[libvirt] [PATCH v2] [TCK] nwfilter: Add test cases for ipset

Stefan Berger stefanb at linux.vnet.ibm.com
Fri Apr 27 11:25:50 UTC 2012


Add test cases for ipset support.

Since ipset may not be available on all systems, the first line of the XML
file containing the test filter has been extended with a specially formatted
XML comment containing a command line test for whether the test case can be
run at all. The format of that line is:

<!-- #<command line test># -->

If the tests in this line don't succeed, the test case is skipped.

Also add a test case cleaning up the created ipset. Run this test after all
other tests using alphabetical ordering.

---
  v2:
   - addressed Eric Blake's comments

---
  scripts/nwfilter/nwfilter2vmtest.sh                           |   36 
+++++++--
  scripts/nwfilter/nwfilterxml2fwallout/ipset-test.fwall        |   39 
++++++++++
  scripts/nwfilter/nwfilterxml2fwallout/zzz-ipset-cleanup.fwall |    1
  scripts/nwfilter/nwfilterxml2xmlin/ipset-test.xml             |   25 
++++++
  scripts/nwfilter/nwfilterxml2xmlin/zzz-ipset-cleanup.xml      |    5 +
  5 files changed, 99 insertions(+), 7 deletions(-)

Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipset-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/ipset-test.xml
@@ -0,0 +1,25 @@
+<!-- #ipset help && iptables -t match-set -h && ipset list tck_test || 
ipset create tck_test hash:ip# -->
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <all  ipset='tck_test' ipsetflags='src,dst' />
+ </rule>
+ <rule action='accept' direction='in'>
+ <all  state='NONE' ipset='tck_test' ipsetflags='src,dst' 
comment='in+NONE'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <all  state='NONE' ipset='tck_test' ipsetflags='src,dst' 
comment='out+NONE'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all  ipset='tck_test' ipsetflags='SRC,DST,SRC' />
+ </rule>
+ <rule action='accept' direction='in'>
+ <all  ipset='tck_test' ipsetflags='SRC,dSt,SRC' />
+ </rule>
+ <rule action='accept' direction='in'>
+ <all  ipset='$IPSETNAME' ipsetflags='src,dst' />
+ </rule>
+ <rule action='accept' direction='inout'>
+ <all  ipset='$IPSETNAME' ipsetflags='src,dst' comment='inout'/>
+ </rule>
+</filter>
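Review bot: The prerequisite command on the first line of this file does not group the way it reads. In shell, `&&` and `||` have equal precedence and associate left, so the trailing `ipset create tck_test hash:ip` runs whenever any of the three earlier commands fails, not only when `ipset list tck_test` reports the set missing. If the iptables probe fails but the create succeeds, the test is not skipped, and the set is likely left behind because zzz-ipset-cleanup.xml is gated on the same probe. Grouping the last two commands keeps the intent: `ipset help && iptables -t match-set -h && { ipset list tck_test || ipset create tck_test hash:ip; }`. It is also worth confirming that `-t match-set` is the intended probe, since `-t` selects a table rather than a match extension.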
Index: libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
===================================================================
--- libvirt-tck.orig/scripts/nwfilter/nwfilter2vmtest.sh
+++ libvirt-tck/scripts/nwfilter/nwfilter2vmtest.sh
@@ -107,6 +107,7 @@ checkExpectedOutput() {
    ifname="$3"
    flags="$4"
    skipregex="$5"
+  skiptest="$6"
    regex="s/${ORIG_IFNAME}/${ifname}/g"

    tmpdir=$(mktmpdir)
@@ -147,6 +148,18 @@ checkExpectedOutput() {
        break
      fi

+    if [ -n "${skiptest}" ]; then
+      # treat all skips as passes
+          passctr=$(($passctr + 1))
+          [ $(($flags & $FLAG_VERBOSE)) -ne 0 ] && \
+              echo "SKIP ${xmlfile} : ${cmd}"
+          [ $(($flags & $FLAG_LIBVIRT_TEST)) -ne 0 ] && \
+              test_result $(($passctr + $failctr)) "" 0
+          [ $(($flags & $FLAG_TAP_TEST)) -ne 0 ] && \
+              tap_pass $(($passctr + $failctr)) "SKIP: ${xmlfile} : 
${skiptest}"
+          break
+    fi
+
          diff -w ${tmpfile} ${tmpfile2} >/dev/null

          if [ $? -ne 0 ]; then
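Review bot: The verbose SKIP line prints `${cmd}` while the TAP line a few statements later prints `${skiptest}`. Inside checkExpectedOutput `cmd` is not assigned in the visible lines, so it is either the global left over from doTest or, presumably, the firewall command being compared in this loop. Using the same variable in both places keeps the reported skip reason accurate: `echo "SKIP ${xmlfile} : ${skiptest}"`. Because the filters under test are firewall rules, counting a skip as a plain pass also hides missing coverage from anyone reading only the totals; a TAP `# SKIP` directive would keep it visible, if tap_pass can emit one. The function body starts and ends outside this hunk.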
@@ -197,19 +210,27 @@ doTest() {
    flags="$5"
    testnum="$6"
    ctr=0
+  skiptest=""

    if [ ! -r "${xmlfile}" ]; then
      echo "FAIL : Cannot access filter XML file ${xmlfile}."
      return 1
    fi

-  ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null
+  # Check whether we can run this test at all
+  cmd=$(sed -n '1 s/^<\!--[     ]*#\(.*\)#[     ]*-->/\1/p' ${xmlfile})
+  if [ -n "${cmd}" ]; then
+    eval "${cmd}" 2>/dev/null 1>/dev/null
+    [ $? -ne 0 ] && skiptest="${cmd}"
+  fi
+
+  [ -z "${skiptest}" ] && ${VIRSH} nwfilter-define "${xmlfile}" > /dev/null

    checkExpectedOutput "${xmlfile}" "${fwallfile}" "${vm1name}" 
"${flags}" \
-      ""
+      "" "${skiptest}"

    checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \
-      "${vm2name}" "${flags}" ""
+      "${vm2name}" "${flags}" "" "${skiptest}"

    if [ $(($flags & $FLAG_ATTACH)) -ne 0 ]; then
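Review bot: `eval "${cmd}"` executes whatever text sits between the `#` markers on line 1 of each test XML file, with the privileges of the test run, so the XML directory becomes executable input rather than data. That trust assumption deserves a comment above the `sed` line, for example `# NOTE: line 1 of the XML is executed via eval; only run filter files from a trusted tree`. Separately, `${xmlfile}` is unquoted in the `sed` call although it is quoted everywhere else in doTest; ending that line with `"${xmlfile}")` fixes it. `cmd` and `skiptest` are also plain globals shared with checkExpectedOutput, which is worth noting in the same comment. doTest continues past the end of this hunk.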

@@ -234,9 +255,9 @@ EOF

      if [ $rc -eq 0 ]; then
        checkExpectedOutput "${xmlfile}" "${fwallfile}" "${ATTACH_IFNAME}" \
-        "${flags}" "(PRE|POST)ROUTING"
+        "${flags}" "(PRE|POST)ROUTING" "${skiptest}"
        checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \
-        "${vm2name}" "${flags}" "(PRE|POST)ROUTING"
+        "${vm2name}" "${flags}" "(PRE|POST)ROUTING" "${skiptest}"
        msg=`${VIRSH} detach-device "${vm1name}" "${tmpfile}"`
        if [ $? -ne 0 ]; then
          echo "FAIL: Detach of interface failed."
@@ -246,9 +267,9 @@ EOF
          # In case of TAP, run the test anyway so we get to the full number
          # of tests
          checkExpectedOutput "${xmlfile}" "${fwallfile}" 
"${ATTACH_IFNAME}" \
-          "${flags}" "" #"(PRE|POST)ROUTING"
+          "${flags}" "" "${skiptest}" #"(PRE|POST)ROUTING"
          checkExpectedOutput "${TESTFILTERNAME}" "${TESTVM2FWALLDATA}" \
-          "${vm2name}" "${flags}" #"(PRE|POST)ROUTING"
+          "${vm2name}" "${flags}" "${skiptest}" #"(PRE|POST)ROUTING"
        fi

        attachfailctr=$(($attachfailctr + 1))
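Review bot: In the second call of this hunk `"${skiptest}"` lands in the fifth position, which checkExpectedOutput reads as `skipregex` (`$5`), because the original call passed no skipregex argument at all; `skiptest` (`$6`) stays empty. On this branch, apparently the attach-failure path since `attachfailctr` is incremented right after, a test that should be skipped is therefore compared anyway, with the prerequisite command used as a skip regex. The call needs the same empty placeholder as the one above it: `"${vm2name}" "${flags}" "" "${skiptest}" #"(PRE|POST)ROUTING"`. The enclosing if/else starts before the hunk.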
@@ -357,6 +378,7 @@ createVM() {
<parameter name='C' value='1090'/>
<parameter name='C' value='1100'/>
<parameter name='C' value='1110'/>
+ <parameter name='IPSETNAME' value='tck_test'/>
</filterref>
<target dev='${vmname}'/>
</interface>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipset-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/ipset-test.fwall
@@ -0,0 +1,39 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target     prot opt source               destination
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state 
NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            match-set 
tck_test src,dst /* out+NONE */
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state 
ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src,dst
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state 
ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src,dst
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state 
ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            match-set 
tck_test dst,src /* inout */
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target     prot opt source               destination
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state 
ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            match-set 
tck_test src,dst /* in+NONE */
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state 
NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst,src
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state 
NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst,src
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state 
NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            match-set 
tck_test src,dst /* inout */
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target     prot opt source               destination
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state 
NEW,ESTABLISHED ctdir REPLY match-set tck_test src,dst
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            match-set 
tck_test src,dst /* out+NONE */
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state 
ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src,dst
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state 
ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src,dst
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            state 
ESTABLISHED ctdir ORIGINAL match-set tck_test dst,src
+RETURN     all  --  0.0.0.0/0            0.0.0.0/0            match-set 
tck_test dst,src /* inout */
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV 
match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out 
vnet0
+#ebtables -t nat -L libvirt-O-vnet0 2>/dev/null | grep -v "table:" | 
grep -v "^$"
+#ebtables -t nat -L libvirt-I-vnet0 2>/dev/null | grep -v "table:" | 
grep -v "^$"
+#ebtables -t nat -L PREROUTING | grep vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0
Index: 
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/zzz-ipset-cleanup.fwall
===================================================================
--- /dev/null
+++ 
libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/zzz-ipset-cleanup.fwall
@@ -0,0 +1 @@
+#ipset destroy tck_test 2>&1 1>/dev/null
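Review bot: The redirection order in `ipset destroy tck_test 2>&1 1>/dev/null` discards stdout but leaves stderr in the captured output, which is easy to misread as a mistake for `>/dev/null 2>&1`. If the order is deliberate, so that a failing destroy (for example a set still referenced by a rule) shows up as unexpected output and fails the comparison, the commit message should say so. Nothing in this one-line file can carry that explanation, since `#` lines appear to be treated as commands.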
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/zzz-ipset-cleanup.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/zzz-ipset-cleanup.xml
@@ -0,0 +1,5 @@
+<!-- #ipset help && iptables -t match-set -h# -->
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <!-- used only to cleanup ipset -->
+</filter>



