[libvirt] [tck PATCH 0/3] A few network related fixes to get the network suite running

Erik Skultety (3):
  network: Fix the iptables FORWARD chain name being queried
  network: Fix the dhcp range output being matched
  nwfilter: Fix the expected output from ebtables

 .../networks/networkxml2hostout/tck-testnet-1.dat |  5 +++--
 .../networks/networkxml2hostout/tck-testnet-2.dat |  5 +++--
 .../networks/networkxml2hostout/tck-testnet-3.dat | 14 ++++++++------
 .../nwfilter/nwfilterxml2fwallout/ipv6-test.fwall | 12 ++++++------
 4 files changed, 20 insertions(+), 16 deletions(-)

--
2.24.1

libvirt's has been defining private chains within iptables for a while, only putting a target labels inside the master FORWARD chain which broke the networking test suite which wasn't adjusted accordingly. Signed-off-by: Erik Skultety <eskultet@redhat.com> --- .../networks/networkxml2hostout/tck-testnet-1.dat | 3 ++- .../networks/networkxml2hostout/tck-testnet-2.dat | 3 ++- .../networks/networkxml2hostout/tck-testnet-3.dat | 12 +++++++----- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/scripts/networks/networkxml2hostout/tck-testnet-1.dat b/scripts/networks/networkxml2hostout/tck-testnet-1.dat index 3e2ce12..eacd4c4 100644 --- a/scripts/networks/networkxml2hostout/tck-testnet-1.dat +++ b/scripts/networks/networkxml2hostout/tck-testnet-1.dat @@ -4,8 +4,9 @@ RETURN all -- 10.1.2.0/24 255.255.255.255 MASQUERADE tcp -- 10.1.2.0/24 !10.1.2.0/24 masq ports: 1024-65535 MASQUERADE udp -- 10.1.2.0/24 !10.1.2.0/24 masq ports: 1024-65535 MASQUERADE all -- 10.1.2.0/24 !10.1.2.0/24 -#iptables -n -L FORWARD | grep ' 10\.1\.2\.' | sed -e 's/ctstate/state/' +#iptables -n -L LIBVIRT_FWI | grep ' 10\.1\.2\.' | sed -e 's/ctstate/state/' ACCEPT all -- 0.0.0.0/0 10.1.2.0/24 state RELATED,ESTABLISHED +#iptables -n -L LIBVIRT_FWO | grep ' 10\.1\.2\.' ACCEPT all -- 10.1.2.0/24 0.0.0.0/0 #ip -o route show dev tck-testbr | gawk '{print $1" "$7}' 10.1.2.0/24 10.1.2.1 diff --git a/scripts/networks/networkxml2hostout/tck-testnet-2.dat b/scripts/networks/networkxml2hostout/tck-testnet-2.dat index 48b4b28..9c90348 100644 --- a/scripts/networks/networkxml2hostout/tck-testnet-2.dat +++ b/scripts/networks/networkxml2hostout/tck-testnet-2.dat @@ -1,5 +1,6 @@ -#iptables -L FORWARD -n | grep ' 10\.1\.2\.' +#iptables -L LIBVIRT_FWI -n | grep ' 10\.1\.2\.' ACCEPT all -- 0.0.0.0/0 10.1.2.0/24 +#iptables -L LIBVIRT_FWO -n | grep ' 10\.1\.2\.' ACCEPT all -- 10.1.2.0/24 0.0.0.0/0 #iptables -t nat -L -n | grep ' 10\.1\.2\.' #ip -o route show dev tck-testbr | gawk '{print $1" "$7}' 
diff --git a/scripts/networks/networkxml2hostout/tck-testnet-3.dat b/scripts/networks/networkxml2hostout/tck-testnet-3.dat index fca4f81..77664ba 100644 --- a/scripts/networks/networkxml2hostout/tck-testnet-3.dat +++ b/scripts/networks/networkxml2hostout/tck-testnet-3.dat @@ -4,14 +4,16 @@ RETURN all -- 10.1.2.0/24 255.255.255.255 MASQUERADE tcp -- 10.1.2.0/24 !10.1.2.0/24 masq ports: 1024-65535 MASQUERADE udp -- 10.1.2.0/24 !10.1.2.0/24 masq ports: 1024-65535 MASQUERADE all -- 10.1.2.0/24 !10.1.2.0/24 -#iptables -n -L FORWARD | grep ' 10\.1\.2\.' | sed -e 's/ctstate/state/' +#iptables -n -L LIBVIRT_FWI | grep ' 10\.1\.2\.' | sed -e 's/ctstate/state/' ACCEPT all -- 0.0.0.0/0 10.1.2.0/24 state RELATED,ESTABLISHED -ACCEPT all -- 10.1.2.0/24 0.0.0.0/0 -#ip6tables -n -L FORWARD | grep ' 2001:db8:ac10' +#iptables -n -L LIBVIRT_FWO | grep ' 10\.1\.2\.' +ACCEPT all -- 10.1.2.0/24 0.0.0.0/0 +#ip6tables -n -L LIBVIRT_FWI | grep ' 2001:db8:ac10' ACCEPT all ::/0 2001:db8:ac10:fd01::/64 -ACCEPT all 2001:db8:ac10:fd01::/64 ::/0 ACCEPT all ::/0 2001:db8:ac10:fe01::/64 -ACCEPT all 2001:db8:ac10:fe01::/64 ::/0 +#ip6tables -n -L LIBVIRT_FWO | grep ' 2001:db8:ac10' +ACCEPT all 2001:db8:ac10:fd01::/64 ::/0 +ACCEPT all 2001:db8:ac10:fe01::/64 ::/0 #ps aux | sed -n '/dnsmasq .*tck-testnet/ s|.*\(\/dnsmasq\/tck-testnet.conf\).*|\1|p' | head -1 /dnsmasq/tck-testnet.conf #grep bind-dynamic `ps aux | sed -n '0,/dnsmasq .*tck-testnet/ s|.*--conf-file=\(.*tck-testnet.conf\).*|\1|p'` -- 2.24.1
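
Review bot: in all three .dat files the expected output now inspects only LIBVIRT_FWI and LIBVIRT_FWO, so nothing checks any more that the built-in FORWARD chain still jumps to those chains. Rules in a private chain filter nothing unless FORWARD references them, and a regression that drops the jump would pass this suite. Consider keeping a FORWARD query next to the new ones that matches the jump targets. Separately, the commit message says the private chains have existed "for a while" without naming the libvirt commit or release, whereas the dhcp-range patch names 82fe58ff; naming it would tell users which libvirt versions these expected outputs apply to, since the files no longer match a libvirt that writes directly into FORWARD.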

On Wed, Jan 15, 2020 at 03:23:58PM +0100, Erik Skultety wrote:
libvirt has been defining private chains within iptables for a while, only putting target labels inside the master FORWARD chain, which broke the networking test suite, which wasn't adjusted accordingly.
Oops, my bad :-(
Signed-off-by: Erik Skultety <eskultet@redhat.com> --- .../networks/networkxml2hostout/tck-testnet-1.dat | 3 ++- .../networks/networkxml2hostout/tck-testnet-2.dat | 3 ++- .../networks/networkxml2hostout/tck-testnet-3.dat | 12 +++++++----- 3 files changed, 11 insertions(+), 7 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

Since libvirt commit 82fe58ff libvirt has been formatting the network mask to the dnsmasq's dhcp-range config option which broke a few of the networking tests. Signed-off-by: Erik Skultety <eskultet@redhat.com> --- scripts/networks/networkxml2hostout/tck-testnet-1.dat | 2 +- scripts/networks/networkxml2hostout/tck-testnet-2.dat | 2 +- scripts/networks/networkxml2hostout/tck-testnet-3.dat | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/networks/networkxml2hostout/tck-testnet-1.dat b/scripts/networks/networkxml2hostout/tck-testnet-1.dat index eacd4c4..cf6f150 100644 --- a/scripts/networks/networkxml2hostout/tck-testnet-1.dat +++ b/scripts/networks/networkxml2hostout/tck-testnet-1.dat @@ -15,7 +15,7 @@ ACCEPT all -- 10.1.2.0/24 0.0.0.0/0 #grep bind-dynamic `ps aux | sed -n '0,/dnsmasq .*tck-testnet/ s|.*--conf-file=\(.*tck-testnet.conf\).*|\1|p'` bind-dynamic #grep dhcp-range `ps aux | sed -n '0,/dnsmasq .*tck-testnet/ s|.*--conf-file=\(.*tck-testnet.conf\).*|\1|p'` -dhcp-range=10.1.2.2,10.1.2.254 +dhcp-range=10.1.2.2,10.1.2.254,255.255.255.0 #ip link show type bridge | grep tck-testbr | gawk '{print $2}' tck-testbr: #ip -o addr show dev tck-testbr | gawk '{print $4" "$6}' diff --git a/scripts/networks/networkxml2hostout/tck-testnet-2.dat b/scripts/networks/networkxml2hostout/tck-testnet-2.dat index 9c90348..aabd959 100644 --- a/scripts/networks/networkxml2hostout/tck-testnet-2.dat +++ b/scripts/networks/networkxml2hostout/tck-testnet-2.dat @@ -10,7 +10,7 @@ ACCEPT all -- 10.1.2.0/24 0.0.0.0/0 #grep bind-dynamic `ps aux | sed -n '0,/dnsmasq .*tck-testnet/ s|.*--conf-file=\(.*tck-testnet.conf\).*|\1|p'` bind-dynamic #grep dhcp-range `ps aux | sed -n '0,/dnsmasq .*tck-testnet/ s|.*--conf-file=\(.*tck-testnet.conf\).*|\1|p'` -dhcp-range=10.1.2.2,10.1.2.254 +dhcp-range=10.1.2.2,10.1.2.254,255.255.255.0 #ip link show type bridge | grep tck-testbr | gawk '{print $2}' tck-testbr: #ip -o addr show dev tck-testbr | gawk '{print $4" "$6}' 
diff --git a/scripts/networks/networkxml2hostout/tck-testnet-3.dat b/scripts/networks/networkxml2hostout/tck-testnet-3.dat index 77664ba..cb3dd18 100644 --- a/scripts/networks/networkxml2hostout/tck-testnet-3.dat +++ b/scripts/networks/networkxml2hostout/tck-testnet-3.dat @@ -19,7 +19,7 @@ ACCEPT all 2001:db8:ac10:fe01::/64 ::/0 #grep bind-dynamic `ps aux | sed -n '0,/dnsmasq .*tck-testnet/ s|.*--conf-file=\(.*tck-testnet.conf\).*|\1|p'` bind-dynamic #grep dhcp-range `ps aux | sed -n '0,/dnsmasq .*tck-testnet/ s|.*--conf-file=\(.*tck-testnet.conf\).*|\1|p'` -dhcp-range=10.1.2.2,10.1.2.254 +dhcp-range=10.1.2.2,10.1.2.254,255.255.255.0 dhcp-range=2001:db8:ac10:fe01::1,ra-only dhcp-range=2001:db8:ac10:fd01::1,ra-only #ip link show type bridge | grep tck-testbr | gawk '{print $2}' -- 2.24.1
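
Review bot: the expected line "dhcp-range=10.1.2.2,10.1.2.254,255.255.255.0" in all three .dat files is matched exactly, so after this change the suite passes only against a libvirt that contains commit 82fe58ff and fails on anything older. If the TCK is meant to run against more than one libvirt version, either state the minimum libvirt version these expected outputs require or have the pipeline on the "#grep dhcp-range" line drop the trailing netmask before comparison. The IPv6 "ra-only" ranges in tck-testnet-3.dat stay unchanged, so the commit message could say that the mask is expected for the IPv4 range only.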

On Wed, Jan 15, 2020 at 03:23:59PM +0100, Erik Skultety wrote:
Since libvirt commit 82fe58ff libvirt has been formatting the network mask to the dnsmasq's dhcp-range config option which broke a few of the networking tests.
Signed-off-by: Erik Skultety <eskultet@redhat.com> --- scripts/networks/networkxml2hostout/tck-testnet-1.dat | 2 +- scripts/networks/networkxml2hostout/tck-testnet-2.dat | 2 +- scripts/networks/networkxml2hostout/tck-testnet-3.dat | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Regards, Daniel

For some reason, some of the PTP link addresses didn't specify the /128 prefix explicitly which fails the pattern matching in the nwfilter tests. Signed-off-by: Erik Skultety <eskultet@redhat.com> --- .../nwfilter/nwfilterxml2fwallout/ipv6-test.fwall | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall b/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall index 5803759..0e26b6c 100644 --- a/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall +++ b/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall 
@@ -4,10 +4,10 @@ -o vnet0 -j libvirt-O-vnet0 #ebtables -t nat -L libvirt-I-vnet0 | sed 's#/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff##g' | sed 's#/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000#/113#g' | sed 's#/ffff:ffff:ffff:ffff:8000::#/65#g' | sed 's#/ffff:fc00::#/22#g' | sed s/01:02:03:04:05:06/1:2:3:4:5:6/g | grep -v "^Bridge" | grep -v "^$" -p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/22 --ip6-dst ::10.1.0.0/113 --ip6-proto udp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT --p IPv6 --ip6-src a:b:c::/65 --ip6-dst 1::2 --ip6-proto tcp --ip6-sport 100:101 --ip6-dport 20:22 -j ACCEPT --p IPv6 --ip6-src a:b:c::/65 --ip6-dst 1::2 --ip6-proto tcp --ip6-sport 65535 --ip6-dport 255:256 -j ACCEPT --p IPv6 --ip6-src a:b:c::/65 --ip6-dst 1::2 --ip6-proto mux -j ACCEPT +-p IPv6 --ip6-src a:b:c::/65 --ip6-dst 1::2/128 --ip6-proto tcp --ip6-sport 100:101 --ip6-dport 20:22 -j ACCEPT +-p IPv6 --ip6-src a:b:c::/65 --ip6-dst 1::2/128 --ip6-proto tcp --ip6-sport 65535 --ip6-dport 255:256 -j ACCEPT +-p IPv6 --ip6-src a:b:c::/65 --ip6-dst 1::2/128 --ip6-proto mux -j ACCEPT #ebtables -t nat -L libvirt-O-vnet0 | sed 's#/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff##g' | sed 's#/ffff:ffff:ffff:ffff:8000::#/65#g' | grep -v "^Bridge" | grep -v "^$" --p IPv6 --ip6-src 1::2 --ip6-dst a:b:c::/65 --ip6-proto tcp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT --p IPv6 --ip6-src 1::2 --ip6-dst a:b:c::/65 --ip6-proto tcp --ip6-sport 255:256 --ip6-dport 65535 -j ACCEPT --p IPv6 --ip6-src 1::2 --ip6-dst a:b:c::/65 --ip6-proto mux -j ACCEPT +-p IPv6 --ip6-src 1::2/128 --ip6-dst a:b:c::/65 --ip6-proto tcp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT +-p IPv6 --ip6-src 1::2/128 --ip6-dst a:b:c::/65 --ip6-proto tcp --ip6-sport 255:256 --ip6-dport 65535 -j ACCEPT +-p IPv6 --ip6-src 1::2/128 --ip6-dst a:b:c::/65 --ip6-proto mux -j ACCEPT -- 2.24.1
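
Review bot: hard-coding "/128" into the six expected rules in ipv6-test.fwall ties the test to whichever ebtables prints that form, and the commit message ("For some reason") leaves the cause unidentified. The command lines in this hunk already normalise mask notation with sed, for example by deleting "/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"; deleting "/128" the same way in both the libvirt-I-vnet0 and libvirt-O-vnet0 pipelines would let the previous expected lines match either output, so the test keeps passing on hosts whose ebtables omits the prefix. If the change is kept as is, the message should record the ebtables version where the output changed.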

On Wed, Jan 15, 2020 at 03:24:00PM +0100, Erik Skultety wrote:
For some reason, some of the PTP link addresses didn't specify the /128 prefix explicitly which fails the pattern matching in the nwfilter tests.
Odd, I wonder if this is a backcompat break in ebtables itself.
Signed-off-by: Erik Skultety <eskultet@redhat.com> --- .../nwfilter/nwfilterxml2fwallout/ipv6-test.fwall | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Regards, Daniel

On Wed, Jan 15, 2020 at 03:23:57PM +0100, Erik Skultety wrote:
Erik Skultety (3):
  network: Fix the iptables FORWARD chain name being queried
  network: Fix the dhcp range output being matched
  nwfilter: Fix the expected output from ebtables

 .../networks/networkxml2hostout/tck-testnet-1.dat |  5 +++--
 .../networks/networkxml2hostout/tck-testnet-2.dat |  5 +++--
 .../networks/networkxml2hostout/tck-testnet-3.dat | 14 ++++++++------
 .../nwfilter/nwfilterxml2fwallout/ipv6-test.fwall | 12 ++++++------
 4 files changed, 20 insertions(+), 16 deletions(-)
ping