[PATCH 14/26] Add test for converting network XML to iptables rules

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Using the virCommand dry run capability, capture iptables rules
created by various network XML documents.

Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 tests/Makefile.am                                  |  17 ++-
 .../networkxml2firewalldata/nat-default-linux.args |  30 ++++
 tests/networkxml2firewalldata/nat-default.xml      |  10 ++
 tests/networkxml2firewalldata/nat-ipv6-linux.args  |  44 ++++++
 tests/networkxml2firewalldata/nat-ipv6.xml         |  15 ++
 .../nat-many-ips-linux.args                        |  58 ++++++++
 tests/networkxml2firewalldata/nat-many-ips.xml     |  12 ++
 .../networkxml2firewalldata/nat-no-dhcp-linux.args |  42 ++++++
 tests/networkxml2firewalldata/nat-no-dhcp.xml      |   7 +
 tests/networkxml2firewalldata/nat-tftp-linux.args  |  32 ++++
 tests/networkxml2firewalldata/nat-tftp.xml         |  11 ++
 .../route-default-linux.args                       |  20 +++
 tests/networkxml2firewalldata/route-default.xml    |  10 ++
 tests/networkxml2firewalltest.c                    | 162 +++++++++++++++++++++
 14 files changed, 468 insertions(+), 2 deletions(-)
 create mode 100644 tests/networkxml2firewalldata/nat-default-linux.args
 create mode 100644 tests/networkxml2firewalldata/nat-default.xml
 create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.args
 create mode 100644 tests/networkxml2firewalldata/nat-ipv6.xml
 create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.args
 create mode 100644 tests/networkxml2firewalldata/nat-many-ips.xml
 create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.args
 create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp.xml
 create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.args
 create mode 100644 tests/networkxml2firewalldata/nat-tftp.xml
 create mode 100644 tests/networkxml2firewalldata/route-default-linux.args
 create mode 100644 tests/networkxml2firewalldata/route-default.xml
 create mode 100644 tests/networkxml2firewalltest.c

diff --git a/tests/Makefile.am b/tests/Makefile.am
index a10919d..75e723f 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -87,6 +87,7 @@ EXTRA_DIST =		\
 	networkxml2confdata \
 	networkxml2xmlupdatein \
 	networkxml2xmlupdateout \
+	networkxml2firewalldata \
 	nodedevschemadata \
 	nodedevschematest \
 	nodeinfodata     \
@@ -249,10 +250,16 @@ if WITH_YAJL
 test_programs += jsontest
 endif WITH_YAJL
 
-test_programs += networkxml2xmltest networkxml2xmlupdatetest
+test_programs += \
+		networkxml2xmltest \
+		networkxml2xmlupdatetest \
+		$(NULL)
 
 if WITH_NETWORK
-test_programs += networkxml2conftest
+test_programs += \
+		networkxml2conftest \
+		networkxml2firewalltest \
+		$(NULL)
 endif WITH_NETWORK
 
 if WITH_STORAGE_SHEEPDOG
@@ -655,6 +662,12 @@ networkxml2conftest_SOURCES = \
 	networkxml2conftest.c \
 	testutils.c testutils.h
 networkxml2conftest_LDADD = ../src/libvirt_driver_network_impl.la $(LDADDS)
+
+networkxml2firewalltest_SOURCES = \
+	networkxml2firewalltest.c \
+	testutils.c testutils.h
+networkxml2firewalltest_LDADD = ../src/libvirt_driver_network_impl.la $(LDADDS)
+
 else ! WITH_NETWORK
 EXTRA_DIST += networkxml2conftest.c
 endif !	WITH_NETWORK
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.args
new file mode 100644
index 0000000..0ec2807
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
@@ -0,0 +1,30 @@
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \
+--destination-port 68 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-default.xml b/tests/networkxml2firewalldata/nat-default.xml
new file mode 100644
index 0000000..d7241d0
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-default.xml
@@ -0,0 +1,10 @@
+<network>
+  <name>default</name>
+  <bridge name="virbr0"/>
+  <forward/>
+  <ip address="192.168.122.1" netmask="255.255.255.0">
+    <dhcp>
+      <range start="192.168.122.2" end="192.168.122.254"/>
+    </dhcp>
+  </ip>
+</network>
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.args
new file mode 100644
index 0000000..690a354
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args
@@ -0,0 +1,44 @@
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \
+--destination-port 68 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/ip6tables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/ip6tables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 547 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/ip6tables --table filter --insert FORWARD --source 2001:db8:ca2:2::/64 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert FORWARD --destination 2001:db8:ca2:2::/64 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-ipv6.xml b/tests/networkxml2firewalldata/nat-ipv6.xml
new file mode 100644
index 0000000..337e71d
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-ipv6.xml
@@ -0,0 +1,15 @@
+<network>
+  <name>default</name>
+  <bridge name="virbr0"/>
+  <forward/>
+  <ip address="192.168.122.1" netmask="255.255.255.0">
+    <dhcp>
+      <range start="192.168.122.2" end="192.168.122.254"/>
+    </dhcp>
+  </ip>
+  <ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" >
+    <dhcp>
+      <range start="2001:db8:ca2:2:1::10" end="2001:db8:ca2:2:1::ff" />
+    </dhcp>
+  </ip>
+</network>
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.args
new file mode 100644
index 0000000..92c6069
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args
@@ -0,0 +1,58 @@
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \
+--destination-port 68 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.128.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.128.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 '!' \
+--destination 192.168.128.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \
+-p udp '!' --destination 192.168.128.0/24 --jump MASQUERADE --to-ports 1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \
+-p tcp '!' --destination 192.168.128.0/24 --jump MASQUERADE --to-ports 1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.150.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.150.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 '!' \
+--destination 192.168.150.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \
+-p udp '!' --destination 192.168.150.0/24 --jump MASQUERADE --to-ports 1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \
+-p tcp '!' --destination 192.168.150.0/24 --jump MASQUERADE --to-ports 1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-many-ips.xml b/tests/networkxml2firewalldata/nat-many-ips.xml
new file mode 100644
index 0000000..0c8dcff
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-many-ips.xml
@@ -0,0 +1,12 @@
+<network>
+  <name>default</name>
+  <bridge name="virbr0"/>
+  <forward/>
+  <ip address="192.168.122.1" netmask="255.255.255.0">
+    <dhcp>
+      <range start="192.168.122.2" end="192.168.122.254"/>
+    </dhcp>
+  </ip>
+  <ip address="192.168.128.1" netmask="255.255.255.0"/>
+  <ip address="192.168.150.1" netmask="255.255.255.0"/>
+</network>
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
new file mode 100644
index 0000000..bbfb3eb
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
@@ -0,0 +1,42 @@
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \
+--destination-port 68 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/ip6tables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/ip6tables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 547 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/ip6tables --table filter --insert FORWARD --source 2001:db8:ca2:2::/64 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert FORWARD --destination 2001:db8:ca2:2::/64 \
+--out-interface virbr0 --jump ACCEPT
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp.xml b/tests/networkxml2firewalldata/nat-no-dhcp.xml
new file mode 100644
index 0000000..0bccd1d
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-no-dhcp.xml
@@ -0,0 +1,7 @@
+<network>
+  <name>default</name>
+  <bridge name="virbr0"/>
+  <forward/>
+  <ip address="192.168.122.1" netmask="255.255.255.0"/>
+  <ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64"/>
+</network>
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.args
new file mode 100644
index 0000000..d6d65c1
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.args
@@ -0,0 +1,32 @@
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \
+--destination-port 68 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 69 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-tftp.xml b/tests/networkxml2firewalldata/nat-tftp.xml
new file mode 100644
index 0000000..17e8e0a
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-tftp.xml
@@ -0,0 +1,11 @@
+<network>
+  <name>default</name>
+  <bridge name="virbr0"/>
+  <forward/>
+  <ip address="192.168.122.1" netmask="255.255.255.0">
+    <tftp root='/some/dir'/>
+    <dhcp>
+      <range start="192.168.122.2" end="192.168.122.254"/>
+    </dhcp>
+  </ip>
+</network>
diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.args
new file mode 100644
index 0000000..31e5394
--- /dev/null
+++ b/tests/networkxml2firewalldata/route-default-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \
+--destination-port 68 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill
diff --git a/tests/networkxml2firewalldata/route-default.xml b/tests/networkxml2firewalldata/route-default.xml
new file mode 100644
index 0000000..3bc7bb9
--- /dev/null
+++ b/tests/networkxml2firewalldata/route-default.xml
@@ -0,0 +1,10 @@
+<network>
+  <name>default</name>
+  <bridge name="virbr0"/>
+  <forward mode='route'/>
+  <ip address="192.168.122.1" netmask="255.255.255.0">
+    <dhcp>
+      <range start="192.168.122.2" end="192.168.122.254"/>
+    </dhcp>
+  </ip>
+</network>
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
new file mode 100644
index 0000000..55cb38a
--- /dev/null
+++ b/tests/networkxml2firewalltest.c
@@ -0,0 +1,162 @@
+/*
+ * networkxml2firewalltest.c: Test iptables rule generation
+ *
+ * Copyright (C) 2014 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <config.h>
+
+#if defined (__linux__)
+
+# include "testutils.h"
+# include "network/bridge_driver_platform.h"
+# include "virbuffer.h"
+
+# define __VIR_FIREWALL_PRIV_H_ALLOW__
+# include "virfirewallpriv.h"
+
+# define __VIR_COMMAND_PRIV_H_ALLOW__
+# include "vircommandpriv.h"
+
+# define VIR_FROM_THIS VIR_FROM_NONE
+
+static const char *abs_top_srcdir;
+
+# ifdef __linux__
+#  define RULESTYPE "linux"
+# else
+#  error "test case not ported to this platform"
+# endif
+
+static int testCompareXMLToArgvFiles(const char *xml,
+                                     const char *cmdline)
+{
+    char *expectargv = NULL;
+    int len;
+    char *actualargv = NULL;
+    virBuffer buf = VIR_BUFFER_INITIALIZER;
+    virNetworkDefPtr def = NULL;
+    int ret = -1;
+
+    virCommandSetDryRun(&buf, NULL, NULL);
+
+    if (!(def = virNetworkDefParseFile(xml)))
+        goto cleanup;
+
+    if (networkAddFirewallRules(def) < 0)
+        goto cleanup;
+
+    if (virBufferError(&buf))
+        goto cleanup;
+
+    actualargv = virBufferContentAndReset(&buf);
+    virCommandSetDryRun(NULL, NULL, NULL);
+
+    len = virtTestLoadFile(cmdline, &expectargv);
+    if (len < 0)
+        goto cleanup;
+
+    if (STRNEQ(expectargv, actualargv)) {
+        virtTestDifference(stderr, expectargv, actualargv);
+        goto cleanup;
+    }
+
+    ret = 0;
+
+ cleanup:
+    virBufferFreeAndReset(&buf);
+    VIR_FREE(expectargv);
+    VIR_FREE(actualargv);
+    virNetworkDefFree(def);
+    return ret;
+}
+
+struct testInfo {
+    const char *name;
+};
+
+
+static int
+testCompareXMLToIPTablesHelper(const void *data)
+{
+    int result = -1;
+    const struct testInfo *info = data;
+    char *xml = NULL;
+    char *args = NULL;
+
+    if (virAsprintf(&xml, "%s/networkxml2firewalldata/%s.xml",
+                    abs_srcdir, info->name) < 0 ||
+        virAsprintf(&args, "%s/networkxml2firewalldata/%s-%s.args",
+                    abs_srcdir, info->name, RULESTYPE) < 0)
+        goto cleanup;
+
+    result = testCompareXMLToArgvFiles(xml, args);
+
+ cleanup:
+    VIR_FREE(xml);
+    VIR_FREE(args);
+    return result;
+}
+
+
+static int
+mymain(void)
+{
+    int ret = 0;
+
+    abs_top_srcdir = getenv("abs_top_srcdir");
+    if (!abs_top_srcdir)
+        abs_top_srcdir = abs_srcdir "/..";
+
+# define DO_TEST(name)                                                  \
+    do {                                                                \
+        static struct testInfo info = {                                 \
+            name,                                                       \
+        };                                                              \
+        if (virtTestRun("Network XML-2-iptables " name,                 \
+                        testCompareXMLToIPTablesHelper, &info) < 0)     \
+            ret = -1;                                                   \
+    } while (0)
+
+    if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
+        ret = -1;
+        goto cleanup;
+    }
+
+    DO_TEST("nat-default");
+    DO_TEST("nat-tftp");
+    DO_TEST("nat-many-ips");
+    DO_TEST("nat-no-dhcp");
+    DO_TEST("nat-ipv6");
+    DO_TEST("route-default");
+    DO_TEST("route-default");
+
+ cleanup:
+    return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+}
+
+VIRT_TEST_MAIN(mymain)
+
+#else /* ! defined (__linux__) */
+
+int main(void)
+{
+    return EXIT_AM_SKIP;
+}
+
+#endif /* ! defined (__linux__) */
-- 
1.9.0

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]