1 | #!/usr/bin/perl |
2 | ||
3 | use lib '../src'; | |
4 | use strict; | |
5 | use warnings; | |
6 | use Data::Dumper; | |
63e8c70e | 7 | use PVE::FirewallSimulator; |
6f6a6b3f SR |
8 | use PVE::INotify; |
9 | use PVE::Corosync; | |
ec2e28f6 DM |
10 | use Getopt::Long; |
11 | use File::Basename; | |
680d56ee | 12 | use Net::IP; |
f1bafd37 | 13 | |
# Verbosity flag: off by default, switched on by --debug (see GetOptions
# below) and handed to PVE::FirewallSimulator::debug().
my $debug = 0;

# Abort with the command-line usage.  die() writes the message to STDERR and
# exits non-zero; the trailing "\n" keeps Perl from appending "at ... line".
sub print_usage_and_exit {
    my $usage = "usage: $0 [--debug] [testfile [testid]]\n";
    die $usage;
}
19 | ||
GetOptions('debug' => \$debug) or print_usage_and_exit();

# Load a dummy corosync config so the firewall compiles the corresponding
# cluster rules.  Every line ending in "proxself" is rewritten to the local
# node name (the substitution also appends a newline), so the dummy cluster
# appears to contain this host.
# NOTE(review): PVE::Tools is not use'd by this file; it appears to be loaded
# transitively by one of the PVE modules above.
my $corosync_conf_fn = "corosync.conf";
my $local_hostname = PVE::INotify::nodename();
my $corosync_raw = PVE::Tools::file_get_contents($corosync_conf_fn);
$corosync_raw =~ s/proxself$/$local_hostname\n/gm;
my $corosync_conf = PVE::Corosync::parse_conf($corosync_conf_fn, $corosync_raw);

PVE::FirewallSimulator::debug($debug);

# Optional positional arguments: a test file or directory, and a single
# test id inside it.  Both are consumed from @ARGV.
my ($testfilename, $testid) = splice(@ARGV, 0, 2);
35 | ||
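# Compile the firewall rules for $vmdata and run every test case found in
# "$testdir/$testfile" (default file name: 'tests') through the simulator.
#
# Each non-blank, non-comment line of the test file must be a single-line
# Perl hash literal, e.g. { from => 'host', to => 'vm100', ... }.  The hash
# is passed on to PVE::FirewallSimulator::simulate_firewall(); the only keys
# read here are 'id', 'from' and 'to'.  When exactly one of 'from'/'to' is
# missing, the test is repeated against every other zone (see
# _simulate_test()).
#
# Arguments:
#   $vmdata   - guest configuration hashref passed to PVE::Firewall::compile();
#               it is modified: $vmdata->{testdir} is set to $testdir
#   $testdir  - directory holding the test file
#   $testfile - file name inside $testdir (optional, defaults to 'tests')
#   $testid   - when defined, only the test whose 'id' equals it is run
#               (shadows the file-level $testid on purpose)
#
# Uses the file-level $corosync_conf and $debug.  Returns nothing.  Dies when
# the file cannot be opened, a line cannot be parsed, or no test was run;
# calls exit(-1) on the first failing test after printing the ruleset, the
# simulator trace and the offending line.
sub run_tests {
    my ($vmdata, $testdir, $testfile, $testid) = @_;

    $testfile = 'tests' if !$testfile;

    $vmdata->{testdir} = $testdir;

    # Fixed addresses of the simulated host; the test files rely on them.
    my $host_ip = '172.16.1.2';
    PVE::Firewall::local_network('172.16.1.0/24');

    my ($ruleset, $ipset_ruleset) =
        PVE::Firewall::compile(undef, undef, $vmdata, $corosync_conf);

    my $filename = "$testdir/$testfile";
    # Three-argument open: the file name can never be misread as an open
    # mode, unlike the one-argument IO::File->new() form used before (which
    # also relied on IO::File being loaded by some other module).
    open(my $fh, '<', $filename)
        or die "unable to open '$filename' - $!\n";

    my $testcount = 0;
    while (defined(my $line = <$fh>)) {
        next if $line =~ m/^\s*$/;
        next if $line =~ m/^#.*$/;

        # Report where the malformed line is instead of a bare "parse error".
        die "parse error: $filename line $.: $line"
            if $line !~ m/^\{.*\}\s*$/;

        # The test files are Perl source by design: every line is a hash
        # literal that is evaluated as code, so only files shipped with the
        # test suite should be passed in.
        my $test = eval $line;
        die $@ if $@;
        die "parse error: $filename line $.: not a hash - $line"
            if ref($test) ne 'HASH';

        next if defined($testid) && (!defined($test->{id}) || ($testid ne $test->{id}));

        PVE::FirewallSimulator::reset_trace();
        print Dumper($ruleset) if $debug;
        $testcount++;

        eval { _simulate_test($ruleset, $ipset_ruleset, $host_ip, $vmdata, $test); };
        if (my $err = $@) {
            # With --debug the ruleset was already printed above; presumably
            # the simulator prints its trace as it goes in that mode too.
            print Dumper($ruleset) if !$debug;
            print PVE::FirewallSimulator::get_trace() . "\n" if !$debug;
            print "$filename line $.: $line";
            print "test failed: $err\n";
            exit(-1);
        }
    }
    close($fh);

    die "no tests found\n" if $testcount <= 0;

    print "PASS: $filename\n";

    return;
}

# Run one test case against the compiled rulesets.  When exactly one of
# 'from'/'to' is absent, the missing side is filled in with each zone of
# @test_zones (except the one already given) and the test is simulated once
# per zone; a trace entry records every substitution.  simulate_firewall()
# presumably dies on a failed expectation; the caller turns that into the
# failure report.
sub _simulate_test {
    my ($ruleset, $ipset_ruleset, $host_ip, $vmdata, $test) = @_;

    my @test_zones = qw(host outside nfvm vm100 ct200);

    my ($missing, $given);
    if (!defined($test->{from}) && !defined($test->{to})) {
        die "missing zone specification (from, to)\n";
    } elsif (!defined($test->{to})) {
        ($missing, $given) = ('to', 'from');
    } elsif (!defined($test->{from})) {
        ($missing, $given) = ('from', 'to');
    } else {
        PVE::FirewallSimulator::simulate_firewall(
            $ruleset, $ipset_ruleset, $host_ip, $vmdata, $test);
        return;
    }

    foreach my $zone (@test_zones) {
        next if $zone eq $test->{$given};
        $test->{$missing} = $zone;
        PVE::FirewallSimulator::add_trace("Set Zone: $missing => '$zone'\n");
        PVE::FirewallSimulator::simulate_firewall(
            $ruleset, $ipset_ruleset, $host_ip, $vmdata, $test);
    }
    return;
}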
114 | ||
# Guest configuration the firewall is compiled for.  The net* values use the
# regular PVE interface syntax and every interface carries firewall=1.
#
# QEMU: VM 100 on vmbr0/vmbr1/vmbr2, VM 101 on vmbr0, VM 110 on vmbr1 only.
my $qemu_guests = {
    100 => {
        net0 => "e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1",
        net1 => "e1000=0E:0B:38:B9:B4:21,bridge=vmbr1,firewall=1",
        net2 => "e1000=0E:0B:38:BA:B4:21,bridge=vmbr2,firewall=1",
    },
    101 => {
        net0 => "e1000=0E:0B:38:B8:B3:22,bridge=vmbr0,firewall=1",
    },
    # on bridge vmbr1
    110 => {
        net0 => "e1000=0E:0B:38:B8:B4:21,bridge=vmbr1,firewall=1",
    },
};

# LXC: containers 200 and 201 on vmbr0 with static addresses in 10.0.200.0/24.
my $lxc_guests = {
    200 => {
        net0 => "name=eth0,hwaddr=0E:18:24:41:2C:43,bridge=vmbr0,firewall=1,ip=10.0.200.1/24",
    },
    201 => {
        net0 => "name=eth0,hwaddr=0E:18:24:41:2C:44,bridge=vmbr0,firewall=1,ip=10.0.200.2/24",
    },
};

my $vmdata = {
    qemu => $qemu_guests,
    lxc  => $lxc_guests,
};
139 | ||
# Entry point: with a positional argument run only that test directory or
# file (optionally a single test id inside it); without one, run every
# "test-*" directory found in the current working directory.
if ($testfilename) {
    my ($dir, $testfile);
    if (-d $testfilename) {
        $dir = $testfilename;
    } elsif (-f $testfilename) {
        ($dir, $testfile) = (dirname($testfilename), basename($testfilename));
    } else {
        die "no such file/dir '$testfilename'\n";
    }
    run_tests($vmdata, $dir, $testfile, $testid);
} else {
    # Anything matching the pattern that is not a directory is skipped.
    foreach my $dir (grep { -d $_ } glob('test-*')) {
        run_tests($vmdata, $dir);
    }
}

print "OK - all tests passed\n";

exit(0);