projects / pve-firewall.git / blame
| Commit | Line | Data |
|---|---|---|
| bee67bf1 DM |
1 | =A simple simulator to test our iptables rules= |
| 2 | ||
| 3 | ==Invovation== | |
| 4 | ||
| 5 | # ./fwtester.pl | |
| 6 | ||
| 7 | This scans for subdirectory named test-* an invokes fwtester.pl | |
| 8 | for each subdirectory with: | |
| 9 | ||
| 10 | # ./fwtester.pl test-<name>/tests | |
| 11 | ||
| 12 | ==Test directory contents== | |
| 13 | ||
| 14 | Each test directory can contain the following files: | |
| 15 | ||
| 16 | *cluster.fw Cluster wide firewall config | |
| 17 | ||
| 18 | *host.fw Host firewall config | |
| 19 | ||
| 20 | *<VMID>.fw Firewall config for VMs | |
| 21 | ||
| 22 | *tests Test descriptions | |
| 23 | ||
| 24 | ==Test description== | |
| 25 | ||
| 26 | The test description file can contain one or more tests using | |
| 27 | the following syntax: | |
| 28 | ||
| 29 | { from => '<zone>' , to => '<zone>', action => '<DROP|RECECT|ACCEPT>', [ source => '<ip>',] [ dest => '<ip>',] [ proto => '<tcp|udp>',] [ dport => <port>,], [ sport => <port>,] } | |
| 30 | ||
| 31 | The following <zone> definition exist currently: | |
| 32 | ||
| 47ece390 | 33 | * host: The host itself |
| bee67bf1 | 34 | |
| 47ece390 | 35 | * outside: The outside world (alias for 'vmbr0/eth0') |
| bee67bf1 | 36 | |
| 47ece390 | 37 | * vm<ID>: A qemu virtual machine |
| bee67bf1 | 38 | |
| 47ece390 | 39 | * ct<ID>: An openvz container |
| bee67bf1 | 40 | |
| 47ece390 | 41 | * nfvm: Non firewalled VM (alias for 'vmbr0/tapXYZ') |
| c0c871d8 | 42 | |
| 47ece390 DM |
43 | * vmbr<\d+>/<bport>: Unmanaged bridge port |
| 44 | ||
| 45 | ||
| bee67bf1 DM |
46 | ==Test examples== |
| 47 | ||
| 48 | { from => 'outside', to => 'ct200', dport => 22, action => 'ACCEPT' } | |
| 49 | { from => 'vm101', to => 'vm100', dport => 443, action => 'ACCEPT', id => 'vm2vm'} | |
| 50 | ||
| 51 | You can assign an 'id' to each test, so that you can run them separately: | |
| 52 | ||
| 53 | ./fwtester.pl -d test-basic1/tests vm2vm | |
| 54 |