("vnet0") < 0)
goto cleanup;
actual = virBufferContentAndReset(&buf);
virTestClearCommandPath(actual);
if (STRNEQ_NULLABLE(actual, expected)) {
virTestDifference(stderr, expected, actual);
goto cleanup;
}
ret = 0;
cleanup:
VIR_FREE(actual);
return ret;
}
static int
testNWFilterEBIPTablesRemoveBasicRules(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
const char *expected =
"ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
"ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
"ebtables --concurrent -t nat -L libvirt-J-vnet0\n"
"ebtables --concurrent -t nat -L libvirt-P-vnet0\n"
"ebtables --concurrent -t nat -F libvirt-J-vnet0\n"
"ebtables --concurrent -t nat -X libvirt-J-vnet0\n"
"ebtables --concurrent -t nat -F libvirt-P-vnet0\n"
"ebtables --concurrent -t nat -X libvirt-P-vnet0\n";
char *actual = NULL;
int ret = -1;
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
virCommandSetDryRun(dryRunToken, &buf, NULL, NULL);
if (ebiptables_driver.removeBasicRules("vnet0") < 0)
goto cleanup;
actual = virBufferContentAndReset(&buf);
virTestClearCommandPath(actual);
if (STRNEQ_NULLABLE(actual, expected)) {
virTestDifference(stderr, expected, actual);
goto cleanup;
}
ret = 0;
cleanup:
VIR_FREE(actual);
return ret;
}
static int
testNWFilterEBIPTablesTearNewRules(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
const char *expected =
VIR_NWFILTER_NEW_RULES_TEARDOWN;
char *actual = NULL;
int ret = -1;
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
virCommandSetDryRun(dryRunToken, &buf, NULL, NULL);
if (ebiptables_driver.tearNewRules("vnet0") < 0)
goto cleanup;
actual = virBufferContentAndReset(&buf);
virTestClearCommandPath(actual);
if (STRNEQ_NULLABLE(actual, expected)) {
virTestDifference(stderr, expected, actual);
goto cleanup;
}
ret = 0;
cleanup:
VIR_FREE(actual);
return ret;
}
static int
testNWFilterEBIPTablesApplyBasicRules(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
const char *expected =
VIR_NWFILTER_NEW_RULES_TEARDOWN
"iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
"iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
"iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
"iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
"iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
"iptables -w -F FO-vnet0\n"
"iptables -w -X FO-vnet0\n"
"iptables -w -F FI-vnet0\n"
"iptables -w -X FI-vnet0\n"
"iptables -w -F HI-vnet0\n"
"iptables -w -X HI-vnet0\n"
"ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
"ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
"ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
"ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
"ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
"ip6tables -w -F FO-vnet0\n"
"ip6tables -w -X FO-vnet0\n"
"ip6tables -w -F FI-vnet0\n"
"ip6tables -w -X FI-vnet0\n"
"ip6tables -w -F HI-vnet0\n"
"ip6tables -w -X HI-vnet0\n"
"ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
"ebtables --concurrent -t nat -A libvirt-J-vnet0 -s '!' 10:20:30:40:50:60 -j DROP\n"
"ebtables --concurrent -t nat -A libvirt-J-vnet0 -p IPv4 -j ACCEPT\n"
"ebtables --concurrent -t nat -A libvirt-J-vnet0 -p ARP -j ACCEPT\n"
"ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n"
"ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
"ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n";
char *actual = NULL;
int ret = -1;
virMacAddr mac = { .addr = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } };
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
virCommandSetDryRun(dryRunToken, &buf, NULL, NULL);
if (ebiptables_driver.applyBasicRules("vnet0", &mac) < 0)
goto cleanup;
actual = virBufferContentAndReset(&buf);
virTestClearCommandPath(actual);
if (STRNEQ_NULLABLE(actual, expected)) {
virTestDifference(stderr, expected, actual);
goto cleanup;
}
ret = 0;
cleanup:
VIR_FREE(actual);
return ret;
}
static int
testNWFilterEBIPTablesApplyDHCPOnlyRules(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
const char *expected =
VIR_NWFILTER_NEW_RULES_TEARDOWN
"iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
"iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
"iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
"iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
"iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
"iptables -w -F FO-vnet0\n"
"iptables -w -X FO-vnet0\n"
"iptables -w -F FI-vnet0\n"
"iptables -w -X FI-vnet0\n"
"iptables -w -F HI-vnet0\n"
"iptables -w -X HI-vnet0\n"
"ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
"ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
"ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
"ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
"ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
"ip6tables -w -F FO-vnet0\n"
"ip6tables -w -X FO-vnet0\n"
"ip6tables -w -F FI-vnet0\n"
"ip6tables -w -X FI-vnet0\n"
"ip6tables -w -F HI-vnet0\n"
"ip6tables -w -X HI-vnet0\n"
"ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
"ebtables --concurrent -t nat -N libvirt-P-vnet0\n"
"ebtables --concurrent -t nat -A libvirt-J-vnet0 -s 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-sport 68 --ip-dport 67 -j ACCEPT\n"
"ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n"
"ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
"ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
"ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
"ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
"ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
"ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
"ebtables --concurrent -t nat -A libvirt-P-vnet0 -j DROP\n"
"ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
"ebtables --concurrent -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
"ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
char *actual = NULL;
int ret = -1;
virMacAddr mac = { .addr = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } };
const char *servers[] = { "192.168.122.1", "10.0.0.1", "10.0.0.2" };
virNWFilterVarValue val = {
.valType = NWFILTER_VALUE_TYPE_ARRAY,
.u = {
.array = {
.values = (char **)servers,
.nValues = 3,
}
}
};
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
virCommandSetDryRun(dryRunToken, &buf, NULL, NULL);
if (ebiptables_driver.applyDHCPOnlyRules("vnet0", &mac, &val, false) < 0)
goto cleanup;
actual = virBufferContentAndReset(&buf);
virTestClearCommandPath(actual);
if (STRNEQ_NULLABLE(actual, expected)) {
virTestDifference(stderr, expected, actual);
goto cleanup;
}
ret = 0;
cleanup:
VIR_FREE(actual);
return ret;
}
static int
testNWFilterEBIPTablesApplyDropAllRules(const void *opaque G_GNUC_UNUSED)
{
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
const char *expected =
VIR_NWFILTER_NEW_RULES_TEARDOWN
"iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
"iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
"iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
"iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
"iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
"iptables -w -F FO-vnet0\n"
"iptables -w -X FO-vnet0\n"
"iptables -w -F FI-vnet0\n"
"iptables -w -X FI-vnet0\n"
"iptables -w -F HI-vnet0\n"
"iptables -w -X HI-vnet0\n"
"ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
"ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
"ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
"ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
"ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
"ip6tables -w -F FO-vnet0\n"
"ip6tables -w -X FO-vnet0\n"
"ip6tables -w -F FI-vnet0\n"
"ip6tables -w -X FI-vnet0\n"
"ip6tables -w -F HI-vnet0\n"
"ip6tables -w -X HI-vnet0\n"
"ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
"ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
"ebtables --concurrent -t nat -N libvirt-P-vnet0\n"
"ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n"
"ebtables --concurrent -t nat -A libvirt-P-vnet0 -j DROP\n"
"ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
"ebtables --concurrent -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
"ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
"ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
char *actual = NULL;
int ret = -1;
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
virCommandSetDryRun(dryRunToken, &buf, NULL, NULL);
if (ebiptables_driver.applyDropAllRules("vnet0") < 0)
goto cleanup;
actual = virBufferContentAndReset(&buf);
virTestClearCommandPath(actual);
if (STRNEQ_NULLABLE(actual, expected)) {
virTestDifference(stderr, expected, actual);
goto cleanup;
}
ret = 0;
cleanup:
VIR_FREE(actual);
return ret;
}
static bool
hasNetfilterTools(void)
{
return virFileIsExecutable(IPTABLES_PATH) &&
virFileIsExecutable(IP6TABLES_PATH) &&
virFileIsExecutable(EBTABLES_PATH);
}
static int
mymain(void)
{
int ret = 0;
if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
if (!hasNetfilterTools()) {
fprintf(stderr, "iptables/ip6tables/ebtables tools not present");
return EXIT_AM_SKIP;
}
return EXIT_FAILURE;
}
if (virTestRun("ebiptablesAllTeardown",
testNWFilterEBIPTablesAllTeardown,
NULL) < 0)
ret = -1;
if (virTestRun("ebiptablesTearOldRules",
testNWFilterEBIPTablesTearOldRules,
NULL) < 0)
ret = -1;
if (virTestRun("ebiptablesRemoveBasicRules",
testNWFilterEBIPTablesRemoveBasicRules,
NULL) < 0)
ret = -1;
if (virTestRun("ebiptablesTearNewRules",
testNWFilterEBIPTablesTearNewRules,
NULL) < 0)
ret = -1;
if (virTestRun("ebiptablesApplyBasicRules",
testNWFilterEBIPTablesApplyBasicRules,
NULL) < 0)
ret = -1;
if (virTestRun("ebiptablesApplyDHCPOnlyRules",
testNWFilterEBIPTablesApplyDHCPOnlyRules,
NULL) < 0)
ret = -1;
if (virTestRun("ebiptablesApplyDropAllRules",
testNWFilterEBIPTablesApplyDropAllRules,
NULL) < 0)
ret = -1;
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
VIR_TEST_MAIN(mymain)
Reference in New Issue View Git Blame Copy Permalink