This patch adds test cases for the reject, drop and accept targets.
Signed-off-by: Stefan Berger <stefanb(a)linux.vnet.ibm.com>
---
scripts/nwfilter/nwfilterxml2fwallout/target-test.fwall | 61
++++++++++++++
scripts/nwfilter/nwfilterxml2xmlin/target-test.xml | 66
++++++++++++++++
scripts/nwfilter/nwfilterxml2xmlin/target-test2.xml | 18 ++++
3 files changed, 145 insertions(+)
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/target-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/target-test.xml
@@ -0,0 +1,66 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2' comment='accept rule -- dir out'/>
+ </rule>
+ <rule action='drop' direction='out'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2' comment='drop rule -- dir out'/>
+ </rule>
+ <rule action='reject' direction='out'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2' comment='reject rule -- dir out'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' comment='accept rule -- dir in'/>
+ </rule>
+ <rule action='drop' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' comment='drop rule -- dir in'/>
+ </rule>
+ <rule action='reject' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' comment='reject rule -- dir in'/>
+ </rule>
+ <rule action='accept' direction='inout'>
+ <all comment='accept rule -- dir inout'/>
+ </rule>
+ <rule action='drop' direction='in'>
+ <all comment='drop rule -- dir inout'/>
+ </rule>
+ <rule action='reject' direction='in'>
+ <all comment='reject rule -- dir inout'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='drop' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='reject' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff'
dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='ipv4'/>
+ </rule>
+ <rule action='drop' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff'
dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='ipv4'/>
+ </rule>
+ <rule action='reject' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff'
dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='ipv4'/>
+ </rule>
+</filter>
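Review bot: The rules at L50 and L53 carry `direction='in'` while their comment attributes read "drop rule -- dir inout" and "reject rule -- dir inout", so only the accept rule at L47 actually exercises the inout direction for drop and reject. Either the direction should be `direction='inout'` to match the comment and the accept case, or the comments should say "dir in"; as written, a regression in inout handling of drop/reject would not be caught by this case. Since target-test.fwall was presumably generated from this XML, changing the direction may require regenerating the expected output. The `<mac>` rules at L56–L82 also have no `comment` attribute, unlike the `<all>` rules above them; that is consistent with the ebtables expectations carrying no comment text, so it is a minor consistency point only.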
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/target-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/target-test.fwall
@@ -0,0 +1,61 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY/*
accept rule -- dir out */
+DROP all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02/* drop rule -- dir out */
+REJECT all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02/* reject rule -- dir out */
reject-with icmp-port-unreachable
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL/* accept rule -- dir in */
+DROP all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21/* drop rule -- dir in */
+REJECT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21/* reject rule -- dir in */ reject-with icmp-port-unreachable
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* accept
rule -- dir inout */
+DROP all -- 0.0.0.0/0 0.0.0.0/0 /* drop
rule -- dir inout */
+REJECT all -- 0.0.0.0/0 0.0.0.0/0 /* reject
rule -- dir inout */ reject-with icmp-port-unreachable
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02state ESTABLISHED ctdir ORIGINAL/* accept rule -- dir out */
+DROP all -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02/* drop rule -- dir out */
+REJECT all -- 10.1.2.3 0.0.0.0/0 DSCP match
0x02/* reject rule -- dir out */ reject-with icmp-port-unreachable
+ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY/*
accept rule -- dir in */
+DROP all -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21/* drop rule -- dir in */
+REJECT all -- 10.1.0.0/22 0.0.0.0/0 MAC
01:02:03:04:05:06 DSCP match 0x21/* reject rule -- dir in */ reject-with
icmp-port-unreachable
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* accept
rule -- dir inout */
+DROP all -- 0.0.0.0/0 0.0.0.0/0 /* drop
rule -- dir inout */
+REJECT all -- 0.0.0.0/0 0.0.0.0/0 /* reject
rule -- dir inout */ reject-with icmp-port-unreachable
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+RETURN all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY/*
accept rule -- dir out */
+DROP all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02/* drop rule -- dir out */
+REJECT all -- 0.0.0.0/0 10.1.2.3 MAC
01:02:03:04:05:06 DSCP match 0x02/* reject rule -- dir out */
reject-with icmp-port-unreachable
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21state ESTABLISHED ctdir ORIGINAL/* accept rule -- dir in */
+DROP all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21/* drop rule -- dir in */
+REJECT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match
0x21/* reject rule -- dir in */ reject-with icmp-port-unreachable
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* accept
rule -- dir inout */
+DROP all -- 0.0.0.0/0 0.0.0.0/0 /* drop
rule -- dir inout */
+REJECT all -- 0.0.0.0/0 0.0.0.0/0 /* reject
rule -- dir inout */ reject-with icmp-port-unreachable
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0
+#iptables -L FORWARD --line-number | grep libvirt
+1 libvirt-in all -- anywhere anywhere
+2 libvirt-out all -- anywhere anywhere
+3 libvirt-in-post all -- anywhere
anywhere
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v
"^$"
+-p ARP -s 1:2:3:4:5:6 -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 -j DROP
+-p ARP -s 1:2:3:4:5:6 -j DROP
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v
"^$"
+-p IPv4 -d aa:bb:cc:dd:ee:ff -j ACCEPT
+-p IPv4 -d aa:bb:cc:dd:ee:ff -j DROP
+-p IPv4 -d aa:bb:cc:dd:ee:ff -j DROP
+
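Review bot: The ebtables expectations at L185–L186 and L190–L191 are identical for the drop and reject rules (`-j DROP` for both), so the layer-2 half of this test cannot distinguish a reject from a drop; presumably that is because ebtables has no REJECT target and reject is downgraded to DROP there, but nothing in the patch records that. A one-line remark in the commit message, e.g. `For <mac> rules 'reject' is expected to produce an ebtables DROP, since ebtables has no REJECT target`, would stop a future reader from "fixing" the expected output. The trailing empty line at L192 is part of the expected file; if the harness compares output byte-for-byte, confirm that it is intended.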
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/target-test2.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/target-test2.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='in'>
+ <tcp dstportstart='22' state='NONE'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <tcp srcportstart='22' state='NONE'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp dstportstart='80'/>
+ </rule>
+ <rule action='reject' direction='inout'>
+ <tcp/>
+ </rule>
+ <rule action='drop' direction='inout'>
+ <all/>
+ </rule>
+</filter>
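Review bot: target-test2.xml has no matching expected-output file — the diffstat at L4–L9 lists only target-test.fwall — so, if the nwfilterxml2fwallout harness requires a `.fwall` for each input, this second case either cannot run or has nothing to compare against. Adding `scripts/nwfilter/nwfilterxml2fwallout/target-test2.fwall`, or explaining in the commit message why it is not needed, would close that gap. Note also that the `<uuid>` at L199 is the same as in target-test.xml at L16; that is harmless if the harness defines one filter at a time, but two filters sharing the same name and UUID would collide if both were ever loaded together.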