X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=blobdiff_plain;f=test%2Ffwtester.pl;h=af25014efe8f6a61e041f8f5ae3a0bf01b8a113a;hp=7a21fc9ed3e9f70b04a553ab18f0a763a9227c0d;hb=c0c871d8584339d0f13a8749c2900b8539e9f282;hpb=e4e5fcaf206997205c1008fdf862babcf26c877a diff --git a/test/fwtester.pl b/test/fwtester.pl index 7a21fc9..af25014 100755 --- a/test/fwtester.pl +++ b/test/fwtester.pl @@ -14,6 +14,9 @@ my $trace; my $outside_iface = 'eth0'; my $outside_bridge = 'vmbr0'; +my $nfvm_iface = 'tapXYZ'; +my $nfvm_bridge = 'vmbr0'; + my $debug = 0; sub print_usage_and_exit { @@ -131,7 +134,7 @@ sub ruleset_simulate_chain { add_trace("ENTER chain $chain\n"); - my $counter = 2; # ENTER + LEAVE = 2 + my $counter = 0; if ($chain eq 'PVEFW-Drop') { add_trace("LEAVE chain $chain\n"); @@ -224,6 +227,9 @@ sub route_packet { if ($route_state eq 'from-outside') { $next_route_state = $outside_bridge || die 'internal error'; $next_physdev_in = $outside_iface || die 'internal error'; + } elsif ($route_state eq 'from-nfvm') { + $next_route_state = $nfvm_bridge || die 'internal error'; + $next_physdev_in = $nfvm_iface || die 'internal error'; } elsif ($route_state eq 'host') { if ($target->{type} eq 'outside') { @@ -231,6 +237,11 @@ sub route_packet { $pkg->{iface_out} = $outside_bridge; $chain = 'PVEFW-OUTPUT'; $next_route_state = $outside_iface + } elsif ($target->{type} eq 'nfvm') { + $pkg->{iface_in} = 'lo'; + $pkg->{iface_out} = $nfvm_bridge; + $chain = 'PVEFW-OUTPUT'; + $next_route_state = $nfvm_iface } elsif ($target->{type} eq 'ct') { $pkg->{iface_in} = 'lo'; $pkg->{iface_out} = 'venet0'; @@ -261,6 +272,13 @@ sub route_packet { $pkg->{iface_out} = $outside_bridge; $next_route_state = $outside_iface; + } elsif ($target->{type} eq 'nfvm') { + + $chain = 'PVEFW-FORWARD'; + $pkg->{iface_in} = 'venet0'; + $pkg->{iface_out} = $nfvm_bridge; + $next_route_state = $nfvm_iface; + } elsif ($target->{type} eq 'vm') { $chain = 'PVEFW-FORWARD'; 
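Review bot: The two globals added in the `@@ -14,6 +14,9 @@` hunk carry no comment, and nothing on the new side says what `nfvm` stands for or why `'tapXYZ'` is a safe port name to simulate with. `$nfvm_bridge` is the same `'vmbr0'` as `$outside_bridge`, so the new endpoint differs from `outside` only in its physdev name, and that is worth stating where the values are defined. I would add something like `# nfvm: VM on vmbr0 without firewall config (presumably); 'tapXYZ' is a made-up tap name that must not match any generated per-VM chain`, with the meaning confirmed by the author.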
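Review bot: `my $counter = 0;` in `ruleset_simulate_chain` drops the `# ENTER + LEAVE = 2` explanation without replacing it, so the new side no longer says what the counter measures. The function body continues outside the hunk, so it cannot be seen here whether ENTER/LEAVE are now counted elsewhere or deliberately excluded. If any test expectation compares this count, the new base would change the result for every chain visited. A one-line comment such as `# counts evaluated rules only; ENTER/LEAVE trace lines are not included` (wording to be confirmed) would record the intent.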
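Review bot: The `nfvm` branch added to the `host` case of `route_packet` (`@@ -231,6 +237,11 @@`) copies the `outside` branch above it with only the two variables swapped, the `@@ -261,6 +272,13 @@` hunk does the same, and the `@@ -321,6 +339,17 @@` hunk appears to repeat it a third time. Parallel copies of routing logic in a firewall test harness can drift apart silently, and a drifted copy would make the simulator walk a different chain than the one the real ruleset applies. Consider resolving the pair once, e.g. `my ($br, $port) = $target->{type} eq 'nfvm' ? ($nfvm_bridge, $nfvm_iface) : ($outside_bridge, $outside_iface);`, and sharing one branch for both types. The copied `$next_route_state = $nfvm_iface` in the `host` case also lacks its terminating `;`, which is legal before `}` but breaks as soon as a statement is appended. `route_packet` starts and ends outside these hunks.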
@@ -321,6 +339,17 @@ sub route_packet { } $next_route_state = $outside_iface; + } elsif ($target->{type} eq 'nfvm') { + + $chain = 'PVEFW-FORWARD'; + $pkg->{iface_in} = $route_state; + $pkg->{iface_out} = $nfvm_bridge; + # conditionally set physdev_out (same behavior as kernel) + if ($route_state eq $nfvm_bridge) { + $pkg->{physdev_out} = $nfvm_iface || die 'internal error'; + } + $next_route_state = $nfvm_iface; + } elsif ($target->{type} eq 'ct') { $chain = 'PVEFW-FORWARD'; @@ -431,6 +460,9 @@ sub simulate_firewall { } elsif ($from eq 'outside') { $from_info->{type} = 'outside'; $start_state = 'from-outside'; + } elsif ($from eq 'nfvm') { + $from_info->{type} = 'nfvm'; + $start_state = 'from-nfvm'; } elsif ($from =~ m/^ct(\d+)$/) { my $vmid = $1; $from_info = extract_ct_info($vmdata, $vmid); @@ -457,6 +489,9 @@ sub simulate_firewall { } elsif ($to eq 'outside') { $target->{type} = 'outside'; $target->{iface} = $outside_iface; + } elsif ($to eq 'nfvm') { + $target->{type} = 'nfvm'; + $target->{iface} = $nfvm_iface; } elsif ($to =~ m/^ct(\d+)$/) { my $vmid = $1; $target = extract_ct_info($vmdata, $vmid);
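Review bot: `simulate_firewall` now accepts `nfvm` as `$from` (`@@ -431,6 +460,9 @@`) and as `$to` (`@@ -457,6 +489,9 @@`), but nothing visible rejects the combination of both. With the values this commit adds, that packet would enter with `physdev_in` `tapXYZ` and leave with `physdev_out` `tapXYZ`, a hairpin that a Linux bridge does not forward by default, so a test written that way would assert against a path that cannot occur. Unless a guard already exists outside the hunks, add one beside the new branch, e.g. `die "from and to must differ\n" if $from eq 'nfvm' && $to eq 'nfvm';`. The function's body starts and ends outside both hunks.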