From c0c871d8584339d0f13a8749c2900b8539e9f282 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Wed, 14 May 2014 17:31:11 +0200
Subject: [PATCH] fwtester: add new zone 'nfwm' to simulate a non-firewalled VM
---
 test/README | 2 ++
 test/fwtester.pl | 35 +++++++++++++++++++++++++++++++++++
 test/test-basic1/tests | 13 +++++++++++++
 3 files changed, 50 insertions(+)
diff --git a/test/README b/test/README
index 71801d4..e8d0468 100644
--- a/test/README
+++ b/test/README
@@ -38,6 +38,8 @@ The following definition exist currently:
 * ct: An openvz container
+* nfvm: Non firewalled VM (vmbr port tapXYZ)
+
 ==Test examples==
 { from => 'outside', to => 'ct200', dport => 22, action => 'ACCEPT' }
diff --git a/test/fwtester.pl b/test/fwtester.pl
index 6a9c408..af25014 100755
--- a/test/fwtester.pl
+++ b/test/fwtester.pl
@@ -14,6 +14,9 @@ my $trace;
 my $outside_iface = 'eth0';
 my $outside_bridge = 'vmbr0';
+my $nfvm_iface = 'tapXYZ';
+my $nfvm_bridge = 'vmbr0';
+
 my $debug = 0;
 sub print_usage_and_exit {
@@ -224,6 +227,9 @@ sub route_packet {
 if ($route_state eq 'from-outside') {
 $next_route_state = $outside_bridge || die 'internal error';
 $next_physdev_in = $outside_iface || die 'internal error';
+ } elsif ($route_state eq 'from-nfvm') {
+ $next_route_state = $nfvm_bridge || die 'internal error';
+ $next_physdev_in = $nfvm_iface || die 'internal error';
 } elsif ($route_state eq 'host') {
 if ($target->{type} eq 'outside') {
@@ -231,6 +237,11 @@ sub route_packet {
 $pkg->{iface_out} = $outside_bridge;
 $chain = 'PVEFW-OUTPUT';
 $next_route_state = $outside_iface
+ } elsif ($target->{type} eq 'nfvm') {
+ $pkg->{iface_in} = 'lo';
+ $pkg->{iface_out} = $nfvm_bridge;
+ $chain = 'PVEFW-OUTPUT';
+ $next_route_state = $nfvm_iface
 } elsif ($target->{type} eq 'ct') {
 $pkg->{iface_in} = 'lo';
 $pkg->{iface_out} = 'venet0';
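Review bot: The new `$nfvm_iface`/`$nfvm_bridge` lexicals in the first fwtester.pl hunk carry no comment saying what they model, and `$nfvm_bridge` is initialised to the same `'vmbr0'` as `$outside_bridge`, so the two zones share one bridge; that is presumably deliberate (the README hunk describes the zone as a vmbr port), but a reader of fwtester.pl alone cannot tell. I would put above the declarations: `# 'nfvm': a VM plugged straight into the bridge with no firewall bridge in between, modelled as port tapXYZ on vmbr0 (shared with the outside uplink)`, hedged as an inference from the README line. The commit subject also calls the zone 'nfwm' while the code, README and tests use 'nfvm'.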
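Review bot: `$next_route_state = $nfvm_iface` at the end of the new host-to-nfvm branch in the @@ -231 hunk has no trailing semicolon, copying the same omission on the `$outside_iface` line just above it; Perl accepts that before `}`, but the next statement anyone appends to the block turns it into a syntax error. Suggest `$next_route_state = $nfvm_iface;`. The enclosing if/elsif chain and route_packet itself begin and end outside the hunk.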
@@ -261,6 +272,13 @@ sub route_packet {
 $pkg->{iface_out} = $outside_bridge;
 $next_route_state = $outside_iface;
+ } elsif ($target->{type} eq 'nfvm') {
+
+ $chain = 'PVEFW-FORWARD';
+ $pkg->{iface_in} = 'venet0';
+ $pkg->{iface_out} = $nfvm_bridge;
+ $next_route_state = $nfvm_iface;
+
 } elsif ($target->{type} eq 'vm') {
 $chain = 'PVEFW-FORWARD';
@@ -321,6 +339,17 @@ sub route_packet {
 }
 $next_route_state = $outside_iface;
+ } elsif ($target->{type} eq 'nfvm') {
+
+ $chain = 'PVEFW-FORWARD';
+ $pkg->{iface_in} = $route_state;
+ $pkg->{iface_out} = $nfvm_bridge;
+ # conditionally set physdev_out (same behavior as kernel)
+ if ($route_state eq $nfvm_bridge) {
+ $pkg->{physdev_out} = $nfvm_iface || die 'internal error';
+ }
+ $next_route_state = $nfvm_iface;
+
 } elsif ($target->{type} eq 'ct') {
 $chain = 'PVEFW-FORWARD';
@@ -431,6 +460,9 @@ sub simulate_firewall {
 } elsif ($from eq 'outside') {
 $from_info->{type} = 'outside';
 $start_state = 'from-outside';
+ } elsif ($from eq 'nfvm') {
+ $from_info->{type} = 'nfvm';
+ $start_state = 'from-nfvm';
 } elsif ($from =~ m/^ct(\d+)$/) {
 my $vmid = $1;
 $from_info = extract_ct_info($vmdata, $vmid);
@@ -457,6 +489,9 @@ sub simulate_firewall {
 } elsif ($to eq 'outside') {
 $target->{type} = 'outside';
 $target->{iface} = $outside_iface;
+ } elsif ($to eq 'nfvm') {
+ $target->{type} = 'nfvm';
+ $target->{iface} = $nfvm_iface;
 } elsif ($to =~ m/^ct(\d+)$/) {
 my $vmid = $1;
 $target = extract_ct_info($vmdata, $vmid);
diff --git a/test/test-basic1/tests b/test/test-basic1/tests
index 477853b..2b762de 100644
--- a/test/test-basic1/tests
+++ b/test/test-basic1/tests
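Review bot: `$pkg->{physdev_out} = $nfvm_iface || die 'internal error';` in the @@ -321 hunk can never reach the `die`: `$nfvm_iface` is a file-scope lexical initialised to the literal `'tapXYZ'` in the first fwtester.pl hunk, so the guard is dead code carried over from the `outside` branch, and `$pkg->{physdev_out} = $nfvm_iface;` says the same thing (the two `|| die` lines in the `from-nfvm` branch of the @@ -224 hunk are the same case). Since `$nfvm_bridge` and `$outside_bridge` are both `'vmbr0'`, the `$route_state eq $nfvm_bridge` test also fires for packets that entered the bridge from `$outside_iface`; if I read the "same behavior as kernel" comment right that is intended, but a line such as `# nfvm shares vmbr0 with the outside uplink, so bridged outside->nfvm traffic gets physdev_out too` would save the next reader the trace. route_packet's if/elsif chain starts and ends outside the hunk.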
@@ -38,3 +38,16 @@
 { from => 'outside', to => 'host', dport => 100, action => 'REJECT' }
 { from => 'outside', to => 'host', dport => 101, action => 'DROP' }
+{ from => 'nfvm', to => 'host', dport => 22, action => 'ACCEPT' }
+{ from => 'nfvm', to => 'host', dport => 80, action => 'DROP' }
+{ from => 'nfvm', to => 'outside', dport => 22, action => 'ACCEPT' }
+{ from => 'nfvm', to => 'outside', dport => 80, action => 'ACCEPT' }
+{ from => 'nfvm', to => 'vm100', dport => 443, action => 'ACCEPT', id => 'nfw2vm'}
+{ from => 'nfvm', to => 'vm100', dport => 80, action => 'DROP' }
+{ from => 'nfvm', to => 'ct200', dport => 22, action => 'ACCEPT' }
+{ from => 'nfvm', to => 'ct200', dport => 80, action => 'DROP' }
+
+{ from => 'ct200', to => 'nfvm', dport => 80, action => 'ACCEPT' }
+{ from => 'vm100', to => 'nfvm', dport => 80, action => 'ACCEPT' }
+{ from => 'outside', to => 'nfvm', dport => 80, action => 'ACCEPT' }
+{ from => 'host', to => 'nfvm', dport => 80, action => 'ACCEPT' }
--
2.39.2
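Review bot: `id => 'nfw2vm'}` on the nfvm-to-vm100 dport 443 line is the only new entry carrying an id, its 'nfw' spelling does not match the zone name 'nfvm' used everywhere else in the commit, and it drops the space before `}` that every other entry has. If nothing else references that id (I cannot see where ids are consumed), `{ from => 'nfvm', to => 'vm100', dport => 443, action => 'ACCEPT', id => 'nfvm2vm' }` keeps the naming and layout consistent.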