7:20 a.m.
Add test cases for the ipset extension.
Since ipset may not be available on all system, the first line of the XML
file containing the test filter has been extended with a specially formatted
XML comment containing a command line test for whether the test case can be
run at all. The format of that line is:
<!-- #<command line test># -->
If the tests in this line don't succeed, the test case is skipped.
Also add a test case cleaning up the created ipset. Run this test after all
other tests using alphabetical ordering.
---
scripts/nwfilter/nwfilter2vmtest.sh | 36 +++++++--
scripts/nwfilter/nwfilterxml2fwallout/ipset-test.fwall | 39 ++++++++++
scripts/nwfilter/nwfilterxml2fwallout/zzz-ipset-cleanup.fwall | 1
scripts/nwfilter/nwfilterxml2xmlin/ipset-test.xml | 25 ++++++
scripts/nwfilter/nwfilterxml2xmlin/zzz-ipset-cleanup.xml | 5 +
5 files changed, 99 insertions(+), 7 deletions(-)
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipset-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipset-test.xml
@@ -0,0 +1,25 @@
+<!-- #ipset help && iptables -t match-set -h && ipset list tck_test ||
ipset create tck_test hash:ip# -->
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <all ipset='tck_test' ipsetflags='src,dst' />
+ </rule>
+ <rule action='accept' direction='in'>
+ <all state='NONE' ipset='tck_test' ipsetflags='src,dst'
comment='in+NONE'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <all state='NONE' ipset='tck_test' ipsetflags='src,dst'
comment='out+NONE'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all ipset='tck_test' ipsetflags='SRC,DST,SRC' />
+ </rule>
+ <rule action='accept' direction='in'>
+ <all ipset='tck_test' ipsetflags='SRC,dSt,SRC' />
+ </rule>
+ <rule action='accept' direction='in'>
+ <all ipset='$IPSETNAME' ipsetflags='src,dst' />
+ </rule>
+ <rule action='accept' direction='inout'>
+ <all ipset='$IPSETNAME' ipsetflags='src,dst'
comment='inout'/>
+ </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilter2vmtest.sh
+++ libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
@@ -107,6 +107,7 @@ checkExpectedOutput() {
ifname="$3"
flags="$4"
skipregex="$5"
+ skiptest="$6"
regex="s/${ORIG_IFNAME}/${ifname}/g"
tmpdir=$(mktmpdir)
@@ -147,6 +148,18 @@ checkExpectedOutput() {
break
fi
+ if [ -n "${skiptest}" ]; then
+ # treat all skips as passes
+ passctr=$(($passctr + 1))
+ [ $(($flags & $FLAG_VERBOSE)) -ne 0 ] && \
+ echo "SKIP ${xmlfile} : ${cmd}"
+ [ $(($flags & $FLAG_LIBVIRT_TEST)) -ne 0 ] && \
+ test_result $(($passctr + $failctr)) "" 0
+ [ $(($flags & $FLAG_TAP_TEST)) -ne 0 ] && \
+ tap_pass $(($passctr + $failctr)) "SKIP: ${xmlfile} :
${skiptest}"
+ break
+ fi
+
diff -w ${tmpfile} ${tmpfile2} >/dev/null
if [ $? -ne 0 ]; then
@@ -197,19 +210,27 @@ doTest() {
flags="$5"
testnum="$6"
ctr=0
+ skiptest=""
if [ ! -r "${xmlfile}" ]; then
echo "FAIL : Cannot access filter XML file ${xmlfile}."
return 1
fi
- ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null
+ # Check whether we can run this test at all
+ cmd=`sed -n '1,1 s/^<\!--[ ^I]*#\(.*\)#[ ^I]*-->/\1/p' ${xmlfile}`
+ if [ -n "${cmd}" ]; then
+ eval "${cmd}" 2>&1 1>/dev/null
+ [ $? -ne 0 ] && skiptest="${cmd}"
+ fi
+
+ [ -z "${skiptest}" ] && ${VIRSH} nwfilter-define
"${xmlfile}" > /dev/null
checkExpectedOutput "${xmlfile}" "${fwallfile}"
"${vm1name}" "${flags}" \
- ""
+ "" "${skiptest}"
checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \
- "${vm2name}" "${flags}" ""
+ "${vm2name}" "${flags}" "" "${skiptest}"
if [ $(($flags & $FLAG_ATTACH)) -ne 0 ]; then
@@ -234,9 +255,9 @@ EOF
if [ $rc -eq 0 ]; then
checkExpectedOutput "${xmlfile}" "${fwallfile}"
"${ATTACH_IFNAME}" \
- "${flags}" "(PRE|POST)ROUTING"
+ "${flags}" "(PRE|POST)ROUTING" "${skiptest}"
checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}"
\
- "${vm2name}" "${flags}" "(PRE|POST)ROUTING"
+ "${vm2name}" "${flags}" "(PRE|POST)ROUTING"
"${skiptest}"
msg=`${VIRSH} detach-device "${vm1name}" "${tmpfile}"`
if [ $? -ne 0 ]; then
echo "FAIL: Detach of interface failed."
@@ -246,9 +267,9 @@ EOF
# In case of TAP, run the test anyway so we get to the full number
# of tests
checkExpectedOutput "${xmlfile}" "${fwallfile}"
"${ATTACH_IFNAME}" \
- "${flags}" "" #"(PRE|POST)ROUTING"
+ "${flags}" "" "${skiptest}"
#"(PRE|POST)ROUTING"
checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}"
\
- "${vm2name}" "${flags}" #"(PRE|POST)ROUTING"
+ "${vm2name}" "${flags}" "${skiptest}"
#"(PRE|POST)ROUTING"
fi
attachfailctr=$(($attachfailctr + 1))
@@ -357,6 +378,7 @@ createVM() {
<parameter name='C' value='1090'/>
<parameter name='C' value='1100'/>
<parameter name='C' value='1110'/>
+ <parameter name='IPSETNAME' value='tck_test'/>
</filterref>
<target dev='${vmname}'/>
</interface>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipset-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipset-test.fwall
@@ -0,0 +1,39 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir
REPLY match-set tck_test src,dst
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test src,dst
/* out+NONE */
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir
ORIGINAL match-set tck_test dst,src,dst
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir
ORIGINAL match-set tck_test dst,src,dst
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir
ORIGINAL match-set tck_test dst,src
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test dst,src
/* inout */
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir
ORIGINAL match-set tck_test dst,src
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test src,dst
/* in+NONE */
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir
REPLY match-set tck_test src,dst,src
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir
REPLY match-set tck_test src,dst,src
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir
REPLY match-set tck_test src,dst
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test src,dst
/* inout */
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED ctdir
REPLY match-set tck_test src,dst
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test src,dst
/* out+NONE */
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir
ORIGINAL match-set tck_test dst,src,dst
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir
ORIGINAL match-set tck_test dst,src,dst
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED ctdir
ORIGINAL match-set tck_test dst,src
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set tck_test dst,src
/* inout */
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in
vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
+#ebtables -t nat -L libvirt-O-vnet0 2>/dev/null | grep -v "table:" | grep -v
"^$"
+#ebtables -t nat -L libvirt-I-vnet0 2>/dev/null | grep -v "table:" | grep -v
"^$"
+#ebtables -t nat -L PREROUTING | grep vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/zzz-ipset-cleanup.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/zzz-ipset-cleanup.fwall
@@ -0,0 +1 @@
+#ipset destroy tck_test 2>&1 1>/dev/null
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/zzz-ipset-cleanup.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/zzz-ipset-cleanup.xml
@@ -0,0 +1,5 @@
+<!-- #ipset help && iptables -t match-set -h# -->
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <!-- used only to cleanup ipset -->
+</filter>
4:13 p.m.
On 04/23/2012 06:20 AM, Stefan Berger wrote:
Add test cases for the ipset extension.
Since ipset may not be available on all system, the first line of the XML
file containing the test filter has been extended with a specially formatted
XML comment containing a command line test for whether the test case can be
run at all. The format of that line is:
<!-- #<command line test># -->
If the tests in this line don't succeed, the test case is skipped.
Seems like a slick idea.
- ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null
+ # Check whether we can run this test at all
+ cmd=`sed -n '1,1 s/^<\!--[ ^I]*#\(.*\)#[ ^I]*-->/\1/p' ${xmlfile}`
Use $(), not `` (since we're already using $(()), we don't have to worry
about Solaris /bin/sh, but might as well stick to the preferred POSIX
shell interface).
1,1 as a sed address selection is redundant; you could shorten it to 1.
In sed, ^I does NOT mean tab, but the two characters ^ and I. Use a
literal tab instead (and to avoid space-tab warnings, list the bracket
expression as [tab-space], as in '[ ]*').
+ if [ -n "${cmd}" ]; then
+ eval "${cmd}" 2>&1 1>/dev/null
This says output any errors from command to our stdout, and to ignore
normal output of $cmd. Is that what you meant, or did you want to
ignore both output and errors from $cmd, in which case you should swap
the redirection operators?
Otherwise, it looks okay to me.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
6:12 a.m.
On 04/26/2012 05:13 PM, Eric Blake wrote:
On 04/23/2012 06:20 AM, Stefan Berger wrote:
> + if [ -n "${cmd}" ]; then
> + eval "${cmd}" 2>&1 1>/dev/null
This says output any errors from command to our stdout, and to ignore
normal output of $cmd. Is that what you meant, or did you want to
ignore both output and errors from $cmd, in which case you should swap
the redirection operators?
The intention was to not get any output from running those test
commands. Above unfortunately only solved this for stdout but not for
suppressing stderr, so 'ipset: command not found' was still printed. Now
I changed this line to
eval "${cmd}" 2>/dev/null 1>/dev/null
and everything is quiet. Not quite sure why the previous notation didn't
work... I will post a V2. For this patch to go in I'll also need an ACK
for the somewhat longer patch for ipset support:
http://www.redhat.com/archives/libvir-list/2012-April/msg01226.html
Stefan
7:33 a.m.
On 04/27/2012 05:12 AM, Stefan Berger wrote:
On 04/26/2012 05:13 PM, Eric Blake wrote:
> On 04/23/2012 06:20 AM, Stefan Berger wrote:
>
>
>> + if [ -n "${cmd}" ]; then
>> + eval "${cmd}" 2>&1 1>/dev/null
> This says output any errors from command to our stdout, and to ignore
> normal output of $cmd. Is that what you meant, or did you want to
> ignore both output and errors from $cmd, in which case you should swap
> the redirection operators?
The intention was to not get any output from running those test
commands. Above unfortunately only solved this for stdout but not for
suppressing stderr, so 'ipset: command not found' was still printed. Now
I changed this line to
eval "${cmd}" 2>/dev/null 1>/dev/null
and everything is quiet. Not quite sure why the previous notation didn't
work...
Using '2>&1 1>/dev/null' says:
start with stdout (1) and stderr (2) inherited from the parent
change fd 2 to be copied from the current fd 1 (the parents stdout)
change fd 1 to be /dev/null
now the child discards output, and sends errors into the parent's stdout
Using '2>/dev/null 1>/dev/null' says:
start with stdout and stderr inherited from the parent
change fd 2 to be /dev/null
change fd 1 to be /dev/null
now the child discards everything
Swapping the order, and using '>/dev/null 2>&1' says:
start with stdout (1) and stderr (2) inherited from the parent
change fd 1 to be /dev/null
change fd 2 to be copied from the current fd 1 (/dev/null)
now the child discards everything
In other words, all you did wrong was forgetting that redirections are
honored left-to-right.
I will post a V2. For this patch to go in I'll also need an ACK
for the somewhat longer patch for ipset support:
http://www.redhat.com/archives/libvir-list/2012-April/msg01226.html
Yep, on my list to review.
--
Eric Blake eblake(a)redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
4591
days inactive
4595
days old
3 comments
2 participants
participants (2)
-
Eric Blake -
Stefan Berger