]>
git.proxmox.com Git - pve-firewall.git/blob - test/fwtester.pl
17 sub print_usage_and_exit
{
18 die "usage: $0 [--debug] [testfile [testid]]\n";
21 if (!GetOptions
('debug' => \
$debug)) {
22 print_usage_and_exit
();
25 my $testfilename = shift;
39 my ($devre, $dev) = @_;
41 $devre =~ s/\+$/\.\*/;
42 return ($dev =~ m/^${devre}$/) ?
1 : 0;
46 my ($ipsetname, $ipset, $ipaddr) = @_;
48 my $ip = Net
::IP-
>new($ipaddr);
50 foreach my $entry (@$ipset) {
51 next if $entry =~ m/^create/; # simply ignore
52 if ($entry =~ m/add \S+ (\S+)$/) {
53 my $test = Net
::IP-
>new($1);
54 if ($test->overlaps($ip)) {
55 add_trace
("IPSET $ipsetname match $ipaddr\n");
67 my ($ipset_ruleset, $chain, $rule, $pkg) = @_;
69 $rule =~ s/^-A $chain // || die "got strange rule: $rule";
71 while (length($rule)) {
73 if ($rule =~ s/^-m conntrack\s*//) {
74 return undef; # simply ignore
77 if ($rule =~ s/^-m addrtype\s*//) {
78 return undef; # simply ignore
81 if ($rule =~ s/^-i (\S+)\s*//) {
83 die "missing iface_in" if !$pkg->{iface_in
};
84 return undef if !nf_dev_match
($devre, $pkg->{iface_in
});
88 if ($rule =~ s/^-o (\S+)\s*//) {
90 die "missing iface_out" if !$pkg->{iface_out
};
91 return undef if !nf_dev_match
($devre, $pkg->{iface_out
});
95 if ($rule =~ s/^-p (tcp|udp)\s*//) {
96 die "missing proto" if !$pkg->{proto
};
97 return undef if $pkg->{proto
} ne $1; # no match
101 if ($rule =~ s/^--dport (\d+):(\d+)\s*//) {
102 die "missing dport" if !$pkg->{dport
};
103 return undef if ($pkg->{dport
} < $1) || ($pkg->{dport
} > $2); # no match
107 if ($rule =~ s/^--dport (\d+)\s*//) {
108 die "missing dport" if !$pkg->{dport
};
109 return undef if $pkg->{dport
} != $1; # no match
113 if ($rule =~ s/^-s (\S+)\s*//) {
114 die "missing source" if !$pkg->{source
};
115 my $ip = Net
::IP-
>new($1);
116 return undef if !$ip->overlaps(Net
::IP-
>new($pkg->{source
})); # no match
120 if ($rule =~ s/^-d (\S+)\s*//) {
121 die "missing destination" if !$pkg->{dest
};
122 my $ip = Net
::IP-
>new($1);
123 return undef if !$ip->overlaps(Net
::IP-
>new($pkg->{dest
})); # no match
127 if ($rule =~ s/^-m set --match-set (\S+) src\s*//) {
128 die "missing source" if !$pkg->{source
};
129 my $ipset = $ipset_ruleset->{$1};
130 die "no such ip set '$1'" if !$ipset;
131 return undef if !ipset_match
($1, $ipset, $pkg->{source
});
135 if ($rule =~ s/^-m set --match-set (\S+) dst\s*//) {
136 die "missing destination" if !$pkg->{dest
};
137 my $ipset = $ipset_ruleset->{$1};
138 die "no such ip set '$1'" if !$ipset;
139 return undef if !ipset_match
($1, $ipset, $pkg->{dest
});
143 if ($rule =~ s/^-m mac ! --mac-source (\S+)\s*//) {
144 die "missing source mac" if !$pkg->{mac_source
};
145 return undef if $pkg->{mac_source
} eq $1; # no match
149 if ($rule =~ s/^-m physdev --physdev-is-bridged --physdev-in (\S+)\s*//) {
151 return undef if !$pkg->{physdev_in
};
152 return undef if !nf_dev_match
($devre, $pkg->{physdev_in
});
156 if ($rule =~ s/^-m physdev --physdev-is-bridged --physdev-out (\S+)\s*//) {
158 return undef if !$pkg->{physdev_out
};
159 return undef if !nf_dev_match
($devre, $pkg->{physdev_out
});
163 if ($rule =~ s/^-m mark --mark (\d+)\s*//) {
164 return undef if !defined($mark) || $mark != $1;
170 if ($rule =~ s/^-j MARK --set-mark (\d+)\s*$//) {
175 if ($rule =~ s/^-j (\S+)\s*$//) {
179 if ($rule =~ s/^-g (\S+)\s*$//) {
183 if ($rule =~ s/^-j NFLOG --nflog-prefix \"[^\"]+\"$//) {
190 die "unable to parse rule: $rule";
193 sub ruleset_simulate_chain
{
194 my ($ruleset, $ipset_ruleset, $chain, $pkg) = @_;
196 add_trace
("ENTER chain $chain\n");
200 if ($chain eq 'PVEFW-Drop') {
201 add_trace
("LEAVE chain $chain\n");
202 return ('DROP', $counter);
204 if ($chain eq 'PVEFW-reject') {
205 add_trace
("LEAVE chain $chain\n");
206 return ('REJECT', $counter);
209 if ($chain eq 'PVEFW-tcpflags') {
210 add_trace
("LEAVE chain $chain\n");
211 return (undef, $counter);
214 my $rules = $ruleset->{$chain} ||
215 die "no such chain '$chain'";
217 foreach my $rule (@$rules) {
219 my ($goto, $action) = rule_match
($ipset_ruleset, $chain, $rule, $pkg);
220 if (!defined($action)) {
221 add_trace
("SKIP: $rule\n");
224 add_trace
("MATCH: $rule\n");
226 if ($action eq 'ACCEPT' || $action eq 'DROP' || $action eq 'REJECT') {
227 add_trace
("TERMINATE chain $chain: $action\n");
228 return ($action, $counter);
229 } elsif ($action eq 'RETURN') {
230 add_trace
("RETURN FROM chain $chain\n");
234 add_trace
("LEAVE chain $chain - goto $action\n");
235 return ruleset_simulate_chain
($ruleset, $ipset_ruleset, $action, $pkg)
237 #$rules = $ruleset->{$chain} || die "no such chain '$chain'";
239 my ($act, $ctr) = ruleset_simulate_chain
($ruleset, $ipset_ruleset, $action, $pkg);
241 return ($act, $counter) if $act;
242 add_trace
("CONTINUE chain $chain\n");
247 add_trace
("LEAVE chain $chain\n");
248 if ($chain =~ m/^PVEFW-(INPUT|OUTPUT|FORWARD)$/) {
249 return ('ACCEPT', $counter); # default policy
252 return (undef, $counter);
260 while (my ($k,$v) = each %$pkg) {
267 # Try to simulate packet traversal inside kernel. This invokes iptable
268 # checks several times.
270 my ($ruleset, $ipset_ruleset, $pkg, $from_info, $target, $start_state) = @_;
272 my $route_state = $start_state;
276 my $ipt_invocation_counter = 0;
277 my $rule_check_counter = 0;
279 while ($route_state ne $target->{iface
}) {
282 my $next_route_state;
285 $pkg->{iface_in
} = $pkg->{iface_out
} = undef;
286 $pkg->{physdev_in
} = $pkg->{physdev_out
} = undef;
288 if ($route_state eq 'from-bport') {
289 $next_route_state = $from_info->{bridge
} || die 'internal error';
290 $next_physdev_in = $from_info->{iface
} || die 'internal error';
291 } elsif ($route_state eq 'host') {
293 if ($target->{type
} eq 'bport') {
294 $pkg->{iface_in
} = 'lo';
295 $pkg->{iface_out
} = $target->{bridge
} || die 'internal error';
296 $chain = 'PVEFW-OUTPUT';
297 $next_route_state = $target->{iface
} || die 'internal error';
298 } elsif ($target->{type
} eq 'ct') {
299 $pkg->{iface_in
} = 'lo';
300 $pkg->{iface_out
} = 'venet0';
301 $chain = 'PVEFW-OUTPUT';
302 $next_route_state = 'venet-in';
303 } elsif ($target->{type
} eq 'vm') {
304 $pkg->{iface_in
} = 'lo';
305 $pkg->{iface_out
} = $target->{bridge
} || die 'internal error';
306 $chain = 'PVEFW-OUTPUT';
307 $next_route_state = 'fwbr-in';
312 } elsif ($route_state eq 'venet-out') {
314 if ($target->{type
} eq 'host') {
316 $chain = 'PVEFW-INPUT';
317 $pkg->{iface_in
} = 'venet0';
318 $pkg->{iface_out
} = 'lo';
319 $next_route_state = 'host';
321 } elsif ($target->{type
} eq 'bport') {
323 $chain = 'PVEFW-FORWARD';
324 $pkg->{iface_in
} = 'venet0';
325 $pkg->{iface_out
} = $target->{bridge
} || die 'internal error';
326 $next_route_state = $target->{iface
} || die 'internal error';
328 } elsif ($target->{type
} eq 'vm') {
330 $chain = 'PVEFW-FORWARD';
331 $pkg->{iface_in
} = 'venet0';
332 $pkg->{iface_out
} = $target->{bridge
} || die 'internal error';
333 $next_route_state = 'fwbr-in';
335 } elsif ($target->{type
} eq 'ct') {
337 $chain = 'PVEFW-FORWARD';
338 $pkg->{iface_in
} = 'venet0';
339 $pkg->{iface_out
} = 'venet0';
340 $next_route_state = 'venet-in';
346 } elsif ($route_state eq 'fwbr-out') {
348 $chain = 'PVEFW-FORWARD';
349 $next_route_state = $from_info->{bridge
} || die 'internal error';
350 $next_physdev_in = $from_info->{fwpr
} || die 'internal error';
351 $pkg->{iface_in
} = $from_info->{fwbr
} || die 'internal error';
352 $pkg->{iface_out
} = $from_info->{fwbr
} || die 'internal error';
353 $pkg->{physdev_in
} = $from_info->{tapdev
} || die 'internal error';
354 $pkg->{physdev_out
} = $from_info->{fwln
} || die 'internal error';
356 } elsif ($route_state eq 'fwbr-in') {
358 $chain = 'PVEFW-FORWARD';
359 $next_route_state = $target->{tapdev
};
360 $pkg->{iface_in
} = $target->{fwbr
} || die 'internal error';
361 $pkg->{iface_out
} = $target->{fwbr
} || die 'internal error';
362 $pkg->{physdev_in
} = $target->{fwln
} || die 'internal error';
363 $pkg->{physdev_out
} = $target->{tapdev
} || die 'internal error';
365 } elsif ($route_state =~ m/^vmbr\d+$/) {
367 die "missing physdev_in - internal error?" if !$physdev_in;
368 $pkg->{physdev_in
} = $physdev_in;
370 if ($target->{type
} eq 'host') {
372 $chain = 'PVEFW-INPUT';
373 $pkg->{iface_in
} = $route_state;
374 $pkg->{iface_out
} = 'lo';
375 $next_route_state = 'host';
377 } elsif ($target->{type
} eq 'bport') {
379 $chain = 'PVEFW-FORWARD';
380 $pkg->{iface_in
} = $route_state;
381 $pkg->{iface_out
} = $target->{bridge
} || die 'internal error';
382 # conditionally set physdev_out (same behavior as kernel)
383 if ($route_state eq $target->{bridge
}) {
384 $pkg->{physdev_out
} = $target->{iface
} || die 'internal error';
386 $next_route_state = $target->{iface
};
388 } elsif ($target->{type
} eq 'ct') {
390 $chain = 'PVEFW-FORWARD';
391 $pkg->{iface_in
} = $route_state;
392 $pkg->{iface_out
} = 'venet0';
393 $next_route_state = 'venet-in';
395 } elsif ($target->{type
} eq 'vm') {
397 $chain = 'PVEFW-FORWARD';
398 $pkg->{iface_in
} = $route_state;
399 $pkg->{iface_out
} = $target->{bridge
};
400 # conditionally set physdev_out (same behavior as kernel)
401 if ($route_state eq $target->{bridge
}) {
402 $pkg->{physdev_out
} = $target->{fwpr
} || die 'internal error';
404 $next_route_state = 'fwbr-in';
411 die "implement me $route_state";
414 die "internal error" if !defined($next_route_state);
417 add_trace
("IPT check at $route_state (chain $chain)\n");
418 add_trace
(Dumper
($pkg));
419 $ipt_invocation_counter++;
420 my ($res, $ctr) = ruleset_simulate_chain
($ruleset, $ipset_ruleset, $chain, $pkg);
421 $rule_check_counter += $ctr;
422 return ($res, $ipt_invocation_counter, $rule_check_counter) if $res ne 'ACCEPT';
425 $route_state = $next_route_state;
427 $physdev_in = $next_physdev_in;
430 return ('ACCEPT', $ipt_invocation_counter, $rule_check_counter);
433 sub extract_ct_info
{
434 my ($vmdata, $vmid) = @_;
436 my $info = { type
=> 'ct', vmid
=> $vmid };
438 my $conf = $vmdata->{openvz
}->{$vmid} || die "no such CT '$vmid'";
439 if ($conf->{ip_address
}) {
440 $info->{ip_address
} = $conf->{ip_address
}->{value
};
447 sub extract_vm_info
{
448 my ($vmdata, $vmid) = @_;
450 my $info = { type
=> 'vm', vmid
=> $vmid };
452 my $conf = $vmdata->{qemu
}->{$vmid} || die "no such VM '$vmid'";
453 my $net = PVE
::QemuServer
::parse_net
($conf->{net0
});
454 $info->{macaddr
} = $net->{macaddr
} || die "unable to get mac address";
455 $info->{bridge
} = $net->{bridge
} || die "unable to get bridge";
456 $info->{fwbr
} = "fwbr${vmid}i0";
457 $info->{tapdev
} = "tap${vmid}i0";
458 $info->{fwln
} = "fwln${vmid}i0";
459 $info->{fwpr
} = "fwpr${vmid}p0";
464 sub simulate_firewall
{
465 my ($ruleset, $ipset_ruleset, $vmdata, $test) = @_;
467 my $from = $test->{from
} || die "missing 'from' field";
468 my $to = $test->{to
} || die "missing 'to' field";
469 my $action = $test->{action
} || die "missing 'action'";
471 my $testid = $test->{id
};
473 die "from/to needs to be different" if $from eq $to;
483 while (my ($k,$v) = each %$test) {
484 next if $k eq 'from';
486 next if $k eq 'action';
488 die "unknown attribute '$k'\n" if !exists($pkg->{$k});
496 if ($from eq 'host') {
497 $from_info->{type
} = 'host';
498 $start_state = 'host';
499 } elsif ($from =~ m
|^(vmbr\d
+)/(\S
+)$|) {
500 $from_info->{type
} = 'bport';
501 $from_info->{bridge
} = $1;
502 $from_info->{iface
} = $2;
503 $start_state = 'from-bport';
504 } elsif ($from eq 'outside') {
505 $from_info->{type
} = 'bport';
506 $from_info->{bridge
} = 'vmbr0';
507 $from_info->{iface
} = 'eth0';
508 $start_state = 'from-bport';
509 } elsif ($from eq 'nfvm') {
510 $from_info->{type
} = 'bport';
511 $from_info->{bridge
} = 'vmbr0';
512 $from_info->{iface
} = 'tapXYZ';
513 $start_state = 'from-bport';
514 } elsif ($from =~ m/^ct(\d+)$/) {
516 $from_info = extract_ct_info
($vmdata, $vmid);
517 if ($from_info->{ip_address
}) {
518 $pkg->{source
} = $from_info->{ip_address
} if !defined($pkg->{source
});
519 $start_state = 'venet-out';
523 } elsif ($from =~ m/^vm(\d+)$/) {
525 $from_info = extract_vm_info
($vmdata, $vmid);
526 $start_state = 'fwbr-out';
527 $pkg->{mac_source
} = $from_info->{macaddr
};
529 die "unable to parse \"from => '$from'\"\n";
532 $pkg->{source
} = '100.200.3.4' if !defined($pkg->{source
});
537 $target->{type
} = 'host';
538 $target->{iface
} = 'host';
539 } elsif ($to =~ m
|^(vmbr\d
+)/(\S
+)$|) {
540 $target->{type
} = 'bport';
541 $target->{bridge
} = $1;
542 $target->{iface
} = $2;
543 } elsif ($to eq 'outside') {
544 $target->{type
} = 'bport';
545 $target->{bridge
} = 'vmbr0';
546 $target->{iface
} = 'eth0';
547 } elsif ($to eq 'nfvm') {
548 $target->{type
} = 'bport';
549 $target->{bridge
} = 'vmbr0';
550 $target->{iface
} = 'tapXYZ';
551 } elsif ($to =~ m/^ct(\d+)$/) {
553 $target = extract_ct_info
($vmdata, $vmid);
554 $target->{iface
} = 'venet-in';
556 if ($target->{ip_address
}) {
557 $pkg->{dest
} = $target->{ip_address
};
561 } elsif ($to =~ m/^vm(\d+)$/) {
563 $target = extract_vm_info
($vmdata, $vmid);
564 $target->{iface
} = $target->{tapdev
};
566 die "unable to parse \"to => '$to'\"\n";
569 my ($res, $ic, $rc) = route_packet
($ruleset, $ipset_ruleset, $pkg,
570 $from_info, $target, $start_state);
572 add_trace
("IPT statistics: invocation = $ic, checks = $rc\n");
574 die "test failed ($res != $action)\n" if $action ne $res;
580 my ($vmdata, $testdir, $testfile, $testid) = @_;
582 $testfile = 'tests' if !$testfile;
584 $vmdata->{testdir
} = $testdir;
586 my ($ruleset, $ipset_ruleset) =
587 PVE
::Firewall
::compile
(undef, undef, $vmdata);
589 my $filename = "$testdir/$testfile";
590 my $fh = IO
::File-
>new($filename) ||
591 die "unable to open '$filename' - $!\n";
594 while (defined(my $line = <$fh>)) {
595 next if $line =~ m/^\s*$/;
596 next if $line =~ m/^#.*$/;
597 if ($line =~ m/^\{.*\}\s*$/) {
598 my $test = eval $line;
600 next if defined($testid) && (!defined($test->{id
}) || ($testid ne $test->{id
}));
602 print Dumper
($ruleset) if $debug;
605 my @test_zones = qw(host outside nfvm vm100 ct200);
606 if (!defined($test->{from
}) && !defined($test->{to
})) {
607 die "missing zone speification (from, to)\n";
608 } elsif (!defined($test->{to
})) {
609 foreach my $zone (@test_zones) {
610 next if $zone eq $test->{from
};
612 add_trace
("Set Zone: to => '$zone'\n");
613 simulate_firewall
($ruleset, $ipset_ruleset, $vmdata, $test);
615 } elsif (!defined($test->{from
})) {
616 foreach my $zone (@test_zones) {
617 next if $zone eq $test->{to
};
618 $test->{from
} = $zone;
619 add_trace
("Set Zone: from => '$zone'\n");
620 simulate_firewall
($ruleset, $ipset_ruleset, $vmdata, $test);
623 simulate_firewall
($ruleset, $ipset_ruleset, $vmdata, $test);
628 print Dumper
($ruleset) if !$debug;
630 print "$trace\n" if !$debug;
632 print "$filename line $.: $line";
634 print "test failed: $err\n";
643 die "no tests found\n" if $testcount <= 0;
645 print "PASS: $filename\n";
653 net0
=> "e1000=0E:0B:38:B8:B3:21,bridge=vmbr0,firewall=1",
656 net0
=> "e1000=0E:0B:38:B8:B3:22,bridge=vmbr0,firewall=1",
660 net0
=> "e1000=0E:0B:38:B8:B4:21,bridge=vmbr1,firewall=1",
665 ip_address
=> { value
=> '10.0.200.1' },
668 ip_address
=> { value
=> '10.0.200.2' },
677 if (-d
$testfilename) {
678 $dir = $testfilename;
679 } elsif (-f
$testfilename) {
680 $dir = dirname
($testfilename);
681 $testfile = basename
($testfilename);
683 die "no such file/dir '$testfilename'\n";
686 run_tests
($vmdata, $dir, $testfile, $testid);
689 foreach my $dir (<test-
*>) {
691 run_tests
($vmdata, $dir);
695 print "OK - all tests passed\n";