[libvirt] [PATCH 2/2] [TCK] nwfilter: Add test cases for ipset

Add test cases for the ipset extension.
Since ipset may not be available on all systems, the first line of the XML file containing the test filter has been extended with a specially formatted XML comment containing a command line test for whether the test case can be run at all. The format of that line is:
<!-- #<command line test># -->
If the tests in this line don't succeed, the test case is skipped.
Also add a test case cleaning up the created ipset. Run this test after all other tests using alphabetical ordering.
--- scripts/nwfilter/nwfilter2vmtest.sh | 36 +++++++-- scripts/nwfilter/nwfilterxml2fwallout/ipset-test.fwall | 39 ++++++++++ scripts/nwfilter/nwfilterxml2fwallout/zzz-ipset-cleanup.fwall | 1 scripts/nwfilter/nwfilterxml2xmlin/ipset-test.xml | 25 ++++++ scripts/nwfilter/nwfilterxml2xmlin/zzz-ipset-cleanup.xml | 5 + 5 files changed, 99 insertions(+), 7 deletions(-) Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipset-test.xml =================================================================== --- /dev/null +++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipset-test.xml 
@@ -0,0 +1,25 @@ +<!-- #ipset help && iptables -t match-set -h && ipset list tck_test || ipset create tck_test hash:ip# --> +<filter name='tck-testcase' chain='root'> + <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid> + <rule action='accept' direction='out'> + <all ipset='tck_test' ipsetflags='src,dst' /> + </rule> + <rule action='accept' direction='in'> + <all state='NONE' ipset='tck_test' ipsetflags='src,dst' comment='in+NONE'/> + </rule> + <rule action='accept' direction='out'> + <all state='NONE' ipset='tck_test' ipsetflags='src,dst' comment='out+NONE'/> + </rule> + <rule action='accept' direction='in'> + <all ipset='tck_test' ipsetflags='SRC,DST,SRC' /> + </rule> + <rule action='accept' direction='in'> + <all ipset='tck_test' ipsetflags='SRC,dSt,SRC' /> + </rule> + <rule action='accept' direction='in'> + <all ipset='$IPSETNAME' ipsetflags='src,dst' /> + </rule> + <rule action='accept' direction='inout'> + <all ipset='$IPSETNAME' ipsetflags='src,dst' comment='inout'/> + </rule> +</filter> Index: libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh =================================================================== --- libvirt-tck.orig/scripts/nwfilter/nwfilter2vmtest.sh +++ libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh @@ -107,6 +107,7 @@ checkExpectedOutput() { ifname="$3" flags="$4" skipregex="$5" + skiptest="$6" regex="s/${ORIG_IFNAME}/${ifname}/g" tmpdir=$(mktmpdir) @@ -147,6 +148,18 @@ checkExpectedOutput() { break fi + if [ -n "${skiptest}" ]; then + # treat all skips as passes + passctr=$(($passctr + 1)) + [ $(($flags & $FLAG_VERBOSE)) -ne 0 ] && \ + echo "SKIP ${xmlfile} : ${cmd}" + [ $(($flags & $FLAG_LIBVIRT_TEST)) -ne 0 ] && \ + test_result $(($passctr + $failctr)) "" 0 + [ $(($flags & $FLAG_TAP_TEST)) -ne 0 ] && \ + tap_pass $(($passctr + $failctr)) "SKIP: ${xmlfile} : ${skiptest}" + break + fi + diff -w ${tmpfile} ${tmpfile2} >/dev/null if [ $? -ne 0 ]; then 
@@ -197,19 +210,27 @@ doTest() { flags="$5" testnum="$6" ctr=0 + skiptest="" if [ ! -r "${xmlfile}" ]; then echo "FAIL : Cannot access filter XML file ${xmlfile}." return 1 fi - ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null + # Check whether we can run this test at all + cmd=`sed -n '1,1 s/^<\!--[ ^I]*#\(.*\)#[ ^I]*-->/\1/p' ${xmlfile}` + if [ -n "${cmd}" ]; then + eval "${cmd}" 2>&1 1>/dev/null + [ $? -ne 0 ] && skiptest="${cmd}" + fi + + [ -z "${skiptest}" ] && ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null checkExpectedOutput "${xmlfile}" "${fwallfile}" "${vm1name}" "${flags}" \ - "" + "" "${skiptest}" checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \ - "${vm2name}" "${flags}" "" + "${vm2name}" "${flags}" "" "${skiptest}" if [ $(($flags & $FLAG_ATTACH)) -ne 0 ]; then @@ -234,9 +255,9 @@ EOF if [ $rc -eq 0 ]; then checkExpectedOutput "${xmlfile}" "${fwallfile}" "${ATTACH_IFNAME}" \ - "${flags}" "(PRE|POST)ROUTING" + "${flags}" "(PRE|POST)ROUTING" "${skiptest}" checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \ - "${vm2name}" "${flags}" "(PRE|POST)ROUTING" + "${vm2name}" "${flags}" "(PRE|POST)ROUTING" "${skiptest}" msg=`${VIRSH} detach-device "${vm1name}" "${tmpfile}"` if [ $? -ne 0 ]; then echo "FAIL: Detach of interface failed." @@ -246,9 +267,9 @@ EOF # In case of TAP, run the test anyway so we get to the full number # of tests checkExpectedOutput "${xmlfile}" "${fwallfile}" "${ATTACH_IFNAME}" \ - "${flags}" "" #"(PRE|POST)ROUTING" + "${flags}" "" "${skiptest}" #"(PRE|POST)ROUTING" checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \ - "${vm2name}" "${flags}" #"(PRE|POST)ROUTING" + "${vm2name}" "${flags}" "${skiptest}" #"(PRE|POST)ROUTING" fi attachfailctr=$(($attachfailctr + 1)) 
@@ -357,6 +378,7 @@ createVM() { <parameter name='C' value='1090'/> <parameter name='C' value='1100'/> <parameter name='C' value='1110'/> + <parameter name='IPSETNAME' value='tck_test'/> </filterref> <target dev='${vmname}'/> </interface> Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipset-test.fwall =================================================================== --- /dev/null +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipset-test.fwall 
@@ -0,0 +1,39 @@ +#iptables -L FI-vnet0 -n +Chain FI-vnet0 (1 references) +target prot opt source destination +RETURN all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst +RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test src,dst /* out+NONE */ +RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src,dst +RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src,dst +RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src +RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test dst,src /* inout */ +#iptables -L FO-vnet0 -n +Chain FO-vnet0 (1 references) +target prot opt source destination +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test src,dst /* in+NONE */ +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst,src +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst,src +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test src,dst /* inout */ +#iptables -L HI-vnet0 -n +Chain HI-vnet0 (1 references) +target prot opt source destination +RETURN all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst +RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test src,dst /* out+NONE */ +RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src,dst +RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src,dst +RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src +RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test dst,src /* inout */ +#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " " +HI-vnet0 all -- 
0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in -n | grep vnet0 | tr -s " " +FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-in-post -n | grep vnet0 +ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0 +#iptables -L libvirt-out -n | grep vnet0 | tr -s " " +FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0 +#ebtables -t nat -L libvirt-O-vnet0 2>/dev/null | grep -v "table:" | grep -v "^$" +#ebtables -t nat -L libvirt-I-vnet0 2>/dev/null | grep -v "table:" | grep -v "^$" +#ebtables -t nat -L PREROUTING | grep vnet0 +#ebtables -t nat -L POSTROUTING | grep vnet0 Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/zzz-ipset-cleanup.fwall =================================================================== --- /dev/null +++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/zzz-ipset-cleanup.fwall @@ -0,0 +1 @@ +#ipset destroy tck_test 2>&1 1>/dev/null Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/zzz-ipset-cleanup.xml =================================================================== --- /dev/null +++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/zzz-ipset-cleanup.xml @@ -0,0 +1,5 @@ +<!-- #ipset help && iptables -t match-set -h# --> +<filter name='tck-testcase' chain='root'> + <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid> + <!-- used only to cleanup ipset --> +</filter>
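Review bot: The probe on the first line of ipset-test.xml has a precedence problem: `ipset help && iptables -t match-set -h && ipset list tck_test || ipset create tck_test hash:ip` groups as `(A && B && C) || D`, so the create also runs when `ipset help` or the iptables check fails, and if it succeeds the test is not skipped. Group the fallback with the list check only, for example `ipset help && iptables -t match-set -h && { ipset list tck_test || ipset create tck_test hash:ip; }`. The probe also creates state rather than only checking for it, which the commit message's description of the marker does not mention.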
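Review bot: The skip branch added to checkExpectedOutput reports two different variables: the verbose line prints `${cmd}` while the TAP line prints `${skiptest}`, and `${cmd}` is not assigned in the visible part of this function. Use `${skiptest}` in both messages. Because skips increment `passctr`, the totals cannot distinguish a skipped ipset test from one that ran and passed; a separate skip counter would keep missing coverage visible.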
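Review bot: In doTest, `eval "${cmd}"` executes whatever sits between the `#` markers on line 1 of a filter XML file with the privileges of the test run, and nothing at that spot documents the contract. Add a comment at the sed line saying the marker is trusted shell taken from the test tree, and quote `${xmlfile}` in the sed call the way the preceding `[ ! -r "${xmlfile}" ]` check does.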
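Review bot: In the TAP fallback branch (the hunk at -246), the second checkExpectedOutput call passes `"${skiptest}"` as the fifth argument, which checkExpectedOutput reads as `skipregex`, so `skiptest` (`$6`) stays empty on that path. Add the empty skipregex as the call just above it does: `"${vm2name}" "${flags}" "" "${skiptest}"`.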
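Review bot: zzz-ipset-cleanup.fwall runs `ipset destroy tck_test 2>&1 1>/dev/null`, which sends error output to stdout instead of discarding it; if silence is intended, use `>/dev/null 2>&1`. The cleanup also depends on this file sorting last and on the run getting that far, so an interrupted run leaves `tck_test` on the host; the `ipset list tck_test ||` guard in ipset-test.xml covers the next run, but that dependency deserves a comment in the cleanup XML.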

On 04/23/2012 06:20 AM, Stefan Berger wrote:
Add test cases for the ipset extension.
Since ipset may not be available on all systems, the first line of the XML file containing the test filter has been extended with a specially formatted XML comment containing a command line test for whether the test case can be run at all. The format of that line is:
<!-- #<command line test># -->
If the tests in this line don't succeed, the test case is skipped.
Seems like a slick idea.
- ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null + # Check whether we can run this test at all + cmd=`sed -n '1,1 s/^<\!--[ ^I]*#\(.*\)#[ ^I]*-->/\1/p' ${xmlfile}`
Use $(), not `` (since we're already using $(()), we don't have to worry about Solaris /bin/sh, but might as well stick to the preferred POSIX shell interface).
1,1 as a sed address selection is redundant; you could shorten it to 1.
In sed, ^I does NOT mean tab, but the two characters ^ and I. Use a literal tab instead (and to avoid space-tab warnings, list the bracket expression as [tab-space], as in '[ ]*').
+ if [ -n "${cmd}" ]; then + eval "${cmd}" 2>&1 1>/dev/null
This says output any errors from command to our stdout, and to ignore normal output of $cmd. Is that what you meant, or did you want to ignore both output and errors from $cmd, in which case you should swap the redirection operators?
Otherwise, it looks okay to me.
--
Eric Blake eblake@redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org

On 04/26/2012 05:13 PM, Eric Blake wrote:
On 04/23/2012 06:20 AM, Stefan Berger wrote:
+ if [ -n "${cmd}" ]; then + eval "${cmd}" 2>&1 1>/dev/null
This says output any errors from command to our stdout, and to ignore normal output of $cmd. Is that what you meant, or did you want to ignore both output and errors from $cmd, in which case you should swap the redirection operators?
The intention was to not get any output from running those test commands. Above unfortunately only solved this for stdout but not for suppressing stderr, so 'ipset: command not found' was still printed. Now I changed this line to
eval "${cmd}" 2>/dev/null 1>/dev/null
and everything is quiet. Not quite sure why the previous notation didn't work...
I will post a V2. For this patch to go in I'll also need an ACK for the somewhat longer patch for ipset support:
http://www.redhat.com/archives/libvir-list/2012-April/msg01226.html
Stefan

On 04/27/2012 05:12 AM, Stefan Berger wrote:
On 04/26/2012 05:13 PM, Eric Blake wrote:
On 04/23/2012 06:20 AM, Stefan Berger wrote:
+ if [ -n "${cmd}" ]; then + eval "${cmd}" 2>&1 1>/dev/null
This says output any errors from command to our stdout, and to ignore normal output of $cmd. Is that what you meant, or did you want to ignore both output and errors from $cmd, in which case you should swap the redirection operators?
The intention was to not get any output from running those test commands. Above unfortunately only solved this for stdout but not for suppressing stderr, so 'ipset: command not found' was still printed. Now I changed this line to
eval "${cmd}" 2>/dev/null 1>/dev/null
and everything is quiet. Not quite sure why the previous notation didn't work...
Using '2>&1 1>/dev/null' says:
start with stdout (1) and stderr (2) inherited from the parent
change fd 2 to be copied from the current fd 1 (the parent's stdout)
change fd 1 to be /dev/null
now the child discards output, and sends errors into the parent's stdout

Using '2>/dev/null 1>/dev/null' says:
start with stdout and stderr inherited from the parent
change fd 2 to be /dev/null
change fd 1 to be /dev/null
now the child discards everything

Swapping the order, and using '>/dev/null 2>&1' says:
start with stdout (1) and stderr (2) inherited from the parent
change fd 1 to be /dev/null
change fd 2 to be copied from the current fd 1 (/dev/null)
now the child discards everything

In other words, all you did wrong was forgetting that redirections are honored left-to-right.
I will post a V2. For this patch to go in I'll also need an ACK for the somewhat longer patch for ipset support:
http://www.redhat.com/archives/libvir-list/2012-April/msg01226.html
Yep, on my list to review.
--
Eric Blake eblake@redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
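
The three redirection orders walked through above, together with the probe-marker extraction using the review suggestions from earlier in the thread ($(), address 1, literal tab), as an added example that is not part of the thread or the patch. The function names, `noisy`, and the `tck_no_such_tool_example` command are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from the patch. noisy() stands in for a failing
# probe such as a missing ipset binary: one line on stdout, one on stderr.
noisy() { echo "to-stdout"; echo "to-stderr" >&2; return 1; }

# One helper per redirection order; $(helper) captures what reaches stdout.
order_patch() { noisy 2>&1 1>/dev/null; }        # as posted: stderr leaks
order_v2()    { noisy 2>/dev/null 1>/dev/null; } # both sent to /dev/null
order_posix() { noisy >/dev/null 2>&1; }         # fd 2 copies the new fd 1

# Bracket expression as posted: [ ^I] matches space, '^' and 'I', not a tab.
probe_cmd_patch() {
    sed -n '1 s/^<!--[ ^I]*#\(.*\)#[ ^I]*-->/\1/p' "$1"
}

# With the review suggestions: address 1, $(), literal tab in the bracket.
probe_cmd() {
    tab=$(printf '\t')
    sed -n "1 s/^<!--[${tab} ]*#\(.*\)#[${tab} ]*-->/\1/p" "$1"
}

# Print the probe command when it fails (skip the test), nothing otherwise.
# Line 1 of the file is executed as shell, so it must come from a trusted tree.
skip_reason() {
    cmd=$(probe_cmd "$1")
    [ -n "${cmd}" ] || return 0
    eval "${cmd}" >/dev/null 2>&1 || printf '%s\n' "${cmd}"
}

# Constructed sample: tab-padded marker naming a tool that does not exist.
sample=$(mktemp)
printf '<!--\t#tck_no_such_tool_example help#\t-->\n<filter/>\n' > "${sample}"
echo "2>&1 1>/dev/null leaks: '$(order_patch)'"
echo ">/dev/null 2>&1 leaks:  '$(order_posix)'"
echo "posted regex extracts:  '$(probe_cmd_patch "${sample}")'"
echo "skip reason:            '$(skip_reason "${sample}")'"
rm -f "${sample}"
```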