1:53 p.m.
This patch adds new test cases to the existing nwfilter test program and
adds a test script that must be run while a VM is running. This test
script verifies that input network filter XML creates expected
user-defined tables and rules on ebtables, iptables & ip6tables layer
and verifies their content against expected content. The idea is that
these tools always return exactly the same output when displaying the
content of a user-defined table so that the diff tool can be used for
simple text comparison. All supported protocols have at least one test
case.
This test program is not run automatically since it requires a running
VM.
For all tests to pass the previously posted ICMP fix patch must be applied.
Signed-off-by: Stefan Berger <stefanb(a)us.ibm.com>
---
tests/nwfiltervmtest.sh | 186 ++++++++++++++++++
tests/nwfilterxml2fwallout/ah-ipv6-test.fwall | 19 +
tests/nwfilterxml2fwallout/ah-test.fwall | 19 +
tests/nwfilterxml2fwallout/all-ipv6-test.fwall | 19 +
tests/nwfilterxml2fwallout/all-test.fwall | 19 +
tests/nwfilterxml2fwallout/arp-test.fwall | 9
tests/nwfilterxml2fwallout/esp-ipv6-test.fwall | 19 +
tests/nwfilterxml2fwallout/esp-test.fwall | 19 +
tests/nwfilterxml2fwallout/icmp-direction-test.fwall | 16 +
tests/nwfilterxml2fwallout/icmp-direction2-test.fwall | 16 +
tests/nwfilterxml2fwallout/icmp-direction3-test.fwall | 16 +
tests/nwfilterxml2fwallout/icmp-test.fwall | 16 +
tests/nwfilterxml2fwallout/icmpv6-test.fwall | 16 +
tests/nwfilterxml2fwallout/igmp-test.fwall | 19 +
tests/nwfilterxml2fwallout/ip-test.fwall | 12 +
tests/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall | 12 +
tests/nwfilterxml2fwallout/ipv6-test.fwall | 14 +
tests/nwfilterxml2fwallout/mac-test.fwall | 12 +
tests/nwfilterxml2fwallout/sctp-ipv6-test.fwall | 19 +
tests/nwfilterxml2fwallout/sctp-ipv6-test.xml | 19 +
tests/nwfilterxml2fwallout/sctp-test.fwall | 19 +
tests/nwfilterxml2fwallout/tcp-ipv6-test.fwall | 19 +
tests/nwfilterxml2fwallout/tcp-test.fwall | 19 +
tests/nwfilterxml2fwallout/udp-ipv6-test.fwall | 19 +
tests/nwfilterxml2fwallout/udp-ipv6-test.xml | 19 +
tests/nwfilterxml2fwallout/udp-test.fwall | 19 +
tests/nwfilterxml2fwallout/udplite-ipv6-test.fwall | 19 +
tests/nwfilterxml2fwallout/udplite-test.fwall | 19 +
tests/nwfilterxml2xmlin/icmp-direction-test.xml | 15 +
tests/nwfilterxml2xmlin/icmp-direction2-test.xml | 15 +
tests/nwfilterxml2xmlin/icmp-direction3-test.xml | 10
tests/nwfilterxml2xmlin/ipt-no-macspoof-test.xml | 14 +
tests/nwfilterxml2xmlout/icmp-direction-test.xml | 12 +
tests/nwfilterxml2xmlout/icmp-direction2-test.xml | 12 +
tests/nwfilterxml2xmlout/icmp-direction3-test.xml | 9
tests/nwfilterxml2xmlout/ipt-no-macspoof-test.xml | 9
tests/nwfilterxml2xmltest.c | 4
37 files changed, 748 insertions(+)
Index: libvirt-acl/tests/nwfiltervmtest.sh
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfiltervmtest.sh
@@ -0,0 +1,186 @@
+#!/bin/sh
+
+VIRSH=virsh
+ORIG_IFNAME="vnet0"
+
+function usage() {
+ local cmd="$0"
+ echo "Usage: ${cmd} [--help|-h|-?] [--ifname|-i <interfacename>"
+ cat <<EOF
+
+Options:
+ --help,-h,-? : Display this help screen.
+ --ifname, -i : Name of the backend interface of the VM. Default 'vnet0'
+
+Run this program while a KVM VM is running (preferably as only VM on the
+system) and one of its interfaces uses a filter called 'testcase'. The name
+of the interface of the VM is anticipated to be 'vnet0' unless set by the
+'--ifname' option. The following interface description fulfills this
+requirement:
+
+ <interface type='bridge'>
+ <source bridge='virbr0'/>
+ <target dev='vnet0'/>
+ <filterref filter='testcase'/>
+ </interface>
+
+The individual tests are validated using string comparison where the output
+of ebtables, iptables and ip6tables is compared against expected output. As
+long as the output of those tools is the same, the tests should all pass.
+The tests were developed on Fedore Core 12.
+
+Known problems: None of the running VMs' names may have spaces.
+EOF
+}
+
+
+function doTest() {
+ local xmlfile="$1"
+ local fwallfile="$2"
+ local ifname="$3"
+ local cmd line tmpfile tmpfile2
+ local linenums ctr=0
+ local regex="s/${ORIG_IFNAME}/${ifname}/g"
+
+ if [ ! -r "${xmlfile}" ]; then
+ echo "FAIL : Cannot access filter XML file ${xmlfile}."
+ return 1
+ fi
+
+ tmpfile=`mktemp`
+ tmpfile2=`mktemp`
+
+ ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null
+
+ exec 4<&0
+
+ exec < ${fwallfile}
+
+ read line
+ while [ ! -z "${line}" ]; do
+ cmd=`echo ${line##\#} | sed ${regex}`
+
+ exec ${cmd} | grep -v "^Bridge" | grep -v "^$" > ${tmpfile}
+
+ rm ${tmpfile2}
+ touch ${tmpfile2}
+
+ while [ 1 ]; do
+ read
+
+ line="${REPLY}"
+
+ if [ "${line:0:1}" == "#" -o -z "${line}" ]; then
+
+ diff ${tmpfile} ${tmpfile2} > /dev/null
+
+ if [ $? -ne 0 ]; then
+ echo "FAIL ${xmlfile} : ${cmd}"
+ diff ${tmpfile} ${tmpfile2}
+ else
+ echo "PASS ${xmlfile} : ${cmd}"
+ fi
+
+ break;
+
+ fi
+ echo "${line}" | sed ${regex} >> ${tmpfile2}
+ done
+ done
+
+ exec 0<&4
+ exec 4<&-
+
+ rm -rf "${tmpfile}" "${tmpfile2}"
+}
+
+
+function runTests() {
+ local ifname="$1"
+ local xmldir="$2"
+ local fwalldir="$3"
+ local fwallfiles f
+
+ pushd ${PWD} > /dev/null
+ cd ${fwalldir}
+ fwallfiles=`ls *.fwall`
+ popd > /dev/null
+
+ for fil in ${fwallfiles}; do
+ f=${fil%%.fwall}
+ doTest "${xmldir}/${f}.xml" "${fwalldir}/${fil}"
"${ifname}"
+ done
+}
+
+
+function checkVM() {
+ local vmname="$1"
+ local ifname="$2"
+ local nwfilter="$3"
+ local f i c
+
+ c=`virsh dumpxml ${vmname} | grep -c "<interface"`
+ if [ ${c} -ne 1 ]; then
+ echo "VM '${vmname}' has multiple interfaces. I cannot tell for sure
"
+ echo "whether this VM has the correct interface name '${ifname}' and
"
+ echo "reference the filter '${nwfilter}'. Cowardly skipping this
VM..."
+ return 1
+ fi
+
+ f=`${VIRSH} dumpxml ${vmname} | \
+ tr -d "\n" | \
+ sed "s/.*filterref filter='\([a-zA-Z0-9_]\+\)'.*/\1/"`
+ i=`${VIRSH} dumpxml ${vmname} | \
+ tr -d "\n" | \
+ sed "s/.*\<interface.*target
dev='\([a-zA-Z0-9_]\+\)'.*<\/interface>.*/\1/"`
+
+ if [ "${i}" == "${ifname}" -a "${f}" ==
"${nwfilter}" ]; then
+ return 0
+ fi
+
+ return 1
+}
+
+
+function main() {
+ local prgname="$0"
+ local ifname="${ORIG_IFNAME}"
+ local xmldir="nwfilterxml2xmlin"
+ local fwalldir="nwfilterxml2fwallout"
+ local found=0 vms
+ local filtername="testcase"
+
+ while [ $# -ne 0 ]; do
+ case "$1" in
+ --help|-h|-\?) usage ${prgname}; exit 0;;
+ --ifname|-i) shift 1; ifname="$1";;
+ *) usage ${prgname}; exit 1;;
+ esac
+ shift 1
+ done
+
+ vms=`${VIRSH} list | grep running | gawk '{print $2}'`
+ if [ -z ${vms} ]; then
+ echo "Error: Need a running VM."
+ exit 1;
+ fi
+
+ for vm in ${vms}; do
+ checkVM "${vm}" "${ifname}" "${filtername}"
+ if [ $? -eq 0 ]; then
+ found=1;
+ break;
+ fi
+ done
+
+ if [ ${found} -eq 0 ]; then
+ echo "Error: Suitable VM seems not to be running. Check the help screen";
+ echo "to (--help) to read about requirements to the running VM.";
+ exit 1;
+ fi
+
+ runTests "${ifname}" "${xmldir}" "${fwalldir}"
+}
+
+main $*
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/arp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/arp-test.fwall
@@ -0,0 +1,9 @@
+#ebtables -t nat -L libvirt-I-vnet0
+-p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 12 --arp-ptype
0x22 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 --arp-op Request --arp-htype 255 --arp-ptype 0xff -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 --arp-op 11 --arp-htype 256 --arp-ptype 0x100 -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 --arp-op 65535 --arp-htype 65535 --arp-ptype 0xffff -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 -j ACCEPT
+#ebtables -t nat -L PREROUTING
+-i vnet0 -j libvirt-I-vnet0
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/mac-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/mac-test.fwall
@@ -0,0 +1,12 @@
+#ebtables -t nat -L PREROUTING
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0
+-p ARP -s 1:2:3:4:5:6 -j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0
+-p IPv4 -d aa:bb:cc:dd:ee:ff -j ACCEPT
+-p 0x600 -d aa:bb:cc:dd:ee:ff -j ACCEPT
+-d aa:bb:cc:dd:ee:ff -j ACCEPT
+-p 0xffff -d aa:bb:cc:dd:ee:ff -j ACCEPT
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/ip-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/ip-test.fwall
@@ -0,0 +1,12 @@
+#ebtables -t nat -L PREROUTING
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0
+-p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 10.1.2.3
--ip-proto udp --ip-sport 20:22 --ip-dport 100:101 -j ACCEPT
+-p IPv4 --ip-src 10.1.0.0/17 --ip-dst 10.1.2.0/24 --ip-tos 0x3F --ip-proto udp -j ACCEPT
+-p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.3 -j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0
+-p IPv4 --ip-src 10.1.2.2/31 --ip-dst 10.1.2.0/25 --ip-proto 255 -j ACCEPT
+-p IPv4 --ip-src 10.1.2.3 --ip-dst 10.1.2.2/31 -j ACCEPT
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/ipv6-test.fwall
@@ -0,0 +1,14 @@
+#ebtables -t nat -L PREROUTING
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0
+-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src
::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto
udp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT
+-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst
1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport 100:101
--ip6-dport 20:22 -j ACCEPT
+-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst
1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport 65535 --ip6-dport
255:256 -j ACCEPT
+-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst
1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto mux -j ACCEPT
+#ebtables -t nat -L libvirt-O-vnet0
+-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst
a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport 20:22 --ip6-dport 100:101
-j ACCEPT
+-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst
a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport 255:256 --ip6-dport 65535
-j ACCEPT
+-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst
a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto mux -j ACCEPT
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/sctp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/sctp-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21sctp
spts:100:1111 dpts:20:21
+RETURN sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fsctp
spt:65535 dpts:255:256
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21sctp spts:20:21 dpts:100:1111
+ACCEPT sctp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x3fsctp spts:255:256 dpt:65535
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02
+ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21sctp
spts:100:1111 dpts:20:21
+ACCEPT sctp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fsctp
spt:65535 dpts:255:256
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/tcp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/tcp-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21tcp
spts:100:1111 dpts:20:21
+RETURN tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3ftcp spt:65535
dpts:255:256
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED
+ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21tcp spts:20:21 dpts:100:1111
+ACCEPT tcp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x3ftcp spts:255:256 dpt:65535
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02
+ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21tcp
spts:100:1111 dpts:20:21
+ACCEPT tcp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3ftcp spt:65535
dpts:255:256
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/udp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/udp-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
+RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21udp
spts:100:1111 dpts:20:21
+RETURN udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fudp spt:65535
dpts:255:256
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21udp spts:20:21 dpts:100:1111
+ACCEPT udp -- 10.1.2.3 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x3fudp spts:255:256 dpt:65535
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x21udp
spts:100:1111 dpts:20:21
+ACCEPT udp -- 0.0.0.0/0 10.1.2.3 DSCP match 0x3fudp spt:65535
dpts:255:256
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/tcp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/tcp-ipv6-test.fwall
@@ -0,0 +1,19 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN tcp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
+RETURN tcp ::/0 a:b:c::/128 DSCP match 0x21tcp
spts:100:1111 dpts:20:21
+RETURN tcp ::/0 ::10.1.2.3/128 DSCP match 0x3ftcp spt:65535
dpts:255:256
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state
ESTABLISHED
+ACCEPT tcp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21tcp spts:20:21 dpts:100:1111
+ACCEPT tcp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x3ftcp spts:255:256 dpt:65535
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT tcp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02
+ACCEPT tcp ::/0 a:b:c::/128 DSCP match 0x21tcp
spts:100:1111 dpts:20:21
+ACCEPT tcp ::/0 ::10.1.2.3/128 DSCP match 0x3ftcp spt:65535
dpts:255:256
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/all-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/all-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED
+ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02
+ACCEPT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+ACCEPT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/icmp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/icmp-test.fwall
@@ -0,0 +1,16 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02icmp type 12 code 11 state NEW,ESTABLISHED
+RETURN icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21icmp type 255 code 255
+ACCEPT icmp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02icmp type 12 code 11
+ACCEPT icmp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/igmp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/igmp-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN 2 -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
+RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+RETURN 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT 2 -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED
+ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+ACCEPT 2 -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT 2 -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02
+ACCEPT 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+ACCEPT 2 -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/icmpv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/icmpv6-test.fwall
@@ -0,0 +1,16 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02ipv6-icmp type 12 code 11 state NEW,ESTABLISHED
+RETURN icmpv6 ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmpv6 a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21ipv6-icmp type 255 code 255
+ACCEPT icmpv6 ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmpv6 f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02ipv6-icmp type 12 code 11
+ACCEPT icmpv6 ::/0 ::10.1.2.3/128 DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/udp-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/udp-ipv6-test.xml
@@ -0,0 +1,19 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
+RETURN udp ::/0 ::/0 DSCP match 0x21udp
spts:100:1111 dpts:20:21
+RETURN udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535
dpts:255:256
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state
ESTABLISHED
+ACCEPT udp ::/0 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21udp spts:20:21 dpts:100:1111
+ACCEPT udp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x3fudp spts:255:256 dpt:65535
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02
+ACCEPT udp ::/0 ::/0 DSCP match 0x21udp
spts:100:1111 dpts:20:21
+ACCEPT udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535
dpts:255:256
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/sctp-ipv6-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/sctp-ipv6-test.xml
@@ -0,0 +1,19 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
+RETURN sctp ::/0 a:b:c::/128 DSCP match 0x21sctp
spts:100:1111 dpts:20:21
+RETURN sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp
spt:65535 dpts:255:256
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state
ESTABLISHED
+ACCEPT sctp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21sctp spts:20:21 dpts:100:1111
+ACCEPT sctp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x3fsctp spts:255:256 dpt:65535
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02
+ACCEPT sctp ::/0 a:b:c::/128 DSCP match 0x21sctp
spts:100:1111 dpts:20:21
+ACCEPT sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp
spt:65535 dpts:255:256
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/ah-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/ah-ipv6-test.fwall
@@ -0,0 +1,19 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
+RETURN ah ::/0 a:b:c::/128 DSCP match 0x21
+RETURN ah ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state
ESTABLISHED
+ACCEPT ah a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+ACCEPT ah ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02
+ACCEPT ah ::/0 a:b:c::/128 DSCP match 0x21
+ACCEPT ah ::/0 ::10.1.2.3/128 DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/ah-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/ah-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN ah -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
+RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+RETURN ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED
+ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+ACCEPT ah -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT ah -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02
+ACCEPT ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+ACCEPT ah -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/all-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/all-ipv6-test.fwall
@@ -0,0 +1,19 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
+RETURN all ::/0 a:b:c::/128 DSCP match 0x21
+RETURN all ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state
ESTABLISHED
+ACCEPT all a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+ACCEPT all ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02
+ACCEPT all ::/0 a:b:c::/128 DSCP match 0x21
+ACCEPT all ::/0 ::10.1.2.3/128 DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/esp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/esp-ipv6-test.fwall
@@ -0,0 +1,19 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
+RETURN esp ::/0 a:b:c::/128 DSCP match 0x21
+RETURN esp ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state
ESTABLISHED
+ACCEPT esp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+ACCEPT esp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02
+ACCEPT esp ::/0 a:b:c::/128 DSCP match 0x21
+ACCEPT esp ::/0 ::10.1.2.3/128 DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/esp-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/esp-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN esp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
+RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+RETURN esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED
+ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+ACCEPT esp -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT esp -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02
+ACCEPT esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+ACCEPT esp -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/sctp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/sctp-ipv6-test.fwall
@@ -0,0 +1,19 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
+RETURN sctp ::/0 a:b:c::/128 DSCP match 0x21sctp
spts:100:1111 dpts:20:21
+RETURN sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp
spt:65535 dpts:255:256
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state
ESTABLISHED
+ACCEPT sctp a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21sctp spts:20:21 dpts:100:1111
+ACCEPT sctp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x3fsctp spts:255:256 dpt:65535
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT sctp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02
+ACCEPT sctp ::/0 a:b:c::/128 DSCP match 0x21sctp
spts:100:1111 dpts:20:21
+ACCEPT sctp ::/0 ::10.1.2.3/128 DSCP match 0x3fsctp
spt:65535 dpts:255:256
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/udp-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/udp-ipv6-test.fwall
@@ -0,0 +1,19 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
+RETURN udp ::/0 ::/0 DSCP match 0x21udp
spts:100:1111 dpts:20:21
+RETURN udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535
dpts:255:256
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp a:b:c::d:e:f/128 ::/0 DSCP match 0x02state
ESTABLISHED
+ACCEPT udp ::/0 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21udp spts:20:21 dpts:100:1111
+ACCEPT udp ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x3fudp spts:255:256 dpt:65535
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udp ::/0 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02
+ACCEPT udp ::/0 ::/0 DSCP match 0x21udp
spts:100:1111 dpts:20:21
+ACCEPT udp ::/0 ::10.1.2.3/128 DSCP match 0x3fudp spt:65535
dpts:255:256
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/udplite-ipv6-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/udplite-ipv6-test.fwall
@@ -0,0 +1,19 @@
+#ip6tables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
+RETURN udplite ::/0 a:b:c::/128 DSCP match 0x21
+RETURN udplite ::/0 ::10.1.2.3/128 DSCP match 0x21
+#ip6tables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite a:b:c::d:e:f/128 f:e:d::c:b:a/127 DSCP match 0x02state
ESTABLISHED
+ACCEPT udplite a:b:c::/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+ACCEPT udplite ::10.1.2.3/128 ::/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+#ip6tables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite f:e:d::c:b:a/127 a:b:c::d:e:f/128 MAC 01:02:03:04:05:06 DSCP
match 0x02
+ACCEPT udplite ::/0 a:b:c::/128 DSCP match 0x21
+ACCEPT udplite ::/0 ::10.1.2.3/128 DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2fwallout/udplite-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/udplite-test.fwall
@@ -0,0 +1,19 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN udplite-- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02state NEW,ESTABLISHED
+RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+RETURN udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite-- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state
ESTABLISHED
+ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+ACCEPT udplite-- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP
match 0x21
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT udplite-- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP
match 0x02
+ACCEPT udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+ACCEPT udplite-- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21
+
Index: libvirt-acl/tests/nwfilterxml2xmlin/ipt-no-macspoof-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlin/ipt-no-macspoof-test.xml
@@ -0,0 +1,14 @@
+<filter name='testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='drop' direction='inout'>
+ <!-- should use $MAC for MAC address, but tests would depend on VM's
+ MAC address -->
+ <all match='no' srcmacaddr='12:34:56:78:9a:bc'/>
+ </rule>
+
+ <rule action='drop' direction='in'>
+ <!-- not accepting incoming traffic from a certain MAC address -->
+ <all match='no' srcmacaddr='aa:aa:aa:aa:aa:aa'/>
+ </rule>
+
+</filter>
Index: libvirt-acl/tests/nwfilterxml2xmltest.c
===================================================================
--- libvirt-acl.orig/tests/nwfilterxml2xmltest.c
+++ libvirt-acl/tests/nwfilterxml2xmltest.c
@@ -114,6 +114,10 @@ mymain(int argc, char **argv)
DO_TEST("ref-test");
DO_TEST("ref-rule-test");
+ DO_TEST("ipt-no-macspoof-test");
+ DO_TEST("icmp-direction-test");
+ DO_TEST("icmp-direction2-test");
+ DO_TEST("icmp-direction3-test");
return (ret==0 ? EXIT_SUCCESS : EXIT_FAILURE);
}
Index: libvirt-acl/tests/nwfilterxml2xmlout/ipt-no-macspoof-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlout/ipt-no-macspoof-test.xml
@@ -0,0 +1,9 @@
+<filter name='testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='drop' direction='inout' priority='500'>
+ <all match='no' srcmacaddr='12:34:56:78:9a:bc'/>
+ </rule>
+ <rule action='drop' direction='in' priority='500'>
+ <all match='no' srcmacaddr='aa:aa:aa:aa:aa:aa'/>
+ </rule>
+</filter>
Index: libvirt-acl/tests/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/ipt-no-macspoof-test.fwall
@@ -0,0 +1,12 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+DROP all -- 0.0.0.0/0 0.0.0.0/0 MAC ! 12:34:56:78:9A:BC
+DROP all -- 0.0.0.0/0 0.0.0.0/0 MAC ! AA:AA:AA:AA:AA:AA
+#iptables -L HI-vnet0
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+
Index: libvirt-acl/tests/nwfilterxml2xmlin/icmp-direction-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlin/icmp-direction-test.xml
@@ -0,0 +1,15 @@
+<filter name='testcase'>
+ <uuid>f4b3f745-d23d-2ee6-218a-d5671611229b</uuid>
+ <!-- allow incoming ICMP Echo Reply -->
+ <rule action='accept' direction='in' priority='500'>
+ <icmp type='0'/>
+ </rule>
+ <!-- allow outgoing ICMP Echo Request -->
+ <rule action='accept' direction='out' priority='500'>
+ <icmp type='8'/>
+ </rule>
+ <!-- drop all other ICMP traffic -->
+ <rule action='drop' direction='inout' priority='600'>
+ <icmp/>
+ </rule>
+</filter>
Index: libvirt-acl/tests/nwfilterxml2xmlout/icmp-direction-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlout/icmp-direction-test.xml
@@ -0,0 +1,12 @@
+<filter name='testcase' chain='root'>
+ <uuid>f4b3f745-d23d-2ee6-218a-d5671611229b</uuid>
+ <rule action='accept' direction='in' priority='500'>
+ <icmp type='0'/>
+ </rule>
+ <rule action='accept' direction='out' priority='500'>
+ <icmp type='8'/>
+ </rule>
+ <rule action='drop' direction='inout' priority='600'>
+ <icmp/>
+ </rule>
+</filter>
Index: libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction-test.fwall
@@ -0,0 +1,16 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 state
NEW,ESTABLISHED
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+
Index: libvirt-acl/tests/nwfilterxml2xmlin/icmp-direction2-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlin/icmp-direction2-test.xml
@@ -0,0 +1,15 @@
+<filter name='testcase'>
+ <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+ <!-- allow incoming ICMP Echo Request -->
+ <rule action='accept' direction='in' priority='500'>
+ <icmp type='8'/>
+ </rule>
+ <!-- allow outgoing ICMP Echo Reply -->
+ <rule action='accept' direction='out' priority='500'>
+ <icmp type='0'/>
+ </rule>
+ <!-- drop all other ICMP traffic -->
+ <rule action='drop' direction='inout' priority='600'>
+ <icmp/>
+ </rule>
+</filter>
Index: libvirt-acl/tests/nwfilterxml2xmlout/icmp-direction2-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlout/icmp-direction2-test.xml
@@ -0,0 +1,12 @@
+<filter name='testcase' chain='root'>
+ <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+ <rule action='accept' direction='in' priority='500'>
+ <icmp type='8'/>
+ </rule>
+ <rule action='accept' direction='out' priority='500'>
+ <icmp type='0'/>
+ </rule>
+ <rule action='drop' direction='inout' priority='600'>
+ <icmp/>
+ </rule>
+</filter>
Index: libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction2-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction2-test.fwall
@@ -0,0 +1,16 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0 state
NEW,ESTABLISHED
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
+DROP icmp -- 0.0.0.0/0 0.0.0.0/0
+
Index: libvirt-acl/tests/nwfilterxml2xmlin/icmp-direction3-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlin/icmp-direction3-test.xml
@@ -0,0 +1,10 @@
+<filter name='testcase'>
+ <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+ <rule action='accept' direction='out' priority='500'>
+ <icmp/>
+ </rule>
+ <!-- drop all other traffic -->
+ <rule action='drop' direction='inout' priority='600'>
+ <all/>
+ </rule>
+</filter>
Index: libvirt-acl/tests/nwfilterxml2xmlout/icmp-direction3-test.xml
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2xmlout/icmp-direction3-test.xml
@@ -0,0 +1,9 @@
+<filter name='testcase' chain='root'>
+ <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+ <rule action='accept' direction='out' priority='500'>
+ <icmp/>
+ </rule>
+ <rule action='drop' direction='inout' priority='600'>
+ <all/>
+ </rule>
+</filter>
Index: libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction3-test.fwall
===================================================================
--- /dev/null
+++ libvirt-acl/tests/nwfilterxml2fwallout/icmp-direction3-test.fwall
@@ -0,0 +1,16 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN icmp -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
+DROP all -- 0.0.0.0/0 0.0.0.0/0
+
Index: libvirt-acl/tests/Makefile.am
===================================================================
--- libvirt-acl.orig/tests/Makefile.am
+++ libvirt-acl/tests/Makefile.am
@@ -74,7 +74,9 @@ EXTRA_DIST = \
xml2vmxdata \
nwfilterxml2xmlout \
nwfilterxml2xmlin \
+ nwfilterxml2fwallout \
nwfilterschematest \
+ nwfiltervmtest.sh \
$(patsubst %,qemuhelpdata/%,$(qemuhelpdata))
noinst_PROGRAMS = virshtest conftest \
2:59 p.m.
On 04/07/2010 12:53 PM, Stefan Berger wrote:
+++ libvirt-acl/tests/nwfiltervmtest.sh
@@ -0,0 +1,186 @@
+#!/bin/sh
Not all sh understand...
+function doTest() {
+ local xmlfile="$1"
...local. If this is a bash test, you need to update the #!.
Otherwise, you have to give up on local variables.
+ local fwallfile="$2"
+ local ifname="$3"
+ local cmd line tmpfile tmpfile2
+ local linenums ctr=0
+ local regex="s/${ORIG_IFNAME}/${ifname}/g"
+
+ if [ ! -r "${xmlfile}" ]; then
+ echo "FAIL : Cannot access filter XML file ${xmlfile}."
+ return 1
+ fi
+
+ tmpfile=`mktemp`
+ tmpfile2=`mktemp`
Not all systems have mktemp; is it worth adding fallback code in that case?
+
+ ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null
+
+ exec 4<&0
+
+ exec < ${fwallfile}
+
+ read line
+ while [ ! -z "${line}" ]; do
Depending on the content of line, this is unsafe in some implementations
of test(1). Better would be:
while [ "x$line" != x ]; do
+ cmd=`echo ${line##\#} | sed ${regex}`
Another bash-ism, that would need a rewrite if you want to be portable
to generic sh. Or we decide to change the #!, and be done with the issue.
+
+ exec ${cmd} | grep -v "^Bridge" | grep -v "^$" > ${tmpfile}
+
+ rm ${tmpfile2}
+ touch ${tmpfile2}
+
+ while [ 1 ]; do
I think that looks better as:
while :; do
+ read
+
+ line="${REPLY}"
+
+ if [ "${line:0:1}" == "#" -o -z "${line}" ]; then
More bash-isms. And [ cond1 -o cond2 ] ought to fail 'make
syntax-check' (if it didn't, then our syntax check regex is a bit
suspect). Of course, if you assume bash, then it is portable, but if
you are portable to any sh, this needs to use [ cond1 ] || [ cond2 ]
+
+ diff ${tmpfile} ${tmpfile2} > /dev/null
+
+ if [ $? -ne 0 ]; then
+ echo "FAIL ${xmlfile} : ${cmd}"
+ diff ${tmpfile} ${tmpfile2}
+ else
+ echo "PASS ${xmlfile} : ${cmd}"
+ fi
+
+ break;
+
+ fi
+ echo "${line}" | sed ${regex} >> ${tmpfile2}
+ done
+ done
+
+ exec 0<&4
+ exec 4<&-
+
+ rm -rf "${tmpfile}" "${tmpfile2}"
+}
+
+
+function runTests() {
+ local ifname="$1"
+ local xmldir="$2"
+ local fwalldir="$3"
+ local fwallfiles f
+
+ pushd ${PWD} > /dev/null
+ cd ${fwalldir}
+ fwallfiles=`ls *.fwall`
+ popd > /dev/null
pushd/popd is another bash-ism.
+
+ for fil in ${fwallfiles}; do
+ f=${fil%%.fwall}
Another bash-ism.
+ doTest "${xmldir}/${f}.xml"
"${fwalldir}/${fil}" "${ifname}"
+ done
+}
+
+
+function checkVM() {
+ local vmname="$1"
+ local ifname="$2"
+ local nwfilter="$3"
+ local f i c
+
+ c=`virsh dumpxml ${vmname} | grep -c "<interface"`
+ if [ ${c} -ne 1 ]; then
+ echo "VM '${vmname}' has multiple interfaces. I cannot tell for sure
"
+ echo "whether this VM has the correct interface name '${ifname}' and
"
+ echo "reference the filter '${nwfilter}'. Cowardly skipping this
VM..."
+ return 1
+ fi
+
+ f=`${VIRSH} dumpxml ${vmname} | \
+ tr -d "\n" | \
+ sed "s/.*filterref filter='\([a-zA-Z0-9_]\+\)'.*/\1/"`
That would fail on Solaris sed, where sed requires that a trailing
newline be present in the input. Plus, "\n" is not necessarily portable
shell (it is unclear whether the \ would be literally preserved). I
would have used:
{ $VIRSH dumpxml $vmname | tr -d '\n'; echo; } | \
sed ...
+ i=`${VIRSH} dumpxml ${vmname} | \
+ tr -d "\n" | \
+ sed "s/.*\<interface.*target
dev='\([a-zA-Z0-9_]\+\)'.*<\/interface>.*/\1/"`
+
+ if [ "${i}" == "${ifname}" -a "${f}" ==
"${nwfilter}" ]; then
Another abuse of [ -a ] that 'make syntax-check' should have caught.
+ return 0
+ fi
+
+ return 1
+}
+
+
+function main() {
+ local prgname="$0"
Some shells corrupt $0 in the context of shell functions.
+ local ifname="${ORIG_IFNAME}"
+ local xmldir="nwfilterxml2xmlin"
+ local fwalldir="nwfilterxml2fwallout"
+ local found=0 vms
+ local filtername="testcase"
+
+ while [ $# -ne 0 ]; do
+ case "$1" in
+ --help|-h|-\?) usage ${prgname}; exit 0;;
+ --ifname|-i) shift 1; ifname="$1";;
+ *) usage ${prgname}; exit 1;;
+ esac
+ shift 1
+ done
+
+ vms=`${VIRSH} list | grep running | gawk '{print $2}'`
+ if [ -z ${vms} ]; then
+ echo "Error: Need a running VM."
+ exit 1;
+ fi
+
+ for vm in ${vms}; do
+ checkVM "${vm}" "${ifname}" "${filtername}"
+ if [ $? -eq 0 ]; then
+ found=1;
+ break;
+ fi
+ done
+
+ if [ ${found} -eq 0 ]; then
+ echo "Error: Suitable VM seems not to be running. Check the help screen";
+ echo "to (--help) to read about requirements to the running VM.";
+ exit 1;
+ fi
+
+ runTests "${ifname}" "${xmldir}" "${fwalldir}"
+}
+
+main $*
Would that be safer as:
main "$@"
My review stops here - shell is my area of expertise, but my Linux
network filtering knowledge is sparse.
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
4:02 p.m.
Eric Blake <eblake(a)redhat.com> wrote on 04/07/2010 03:59:55 PM:
I'll make it a bash-only script.
On 04/07/2010 12:53 PM, Stefan Berger wrote:
> +++ libvirt-acl/tests/nwfiltervmtest.sh
> @@ -0,0 +1,186 @@
> +#!/bin/sh
Not all sh understand...
> +function doTest() {
> + local xmlfile="$1"
...local. If this is a bash test, you need to update the #!.
Otherwise, you have to give up on local variables.
I'll change this to be a bash script. No point in making the test program
portable across shells.
> + local fwallfile="$2"
> + local ifname="$3"
> + local cmd line tmpfile tmpfile2
> + local linenums ctr=0
> + local regex="s/${ORIG_IFNAME}/${ifname}/g"
> +
> + if [ ! -r "${xmlfile}" ]; then
> + echo "FAIL : Cannot access filter XML file ${xmlfile}."
> + return 1
> + fi
> +
> + tmpfile=`mktemp`
> + tmpfile2=`mktemp`
Not all systems have mktemp; is it worth adding fallback code in that
case?
Hm, two hardcoded files like '/tmp/nwfiltervmtest1' and
'/tmp/nwfiltervmtest2' could actually be a replacement, no?
> +
> + ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null
> +
> + exec 4<&0
> +
> + exec < ${fwallfile}
> +
> + read line
> + while [ ! -z "${line}" ]; do
Depending on the content of line, this is unsafe in some implementations
of test(1). Better would be:
while [ "x$line" != x ]; do
Ok, I'll change that.
> + cmd=`echo ${line##\#} | sed ${regex}`
Another bash-ism, that would need a rewrite if you want to be portable
to generic sh. Or we decide to change the #!, and be done with the
issue.
> +
> + exec ${cmd} | grep -v "^Bridge" | grep -v "^$" >
${tmpfile}
> +
> + rm ${tmpfile2}
> + touch ${tmpfile2}
> +
> + while [ 1 ]; do
I think that looks better as:
while :; do
hurts my eyes :-)
> + read
> +
> + line="${REPLY}"
> +
> + if [ "${line:0:1}" == "#" -o -z "${line}" ];
then
More bash-isms. And [ cond1 -o cond2 ] ought to fail 'make
syntax-check' (if it didn't, then our syntax check regex is a bit
suspect). Of course, if you assume bash, then it is portable, but if
you are portable to any sh, this needs to use [ cond1 ] || [ cond2 ]
Ok, will fix that anyway.
> +
> + diff ${tmpfile} ${tmpfile2} > /dev/null
> +
> + if [ $? -ne 0 ]; then
> + echo "FAIL ${xmlfile} : ${cmd}"
> + diff ${tmpfile} ${tmpfile2}
> + else
> + echo "PASS ${xmlfile} : ${cmd}"
> + fi
> +
> + break;
> +
> + fi
> + echo "${line}" | sed ${regex} >> ${tmpfile2}
> + done
> + done
> +
> + exec 0<&4
> + exec 4<&-
> +
> + rm -rf "${tmpfile}" "${tmpfile2}"
> +}
> +
> +
> +function runTests() {
> + local ifname="$1"
> + local xmldir="$2"
> + local fwalldir="$3"
> + local fwallfiles f
> +
> + pushd ${PWD} > /dev/null
> + cd ${fwalldir}
> + fwallfiles=`ls *.fwall`
> + popd > /dev/null
pushd/popd is another bash-ism.
> +
> + for fil in ${fwallfiles}; do
> + f=${fil%%.fwall}
Another bash-ism.
> + doTest "${xmldir}/${f}.xml" "${fwalldir}/${fil}"
"${ifname}"
> + done
> +}
> +
> +
> +function checkVM() {
> + local vmname="$1"
> + local ifname="$2"
> + local nwfilter="$3"
> + local f i c
> +
> + c=`virsh dumpxml ${vmname} | grep -c "<interface"`
> + if [ ${c} -ne 1 ]; then
> + echo "VM '${vmname}' has multiple interfaces. I cannot tell for
sure "
> + echo "whether this VM has the correct interface name
'${ifname}'
and "
> + echo "reference the filter '${nwfilter}'.
Cowardly skipping this
VM..."
> + return 1
> + fi
> +
> + f=`${VIRSH} dumpxml ${vmname} | \
> + tr -d "\n" | \
> + sed "s/.*filterref filter='\([a-zA-Z0-9_]\+\)'.*/\1/"`
That would fail on Solaris sed, where sed requires that a trailing
newline be present in the input. Plus, "\n" is not necessarily portable
shell (it is unclear whether the \ would be literally preserved). I
would have used:
{ $VIRSH dumpxml $vmname | tr -d '\n'; echo; } | \
sed ...
Good to know... will change even though the tests would not succeed on
Solaris.
I'll do a check using 'uname' to fail early on anything else than
'Linux'.
> + i=`${VIRSH} dumpxml ${vmname} | \
> + tr -d "\n" | \
> + sed "s/.*\<interface.*target dev='\([a-zA-Z0-9_]\+\)'.*<\/
interface>.*/\1/"`
> +
> + if [ "${i}" == "${ifname}" -a "${f}" ==
"${nwfilter}" ]; then
Another abuse of [ -a ] that 'make syntax-check' should have caught.
I doesn't.
> + return 0
> + fi
> +
> + return 1
> +}
> +
> +
> +function main() {
> + local prgname="$0"
Some shells corrupt $0 in the context of shell functions.
Will change to bash, which will hopefully solve this issue.
> + local ifname="${ORIG_IFNAME}"
> + local xmldir="nwfilterxml2xmlin"
> + local fwalldir="nwfilterxml2fwallout"
> + local found=0 vms
> + local filtername="testcase"
> +
> + while [ $# -ne 0 ]; do
> + case "$1" in
> + --help|-h|-\?) usage ${prgname}; exit 0;;
> + --ifname|-i) shift 1; ifname="$1";;
> + *) usage ${prgname}; exit 1;;
> + esac
> + shift 1
> + done
> +
> + vms=`${VIRSH} list | grep running | gawk '{print $2}'`
> + if [ -z ${vms} ]; then
> + echo "Error: Need a running VM."
> + exit 1;
> + fi
> +
> + for vm in ${vms}; do
> + checkVM "${vm}" "${ifname}" "${filtername}"
> + if [ $? -eq 0 ]; then
> + found=1;
> + break;
> + fi
> + done
> +
> + if [ ${found} -eq 0 ]; then
> + echo "Error: Suitable VM seems not to be running. Check the
help screen";
> + echo "to (--help) to read about requirements to the running VM.";
> + exit 1;
> + fi
> +
> + runTests "${ifname}" "${xmldir}" "${fwalldir}"
> +}
> +
> +main $*
Would that be safer as:
main "$@"
My review stops here - shell is my area of expertise, but my Linux
network filtering knowledge is sparse.
Ok. Thanks for the review. Will adapt and re-post.
Stefan
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
[attachment "signature.asc" deleted by Stefan Berger/Watson/IBM]
4:15 p.m.
On 04/07/2010 03:02 PM, Stefan Berger wrote:
> If this is a bash test, you need to update the #!.
> Otherwise, you have to give up on local variables.
I'll change this to be a bash script. No point in making the test program
portable across shells.
>> + tmpfile=`mktemp`
>> + tmpfile2=`mktemp`
>
> Not all systems have mktemp; is it worth adding fallback code in that
case?
Hm, two hardcoded files like '/tmp/nwfiltervmtest1' and
'/tmp/nwfiltervmtest2' could actually be a replacement, no?
Yeah, but names that obvious are prone to DoS attacks. If you are
assuming bash, you can at least use $RANDOM to get past the worst of the
security hole in being that blatant. Or, as long as we are assuming
bash and linux, you could just skip the test if mktemp doesn't exist.
>> + while [ ! -z "${line}" ]; do
>
> Depending on the content of line, this is unsafe in some implementations
> of test(1). Better would be:
>
> while [ "x$line" != x ]; do
>
Ok, I'll change that.
No need - if you change this to be #!/bin/bash, then you are guaranteed
that [ ! -z "${line}" ] does the right thing, for all $line.
>> + while [ 1 ]; do
>
> I think that looks better as:
>
> while :; do
hurts my eyes :-)
They are equivalent, so I don't care (I'm just used to writing shell
script in as few characters as possible, such as a=$b rather than
a="${b}", both of which are semantically equivalent but one is 4 bytes
longer to type).
>> + f=`${VIRSH} dumpxml ${vmname} | \
>> + tr -d "\n" | \
>> + sed "s/.*filterref filter='\([a-zA-Z0-9_]\+\)'.*/\1/"`
>
> That would fail on Solaris sed, where sed requires that a trailing
> newline be present in the input. Plus, "\n" is not necessarily portable
> shell (it is unclear whether the \ would be literally preserved). I
> would have used:
>
> { $VIRSH dumpxml $vmname | tr -d '\n'; echo; } | \
> sed ...
Good to know... will change even though the tests would not succeed on
Solaris.
I'll do a check using 'uname' to fail early on anything else than
'Linux'.
Once you've gone so far as to assume Linux, you can get away with a lot
of other assumptions (sed is decent, /bin/bash exists, ...). Then
again, I know that busybox prides itself on minimalistic POSIX
compliance, so it may be that busybox sed behaves like Solaris sed in
requiring text files (I don't know that for sure, though, as I seldom
target busybox).
>
>> + i=`${VIRSH} dumpxml ${vmname} | \
>> + tr -d "\n" | \
>> + sed "s/.*\<interface.*target
dev='\([a-zA-Z0-9_]\+\)'.*<\/
> interface>.*/\1/"`
>> +
>> + if [ "${i}" == "${ifname}" -a "${f}" ==
"${nwfilter}" ]; then
>
> Another abuse of [ -a ] that 'make syntax-check' should have caught.
I doesn't.
Huh. I guess I'll have to look into that.
>> +function main() {
>> + local prgname="$0"
>
> Some shells corrupt $0 in the context of shell functions.
Will change to bash, which will hopefully solve this issue.
Yeah, bash is immune to this particular problem. IIRC, it was zsh and
some proprietary /bin/sh.
> My review stops here - shell is my area of expertise, but my
Linux
> network filtering knowledge is sparse.
Ok. Thanks for the review. Will adapt and re-post.
Well, one of the joys of open source is that you can have multiple
reviewers, each with different angles of expertise, with a cumulative
review better than any one person could give.
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
6:46 p.m.
Eric Blake <eblake(a)redhat.com> wrote on 04/07/2010 05:15:12 PM:
On 04/07/2010 03:02 PM, Stefan Berger wrote:
>> If this is a bash test, you need to update the #!.
>> Otherwise, you have to give up on local variables.
>
> I'll change this to be a bash script. No point in making the test
program
> portable across shells.
>
>>> + tmpfile=`mktemp`
>>> + tmpfile2=`mktemp`
>>
>> Not all systems have mktemp; is it worth adding fallback code in that
> case?
>
> Hm, two hardcoded files like '/tmp/nwfiltervmtest1' and
> '/tmp/nwfiltervmtest2' could actually be a replacement, no?
Yeah, but names that obvious are prone to DoS attacks. If you are
assuming bash, you can at least use $RANDOM to get past the worst of the
security hole in being that blatant. Or, as long as we are assuming
bash and linux, you could just skip the test if mktemp doesn't exist.
Alright, alright. I'll write a function that simulates mktemp if not
available using the ${RANDOM} suffix.
Though I hope nobody will DoS attack this test suite program :-)
>> My review stops here - shell is my area of expertise, but my Linux
>> network filtering knowledge is sparse.
>
> Ok. Thanks for the review. Will adapt and re-post.
Well, one of the joys of open source is that you can have multiple
reviewers, each with different angles of expertise, with a cumulative
review better than any one person could give.
Yeah, definitely a good thing.
Stefan
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
[attachment "signature.asc" deleted by Stefan Berger/Watson/IBM]
3:23 a.m.
On Wed, Apr 07, 2010 at 02:53:28PM -0400, Stefan Berger wrote:
This patch adds new test cases to the existing nwfilter test program
and
adds a test script that must be run while a VM is running. This test
script verifies that input network filter XML creates expected
user-defined tables and rules on ebtables, iptables & ip6tables layer
and verifies their content against expected content. The idea is that
these tools always return exactly the same output when displaying the
content of a user-defined table so that the diff tool can be used for
simple text comparison. All supported protocols have at least one test
case.
This test program is not run automatically since it requires a running
VM.
I think this test should really be part of the libvirt-TCK, since that
provides you the framework for running real VMs & interacting with the
host OS.
The tests in libvirt/tests should all be unit tests which don't interact
with the host system state
Regards,
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
5342
days inactive
5343
days old
5 comments
3 participants
participants (3)
-
Daniel P. Berrange -
Eric Blake -
Stefan Berger