[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] [TCK] nwfilter: apply filters and check firewall rules



On Thu, Jun 17, 2010 at 10:50:53AM -0400, Stefan Berger wrote:
> Hi!
> 
> This is a patch I previously posted for use in the tests/ directory of 
> libvirt. Now I ported it to the TCK project and extended the script with 
> output in the Test Anything Protocol (TAP) format. It now allows 
> multiple output formats chosen via command line parameter supporting TAP 
> (--tap-test), the output format used in the libvirt tests directory (the 
> '.' and '!') (--libvirt-test) and one where all tests are displayed 
> (--verbose).
> 
> The program basically creates a filter called testcase and two VMs where 
> one of them references the testcase filter and the other a filter called 
> nwfiltertestfilter. The testcase filter is then subsequently modified 
> and the effect on iptables,ebtables and ip6tables verified against 
> expected output for both VMs. The VMs are torn down at the end and the 
> test filters removed.

Thanks for updating this. I've not been able to test it yet because
my infrastructure is in a mess!

> Index: libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
> ===================================================================
> --- /dev/null
> +++ libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
> @@ -0,0 +1,581 @@
> +#!/bin/bash
> +
> +ORIG_IFNAME="vnet0"
> +ATTACH_IFNAME="attach0"
> +TESTFILTERNAME="nwfiltertestfilter"
> +TESTVM2FWALLDATA="nwfilterxml2fwallout/testvm.fwall.dat"
> +
> +LIBVIRTD=`type -P ${PWD}/../daemon/libvirtd`
> +if [ "x${LIBVIRTD}x" == "xx" ]; then
> +    LIBVIRTD=`type -P libvirtd`
> +fi
> +
> +VIRSH=`type -P ${PWD}/../tools/virsh`
> +if [ "x${VIRSH}x" == "xx" ]; then
> +    VIRSH=`type -P virsh`
> +fi

Since you're not using the Perl framework in this test there's a
couple of things you need to handle manually. The environment
variable $LIBVIRT_TCK_CONFIG  points to the TCK configuration
file. In this file there is a 'uri' parameter that needs to be
used whenever connecting to libvirt. eg  virsh -c $URI

For sake of this test, you can just extract the URI from the
config and do

  if test "$URI" !=  "qemu:///system" ; then
     echo  "1..0 skip  Only valid for QEMU system driver"
     exit 0
  fi

> +
> +    cat >>${tmpfile} <<EOF
> +<interface type='bridge'>
> + <source bridge='${b}'/>
> + <mac address='52:54:00:11:22:33'/>
> + <target dev='${ATTACH_IFNAME}'/>
> + <filterref filter='testcase'/>
> +</interface>
> +EOF

For any filters created, it is best to start them with the name prefix 'tck'

Then as the first thing the test does, it should look to see if  any
filters already exist eg, 

  for name in `virsh nwfilter-list | awk {print $2}`
  do
     case $name in
         tck*)
           if "x$LIBVIRT_TCK_AUTOCLEAN" == "x1"
               virsh nwfilter-undefine $name
            else
               echo "Filter $name already exists, use --force to clean"
          fi
     easc
  done


Likewise for the actual guest domains.

I'll write more feedback when I've had a chance to actually run it

Regards,
Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]