
Add test cases for ipset support. Since ipset may not be available on all system, the first line of the XML file containing the test filter has been extended with a specially formatted XML comment containing a command line test for whether the test case can be run at all. The format of that line is: <!-- #<command line test># --> If the tests in this line don't succeed, the test case is skipped. Also add a test case cleaning up the created ipset. Run this test after all other tests using alphabetical ordering. --- v2: - addressed Eric Blake's comments --- scripts/nwfilter/nwfilter2vmtest.sh | 36 +++++++-- scripts/nwfilter/nwfilterxml2fwallout/ipset-test.fwall | 39 ++++++++++ scripts/nwfilter/nwfilterxml2fwallout/zzz-ipset-cleanup.fwall | 1 scripts/nwfilter/nwfilterxml2xmlin/ipset-test.xml | 25 ++++++ scripts/nwfilter/nwfilterxml2xmlin/zzz-ipset-cleanup.xml | 5 + 5 files changed, 99 insertions(+), 7 deletions(-) Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipset-test.xml =================================================================== --- /dev/null +++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipset-test.xml 
@@ -0,0 +1,25 @@ +<!-- #ipset help && iptables -t match-set -h && ipset list tck_test || ipset create tck_test hash:ip# --> +<filter name='tck-testcase' chain='root'> + <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid> + <rule action='accept' direction='out'> + <all ipset='tck_test' ipsetflags='src,dst' /> + </rule> + <rule action='accept' direction='in'> + <all state='NONE' ipset='tck_test' ipsetflags='src,dst' comment='in+NONE'/> + </rule> + <rule action='accept' direction='out'> + <all state='NONE' ipset='tck_test' ipsetflags='src,dst' comment='out+NONE'/> + </rule> + <rule action='accept' direction='in'> + <all ipset='tck_test' ipsetflags='SRC,DST,SRC' /> + </rule> + <rule action='accept' direction='in'> + <all ipset='tck_test' ipsetflags='SRC,dSt,SRC' /> + </rule> + <rule action='accept' direction='in'> + <all ipset='$IPSETNAME' ipsetflags='src,dst' /> + </rule> + <rule action='accept' direction='inout'> + <all ipset='$IPSETNAME' ipsetflags='src,dst' comment='inout'/> + </rule> +</filter> Index: libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilter2vmtest.sh +++ libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh @@ -107,6 +107,7 @@ checkExpectedOutput() { ifname="$3" flags="$4" skipregex="$5" + skiptest="$6" regex="s/${ORIG_IFNAME}/${ifname}/g" tmpdir=$(mktmpdir) @@ -147,6 +148,18 @@ checkExpectedOutput() { break fi + if [ -n "${skiptest}" ]; then + # treat all skips as passes + passctr=$(($passctr + 1)) + [ $(($flags & $FLAG_VERBOSE)) -ne 0 ] && \ + echo "SKIP ${xmlfile} : ${cmd}" + [ $(($flags & $FLAG_LIBVIRT_TEST)) -ne 0 ] && \ + test_result $(($passctr + $failctr)) "" 0 + [ $(($flags & $FLAG_TAP_TEST)) -ne 0 ] && \ + tap_pass $(($passctr + $failctr)) "SKIP: ${xmlfile} : ${skiptest}" + break + fi + diff -w ${tmpfile} ${tmpfile2} >/dev/null if [ $? -ne 0 ]; then 
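Review bot: The precondition on the first added line of ipset-test.xml does not group the way it reads, because the shell gives `&&` and `||` equal precedence and evaluates them left to right. It runs as `(ipset help && iptables -t match-set -h && ipset list tck_test) || ipset create tck_test hash:ip`, so when the iptables probe fails, `ipset create` still runs and its exit status decides the result. On a host where ipset works but the iptables side does not, the test is then run instead of skipped. Grouping the fallback keeps creation conditional on both probes: `ipset help && iptables -t match-set -h && { ipset list tck_test || ipset create tck_test hash:ip; }`. It is also worth confirming that `-t match-set` (a table selector) really detects set-match support.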
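Review bot: In the skip branch added to checkExpectedOutput (hunk `@@ -147,6 +148,18 @@`), the verbose line prints `${cmd}` while the TAP line prints `${skiptest}`. Nothing in the hunk sets `cmd`, and the script's variables are not `local`, so the verbose message shows whatever `cmd` last held, which is presumably the firewall command being iterated rather than the failed precondition. Using `echo "SKIP ${xmlfile} : ${skiptest}"` makes both reports name the same thing. The surrounding loop starts and ends outside the hunk.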
@@ -197,19 +210,27 @@ doTest() { flags="$5" testnum="$6" ctr=0 + skiptest="" if [ ! -r "${xmlfile}" ]; then echo "FAIL : Cannot access filter XML file ${xmlfile}." return 1 fi - ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null + # Check whether we can run this test at all + cmd=$(sed -n '1 s/^<\!--[ ]*#\(.*\)#[ ]*-->/\1/p' ${xmlfile}) + if [ -n "${cmd}" ]; then + eval "${cmd}" 2>/dev/null 1>/dev/null + [ $? -ne 0 ] && skiptest="${cmd}" + fi + + [ -z "${skiptest}" ] && ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null checkExpectedOutput "${xmlfile}" "${fwallfile}" "${vm1name}" "${flags}" \ - "" + "" "${skiptest}" checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \ - "${vm2name}" "${flags}" "" + "${vm2name}" "${flags}" "" "${skiptest}" if [ $(($flags & $FLAG_ATTACH)) -ne 0 ]; then @@ -234,9 +255,9 @@ EOF if [ $rc -eq 0 ]; then checkExpectedOutput "${xmlfile}" "${fwallfile}" "${ATTACH_IFNAME}" \ - "${flags}" "(PRE|POST)ROUTING" + "${flags}" "(PRE|POST)ROUTING" "${skiptest}" checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \ - "${vm2name}" "${flags}" "(PRE|POST)ROUTING" + "${vm2name}" "${flags}" "(PRE|POST)ROUTING" "${skiptest}" msg=`${VIRSH} detach-device "${vm1name}" "${tmpfile}"` if [ $? -ne 0 ]; then echo "FAIL: Detach of interface failed." @@ -246,9 +267,9 @@ EOF # In case of TAP, run the test anyway so we get to the full number # of tests checkExpectedOutput "${xmlfile}" "${fwallfile}" "${ATTACH_IFNAME}" \ - "${flags}" "" #"(PRE|POST)ROUTING" + "${flags}" "" "${skiptest}" #"(PRE|POST)ROUTING" checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \ - "${vm2name}" "${flags}" #"(PRE|POST)ROUTING" + "${vm2name}" "${flags}" "${skiptest}" #"(PRE|POST)ROUTING" fi attachfailctr=$(($attachfailctr + 1)) 
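Review bot: The `eval "${cmd}"` added to doTest (hunk `@@ -197,19 +210,27 @@`) executes whatever text sits between `#…#` on the first line of the filter XML, with the privileges of the test run, so every file passed as `xmlfile` becomes executable input rather than data. That trust assumption should be stated next to the call, for example `# The precondition runs via eval with the caller's privileges; only use test XML from a trusted tree.` The sed invocation also leaves the path unquoted although the rest of the function quotes it; `cmd=$(sed -n '1 s/^<\!--[ ]*#\(.*\)#[ ]*-->/\1/p' "${xmlfile}")` avoids word splitting and globbing on the filename. The precondition may have side effects (the ipset test creates a set), which is another reason to document that it is run rather than merely inspected. doTest continues outside the hunk.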
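Review bot: In the attach-failure branch (hunk `@@ -246,9 +267,9 @@`), the second checkExpectedOutput call passes `"${skiptest}"` in the fifth position, because the original call had no fifth argument. checkExpectedOutput reads `$5` as `skipregex` and `$6` as `skiptest`, so here the precondition command lands in `skipregex` and `skiptest` stays empty, and that check is not skipped. The arguments should be `"${vm2name}" "${flags}" "" "${skiptest}"`, matching the call directly above it. How `skipregex` is consumed is not visible in the patch, so the effect of the stray value there should be checked as well.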
@@ -357,6 +378,7 @@ createVM() {
 <parameter name='C' value='1090'/>
 <parameter name='C' value='1100'/>
 <parameter name='C' value='1110'/>
+ <parameter name='IPSETNAME' value='tck_test'/>
 </filterref>
 <target dev='${vmname}'/>
 </interface>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipset-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipset-test.fwall
@@ -0,0 +1,39 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test src,dst /* out+NONE */
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src,dst
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src,dst
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test dst,src /* inout */
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test src,dst /* in+NONE */
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst,src
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst,src
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test src,dst /* inout */
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test src,dst /* out+NONE */
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src,dst
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src,dst
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test dst,src /* inout */
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
+#ebtables -t nat -L libvirt-O-vnet0 2>/dev/null | grep -v "table:" | grep -v "^$"
+#ebtables -t nat -L libvirt-I-vnet0 2>/dev/null | grep -v "table:" | grep -v "^$"
+#ebtables -t nat -L PREROUTING | grep vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/zzz-ipset-cleanup.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/zzz-ipset-cleanup.fwall
@@ -0,0 +1 @@
+#ipset destroy tck_test 2>&1 1>/dev/null
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/zzz-ipset-cleanup.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/zzz-ipset-cleanup.xml
@@ -0,0 +1,5 @@
+<!-- #ipset help && iptables -t match-set -h# -->
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <!-- used only to cleanup ipset -->
+</filter>