mirror of
git://git.proxmox.com/git/pve-firewall.git
synced 2025-01-17 06:03:55 +03:00
29e5ce1536
For now without integer to full-name, and vice versa, mapping of ICMP types. Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
= A simple simulator to test our iptables rule generation =
== Invocation ==
# ./fwtester.pl
This scans for subdirectory named test-* an invokes fwtester.pl for each
subdirectory with:
# ./fwtester.pl test-<name>/tests
== Test directory contents ==
Each test directory can contain the following files:
* cluster.fw Cluster wide firewall config
* host.fw Host firewall config
* <VMID>.fw Firewall config for VMs
* tests Test descriptions
== Test description ==
The test description file can contain one or more tests using the following
syntax:
{ from => '<zone>' , to => '<zone>', action => '<DROP|RECECT|ACCEPT>', [ source => '<ip>',] [ dest => '<ip>',] [ proto => '<tcp|udp>',] [ dport => <port>,], [ sport => <port>,] }
The following <zone> definition exist currently:
* host: The host itself
* outside: The outside world (alias for 'vmbr0/eth0')
* vm<ID>: A qemu virtual machine
* ct<ID>: An openvz container
* nfvm: Non firewalled VM (alias for 'vmbr0/tapXYZ')
* vmbr<\d+>/<bport>: Unmanaged bridge port
== Test examples ==
{ from => 'outside', to => 'ct200', dport => 22, action => 'ACCEPT' }
{ from => 'vm101', to => 'vm100', dport => 443, action => 'ACCEPT', id => 'vm2vm'}
You can assign an 'id' to each test, so that you can run them separately:
./fwtester.pl -d test-basic1/tests vm2vm