= A simple simulator to test our iptables rule generation =

== Invocation ==

# ./fwtester.pl

Run without arguments, this scans for subdirectories named test-* and invokes
fwtester.pl for each subdirectory with:

# ./fwtester.pl test-<name>/tests

== Test directory contents ==

Each test directory can contain the following files:

* cluster.fw   Cluster-wide firewall config
* host.fw      Host firewall config
* <VMID>.fw    Firewall config for VMs
* tests        Test descriptions

== Test description ==

The test description file can contain one or more tests, one per line, using the
following syntax:

{ from => '<zone>', to => '<zone>', action => '<DROP|REJECT|ACCEPT>', [ source => '<ip>',] [ dest => '<ip>',] [ proto => '<tcp|udp>',] [ dport => <port>,] [ sport => <port>,] [ id => '<name>',] }

The following <zone> definitions exist currently:

* host: The host itself
* outside: The outside world (alias for 'vmbr0/eth0')
* vm<ID>: A QEMU virtual machine
* ct<ID>: An OpenVZ container
* nfvm: Non-firewalled VM (alias for 'vmbr0/tapXYZ')
* vmbr<\d+>/<bport>: Unmanaged bridge port

== Test examples ==

{ from => 'outside', to => 'ct200', dport => 22, action => 'ACCEPT' }
{ from => 'vm101', to => 'vm100', dport => 443, action => 'ACCEPT', id => 'vm2vm'}

You can assign an 'id' to each test, so that you can run it separately:

# ./fwtester.pl -d test-basic1/tests vm2vm
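As an added example (not part of fwtester.pl or the firewall project it tests), the following Perl script reads a constructed `tests` file in the syntax described above, checks every entry against the zone names, actions, protocols and port ranges listed in this document, and selects entries by `id` the way the optional id argument to fwtester.pl does. It assumes that each line of the file is a Perl hash literal and loads it with `eval`; how fwtester.pl itself loads the file is not shown on this page. Because of that assumption, a tests file is executable Perl and must only come from a trusted source. The sample entries and their ids (`ntp`, `typo`) are constructed, and the last one deliberately misspells the action to show what the check reports.

```perl
#!/usr/bin/perl
# Added example: validate and select fwtester-style test descriptions.
# Not part of fwtester.pl; written to illustrate the syntax documented above.
use strict;
use warnings;

# Constructed sample 'tests' file contents (hypothetical entries).
my $tests_text = <<'EOF';
{ from => 'outside', to => 'ct200', dport => 22, action => 'ACCEPT' }
{ from => 'vm101', to => 'vm100', dport => 443, action => 'ACCEPT', id => 'vm2vm' }
{ from => 'outside', to => 'host', proto => 'udp', dport => 123, action => 'DROP', id => 'ntp' }
{ from => 'nfvm', to => 'vmbr0/eth0', action => 'RECECT', id => 'typo' }
EOF

# Zones documented above: host, outside, nfvm, vm<ID>, ct<ID>, vmbr<N>/<bport>.
my $zone_re = qr{^(?:host|outside|nfvm|vm\d+|ct\d+|vmbr\d+/\S+)$};
my %actions = map { $_ => 1 } qw(DROP REJECT ACCEPT);

# Parse one test description per line. Assumption: each line is a Perl hash
# literal and is evaluated as code (the leading '+' makes Perl parse the
# braces as a hash, not a block), so only trusted files may be loaded.
sub parse_tests {
    my ($text) = @_;
    my @tests;
    my $lineno = 0;
    for my $line (split /\n/, $text) {
        $lineno++;
        next if $line =~ /^\s*(#|$)/;        # skip blank and comment lines
        my $t = eval "+$line";
        die "line $lineno: $@" if $@;
        die "line $lineno: not a hash\n" unless ref($t) eq 'HASH';
        $t->{_line} = $lineno;
        push @tests, $t;
    }
    return \@tests;
}

# Return the list of problems found in one test (empty list means valid).
sub check_test {
    my ($t) = @_;
    my @errors;
    for my $k (qw(from to)) {
        push @errors, "$k missing" unless defined $t->{$k};
        push @errors, "$k '$t->{$k}' is not a known zone"
            if defined $t->{$k} && $t->{$k} !~ $zone_re;
    }
    push @errors, "action missing" unless defined $t->{action};
    push @errors, "action '$t->{action}' must be DROP, REJECT or ACCEPT"
        if defined $t->{action} && !$actions{$t->{action}};
    push @errors, "proto '$t->{proto}' must be tcp or udp"
        if defined $t->{proto} && $t->{proto} !~ /^(?:tcp|udp)$/;
    for my $k (qw(dport sport)) {
        next unless defined $t->{$k};
        push @errors, "$k '$t->{$k}' is not a valid port"
            unless $t->{$k} =~ /^\d+$/ && $t->{$k} >= 1 && $t->{$k} <= 65535;
    }
    for my $k (qw(source dest)) {
        next unless defined $t->{$k};
        push @errors, "$k '$t->{$k}' is not an IPv4 address"
            unless $t->{$k} =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    }
    return @errors;
}

# Select tests by id, like the optional id argument of fwtester.pl;
# with no id every test is selected.
sub select_tests {
    my ($tests, $id) = @_;
    return @$tests unless defined $id;
    return grep { defined $_->{id} && $_->{id} eq $id } @$tests;
}

my $tests = parse_tests($tests_text);
my $bad = 0;
for my $t (select_tests($tests, $ARGV[0])) {
    my @errors = check_test($t);
    my $label = $t->{id} // "line $t->{_line}";
    if (@errors) {
        $bad++;
        print "$label: INVALID: ", join('; ', @errors), "\n";
    } else {
        printf "%s: %s -> %s %s%s\n", $label, $t->{from}, $t->{to},
            $t->{action}, defined $t->{dport} ? " dport $t->{dport}" : '';
    }
}
exit($bad ? 1 : 0);
```

Run it as `perl check_tests.pl` to check every entry, or `perl check_tests.pl vm2vm` to check only the entry with that id; it exits non-zero when any selected entry is invalid, so it can be used as a pre-check before handing a tests file to fwtester.pl.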