Since corosync rules are now only created when a corosync.conf file is
present, a static corosync.conf has been added and will be loaded for
testing.
New test rules have been introduced to check corosync rules relating to
different rings/links.
Hostnames are included in the config to trigger the name-resolving code paths.
Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
--- /dev/null
+logging {
+ debug: off
+ to_syslog: yes
+}
+
+nodelist {
+ node {
+ name: prox1
+ nodeid: 1
+ quorum_votes: 1
+ ring0_addr: 172.16.1.11
+ ring1_addr: 172.16.2.11
+ ring2_addr: hostname1
+ }
+ node {
+ name: prox2
+ nodeid: 1
+ quorum_votes: 1
+ ring0_addr: 172.16.1.12
+ ring1_addr: 172.16.2.12
+ ring2_addr: hostname2
+ }
+ node {
+ name: prox3
+ nodeid: 1
+ quorum_votes: 1
+ ring0_addr: 172.16.1.3
+ ring1_addr: 172.16.2.3
+ ring2_addr: hostname3
+ }
+ node {
+ name: proxself
+ nodeid: 1
+ quorum_votes: 1
+ ring0_addr: 172.16.1.2
+ ring1_addr: 172.16.2.2
+ ring2_addr: proxself
+ }
+}
+
+quorum {
+ provider: corosync_votequorum
+}
+
+totem {
+ cluster_name: cloud
+ config_version: 1
+ ip_version: ipv4
+ secauth: on
+ version: 2
+}
+
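Review bot: All four `node` entries in the new fixture carry `nodeid: 1` (prox1, prox2, prox3 and proxself), whereas corosync requires node IDs to be unique within a cluster. The firewall compile path may only read `name` and the `ringX_addr` fields, in which case this test is unaffected, but any code that keys nodes by `nodeid` would collapse the fixture to a single node, and the file is misleading as a sample config. Giving them distinct values, e.g. `nodeid: 2`, `nodeid: 3`, `nodeid: 4` for prox2, prox3 and proxself, keeps the fixture valid without changing the expected rules.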
use warnings;
use Data::Dumper;
use PVE::FirewallSimulator;
use warnings;
use Data::Dumper;
use PVE::FirewallSimulator;
+use PVE::INotify;
+use PVE::Corosync;
use Getopt::Long;
use File::Basename;
use Net::IP;
use Getopt::Long;
use File::Basename;
use Net::IP;
print_usage_and_exit();
}
print_usage_and_exit();
}
+# load dummy corosync config to have fw create according rules
+my $corosync_conf_fn = "corosync.conf";
+my $raw = PVE::Tools::file_get_contents($corosync_conf_fn);
+my $local_hostname = PVE::INotify::nodename();
+(my $raw_replaced = $raw) =~ s/proxself$/$local_hostname\n/gm;
+my $corosync_conf = PVE::Corosync::parse_conf($corosync_conf_fn, $raw_replaced);
+
PVE::FirewallSimulator::debug($debug);
my $testfilename = shift;
PVE::FirewallSimulator::debug($debug);
my $testfilename = shift;
PVE::Firewall::local_network('172.16.1.0/24');
my ($ruleset, $ipset_ruleset) =
PVE::Firewall::local_network('172.16.1.0/24');
my ($ruleset, $ipset_ruleset) =
- PVE::Firewall::compile(undef, undef, $vmdata, 1);
+ PVE::Firewall::compile(undef, undef, $vmdata, $corosync_conf);
my $filename = "$testdir/$testfile";
my $fh = IO::File->new($filename) ||
my $filename = "$testdir/$testfile";
my $fh = IO::File->new($filename) ||
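Review bot: In the substitution `s/proxself$/$local_hostname\n/gm` on the new corosync-loading block, `$` under `/m` matches before the newline without consuming it, so the explicit `\n` in the replacement leaves an extra blank line after each replaced `name`/`ring2_addr` entry; `s/proxself$/$local_hostname/gm` is sufficient. `PVE::Tools::file_get_contents` is also called there while only `PVE::INotify` and `PVE::Corosync` were added to the `use` list; the script presumably reaches `PVE::Tools` transitively (it already calls `PVE::Firewall::compile` the same way), but an explicit `use PVE::Tools;` beside the two new imports makes the dependency visible. Since `PVE::INotify::nodename()` substitutes the real host name into both the `name` and `ring2_addr` entries, the compiled ring2 rules depend on whether that name resolves on the machine running the test; a comment stating that expectation, e.g. `# ring2_addr of the local node is the real nodename, so it must resolve here`, would help whoever runs this in an isolated build environment.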
{ from => 'host', to => 'outside', dest => '172.16.1.3', proto => 'udp', dport => 5406, action => 'DROP' }
{ from => 'host', to => 'outside', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'UNICAST', action => 'DROP' }
{ from => 'host', to => 'outside', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'MULTICAST', action => 'ACCEPT' }
{ from => 'host', to => 'outside', dest => '172.16.1.3', proto => 'udp', dport => 5406, action => 'DROP' }
{ from => 'host', to => 'outside', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'UNICAST', action => 'DROP' }
{ from => 'host', to => 'outside', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'MULTICAST', action => 'ACCEPT' }
+{ from => 'host', to => 'outside', source => '172.16.2.2', dest => '172.16.2.3', proto => 'udp', dport => 5404, action => 'ACCEPT' }
+{ from => 'host', to => 'outside', dest => '172.16.2.3', proto => 'udp', dport => 5404, action => 'DROP' }
# traffic from other node
# traffic from other node
{ from => 'outside', to => 'host', source => '172.16.1.3', proto => 'udp', dport => 5406, action => 'DROP' }
{ from => 'outside', to => 'host', source => '172.16.1.3', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'UNICAST', action => 'DROP' }
{ from => 'outside', to => 'host', source => '172.16.1.3', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'MULTICAST', action => 'ACCEPT' }
{ from => 'outside', to => 'host', source => '172.16.1.3', proto => 'udp', dport => 5406, action => 'DROP' }
{ from => 'outside', to => 'host', source => '172.16.1.3', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'UNICAST', action => 'DROP' }
{ from => 'outside', to => 'host', source => '172.16.1.3', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'MULTICAST', action => 'ACCEPT' }
+{ from => 'outside', to => 'host', source => '172.16.2.11', dest => '172.16.2.2', proto => 'udp', dport => 5404, action => 'ACCEPT' }
+{ from => 'outside', to => 'host', source => '172.16.2.11', dest => '172.16.1.2', proto => 'udp', dport => 5404, action => 'DROP' }
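Review bot: The new expectations only exercise ring0 and ring1 addresses (172.16.1.x and 172.16.2.x); nothing in this hunk asserts what the firewall generates for the `ring2_addr` hostnames that the commit message says were added to trigger the resolving code paths, so a resolver regression would pass unnoticed. Unless such rules appear in the part of the file outside this hunk, a matching ACCEPT/DROP pair for the ring2 link would close that gap. A short comment above the added pairs, such as `# ring1 link: only the configured ring1 addresses may reach the corosync port`, would also explain why dest 172.16.2.2 is accepted while 172.16.1.2 is dropped for the same source.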
{ from => 'host', to => 'ct200', action => 'DROP' }
{ from => 'host', to => 'ct200', action => 'DROP' }