#!/usr/bin/perl

use strict;
use warnings;

use lib '../src';

use Data::Dumper;
use File::Basename;
use Getopt::Long;
use IO::File;
use Net::IP;

use PVE::Corosync;
use PVE::FirewallSimulator;
use PVE::INotify;
use PVE::Tools;

# Set by --debug. When true, run_tests() dumps the compiled filter ruleset
# before every test case; the value is also handed to
# PVE::FirewallSimulator::debug() so the simulator can raise its verbosity.
my $debug = 0;

# Abort with the command-line synopsis; used when option parsing fails.
sub print_usage_and_exit {
    my $usage = "usage: $0 [--debug] [testfile [testid]]\n";
    die $usage;
}

# --debug is the only recognised option; anything unparseable aborts with
# the usage text.
GetOptions('debug' => \$debug)
    or print_usage_and_exit();

# load dummy corosync config to have fw create according rules
my $corosync_conf_fn = "corosync.conf";
my $corosync_raw = PVE::Tools::file_get_contents($corosync_conf_fn);

# The dummy config presumably marks the local node as "proxself"; swap in the
# real nodename. The replacement also appends a newline after the hostname,
# which is kept exactly as the original substitution did.
my $local_hostname = PVE::INotify::nodename();
my $corosync_patched = $corosync_raw;
$corosync_patched =~ s/proxself$/$local_hostname\n/gm;

my $corosync_conf = PVE::Corosync::parse_conf($corosync_conf_fn, $corosync_patched);

PVE::FirewallSimulator::debug($debug);

# Remaining positional arguments: optional test file (or directory) and an
# optional test id; both are consumed from @ARGV like the original shifts did.
my ($testfilename, $testid) = splice(@ARGV, 0, 2);

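# Compile the firewall ruleset for $vmdata and replay every test case found in
# "$testdir/$testfile" (default: "$testdir/tests") through the simulator.
#
# $vmdata   - hashref describing the guests (qemu/lxc) whose rules are
#             compiled; its 'testdir' key is set to $testdir before compiling
# $testdir  - directory holding the test file
# $testfile - optional file name inside $testdir, defaults to 'tests'
# $testid   - optional id; when given, only the test case whose 'id' key
#             matches is run
#
# Each non-blank, non-comment line of the test file must be a single Perl hash
# literal ("{ ... }"). It is evaluated with string eval, i.e. executed as
# Perl code, so the test files are trusted input by design.
#
# Dies on a parse error, a non-hash test case, or when no test ran. A failing
# simulation prints the ruleset, the simulator trace and the offending line,
# then terminates the whole process via exit(-1).
#
# Returns nothing.
sub run_tests {
    my ($vmdata, $testdir, $testfile, $testid) = @_;

    $testfile = 'tests' if !$testfile;

    $vmdata->{testdir} = $testdir;

    my $host_ip = '172.16.1.2';

    PVE::Firewall::local_network('172.16.1.0/24');

    my ($ruleset, $ipset_ruleset) =
        PVE::Firewall::compile(undef, undef, $vmdata, $corosync_conf);

    my $filename = "$testdir/$testfile";
    my $fh = IO::File->new($filename)
        or die "unable to open '$filename' - $!\n";

    my $testcount = 0;
    while (defined(my $line = <$fh>)) {
        next if $line =~ m/^\s*$/;
        next if $line =~ m/^#.*$/;

        die "parse error" if $line !~ m/^\{.*\}\s*$/;

        # The test line is Perl source and is executed as such. This is only
        # acceptable because the test files ship with the repository; do not
        # point this harness at test files from an untrusted source.
        my $test = eval $line;
        die $@ if $@;
        die "parse error: test case is not a hash\n" if ref($test) ne 'HASH';

        next if defined($testid) && (!defined($test->{id}) || ($testid ne $test->{id}));

        PVE::FirewallSimulator::reset_trace();
        print Dumper($ruleset->{filter}) if $debug;
        $testcount++;

        eval {
            _simulate_test($ruleset, $ipset_ruleset, $host_ip, $vmdata, $test);
        };
        if (my $err = $@) {
            # without --debug the ruleset and trace were not printed yet, so
            # dump them now to make the failure diagnosable
            print Dumper($ruleset->{filter}) if !$debug;
            print PVE::FirewallSimulator::get_trace() . "\n" if !$debug;
            print "$filename line $.: $line";
            print "test failed: $err\n";
            exit(-1);
        }
    }

    die "no tests found\n" if $testcount <= 0;

    print "PASS: $filename\n";

    return;
}

# Run one test case through the simulator. When both 'from' and 'to' are
# given, a single simulation runs. When exactly one of them is missing, the
# missing side is swept over every other known zone; $test->{to} (or
# $test->{from}) is mutated in place for each iteration, as before.
sub _simulate_test {
    my ($ruleset, $ipset_ruleset, $host_ip, $vmdata, $test) = @_;

    my @test_zones = qw(host outside nfvm vm100 ct200);

    if (!defined($test->{from}) && !defined($test->{to})) {
        die "missing zone speification (from, to)\n";
    }

    if (defined($test->{from}) && defined($test->{to})) {
        PVE::FirewallSimulator::simulate_firewall($ruleset->{filter}, $ipset_ruleset,
            $host_ip, $vmdata, $test);
        return;
    }

    # exactly one side is missing: sweep it over all zones except the fixed one
    my $missing = defined($test->{to}) ? 'from' : 'to';
    my $fixed = $missing eq 'to' ? 'from' : 'to';
    foreach my $zone (@test_zones) {
        next if $zone eq $test->{$fixed};
        $test->{$missing} = $zone;
        PVE::FirewallSimulator::add_trace("Set Zone: $missing => '$zone'\n");
        PVE::FirewallSimulator::simulate_firewall($ruleset->{filter}, $ipset_ruleset,
            $host_ip, $vmdata, $test);
    }

    return;
}
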
# Guest configuration handed to PVE::Firewall::compile() by run_tests(), which
# also stores the current test directory under its 'testdir' key. Every NIC
# below is configured with firewall=1; the MAC addresses and container IPs are
# the values the test cases refer to.
my $vmdata = {
    qemu => {
        100 => {
            net0 => "e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1",
            net1 => "e1000=0E:0B:38:B9:B4:21,bridge=vmbr1,firewall=1",
            net2 => "e1000=0E:0B:38:BA:B4:21,bridge=vmbr2,firewall=1",
        },
        101 => {
            net0 => "e1000=0E:0B:38:B8:B3:22,bridge=vmbr0,firewall=1",
        },
        # on bridge vmbr1
        110 => {
            net0 => "e1000=0E:0B:38:B8:B4:21,bridge=vmbr1,firewall=1",
        },
    },
    lxc => {
        200 => {
            net0 => "name=eth0,hwaddr=0E:18:24:41:2C:43,bridge=vmbr0,firewall=1,ip=10.0.200.1/24",
        },
        201 => {
            net0 => "name=eth0,hwaddr=0E:18:24:41:2C:44,bridge=vmbr0,firewall=1,ip=10.0.200.2/24",
        },
    },
};

# Dispatch: an explicit test file, an explicit test directory, or - with no
# argument - every "test-*" directory below the current one.
if ($testfilename) {
    die "no such file/dir '$testfilename'\n"
        if !-d $testfilename && !-f $testfilename;

    my $is_dir = -d $testfilename;
    my $dir = $is_dir ? $testfilename : dirname($testfilename);
    my $testfile = $is_dir ? undef : basename($testfilename);

    run_tests($vmdata, $dir, $testfile, $testid);
}
else {
    foreach my $dir (grep { -d $_ } glob('test-*')) {
        run_tests($vmdata, $dir);
    }
}

print "OK - all tests passed\n";

exit(0);