add tests for host interface match

[pve-firewall.git] / test / fwtester.pl

diff --git a/test/fwtester.pl b/test/fwtester.pl
index 9aa3c480627b88471012f615ccee9a44abdd9f70..7a21fc9ed3e9f70b04a553ab18f0a763a9227c0d 100755 (executable)
--- a/test/fwtester.pl
+++ b/test/fwtester.pl
@@ -37,6 +37,13 @@ sub add_trace {
     }
 }
 
+sub nf_dev_match {
+    my ($devre, $dev) = @_;
+
+    $devre =~ s/\+$/\.\*/;
+    return  ($dev =~ m/^${devre}$/) ? 1 : 0;
+}
+
 sub rule_match {
     my ($chain, $rule, $pkg) = @_;
 
@@ -51,12 +58,14 @@ sub rule_match {
     }
 
     if ($rule =~ s/^-i (\S+)\s*//) {
+       my $devre = $1;
        die "missing iface_in" if !$pkg->{iface_in};
-       return undef if $pkg->{iface_in} ne $1; # no match
+       return undef if !nf_dev_match($devre, $pkg->{iface_in});
     }
     if ($rule =~ s/^-o (\S+)\s*//) {
+       my $devre = $1;
        die "missing iface_out" if !$pkg->{iface_out};
-       return undef if $pkg->{iface_out} ne $1; # no match
+       return undef if !nf_dev_match($devre, $pkg->{iface_out});
     }
 
     if ($rule =~ s/^-p (tcp|udp)\s*//) {
@@ -91,16 +100,14 @@ sub rule_match {
 
     if ($rule =~ s/^-m physdev --physdev-is-bridged --physdev-in (\S+)\s*//) {
        my $devre = $1;
-       $devre =~ s/\+/\.\*/;
        return undef if !$pkg->{physdev_in};
-       return undef if $pkg->{physdev_in} !~ m/^${devre}$/;
+       return undef if !nf_dev_match($devre, $pkg->{physdev_in});
     }
 
     if ($rule =~ s/^-m physdev --physdev-is-bridged --physdev-out (\S+)\s*//) {
        my $devre = $1;
-       $devre =~ s/\+/\.\*/;
        return undef if !$pkg->{physdev_out};
-       return undef if $pkg->{physdev_out} !~ m/^${devre}$/;
+       return undef if !nf_dev_match($devre, $pkg->{physdev_out});
     }
 
     if ($rule =~ s/^-j MARK --set-mark (\d+)\s*$//) {
@@ -294,6 +301,7 @@ sub route_packet {
        } elsif ($route_state =~ m/^vmbr\d+$/) {
            
            die "missing physdev_in - internal error?" if !$physdev_in;
+           $pkg->{physdev_in} = $physdev_in;
 
            if ($target->{type} eq 'host') {
 
@@ -307,7 +315,6 @@ sub route_packet {
                $chain = 'PVEFW-FORWARD';
                $pkg->{iface_in} = $route_state;
                $pkg->{iface_out} = $outside_bridge;
-               $pkg->{physdev_in} = $physdev_in;
                # conditionally set physdev_out (same behavior as kernel)
                if ($route_state eq $outside_bridge) {
                    $pkg->{physdev_out} = $outside_iface || die 'internal error';
@@ -326,7 +333,6 @@ sub route_packet {
                $chain = 'PVEFW-FORWARD';
                $pkg->{iface_in} = $route_state;
                $pkg->{iface_out} = $target->{bridge};
-               $pkg->{physdev_in} = $physdev_in;
                # conditionally set physdev_out (same behavior as kernel)
                if ($route_state eq $target->{bridge}) {
                    $pkg->{physdev_out} = $target->{fwpr} || die 'internal error';