= A simple simulator to test our iptables rule generation =

== Invocation ==

# ./fwtester.pl

This scans for subdirectories named test-* and invokes fwtester.pl for each
subdirectory with:

# ./fwtester.pl test-<name>/tests

== Test directory contents ==

Each test directory can contain the following files:

* cluster.fw   Cluster wide firewall config
* host.fw      Host firewall config
* <VMID>.fw    Firewall config for VMs
* tests        Test descriptions

== Test description ==

The test description file can contain one or more tests using the following
syntax:

{ from => '<zone>', to => '<zone>', action => '<DROP|REJECT|ACCEPT>', [ source => '<ip>',] [ dest => '<ip>',] [ proto => '<tcp|udp>',] [ dport => <port>,] [ sport => <port>,] }

The following <zone> definitions exist currently:

* host: The host itself
* outside: The outside world (alias for 'vmbr0/eth0')
* vm<ID>: A qemu virtual machine
* ct<ID>: An openvz container
* nfvm: Non firewalled VM (alias for 'vmbr0/tapXYZ')
* vmbr<\d+>/<bport>: Unmanaged bridge port

== Test examples ==

{ from => 'outside', to => 'ct200', dport => 22, action => 'ACCEPT' }
{ from => 'vm101', to => 'vm100', dport => 443, action => 'ACCEPT', id => 'vm2vm' }

You can assign an 'id' to each test, so that you can run them separately:

./fwtester.pl -d test-basic1/tests vm2vm
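As an added example (not code from fwtester.pl or the pve-firewall project), the following stand-alone Python reader parses a `tests` file written in the syntax above, checks each entry against the zone, action, proto, port and address rules the README states, and selects a single test by its 'id' the way `fwtester.pl -d <dir>/tests <id>` does. It assumes the file holds one `{ ... }` hash per line, that lines starting with '#' are comments, and that `source`/`dest` may be a single address or a CIDR prefix; the sample file is constructed for the example and `load_tests`, `lint_tests`, `parse_test_line` and `validate_test` are names chosen here, not the tool's own.

```python
import re
from ipaddress import ip_network

# Constructed sample of a 'tests' file in the README's syntax (not from the project).
SAMPLE_TESTS = """\
# constructed sample; one test hash per line, '#' lines are comments (assumption)
{ from => 'outside', to => 'ct200', dport => 22, action => 'ACCEPT' }
{ from => 'vm101', to => 'vm100', dport => 443, action => 'ACCEPT', id => 'vm2vm'}
{ from => 'outside', to => 'vm100', source => '10.0.0.0/24', proto => 'tcp', dport => 80, action => 'REJECT', id => 'web' }
{ from => 'nfvm', to => 'host', action => 'BLOCK', source => 'not-an-ip' }
"""

VALID_ACTIONS = {"DROP", "REJECT", "ACCEPT"}
VALID_PROTOS = {"tcp", "udp"}
# Zone grammar taken from the README's zone list: host, outside, nfvm, vm<ID>,
# ct<ID>, vmbr<N>/<bport>.
ZONE_RE = re.compile(r"^(host|outside|nfvm|vm\d+|ct\d+|vmbr\d+/[A-Za-z0-9_.:-]+)$")
# One  key => value  pair: the value is a single-quoted string or a bare integer.
PAIR_RE = re.compile(r"(\w+)\s*=>\s*(?:'([^']*)'|(\d+))")


def parse_test_line(line):
    """Parse one "{ key => value, ... }" test description into a dict.

    Quoted values stay strings, bare numbers (ports) become ints.
    """
    body = line.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError(f"not a test hash: {line!r}")
    test = {}
    for key, sval, ival in PAIR_RE.findall(body[1:-1]):
        test[key] = int(ival) if ival else sval
    return test


def validate_test(test):
    """Return a list of problems with one parsed test (empty list = well-formed)."""
    problems = []
    for key in ("from", "to", "action"):
        if key not in test:
            problems.append(f"missing required key '{key}'")
    for key in ("from", "to"):
        if key in test and not ZONE_RE.match(str(test[key])):
            problems.append(f"unknown zone {test[key]!r} in '{key}'")
    if "action" in test and test["action"] not in VALID_ACTIONS:
        problems.append(f"unknown action {test['action']!r}")
    if "proto" in test and test["proto"] not in VALID_PROTOS:
        problems.append(f"unknown proto {test['proto']!r}")
    for key in ("dport", "sport"):
        if key in test and not (isinstance(test[key], int) and 1 <= test[key] <= 65535):
            problems.append(f"{key} must be a port number 1-65535, got {test[key]!r}")
    for key in ("source", "dest"):
        if key in test:
            try:
                ip_network(str(test[key]), strict=False)  # accepts a host IP or a CIDR prefix
            except ValueError:
                problems.append(f"bad address {test[key]!r} in '{key}'")
    return problems


def _iter_test_lines(text):
    """Yield (lineno, line) for every non-blank, non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line


def load_tests(text, only_id=None):
    """Parse all tests; with only_id, keep just the test carrying that 'id'
    (mirrors selecting one test on the fwtester.pl command line)."""
    tests = [parse_test_line(line) for _, line in _iter_test_lines(text)]
    if only_id is not None:
        tests = [t for t in tests if t.get("id") == only_id]
    return tests


def lint_tests(text):
    """Validate every test in a file; return 'line N: problem' strings."""
    findings = []
    for lineno, line in _iter_test_lines(text):
        for problem in validate_test(parse_test_line(line)):
            findings.append(f"line {lineno}: {problem}")
    return findings


if __name__ == "__main__":
    for t in load_tests(SAMPLE_TESTS, only_id="vm2vm"):
        print("selected:", t)
    for finding in lint_tests(SAMPLE_TESTS):
        print(finding)
```

Running the module prints the single 'vm2vm' test and two findings for the last sample line (an action outside DROP/REJECT/ACCEPT and an unparsable source address); a tests file that lints clean can then be handed to fwtester.pl without guessing why a test was skipped.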