From 31dc73f1fd74613a6f06b86665c7fec6b1286cdd Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Wed, 14 May 2014 11:38:49 +0200
Subject: [PATCH] fwtester: implement new 'outside' zone
To simulate traffic from/to outside world (vmbr0/eth0)
---
 test/fwtester.pl | 58 +++++++++++++++++++++++++++++++++-------
 test/test-basic1/100.fw | 1 +
 test/test-basic1/200.fw | 1 +
 test/test-basic1/host.fw | 1 +
 test/test-basic1/tests | 14 ++++++++++
 5 files changed, 65 insertions(+), 10 deletions(-)
diff --git a/test/fwtester.pl b/test/fwtester.pl
index 832d35e..0399bbe 100755
--- a/test/fwtester.pl
+++ b/test/fwtester.pl
@@ -9,6 +9,9 @@ use PVE::Firewall;
 my $mark;
 my $trace;
+my $outside_iface = 'eth0';
+my $outside_bridge = 'vmbr0';
+
 my $debug = 0;
 sub add_trace {
@@ -192,9 +195,17 @@ sub route_packet {
 $pkg->{iface_in} = $pkg->{iface_out} = undef;
 $pkg->{physdev_in} = $pkg->{physdev_out} = undef;
- if ($route_state eq 'host') {
+ if ($route_state eq 'from-outside') {
+ $next_route_state = $outside_bridge || die 'internal error';
+ $next_physdev_in = $outside_iface || die 'internal error';
+ } elsif ($route_state eq 'host') {
- if ($target->{type} eq 'ct') {
+ if ($target->{type} eq 'outside') {
+ $pkg->{iface_in} = 'lo';
+ $pkg->{iface_out} = $outside_bridge;
+ $chain = 'PVEFW-OUTPUT';
+ $next_route_state = $outside_iface
+ } elsif ($target->{type} eq 'ct') {
 $pkg->{iface_in} = 'lo';
 $pkg->{iface_out} = 'venet0';
 $chain = 'PVEFW-OUTPUT';
@@ -217,6 +228,13 @@ sub route_packet {
 $pkg->{iface_out} = 'lo';
 $next_route_state = 'host';
+ } elsif ($target->{type} eq 'outside') {
+
+ $chain = 'PVEFW-FORWARD';
+ $pkg->{iface_in} = 'venet0';
+ $pkg->{iface_out} = $outside_bridge;
+ $next_route_state = $outside_iface;
+
 } elsif ($target->{type} eq 'vm') {
 $chain = 'PVEFW-FORWARD';
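Review bot: The added `$next_route_state = $outside_iface` in the host-to-outside branch has no trailing semicolon; Perl accepts it only because it is the last statement before `}`, every sibling assignment in route_packet ends with one, and any statement appended after it later turns the omission into a syntax error, so write `$next_route_state = $outside_iface;`. The `|| die 'internal error'` guards on $outside_bridge and $outside_iface in the new from-outside branch test non-empty string literals declared at file scope in the first hunk, so they can never fire; they mirror the existing `$target->{fwpr} || die` pattern but add no real check, and a short comment saying the two names are fixed test-topology constants would be more useful. route_packet begins before and continues after this hunk.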
@@ -265,6 +283,24 @@ sub route_packet {
 $pkg->{iface_out} = 'lo';
 $next_route_state = 'host';
+ if ($route_state eq $outside_bridge) {
+
+ } else {
+
+ }
+
+ } elsif ($target->{type} eq 'outside') {
+
+ $chain = 'PVEFW-FORWARD';
+ $pkg->{iface_in} = $route_state;
+ $pkg->{iface_out} = $outside_bridge;
+ $pkg->{physdev_in} = $physdev_in;
+ # conditionally set physdev_out (same behavior as kernel)
+ if ($route_state eq $outside_bridge) {
+ $pkg->{physdev_out} = $outside_iface || die 'internal error';
+ }
+ $next_route_state = $outside_iface;
+
 } elsif ($target->{type} eq 'ct') {
 $chain = 'PVEFW-FORWARD';
@@ -275,16 +311,12 @@ sub route_packet {
 } elsif ($target->{type} eq 'vm') {
 $chain = 'PVEFW-FORWARD';
+ $pkg->{iface_in} = $route_state;
+ $pkg->{iface_out} = $target->{bridge};
+ $pkg->{physdev_in} = $physdev_in;
+ # conditionally set physdev_out (same behavior as kernel)
 if ($route_state eq $target->{bridge}) {
- $pkg->{iface_in} = $route_state;
- $pkg->{iface_out} = $route_state;
- $pkg->{physdev_in} = $physdev_in;
 $pkg->{physdev_out} = $target->{fwpr} || die 'internal error';
- } else {
- $pkg->{iface_in} = $route_state;
- $pkg->{iface_out} = $route_state;
- $pkg->{physdev_in} = $physdev_in;
- # do not set physdev_out (same behavior as kernel)
 }
 $next_route_state = 'fwbr-in';
@@ -372,6 +404,9 @@ sub simulate_firewall {
 if ($from eq 'host') {
 $from_info->{type} = 'host';
 $start_state = 'host';
+ } elsif ($from eq 'outside') {
+ $from_info->{type} = 'outside';
+ $start_state = 'from-outside';
 } elsif ($from =~ m/^ct(\d+)$/) {
 my $vmid = $1;
 $from_info = extract_ct_info($vmdata, $vmid);
@@ -395,6 +430,9 @@ sub simulate_firewall {
 if ($to eq 'host') {
 $target->{type} = 'host';
 $target->{iface} = 'host';
+ } elsif ($to eq 'outside') {
+ $target->{type} = 'outside';
+ $target->{iface} = $outside_iface;
 } elsif ($to =~ m/^ct(\d+)$/) {
 my $vmid = $1;
 $target = extract_ct_info($vmdata, $vmid);
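Review bot: The `if ($route_state eq $outside_bridge) { } else { }` added at the top of this hunk, inside the branch that delivers to the host (`iface_out = 'lo'`, `next_route_state = 'host'`), has two empty bodies and therefore does nothing; left in, it reads as an unfinished decision about what physdev_in the host-input path should see for a packet that arrived from outside, so either delete the empty conditional or fill it in with a comment stating what it decides. The vm-to-outside branch below it is consistent with the vm-to-vm branch in the next hunk: physdev_out is set only when the packet stays on the outside bridge. The host-target branch starts above this hunk, so I cannot see whether it already records `$physdev_in` on the packet.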
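Review bot: The comment `# conditionally set physdev_out (same behavior as kernel)` now guards this logic in two branches but still does not say what the kernel behaviour is; since this simulator is what the rule tests are checked against, spell it out, e.g. `# physdev_out is only known when the packet is bridged (source and target on the same bridge); for routed traffic the kernel leaves it unset, so --physdev-out rules never match there` (the removed else-branch's own comment supports the routed half of that). Replacing `$pkg->{iface_out} = $route_state` with `$target->{bridge}` also changes what the routed, different-bridge case reports; if the basic1 VMs all share one bridge, which I cannot see from this patch, none of the existing or new vm-to-vm cases pins that new value and a cross-bridge case should be added.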
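Review bot: A source of 'outside' is given only a type and a start state, so unlike the ct/vm sources built by extract_ct_info it carries no address or interface, which means a rule with a source address or ipset constraint cannot be exercised from this zone as far as I can see (every new case in test-basic1/tests uses rules with an empty source column). If simulate_firewall reads a source address from $from_info further down, which is outside this hunk, a documented placeholder is needed; at minimum record `$from_info->{iface} = $outside_iface;` to match the to-side entry in the next hunk, and add a comment that outside traffic has no fixed source address in this simulator.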
diff --git a/test/test-basic1/100.fw b/test/test-basic1/100.fw
index b68a777..efd738a 100644
--- a/test/test-basic1/100.fw
+++ b/test/test-basic1/100.fw
@@ -5,3 +5,4 @@ enable: 1
 [RULES]
 IN ACCEPT - - - tcp 443
+OUT REJECT - - - tcp 81
diff --git a/test/test-basic1/200.fw b/test/test-basic1/200.fw
index b15ae56..46189b2 100644
--- a/test/test-basic1/200.fw
+++ b/test/test-basic1/200.fw
@@ -5,3 +5,4 @@ enable: 1
 [RULES]
 IN ACCEPT - - - tcp 22
+OUT REJECT - - - tcp 81
diff --git a/test/test-basic1/host.fw b/test/test-basic1/host.fw
index 43c4399..269c116 100644
--- a/test/test-basic1/host.fw
+++ b/test/test-basic1/host.fw
@@ -4,5 +4,6 @@ enable: 1
 [RULES]
+OUT REJECT - - - tcp 81
 #IN ACCEPT tesitif - - tcp 22
 IN ACCEPT - - - tcp 22
diff --git a/test/test-basic1/tests b/test/test-basic1/tests
index 5066fe5..232037b 100644
--- a/test/test-basic1/tests
+++ b/test/test-basic1/tests
@@ -23,4 +23,18 @@
 { from => 'vm110', to => 'vm100', dport => 22, action => 'DROP' }
 { from => 'vm110', to => 'vm100', dport => 443, action => 'ACCEPT' }
+{ from => 'outside', to => 'ct200', dport => 22, action => 'ACCEPT' }
+{ from => 'outside', to => 'ct200', dport => 23, action => 'DROP' }
+{ from => 'outside', to => 'vm100', dport => 22, action => 'DROP' }
+{ from => 'outside', to => 'vm100', dport => 443, action => 'ACCEPT' }
+{ from => 'outside', to => 'host', dport => 22, action => 'ACCEPT' }
+{ from => 'outside', to => 'host', dport => 23, action => 'DROP' }
+
+{ from => 'host' , to => 'outside', dport => 80, action => 'ACCEPT' }
+{ from => 'host' , to => 'outside', dport => 81, action => 'REJECT' }
+{ from => 'vm100' , to => 'outside', dport => 80, action => 'ACCEPT' }
+{ from => 'vm100' , to => 'outside', dport => 81, action => 'REJECT' }
+{ from => 'ct200' , to => 'outside', dport => 80, action => 'ACCEPT' }
+{ from => 'ct200' , to => 'outside', dport => 81, action => 'REJECT' }
+
-- 
2.39.2
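Review bot: All fourteen new cases in the tests hunk match on destination port only, so they check the outside zone's default-deny and port rules but never the interface plumbing the new from-outside/to-outside states exist to provide (physdev_in eth0, iface vmbr0 on input; iface_out vmbr0 on output). The commented `#IN ACCEPT tesitif - - tcp 22` line in host.fw suggests the third rule column is an interface name, which I infer from the fixture rather than from code in this patch; if so, one host rule such as `IN ACCEPT vmbr0 - - tcp 22` paired with `{ from => 'outside', to => 'host', dport => 22, action => 'ACCEPT' }` and the matching DROP from a vm source would pin that path. Also consider one case where the expected outside-to-host answer differs only because of the interface, since the present 22/23 pair passes on port alone.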