/*
* nwfilterebiptablestest . c : Test { eb , ip , ip6 } tables rule generation
*
* Copyright ( C ) 2014 Red Hat , Inc .
*
* This library is free software ; you can redistribute it and / or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation ; either
* version 2.1 of the License , or ( at your option ) any later version .
*
* This library is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the GNU
* Lesser General Public License for more details .
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library . If not , see
* < http : //www.gnu.org/licenses/>.
*
*/
#include <config.h>

#include "testutils.h"
#include "nwfilter/nwfilter_ebiptables_driver.h"
#include "virbuffer.h"
#include "virfirewall.h"

/* The *_ALLOW defines opt this test into the private firewall/command
 * headers; presumably that is where the dry-run hooks used below
 * (virCommandDryRunTokenNew, virCommandSetDryRun) are declared. */
#define LIBVIRT_VIRFIREWALLPRIV_H_ALLOW
#include "virfirewallpriv.h"
#define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW
#include "vircommandpriv.h"

#define VIR_FROM_THIS VIR_FROM_NONE
/*
 * Commands expected when the "new" per-interface chains for vnet0
 * (FP-/FJ-/HJ-vnet0 for iptables and ip6tables, libvirt-J-/libvirt-P-vnet0
 * for ebtables) are unhooked from the libvirt-* parent chains, flushed and
 * deleted.  Several tests below expect this sequence as the prefix of the
 * driver's output, so it is shared as a macro.
 */
#define VIR_NWFILTER_NEW_RULES_TEARDOWN \
    "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n" \
    "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" \
    "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \
    "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n" \
    "iptables -w -F FP-vnet0\n" \
    "iptables -w -X FP-vnet0\n" \
    "iptables -w -F FJ-vnet0\n" \
    "iptables -w -X FJ-vnet0\n" \
    "iptables -w -F HJ-vnet0\n" \
    "iptables -w -X HJ-vnet0\n" \
    "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n" \
    "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" \
    "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \
    "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n" \
    "ip6tables -w -F FP-vnet0\n" \
    "ip6tables -w -X FP-vnet0\n" \
    "ip6tables -w -F FJ-vnet0\n" \
    "ip6tables -w -X FJ-vnet0\n" \
    "ip6tables -w -F HJ-vnet0\n" \
    "ip6tables -w -X HJ-vnet0\n" \
    "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n" \
    "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n" \
    "ebtables --concurrent -t nat -L libvirt-J-vnet0\n" \
    "ebtables --concurrent -t nat -L libvirt-P-vnet0\n" \
    "ebtables --concurrent -t nat -F libvirt-J-vnet0\n" \
    "ebtables --concurrent -t nat -X libvirt-J-vnet0\n" \
    "ebtables --concurrent -t nat -F libvirt-P-vnet0\n" \
    "ebtables --concurrent -t nat -X libvirt-P-vnet0\n"
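/*
 * Commands expected when the currently active per-interface chains for
 * vnet0 (FO-/FI-/HI-vnet0 for iptables and ip6tables, libvirt-I-/
 * libvirt-O-vnet0 for ebtables) are unhooked, flushed and deleted.
 *
 * Every test whose expected output contains this sequence emits it
 * directly after VIR_NWFILTER_NEW_RULES_TEARDOWN, so the two macros are
 * normally used together.
 */
#define VIR_NWFILTER_OLD_RULES_TEARDOWN \
    "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n" \
    "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n" \
    "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n" \
    "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n" \
    "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n" \
    "iptables -w -F FO-vnet0\n" \
    "iptables -w -X FO-vnet0\n" \
    "iptables -w -F FI-vnet0\n" \
    "iptables -w -X FI-vnet0\n" \
    "iptables -w -F HI-vnet0\n" \
    "iptables -w -X HI-vnet0\n" \
    "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n" \
    "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n" \
    "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n" \
    "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n" \
    "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n" \
    "ip6tables -w -F FO-vnet0\n" \
    "ip6tables -w -X FO-vnet0\n" \
    "ip6tables -w -F FI-vnet0\n" \
    "ip6tables -w -X FI-vnet0\n" \
    "ip6tables -w -F HI-vnet0\n" \
    "ip6tables -w -X HI-vnet0\n" \
    "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n" \
    "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n" \
    "ebtables --concurrent -t nat -L libvirt-I-vnet0\n" \
    "ebtables --concurrent -t nat -L libvirt-O-vnet0\n" \
    "ebtables --concurrent -t nat -F libvirt-I-vnet0\n" \
    "ebtables --concurrent -t nat -X libvirt-I-vnet0\n" \
    "ebtables --concurrent -t nat -F libvirt-O-vnet0\n" \
    "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"


/*
 * Compare the commands captured in the dry-run buffer @buf against
 * @expected.  The buffer content is taken over (virBufferContentAndReset)
 * and freed before returning, so @buf is left empty.
 *
 * Returns 0 when the captured commands match @expected exactly; otherwise
 * prints the difference on stderr and returns -1.
 */
static int
testNWFilterEBIPTablesCheckOutput(virBuffer *buf,
                                  const char *expected)
{
    g_autofree char *actual = virBufferContentAndReset(buf);

    if (STRNEQ_NULLABLE(actual, expected)) {
        virTestDifference(stderr, expected, actual);
        return -1;
    }

    return 0;
}


/*
 * allTeardown must remove both the "new" and the active chains of vnet0.
 *
 * Returns 0 on success, -1 on failure.
 */
static int
testNWFilterEBIPTablesAllTeardown(const void *opaque G_GNUC_UNUSED)
{
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
        VIR_NWFILTER_NEW_RULES_TEARDOWN
        VIR_NWFILTER_OLD_RULES_TEARDOWN;
    g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();

    /* Record the commands the driver would run instead of executing them. */
    virCommandSetDryRun(dryRunToken, &buf, false, true, NULL, NULL);

    if (ebiptables_driver.allTeardown("vnet0") < 0)
        return -1;

    return testNWFilterEBIPTablesCheckOutput(&buf, expected);
}


/*
 * tearOldRules must delete the active FO-/FI-/HI- and libvirt-I-/-O- chains
 * and then rename the "new" FP-/FJ-/HJ- and libvirt-J-/-P- chains into
 * their place (the -E commands at the end of each tool's sequence).
 *
 * Returns 0 on success, -1 on failure.
 */
static int
testNWFilterEBIPTablesTearOldRules(const void *opaque G_GNUC_UNUSED)
{
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
        "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
        "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
        "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
        "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
        "iptables -w -F FO-vnet0\n"
        "iptables -w -X FO-vnet0\n"
        "iptables -w -F FI-vnet0\n"
        "iptables -w -X FI-vnet0\n"
        "iptables -w -F HI-vnet0\n"
        "iptables -w -X HI-vnet0\n"
        "iptables -w -E FP-vnet0 FO-vnet0\n"
        "iptables -w -E FJ-vnet0 FI-vnet0\n"
        "iptables -w -E HJ-vnet0 HI-vnet0\n"
        "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
        "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
        "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
        "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
        "ip6tables -w -F FO-vnet0\n"
        "ip6tables -w -X FO-vnet0\n"
        "ip6tables -w -F FI-vnet0\n"
        "ip6tables -w -X FI-vnet0\n"
        "ip6tables -w -F HI-vnet0\n"
        "ip6tables -w -X HI-vnet0\n"
        "ip6tables -w -E FP-vnet0 FO-vnet0\n"
        "ip6tables -w -E FJ-vnet0 FI-vnet0\n"
        "ip6tables -w -E HJ-vnet0 HI-vnet0\n"
        "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
        "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
        "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
        "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
        "ebtables --concurrent -t nat -L libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -L libvirt-P-vnet0\n"
        "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
    g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();

    virCommandSetDryRun(dryRunToken, &buf, false, true, NULL, NULL);

    if (ebiptables_driver.tearOldRules("vnet0") < 0)
        return -1;

    return testNWFilterEBIPTablesCheckOutput(&buf, expected);
}


/*
 * removeBasicRules only touches ebtables: it unhooks, flushes and deletes
 * the active libvirt-I-/-O- chains and then the "new" libvirt-J-/-P- chains.
 *
 * Returns 0 on success, -1 on failure.
 */
static int
testNWFilterEBIPTablesRemoveBasicRules(const void *opaque G_GNUC_UNUSED)
{
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
        "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
        "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
        "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
        "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
        "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
        "ebtables --concurrent -t nat -L libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -L libvirt-P-vnet0\n"
        "ebtables --concurrent -t nat -F libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -X libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -F libvirt-P-vnet0\n"
        "ebtables --concurrent -t nat -X libvirt-P-vnet0\n";
    g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();

    virCommandSetDryRun(dryRunToken, &buf, false, true, NULL, NULL);

    if (ebiptables_driver.removeBasicRules("vnet0") < 0)
        return -1;

    return testNWFilterEBIPTablesCheckOutput(&buf, expected);
}


/*
 * tearNewRules must remove exactly the "new" chains and nothing else.
 *
 * Returns 0 on success, -1 on failure.
 */
static int
testNWFilterEBIPTablesTearNewRules(const void *opaque G_GNUC_UNUSED)
{
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
        VIR_NWFILTER_NEW_RULES_TEARDOWN;
    g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();

    virCommandSetDryRun(dryRunToken, &buf, false, true, NULL, NULL);

    if (ebiptables_driver.tearNewRules("vnet0") < 0)
        return -1;

    return testNWFilterEBIPTablesCheckOutput(&buf, expected);
}


/*
 * applyBasicRules: after tearing down all existing chains, a fresh
 * libvirt-J-vnet0 chain is built in which frames whose source MAC is not
 * the VM's are dropped first (MAC spoofing protection), IPv4 and ARP are
 * accepted, and everything else is dropped; the chain is then hooked into
 * PREROUTING and renamed to the active libvirt-I-vnet0.
 *
 * Returns 0 on success, -1 on failure.
 */
static int
testNWFilterEBIPTablesApplyBasicRules(const void *opaque G_GNUC_UNUSED)
{
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
        VIR_NWFILTER_NEW_RULES_TEARDOWN
        VIR_NWFILTER_OLD_RULES_TEARDOWN
        "ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -s '!' 10:20:30:40:50:60 -j DROP\n"
        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -p IPv4 -j ACCEPT\n"
        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -p ARP -j ACCEPT\n"
        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n"
        "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n";
    /* The VM's MAC; must render as 10:20:30:40:50:60 in the rules above. */
    virMacAddr mac = { .addr = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } };
    g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();

    virCommandSetDryRun(dryRunToken, &buf, false, true, NULL, NULL);

    if (ebiptables_driver.applyBasicRules("vnet0", &mac) < 0)
        return -1;

    return testNWFilterEBIPTablesCheckOutput(&buf, expected);
}


/*
 * applyDHCPOnlyRules: after the teardown, the outbound chain
 * (libvirt-J-vnet0) accepts only DHCP client traffic (udp 68 -> 67) from the
 * VM's MAC and the inbound chain (libvirt-P-vnet0) accepts only DHCP server
 * replies (udp 67 -> 68) from each configured server address, addressed to
 * the VM's MAC or to the broadcast MAC; both chains end in DROP.
 *
 * Returns 0 on success, -1 on failure.
 */
static int
testNWFilterEBIPTablesApplyDHCPOnlyRules(const void *opaque G_GNUC_UNUSED)
{
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
        VIR_NWFILTER_NEW_RULES_TEARDOWN
        VIR_NWFILTER_OLD_RULES_TEARDOWN
        "ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -N libvirt-P-vnet0\n"
        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -s 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-sport 68 --ip-dport 67 -j ACCEPT\n"
        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n"
        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -j DROP\n"
        "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
        "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
    virMacAddr mac = { .addr = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } };
    /* DHCP server addresses; each must produce one unicast and one
     * broadcast ACCEPT rule, in this order. */
    const char *servers[] = { "192.168.122.1", "10.0.0.1", "10.0.0.2" };
    virNWFilterVarValue val = {
        .valType = NWFILTER_VALUE_TYPE_ARRAY,
        .u = {
            .array = {
                .values = (char **) servers,
                .nValues = sizeof(servers) / sizeof(servers[0]),
            }
        }
    };
    g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();

    virCommandSetDryRun(dryRunToken, &buf, false, true, NULL, NULL);

    if (ebiptables_driver.applyDHCPOnlyRules("vnet0", &mac, &val, false) < 0)
        return -1;

    return testNWFilterEBIPTablesCheckOutput(&buf, expected);
}


/*
 * applyDropAllRules: after the teardown, both new ebtables chains consist
 * of a single unconditional DROP, are hooked into PREROUTING/POSTROUTING
 * and renamed to the active chain names.
 *
 * Returns 0 on success, -1 on failure.
 */
static int
testNWFilterEBIPTablesApplyDropAllRules(const void *opaque G_GNUC_UNUSED)
{
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
        VIR_NWFILTER_NEW_RULES_TEARDOWN
        VIR_NWFILTER_OLD_RULES_TEARDOWN
        "ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -N libvirt-P-vnet0\n"
        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n"
        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -j DROP\n"
        "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
        "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
    g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();

    virCommandSetDryRun(dryRunToken, &buf, false, true, NULL, NULL);

    if (ebiptables_driver.applyDropAllRules("vnet0") < 0)
        return -1;

    return testNWFilterEBIPTablesCheckOutput(&buf, expected);
}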
/*
 * Report whether all three netfilter command-line tools this test drives
 * (iptables, ip6tables, ebtables) exist at their configured paths and are
 * executable.  Checked in that order; the first missing tool ends the scan.
 */
static bool
hasNetfilterTools(void)
{
    const char *tools[] = { IPTABLES_PATH, IP6TABLES_PATH, EBTABLES_PATH };
    size_t i;

    for (i = 0; i < sizeof(tools) / sizeof(tools[0]); i++) {
        if (!virFileIsExecutable(tools[i]))
            return false;
    }

    return true;
}
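/*
 * Run every rule-generation test once.
 *
 * If the direct firewall backend cannot be selected, the whole test is
 * skipped when the iptables/ip6tables/ebtables binaries are absent (there is
 * nothing to drive) and fails otherwise.
 *
 * Returns EXIT_SUCCESS when all tests pass, EXIT_FAILURE when any test
 * fails or the backend cannot be set up, EXIT_AM_SKIP when skipped.
 */
static int
mymain(void)
{
    /* Name reported by virTestRun and the test body; the table keeps the
     * list of tests in one place. */
    static const struct {
        const char *name;
        int (*body)(const void *opaque);
    } tests[] = {
        { "ebiptablesAllTeardown", testNWFilterEBIPTablesAllTeardown },
        { "ebiptablesTearOldRules", testNWFilterEBIPTablesTearOldRules },
        { "ebiptablesRemoveBasicRules", testNWFilterEBIPTablesRemoveBasicRules },
        { "ebiptablesTearNewRules", testNWFilterEBIPTablesTearNewRules },
        { "ebiptablesApplyBasicRules", testNWFilterEBIPTablesApplyBasicRules },
        { "ebiptablesApplyDHCPOnlyRules", testNWFilterEBIPTablesApplyDHCPOnlyRules },
        { "ebiptablesApplyDropAllRules", testNWFilterEBIPTablesApplyDropAllRules },
    };
    int ret = 0;
    size_t i;

    if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
        if (!hasNetfilterTools()) {
            /* Newline added so the skip reason is not glued to later output. */
            fprintf(stderr, "iptables/ip6tables/ebtables tools not present\n");
            return EXIT_AM_SKIP;
        }
        return EXIT_FAILURE;
    }

    /* Keep going after a failure so every test's result is reported. */
    for (i = 0; i < sizeof(tests) / sizeof(tests[0]); i++) {
        if (virTestRun(tests[i].name, tests[i].body, NULL) < 0)
            ret = -1;
    }

    return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}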
/* Test-harness entry point wrapping mymain (presumably provided by testutils.h). */
VIR_TEST_MAIN(mymain)