[PATCH v2] [TCK] nwfilter: Add test cases for ipset


 



Add test cases for ipset support.

Since ipset may not be available on all systems, the first line of the XML
file containing the test filter has been extended with a specially formatted
XML comment containing a command line test for whether the test case can be
run at all. The format of that line is:

<!-- #<command line test># -->

If the tests in this line don't succeed, the test case is skipped.

Also add a test case cleaning up the created ipset. Run this test after all
other tests using alphabetical ordering.

---
 v2:
  - addressed Eric Blake's comments

---
scripts/nwfilter/nwfilter2vmtest.sh | 36 +++++++-- scripts/nwfilter/nwfilterxml2fwallout/ipset-test.fwall | 39 ++++++++++
 scripts/nwfilter/nwfilterxml2fwallout/zzz-ipset-cleanup.fwall |    1
scripts/nwfilter/nwfilterxml2xmlin/ipset-test.xml | 25 ++++++
 scripts/nwfilter/nwfilterxml2xmlin/zzz-ipset-cleanup.xml      |    5 +
 5 files changed, 99 insertions(+), 7 deletions(-)

Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipset-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipset-test.xml
@@ -0,0 +1,25 @@
+<!-- #ipset help && iptables -t match-set -h && ipset list tck_test || ipset create tck_test hash:ip# -->
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <all  ipset='tck_test' ipsetflags='src,dst' />
+ </rule>
+ <rule action='accept' direction='in'>
+ <all state='NONE' ipset='tck_test' ipsetflags='src,dst' comment='in+NONE'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <all state='NONE' ipset='tck_test' ipsetflags='src,dst' comment='out+NONE'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all  ipset='tck_test' ipsetflags='SRC,DST,SRC' />
+ </rule>
+ <rule action='accept' direction='in'>
+ <all  ipset='tck_test' ipsetflags='SRC,dSt,SRC' />
+ </rule>
+ <rule action='accept' direction='in'>
+ <all  ipset='$IPSETNAME' ipsetflags='src,dst' />
+ </rule>
+ <rule action='accept' direction='inout'>
+ <all  ipset='$IPSETNAME' ipsetflags='src,dst' comment='inout'/>
+ </rule>
+</filter>
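Review bot: The precondition on the first line does not group the way it reads: the shell parses `A && B && C || D` as `(A && B && C) || D`, so when `ipset help` or the iptables probe fails, `ipset create tck_test hash:ip` still runs and, if it succeeds, the test is not skipped. Grouping the fallback keeps both probes mandatory: `<!-- #ipset help && iptables -t match-set -h && { ipset list tck_test || ipset create tck_test hash:ip; }# -->`. Separately, `-t` selects an iptables table, so `iptables -t match-set -h` probably does not verify that the set match is available; `iptables -m set -h` looks like the intended probe, and the same probe is repeated in zzz-ipset-cleanup.xml. Because the harness evaluates this line, the "check" also creates the set on the host as a side effect, which deserves a sentence in the commit message.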
Index: libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilter2vmtest.sh
+++ libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
@@ -107,6 +107,7 @@ checkExpectedOutput() {
   ifname="$3"
   flags="$4"
   skipregex="$5"
+  skiptest="$6"
   regex="s/${ORIG_IFNAME}/${ifname}/g"

   tmpdir=$(mktmpdir)
@@ -147,6 +148,18 @@ checkExpectedOutput() {
       break
     fi

+    if [ -n "${skiptest}" ]; then
+      # treat all skips as passes
+          passctr=$(($passctr + 1))
+          [ $(($flags & $FLAG_VERBOSE)) -ne 0 ] && \
+              echo "SKIP ${xmlfile} : ${cmd}"
+          [ $(($flags & $FLAG_LIBVIRT_TEST)) -ne 0 ] && \
+              test_result $(($passctr + $failctr)) "" 0
+          [ $(($flags & $FLAG_TAP_TEST)) -ne 0 ] && \
+ tap_pass $(($passctr + $failctr)) "SKIP: ${xmlfile} : ${skiptest}"
+          break
+    fi
+
         diff -w ${tmpfile} ${tmpfile2} >/dev/null

         if [ $? -ne 0 ]; then
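Review bot: The verbose branch prints `${cmd}`, which is not one of this function's arguments, while the TAP branch prints `${skiptest}`; the message should read `echo "SKIP ${xmlfile} : ${skiptest}"` so it does not depend on a global left over from the caller. Counting every skip in `passctr` and reporting it through `tap_pass` also makes a host without ipset indistinguishable from one where the firewall rules were actually verified; a separate skip counter, or a TAP `# SKIP` directive in the description, would keep that visible in the results. checkExpectedOutput starts and ends outside this hunk, so whether `cmd` is reassigned inside its loop cannot be seen here.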
@@ -197,19 +210,27 @@ doTest() {
   flags="$5"
   testnum="$6"
   ctr=0
+  skiptest=""

   if [ ! -r "${xmlfile}" ]; then
     echo "FAIL : Cannot access filter XML file ${xmlfile}."
     return 1
   fi

-  ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null
+  # Check whether we can run this test at all
+  cmd=$(sed -n '1 s/^<\!--[     ]*#\(.*\)#[     ]*-->/\1/p' ${xmlfile})
+  if [ -n "${cmd}" ]; then
+    eval "${cmd}" 2>/dev/null 1>/dev/null
+    [ $? -ne 0 ] && skiptest="${cmd}"
+  fi
+
+  [ -z "${skiptest}" ] && ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null

checkExpectedOutput "${xmlfile}" "${fwallfile}" "${vm1name}" "${flags}" \
-      ""
+      "" "${skiptest}"

   checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \
-      "${vm2name}" "${flags}" ""
+      "${vm2name}" "${flags}" "" "${skiptest}"

   if [ $(($flags & $FLAG_ATTACH)) -ne 0 ]; then
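Review bot: `eval "${cmd}"` runs whatever text sits between the `#` markers on the first line of `${xmlfile}` with the privileges of the test run, which for a suite that edits iptables and ipset is presumably root, so every filter XML file now carries executable content. A comment above the `sed` line should state that trust boundary, for example `# The first line of the filter XML is executed as shell; only run files from the trusted test tree`, and the path argument of `sed` should be quoted as `"${xmlfile}"`. Discarding both output streams also hides why a precondition failed; printing `${cmd}` and its exit status under `FLAG_VERBOSE` would help when a test is skipped unexpectedly. doTest continues outside the hunk.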

@@ -234,9 +255,9 @@ EOF

     if [ $rc -eq 0 ]; then
       checkExpectedOutput "${xmlfile}" "${fwallfile}" "${ATTACH_IFNAME}" \
-        "${flags}" "(PRE|POST)ROUTING"
+        "${flags}" "(PRE|POST)ROUTING" "${skiptest}"
       checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \
-        "${vm2name}" "${flags}" "(PRE|POST)ROUTING"
+        "${vm2name}" "${flags}" "(PRE|POST)ROUTING" "${skiptest}"
       msg=`${VIRSH} detach-device "${vm1name}" "${tmpfile}"`
       if [ $? -ne 0 ]; then
         echo "FAIL: Detach of interface failed."
@@ -246,9 +267,9 @@ EOF
         # In case of TAP, run the test anyway so we get to the full number
         # of tests
checkExpectedOutput "${xmlfile}" "${fwallfile}" "${ATTACH_IFNAME}" \
-          "${flags}" "" #"(PRE|POST)ROUTING"
+          "${flags}" "" "${skiptest}" #"(PRE|POST)ROUTING"
         checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \
-          "${vm2name}" "${flags}" #"(PRE|POST)ROUTING"
+          "${vm2name}" "${flags}" "${skiptest}" #"(PRE|POST)ROUTING"
       fi

       attachfailctr=$(($attachfailctr + 1))
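Review bot: The last checkExpectedOutput call in this hunk passes `"${skiptest}"` as the fifth argument, which the function reads as `skipregex`, so `skiptest` (`$6`) stays empty on this path. The skip is then not honoured for the vm2 check after a failed attach, and the precondition command line is used as a skip regex instead. It needs the empty placeholder that the call above it has: `"${vm2name}" "${flags}" "" "${skiptest}" #"(PRE|POST)ROUTING"`.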
@@ -357,6 +378,7 @@ createVM() {
<parameter name='C' value='1090'/>
<parameter name='C' value='1100'/>
<parameter name='C' value='1110'/>
+ <parameter name='IPSETNAME' value='tck_test'/>
</filterref>
<target dev='${vmname}'/>
</interface>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipset-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipset-test.fwall
@@ -0,0 +1,39 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test src,dst /* out+NONE */
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src,dst
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src,dst
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test dst,src /* inout */
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test src,dst /* in+NONE */
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst,src
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst,src
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test src,dst /* inout */
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test src,dst /* out+NONE */
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src,dst
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src,dst
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test dst,src /* inout */
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
+#ebtables -t nat -L libvirt-O-vnet0 2>/dev/null | grep -v "table:" | grep -v "^$"
+#ebtables -t nat -L libvirt-I-vnet0 2>/dev/null | grep -v "table:" | grep -v "^$"
+#ebtables -t nat -L PREROUTING | grep vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/zzz-ipset-cleanup.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/zzz-ipset-cleanup.fwall
@@ -0,0 +1 @@
+#ipset destroy tck_test 2>&1 1>/dev/null
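Review bot: The redirection order `2>&1 1>/dev/null` points stderr at the stream the harness presumably captures and discards only stdout, so any error from `ipset destroy` (the set is missing because ipset-test.xml never ran, or it is still referenced by a rule) becomes output with no matching expected line. If a failed cleanup is meant to fail the test, the commit message should say so; if the intent was to silence the command, the order should be `ipset destroy tck_test >/dev/null 2>&1`. Cleanup also depends on alphabetical ordering and on the run reaching this file, so an aborted run leaves `tck_test` on the host.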
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/zzz-ipset-cleanup.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/zzz-ipset-cleanup.xml
@@ -0,0 +1,5 @@
+<!-- #ipset help && iptables -t match-set -h# -->
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <!-- used only to cleanup ipset -->
+</filter>

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

