1
0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-01-06 17:17:56 +03:00
libvirt/tests/networkxml2firewalltest.c
Laine Stump 397c0f4b01 network: add more firewall test cases
This patch adds some previously missing test cases that test for
proper firewall rule creation when the following are included in the
network definition:

* <forward dev='blah'>
* no forward element (an "isolated" network)
* nat port range when only ipv4 is nat-ed
* nat port range when both ipv4 & ipv6 are nated

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Laine Stump <laine@redhat.com>
2024-06-24 13:51:04 +01:00

227 lines
6.7 KiB
C

/*
* networkxml2firewalltest.c: Test iptables rule generation
*
* Copyright (C) 2014 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*
*/
#include <config.h>
#include "testutils.h"
#if defined (__linux__)
# include <gio/gio.h>
# include "network/bridge_driver_platform.h"
# include "virbuffer.h"
# include "virmock.h"
# define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW
# include "vircommandpriv.h"
# define VIR_FROM_THIS VIR_FROM_NONE
# ifdef __linux__
# define RULESTYPE "linux"
# else
# error "test case not ported to this platform"
# endif
VIR_MOCK_WRAP_RET_ARGS(g_dbus_connection_call_sync,
GVariant *,
GDBusConnection *, connection,
const gchar *, bus_name,
const gchar *, object_path,
const gchar *, interface_name,
const gchar *, method_name,
GVariant *, parameters,
const GVariantType *, reply_type,
GDBusCallFlags, flags,
gint, timeout_msec,
GCancellable *, cancellable,
GError **, error)
{
if (parameters) {
g_variant_ref_sink(parameters);
g_variant_unref(parameters);
}
VIR_MOCK_REAL_INIT(g_dbus_connection_call_sync);
*error = g_dbus_error_new_for_dbus_error("org.freedesktop.error",
"dbus is disabled");
return NULL;
}
static void
testCommandDryRun(const char *const*args G_GNUC_UNUSED,
const char *const*env G_GNUC_UNUSED,
const char *input G_GNUC_UNUSED,
char **output,
char **error,
int *status,
void *opaque G_GNUC_UNUSED)
{
*status = 0;
/* if arg[1] is -ae then this is an nft command,
* and the caller requested to get the handle
* of the newly added object in stdout
*/
if (STREQ_NULLABLE(args[1], "-ae"))
*output = g_strdup("# handle 5309");
else
*output = g_strdup("");
*error = g_strdup("");
}
static int testCompareXMLToArgvFiles(const char *xml,
const char *cmdline,
const char *baseargs,
virFirewallBackend backend)
{
g_autofree char *actualargv = NULL;
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
g_autoptr(virNetworkDef) def = NULL;
char *actual;
g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
virCommandSetDryRun(dryRunToken, &buf, true, true, testCommandDryRun, NULL);
if (!(def = virNetworkDefParse(NULL, xml, NULL, false)))
return -1;
if (networkAddFirewallRules(def, backend, NULL) < 0)
return -1;
actual = actualargv = virBufferContentAndReset(&buf);
/* The first network to be created populates the
* libvirt global chains. We must skip args for
* that if present
*/
if (STRPREFIX(actual, baseargs))
actual += strlen(baseargs);
if (virTestCompareToFileFull(actual, cmdline, false) < 0)
return -1;
return 0;
}
struct testInfo {
const char *name;
const char *baseargs;
virFirewallBackend backend;
};
static int
testCompareXMLToIPTablesHelper(const void *data)
{
int result = -1;
const struct testInfo *info = data;
g_autofree char *xml = NULL;
g_autofree char *args = NULL;
xml = g_strdup_printf("%s/networkxml2firewalldata/%s.xml",
abs_srcdir, info->name);
args = g_strdup_printf("%s/networkxml2firewalldata/%s-%s.%s",
abs_srcdir, info->name, RULESTYPE,
virFirewallBackendTypeToString(info->backend));
result = testCompareXMLToArgvFiles(xml, args, info->baseargs, info->backend);
return result;
}
static int
mymain(void)
{
int ret = 0;
g_autofree char *basefileIptables = NULL;
g_autofree char *basefileNftables = NULL;
g_autofree char *baseargsIptables = NULL;
g_autofree char *baseargsNftables = NULL;
const char *baseargs[VIR_FIREWALL_BACKEND_LAST];
# define DO_TEST_FOR_BACKEND(name, backend) \
do { \
struct testInfo info = { \
name, baseargs[backend], backend \
}; \
g_autofree char *label = g_strdup_printf("Network XML-2-%s %s", \
virFirewallBackendTypeToString(backend), \
name); \
if (virTestRun(label, testCompareXMLToIPTablesHelper, &info) < 0) \
ret = -1; \
} while (0)
# define DO_TEST(name) \
DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_IPTABLES); \
DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_NFTABLES);
basefileIptables = g_strdup_printf("%s/networkxml2firewalldata/base.iptables", abs_srcdir);
if (virFileReadAll(basefileIptables, INT_MAX, &baseargsIptables) < 0)
return EXIT_FAILURE;
baseargs[VIR_FIREWALL_BACKEND_IPTABLES] = baseargsIptables;
basefileNftables = g_strdup_printf("%s/networkxml2firewalldata/base.nftables", abs_srcdir);
if (virFileReadAll(basefileNftables, INT_MAX, &baseargsNftables) < 0)
return EXIT_FAILURE;
baseargs[VIR_FIREWALL_BACKEND_NFTABLES] = baseargsNftables;
DO_TEST("nat-default");
DO_TEST("nat-tftp");
DO_TEST("nat-many-ips");
DO_TEST("nat-no-dhcp");
DO_TEST("nat-ipv6");
DO_TEST("nat-ipv6-masquerade");
DO_TEST("route-default");
DO_TEST("forward-dev");
DO_TEST("isolated");
DO_TEST("forward-dev");
DO_TEST("nat-port-range");
DO_TEST("nat-port-range-ipv6");
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
/* NB: virgdbus must be mocked because this test calls
* networkAddFirewallRules(), which will always call
* virFirewallDIsRegistered(), which calls
* virGDBusIsServiceRegistered().
*/
VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virgdbus"),
VIR_TEST_MOCK("virfirewall"))
#else /* ! defined (__linux__) */
int main(void)
{
return EXIT_AM_SKIP;
}
#endif /* ! defined (__linux__) */