[libvirt] [TCK] nwfilter: add tests for reject, drop and accept targets

Stefan Berger stefanb at linux.vnet.ibm.com
Wed Mar 30 18:29:40 UTC 2011


This patch adds test cases for the reject, drop and accept targets.

Signed-off-by: Stefan Berger <stefanb at linux.vnet.ibm.com>

---
 scripts/nwfilter/nwfilterxml2fwallout/target-test.fwall |   61
++++++++++++++
 scripts/nwfilter/nwfilterxml2xmlin/target-test.xml      |   66
++++++++++++++++
 scripts/nwfilter/nwfilterxml2xmlin/target-test2.xml     |   18 ++++
 3 files changed, 145 insertions(+)

Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/target-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/target-test.xml
@@ -0,0 +1,66 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+     <all  srcmacaddr='1:2:3:4:5:6'
+           dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+           dscp='2' comment='accept rule -- dir out'/>
+  </rule>
+  <rule action='drop' direction='out'>
+     <all  srcmacaddr='1:2:3:4:5:6'
+           dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+           dscp='2' comment='drop rule   -- dir out'/>
+  </rule>
+  <rule action='reject' direction='out'>
+     <all  srcmacaddr='1:2:3:4:5:6'
+           dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+           dscp='2' comment='reject rule -- dir out'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <all  srcmacaddr='1:2:3:4:5:6'
+           srcipaddr='10.1.2.3' srcipmask='22'
+           dscp='33' comment='accept rule -- dir in'/>
+  </rule>
+  <rule action='drop' direction='in'>
+     <all  srcmacaddr='1:2:3:4:5:6'
+           srcipaddr='10.1.2.3' srcipmask='22'
+           dscp='33' comment='drop rule   -- dir in'/>
+  </rule>
+  <rule action='reject' direction='in'>
+     <all  srcmacaddr='1:2:3:4:5:6'
+           srcipaddr='10.1.2.3' srcipmask='22'
+           dscp='33' comment='reject rule -- dir in'/>
+  </rule>
+  <rule action='accept' direction='inout'>
+     <all  comment='accept rule -- dir inout'/>
+  </rule>
+  <rule action='drop' direction='in'>
+     <all  comment='drop   rule -- dir inout'/>
+  </rule>
+  <rule action='reject' direction='in'>
+     <all  comment='reject rule -- dir inout'/>
+  </rule>
+  <rule action='accept' direction='out'>
+     <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+     protocolid='arp'/>
+  </rule>
+  <rule action='drop' direction='out'>
+     <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+     protocolid='arp'/>
+  </rule>
+  <rule action='reject' direction='out'>
+     <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+     protocolid='arp'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+     protocolid='ipv4'/>
+  </rule>
+  <rule action='drop' direction='in'>
+     <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+     protocolid='ipv4'/>
+  </rule>
+  <rule action='reject' direction='in'>
+     <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+     protocolid='ipv4'/>
+  </rule>
+</filter>
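Review bot: The two rules at L59–L64 carry the comments `drop   rule -- dir inout` and `reject rule -- dir inout` but declare `direction='in'`, so the drop and reject targets are never exercised with `inout` even though the accept rule at L56 is; only the accept case covers that direction. If the intent is to mirror the accept rule, change both to `<rule action='drop' direction='inout'>` and `<rule action='reject' direction='inout'>` and regenerate the expected .fwall output if it differs. The mismatch between the comment text and the attribute also makes the resulting iptables listing misleading, since the `/* ... dir inout */` comment is copied verbatim into the chain while the rule actually matched on `in`.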
Index:
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/target-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/target-test.fwall
@@ -0,0 +1,61 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     all  --  0.0.0.0/0            10.1.2.3            MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY/*
accept rule -- dir out */ 
+DROP       all  --  0.0.0.0/0            10.1.2.3            MAC
01:02:03:04:05:06 DSCP match 0x02/* drop rule   -- dir out */ 
+REJECT     all  --  0.0.0.0/0            10.1.2.3            MAC
01:02:03:04:05:06 DSCP match 0x02/* reject rule -- dir out */
reject-with icmp-port-unreachable 
+RETURN     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match
0x21state ESTABLISHED ctdir ORIGINAL/* accept rule -- dir in */ 
+DROP       all  --  0.0.0.0/0            10.1.0.0/22         DSCP match
0x21/* drop rule   -- dir in */ 
+REJECT     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match
0x21/* reject rule -- dir in */ reject-with icmp-port-unreachable 
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0           /* accept
rule -- dir inout */ 
+DROP       all  --  0.0.0.0/0            0.0.0.0/0           /* drop
rule -- dir inout */ 
+REJECT     all  --  0.0.0.0/0            0.0.0.0/0           /* reject
rule -- dir inout */ reject-with icmp-port-unreachable 
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination         
+ACCEPT     all  --  10.1.2.3             0.0.0.0/0           DSCP match
0x02state ESTABLISHED ctdir ORIGINAL/* accept rule -- dir out */ 
+DROP       all  --  10.1.2.3             0.0.0.0/0           DSCP match
0x02/* drop rule   -- dir out */ 
+REJECT     all  --  10.1.2.3             0.0.0.0/0           DSCP match
0x02/* reject rule -- dir out */ reject-with icmp-port-unreachable 
+ACCEPT     all  --  10.1.0.0/22          0.0.0.0/0           MAC
01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY/*
accept rule -- dir in */ 
+DROP       all  --  10.1.0.0/22          0.0.0.0/0           MAC
01:02:03:04:05:06 DSCP match 0x21/* drop rule   -- dir in */ 
+REJECT     all  --  10.1.0.0/22          0.0.0.0/0           MAC
01:02:03:04:05:06 DSCP match 0x21/* reject rule -- dir in */ reject-with
icmp-port-unreachable 
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           /* accept
rule -- dir inout */ 
+DROP       all  --  0.0.0.0/0            0.0.0.0/0           /* drop
rule -- dir inout */ 
+REJECT     all  --  0.0.0.0/0            0.0.0.0/0           /* reject
rule -- dir inout */ reject-with icmp-port-unreachable 
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination         
+RETURN     all  --  0.0.0.0/0            10.1.2.3            MAC
01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY/*
accept rule -- dir out */ 
+DROP       all  --  0.0.0.0/0            10.1.2.3            MAC
01:02:03:04:05:06 DSCP match 0x02/* drop rule   -- dir out */ 
+REJECT     all  --  0.0.0.0/0            10.1.2.3            MAC
01:02:03:04:05:06 DSCP match 0x02/* reject rule -- dir out */
reject-with icmp-port-unreachable 
+RETURN     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match
0x21state ESTABLISHED ctdir ORIGINAL/* accept rule -- dir in */ 
+DROP       all  --  0.0.0.0/0            10.1.0.0/22         DSCP match
0x21/* drop rule   -- dir in */ 
+REJECT     all  --  0.0.0.0/0            10.1.0.0/22         DSCP match
0x21/* reject rule -- dir in */ reject-with icmp-port-unreachable 
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0           /* accept
rule -- dir inout */ 
+DROP       all  --  0.0.0.0/0            0.0.0.0/0           /* drop
rule -- dir inout */ 
+REJECT     all  --  0.0.0.0/0            0.0.0.0/0           /* reject
rule -- dir inout */ reject-with icmp-port-unreachable 
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0 
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in
vnet0 
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV
match --physdev-in vnet0 
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out
vnet0 
+#iptables -L FORWARD --line-number | grep libvirt
+1    libvirt-in  all  --  anywhere             anywhere            
+2    libvirt-out  all  --  anywhere             anywhere            
+3    libvirt-in-post  all  --  anywhere
anywhere            
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep
-v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p ARP -s 1:2:3:4:5:6 -j ACCEPT 
+-p ARP -s 1:2:3:4:5:6 -j DROP 
+-p ARP -s 1:2:3:4:5:6 -j DROP 
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -d aa:bb:cc:dd:ee:ff -j ACCEPT 
+-p IPv4 -d aa:bb:cc:dd:ee:ff -j DROP 
+-p IPv4 -d aa:bb:cc:dd:ee:ff -j DROP 
+
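Review bot: The ebtables expectations at L191 and L195 list `-j DROP` for the reject rules, byte-identical to the drop rules directly above them, so this file pins that a `<mac>` reject rule degrades to a drop at layer 2 — presumably because ebtables offers no REJECT target — and the test cannot distinguish the two actions. Because .fwall lines are compared verbatim and have no comment syntax, that expectation is invisible to a reader of this file; consider stating it in the commit message or on the three `<mac>` reject rules in target-test.xml, e.g. `<!-- ebtables has no REJECT target: the expected chain entry is DROP -->`. The iptables chains above do emit `REJECT ... reject-with icmp-port-unreachable`, so the asymmetry between the L3 and L2 paths is worth recording for anyone relying on reject semantics.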
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/target-test2.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/target-test2.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='in'>
+     <tcp dstportstart='22' state='NONE'/>
+  </rule>
+  <rule action='accept' direction='out'>
+     <tcp srcportstart='22' state='NONE'/>
+  </rule>
+  <rule action='accept' direction='in'>
+     <tcp dstportstart='80'/>
+  </rule>
+  <rule action='reject' direction='inout'>
+     <tcp/>
+  </rule>
+  <rule action='drop' direction='inout'>
+     <all/>
+  </rule>
+</filter>
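Review bot: target-test2.xml has no matching expected-output file in this patch — the diffstat at L12–L17 lists only target-test.fwall — so the tcp/reject/drop combination it describes is parsed but, unless the harness tolerates inputs without an nwfilterxml2fwallout counterpart, never compared against a generated rule set. Either add `scripts/nwfilter/nwfilterxml2fwallout/target-test2.fwall` in this patch or note in the description that the expected output follows separately. The rules at L213–L218 (`reject` then `drop` on `inout` with no `priority`) rely on document order to decide which target the unmatched traffic hits, which is exactly the behaviour an expected-output file would pin.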



