Using the virCommand dry run capability, capture iptables rules created by various network XML documents.
Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 tests/Makefile.am | 17 ++-
 .../networkxml2firewalldata/nat-default-linux.args | 30 ++++
 tests/networkxml2firewalldata/nat-default.xml | 10 ++
 tests/networkxml2firewalldata/nat-ipv6-linux.args | 44 ++++++
 tests/networkxml2firewalldata/nat-ipv6.xml | 15 ++
 .../nat-many-ips-linux.args | 58 ++++++++
 tests/networkxml2firewalldata/nat-many-ips.xml | 12 ++
 .../networkxml2firewalldata/nat-no-dhcp-linux.args | 42 ++++++
 tests/networkxml2firewalldata/nat-no-dhcp.xml | 7 +
 tests/networkxml2firewalldata/nat-tftp-linux.args | 32 ++++
 tests/networkxml2firewalldata/nat-tftp.xml | 11 ++
 .../route-default-linux.args | 20 +++
 tests/networkxml2firewalldata/route-default.xml | 10 ++
 tests/networkxml2firewalltest.c | 162 +++++++++++++++++++++
 14 files changed, 468 insertions(+), 2 deletions(-)
 create mode 100644 tests/networkxml2firewalldata/nat-default-linux.args
 create mode 100644 tests/networkxml2firewalldata/nat-default.xml
 create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.args
 create mode 100644 tests/networkxml2firewalldata/nat-ipv6.xml
 create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.args
 create mode 100644 tests/networkxml2firewalldata/nat-many-ips.xml
 create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.args
 create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp.xml
 create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.args
 create mode 100644 tests/networkxml2firewalldata/nat-tftp.xml
 create mode 100644 tests/networkxml2firewalldata/route-default-linux.args
 create mode 100644 tests/networkxml2firewalldata/route-default.xml
 create mode 100644 tests/networkxml2firewalltest.c
diff --git a/tests/Makefile.am b/tests/Makefile.am
index a10919d..75e723f 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -87,6 +87,7 @@ EXTRA_DIST = \
 	networkxml2confdata \
 	networkxml2xmlupdatein \
 	networkxml2xmlupdateout \
+	networkxml2firewalldata \
 	nodedevschemadata \
 	nodedevschematest \
 	nodeinfodata \
@@ -249,10 +250,16 @@ if WITH_YAJL
 test_programs += jsontest
 endif WITH_YAJL
-test_programs += networkxml2xmltest networkxml2xmlupdatetest
+test_programs += \
+	networkxml2xmltest \
+	networkxml2xmlupdatetest \
+	$(NULL)
 if WITH_NETWORK
-test_programs += networkxml2conftest
+test_programs += \
+	networkxml2conftest \
+	networkxml2firewalltest \
+	$(NULL)
 endif WITH_NETWORK
 if WITH_STORAGE_SHEEPDOG
@@ -655,6 +662,12 @@ networkxml2conftest_SOURCES = \
 	networkxml2conftest.c \
 	testutils.c testutils.h
 networkxml2conftest_LDADD = ../src/libvirt_driver_network_impl.la $(LDADDS)
+
+networkxml2firewalltest_SOURCES = \
+	networkxml2firewalltest.c \
+	testutils.c testutils.h
+networkxml2firewalltest_LDADD = ../src/libvirt_driver_network_impl.la $(LDADDS)
+
 else ! WITH_NETWORK
 EXTRA_DIST += networkxml2conftest.c
 endif ! WITH_NETWORK
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.args
new file mode 100644
index 0000000..0ec2807
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
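Review bot: The `else ! WITH_NETWORK` branch at the end of the third hunk still lists only `networkxml2conftest.c` in EXTRA_DIST, so a tarball built from a tree configured without the network driver omits the new `networkxml2firewalltest.c` even though `networkxml2firewalldata` itself is added to EXTRA_DIST in the first hunk. Add the new source alongside the existing one: `EXTRA_DIST += networkxml2conftest.c networkxml2firewalltest.c`.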
@@ -0,0 +1,30 @@ +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 67 --jump ACCEPT +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 67 --jump ACCEPT +/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \ +--destination-port 68 --jump ACCEPT +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 53 --jump ACCEPT +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 53 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT +/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT +/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \ +--out-interface virbr0 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \ +--in-interface virbr0 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \ +--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \ +--destination 192.168.122.0/24 --jump MASQUERADE +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p tcp '!' 
--destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 255.255.255.255/32 --jump RETURN +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 224.0.0.0/24 --jump RETURN +/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \ +--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill diff --git a/tests/networkxml2firewalldata/nat-default.xml b/tests/networkxml2firewalldata/nat-default.xml new file mode 100644 index 0000000..d7241d0 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-default.xml @@ -0,0 +1,10 @@ +<network> + <name>default</name> + <bridge name="virbr0"/> + <forward/> + <ip address="192.168.122.1" netmask="255.255.255.0"> + <dhcp> + <range start="192.168.122.2" end="192.168.122.254"/> + </dhcp> + </ip> +</network> diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.args new file mode 100644 index 0000000..690a354 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args 
@@ -0,0 +1,44 @@ +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 67 --jump ACCEPT +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 67 --jump ACCEPT +/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \ +--destination-port 68 --jump ACCEPT +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 53 --jump ACCEPT +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 53 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT +/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT +/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \ +--out-interface virbr0 --jump ACCEPT +/usr/sbin/ip6tables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT +/usr/sbin/ip6tables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT +/usr/sbin/ip6tables --table filter --insert FORWARD --in-interface virbr0 \ +--out-interface virbr0 --jump ACCEPT +/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 53 --jump ACCEPT +/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 53 --jump ACCEPT +/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 547 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \ +--in-interface virbr0 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \ +--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' 
\ +--destination 192.168.122.0/24 --jump MASQUERADE +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 255.255.255.255/32 --jump RETURN +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 224.0.0.0/24 --jump RETURN +/usr/sbin/ip6tables --table filter --insert FORWARD --source 2001:db8:ca2:2::/64 \ +--in-interface virbr0 --jump ACCEPT +/usr/sbin/ip6tables --table filter --insert FORWARD --destination 2001:db8:ca2:2::/64 \ +--out-interface virbr0 --jump ACCEPT +/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \ +--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill diff --git a/tests/networkxml2firewalldata/nat-ipv6.xml b/tests/networkxml2firewalldata/nat-ipv6.xml new file mode 100644 index 0000000..337e71d --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6.xml @@ -0,0 +1,15 @@ +<network> + <name>default</name> + <bridge name="virbr0"/> + <forward/> + <ip address="192.168.122.1" netmask="255.255.255.0"> + <dhcp> + <range start="192.168.122.2" end="192.168.122.254"/> + </dhcp> + </ip> + <ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" > + <dhcp> + <range start="2001:db8:ca2:2:1::10" end="2001:db8:ca2:2:1::ff" /> + </dhcp> + </ip> +</network> diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.args new file mode 100644 index 0000000..92c6069 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args 
@@ -0,0 +1,58 @@ +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 67 --jump ACCEPT +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 67 --jump ACCEPT +/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \ +--destination-port 68 --jump ACCEPT +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 53 --jump ACCEPT +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 53 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT +/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT +/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \ +--out-interface virbr0 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \ +--in-interface virbr0 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \ +--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \ +--destination 192.168.122.0/24 --jump MASQUERADE +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p tcp '!' 
--destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 255.255.255.255/32 --jump RETURN +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 224.0.0.0/24 --jump RETURN +/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.128.0/24 \ +--in-interface virbr0 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.128.0/24 \ +--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 '!' \ +--destination 192.168.128.0/24 --jump MASQUERADE +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \ +-p udp '!' --destination 192.168.128.0/24 --jump MASQUERADE --to-ports 1024-65535 +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \ +-p tcp '!' --destination 192.168.128.0/24 --jump MASQUERADE --to-ports 1024-65535 +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \ +--destination 255.255.255.255/32 --jump RETURN +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \ +--destination 224.0.0.0/24 --jump RETURN +/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.150.0/24 \ +--in-interface virbr0 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.150.0/24 \ +--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 '!' \ +--destination 192.168.150.0/24 --jump MASQUERADE +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \ +-p udp '!' 
--destination 192.168.150.0/24 --jump MASQUERADE --to-ports 1024-65535 +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \ +-p tcp '!' --destination 192.168.150.0/24 --jump MASQUERADE --to-ports 1024-65535 +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \ +--destination 255.255.255.255/32 --jump RETURN +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \ +--destination 224.0.0.0/24 --jump RETURN +/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \ +--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill diff --git a/tests/networkxml2firewalldata/nat-many-ips.xml b/tests/networkxml2firewalldata/nat-many-ips.xml new file mode 100644 index 0000000..0c8dcff --- /dev/null +++ b/tests/networkxml2firewalldata/nat-many-ips.xml @@ -0,0 +1,12 @@ +<network> + <name>default</name> + <bridge name="virbr0"/> + <forward/> + <ip address="192.168.122.1" netmask="255.255.255.0"> + <dhcp> + <range start="192.168.122.2" end="192.168.122.254"/> + </dhcp> + </ip> + <ip address="192.168.128.1" netmask="255.255.255.0"/> + <ip address="192.168.150.1" netmask="255.255.255.0"/> +</network> diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args new file mode 100644 index 0000000..bbfb3eb --- /dev/null +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args 
@@ -0,0 +1,42 @@ +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 67 --jump ACCEPT +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 67 --jump ACCEPT +/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \ +--destination-port 68 --jump ACCEPT +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 53 --jump ACCEPT +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 53 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT +/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT +/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \ +--out-interface virbr0 --jump ACCEPT +/usr/sbin/ip6tables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT +/usr/sbin/ip6tables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT +/usr/sbin/ip6tables --table filter --insert FORWARD --in-interface virbr0 \ +--out-interface virbr0 --jump ACCEPT +/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 53 --jump ACCEPT +/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 53 --jump ACCEPT +/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 547 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \ +--in-interface virbr0 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \ +--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' 
\ +--destination 192.168.122.0/24 --jump MASQUERADE +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 255.255.255.255/32 --jump RETURN +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 224.0.0.0/24 --jump RETURN +/usr/sbin/ip6tables --table filter --insert FORWARD --source 2001:db8:ca2:2::/64 \ +--in-interface virbr0 --jump ACCEPT +/usr/sbin/ip6tables --table filter --insert FORWARD --destination 2001:db8:ca2:2::/64 \ +--out-interface virbr0 --jump ACCEPT diff --git a/tests/networkxml2firewalldata/nat-no-dhcp.xml b/tests/networkxml2firewalldata/nat-no-dhcp.xml new file mode 100644 index 0000000..0bccd1d --- /dev/null +++ b/tests/networkxml2firewalldata/nat-no-dhcp.xml @@ -0,0 +1,7 @@ +<network> + <name>default</name> + <bridge name="virbr0"/> + <forward/> + <ip address="192.168.122.1" netmask="255.255.255.0"/> + <ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64"/> +</network> diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.args new file mode 100644 index 0000000..d6d65c1 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args 
@@ -0,0 +1,32 @@ +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 67 --jump ACCEPT +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 67 --jump ACCEPT +/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \ +--destination-port 68 --jump ACCEPT +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 53 --jump ACCEPT +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 53 --jump ACCEPT +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 69 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT +/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT +/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \ +--out-interface virbr0 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \ +--in-interface virbr0 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \ +--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \ +--destination 192.168.122.0/24 --jump MASQUERADE +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +-p tcp '!' 
--destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 255.255.255.255/32 --jump RETURN +/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ +--destination 224.0.0.0/24 --jump RETURN +/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \ +--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill diff --git a/tests/networkxml2firewalldata/nat-tftp.xml b/tests/networkxml2firewalldata/nat-tftp.xml new file mode 100644 index 0000000..17e8e0a --- /dev/null +++ b/tests/networkxml2firewalldata/nat-tftp.xml @@ -0,0 +1,11 @@ +<network> + <name>default</name> + <bridge name="virbr0"/> + <forward/> + <ip address="192.168.122.1" netmask="255.255.255.0"> + <tftp root='/some/dir'/> + <dhcp> + <range start="192.168.122.2" end="192.168.122.254"/> + </dhcp> + </ip> +</network> diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.args new file mode 100644 index 0000000..31e5394 --- /dev/null +++ b/tests/networkxml2firewalldata/route-default-linux.args 
@@ -0,0 +1,20 @@ +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 67 --jump ACCEPT +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 67 --jump ACCEPT +/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \ +--destination-port 68 --jump ACCEPT +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ +--destination-port 53 --jump ACCEPT +/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ +--destination-port 53 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT +/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT +/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \ +--out-interface virbr0 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \ +--in-interface virbr0 --jump ACCEPT +/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \ +--out-interface virbr0 --jump ACCEPT +/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \ +--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill diff --git a/tests/networkxml2firewalldata/route-default.xml b/tests/networkxml2firewalldata/route-default.xml new file mode 100644 index 0000000..3bc7bb9 --- /dev/null +++ b/tests/networkxml2firewalldata/route-default.xml @@ -0,0 +1,10 @@ +<network> + <name>default</name> + <bridge name="virbr0"/> + <forward mode='route'/> + <ip address="192.168.122.1" netmask="255.255.255.0"> + <dhcp> + <range start="192.168.122.2" end="192.168.122.254"/> + </dhcp> + </ip> +</network> diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c new file mode 100644 index 0000000..55cb38a --- /dev/null +++ b/tests/networkxml2firewalltest.c 
@@ -0,0 +1,162 @@
+/*
+ * networkxml2firewalltest.c: Test iptables rule generation
+ *
+ * Copyright (C) 2014 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <config.h>
+
+#if defined (__linux__)
+
+# include "testutils.h"
+# include "network/bridge_driver_platform.h"
+# include "virbuffer.h"
+
+# define __VIR_FIREWALL_PRIV_H_ALLOW__
+# include "virfirewallpriv.h"
+
+# define __VIR_COMMAND_PRIV_H_ALLOW__
+# include "vircommandpriv.h"
+
+# define VIR_FROM_THIS VIR_FROM_NONE
+
+static const char *abs_top_srcdir;
+
+# ifdef __linux__
+# define RULESTYPE "linux"
+# else
+# error "test case not ported to this platform"
+# endif
+
+static int testCompareXMLToArgvFiles(const char *xml,
+                                     const char *cmdline)
+{
+    char *expectargv = NULL;
+    int len;
+    char *actualargv = NULL;
+    virBuffer buf = VIR_BUFFER_INITIALIZER;
+    virNetworkDefPtr def = NULL;
+    int ret = -1;
+
+    virCommandSetDryRun(&buf, NULL, NULL);
+
+    if (!(def = virNetworkDefParseFile(xml)))
+        goto cleanup;
+
+    if (networkAddFirewallRules(def) < 0)
+        goto cleanup;
+
+    if (virBufferError(&buf))
+        goto cleanup;
+
+    actualargv = virBufferContentAndReset(&buf);
+    virCommandSetDryRun(NULL, NULL, NULL);
+
+    len = virtTestLoadFile(cmdline, &expectargv);
+    if (len < 0)
+        goto cleanup;
+
+    if (STRNEQ(expectargv, actualargv)) {
+        virtTestDifference(stderr, expectargv, actualargv);
+        goto cleanup;
+    }
+
+    ret = 0;
+
+ cleanup:
+    virBufferFreeAndReset(&buf);
+    VIR_FREE(expectargv);
+    VIR_FREE(actualargv);
+    virNetworkDefFree(def);
+    return ret;
+}
+
+struct testInfo {
+    const char *name;
+};
+
+
+static int
+testCompareXMLToIPTablesHelper(const void *data)
+{
+    int result = -1;
+    const struct testInfo *info = data;
+    char *xml = NULL;
+    char *args = NULL;
+
+    if (virAsprintf(&xml, "%s/networkxml2firewalldata/%s.xml",
+                    abs_srcdir, info->name) < 0 ||
+        virAsprintf(&args, "%s/networkxml2firewalldata/%s-%s.args",
+                    abs_srcdir, info->name, RULESTYPE) < 0)
+        goto cleanup;
+
+    result = testCompareXMLToArgvFiles(xml, args);
+
+ cleanup:
+    VIR_FREE(xml);
+    VIR_FREE(args);
+    return result;
+}
+
+
+static int
+mymain(void)
+{
+    int ret = 0;
+
+    abs_top_srcdir = getenv("abs_top_srcdir");
+    if (!abs_top_srcdir)
+        abs_top_srcdir = abs_srcdir "/..";
+
+# define DO_TEST(name) \
+    do { \
+        static struct testInfo info = { \
+            name, \
+        }; \
+        if (virtTestRun("Network XML-2-iptables " name, \
+                        testCompareXMLToIPTablesHelper, &info) < 0) \
+            ret = -1; \
+    } while (0)
+
+    if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
+        ret = -1;
+        goto cleanup;
+    }
+
+    DO_TEST("nat-default");
+    DO_TEST("nat-tftp");
+    DO_TEST("nat-many-ips");
+    DO_TEST("nat-no-dhcp");
+    DO_TEST("nat-ipv6");
+    DO_TEST("route-default");
+    DO_TEST("route-default");
+
+ cleanup:
+    return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+}
+
+VIRT_TEST_MAIN(mymain)
+
+#else /* ! defined (__linux__) */
+
+int main(void)
+{
+    return EXIT_AM_SKIP;
+}
+
+#endif /* ! defined (__linux__) */
-- 
1.9.0

-- 
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
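Review bot: In testCompareXMLToArgvFiles the `virCommandSetDryRun(NULL, NULL, NULL);` reset sits on the success path only, so when virNetworkDefParseFile, networkAddFirewallRules or virBufferError fails the dry-run hook is left pointing at `buf`, a stack variable that is gone once the function returns, and any virCommand executed before the next case re-arms it could write through that dangling pointer; move the reset under `cleanup:` ahead of `virBufferFreeAndReset(&buf);` so every exit path disarms it. `DO_TEST("route-default");` is issued twice at the end of mymain, presumably a copy-paste slip or a case that was meant to name a different data file. abs_top_srcdir is assigned from getenv but never read (both paths in testCompareXMLToIPTablesHelper are built from abs_srcdir), so the lookup can be dropped or the variable actually used. The inner `# ifdef __linux__` / `# error` can never take its else branch inside the enclosing `#if defined (__linux__)`; that is fine if other platforms are meant to land in this file later, otherwise RULESTYPE can simply be defined unconditionally.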