[pve-firewall.git] / test / fwtester.pl

#!/usr/bin/perl

use lib '../src';
use strict;
use warnings;
use Data::Dumper;
use PVE::Firewall;
use Getopt::Long;
use File::Basename;

my $mark;
my $trace;

my $outside_iface = 'eth0';
my $outside_bridge = 'vmbr0';

my $debug = 0;

sub print_usage_and_exit {
    die "usage: $0 [--debug] [testfile [testid]]\n";
}

if (!GetOptions ('debug' => \$debug)) {
    print_usage_and_exit();
}

my $testfilename = shift;
my $testid = shift;

sub add_trace {
    my ($text) = @_;

    if ($debug) {
	print $text;
    } else {
	$trace .= $text;
    }
}

sub nf_dev_match {
    my ($devre, $dev) = @_;

    $devre =~ s/\+$/\.\*/;
    return  ($dev =~ m/^${devre}$/) ? 1 : 0;
}

sub rule_match {
    my ($chain, $rule, $pkg) = @_;

    $rule =~ s/^-A $chain // || die "got strange rule: $rule";

    if ($rule =~ s/^-m conntrack\s*//) {
	return undef; # simply ignore
    }

    if ($rule =~ s/^-m addrtype\s*//) {
	return undef; # simply ignore
    }

    if ($rule =~ s/^-i (\S+)\s*//) {
	my $devre = $1;
	die "missing iface_in" if !$pkg->{iface_in};
	return undef if !nf_dev_match($devre, $pkg->{iface_in});
    }
    if ($rule =~ s/^-o (\S+)\s*//) {
	my $devre = $1;
	die "missing iface_out" if !$pkg->{iface_out};
	return undef if !nf_dev_match($devre, $pkg->{iface_out});
    }

    if ($rule =~ s/^-p (tcp|udp)\s*//) {
	die "missing proto" if !$pkg->{proto};
	return undef if $pkg->{proto} ne $1; # no match
    }

    if ($rule =~ s/^--dport (\d+):(\d+)\s*//) {
	die "missing dport" if !$pkg->{dport};
	return undef if ($pkg->{dport} < $1) || ($pkg->{dport} > $2); # no match
    }

    if ($rule =~ s/^--dport (\d+)\s*//) {
	die "missing dport" if !$pkg->{dport};
	return undef if $pkg->{dport} != $1; # no match
    }

    if ($rule =~ s/^-s (\S+)\s*//) {
	die "missing source" if !$pkg->{source};
	return undef if $pkg->{source} ne $1; # no match
    }
    
    if ($rule =~ s/^-d (\S+)\s*//) {
	die "missing destination" if !$pkg->{dest};
	return undef if $pkg->{dest} ne $1; # no match
    }

    if ($rule =~ s/^-m mac ! --mac-source (\S+)\s*//) {
	die "missing source mac" if !$pkg->{mac_source};
	return undef if $pkg->{mac_source} eq $1; # no match
    }

    if ($rule =~ s/^-m physdev --physdev-is-bridged --physdev-in (\S+)\s*//) {
	my $devre = $1;
	return undef if !$pkg->{physdev_in};
	return undef if !nf_dev_match($devre, $pkg->{physdev_in});
    }

    if ($rule =~ s/^-m physdev --physdev-is-bridged --physdev-out (\S+)\s*//) {
	my $devre = $1;
	return undef if !$pkg->{physdev_out};
	return undef if !nf_dev_match($devre, $pkg->{physdev_out});
    }

    if ($rule =~ s/^-j MARK --set-mark (\d+)\s*$//) {
	$mark = $1;
	return undef;
    }

    if ($rule =~ s/^-j (\S+)\s*$//) {
	return (0, $1);
    }

    if ($rule =~ s/^-g (\S+)\s*$//) {
	return (1, $1);
    }

    die "unable to parse rule: $rule";
}

sub ruleset_simulate_chain {
    my ($ruleset, $chain, $pkg) = @_;

    add_trace("ENTER chain $chain\n");
    
    my $counter = 2; # ENTER + LEAVE = 2

    if ($chain eq 'PVEFW-Drop') {
	add_trace("LEAVE chain $chain\n");
	return ('DROP', $counter);
    }
    if ($chain eq 'PVEFW-reject') {
	add_trace("LEAVE chain $chain\n");
	return ('REJECT', $counter);
    }

    if ($chain eq 'PVEFW-tcpflags') {
	add_trace("LEAVE chain $chain\n");
	return (undef, $counter);
    }

    my $rules = $ruleset->{$chain} ||
	die "no such chain '$chain'";

    foreach my $rule (@$rules) {
	$counter++;
	my ($goto, $action) = rule_match($chain, $rule, $pkg);
	if (!defined($action)) {
	    add_trace("SKIP: $rule\n");
	    next;
	}
	add_trace("MATCH: $rule\n");
	
	if ($action eq 'ACCEPT' || $action eq 'DROP' || $action eq 'REJECT') {
	    add_trace("TERMINATE chain $chain: $action\n");
	    return ($action, $counter);
	} elsif ($action eq 'RETURN') {
	    add_trace("RETURN FROM chain $chain\n");
	    last;
	} else {
	    if ($goto) {
		add_trace("LEAVE chain $chain - goto $action\n");
		return ruleset_simulate_chain($ruleset, $action, $pkg)
		#$chain = $action;
		#$rules = $ruleset->{$chain} || die "no such chain '$chain'";
	    } else {
		my ($act, $ctr) = ruleset_simulate_chain($ruleset, $action, $pkg);
		$counter += $ctr;
		return ($act, $counter) if $act;
		add_trace("CONTINUE chain $chain\n");
	    }
	}
    }

    add_trace("LEAVE chain $chain\n");
    if ($chain =~ m/^PVEFW-(INPUT|OUTPUT|FORWARD)$/) {
	return ('ACCEPT', $counter); # default policy
    }

    return (undef, $counter);
}

sub copy_packet {
    my ($pkg) = @_;

    my $res = {};

    while (my ($k,$v) = each %$pkg) {
	$res->{$k} = $v;
    }

    return $res;
}

# Try to simulate packet traversal inside kernel. This invokes iptable
# checks several times.
sub route_packet {
    my ($ruleset, $ipset_ruleset, $pkg, $from_info, $target, $start_state) = @_;

    my $route_state = $start_state;

    my $physdev_in;

    my $ipt_invocation_counter = 0;
    my $rule_check_counter = 0;

    while ($route_state ne $target->{iface}) {

	my $chain;
	my $next_route_state;
	my $next_physdev_in;

	$pkg->{iface_in} = $pkg->{iface_out} = undef;
	$pkg->{physdev_in} = $pkg->{physdev_out} = undef;

	if ($route_state eq 'from-outside') {
	    $next_route_state = $outside_bridge || die 'internal error';
	    $next_physdev_in = $outside_iface || die 'internal error';
	} elsif ($route_state eq 'host') {

	    if ($target->{type} eq 'outside') {
		$pkg->{iface_in} = 'lo';
		$pkg->{iface_out} = $outside_bridge;
		$chain = 'PVEFW-OUTPUT';
		$next_route_state = $outside_iface
	    } elsif ($target->{type} eq 'ct') {
		$pkg->{iface_in} = 'lo';
		$pkg->{iface_out} = 'venet0';
		$chain = 'PVEFW-OUTPUT';
		$next_route_state = 'venet-in';
	    } elsif ($target->{type} eq 'vm') {
		$pkg->{iface_in} = 'lo';
		$pkg->{iface_out} = $target->{bridge} || die 'internal error';
		$chain = 'PVEFW-OUTPUT';
		$next_route_state = 'fwbr-in';
	    } else {
		die "implement me";
	    }

	} elsif ($route_state eq 'venet-out') {

	    if ($target->{type} eq 'host') {

		$chain = 'PVEFW-INPUT';
		$pkg->{iface_in} = 'venet0';
		$pkg->{iface_out} = 'lo';
		$next_route_state = 'host';

	    } elsif ($target->{type} eq 'outside') {
		
		$chain = 'PVEFW-FORWARD';
		$pkg->{iface_in} = 'venet0';
		$pkg->{iface_out} = $outside_bridge;
		$next_route_state = $outside_iface;

	    } elsif ($target->{type} eq 'vm') {

		$chain = 'PVEFW-FORWARD';
		$pkg->{iface_in} = 'venet0';
		$pkg->{iface_out} = $target->{bridge} || die 'internal error';
		$next_route_state = 'fwbr-in';

	    } elsif ($target->{type} eq 'ct') {

		$chain = 'PVEFW-FORWARD';
		$pkg->{iface_in} = 'venet0';
		$pkg->{iface_out} = 'venet0';
		$next_route_state = 'venet-in';

	    } else {
		die "implement me";
	    }

	} elsif ($route_state eq 'fwbr-out') {

	    $chain = 'PVEFW-FORWARD';
	    $next_route_state = $from_info->{bridge} || die 'internal error';
	    $next_physdev_in = $from_info->{fwpr} || die 'internal error';
	    $pkg->{iface_in} = $from_info->{fwbr} || die 'internal error';
	    $pkg->{iface_out} = $from_info->{fwbr} || die 'internal error';
	    $pkg->{physdev_in} = $from_info->{tapdev} || die 'internal error';
	    $pkg->{physdev_out} = $from_info->{fwln} || die 'internal error';
	
	} elsif ($route_state eq 'fwbr-in') {

	    $chain = 'PVEFW-FORWARD';
	    $next_route_state = $target->{tapdev};
	    $pkg->{iface_in} = $target->{fwbr} || die 'internal error';
	    $pkg->{iface_out} = $target->{fwbr} || die 'internal error';
	    $pkg->{physdev_in} = $target->{fwln} || die 'internal error';
	    $pkg->{physdev_out} = $target->{tapdev} || die 'internal error';

	} elsif ($route_state =~ m/^vmbr\d+$/) {
	    
	    die "missing physdev_in - internal error?" if !$physdev_in;
	    $pkg->{physdev_in} = $physdev_in;

	    if ($target->{type} eq 'host') {

		$chain = 'PVEFW-INPUT';
		$pkg->{iface_in} = $route_state;
		$pkg->{iface_out} = 'lo';
		$next_route_state = 'host';

	    } elsif ($target->{type} eq 'outside') {

		$chain = 'PVEFW-FORWARD';
		$pkg->{iface_in} = $route_state;
		$pkg->{iface_out} = $outside_bridge;
		# conditionally set physdev_out (same behavior as kernel)
		if ($route_state eq $outside_bridge) {
		    $pkg->{physdev_out} = $outside_iface || die 'internal error';
		}
		$next_route_state = $outside_iface;

	    } elsif ($target->{type} eq 'ct') {

		$chain = 'PVEFW-FORWARD';
		$pkg->{iface_in} = $route_state;
		$pkg->{iface_out} = 'venet0';
		$next_route_state = 'venet-in';

	    } elsif ($target->{type} eq 'vm') {

		$chain = 'PVEFW-FORWARD';
		$pkg->{iface_in} = $route_state;
		$pkg->{iface_out} = $target->{bridge};
		# conditionally set physdev_out (same behavior as kernel)
		if ($route_state eq $target->{bridge}) {
		    $pkg->{physdev_out} = $target->{fwpr} || die 'internal error';
		}
		$next_route_state = 'fwbr-in';

	    } else {
		die "implement me";
	    }

	} else {
	    die "implement me $route_state";
	}

	die "internal error" if !defined($next_route_state);

	if ($chain) {
	    add_trace("IPT check at $route_state (chain $chain)\n");
	    add_trace(Dumper($pkg));
	    $ipt_invocation_counter++;
	    my ($res, $ctr) = ruleset_simulate_chain($ruleset, $chain, $pkg);
	    $rule_check_counter += $ctr;
	    return ($res, $ipt_invocation_counter, $rule_check_counter) if $res ne 'ACCEPT';
	} 

	$route_state = $next_route_state;

	$physdev_in = $next_physdev_in;
    }

    return ('ACCEPT', $ipt_invocation_counter, $rule_check_counter);
}

sub extract_ct_info {
    my ($vmdata, $vmid) = @_;

    my $info = { type => 'ct', vmid => $vmid };

    my $conf = $vmdata->{openvz}->{$vmid} || die "no such CT '$vmid'";
    if ($conf->{ip_address}) {
	$info->{ip_address} = $conf->{ip_address}->{value};
    } else {
	die "implement me";
    }
    return $info;
}

sub extract_vm_info {
    my ($vmdata, $vmid) = @_;

    my $info = { type => 'vm', vmid => $vmid };

    my $conf = $vmdata->{qemu}->{$vmid} || die "no such VM '$vmid'";
    my $net = PVE::QemuServer::parse_net($conf->{net0});
    $info->{macaddr} = $net->{macaddr} || die "unable to get mac address";
    $info->{bridge} = $net->{bridge} || die "unable to get bridge";
    $info->{fwbr} = "fwbr${vmid}i0";
    $info->{tapdev} = "tap${vmid}i0";
    $info->{fwln} = "fwln${vmid}i0";
    $info->{fwpr} = "fwpr${vmid}p0";

    return $info;
}

sub simulate_firewall {
    my ($ruleset, $ipset_ruleset, $vmdata, $test) = @_;

    my $from = delete $test->{from} || die "missing 'from' field";
    my $to = delete $test->{to} || die "missing 'to' field";
    my $action = delete $test->{action} || die "missing 'action'";
    
    my $testid = delete $test->{id};
    
    die "from/to needs to be different" if $from eq $to;

    my $pkg = {
	proto => 'tcp',
	sport => undef,
	dport => undef,
	source => undef,
	dest => undef,
    };

    while (my ($k,$v) = each %$test) {
	die "unknown attribute '$k'\n" if !exists($pkg->{$k});
	$pkg->{$k} = $v;
    }

    my $from_info = {};

    my $start_state;

    if ($from eq 'host') {
	$from_info->{type} = 'host';
	$start_state = 'host';
    } elsif ($from eq 'outside') {
	$from_info->{type} = 'outside';
	$start_state = 'from-outside';
    } elsif ($from =~ m/^ct(\d+)$/) {
	my $vmid = $1;
	$from_info = extract_ct_info($vmdata, $vmid);
	if ($from_info->{ip_address}) {
	    $pkg->{source} = $from_info->{ip_address};
	    $start_state = 'venet-out';
	} else {
	    die "implement me";
	}
    } elsif ($from =~ m/^vm(\d+)$/) {
	my $vmid = $1;
	$from_info = extract_vm_info($vmdata, $vmid);
	$start_state = 'fwbr-out'; 
	$pkg->{mac_source} = $from_info->{macaddr};
    } else {
	die "implement me";
    }

    my $target;

    if ($to eq 'host') {
	$target->{type} = 'host';
	$target->{iface} = 'host';
    } elsif ($to eq 'outside') {
	$target->{type} = 'outside';
	$target->{iface} = $outside_iface;
    } elsif ($to =~ m/^ct(\d+)$/) {
	my $vmid = $1;
	$target = extract_ct_info($vmdata, $vmid);
	$target->{iface} = 'venet-in';

	if ($target->{ip_address}) {
	    $pkg->{dest} = $target->{ip_address};
	} else {
	    die "implement me";
	}
   } elsif ($to =~ m/^vm(\d+)$/) {
	my $vmid = $1;
	$target = extract_vm_info($vmdata, $vmid);
	$target->{iface} = $target->{tapdev};
    } else {
	die "implement me";
    }

    my ($res, $ic, $rc) = route_packet($ruleset, $ipset_ruleset, $pkg, 
				       $from_info, $target, $start_state);

    add_trace("IPT statistics: invocation = $ic, checks = $rc\n");
 
    die "test failed ($res != $action)\n" if $action ne $res;

    return undef; 
}

sub run_tests {
    my ($vmdata, $testdir, $testfile, $testid) = @_;

    $testfile = 'tests' if !$testfile;

    $vmdata->{testdir} = $testdir;

    my ($ruleset, $ipset_ruleset) = 
	PVE::Firewall::compile(undef, undef, $vmdata);

    my $filename = "$testdir/$testfile";
    my $fh = IO::File->new($filename) ||
	die "unable to open '$filename' - $!\n";

    my $testcount = 0;
    while (defined(my $line = <$fh>)) {
	next if $line =~ m/^\s*$/;
	next if $line =~ m/^#.*$/;
	if ($line =~ m/^\{.*\}\s*$/) {
	    my $test = eval $line;
	    die $@ if $@;
	    next if defined($testid) && (!defined($test->{id}) || ($testid ne $test->{id}));
	    $trace = '';
	    print Dumper($ruleset) if $debug;
	    $testcount++;
	    eval { simulate_firewall($ruleset, $ipset_ruleset, $vmdata, $test); };
	    if (my $err = $@) {

		print Dumper($ruleset) if !$debug;

		print "$trace\n" if !$debug;

		print "$filename line $.: $line";

		print "test failed: $err\n";

		exit(-1);
	    }
	} else {
	    die "parse error";
	}
    }

    die "no tests found\n" if $testcount <= 0;

    print "PASS: $filename\n";

    return undef;
}

my $vmdata = {
    qemu => {
	100 => {
	    net0 => "e1000=0E:0B:38:B8:B3:21,bridge=vmbr0",
	},
	101 => {
	    net0 => "e1000=0E:0B:38:B8:B3:22,bridge=vmbr0",
	},
	# on bridge vmbr1
	110 => {
	    net0 => "e1000=0E:0B:38:B8:B4:21,bridge=vmbr1",
	},
    },
    openvz => {
	200 => {
	    ip_address => { value => '10.0.200.1' },
	},
	201 => {
	    ip_address => { value => '10.0.200.2' },
	},
    },
};

if ($testfilename) {
    my $testfile;
    my $dir;

    if (-d $testfilename) {
	$dir = $testfilename;
    } elsif (-f $testfilename) {
	$dir = dirname($testfilename);
	$testfile = basename($testfilename);
    } else {
	die "no such file/dir '$testfilename'\n"; 
    }

    run_tests($vmdata, $dir, $testfile, $testid);

} else { 
    foreach my $dir (<test-*>) {
	next if ! -d $dir;
	run_tests($vmdata, $dir);
    }
}

print "OK - all tests passed\n";

exit(0);
Commit	Line	Data
f1bafd37 DM	1	#!/usr/bin/perl
	2
	3	use lib '../src';
	4	use strict;
	5	use warnings;
	6	use Data::Dumper;
	7	use PVE::Firewall;
ec2e28f6 DM	8	use Getopt::Long;
ec2e28f6 DM	9	use File::Basename;
f1bafd37 DM	10
	11	my $mark;
	12	my $trace;
	13
31dc73f1 DM	14	my $outside_iface = 'eth0';
	15	my $outside_bridge = 'vmbr0';
	16
d1486f38 DM	17	my $debug = 0;
d1486f38 DM	18
ec2e28f6 DM	19	sub print_usage_and_exit {
	20	die "usage: $0 [--debug] [testfile [testid]]\n";
	21	}
	22
	23	if (!GetOptions ('debug' => \$debug)) {
	24	print_usage_and_exit();
	25	}
	26
	27	my $testfilename = shift;
	28	my $testid = shift;
	29
d1486f38 DM	30	sub add_trace {
	31	my ($text) = @_;
	32
	33	if ($debug) {
	34	print $text;
	35	} else {
	36	$trace .= $text;
	37	}
	38	}
	39
e4e5fcaf DM	40	sub nf_dev_match {
	41	my ($devre, $dev) = @_;
	42
	43	$devre =~ s/\+$/\.\*/;
	44	return ($dev =~ m/^${devre}$/) ? 1 : 0;
	45	}
	46
f1bafd37 DM	47	sub rule_match {
	48	my ($chain, $rule, $pkg) = @_;
	49
	50	$rule =~ s/^-A $chain // \|\| die "got strange rule: $rule";
	51
	52	if ($rule =~ s/^-m conntrack\s*//) {
	53	return undef; # simply ignore
	54	}
	55
	56	if ($rule =~ s/^-m addrtype\s*//) {
	57	return undef; # simply ignore
	58	}
	59
	60	if ($rule =~ s/^-i (\S+)\s*//) {
e4e5fcaf	61	my $devre = $1;
f1bafd37	62	die "missing iface_in" if !$pkg->{iface_in};
e4e5fcaf	63	return undef if !nf_dev_match($devre, $pkg->{iface_in});
f1bafd37 DM	64	}
f1bafd37 DM	65	if ($rule =~ s/^-o (\S+)\s*//) {
e4e5fcaf	66	my $devre = $1;
f1bafd37	67	die "missing iface_out" if !$pkg->{iface_out};
e4e5fcaf	68	return undef if !nf_dev_match($devre, $pkg->{iface_out});
f1bafd37 DM	69	}
	70
	71	if ($rule =~ s/^-p (tcp\|udp)\s*//) {
	72	die "missing proto" if !$pkg->{proto};
	73	return undef if $pkg->{proto} ne $1; # no match
	74	}
	75
	76	if ($rule =~ s/^--dport (\d+):(\d+)\s*//) {
	77	die "missing dport" if !$pkg->{dport};
	78	return undef if ($pkg->{dport} < $1) \|\| ($pkg->{dport} > $2); # no match
	79	}
	80
	81	if ($rule =~ s/^--dport (\d+)\s*//) {
	82	die "missing dport" if !$pkg->{dport};
	83	return undef if $pkg->{dport} != $1; # no match
	84	}
	85
	86	if ($rule =~ s/^-s (\S+)\s*//) {
	87	die "missing source" if !$pkg->{source};
	88	return undef if $pkg->{source} ne $1; # no match
	89	}
	90
	91	if ($rule =~ s/^-d (\S+)\s*//) {
	92	die "missing destination" if !$pkg->{dest};
	93	return undef if $pkg->{dest} ne $1; # no match
	94	}
	95
	96	if ($rule =~ s/^-m mac ! --mac-source (\S+)\s*//) {
	97	die "missing source mac" if !$pkg->{mac_source};
	98	return undef if $pkg->{mac_source} eq $1; # no match
	99	}
	100
	101	if ($rule =~ s/^-m physdev --physdev-is-bridged --physdev-in (\S+)\s*//) {
	102	my $devre = $1;
f1bafd37	103	return undef if !$pkg->{physdev_in};
e4e5fcaf	104	return undef if !nf_dev_match($devre, $pkg->{physdev_in});
f1bafd37 DM	105	}
	106
	107	if ($rule =~ s/^-m physdev --physdev-is-bridged --physdev-out (\S+)\s*//) {
	108	my $devre = $1;
f1bafd37	109	return undef if !$pkg->{physdev_out};
e4e5fcaf	110	return undef if !nf_dev_match($devre, $pkg->{physdev_out});
f1bafd37 DM	111	}
	112
	113	if ($rule =~ s/^-j MARK --set-mark (\d+)\s*$//) {
	114	$mark = $1;
	115	return undef;
	116	}
	117
	118	if ($rule =~ s/^-j (\S+)\s*$//) {
	119	return (0, $1);
	120	}
	121
	122	if ($rule =~ s/^-g (\S+)\s*$//) {
	123	return (1, $1);
	124	}
	125
	126	die "unable to parse rule: $rule";
	127	}
	128
	129	sub ruleset_simulate_chain {
	130	my ($ruleset, $chain, $pkg) = @_;
	131
d1486f38	132	add_trace("ENTER chain $chain\n");
f1bafd37	133
111cce51 DM	134	my $counter = 2; # ENTER + LEAVE = 2
111cce51 DM	135
f1bafd37	136	if ($chain eq 'PVEFW-Drop') {
d1486f38	137	add_trace("LEAVE chain $chain\n");
111cce51	138	return ('DROP', $counter);
f1bafd37 DM	139	}
f1bafd37 DM	140	if ($chain eq 'PVEFW-reject') {
d1486f38	141	add_trace("LEAVE chain $chain\n");
111cce51	142	return ('REJECT', $counter);
f1bafd37 DM	143	}
	144
	145	if ($chain eq 'PVEFW-tcpflags') {
d1486f38	146	add_trace("LEAVE chain $chain\n");
111cce51	147	return (undef, $counter);
f1bafd37 DM	148	}
	149
	150	my $rules = $ruleset->{$chain} \|\|
	151	die "no such chain '$chain'";
	152
	153	foreach my $rule (@$rules) {
111cce51	154	$counter++;
f1bafd37 DM	155	my ($goto, $action) = rule_match($chain, $rule, $pkg);
f1bafd37 DM	156	if (!defined($action)) {
d1486f38	157	add_trace("SKIP: $rule\n");
f1bafd37 DM	158	next;
f1bafd37 DM	159	}
d1486f38	160	add_trace("MATCH: $rule\n");
f1bafd37 DM	161
f1bafd37 DM	162	if ($action eq 'ACCEPT' \|\| $action eq 'DROP' \|\| $action eq 'REJECT') {
d1486f38	163	add_trace("TERMINATE chain $chain: $action\n");
111cce51	164	return ($action, $counter);
f1bafd37	165	} elsif ($action eq 'RETURN') {
d1486f38	166	add_trace("RETURN FROM chain $chain\n");
f1bafd37 DM	167	last;
	168	} else {
	169	if ($goto) {
d1486f38	170	add_trace("LEAVE chain $chain - goto $action\n");
f1bafd37 DM	171	return ruleset_simulate_chain($ruleset, $action, $pkg)
	172	#$chain = $action;
	173	#$rules = $ruleset->{$chain} \|\| die "no such chain '$chain'";
	174	} else {
111cce51 DM	175	my ($act, $ctr) = ruleset_simulate_chain($ruleset, $action, $pkg);
	176	$counter += $ctr;
	177	return ($act, $counter) if $act;
d1486f38	178	add_trace("CONTINUE chain $chain\n");
f1bafd37 DM	179	}
	180	}
	181	}
	182
d1486f38	183	add_trace("LEAVE chain $chain\n");
f1bafd37	184	if ($chain =~ m/^PVEFW-(INPUT\|OUTPUT\|FORWARD)$/) {
111cce51	185	return ('ACCEPT', $counter); # default policy
f1bafd37 DM	186	}
f1bafd37 DM	187
111cce51	188	return (undef, $counter);
f1bafd37 DM	189	}
	190
	191	sub copy_packet {
	192	my ($pkg) = @_;
	193
	194	my $res = {};
	195
	196	while (my ($k,$v) = each %$pkg) {
	197	$res->{$k} = $v;
	198	}
	199
	200	return $res;
	201	}
	202
d1486f38 DM	203	# Try to simulate packet traversal inside kernel. This invokes iptable
	204	# checks several times.
	205	sub route_packet {
	206	my ($ruleset, $ipset_ruleset, $pkg, $from_info, $target, $start_state) = @_;
	207
	208	my $route_state = $start_state;
	209
	210	my $physdev_in;
	211
111cce51 DM	212	my $ipt_invocation_counter = 0;
	213	my $rule_check_counter = 0;
	214
d1486f38 DM	215	while ($route_state ne $target->{iface}) {
	216
	217	my $chain;
	218	my $next_route_state;
	219	my $next_physdev_in;
	220
	221	$pkg->{iface_in} = $pkg->{iface_out} = undef;
	222	$pkg->{physdev_in} = $pkg->{physdev_out} = undef;
	223
31dc73f1 DM	224	if ($route_state eq 'from-outside') {
	225	$next_route_state = $outside_bridge \|\| die 'internal error';
	226	$next_physdev_in = $outside_iface \|\| die 'internal error';
	227	} elsif ($route_state eq 'host') {
d1486f38	228
31dc73f1 DM	229	if ($target->{type} eq 'outside') {
	230	$pkg->{iface_in} = 'lo';
	231	$pkg->{iface_out} = $outside_bridge;
	232	$chain = 'PVEFW-OUTPUT';
	233	$next_route_state = $outside_iface
	234	} elsif ($target->{type} eq 'ct') {
d1486f38 DM	235	$pkg->{iface_in} = 'lo';
	236	$pkg->{iface_out} = 'venet0';
	237	$chain = 'PVEFW-OUTPUT';
	238	$next_route_state = 'venet-in';
	239	} elsif ($target->{type} eq 'vm') {
	240	$pkg->{iface_in} = 'lo';
	241	$pkg->{iface_out} = $target->{bridge} \|\| die 'internal error';
	242	$chain = 'PVEFW-OUTPUT';
	243	$next_route_state = 'fwbr-in';
	244	} else {
	245	die "implement me";
	246	}
	247
	248	} elsif ($route_state eq 'venet-out') {
	249
	250	if ($target->{type} eq 'host') {
	251
	252	$chain = 'PVEFW-INPUT';
	253	$pkg->{iface_in} = 'venet0';
	254	$pkg->{iface_out} = 'lo';
	255	$next_route_state = 'host';
	256
31dc73f1 DM	257	} elsif ($target->{type} eq 'outside') {
	258
	259	$chain = 'PVEFW-FORWARD';
	260	$pkg->{iface_in} = 'venet0';
	261	$pkg->{iface_out} = $outside_bridge;
	262	$next_route_state = $outside_iface;
	263
d1486f38 DM	264	} elsif ($target->{type} eq 'vm') {
	265
	266	$chain = 'PVEFW-FORWARD';
	267	$pkg->{iface_in} = 'venet0';
	268	$pkg->{iface_out} = $target->{bridge} \|\| die 'internal error';
	269	$next_route_state = 'fwbr-in';
	270
	271	} elsif ($target->{type} eq 'ct') {
	272
	273	$chain = 'PVEFW-FORWARD';
	274	$pkg->{iface_in} = 'venet0';
	275	$pkg->{iface_out} = 'venet0';
	276	$next_route_state = 'venet-in';
	277
	278	} else {
	279	die "implement me";
	280	}
	281
	282	} elsif ($route_state eq 'fwbr-out') {
	283
	284	$chain = 'PVEFW-FORWARD';
	285	$next_route_state = $from_info->{bridge} \|\| die 'internal error';
	286	$next_physdev_in = $from_info->{fwpr} \|\| die 'internal error';
	287	$pkg->{iface_in} = $from_info->{fwbr} \|\| die 'internal error';
	288	$pkg->{iface_out} = $from_info->{fwbr} \|\| die 'internal error';
	289	$pkg->{physdev_in} = $from_info->{tapdev} \|\| die 'internal error';
	290	$pkg->{physdev_out} = $from_info->{fwln} \|\| die 'internal error';
	291
	292	} elsif ($route_state eq 'fwbr-in') {
	293
	294	$chain = 'PVEFW-FORWARD';
	295	$next_route_state = $target->{tapdev};
	296	$pkg->{iface_in} = $target->{fwbr} \|\| die 'internal error';
	297	$pkg->{iface_out} = $target->{fwbr} \|\| die 'internal error';
	298	$pkg->{physdev_in} = $target->{fwln} \|\| die 'internal error';
	299	$pkg->{physdev_out} = $target->{tapdev} \|\| die 'internal error';
	300
	301	} elsif ($route_state =~ m/^vmbr\d+$/) {
	302
	303	die "missing physdev_in - internal error?" if !$physdev_in;
eb5faed9	304	$pkg->{physdev_in} = $physdev_in;
d1486f38 DM	305
	306	if ($target->{type} eq 'host') {
	307
	308	$chain = 'PVEFW-INPUT';
	309	$pkg->{iface_in} = $route_state;
	310	$pkg->{iface_out} = 'lo';
	311	$next_route_state = 'host';
	312
31dc73f1 DM	313	} elsif ($target->{type} eq 'outside') {
	314
	315	$chain = 'PVEFW-FORWARD';
	316	$pkg->{iface_in} = $route_state;
	317	$pkg->{iface_out} = $outside_bridge;
31dc73f1 DM	318	# conditionally set physdev_out (same behavior as kernel)
	319	if ($route_state eq $outside_bridge) {
	320	$pkg->{physdev_out} = $outside_iface \|\| die 'internal error';
	321	}
	322	$next_route_state = $outside_iface;
	323
d1486f38 DM	324	} elsif ($target->{type} eq 'ct') {
	325
	326	$chain = 'PVEFW-FORWARD';
	327	$pkg->{iface_in} = $route_state;
	328	$pkg->{iface_out} = 'venet0';
	329	$next_route_state = 'venet-in';
	330
	331	} elsif ($target->{type} eq 'vm') {
	332
	333	$chain = 'PVEFW-FORWARD';
31dc73f1 DM	334	$pkg->{iface_in} = $route_state;
31dc73f1 DM	335	$pkg->{iface_out} = $target->{bridge};
31dc73f1	336	# conditionally set physdev_out (same behavior as kernel)
d1486f38	337	if ($route_state eq $target->{bridge}) {
d1486f38	338	$pkg->{physdev_out} = $target->{fwpr} \|\| die 'internal error';
d1486f38 DM	339	}
	340	$next_route_state = 'fwbr-in';
	341
	342	} else {
	343	die "implement me";
	344	}
	345
	346	} else {
	347	die "implement me $route_state";
	348	}
	349
	350	die "internal error" if !defined($next_route_state);
	351
	352	if ($chain) {
	353	add_trace("IPT check at $route_state (chain $chain)\n");
	354	add_trace(Dumper($pkg));
111cce51 DM	355	$ipt_invocation_counter++;
	356	my ($res, $ctr) = ruleset_simulate_chain($ruleset, $chain, $pkg);
	357	$rule_check_counter += $ctr;
	358	return ($res, $ipt_invocation_counter, $rule_check_counter) if $res ne 'ACCEPT';
d1486f38 DM	359	}
	360
	361	$route_state = $next_route_state;
	362
	363	$physdev_in = $next_physdev_in;
	364	}
	365
111cce51	366	return ('ACCEPT', $ipt_invocation_counter, $rule_check_counter);
d1486f38 DM	367	}
	368
	369	sub extract_ct_info {
	370	my ($vmdata, $vmid) = @_;
	371
	372	my $info = { type => 'ct', vmid => $vmid };
	373
	374	my $conf = $vmdata->{openvz}->{$vmid} \|\| die "no such CT '$vmid'";
	375	if ($conf->{ip_address}) {
	376	$info->{ip_address} = $conf->{ip_address}->{value};
	377	} else {
	378	die "implement me";
	379	}
	380	return $info;
	381	}
	382
	383	sub extract_vm_info {
	384	my ($vmdata, $vmid) = @_;
	385
	386	my $info = { type => 'vm', vmid => $vmid };
	387
	388	my $conf = $vmdata->{qemu}->{$vmid} \|\| die "no such VM '$vmid'";
	389	my $net = PVE::QemuServer::parse_net($conf->{net0});
	390	$info->{macaddr} = $net->{macaddr} \|\| die "unable to get mac address";
	391	$info->{bridge} = $net->{bridge} \|\| die "unable to get bridge";
	392	$info->{fwbr} = "fwbr${vmid}i0";
	393	$info->{tapdev} = "tap${vmid}i0";
	394	$info->{fwln} = "fwln${vmid}i0";
	395	$info->{fwpr} = "fwpr${vmid}p0";
	396
	397	return $info;
	398	}
f1bafd37 DM	399
	400	sub simulate_firewall {
	401	my ($ruleset, $ipset_ruleset, $vmdata, $test) = @_;
	402
	403	my $from = delete $test->{from} \|\| die "missing 'from' field";
	404	my $to = delete $test->{to} \|\| die "missing 'to' field";
	405	my $action = delete $test->{action} \|\| die "missing 'action'";
8215a0da DM	406
	407	my $testid = delete $test->{id};
	408
f1bafd37 DM	409	die "from/to needs to be different" if $from eq $to;
	410
	411	my $pkg = {
f1bafd37	412	proto => 'tcp',
8215a0da DM	413	sport => undef,
	414	dport => undef,
	415	source => undef,
	416	dest => undef,
f1bafd37 DM	417	};
	418
	419	while (my ($k,$v) = each %$test) {
8215a0da	420	die "unknown attribute '$k'\n" if !exists($pkg->{$k});
f1bafd37 DM	421	$pkg->{$k} = $v;
	422	}
	423
d1486f38 DM	424	my $from_info = {};
	425
	426	my $start_state;
f1bafd37 DM	427
f1bafd37 DM	428	if ($from eq 'host') {
d1486f38 DM	429	$from_info->{type} = 'host';
d1486f38 DM	430	$start_state = 'host';
31dc73f1 DM	431	} elsif ($from eq 'outside') {
	432	$from_info->{type} = 'outside';
	433	$start_state = 'from-outside';
f1bafd37 DM	434	} elsif ($from =~ m/^ct(\d+)$/) {
f1bafd37 DM	435	my $vmid = $1;
d1486f38 DM	436	$from_info = extract_ct_info($vmdata, $vmid);
	437	if ($from_info->{ip_address}) {
	438	$pkg->{source} = $from_info->{ip_address};
	439	$start_state = 'venet-out';
f1bafd37 DM	440	} else {
	441	die "implement me";
	442	}
f1bafd37 DM	443	} elsif ($from =~ m/^vm(\d+)$/) {
f1bafd37 DM	444	my $vmid = $1;
d1486f38 DM	445	$from_info = extract_vm_info($vmdata, $vmid);
	446	$start_state = 'fwbr-out';
	447	$pkg->{mac_source} = $from_info->{macaddr};
f1bafd37 DM	448	} else {
	449	die "implement me";
	450	}
	451
d1486f38 DM	452	my $target;
d1486f38 DM	453
f1bafd37	454	if ($to eq 'host') {
d1486f38 DM	455	$target->{type} = 'host';
d1486f38 DM	456	$target->{iface} = 'host';
31dc73f1 DM	457	} elsif ($to eq 'outside') {
	458	$target->{type} = 'outside';
	459	$target->{iface} = $outside_iface;
f1bafd37 DM	460	} elsif ($to =~ m/^ct(\d+)$/) {
f1bafd37 DM	461	my $vmid = $1;
d1486f38 DM	462	$target = extract_ct_info($vmdata, $vmid);
	463	$target->{iface} = 'venet-in';
	464
	465	if ($target->{ip_address}) {
	466	$pkg->{dest} = $target->{ip_address};
f1bafd37 DM	467	} else {
	468	die "implement me";
	469	}
f1bafd37 DM	470	} elsif ($to =~ m/^vm(\d+)$/) {
f1bafd37 DM	471	my $vmid = $1;
d1486f38 DM	472	$target = extract_vm_info($vmdata, $vmid);
d1486f38 DM	473	$target->{iface} = $target->{tapdev};
f1bafd37 DM	474	} else {
	475	die "implement me";
	476	}
	477
111cce51 DM	478	my ($res, $ic, $rc) = route_packet($ruleset, $ipset_ruleset, $pkg,
111cce51 DM	479	$from_info, $target, $start_state);
f1bafd37	480
111cce51 DM	481	add_trace("IPT statistics: invocation = $ic, checks = $rc\n");
111cce51 DM	482
d1486f38	483	die "test failed ($res != $action)\n" if $action ne $res;
f1bafd37	484
d1486f38	485	return undef;
f1bafd37 DM	486	}
	487
	488	sub run_tests {
ec2e28f6 DM	489	my ($vmdata, $testdir, $testfile, $testid) = @_;
	490
	491	$testfile = 'tests' if !$testfile;
f1bafd37 DM	492
	493	$vmdata->{testdir} = $testdir;
	494
	495	my ($ruleset, $ipset_ruleset) =
	496	PVE::Firewall::compile(undef, undef, $vmdata);
	497
ec2e28f6 DM	498	my $filename = "$testdir/$testfile";
	499	my $fh = IO::File->new($filename) \|\|
	500	die "unable to open '$filename' - $!\n";
f1bafd37	501
ec2e28f6	502	my $testcount = 0;
f1bafd37 DM	503	while (defined(my $line = <$fh>)) {
	504	next if $line =~ m/^\s*$/;
	505	next if $line =~ m/^#.*$/;
	506	if ($line =~ m/^\{.\}\s$/) {
	507	my $test = eval $line;
	508	die $@ if $@;
ec2e28f6	509	next if defined($testid) && (!defined($test->{id}) \|\| ($testid ne $test->{id}));
f1bafd37	510	$trace = '';
d1486f38	511	print Dumper($ruleset) if $debug;
ec2e28f6	512	$testcount++;
f1bafd37 DM	513	eval { simulate_firewall($ruleset, $ipset_ruleset, $vmdata, $test); };
	514	if (my $err = $@) {
	515
d1486f38	516	print Dumper($ruleset) if !$debug;
f1bafd37	517
d1486f38	518	print "$trace\n" if !$debug;
f1bafd37	519
ec2e28f6	520	print "$filename line $.: $line";
f1bafd37 DM	521
	522	print "test failed: $err\n";
	523
	524	exit(-1);
	525	}
	526	} else {
	527	die "parse error";
	528	}
	529	}
	530
ec2e28f6 DM	531	die "no tests found\n" if $testcount <= 0;
	532
	533	print "PASS: $filename\n";
f1bafd37 DM	534
	535	return undef;
	536	}
	537
	538	my $vmdata = {
	539	qemu => {
	540	100 => {
d1486f38 DM	541	net0 => "e1000=0E:0B:38:B8:B3:21,bridge=vmbr0",
	542	},
	543	101 => {
	544	net0 => "e1000=0E:0B:38:B8:B3:22,bridge=vmbr0",
	545	},
	546	# on bridge vmbr1
	547	110 => {
	548	net0 => "e1000=0E:0B:38:B8:B4:21,bridge=vmbr1",
f1bafd37 DM	549	},
	550	},
	551	openvz => {
	552	200 => {
	553	ip_address => { value => '10.0.200.1' },
	554	},
d1486f38 DM	555	201 => {
	556	ip_address => { value => '10.0.200.2' },
	557	},
f1bafd37 DM	558	},
	559	};
	560
ec2e28f6 DM	561	if ($testfilename) {
	562	my $testfile;
	563	my $dir;
	564
	565	if (-d $testfilename) {
	566	$dir = $testfilename;
	567	} elsif (-f $testfilename) {
	568	$dir = dirname($testfilename);
	569	$testfile = basename($testfilename);
	570	} else {
	571	die "no such file/dir '$testfilename'\n";
	572	}
	573
	574	run_tests($vmdata, $dir, $testfile, $testid);
	575
	576	} else {
	577	foreach my $dir (<test-*>) {
	578	next if ! -d $dir;
	579	run_tests($vmdata, $dir);
	580	}
f1bafd37 DM	581	}
	582
	583	print "OK - all tests passed\n";
	584
	585	exit(0);