11:56 a.m.
It's surprising that nobody ever noticed in the past that this test
was either failing, or wasn't testing what it intended to test.
An extra bonus to fixing the test is that we are now testing
virNWFilterDefineXML(), and while writing it I discovered that
define_nwfilter() has been missing from the perl bindings since the
very beginning (libvirt-0.8.0, nearly 7 years ago!). (Since nobody
complained before now, I guess anyone using nwfilter via perl was only
using pre-define filter rules).
Laine Stump (2):
cleanup all nwfilters beginning with ^tck
Fix no-mac-broadcast test
lib/Sys/Virt/TCK.pm | 16 ++++++++++++++++
scripts/nwfilter/230-no-mac-broadcast.t | 29 ++++++++++++++++++++++++++++-
2 files changed, 44 insertions(+), 1 deletion(-)
--
2.14.3
11:56 a.m.
New subject: [libvirt] [tck PATCH 1/2] cleanup all nwfilters beginning with ^tck
Just as we do with domains, network, etc, do a pre-test check for any
existing nwfilters that start with "tck" (the test will be aborted in
that case unless "--force" is added to the commandline), and remove
same during the cleanup at the end.
Signed-off-by: Laine Stump <laine(a)laine.org>
---
lib/Sys/Virt/TCK.pm | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/lib/Sys/Virt/TCK.pm b/lib/Sys/Virt/TCK.pm
index f9d9f30..e7ff71b 100644
--- a/lib/Sys/Virt/TCK.pm
+++ b/lib/Sys/Virt/TCK.pm
@@ -130,6 +130,11 @@ sub sanity_check {
die "there is/are " . int(@nets) . " pre-existing inactive
network(s) in this driver";
}
+ my @nwfilters = grep { $_->get_name =~ /^tck/ } $conn->list_nwfilters;
+ if (@nwfilters) {
+ die "there is/are " . int(@nwfilters) . " pre-existing nwfilter(s)
in this driver";
+ }
+
my @pools = grep { $_->get_name =~ /^tck/ } $conn->list_storage_pools;
if (@pools) {
die "there is/are " . int(@pools) . " pre-existing active
storage_pool(s) in this driver";
@@ -188,6 +193,16 @@ sub reset_networks {
}
}
+sub reset_nwfilters {
+ my $self = shift;
+ my $conn = shift;
+
+ my @nwfilters = grep { $_->get_name =~ /^tck/ } $conn->list_nwfilters;
+ foreach my $nwfilter (@nwfilters) {
+ $nwfilter->undefine;
+ }
+}
+
sub reset_storage_pools {
my $self = shift;
my $conn = shift;
@@ -217,6 +232,7 @@ sub reset {
$self->reset_domains($conn);
$self->reset_networks($conn);
+ $self->reset_nwfilters($conn);
$self->reset_storage_pools($conn);
}
--
2.14.3
11:59 a.m.
New subject: [libvirt] [tck PATCH 1/2] cleanup all nwfilters beginning with ^tck
On Tue, Mar 06, 2018 at 12:56:46PM -0500, Laine Stump wrote:
Just as we do with domains, network, etc, do a pre-test check for
any
existing nwfilters that start with "tck" (the test will be aborted in
that case unless "--force" is added to the commandline), and remove
same during the cleanup at the end.
Signed-off-by: Laine Stump <laine(a)laine.org>
---
lib/Sys/Virt/TCK.pm | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
11:56 a.m.
New subject: [libvirt] [tck PATCH 2/2] Fix no-mac-broadcast test
This test is supposed to test that the no-mac-broadcast nwfilter
properly blocks all outgoing traffic with the MAC broadcast address as
its destination. When the no-mac-broadcast filter is used by itself,
though, it blocks even DHCP and ARP requests, meaning that the network
connection to the guest isn't even enough to allow the test script to
ssh in to do its work.
This patch solves the problem by temporarily creating a new nwfilter
that precedes the no-mac-broadcast rule with clean-traffic (which will
allow dhcp requests and responses) and allow-arp (as the name
states). This gives us enough network connection to get into the
guest, attempt a broadcast ping, and see that it fails.
(I'm not sure how this test ever reported success in the past. If it
did, it was only because something else was broken).
Signed-off-by: Laine Stump <laine(a)laine.org>
---
scripts/nwfilter/230-no-mac-broadcast.t | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/scripts/nwfilter/230-no-mac-broadcast.t
b/scripts/nwfilter/230-no-mac-broadcast.t
index 08695ae..ee2d43f 100644
--- a/scripts/nwfilter/230-no-mac-broadcast.t
+++ b/scripts/nwfilter/230-no-mac-broadcast.t
@@ -34,6 +34,7 @@ use Test::Exception;
use Net::OpenSSH;
use File::Spec::Functions qw(catfile catdir rootdir);
+my $nwfilter;
my $tck = Sys::Virt::TCK->new();
my $conn = eval { $tck->setup(); };
BAIL_OUT "failed to setup test harness: $@" if $@;
@@ -42,13 +43,39 @@ END {
}
my $networkip = get_network_ip($conn, "default");
+my $networkipaddr = $networkip->addr();
my $networkipbroadcast = $networkip->broadcast()->addr();
diag "network ip is $networkip, broadcast address is $networkipbroadcast";
+# we are testing the no-mac-broadcast filter, but that filter by
+# itself makes for a completely unusable network connection. In order
+# to have enough networking to properly run the test, we need to allow
+# dhcp and arp broadcast traffic, which is done via the clean-traffic
+# and allow-arp filters; the no-mac-broadcast filter then forbids any
+# other packets with the broadcast address for destination.
+#
+my $nwfilter_xml = <<EOF;
+<filter name='tck-test-broadcast'>
+ <filterref filter='clean-traffic'/>
+ <filterref filter='allow-arp'/>
+ <filterref filter='no-mac-broadcast'/>
+</filter>
+EOF
+
+# define_nwfilter() was missing from perl bindings until libvirt 4.2.0,
+# so we go in the back door when it's not there.
+$nwfilter = $conn->can("define_nwfilter")
+ ? $conn->define_nwfilter($nwfilter_xml)
+ : Sys::Virt::NWFilter->_new(connection => $conn, xml => $nwfilter_xml);
+
# create first domain and start it
my $xml = $tck->generic_domain(name => "tck", fullos => 1,
netmode => "network",
- filterref =>
"no-mac-broadcast")->as_xml();
+ filterref => "tck-test-broadcast",
+ filterparams => {
+ CTRL_IP_LEARNING => "dhcp",
+ DHCPSERVER => $networkipaddr
+ })->as_xml();
my $dom;
ok_domain(sub { $dom = $conn->define_domain($xml) }, "created persistent domain
object");
--
2.14.3
noon
New subject: [libvirt] [tck PATCH 2/2] Fix no-mac-broadcast test
On Tue, Mar 06, 2018 at 12:56:47PM -0500, Laine Stump wrote:
This test is supposed to test that the no-mac-broadcast nwfilter
properly blocks all outgoing traffic with the MAC broadcast address as
its destination. When the no-mac-broadcast filter is used by itself,
though, it blocks even DHCP and ARP requests, meaning that the network
connection to the guest isn't even enough to allow the test script to
ssh in to do its work.
This patch solves the problem by temporarily creating a new nwfilter
that precedes the no-mac-broadcast rule with clean-traffic (which will
allow dhcp requests and responses) and allow-arp (as the name
states). This gives us enough network connection to get into the
guest, attempt a broadcast ping, and see that it fails.
(I'm not sure how this test ever reported success in the past. If it
did, it was only because something else was broken).
Signed-off-by: Laine Stump <laine(a)laine.org>
---
scripts/nwfilter/230-no-mac-broadcast.t | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
2453
days inactive
2453
days old
4 comments
2 participants
participants (2)
-
Daniel P. Berrangé -
Laine Stump