Using the virCommand dry run capability, capture iptables rules
created by various network XML documents.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
tests/Makefile.am | 17 ++-
.../networkxml2firewalldata/nat-default-linux.args | 30 ++++
tests/networkxml2firewalldata/nat-default.xml | 10 ++
tests/networkxml2firewalldata/nat-ipv6-linux.args | 44 ++++++
tests/networkxml2firewalldata/nat-ipv6.xml | 15 ++
.../nat-many-ips-linux.args | 58 ++++++++
tests/networkxml2firewalldata/nat-many-ips.xml | 12 ++
.../networkxml2firewalldata/nat-no-dhcp-linux.args | 42 ++++++
tests/networkxml2firewalldata/nat-no-dhcp.xml | 7 +
tests/networkxml2firewalldata/nat-tftp-linux.args | 32 ++++
tests/networkxml2firewalldata/nat-tftp.xml | 11 ++
.../route-default-linux.args | 20 +++
tests/networkxml2firewalldata/route-default.xml | 10 ++
tests/networkxml2firewalltest.c | 162 +++++++++++++++++++++
14 files changed, 468 insertions(+), 2 deletions(-)
create mode 100644 tests/networkxml2firewalldata/nat-default-linux.args
create mode 100644 tests/networkxml2firewalldata/nat-default.xml
create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.args
create mode 100644 tests/networkxml2firewalldata/nat-ipv6.xml
create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.args
create mode 100644 tests/networkxml2firewalldata/nat-many-ips.xml
create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.args
create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp.xml
create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.args
create mode 100644 tests/networkxml2firewalldata/nat-tftp.xml
create mode 100644 tests/networkxml2firewalldata/route-default-linux.args
create mode 100644 tests/networkxml2firewalldata/route-default.xml
create mode 100644 tests/networkxml2firewalltest.c
diff --git a/tests/Makefile.am b/tests/Makefile.am
index a10919d..75e723f 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -87,6 +87,7 @@ EXTRA_DIST = \
networkxml2confdata \
networkxml2xmlupdatein \
networkxml2xmlupdateout \
+ networkxml2firewalldata \
nodedevschemadata \
nodedevschematest \
nodeinfodata \
@@ -249,10 +250,16 @@ if WITH_YAJL
test_programs += jsontest
endif WITH_YAJL
-test_programs += networkxml2xmltest networkxml2xmlupdatetest
+test_programs += \
+ networkxml2xmltest \
+ networkxml2xmlupdatetest \
+ $(NULL)
if WITH_NETWORK
-test_programs += networkxml2conftest
+test_programs += \
+ networkxml2conftest \
+ networkxml2firewalltest \
+ $(NULL)
endif WITH_NETWORK
if WITH_STORAGE_SHEEPDOG
@@ -655,6 +662,12 @@ networkxml2conftest_SOURCES = \
networkxml2conftest.c \
testutils.c testutils.h
networkxml2conftest_LDADD = ../src/libvirt_driver_network_impl.la $(LDADDS)
+
+networkxml2firewalltest_SOURCES = \
+ networkxml2firewalltest.c \
+ testutils.c testutils.h
+networkxml2firewalltest_LDADD = ../src/libvirt_driver_network_impl.la $(LDADDS)
+
else ! WITH_NETWORK
EXTRA_DIST += networkxml2conftest.c
endif ! WITH_NETWORK
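Review bot: The `else ! WITH_NETWORK` branch at the end of this hunk still lists only `networkxml2conftest.c` in EXTRA_DIST, so a tarball built with the network driver disabled would ship the new data directory (added to EXTRA_DIST in the first hunk) but not the new test source. Change the line to `EXTRA_DIST += networkxml2conftest.c networkxml2firewalltest.c`.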
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args
b/tests/networkxml2firewalldata/nat-default-linux.args
new file mode 100644
index 0000000..0ec2807
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
@@ -0,0 +1,30 @@
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp
\
+--destination-port 68 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!'
\
+--destination 192.168.122.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-default.xml
b/tests/networkxml2firewalldata/nat-default.xml
new file mode 100644
index 0000000..d7241d0
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-default.xml
@@ -0,0 +1,10 @@
+<network>
+ <name>default</name>
+ <bridge name="virbr0"/>
+ <forward/>
+ <ip address="192.168.122.1" netmask="255.255.255.0">
+ <dhcp>
+ <range start="192.168.122.2" end="192.168.122.254"/>
+ </dhcp>
+ </ip>
+</network>
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args
b/tests/networkxml2firewalldata/nat-ipv6-linux.args
new file mode 100644
index 0000000..690a354
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args
@@ -0,0 +1,44 @@
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp
\
+--destination-port 68 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/ip6tables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/ip6tables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 547 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!'
\
+--destination 192.168.122.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/ip6tables --table filter --insert FORWARD --source 2001:db8:ca2:2::/64 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert FORWARD --destination 2001:db8:ca2:2::/64 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill
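Review bot: The ip6tables FORWARD rule for 2001:db8:ca2:2::/64 with `--out-interface virbr0 --jump ACCEPT` carries no `--match conntrack --ctstate ESTABLISHED,RELATED` qualifier, whereas the IPv4 counterpart for 192.168.122.0/24 in the same file does, so this golden file locks in that the IPv6 side of a `<forward/>` network is fully reachable inbound while the IPv4 side is masqueraded. That looks like existing driver behaviour being captured rather than something this commit changes, but since any later tightening of the IPv6 rules will have to edit this expectation, a sentence in the commit message stating that IPv6 is routed rather than NATed would make the asymmetry deliberate rather than accidental.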
diff --git a/tests/networkxml2firewalldata/nat-ipv6.xml
b/tests/networkxml2firewalldata/nat-ipv6.xml
new file mode 100644
index 0000000..337e71d
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-ipv6.xml
@@ -0,0 +1,15 @@
+<network>
+ <name>default</name>
+ <bridge name="virbr0"/>
+ <forward/>
+ <ip address="192.168.122.1" netmask="255.255.255.0">
+ <dhcp>
+ <range start="192.168.122.2" end="192.168.122.254"/>
+ </dhcp>
+ </ip>
+ <ip family="ipv6" address="2001:db8:ca2:2::1"
prefix="64" >
+ <dhcp>
+ <range start="2001:db8:ca2:2:1::10"
end="2001:db8:ca2:2:1::ff" />
+ </dhcp>
+ </ip>
+</network>
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args
b/tests/networkxml2firewalldata/nat-many-ips-linux.args
new file mode 100644
index 0000000..92c6069
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args
@@ -0,0 +1,58 @@
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp
\
+--destination-port 68 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!'
\
+--destination 192.168.122.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.128.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.128.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 '!'
\
+--destination 192.168.128.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \
+-p udp '!' --destination 192.168.128.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \
+-p tcp '!' --destination 192.168.128.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.150.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.150.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 '!'
\
+--destination 192.168.150.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \
+-p udp '!' --destination 192.168.150.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \
+-p tcp '!' --destination 192.168.150.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-many-ips.xml
b/tests/networkxml2firewalldata/nat-many-ips.xml
new file mode 100644
index 0000000..0c8dcff
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-many-ips.xml
@@ -0,0 +1,12 @@
+<network>
+ <name>default</name>
+ <bridge name="virbr0"/>
+ <forward/>
+ <ip address="192.168.122.1" netmask="255.255.255.0">
+ <dhcp>
+ <range start="192.168.122.2" end="192.168.122.254"/>
+ </dhcp>
+ </ip>
+ <ip address="192.168.128.1" netmask="255.255.255.0"/>
+ <ip address="192.168.150.1" netmask="255.255.255.0"/>
+</network>
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
new file mode 100644
index 0000000..bbfb3eb
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
@@ -0,0 +1,42 @@
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp
\
+--destination-port 68 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/ip6tables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/ip6tables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 547 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!'
\
+--destination 192.168.122.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/ip6tables --table filter --insert FORWARD --source 2001:db8:ca2:2::/64 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/ip6tables --table filter --insert FORWARD --destination 2001:db8:ca2:2::/64 \
+--out-interface virbr0 --jump ACCEPT
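Review bot: The first seven lines still open host INPUT tcp/udp 67 and OUTPUT udp 68 on virbr0 although this network defines no `<dhcp>` element, while the trailing mangle CHECKSUM rule present in the other expectations is absent here. If that is the driver's intent — DHCP ports always allowed on the bridge, checksum fixup only when a DHCP server actually runs — the expectation is fine, but nothing states it, and a golden file silently cements whichever is the case. A comment in nat-no-dhcp.xml (`<!-- no <dhcp>: expect DHCP INPUT/OUTPUT rules but no CHECKSUM rule -->`) or a line in the commit message would make the expectation reviewable.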
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp.xml
b/tests/networkxml2firewalldata/nat-no-dhcp.xml
new file mode 100644
index 0000000..0bccd1d
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-no-dhcp.xml
@@ -0,0 +1,7 @@
+<network>
+ <name>default</name>
+ <bridge name="virbr0"/>
+ <forward/>
+ <ip address="192.168.122.1" netmask="255.255.255.0"/>
+ <ip family="ipv6" address="2001:db8:ca2:2::1"
prefix="64"/>
+</network>
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args
b/tests/networkxml2firewalldata/nat-tftp-linux.args
new file mode 100644
index 0000000..d6d65c1
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.args
@@ -0,0 +1,32 @@
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp
\
+--destination-port 68 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 69 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!'
\
+--destination 192.168.122.0/24 --jump MASQUERADE
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports
1024-65535
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+/usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-tftp.xml
b/tests/networkxml2firewalldata/nat-tftp.xml
new file mode 100644
index 0000000..17e8e0a
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-tftp.xml
@@ -0,0 +1,11 @@
+<network>
+ <name>default</name>
+ <bridge name="virbr0"/>
+ <forward/>
+ <ip address="192.168.122.1" netmask="255.255.255.0">
+ <tftp root='/some/dir'/>
+ <dhcp>
+ <range start="192.168.122.2" end="192.168.122.254"/>
+ </dhcp>
+ </ip>
+</network>
diff --git a/tests/networkxml2firewalldata/route-default-linux.args
b/tests/networkxml2firewalldata/route-default-linux.args
new file mode 100644
index 0000000..31e5394
--- /dev/null
+++ b/tests/networkxml2firewalldata/route-default-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp
\
+--destination-port 68 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+/usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --jump ACCEPT
+/usr/sbin/iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill
diff --git a/tests/networkxml2firewalldata/route-default.xml
b/tests/networkxml2firewalldata/route-default.xml
new file mode 100644
index 0000000..3bc7bb9
--- /dev/null
+++ b/tests/networkxml2firewalldata/route-default.xml
@@ -0,0 +1,10 @@
+<network>
+ <name>default</name>
+ <bridge name="virbr0"/>
+ <forward mode='route'/>
+ <ip address="192.168.122.1" netmask="255.255.255.0">
+ <dhcp>
+ <range start="192.168.122.2" end="192.168.122.254"/>
+ </dhcp>
+ </ip>
+</network>
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
new file mode 100644
index 0000000..55cb38a
--- /dev/null
+++ b/tests/networkxml2firewalltest.c
@@ -0,0 +1,162 @@
+/*
+ * networkxml2firewalltest.c: Test iptables rule generation
+ *
+ * Copyright (C) 2014 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <
http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <config.h>
+
+#if defined (__linux__)
+
+# include "testutils.h"
+# include "network/bridge_driver_platform.h"
+# include "virbuffer.h"
+
+# define __VIR_FIREWALL_PRIV_H_ALLOW__
+# include "virfirewallpriv.h"
+
+# define __VIR_COMMAND_PRIV_H_ALLOW__
+# include "vircommandpriv.h"
+
+# define VIR_FROM_THIS VIR_FROM_NONE
+
+static const char *abs_top_srcdir;
+
+# ifdef __linux__
+# define RULESTYPE "linux"
+# else
+# error "test case not ported to this platform"
+# endif
+
+static int testCompareXMLToArgvFiles(const char *xml,
+ const char *cmdline)
+{
+ char *expectargv = NULL;
+ int len;
+ char *actualargv = NULL;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ virNetworkDefPtr def = NULL;
+ int ret = -1;
+
+ virCommandSetDryRun(&buf, NULL, NULL);
+
+ if (!(def = virNetworkDefParseFile(xml)))
+ goto cleanup;
+
+ if (networkAddFirewallRules(def) < 0)
+ goto cleanup;
+
+ if (virBufferError(&buf))
+ goto cleanup;
+
+ actualargv = virBufferContentAndReset(&buf);
+ virCommandSetDryRun(NULL, NULL, NULL);
+
+ len = virtTestLoadFile(cmdline, &expectargv);
+ if (len < 0)
+ goto cleanup;
+
+ if (STRNEQ(expectargv, actualargv)) {
+ virtTestDifference(stderr, expectargv, actualargv);
+ goto cleanup;
+ }
+
+ ret = 0;
+
+ cleanup:
+ virBufferFreeAndReset(&buf);
+ VIR_FREE(expectargv);
+ VIR_FREE(actualargv);
+ virNetworkDefFree(def);
+ return ret;
+}
+
+struct testInfo {
+ const char *name;
+};
+
+
+static int
+testCompareXMLToIPTablesHelper(const void *data)
+{
+ int result = -1;
+ const struct testInfo *info = data;
+ char *xml = NULL;
+ char *args = NULL;
+
+ if (virAsprintf(&xml, "%s/networkxml2firewalldata/%s.xml",
+ abs_srcdir, info->name) < 0 ||
+ virAsprintf(&args, "%s/networkxml2firewalldata/%s-%s.args",
+ abs_srcdir, info->name, RULESTYPE) < 0)
+ goto cleanup;
+
+ result = testCompareXMLToArgvFiles(xml, args);
+
+ cleanup:
+ VIR_FREE(xml);
+ VIR_FREE(args);
+ return result;
+}
+
+
+static int
+mymain(void)
+{
+ int ret = 0;
+
+ abs_top_srcdir = getenv("abs_top_srcdir");
+ if (!abs_top_srcdir)
+ abs_top_srcdir = abs_srcdir "/..";
+
+# define DO_TEST(name) \
+ do { \
+ static struct testInfo info = { \
+ name, \
+ }; \
+ if (virtTestRun("Network XML-2-iptables " name, \
+ testCompareXMLToIPTablesHelper, &info) < 0) \
+ ret = -1; \
+ } while (0)
+
+ if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
+ ret = -1;
+ goto cleanup;
+ }
+
+ DO_TEST("nat-default");
+ DO_TEST("nat-tftp");
+ DO_TEST("nat-many-ips");
+ DO_TEST("nat-no-dhcp");
+ DO_TEST("nat-ipv6");
+ DO_TEST("route-default");
+ DO_TEST("route-default");
+
+ cleanup:
+ return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+}
+
+VIRT_TEST_MAIN(mymain)
+
+#else /* ! defined (__linux__) */
+
+int main(void)
+{
+ return EXIT_AM_SKIP;
+}
+
+#endif /* ! defined (__linux__) */
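Review bot: `virCommandSetDryRun(NULL, NULL, NULL)` in testCompareXMLToArgvFiles is only reached on the success path, so when virNetworkDefParseFile or networkAddFirewallRules fails the process stays in dry-run mode pointing at `buf`, a stack buffer that `virBufferFreeAndReset` releases on the way out; move that reset under the `cleanup:` label so it runs unconditionally. `DO_TEST("route-default");` appears twice at the end of mymain, which reads as a copy-paste slip rather than a second case. The inner `# ifdef __linux__ ... # error` block is dead given the enclosing `#if defined (__linux__)`, and `abs_top_srcdir` is assigned but never read. Only networkAddFirewallRules is exercised, so the removal path is untested; a sibling expectation captured from networkRemoveFirewallRules would catch rules being left behind on network teardown, which is the failure mode that matters operationally.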
--
1.9.0