From e038c48552bcd841cd9f7caf94570991f0b9d30f Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Wed, 12 Aug 2015 11:59:18 +0200
Subject: [PATCH] adopt regresion tests for lxc containers

Removed OpenVZ venet code.
---
 src/PVE/FirewallSimulator.pm | 90 ++++++++---------------------------
 test/fwtester.pl | 6 +-
 test/test-group1/200.fw | 2 +-
 3 files changed, 24 insertions(+), 74 deletions(-)

diff --git a/src/PVE/FirewallSimulator.pm b/src/PVE/FirewallSimulator.pm
index 4042ace..73d3bd3 100644
--- a/src/PVE/FirewallSimulator.pm
+++ b/src/PVE/FirewallSimulator.pm
@@ -6,6 +6,8 @@ use Data::Dumper;
 use PVE::Firewall;
 use File::Basename;
 use Net::IP;
+use PVE::LXC;
+use PVE::QemuServer;
 my $mark;
 my $trace;
@@ -346,12 +348,7 @@ sub route_packet {
 $pkg->{iface_out} = $target->{bridge} || die 'internal error';
 $chain = 'PVEFW-OUTPUT';
 $next_route_state = $target->{iface} || die 'internal error';
- } elsif ($target->{type} eq 'ct') {
- $pkg->{iface_in} = 'lo';
- $pkg->{iface_out} = 'venet0';
- $chain = 'PVEFW-OUTPUT';
- $next_route_state = 'venet-in';
- } elsif ($target->{type} eq 'vm') {
+ } elsif ($target->{type} eq 'vm' || $target->{type} eq 'ct') {
 $pkg->{iface_in} = 'lo';
 $pkg->{iface_out} = $target->{bridge} || die 'internal error';
 $chain = 'PVEFW-OUTPUT';
@@ -360,40 +357,6 @@ sub route_packet {
 die "implement me";
 }
- } elsif ($route_state eq 'venet-out') {
-
- if ($target->{type} eq 'host') {
-
- $chain = 'PVEFW-INPUT';
- $pkg->{iface_in} = 'venet0';
- $pkg->{iface_out} = 'lo';
- $next_route_state = 'host';
-
- } elsif ($target->{type} eq 'bport') {
-
- $chain = 'PVEFW-FORWARD';
- $pkg->{iface_in} = 'venet0';
- $pkg->{iface_out} = $target->{bridge} || die 'internal error';
- $next_route_state = $target->{iface} || die 'internal error';
-
- } elsif ($target->{type} eq 'vm') {
-
- $chain = 'PVEFW-FORWARD';
- $pkg->{iface_in} = 'venet0';
- $pkg->{iface_out} = $target->{bridge} || die 'internal error';
- $next_route_state = 'fwbr-in';
-
- } elsif ($target->{type} eq 'ct') {
-
- $chain = 'PVEFW-FORWARD';
- $pkg->{iface_in} = 'venet0';
- $pkg->{iface_out} = 'venet0';
- $next_route_state = 'venet-in';
-
- } else {
- die "implement me";
- }
-
 } elsif ($route_state eq 'fwbr-out') {
 $chain = 'PVEFW-FORWARD';
@@ -436,14 +399,7 @@ sub route_packet {
 }
 $next_route_state = $target->{iface};
- } elsif ($target->{type} eq 'ct') {
-
- $chain = 'PVEFW-FORWARD';
- $pkg->{iface_in} = $route_state;
- $pkg->{iface_out} = 'venet0';
- $next_route_state = 'venet-in';
-
- } elsif ($target->{type} eq 'vm') {
+ } elsif ($target->{type} eq 'vm' || $target->{type} eq 'ct') {
 $chain = 'PVEFW-FORWARD';
 $pkg->{iface_in} = $route_state;
@@ -482,16 +438,20 @@ sub route_packet {
 }
 sub extract_ct_info {
- my ($vmdata, $vmid) = @_;
+ my ($vmdata, $vmid, $netnum) = @_;
 my $info = { type => 'ct', vmid => $vmid };
- my $conf = $vmdata->{openvz}->{$vmid} || die "no such CT '$vmid'";
- if ($conf->{ip_address}) {
- $info->{ip_address} = $conf->{ip_address}->{value};
- } else {
- die "implement me";
- }
+ my $conf = $vmdata->{lxc}->{$vmid} || die "no such CT '$vmid'";
+ my $net = PVE::LXC::parse_lxc_network($conf->{"net$netnum"});
+ $info->{macaddr} = $net->{hwaddr} || die "unable to get mac address";
+ $info->{bridge} = $net->{bridge} || die "unable to get bridge";
+ $info->{fwbr} = "fwbr${vmid}i$netnum";
+ $info->{tapdev} = "veth${vmid}i$netnum";
+ $info->{fwln} = "fwln${vmid}i$netnum";
+ $info->{fwpr} = "fwpr${vmid}p$netnum";
+ $info->{ip_address} = $net->{ip} || die "unable to get ip address";
+
 return $info;
 }
@@ -567,13 +527,9 @@ sub simulate_firewall {
 $start_state = 'from-bport';
 } elsif ($from =~ m/^ct(\d+)$/) {
 my $vmid = $1;
- $from_info = extract_ct_info($vmdata, $vmid);
- if ($from_info->{ip_address}) {
- $pkg->{source} = $from_info->{ip_address} if !defined($pkg->{source});
- $start_state = 'venet-out';
- } else {
- die "implement me";
- }
+ $from_info = extract_ct_info($vmdata, $vmid, 0);
+ $start_state = 'fwbr-out';
+ $pkg->{mac_source} = $from_info->{macaddr};
 } elsif ($from =~ m/^vm(\d+)(i(\d))?$/) {
 my $vmid = $1;
 my $netnum = $3 || 0;
@@ -604,14 +560,8 @@ sub simulate_firewall {
 $target->{iface} = 'tapXYZ';
 } elsif ($to =~ m/^ct(\d+)$/) {
 my $vmid = $1;
- $target = extract_ct_info($vmdata, $vmid);
- $target->{iface} = 'venet-in';
-
- if ($target->{ip_address}) {
- $pkg->{dest} = $target->{ip_address};
- } else {
- die "implement me";
- }
+ $target = extract_ct_info($vmdata, $vmid, 0);
+ $target->{iface} = $target->{tapdev};
 } elsif ($to =~ m/^vm(\d+)$/) {
 my $vmid = $1;
 $target = extract_vm_info($vmdata, $vmid, 0);
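Review bot: In the new extract_ct_info body, `$conf->{"net$netnum"}` is handed to `PVE::LXC::parse_lxc_network` without checking that the interface exists, so a container with no `net$netnum` entry fails somewhere inside the parser (or yields an empty hash that trips the later `unable to get mac address`) instead of with the explicit message the neighbouring `|| die` checks give; I would add `my $netstr = $conf->{"net$netnum"} || die "CT '$vmid' has no net$netnum";` before the parse call and pass `$netstr`. The value now stored in `$info->{ip_address}` also carries a prefix length (the fixture in fwtester.pl uses `ip=10.0.200.1/24`), where the replaced code stored a bare address, so any consumer that compares it against a packet address needs the `/24` stripped — those consumers are outside this hunk, so it may already be handled. Because `$net->{ip}` is free text here, a non-address keyword would pass the `|| die` as well; `Net::IP->new($net->{ip}) || die "invalid ip '$net->{ip}'"` would pin that down, and Net::IP is already imported.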
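Review bot: The `ct` match guarding the new branch is still `m/^ct(\d+)$/`, so `extract_ct_info($vmdata, $vmid, 0)` always picks `net0` even though the function just grew a `$netnum` parameter and the `vm` branch three lines below accepts `vm<id>i<n>`; I would make the two consistent with `} elsif ($from =~ m/^ct(\d+)(i(\d))?$/) {` and `$from_info = extract_ct_info($vmdata, $vmid, $3 || 0);`. The replaced lines also defaulted `$pkg->{source}` to the container address when the test case gave none; the new branch sets only `mac_source`, so a test that relied on that default now simulates a packet with no source address — if that is intended to match the vm path, a sentence in the commit message would help. simulate_firewall starts and ends outside this hunk.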
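Review bot: The replaced lines wrote the container address into `$pkg->{dest}`; the new `to ct<id>` branch does not, so such packets only get a destination when the test case passes one explicitly. If the intent is to mirror the `vm` branch below (its body is outside the hunk) that is fine; otherwise `$pkg->{dest} //= $target->{ip_address}` would restore it, but `ip_address` now comes from the `ip=` option with its prefix length, so the `/24` would have to be dropped first. The pattern `m/^ct(\d+)$/` here also hard-codes interface 0; `ct(\d+)(i(\d))?` would let tests address other interfaces the way the `from` side's vm pattern already does. simulate_firewall starts and ends outside this hunk.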
diff --git a/test/fwtester.pl b/test/fwtester.pl
index 8b66b3c..2700ef3 100755
--- a/test/fwtester.pl
+++ b/test/fwtester.pl
@@ -118,12 +118,12 @@ my $vmdata = {
 net0 => "e1000=0E:0B:38:B8:B4:21,bridge=vmbr1,firewall=1",
 },
 },
- openvz => {
+ lxc => {
 200 => {
- ip_address => { value => '10.0.200.1' },
+ net0 => "name=eth0,hwaddr=0E:18:24:41:2C:43,bridge=vmbr0,firewall=1,ip=10.0.200.1/24",
 },
 201 => {
- ip_address => { value => '10.0.200.2' },
+ net0 => "name=eth0,hwaddr=0E:18:24:41:2C:44,bridge=vmbr0,firewall=1,ip=10.0.200.2/24",
 },
 },
 };
diff --git a/test/test-group1/200.fw b/test/test-group1/200.fw
index 0353856..77b308b 100644
--- a/test/test-group1/200.fw
+++ b/test/test-group1/200.fw
@@ -8,4 +8,4 @@ IN ACCEPT -source 192.168.2.1 -p tcp -dport 22
 IN ACCEPT -source 192.168.2.1 -p tcp -dport 80
 IN ACCEPT -source 127.0.0.1 -p tcp -dport 80
-GROUP group3 -i venet
\ No newline at end of file
+GROUP group3 -i net0
\ No newline at end of file
-- 
2.39.2