From 6f6a6b3f8259c06fe9f7f14490caa5275996b5c6 Mon Sep 17 00:00:00 2001
From: Stefan Reiter
Date: Mon, 1 Jul 2019 17:22:16 +0200
Subject: [PATCH] Update and add tests for corosync firewall changes

Since corosync rules are now only created when a corosync.conf file is present, a static corosync.conf has been added and will be loaded for testing. New test rules have been introduced to check corosync rules relating to different rings/links. Includes hostnames in config to trigger resolving codepaths.

Signed-off-by: Stefan Reiter
---
test/corosync.conf | 52 ++++++++++++++++++++++++++++++++++
test/fwtester.pl | 11 ++++++-
test/test-default-rules1/tests | 4 +++
3 files changed, 66 insertions(+), 1 deletion(-)
create mode 100644 test/corosync.conf

diff --git a/test/corosync.conf b/test/corosync.conf
new file mode 100644
index 0000000..75385ec
--- /dev/null
+++ b/test/corosync.conf
@@ -0,0 +1,52 @@
+logging {
+ debug: off
+ to_syslog: yes
+}
+
+nodelist {
+ node {
+ name: prox1
+ nodeid: 1
+ quorum_votes: 1
+ ring0_addr: 172.16.1.11
+ ring1_addr: 172.16.2.11
+ ring2_addr: hostname1
+ }
+ node {
+ name: prox2
+ nodeid: 1
+ quorum_votes: 1
+ ring0_addr: 172.16.1.12
+ ring1_addr: 172.16.2.12
+ ring2_addr: hostname2
+ }
+ node {
+ name: prox3
+ nodeid: 1
+ quorum_votes: 1
+ ring0_addr: 172.16.1.3
+ ring1_addr: 172.16.2.3
+ ring2_addr: hostname3
+ }
+ node {
+ name: proxself
+ nodeid: 1
+ quorum_votes: 1
+ ring0_addr: 172.16.1.2
+ ring1_addr: 172.16.2.2
+ ring2_addr: proxself
+ }
+}
+
+quorum {
+ provider: corosync_votequorum
+}
+
+totem {
+ cluster_name: cloud
+ config_version: 1
+ ip_version: ipv4
+ secauth: on
+ version: 2
+}
+
diff --git a/test/fwtester.pl b/test/fwtester.pl
index 2700ef3..e9ed6d1 100755
--- a/test/fwtester.pl
+++ b/test/fwtester.pl
@@ -5,6 +5,8 @@ use strict;
 use warnings;
 use Data::Dumper;
 use PVE::FirewallSimulator;
+use PVE::INotify;
+use PVE::Corosync;
 use Getopt::Long;
 use File::Basename;
 use Net::IP;
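Review bot: All four `node` entries in the new fixture carry `nodeid: 1`, although corosync requires node ids to be unique; if PVE::Corosync::parse_conf or the rule generator ever keys nodes by id, three of the four nodes would silently collapse into one and the ring1 expectations would fail for a reason unrelated to the firewall code. Number them `nodeid: 1` through `nodeid: 4` so the fixture is a valid cluster config. The `ring2_addr` values hostname1, hostname2 and hostname3 are resolved on whatever host runs the tests, so whether rules appear for that ring depends on the local resolver rather than on the fixture. A short comment in the file stating that these names are expected not to resolve would make that intent explicit, assuming the parser tolerates `#` comment lines.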
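Review bot: The code added in the next hunk calls `PVE::Tools::file_get_contents`, but this hunk only brings in `use PVE::INotify;` and `use PVE::Corosync;`. PVE::Tools is presumably loaded transitively through PVE::Firewall or PVE::Corosync, yet the script should declare what it calls directly: add `use PVE::Tools;` alongside the two new imports.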
@@ -19,6 +21,13 @@ if (!GetOptions ('debug' => \$debug)) {
 print_usage_and_exit();
 }
+# load dummy corosync config to have fw create according rules
+my $corosync_conf_fn = "corosync.conf";
+my $raw = PVE::Tools::file_get_contents($corosync_conf_fn);
+my $local_hostname = PVE::INotify::nodename();
+(my $raw_replaced = $raw) =~ s/proxself$/$local_hostname\n/gm;
+my $corosync_conf = PVE::Corosync::parse_conf($corosync_conf_fn, $raw_replaced);
+
 PVE::FirewallSimulator::debug($debug);
 my $testfilename = shift;
@@ -37,7 +46,7 @@ sub run_tests {
 PVE::Firewall::local_network('172.16.1.0/24');
 my ($ruleset, $ipset_ruleset) =
- PVE::Firewall::compile(undef, undef, $vmdata, 1);
+ PVE::Firewall::compile(undef, undef, $vmdata, $corosync_conf);
 my $filename = "$testdir/$testfile";
 my $fh = IO::File->new($filename) ||
diff --git a/test/test-default-rules1/tests b/test/test-default-rules1/tests
index 4aaf7c4..409fd7c 100644
--- a/test/test-default-rules1/tests
+++ b/test/test-default-rules1/tests
@@ -14,6 +14,8 @@
 { from => 'host', to => 'outside', dest => '172.16.1.3', proto => 'udp', dport => 5406, action => 'DROP' }
 { from => 'host', to => 'outside', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'UNICAST', action => 'DROP' }
 { from => 'host', to => 'outside', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'MULTICAST', action => 'ACCEPT' }
+{ from => 'host', to => 'outside', source => '172.16.2.2', dest => '172.16.2.3', proto => 'udp', dport => 5404, action => 'ACCEPT' }
+{ from => 'host', to => 'outside', dest => '172.16.2.3', proto => 'udp', dport => 5404, action => 'DROP' }
 # traffic from other node
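Review bot: `my $corosync_conf_fn = "corosync.conf";` is resolved against the current working directory, so running the tester from anywhere other than test/ dies inside `file_get_contents` before a single test runs; File::Basename is already imported, so `my $corosync_conf_fn = dirname($0) . "/corosync.conf";` pins the fixture to the script's own location. In `s/proxself$/$local_hostname\n/gm` the `$` is zero-width, so the original line terminator survives and every replaced line is followed by an extra blank line; `s/proxself$/$local_hostname/gm` is what was meant, and it still rewrites both the `name: proxself` and the `ring2_addr: proxself` lines, which looks intended. Note that `$local_hostname` comes from `PVE::INotify::nodename()` on the machine running the tests, so the generated ruleset, and the name resolution it triggers, varies with the test host rather than being fixed by the checked-in fixture.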
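Review bot: The new expectations, here and in the `@@ -30,6 +32,8 @@` hunk, only cover ring1 addresses (172.16.2.x) on port 5404, while the existing ring0 cases right above them also pin the DROP on port 5406; the ring1 rules get no such bounding check. Mirroring the existing pattern with `{ from => 'host', to => 'outside', source => '172.16.2.2', dest => '172.16.2.3', proto => 'udp', dport => 5406, action => 'DROP' }` would show that the ring1 accept is limited to the corosync ports as ring0's is. The hostname-based ring2 that the commit message introduces to trigger the resolving codepaths has no expectation at all, so a regression in that path would go unnoticed; a case pinning the expected verdict for a ring2 name that does not resolve would close that gap, though what that verdict should be cannot be determined from this diff.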
@@ -30,6 +32,8 @@
 { from => 'outside', to => 'host', source => '172.16.1.3', proto => 'udp', dport => 5406, action => 'DROP' }
 { from => 'outside', to => 'host', source => '172.16.1.3', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'UNICAST', action => 'DROP' }
 { from => 'outside', to => 'host', source => '172.16.1.3', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'MULTICAST', action => 'ACCEPT' }
+{ from => 'outside', to => 'host', source => '172.16.2.11', dest => '172.16.2.2', proto => 'udp', dport => 5404, action => 'ACCEPT' }
+{ from => 'outside', to => 'host', source => '172.16.2.11', dest => '172.16.1.2', proto => 'udp', dport => 5404, action => 'DROP' }
 { from => 'host', to => 'ct200', action => 'DROP' }
-- 
2.39.2