libvirt/tests/nwfilterebiptablestest.c
Laine Stump 0a867cd895 util/tests: enable locking on iptables/ebtables commandlines by default
iptables and ip6tables have had a "-w" commandline option to grab a
systemwide lock that prevents two iptables invocations from modifying
the iptables chains since 2013 (upstream commit 93587a04 in
iptables-1.4.20).  Similarly, ebtables has had a "--concurrent"
commandline option for the same purpose since 2011 (in the upstream
ebtables commit f9b4bcb93, which was present in ebtables-2.0.10.4).

Libvirt added code to conditionally use the commandline option for
iptables/ip6tables in upstream commit ba95426d6f (libvirt-1.2.0,
November 2013), and for ebtables in upstream commit dc33e6e4a5
(libvirt-1.2.11, November 2014) (the latter actually *re*-added the
locking for iptables/ip6tables, as it had accidentally been removed
during a refactor of firewall code in the interim).

I say "conditionally" because a check was made during firewall module
initialization that tried executing a test command with the
-w/--concurrent option, and only continued using it for actual
commands if that test command completed successfully. At the time the
code was added this was a reasonable thing to do, as it had been less
than a year since introduction of -w to iptables, so many distros
supported by libvirt were still using iptables (and possibly even
ebtables) versions too old to have the new commandline options.

It is now 2020, and as far as I can discern from repology.org (and
manually examining a RHEL7.9 system), every version of every distro
that is supported by libvirt now uses new enough versions of both
iptables and ebtables that they all have support for -w/--concurrent.
That means we can finally remove the conditional code and simply
always use them.

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2020-11-24 14:21:29 -05:00


/*
* nwfilterebiptablestest.c: Test {eb,ip,ip6}tables rule generation
*
* Copyright (C) 2014 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*
*/
#include <config.h>
#include "testutils.h"
#include "nwfilter/nwfilter_ebiptables_driver.h"
#include "virbuffer.h"
#include "virfirewall.h"
#define LIBVIRT_VIRFIREWALLPRIV_H_ALLOW
#include "virfirewallpriv.h"
#define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW
#include "vircommandpriv.h"
#define VIR_FROM_THIS VIR_FROM_NONE
/*
 * Command lines expected when the "new" chain set of vnet0 (FP/FJ/HJ for
 * iptables/ip6tables, libvirt-J/libvirt-P for ebtables) is torn down.
 * This is the whole expectation of the tearNewRules test and the common
 * prefix of the allTeardown and apply* expectations below.
 *
 * Every iptables/ip6tables line carries "-w" and every ebtables line
 * carries "--concurrent", i.e. the tests assert that each generated
 * command takes the tool's system-wide lock; a command emitted without
 * the lock flag is a test failure.
 */
#define VIR_NWFILTER_NEW_RULES_TEARDOWN \
    "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n" \
    "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" \
    "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \
    "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n" \
    "iptables -w -F FP-vnet0\n" \
    "iptables -w -X FP-vnet0\n" \
    "iptables -w -F FJ-vnet0\n" \
    "iptables -w -X FJ-vnet0\n" \
    "iptables -w -F HJ-vnet0\n" \
    "iptables -w -X HJ-vnet0\n" \
    "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n" \
    "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" \
    "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \
    "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n" \
    "ip6tables -w -F FP-vnet0\n" \
    "ip6tables -w -X FP-vnet0\n" \
    "ip6tables -w -F FJ-vnet0\n" \
    "ip6tables -w -X FJ-vnet0\n" \
    "ip6tables -w -F HJ-vnet0\n" \
    "ip6tables -w -X HJ-vnet0\n" \
    "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n" \
    "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n" \
    "ebtables --concurrent -t nat -L libvirt-J-vnet0\n" \
    "ebtables --concurrent -t nat -L libvirt-P-vnet0\n" \
    "ebtables --concurrent -t nat -F libvirt-J-vnet0\n" \
    "ebtables --concurrent -t nat -X libvirt-J-vnet0\n" \
    "ebtables --concurrent -t nat -F libvirt-P-vnet0\n" \
    "ebtables --concurrent -t nat -X libvirt-P-vnet0\n"
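/*
 * Command lines expected when the established chain set of vnet0
 * (FO/FI/HI for iptables/ip6tables, libvirt-I/libvirt-O for ebtables)
 * is torn down.  Four of the tests below expect exactly this text right
 * after VIR_NWFILTER_NEW_RULES_TEARDOWN; it was previously repeated
 * verbatim in each of them.
 *
 * Note this is NOT the tearOldRules expectation: that one additionally
 * renames the new chains over the old ones (-E) and lacks the
 * libvirt-in-post deletions.
 */
#define VIR_NWFILTER_OLD_RULES_TEARDOWN \
    "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n" \
    "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n" \
    "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n" \
    "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n" \
    "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n" \
    "iptables -w -F FO-vnet0\n" \
    "iptables -w -X FO-vnet0\n" \
    "iptables -w -F FI-vnet0\n" \
    "iptables -w -X FI-vnet0\n" \
    "iptables -w -F HI-vnet0\n" \
    "iptables -w -X HI-vnet0\n" \
    "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n" \
    "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n" \
    "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n" \
    "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n" \
    "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n" \
    "ip6tables -w -F FO-vnet0\n" \
    "ip6tables -w -X FO-vnet0\n" \
    "ip6tables -w -F FI-vnet0\n" \
    "ip6tables -w -X FI-vnet0\n" \
    "ip6tables -w -F HI-vnet0\n" \
    "ip6tables -w -X HI-vnet0\n" \
    "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n" \
    "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n" \
    "ebtables --concurrent -t nat -L libvirt-I-vnet0\n" \
    "ebtables --concurrent -t nat -L libvirt-O-vnet0\n" \
    "ebtables --concurrent -t nat -F libvirt-I-vnet0\n" \
    "ebtables --concurrent -t nat -X libvirt-I-vnet0\n" \
    "ebtables --concurrent -t nat -F libvirt-O-vnet0\n" \
    "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"


/*
 * testNWFilterEBIPTablesCheck:
 * @buf: dry-run command log filled in via virCommandSetDryRun()
 * @expected: the exact command lines the driver must have emitted
 *
 * Takes the recorded command lines out of @buf (resetting it),
 * normalises the command paths with virTestClearCommandPath() so the
 * expectation does not depend on where the tools are installed, and
 * compares the result with @expected.  On mismatch a diff of the two
 * texts is written to stderr.
 *
 * Shared by every test below so the compare/report logic exists once.
 *
 * Returns 0 on an exact match, -1 otherwise.
 */
static int
testNWFilterEBIPTablesCheck(virBuffer *buf, const char *expected)
{
    g_autofree char *actual = virBufferContentAndReset(buf);

    virTestClearCommandPath(actual);

    if (STRNEQ_NULLABLE(actual, expected)) {
        virTestDifference(stderr, expected, actual);
        return -1;
    }

    return 0;
}


/*
 * allTeardown("vnet0") must remove both chain sets: first the new
 * FP/FJ/HJ + libvirt-J/P chains, then the established FO/FI/HI +
 * libvirt-I/O chains.
 *
 * Returns 0 on success, -1 on driver error or on a command mismatch.
 */
static int
testNWFilterEBIPTablesAllTeardown(const void *opaque G_GNUC_UNUSED)
{
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
        VIR_NWFILTER_NEW_RULES_TEARDOWN
        VIR_NWFILTER_OLD_RULES_TEARDOWN;
    int ret = -1;

    /* record commands instead of executing them */
    virCommandSetDryRun(&buf, NULL, NULL);

    if (ebiptables_driver.allTeardown("vnet0") >= 0)
        ret = testNWFilterEBIPTablesCheck(&buf, expected);

    /* always restore real execution, even on failure */
    virCommandSetDryRun(NULL, NULL, NULL);
    return ret;
}


/*
 * tearOldRules("vnet0") must delete and destroy the established
 * chains and then rename (-E) the new chains to the established names
 * (FP->FO, FJ->FI, HJ->HI, libvirt-J->libvirt-I, libvirt-P->libvirt-O).
 *
 * Returns 0 on success, -1 on driver error or on a command mismatch.
 */
static int
testNWFilterEBIPTablesTearOldRules(const void *opaque G_GNUC_UNUSED)
{
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
        "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
        "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
        "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
        "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
        "iptables -w -F FO-vnet0\n"
        "iptables -w -X FO-vnet0\n"
        "iptables -w -F FI-vnet0\n"
        "iptables -w -X FI-vnet0\n"
        "iptables -w -F HI-vnet0\n"
        "iptables -w -X HI-vnet0\n"
        "iptables -w -E FP-vnet0 FO-vnet0\n"
        "iptables -w -E FJ-vnet0 FI-vnet0\n"
        "iptables -w -E HJ-vnet0 HI-vnet0\n"
        "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
        "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
        "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
        "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
        "ip6tables -w -F FO-vnet0\n"
        "ip6tables -w -X FO-vnet0\n"
        "ip6tables -w -F FI-vnet0\n"
        "ip6tables -w -X FI-vnet0\n"
        "ip6tables -w -F HI-vnet0\n"
        "ip6tables -w -X HI-vnet0\n"
        "ip6tables -w -E FP-vnet0 FO-vnet0\n"
        "ip6tables -w -E FJ-vnet0 FI-vnet0\n"
        "ip6tables -w -E HJ-vnet0 HI-vnet0\n"
        "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
        "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
        "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
        "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
        "ebtables --concurrent -t nat -L libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -L libvirt-P-vnet0\n"
        "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
    int ret = -1;

    virCommandSetDryRun(&buf, NULL, NULL);

    if (ebiptables_driver.tearOldRules("vnet0") >= 0)
        ret = testNWFilterEBIPTablesCheck(&buf, expected);

    virCommandSetDryRun(NULL, NULL, NULL);
    return ret;
}


/*
 * removeBasicRules("vnet0") touches only ebtables: the libvirt-I/O
 * chains and then the libvirt-J/P chains are unhooked, flushed and
 * deleted.  No iptables/ip6tables command may be emitted.
 *
 * Returns 0 on success, -1 on driver error or on a command mismatch.
 */
static int
testNWFilterEBIPTablesRemoveBasicRules(const void *opaque G_GNUC_UNUSED)
{
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
        "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
        "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
        "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
        "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
        "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
        "ebtables --concurrent -t nat -L libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -L libvirt-P-vnet0\n"
        "ebtables --concurrent -t nat -F libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -X libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -F libvirt-P-vnet0\n"
        "ebtables --concurrent -t nat -X libvirt-P-vnet0\n";
    int ret = -1;

    virCommandSetDryRun(&buf, NULL, NULL);

    if (ebiptables_driver.removeBasicRules("vnet0") >= 0)
        ret = testNWFilterEBIPTablesCheck(&buf, expected);

    virCommandSetDryRun(NULL, NULL, NULL);
    return ret;
}


/*
 * tearNewRules("vnet0") must emit exactly the new-chain teardown
 * sequence and nothing else.
 *
 * Returns 0 on success, -1 on driver error or on a command mismatch.
 */
static int
testNWFilterEBIPTablesTearNewRules(const void *opaque G_GNUC_UNUSED)
{
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
        VIR_NWFILTER_NEW_RULES_TEARDOWN;
    int ret = -1;

    virCommandSetDryRun(&buf, NULL, NULL);

    if (ebiptables_driver.tearNewRules("vnet0") >= 0)
        ret = testNWFilterEBIPTablesCheck(&buf, expected);

    virCommandSetDryRun(NULL, NULL, NULL);
    return ret;
}


/*
 * applyBasicRules("vnet0", mac) must tear down both chain sets and then
 * build a libvirt-J chain that drops frames whose source MAC is not
 * @mac, accepts IPv4 and ARP, drops everything else, hooks the chain
 * into PREROUTING and finally renames it to libvirt-I.
 *
 * Returns 0 on success, -1 on driver error or on a command mismatch.
 */
static int
testNWFilterEBIPTablesApplyBasicRules(const void *opaque G_GNUC_UNUSED)
{
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
        VIR_NWFILTER_NEW_RULES_TEARDOWN
        VIR_NWFILTER_OLD_RULES_TEARDOWN
        "ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -s '!' 10:20:30:40:50:60 -j DROP\n"
        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -p IPv4 -j ACCEPT\n"
        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -p ARP -j ACCEPT\n"
        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n"
        "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n";
    /* the MAC the generated rules must be pinned to (10:20:30:40:50:60) */
    virMacAddr mac = { .addr = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } };
    int ret = -1;

    virCommandSetDryRun(&buf, NULL, NULL);

    if (ebiptables_driver.applyBasicRules("vnet0", &mac) >= 0)
        ret = testNWFilterEBIPTablesCheck(&buf, expected);

    virCommandSetDryRun(NULL, NULL, NULL);
    return ret;
}


/*
 * applyDHCPOnlyRules("vnet0", mac, servers) must tear down both chain
 * sets and then build libvirt-J/P chains that accept only DHCP client
 * traffic (udp 68->67) from @mac and DHCP server replies (udp 67->68)
 * from each listed server address to @mac or the broadcast MAC; every
 * other frame in both directions is dropped.  Two reply rules are
 * expected per server (unicast and broadcast destination).
 *
 * Returns 0 on success, -1 on driver error or on a command mismatch.
 */
static int
testNWFilterEBIPTablesApplyDHCPOnlyRules(const void *opaque G_GNUC_UNUSED)
{
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
        VIR_NWFILTER_NEW_RULES_TEARDOWN
        VIR_NWFILTER_OLD_RULES_TEARDOWN
        "ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -N libvirt-P-vnet0\n"
        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -s 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-sport 68 --ip-dport 67 -j ACCEPT\n"
        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n"
        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -j DROP\n"
        "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
        "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
    virMacAddr mac = { .addr = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } };
    /* the three DHCP server addresses; order must match the expectation */
    const char *servers[] = { "192.168.122.1", "10.0.0.1", "10.0.0.2" };
    /* the variable value carries the servers as an array; the cast only
     * drops const for the fixture, nothing here writes through it */
    virNWFilterVarValue val = {
        .valType = NWFILTER_VALUE_TYPE_ARRAY,
        .u = {
            .array = {
                .values = (char **)servers,
                .nValues = 3,
            }
        }
    };
    int ret = -1;

    virCommandSetDryRun(&buf, NULL, NULL);

    if (ebiptables_driver.applyDHCPOnlyRules("vnet0", &mac, &val, false) >= 0)
        ret = testNWFilterEBIPTablesCheck(&buf, expected);

    virCommandSetDryRun(NULL, NULL, NULL);
    return ret;
}


/*
 * applyDropAllRules("vnet0") must tear down both chain sets and then
 * install libvirt-J/P chains whose only rule is DROP, hooked into
 * PREROUTING/POSTROUTING and renamed to libvirt-I/O.
 *
 * Returns 0 on success, -1 on driver error or on a command mismatch.
 */
static int
testNWFilterEBIPTablesApplyDropAllRules(const void *opaque G_GNUC_UNUSED)
{
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
        VIR_NWFILTER_NEW_RULES_TEARDOWN
        VIR_NWFILTER_OLD_RULES_TEARDOWN
        "ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -N libvirt-P-vnet0\n"
        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n"
        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -j DROP\n"
        "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
        "ebtables --concurrent -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
        "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
        "ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
    int ret = -1;

    virCommandSetDryRun(&buf, NULL, NULL);

    if (ebiptables_driver.applyDropAllRules("vnet0") >= 0)
        ret = testNWFilterEBIPTablesCheck(&buf, expected);

    virCommandSetDryRun(NULL, NULL, NULL);
    return ret;
}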
/*
 * hasNetfilterTools:
 *
 * Returns true only if all three configured tool paths (iptables,
 * ip6tables, ebtables) refer to executable files; the check stops at the
 * first one that is missing.
 */
static bool
hasNetfilterTools(void)
{
    const char *tools[] = { IPTABLES_PATH, IP6TABLES_PATH, EBTABLES_PATH };
    size_t i;

    for (i = 0; i < sizeof tools / sizeof tools[0]; i++) {
        if (!virFileIsExecutable(tools[i]))
            return false;
    }

    return true;
}
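/*
 * mymain:
 *
 * Test entry point.  Forces the direct (iptables/ebtables command line)
 * firewall backend, then runs every rule-generation test in turn.  If
 * the backend cannot be selected because the tools are not installed
 * the whole test is reported as skipped (EXIT_AM_SKIP) rather than
 * failed.
 *
 * Returns EXIT_SUCCESS when all tests pass, EXIT_FAILURE otherwise.
 */
static int
mymain(void)
{
    /* name/body pairs run in this order; each body takes no data */
    static const struct {
        const char *name;
        int (*body)(const void *);
    } tests[] = {
        { "ebiptablesAllTeardown", testNWFilterEBIPTablesAllTeardown },
        { "ebiptablesTearOldRules", testNWFilterEBIPTablesTearOldRules },
        { "ebiptablesRemoveBasicRules", testNWFilterEBIPTablesRemoveBasicRules },
        { "ebiptablesTearNewRules", testNWFilterEBIPTablesTearNewRules },
        { "ebiptablesApplyBasicRules", testNWFilterEBIPTablesApplyBasicRules },
        { "ebiptablesApplyDHCPOnlyRules", testNWFilterEBIPTablesApplyDHCPOnlyRules },
        { "ebiptablesApplyDropAllRules", testNWFilterEBIPTablesApplyDropAllRules },
    };
    size_t i;
    int ret = 0;

    if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
        if (!hasNetfilterTools()) {
            /* trailing newline so the skip reason is not glued to the
             * harness' next line of output */
            fprintf(stderr, "iptables/ip6tables/ebtables tools not present\n");
            return EXIT_AM_SKIP;
        }
        return EXIT_FAILURE;
    }

    /* keep running after a failure so every mismatch is reported */
    for (i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        if (virTestRun(tests[i].name, tests[i].body, NULL) < 0)
            ret = -1;
    }

    return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}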
/* testutils.h supplies main() via this macro and dispatches to mymain() */
VIR_TEST_MAIN(mymain)