[libvirt] [PATCH 2/2] [TCK] nwfilter: Add test cases for ipset

Monday, 23 April 2012

Add test cases for the ipset extension.

Since ipset may not be available on all system, the first line of the XML
file containing the test filter has been extended with a specially formatted
XML comment containing a command line test for whether the test case can be
run at all. The format of that line is:



If the tests in this line don't succeed, the test case is skipped.

Also add a test case cleaning up the created ipset. Run this test after all
other tests using alphabetical ordering.

---
 scripts/nwfilter/nwfilter2vmtest.sh                           |   36 +++++++--
 scripts/nwfilter/nwfilterxml2fwallout/ipset-test.fwall        |   39 ++++++++++
 scripts/nwfilter/nwfilterxml2fwallout/zzz-ipset-cleanup.fwall |    1 
 scripts/nwfilter/nwfilterxml2xmlin/ipset-test.xml             |   25 ++++++
 scripts/nwfilter/nwfilterxml2xmlin/zzz-ipset-cleanup.xml      |    5 +
 5 files changed, 99 insertions(+), 7 deletions(-)

Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipset-test.xml
===================================================================

--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipset-test.xml
@@ -0,0 +1,25 @@
+<!-- #ipset help && iptables -t match-set -h && ipset list tck_test ||
ipset create tck_test hash:ip# -->
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <all  ipset='tck_test' ipsetflags='src,dst' />
+  </rule>
+  <rule action='accept' direction='in'>
+     <all  state='NONE' ipset='tck_test' ipsetflags='src,dst'
comment='in+NONE'/>
+  </rule>
+  <rule action='accept' direction='out'>
+     <all  state='NONE' ipset='tck_test' ipsetflags='src,dst'
comment='out+NONE'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <all  ipset='tck_test' ipsetflags='SRC,DST,SRC' />
+  </rule>
+  <rule action='accept' direction='in'>
+     <all  ipset='tck_test' ipsetflags='SRC,dSt,SRC' />
+  </rule>
+  <rule action='accept' direction='in'>
+     <all  ipset='$IPSETNAME' ipsetflags='src,dst' />
+  </rule>
+  <rule action='accept' direction='inout'>
+     <all  ipset='$IPSETNAME' ipsetflags='src,dst'
comment='inout'/>
+  </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilter2vmtest.sh
+++ libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
@@ -107,6 +107,7 @@ checkExpectedOutput() {
   ifname="$3"
   flags="$4"
   skipregex="$5"
+  skiptest="$6"
   regex="s/${ORIG_IFNAME}/${ifname}/g"
 
   tmpdir=$(mktmpdir)
@@ -147,6 +148,18 @@ checkExpectedOutput() {
 	  break
 	fi
 
+	if [ -n "${skiptest}" ]; then
+	  # treat all skips as passes
+          passctr=$(($passctr + 1))
+          [ $(($flags & $FLAG_VERBOSE)) -ne 0 ] && \
+              echo "SKIP ${xmlfile} : ${cmd}"
+          [ $(($flags & $FLAG_LIBVIRT_TEST)) -ne 0 ] && \
+              test_result $(($passctr + $failctr)) "" 0
+          [ $(($flags & $FLAG_TAP_TEST)) -ne 0 ] && \
+              tap_pass $(($passctr + $failctr)) "SKIP: ${xmlfile} :
${skiptest}"
+          break
+	fi
+
         diff -w ${tmpfile} ${tmpfile2} >/dev/null
 
         if [ $? -ne 0 ]; then
@@ -197,19 +210,27 @@ doTest() {
   flags="$5"
   testnum="$6"
   ctr=0
+  skiptest=""
 
   if [ ! -r "${xmlfile}" ]; then
     echo "FAIL : Cannot access filter XML file ${xmlfile}."
     return 1
   fi
 
-  ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null
+  # Check whether we can run this test at all
+  cmd=`sed -n '1,1 s/^<\!--[ ^I]*#\(.*\)#[ ^I]*-->/\1/p' ${xmlfile}`
+  if [ -n "${cmd}" ]; then
+    eval "${cmd}" 2>&1 1>/dev/null
+    [ $? -ne 0 ] && skiptest="${cmd}"
+  fi
+
+  [ -z "${skiptest}" ] && ${VIRSH} nwfilter-define
"${xmlfile}" > /dev/null
 
   checkExpectedOutput "${xmlfile}" "${fwallfile}"
"${vm1name}" "${flags}" \
-  	""
+  	"" "${skiptest}"
 
   checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \
-  	"${vm2name}" "${flags}" ""
+  	"${vm2name}" "${flags}" "" "${skiptest}"
 
   if [ $(($flags & $FLAG_ATTACH)) -ne 0 ]; then
 
@@ -234,9 +255,9 @@ EOF
 
     if [ $rc -eq 0 ]; then
       checkExpectedOutput "${xmlfile}" "${fwallfile}"
"${ATTACH_IFNAME}" \
-        "${flags}" "(PRE|POST)ROUTING"
+        "${flags}" "(PRE|POST)ROUTING" "${skiptest}"
       checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}"
\
-        "${vm2name}" "${flags}" "(PRE|POST)ROUTING"
+        "${vm2name}" "${flags}" "(PRE|POST)ROUTING"
"${skiptest}"
       msg=`${VIRSH} detach-device "${vm1name}" "${tmpfile}"`
       if [ $? -ne 0 ]; then
         echo "FAIL: Detach of interface failed."
@@ -246,9 +267,9 @@ EOF
         # In case of TAP, run the test anyway so we get to the full number
         # of tests
         checkExpectedOutput "${xmlfile}" "${fwallfile}"
"${ATTACH_IFNAME}" \
-          "${flags}" "" #"(PRE|POST)ROUTING"
+          "${flags}" "" "${skiptest}"
#"(PRE|POST)ROUTING"
         checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}"
\
-          "${vm2name}" "${flags}" #"(PRE|POST)ROUTING"
+          "${vm2name}" "${flags}" "${skiptest}"
#"(PRE|POST)ROUTING"
       fi
 
       attachfailctr=$(($attachfailctr + 1))
@@ -357,6 +378,7 @@ createVM() {
           <parameter name='C' value='1090'/>
           <parameter name='C' value='1100'/>
           <parameter name='C' value='1110'/>
+          <parameter name='IPSETNAME' value='tck_test'/>
         </filterref>
         <target dev='${vmname}'/>
       </interface>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipset-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipset-test.fwall
@@ -0,0 +1,39 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED ctdir
REPLY match-set tck_test src,dst
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            match-set tck_test src,dst
/* out+NONE */
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state ESTABLISHED ctdir
ORIGINAL match-set tck_test dst,src,dst
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state ESTABLISHED ctdir
ORIGINAL match-set tck_test dst,src,dst
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state ESTABLISHED ctdir
ORIGINAL match-set tck_test dst,src
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            match-set tck_test dst,src
/* inout */
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state ESTABLISHED ctdir
ORIGINAL match-set tck_test dst,src
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            match-set tck_test src,dst
/* in+NONE */
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED ctdir
REPLY match-set tck_test src,dst,src
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED ctdir
REPLY match-set tck_test src,dst,src
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED ctdir
REPLY match-set tck_test src,dst
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            match-set tck_test src,dst
/* inout */
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,ESTABLISHED ctdir
REPLY match-set tck_test src,dst
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            match-set tck_test src,dst
/* out+NONE */
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state ESTABLISHED ctdir
ORIGINAL match-set tck_test dst,src,dst
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state ESTABLISHED ctdir
ORIGINAL match-set tck_test dst,src,dst
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state ESTABLISHED ctdir
ORIGINAL match-set tck_test dst,src
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            match-set tck_test dst,src
/* inout */
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in
vnet0 
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 
+#ebtables -t nat -L libvirt-O-vnet0 2>/dev/null | grep -v "table:" | grep -v
"^$"
+#ebtables -t nat -L libvirt-I-vnet0 2>/dev/null | grep -v "table:" | grep -v
"^$"
+#ebtables -t nat -L PREROUTING | grep vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/zzz-ipset-cleanup.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/zzz-ipset-cleanup.fwall
@@ -0,0 +1 @@
+#ipset destroy tck_test 2>&1 1>/dev/null
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/zzz-ipset-cleanup.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/zzz-ipset-cleanup.xml
@@ -0,0 +1,5 @@
+<!-- #ipset help && iptables -t match-set -h# -->
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <!-- used only to cleanup ipset -->
+</filter>


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[libvirt] [PATCH 2/2] [TCK] nwfilter: Add test cases for ipset