]>
Commit | Line | Data |
---|---|---|
f1bafd37 DM |
1 | #!/usr/bin/perl |
2 | ||
3 | use lib '../src'; | |
4 | use strict; | |
5 | use warnings; | |
6 | use Data::Dumper; | |
7 | use PVE::Firewall; | |
ec2e28f6 DM |
8 | use Getopt::Long; |
9 | use File::Basename; | |
680d56ee | 10 | use Net::IP; |
f1bafd37 DM |
11 | |
12 | my $mark; | |
13 | my $trace; | |
14 | ||
d1486f38 DM |
15 | my $debug = 0; |
16 | ||
ec2e28f6 DM |
17 | sub print_usage_and_exit { |
18 | die "usage: $0 [--debug] [testfile [testid]]\n"; | |
19 | } | |
20 | ||
21 | if (!GetOptions ('debug' => \$debug)) { | |
22 | print_usage_and_exit(); | |
23 | } | |
24 | ||
25 | my $testfilename = shift; | |
26 | my $testid = shift; | |
27 | ||
d1486f38 DM |
28 | sub add_trace { |
29 | my ($text) = @_; | |
30 | ||
31 | if ($debug) { | |
32 | print $text; | |
33 | } else { | |
34 | $trace .= $text; | |
35 | } | |
36 | } | |
37 | ||
e4e5fcaf DM |
38 | sub nf_dev_match { |
39 | my ($devre, $dev) = @_; | |
40 | ||
41 | $devre =~ s/\+$/\.\*/; | |
42 | return ($dev =~ m/^${devre}$/) ? 1 : 0; | |
43 | } | |
44 | ||
292e0ad9 DM |
45 | sub ipset_match { |
46 | my ($ipsetname, $ipset, $ipaddr) = @_; | |
47 | ||
48 | my $ip = Net::IP->new($ipaddr); | |
49 | ||
50 | foreach my $entry (@$ipset) { | |
51 | next if $entry =~ m/^create/; # simply ignore | |
52 | if ($entry =~ m/add \S+ (\S+)$/) { | |
53 | my $test = Net::IP->new($1); | |
54 | if ($test->overlaps($ip)) { | |
55 | add_trace("IPSET $ipsetname match $ipaddr\n"); | |
56 | return 1; | |
57 | } | |
58 | } else { | |
59 | die "implement me"; | |
60 | } | |
61 | } | |
62 | ||
63 | return 0; | |
64 | } | |
65 | ||
f1bafd37 | 66 | sub rule_match { |
292e0ad9 | 67 | my ($ipset_ruleset, $chain, $rule, $pkg) = @_; |
f1bafd37 DM |
68 | |
69 | $rule =~ s/^-A $chain // || die "got strange rule: $rule"; | |
70 | ||
680d56ee DM |
71 | while (length($rule)) { |
72 | ||
832cd14c DM |
73 | if ($rule =~ s/^-m conntrack --ctstate (\S+)\s*//) { |
74 | my $cstate = $1; | |
75 | ||
76 | return undef if $cstate eq 'INVALID'; # no match | |
77 | return undef if $cstate eq 'RELATED,ESTABLISHED'; # no match | |
78 | ||
79 | next if $cstate =~ m/NEW/; | |
80 | ||
81 | die "please implement cstate test '$cstate'"; | |
680d56ee DM |
82 | } |
83 | ||
4a9ce6d3 DM |
84 | if ($rule =~ s/^-m addrtype --src-type (\S+)\s*//) { |
85 | my $atype = $1; | |
86 | die "missing srctype" if !$pkg->{srctype}; | |
87 | return undef if $atype ne $pkg->{srctype}; | |
88 | } | |
89 | ||
90 | if ($rule =~ s/^-m addrtype --dst-type (\S+)\s*//) { | |
91 | my $atype = $1; | |
92 | die "missing dsttype" if !$pkg->{dsttype}; | |
93 | return undef if $atype ne $pkg->{dsttype}; | |
680d56ee DM |
94 | } |
95 | ||
96 | if ($rule =~ s/^-i (\S+)\s*//) { | |
97 | my $devre = $1; | |
98 | die "missing iface_in" if !$pkg->{iface_in}; | |
99 | return undef if !nf_dev_match($devre, $pkg->{iface_in}); | |
100 | next; | |
101 | } | |
102 | ||
103 | if ($rule =~ s/^-o (\S+)\s*//) { | |
104 | my $devre = $1; | |
105 | die "missing iface_out" if !$pkg->{iface_out}; | |
106 | return undef if !nf_dev_match($devre, $pkg->{iface_out}); | |
107 | next; | |
108 | } | |
109 | ||
110 | if ($rule =~ s/^-p (tcp|udp)\s*//) { | |
111 | die "missing proto" if !$pkg->{proto}; | |
112 | return undef if $pkg->{proto} ne $1; # no match | |
113 | next; | |
114 | } | |
115 | ||
116 | if ($rule =~ s/^--dport (\d+):(\d+)\s*//) { | |
117 | die "missing dport" if !$pkg->{dport}; | |
118 | return undef if ($pkg->{dport} < $1) || ($pkg->{dport} > $2); # no match | |
119 | next; | |
120 | } | |
121 | ||
122 | if ($rule =~ s/^--dport (\d+)\s*//) { | |
123 | die "missing dport" if !$pkg->{dport}; | |
124 | return undef if $pkg->{dport} != $1; # no match | |
125 | next; | |
126 | } | |
127 | ||
128 | if ($rule =~ s/^-s (\S+)\s*//) { | |
129 | die "missing source" if !$pkg->{source}; | |
130 | my $ip = Net::IP->new($1); | |
131 | return undef if !$ip->overlaps(Net::IP->new($pkg->{source})); # no match | |
132 | next; | |
133 | } | |
f1bafd37 | 134 | |
680d56ee DM |
135 | if ($rule =~ s/^-d (\S+)\s*//) { |
136 | die "missing destination" if !$pkg->{dest}; | |
137 | my $ip = Net::IP->new($1); | |
138 | return undef if !$ip->overlaps(Net::IP->new($pkg->{dest})); # no match | |
139 | next; | |
140 | } | |
141 | ||
292e0ad9 DM |
142 | if ($rule =~ s/^-m set --match-set (\S+) src\s*//) { |
143 | die "missing source" if !$pkg->{source}; | |
144 | my $ipset = $ipset_ruleset->{$1}; | |
145 | die "no such ip set '$1'" if !$ipset; | |
146 | return undef if !ipset_match($1, $ipset, $pkg->{source}); | |
147 | next; | |
148 | } | |
149 | ||
150 | if ($rule =~ s/^-m set --match-set (\S+) dst\s*//) { | |
151 | die "missing destination" if !$pkg->{dest}; | |
152 | my $ipset = $ipset_ruleset->{$1}; | |
153 | die "no such ip set '$1'" if !$ipset; | |
154 | return undef if !ipset_match($1, $ipset, $pkg->{dest}); | |
155 | next; | |
156 | } | |
157 | ||
680d56ee DM |
158 | if ($rule =~ s/^-m mac ! --mac-source (\S+)\s*//) { |
159 | die "missing source mac" if !$pkg->{mac_source}; | |
160 | return undef if $pkg->{mac_source} eq $1; # no match | |
161 | next; | |
162 | } | |
163 | ||
164 | if ($rule =~ s/^-m physdev --physdev-is-bridged --physdev-in (\S+)\s*//) { | |
165 | my $devre = $1; | |
166 | return undef if !$pkg->{physdev_in}; | |
167 | return undef if !nf_dev_match($devre, $pkg->{physdev_in}); | |
168 | next; | |
169 | } | |
170 | ||
171 | if ($rule =~ s/^-m physdev --physdev-is-bridged --physdev-out (\S+)\s*//) { | |
172 | my $devre = $1; | |
173 | return undef if !$pkg->{physdev_out}; | |
174 | return undef if !nf_dev_match($devre, $pkg->{physdev_out}); | |
175 | next; | |
176 | } | |
177 | ||
178 | if ($rule =~ s/^-m mark --mark (\d+)\s*//) { | |
179 | return undef if !defined($mark) || $mark != $1; | |
180 | next; | |
181 | } | |
182 | ||
183 | # final actions | |
292e0ad9 | 184 | |
680d56ee DM |
185 | if ($rule =~ s/^-j MARK --set-mark (\d+)\s*$//) { |
186 | $mark = $1; | |
187 | return undef; | |
188 | } | |
189 | ||
190 | if ($rule =~ s/^-j (\S+)\s*$//) { | |
191 | return (0, $1); | |
192 | } | |
193 | ||
194 | if ($rule =~ s/^-g (\S+)\s*$//) { | |
195 | return (1, $1); | |
196 | } | |
197 | ||
292e0ad9 DM |
198 | if ($rule =~ s/^-j NFLOG --nflog-prefix \"[^\"]+\"$//) { |
199 | return undef; | |
200 | } | |
201 | ||
680d56ee | 202 | last; |
f1bafd37 DM |
203 | } |
204 | ||
205 | die "unable to parse rule: $rule"; | |
206 | } | |
207 | ||
208 | sub ruleset_simulate_chain { | |
292e0ad9 | 209 | my ($ruleset, $ipset_ruleset, $chain, $pkg) = @_; |
f1bafd37 | 210 | |
d1486f38 | 211 | add_trace("ENTER chain $chain\n"); |
f1bafd37 | 212 | |
6a84e461 | 213 | my $counter = 0; |
111cce51 | 214 | |
f1bafd37 | 215 | if ($chain eq 'PVEFW-Drop') { |
d1486f38 | 216 | add_trace("LEAVE chain $chain\n"); |
111cce51 | 217 | return ('DROP', $counter); |
f1bafd37 DM |
218 | } |
219 | if ($chain eq 'PVEFW-reject') { | |
d1486f38 | 220 | add_trace("LEAVE chain $chain\n"); |
111cce51 | 221 | return ('REJECT', $counter); |
f1bafd37 DM |
222 | } |
223 | ||
224 | if ($chain eq 'PVEFW-tcpflags') { | |
d1486f38 | 225 | add_trace("LEAVE chain $chain\n"); |
111cce51 | 226 | return (undef, $counter); |
f1bafd37 DM |
227 | } |
228 | ||
229 | my $rules = $ruleset->{$chain} || | |
230 | die "no such chain '$chain'"; | |
231 | ||
232 | foreach my $rule (@$rules) { | |
111cce51 | 233 | $counter++; |
292e0ad9 | 234 | my ($goto, $action) = rule_match($ipset_ruleset, $chain, $rule, $pkg); |
f1bafd37 | 235 | if (!defined($action)) { |
d1486f38 | 236 | add_trace("SKIP: $rule\n"); |
f1bafd37 DM |
237 | next; |
238 | } | |
d1486f38 | 239 | add_trace("MATCH: $rule\n"); |
f1bafd37 DM |
240 | |
241 | if ($action eq 'ACCEPT' || $action eq 'DROP' || $action eq 'REJECT') { | |
d1486f38 | 242 | add_trace("TERMINATE chain $chain: $action\n"); |
111cce51 | 243 | return ($action, $counter); |
f1bafd37 | 244 | } elsif ($action eq 'RETURN') { |
d1486f38 | 245 | add_trace("RETURN FROM chain $chain\n"); |
f1bafd37 DM |
246 | last; |
247 | } else { | |
248 | if ($goto) { | |
d1486f38 | 249 | add_trace("LEAVE chain $chain - goto $action\n"); |
292e0ad9 | 250 | return ruleset_simulate_chain($ruleset, $ipset_ruleset, $action, $pkg) |
f1bafd37 DM |
251 | #$chain = $action; |
252 | #$rules = $ruleset->{$chain} || die "no such chain '$chain'"; | |
253 | } else { | |
292e0ad9 | 254 | my ($act, $ctr) = ruleset_simulate_chain($ruleset, $ipset_ruleset, $action, $pkg); |
111cce51 DM |
255 | $counter += $ctr; |
256 | return ($act, $counter) if $act; | |
d1486f38 | 257 | add_trace("CONTINUE chain $chain\n"); |
f1bafd37 DM |
258 | } |
259 | } | |
260 | } | |
261 | ||
d1486f38 | 262 | add_trace("LEAVE chain $chain\n"); |
f1bafd37 | 263 | if ($chain =~ m/^PVEFW-(INPUT|OUTPUT|FORWARD)$/) { |
111cce51 | 264 | return ('ACCEPT', $counter); # default policy |
f1bafd37 DM |
265 | } |
266 | ||
111cce51 | 267 | return (undef, $counter); |
f1bafd37 DM |
268 | } |
269 | ||
270 | sub copy_packet { | |
271 | my ($pkg) = @_; | |
272 | ||
273 | my $res = {}; | |
274 | ||
275 | while (my ($k,$v) = each %$pkg) { | |
276 | $res->{$k} = $v; | |
277 | } | |
278 | ||
279 | return $res; | |
280 | } | |
281 | ||
d1486f38 DM |
282 | # Try to simulate packet traversal inside kernel. This invokes iptable |
283 | # checks several times. | |
284 | sub route_packet { | |
285 | my ($ruleset, $ipset_ruleset, $pkg, $from_info, $target, $start_state) = @_; | |
286 | ||
287 | my $route_state = $start_state; | |
288 | ||
289 | my $physdev_in; | |
290 | ||
111cce51 DM |
291 | my $ipt_invocation_counter = 0; |
292 | my $rule_check_counter = 0; | |
293 | ||
d1486f38 DM |
294 | while ($route_state ne $target->{iface}) { |
295 | ||
296 | my $chain; | |
297 | my $next_route_state; | |
298 | my $next_physdev_in; | |
299 | ||
300 | $pkg->{iface_in} = $pkg->{iface_out} = undef; | |
301 | $pkg->{physdev_in} = $pkg->{physdev_out} = undef; | |
302 | ||
47ece390 DM |
303 | if ($route_state eq 'from-bport') { |
304 | $next_route_state = $from_info->{bridge} || die 'internal error'; | |
305 | $next_physdev_in = $from_info->{iface} || die 'internal error'; | |
31dc73f1 | 306 | } elsif ($route_state eq 'host') { |
d1486f38 | 307 | |
47ece390 | 308 | if ($target->{type} eq 'bport') { |
c0c871d8 | 309 | $pkg->{iface_in} = 'lo'; |
47ece390 | 310 | $pkg->{iface_out} = $target->{bridge} || die 'internal error'; |
c0c871d8 | 311 | $chain = 'PVEFW-OUTPUT'; |
47ece390 | 312 | $next_route_state = $target->{iface} || die 'internal error'; |
31dc73f1 | 313 | } elsif ($target->{type} eq 'ct') { |
d1486f38 DM |
314 | $pkg->{iface_in} = 'lo'; |
315 | $pkg->{iface_out} = 'venet0'; | |
316 | $chain = 'PVEFW-OUTPUT'; | |
317 | $next_route_state = 'venet-in'; | |
318 | } elsif ($target->{type} eq 'vm') { | |
319 | $pkg->{iface_in} = 'lo'; | |
320 | $pkg->{iface_out} = $target->{bridge} || die 'internal error'; | |
321 | $chain = 'PVEFW-OUTPUT'; | |
322 | $next_route_state = 'fwbr-in'; | |
323 | } else { | |
324 | die "implement me"; | |
325 | } | |
326 | ||
327 | } elsif ($route_state eq 'venet-out') { | |
328 | ||
329 | if ($target->{type} eq 'host') { | |
330 | ||
331 | $chain = 'PVEFW-INPUT'; | |
332 | $pkg->{iface_in} = 'venet0'; | |
333 | $pkg->{iface_out} = 'lo'; | |
334 | $next_route_state = 'host'; | |
335 | ||
47ece390 | 336 | } elsif ($target->{type} eq 'bport') { |
c0c871d8 DM |
337 | |
338 | $chain = 'PVEFW-FORWARD'; | |
339 | $pkg->{iface_in} = 'venet0'; | |
47ece390 DM |
340 | $pkg->{iface_out} = $target->{bridge} || die 'internal error'; |
341 | $next_route_state = $target->{iface} || die 'internal error'; | |
c0c871d8 | 342 | |
d1486f38 DM |
343 | } elsif ($target->{type} eq 'vm') { |
344 | ||
345 | $chain = 'PVEFW-FORWARD'; | |
346 | $pkg->{iface_in} = 'venet0'; | |
347 | $pkg->{iface_out} = $target->{bridge} || die 'internal error'; | |
348 | $next_route_state = 'fwbr-in'; | |
349 | ||
350 | } elsif ($target->{type} eq 'ct') { | |
351 | ||
352 | $chain = 'PVEFW-FORWARD'; | |
353 | $pkg->{iface_in} = 'venet0'; | |
354 | $pkg->{iface_out} = 'venet0'; | |
355 | $next_route_state = 'venet-in'; | |
356 | ||
357 | } else { | |
358 | die "implement me"; | |
359 | } | |
360 | ||
361 | } elsif ($route_state eq 'fwbr-out') { | |
362 | ||
363 | $chain = 'PVEFW-FORWARD'; | |
364 | $next_route_state = $from_info->{bridge} || die 'internal error'; | |
365 | $next_physdev_in = $from_info->{fwpr} || die 'internal error'; | |
366 | $pkg->{iface_in} = $from_info->{fwbr} || die 'internal error'; | |
367 | $pkg->{iface_out} = $from_info->{fwbr} || die 'internal error'; | |
368 | $pkg->{physdev_in} = $from_info->{tapdev} || die 'internal error'; | |
369 | $pkg->{physdev_out} = $from_info->{fwln} || die 'internal error'; | |
370 | ||
371 | } elsif ($route_state eq 'fwbr-in') { | |
372 | ||
373 | $chain = 'PVEFW-FORWARD'; | |
374 | $next_route_state = $target->{tapdev}; | |
375 | $pkg->{iface_in} = $target->{fwbr} || die 'internal error'; | |
376 | $pkg->{iface_out} = $target->{fwbr} || die 'internal error'; | |
377 | $pkg->{physdev_in} = $target->{fwln} || die 'internal error'; | |
378 | $pkg->{physdev_out} = $target->{tapdev} || die 'internal error'; | |
379 | ||
380 | } elsif ($route_state =~ m/^vmbr\d+$/) { | |
381 | ||
382 | die "missing physdev_in - internal error?" if !$physdev_in; | |
eb5faed9 | 383 | $pkg->{physdev_in} = $physdev_in; |
d1486f38 DM |
384 | |
385 | if ($target->{type} eq 'host') { | |
386 | ||
387 | $chain = 'PVEFW-INPUT'; | |
388 | $pkg->{iface_in} = $route_state; | |
389 | $pkg->{iface_out} = 'lo'; | |
390 | $next_route_state = 'host'; | |
391 | ||
47ece390 | 392 | } elsif ($target->{type} eq 'bport') { |
31dc73f1 DM |
393 | |
394 | $chain = 'PVEFW-FORWARD'; | |
395 | $pkg->{iface_in} = $route_state; | |
47ece390 | 396 | $pkg->{iface_out} = $target->{bridge} || die 'internal error'; |
c0c871d8 | 397 | # conditionally set physdev_out (same behavior as kernel) |
47ece390 DM |
398 | if ($route_state eq $target->{bridge}) { |
399 | $pkg->{physdev_out} = $target->{iface} || die 'internal error'; | |
c0c871d8 | 400 | } |
47ece390 | 401 | $next_route_state = $target->{iface}; |
c0c871d8 | 402 | |
d1486f38 DM |
403 | } elsif ($target->{type} eq 'ct') { |
404 | ||
405 | $chain = 'PVEFW-FORWARD'; | |
406 | $pkg->{iface_in} = $route_state; | |
407 | $pkg->{iface_out} = 'venet0'; | |
408 | $next_route_state = 'venet-in'; | |
409 | ||
410 | } elsif ($target->{type} eq 'vm') { | |
411 | ||
412 | $chain = 'PVEFW-FORWARD'; | |
31dc73f1 DM |
413 | $pkg->{iface_in} = $route_state; |
414 | $pkg->{iface_out} = $target->{bridge}; | |
31dc73f1 | 415 | # conditionally set physdev_out (same behavior as kernel) |
d1486f38 | 416 | if ($route_state eq $target->{bridge}) { |
d1486f38 | 417 | $pkg->{physdev_out} = $target->{fwpr} || die 'internal error'; |
d1486f38 DM |
418 | } |
419 | $next_route_state = 'fwbr-in'; | |
420 | ||
421 | } else { | |
422 | die "implement me"; | |
423 | } | |
424 | ||
425 | } else { | |
426 | die "implement me $route_state"; | |
427 | } | |
428 | ||
429 | die "internal error" if !defined($next_route_state); | |
430 | ||
431 | if ($chain) { | |
432 | add_trace("IPT check at $route_state (chain $chain)\n"); | |
433 | add_trace(Dumper($pkg)); | |
111cce51 | 434 | $ipt_invocation_counter++; |
292e0ad9 | 435 | my ($res, $ctr) = ruleset_simulate_chain($ruleset, $ipset_ruleset, $chain, $pkg); |
111cce51 DM |
436 | $rule_check_counter += $ctr; |
437 | return ($res, $ipt_invocation_counter, $rule_check_counter) if $res ne 'ACCEPT'; | |
d1486f38 DM |
438 | } |
439 | ||
440 | $route_state = $next_route_state; | |
441 | ||
442 | $physdev_in = $next_physdev_in; | |
443 | } | |
444 | ||
111cce51 | 445 | return ('ACCEPT', $ipt_invocation_counter, $rule_check_counter); |
d1486f38 DM |
446 | } |
447 | ||
448 | sub extract_ct_info { | |
449 | my ($vmdata, $vmid) = @_; | |
450 | ||
451 | my $info = { type => 'ct', vmid => $vmid }; | |
452 | ||
453 | my $conf = $vmdata->{openvz}->{$vmid} || die "no such CT '$vmid'"; | |
454 | if ($conf->{ip_address}) { | |
455 | $info->{ip_address} = $conf->{ip_address}->{value}; | |
456 | } else { | |
457 | die "implement me"; | |
458 | } | |
459 | return $info; | |
460 | } | |
461 | ||
462 | sub extract_vm_info { | |
463 | my ($vmdata, $vmid) = @_; | |
464 | ||
465 | my $info = { type => 'vm', vmid => $vmid }; | |
466 | ||
467 | my $conf = $vmdata->{qemu}->{$vmid} || die "no such VM '$vmid'"; | |
468 | my $net = PVE::QemuServer::parse_net($conf->{net0}); | |
469 | $info->{macaddr} = $net->{macaddr} || die "unable to get mac address"; | |
470 | $info->{bridge} = $net->{bridge} || die "unable to get bridge"; | |
471 | $info->{fwbr} = "fwbr${vmid}i0"; | |
472 | $info->{tapdev} = "tap${vmid}i0"; | |
473 | $info->{fwln} = "fwln${vmid}i0"; | |
474 | $info->{fwpr} = "fwpr${vmid}p0"; | |
475 | ||
476 | return $info; | |
477 | } | |
f1bafd37 DM |
478 | |
479 | sub simulate_firewall { | |
480 | my ($ruleset, $ipset_ruleset, $vmdata, $test) = @_; | |
481 | ||
1352eaa1 DM |
482 | my $from = $test->{from} || die "missing 'from' field"; |
483 | my $to = $test->{to} || die "missing 'to' field"; | |
484 | my $action = $test->{action} || die "missing 'action'"; | |
8215a0da | 485 | |
1352eaa1 | 486 | my $testid = $test->{id}; |
8215a0da | 487 | |
f1bafd37 DM |
488 | die "from/to needs to be different" if $from eq $to; |
489 | ||
490 | my $pkg = { | |
f1bafd37 | 491 | proto => 'tcp', |
8215a0da DM |
492 | sport => undef, |
493 | dport => undef, | |
494 | source => undef, | |
495 | dest => undef, | |
4a9ce6d3 DM |
496 | srctype => 'UNICAST', |
497 | dsttype => 'UNICAST', | |
f1bafd37 DM |
498 | }; |
499 | ||
500 | while (my ($k,$v) = each %$test) { | |
1352eaa1 DM |
501 | next if $k eq 'from'; |
502 | next if $k eq 'to'; | |
503 | next if $k eq 'action'; | |
504 | next if $k eq 'id'; | |
8215a0da | 505 | die "unknown attribute '$k'\n" if !exists($pkg->{$k}); |
f1bafd37 DM |
506 | $pkg->{$k} = $v; |
507 | } | |
508 | ||
d1486f38 DM |
509 | my $from_info = {}; |
510 | ||
511 | my $start_state; | |
f1bafd37 | 512 | |
ee06b009 | 513 | my $host_ip = '172.16.1.2'; |
832cd14c | 514 | |
f1bafd37 | 515 | if ($from eq 'host') { |
d1486f38 DM |
516 | $from_info->{type} = 'host'; |
517 | $start_state = 'host'; | |
832cd14c | 518 | $pkg->{source} = $host_ip if !defined($pkg->{source}); |
47ece390 DM |
519 | } elsif ($from =~ m|^(vmbr\d+)/(\S+)$|) { |
520 | $from_info->{type} = 'bport'; | |
521 | $from_info->{bridge} = $1; | |
522 | $from_info->{iface} = $2; | |
523 | $start_state = 'from-bport'; | |
31dc73f1 | 524 | } elsif ($from eq 'outside') { |
47ece390 DM |
525 | $from_info->{type} = 'bport'; |
526 | $from_info->{bridge} = 'vmbr0'; | |
527 | $from_info->{iface} = 'eth0'; | |
528 | $start_state = 'from-bport'; | |
c0c871d8 | 529 | } elsif ($from eq 'nfvm') { |
47ece390 DM |
530 | $from_info->{type} = 'bport'; |
531 | $from_info->{bridge} = 'vmbr0'; | |
532 | $from_info->{iface} = 'tapXYZ'; | |
533 | $start_state = 'from-bport'; | |
f1bafd37 DM |
534 | } elsif ($from =~ m/^ct(\d+)$/) { |
535 | my $vmid = $1; | |
d1486f38 DM |
536 | $from_info = extract_ct_info($vmdata, $vmid); |
537 | if ($from_info->{ip_address}) { | |
1352eaa1 | 538 | $pkg->{source} = $from_info->{ip_address} if !defined($pkg->{source}); |
d1486f38 | 539 | $start_state = 'venet-out'; |
f1bafd37 DM |
540 | } else { |
541 | die "implement me"; | |
542 | } | |
f1bafd37 DM |
543 | } elsif ($from =~ m/^vm(\d+)$/) { |
544 | my $vmid = $1; | |
d1486f38 DM |
545 | $from_info = extract_vm_info($vmdata, $vmid); |
546 | $start_state = 'fwbr-out'; | |
547 | $pkg->{mac_source} = $from_info->{macaddr}; | |
f1bafd37 | 548 | } else { |
49e9d9a5 | 549 | die "unable to parse \"from => '$from'\"\n"; |
f1bafd37 DM |
550 | } |
551 | ||
d1486f38 DM |
552 | my $target; |
553 | ||
f1bafd37 | 554 | if ($to eq 'host') { |
d1486f38 DM |
555 | $target->{type} = 'host'; |
556 | $target->{iface} = 'host'; | |
832cd14c | 557 | $pkg->{dest} = $host_ip if !defined($pkg->{dest}); |
47ece390 DM |
558 | } elsif ($to =~ m|^(vmbr\d+)/(\S+)$|) { |
559 | $target->{type} = 'bport'; | |
560 | $target->{bridge} = $1; | |
561 | $target->{iface} = $2; | |
31dc73f1 | 562 | } elsif ($to eq 'outside') { |
47ece390 DM |
563 | $target->{type} = 'bport'; |
564 | $target->{bridge} = 'vmbr0'; | |
565 | $target->{iface} = 'eth0'; | |
c0c871d8 | 566 | } elsif ($to eq 'nfvm') { |
47ece390 DM |
567 | $target->{type} = 'bport'; |
568 | $target->{bridge} = 'vmbr0'; | |
569 | $target->{iface} = 'tapXYZ'; | |
f1bafd37 DM |
570 | } elsif ($to =~ m/^ct(\d+)$/) { |
571 | my $vmid = $1; | |
d1486f38 DM |
572 | $target = extract_ct_info($vmdata, $vmid); |
573 | $target->{iface} = 'venet-in'; | |
574 | ||
575 | if ($target->{ip_address}) { | |
576 | $pkg->{dest} = $target->{ip_address}; | |
f1bafd37 DM |
577 | } else { |
578 | die "implement me"; | |
579 | } | |
f1bafd37 DM |
580 | } elsif ($to =~ m/^vm(\d+)$/) { |
581 | my $vmid = $1; | |
d1486f38 DM |
582 | $target = extract_vm_info($vmdata, $vmid); |
583 | $target->{iface} = $target->{tapdev}; | |
f1bafd37 | 584 | } else { |
49e9d9a5 | 585 | die "unable to parse \"to => '$to'\"\n"; |
f1bafd37 DM |
586 | } |
587 | ||
832cd14c DM |
588 | $pkg->{source} = '100.100.1.2' if !defined($pkg->{source}); |
589 | $pkg->{dest} = '100.200.3.4' if !defined($pkg->{dest}); | |
590 | ||
111cce51 DM |
591 | my ($res, $ic, $rc) = route_packet($ruleset, $ipset_ruleset, $pkg, |
592 | $from_info, $target, $start_state); | |
f1bafd37 | 593 | |
111cce51 DM |
594 | add_trace("IPT statistics: invocation = $ic, checks = $rc\n"); |
595 | ||
d1486f38 | 596 | die "test failed ($res != $action)\n" if $action ne $res; |
f1bafd37 | 597 | |
d1486f38 | 598 | return undef; |
f1bafd37 DM |
599 | } |
600 | ||
601 | sub run_tests { | |
ec2e28f6 DM |
602 | my ($vmdata, $testdir, $testfile, $testid) = @_; |
603 | ||
604 | $testfile = 'tests' if !$testfile; | |
f1bafd37 DM |
605 | |
606 | $vmdata->{testdir} = $testdir; | |
607 | ||
ee06b009 DM |
608 | PVE::Firewall::cluster_network('172.16.1.0/24'); |
609 | ||
f1bafd37 DM |
610 | my ($ruleset, $ipset_ruleset) = |
611 | PVE::Firewall::compile(undef, undef, $vmdata); | |
612 | ||
ec2e28f6 DM |
613 | my $filename = "$testdir/$testfile"; |
614 | my $fh = IO::File->new($filename) || | |
615 | die "unable to open '$filename' - $!\n"; | |
f1bafd37 | 616 | |
ec2e28f6 | 617 | my $testcount = 0; |
f1bafd37 DM |
618 | while (defined(my $line = <$fh>)) { |
619 | next if $line =~ m/^\s*$/; | |
620 | next if $line =~ m/^#.*$/; | |
621 | if ($line =~ m/^\{.*\}\s*$/) { | |
622 | my $test = eval $line; | |
623 | die $@ if $@; | |
ec2e28f6 | 624 | next if defined($testid) && (!defined($test->{id}) || ($testid ne $test->{id})); |
f1bafd37 | 625 | $trace = ''; |
d1486f38 | 626 | print Dumper($ruleset) if $debug; |
ec2e28f6 | 627 | $testcount++; |
1352eaa1 DM |
628 | eval { |
629 | my @test_zones = qw(host outside nfvm vm100 ct200); | |
630 | if (!defined($test->{from}) && !defined($test->{to})) { | |
631 | die "missing zone speification (from, to)\n"; | |
632 | } elsif (!defined($test->{to})) { | |
633 | foreach my $zone (@test_zones) { | |
634 | next if $zone eq $test->{from}; | |
635 | $test->{to} = $zone; | |
636 | add_trace("Set Zone: to => '$zone'\n"); | |
637 | simulate_firewall($ruleset, $ipset_ruleset, $vmdata, $test); | |
638 | } | |
639 | } elsif (!defined($test->{from})) { | |
640 | foreach my $zone (@test_zones) { | |
641 | next if $zone eq $test->{to}; | |
642 | $test->{from} = $zone; | |
643 | add_trace("Set Zone: from => '$zone'\n"); | |
644 | simulate_firewall($ruleset, $ipset_ruleset, $vmdata, $test); | |
645 | } | |
646 | } else { | |
647 | simulate_firewall($ruleset, $ipset_ruleset, $vmdata, $test); | |
648 | } | |
649 | }; | |
f1bafd37 DM |
650 | if (my $err = $@) { |
651 | ||
d1486f38 | 652 | print Dumper($ruleset) if !$debug; |
f1bafd37 | 653 | |
d1486f38 | 654 | print "$trace\n" if !$debug; |
f1bafd37 | 655 | |
ec2e28f6 | 656 | print "$filename line $.: $line"; |
f1bafd37 DM |
657 | |
658 | print "test failed: $err\n"; | |
659 | ||
660 | exit(-1); | |
661 | } | |
662 | } else { | |
663 | die "parse error"; | |
664 | } | |
665 | } | |
666 | ||
ec2e28f6 DM |
667 | die "no tests found\n" if $testcount <= 0; |
668 | ||
669 | print "PASS: $filename\n"; | |
f1bafd37 DM |
670 | |
671 | return undef; | |
672 | } | |
673 | ||
674 | my $vmdata = { | |
675 | qemu => { | |
676 | 100 => { | |
db990d66 | 677 | net0 => "e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1", |
d1486f38 DM |
678 | }, |
679 | 101 => { | |
db990d66 | 680 | net0 => "e1000=0E:0B:38:B8:B3:22,bridge=vmbr0,firewall=1", |
d1486f38 DM |
681 | }, |
682 | # on bridge vmbr1 | |
683 | 110 => { | |
db990d66 | 684 | net0 => "e1000=0E:0B:38:B8:B4:21,bridge=vmbr1,firewall=1", |
f1bafd37 DM |
685 | }, |
686 | }, | |
687 | openvz => { | |
688 | 200 => { | |
689 | ip_address => { value => '10.0.200.1' }, | |
690 | }, | |
d1486f38 DM |
691 | 201 => { |
692 | ip_address => { value => '10.0.200.2' }, | |
693 | }, | |
f1bafd37 DM |
694 | }, |
695 | }; | |
696 | ||
ec2e28f6 DM |
697 | if ($testfilename) { |
698 | my $testfile; | |
699 | my $dir; | |
700 | ||
701 | if (-d $testfilename) { | |
702 | $dir = $testfilename; | |
703 | } elsif (-f $testfilename) { | |
704 | $dir = dirname($testfilename); | |
705 | $testfile = basename($testfilename); | |
706 | } else { | |
707 | die "no such file/dir '$testfilename'\n"; | |
708 | } | |
709 | ||
710 | run_tests($vmdata, $dir, $testfile, $testid); | |
711 | ||
712 | } else { | |
713 | foreach my $dir (<test-*>) { | |
714 | next if ! -d $dir; | |
715 | run_tests($vmdata, $dir); | |
716 | } | |
f1bafd37 DM |
717 | } |
718 | ||
719 | print "OK - all tests passed\n"; | |
720 | ||
721 | exit(0); |