X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=test%2Ffwtester.pl;h=0399bbe2599de9f616f1f90ee2ffdc084ff02286;hp=832d35eea66a2557a3ff684f81039029c46a107c;hb=31dc73f1fd74613a6f06b86665c7fec6b1286cdd;hpb=d1486f380e40990a84770bfb8cd1c95b1d2eb302

diff --git a/test/fwtester.pl b/test/fwtester.pl
index 832d35e..0399bbe 100755
--- a/test/fwtester.pl
+++ b/test/fwtester.pl
@@ -9,6 +9,9 @@ use PVE::Firewall;
 my $mark;
 my $trace;
 
+my $outside_iface = 'eth0';
+my $outside_bridge = 'vmbr0';
+
 my $debug = 0;
 
 sub add_trace {
@@ -192,9 +195,17 @@ sub route_packet {
 	$pkg->{iface_in} = $pkg->{iface_out} = undef;
 	$pkg->{physdev_in} = $pkg->{physdev_out} = undef;
 
-	if ($route_state eq 'host') {
+	if ($route_state eq 'from-outside') {
+	    $next_route_state = $outside_bridge || die 'internal error';
+	    $next_physdev_in = $outside_iface || die 'internal error';
+	} elsif ($route_state eq 'host') {
 
-	    if ($target->{type} eq 'ct') {
+	    if ($target->{type} eq 'outside') {
+		$pkg->{iface_in} = 'lo';
+		$pkg->{iface_out} = $outside_bridge;
+		$chain = 'PVEFW-OUTPUT';
+		$next_route_state = $outside_iface
+	    } elsif ($target->{type} eq 'ct') {
 		$pkg->{iface_in} = 'lo';
 		$pkg->{iface_out} = 'venet0';
 		$chain = 'PVEFW-OUTPUT';
@@ -217,6 +228,13 @@ sub route_packet {
 		$pkg->{iface_out} = 'lo';
 		$next_route_state = 'host';
 
+	    } elsif ($target->{type} eq 'outside') {
+		
+		$chain = 'PVEFW-FORWARD';
+		$pkg->{iface_in} = 'venet0';
+		$pkg->{iface_out} = $outside_bridge;
+		$next_route_state = $outside_iface;
+
 	    } elsif ($target->{type} eq 'vm') {
 
 		$chain = 'PVEFW-FORWARD';
@@ -265,6 +283,24 @@ sub route_packet {
 		$pkg->{iface_out} = 'lo';
 		$next_route_state = 'host';
 
+		if ($route_state eq $outside_bridge) {
+
+		} else {
+
+		}
+
+	    } elsif ($target->{type} eq 'outside') {
+
+		$chain = 'PVEFW-FORWARD';
+		$pkg->{iface_in} = $route_state;
+		$pkg->{iface_out} = $outside_bridge;
+		$pkg->{physdev_in} = $physdev_in;
+		# conditionally set physdev_out (same behavior as kernel)
+		if ($route_state eq $outside_bridge) {
+		    $pkg->{physdev_out} = $outside_iface || die 'internal error';
+		}
+		$next_route_state = $outside_iface;
+
 	    } elsif ($target->{type} eq 'ct') {
 
 		$chain = 'PVEFW-FORWARD';
@@ -275,16 +311,12 @@ sub route_packet {
 	    } elsif ($target->{type} eq 'vm') {
 
 		$chain = 'PVEFW-FORWARD';
+		$pkg->{iface_in} = $route_state;
+		$pkg->{iface_out} = $target->{bridge};
+		$pkg->{physdev_in} = $physdev_in;
+		# conditionally set physdev_out (same behavior as kernel)
 		if ($route_state eq $target->{bridge}) {
-		    $pkg->{iface_in} = $route_state;
-		    $pkg->{iface_out} = $route_state;
-		    $pkg->{physdev_in} = $physdev_in;
 		    $pkg->{physdev_out} = $target->{fwpr} || die 'internal error';
-		} else {
-		    $pkg->{iface_in} = $route_state;
-		    $pkg->{iface_out} = $route_state;
-		    $pkg->{physdev_in} = $physdev_in;
-		    # do not set physdev_out (same behavior as kernel)
 		}
 		$next_route_state = 'fwbr-in';
 
@@ -372,6 +404,9 @@ sub simulate_firewall {
     if ($from eq 'host') {
 	$from_info->{type} = 'host';
 	$start_state = 'host';
+    } elsif ($from eq 'outside') {
+	$from_info->{type} = 'outside';
+	$start_state = 'from-outside';
     } elsif ($from =~ m/^ct(\d+)$/) {
 	my $vmid = $1;
 	$from_info = extract_ct_info($vmdata, $vmid);
@@ -395,6 +430,9 @@ sub simulate_firewall {
     if ($to eq 'host') {
 	$target->{type} = 'host';
 	$target->{iface} = 'host';
+    } elsif ($to eq 'outside') {
+	$target->{type} = 'outside';
+	$target->{iface} = $outside_iface;
     } elsif ($to =~ m/^ct(\d+)$/) {
 	my $vmid = $1;
 	$target = extract_ct_info($vmdata, $vmid);