[pve-firewall.git] / test / fwtester.pl

#!/usr/bin/perl

use lib '../src';
use strict;
use warnings;
use Data::Dumper;
use PVE::FirewallSimulator;
use PVE::INotify;
use PVE::Corosync;
use Getopt::Long;
use File::Basename;
use Net::IP;

my $debug = 0;

sub print_usage_and_exit {
    die "usage: $0 [--debug] [testfile [testid]]\n";
}

if (!GetOptions ('debug' => \$debug)) {
    print_usage_and_exit();
}

# load dummy corosync config to have fw create according rules
my $corosync_conf_fn = "corosync.conf";
my $raw = PVE::Tools::file_get_contents($corosync_conf_fn);
my $local_hostname = PVE::INotify::nodename();
(my $raw_replaced = $raw) =~ s/proxself$/$local_hostname\n/gm;
my $corosync_conf = PVE::Corosync::parse_conf($corosync_conf_fn, $raw_replaced);

PVE::FirewallSimulator::debug($debug);
 
my $testfilename = shift;
my $testid = shift;

sub run_tests {
    my ($vmdata, $testdir, $testfile, $testid) = @_;

    $testfile = 'tests' if !$testfile;


    $vmdata->{testdir} = $testdir;

    my $host_ip = '172.16.1.2';

    PVE::Firewall::local_network('172.16.1.0/24');

    my ($ruleset, $ipset_ruleset) = 
	PVE::Firewall::compile(undef, undef, $vmdata, $corosync_conf);

    my $filename = "$testdir/$testfile";
    my $fh = IO::File->new($filename) ||
	die "unable to open '$filename' - $!\n";

    my $testcount = 0;
    while (defined(my $line = <$fh>)) {
	next if $line =~ m/^\s*$/;
	next if $line =~ m/^#.*$/;
	if ($line =~ m/^\{.*\}\s*$/) {
	    my $test = eval $line;
	    die $@ if $@;
	    next if defined($testid) && (!defined($test->{id}) || ($testid ne $test->{id}));
	    PVE::FirewallSimulator::reset_trace();
	    print Dumper($ruleset) if $debug;
	    $testcount++;
	    eval {
		my @test_zones = qw(host outside nfvm vm100 ct200);
		if (!defined($test->{from}) && !defined($test->{to})) {
		    die "missing zone speification (from, to)\n";
		} elsif (!defined($test->{to})) {
		    foreach my $zone (@test_zones) {
			next if $zone eq $test->{from};
			$test->{to} = $zone;
			PVE::FirewallSimulator::add_trace("Set Zone: to => '$zone'\n"); 
			PVE::FirewallSimulator::simulate_firewall($ruleset, $ipset_ruleset, 
								  $host_ip, $vmdata, $test);
		    }
		} elsif (!defined($test->{from})) {
		    foreach my $zone (@test_zones) {
			next if $zone eq $test->{to};
			$test->{from} = $zone;
			PVE::FirewallSimulator::add_trace("Set Zone: from => '$zone'\n"); 
			PVE::FirewallSimulator::simulate_firewall($ruleset, $ipset_ruleset, 
								  $host_ip, $vmdata, $test);
		    }
		} else {
		    PVE::FirewallSimulator::simulate_firewall($ruleset, $ipset_ruleset, 
							      $host_ip, $vmdata, $test);
		}
	    };
	    if (my $err = $@) {

		print Dumper($ruleset) if !$debug;

		print PVE::FirewallSimulator::get_trace() . "\n" if !$debug;

		print "$filename line $.: $line";

		print "test failed: $err\n";

		exit(-1);
	    }
	} else {
	    die "parse error";
	}
    }

    die "no tests found\n" if $testcount <= 0;

    print "PASS: $filename\n";

    return undef;
}

my $vmdata = {
    qemu => {
	100 => {
	    net0 => "e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1",
	    net1 => "e1000=0E:0B:38:B9:B4:21,bridge=vmbr1,firewall=1",
	    net2 => "e1000=0E:0B:38:BA:B4:21,bridge=vmbr2,firewall=1",
	},
	101 => {
	    net0 => "e1000=0E:0B:38:B8:B3:22,bridge=vmbr0,firewall=1",
	},
	# on bridge vmbr1
	110 => {
	    net0 => "e1000=0E:0B:38:B8:B4:21,bridge=vmbr1,firewall=1",
	},
    },
    lxc => {
	200 => {
	    net0 => "name=eth0,hwaddr=0E:18:24:41:2C:43,bridge=vmbr0,firewall=1,ip=10.0.200.1/24",
	},
	201 => {
	    net0 => "name=eth0,hwaddr=0E:18:24:41:2C:44,bridge=vmbr0,firewall=1,ip=10.0.200.2/24",
	},
    },
};

if ($testfilename) {
    my $testfile;
    my $dir;

    if (-d $testfilename) {
	$dir = $testfilename;
    } elsif (-f $testfilename) {
	$dir = dirname($testfilename);
	$testfile = basename($testfilename);
    } else {
	die "no such file/dir '$testfilename'\n"; 
    }

    run_tests($vmdata, $dir, $testfile, $testid);

} else { 
    foreach my $dir (<test-*>) {
	next if ! -d $dir;
	run_tests($vmdata, $dir);
    }
}

print "OK - all tests passed\n";

exit(0);
Commit	Line	Data
f1bafd37 DM	1	#!/usr/bin/perl
	2
	3	use lib '../src';
	4	use strict;
	5	use warnings;
	6	use Data::Dumper;
63e8c70e	7	use PVE::FirewallSimulator;
6f6a6b3f SR	8	use PVE::INotify;
6f6a6b3f SR	9	use PVE::Corosync;
ec2e28f6 DM	10	use Getopt::Long;
ec2e28f6 DM	11	use File::Basename;
680d56ee	12	use Net::IP;
f1bafd37	13
d1486f38 DM	14	my $debug = 0;
d1486f38 DM	15
ec2e28f6 DM	16	sub print_usage_and_exit {
	17	die "usage: $0 [--debug] [testfile [testid]]\n";
	18	}
	19
	20	if (!GetOptions ('debug' => \$debug)) {
	21	print_usage_and_exit();
	22	}
	23
6f6a6b3f SR	24	# load dummy corosync config to have fw create according rules
	25	my $corosync_conf_fn = "corosync.conf";
	26	my $raw = PVE::Tools::file_get_contents($corosync_conf_fn);
	27	my $local_hostname = PVE::INotify::nodename();
	28	(my $raw_replaced = $raw) =~ s/proxself$/$local_hostname\n/gm;
	29	my $corosync_conf = PVE::Corosync::parse_conf($corosync_conf_fn, $raw_replaced);
	30
63e8c70e DM	31	PVE::FirewallSimulator::debug($debug);
63e8c70e DM	32
ec2e28f6 DM	33	my $testfilename = shift;
	34	my $testid = shift;
	35
f1bafd37	36	sub run_tests {
ec2e28f6 DM	37	my ($vmdata, $testdir, $testfile, $testid) = @_;
	38
	39	$testfile = 'tests' if !$testfile;
f1bafd37	40
63e8c70e	41
f1bafd37 DM	42	$vmdata->{testdir} = $testdir;
f1bafd37 DM	43
63e8c70e DM	44	my $host_ip = '172.16.1.2';
63e8c70e DM	45
525778d7	46	PVE::Firewall::local_network('172.16.1.0/24');
ee06b009	47
f1bafd37	48	my ($ruleset, $ipset_ruleset) =
6f6a6b3f	49	PVE::Firewall::compile(undef, undef, $vmdata, $corosync_conf);
f1bafd37	50
ec2e28f6 DM	51	my $filename = "$testdir/$testfile";
	52	my $fh = IO::File->new($filename) \|\|
	53	die "unable to open '$filename' - $!\n";
f1bafd37	54
ec2e28f6	55	my $testcount = 0;
f1bafd37 DM	56	while (defined(my $line = <$fh>)) {
	57	next if $line =~ m/^\s*$/;
	58	next if $line =~ m/^#.*$/;
	59	if ($line =~ m/^\{.\}\s$/) {
	60	my $test = eval $line;
	61	die $@ if $@;
ec2e28f6	62	next if defined($testid) && (!defined($test->{id}) \|\| ($testid ne $test->{id}));
63e8c70e	63	PVE::FirewallSimulator::reset_trace();
d1486f38	64	print Dumper($ruleset) if $debug;
ec2e28f6	65	$testcount++;
1352eaa1 DM	66	eval {
	67	my @test_zones = qw(host outside nfvm vm100 ct200);
	68	if (!defined($test->{from}) && !defined($test->{to})) {
	69	die "missing zone speification (from, to)\n";
	70	} elsif (!defined($test->{to})) {
	71	foreach my $zone (@test_zones) {
	72	next if $zone eq $test->{from};
	73	$test->{to} = $zone;
63e8c70e DM	74	PVE::FirewallSimulator::add_trace("Set Zone: to => '$zone'\n");
	75	PVE::FirewallSimulator::simulate_firewall($ruleset, $ipset_ruleset,
	76	$host_ip, $vmdata, $test);
1352eaa1 DM	77	}
	78	} elsif (!defined($test->{from})) {
	79	foreach my $zone (@test_zones) {
	80	next if $zone eq $test->{to};
	81	$test->{from} = $zone;
63e8c70e DM	82	PVE::FirewallSimulator::add_trace("Set Zone: from => '$zone'\n");
	83	PVE::FirewallSimulator::simulate_firewall($ruleset, $ipset_ruleset,
	84	$host_ip, $vmdata, $test);
1352eaa1 DM	85	}
1352eaa1 DM	86	} else {
63e8c70e DM	87	PVE::FirewallSimulator::simulate_firewall($ruleset, $ipset_ruleset,
63e8c70e DM	88	$host_ip, $vmdata, $test);
1352eaa1 DM	89	}
1352eaa1 DM	90	};
f1bafd37 DM	91	if (my $err = $@) {
f1bafd37 DM	92
d1486f38	93	print Dumper($ruleset) if !$debug;
f1bafd37	94
63e8c70e	95	print PVE::FirewallSimulator::get_trace() . "\n" if !$debug;
f1bafd37	96
ec2e28f6	97	print "$filename line $.: $line";
f1bafd37 DM	98
	99	print "test failed: $err\n";
	100
	101	exit(-1);
	102	}
	103	} else {
	104	die "parse error";
	105	}
	106	}
	107
ec2e28f6 DM	108	die "no tests found\n" if $testcount <= 0;
	109
	110	print "PASS: $filename\n";
f1bafd37 DM	111
	112	return undef;
	113	}
	114
	115	my $vmdata = {
	116	qemu => {
	117	100 => {
db990d66	118	net0 => "e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1",
66f33d78 DM	119	net1 => "e1000=0E:0B:38:B9:B4:21,bridge=vmbr1,firewall=1",
66f33d78 DM	120	net2 => "e1000=0E:0B:38:BA:B4:21,bridge=vmbr2,firewall=1",
d1486f38 DM	121	},
d1486f38 DM	122	101 => {
db990d66	123	net0 => "e1000=0E:0B:38:B8:B3:22,bridge=vmbr0,firewall=1",
d1486f38 DM	124	},
	125	# on bridge vmbr1
	126	110 => {
db990d66	127	net0 => "e1000=0E:0B:38:B8:B4:21,bridge=vmbr1,firewall=1",
f1bafd37 DM	128	},
f1bafd37 DM	129	},
e038c485	130	lxc => {
f1bafd37	131	200 => {
e038c485	132	net0 => "name=eth0,hwaddr=0E:18:24:41:2C:43,bridge=vmbr0,firewall=1,ip=10.0.200.1/24",
f1bafd37	133	},
d1486f38	134	201 => {
e038c485	135	net0 => "name=eth0,hwaddr=0E:18:24:41:2C:44,bridge=vmbr0,firewall=1,ip=10.0.200.2/24",
d1486f38	136	},
f1bafd37 DM	137	},
	138	};
	139
ec2e28f6 DM	140	if ($testfilename) {
	141	my $testfile;
	142	my $dir;
	143
	144	if (-d $testfilename) {
	145	$dir = $testfilename;
	146	} elsif (-f $testfilename) {
	147	$dir = dirname($testfilename);
	148	$testfile = basename($testfilename);
	149	} else {
	150	die "no such file/dir '$testfilename'\n";
	151	}
	152
	153	run_tests($vmdata, $dir, $testfile, $testid);
	154
	155	} else {
	156	foreach my $dir (<test-*>) {
	157	next if ! -d $dir;
	158	run_tests($vmdata, $dir);
	159	}
f1bafd37 DM	160	}
	161
	162	print "OK - all tests passed\n";
	163
	164	exit(0);