[pve-devel] [PATCH firewall 4/7] Update and add tests for corosync firewall changes
Stefan Reiter
s.reiter at proxmox.com
Mon Jul 22 15:21:52 CEST 2019
Since corosync rules are now only created when a corosync.conf file is
present, a static corosync.conf has been added and will be loaded for
testing.
New test rules have been introduced to check corosync rules relating to
different rings/links.
Includes hostnames in config to trigger resolving codepaths.
Signed-off-by: Stefan Reiter <s.reiter at proxmox.com>
(cherry picked from commit 6f6a6b3f8259c06fe9f7f14490caa5275996b5c6)
---
test/corosync.conf | 52 ++++++++++++++++++++++++++++++++++
test/fwtester.pl | 11 ++++++-
test/test-default-rules1/tests | 4 +++
3 files changed, 66 insertions(+), 1 deletion(-)
create mode 100644 test/corosync.conf
diff --git a/test/corosync.conf b/test/corosync.conf
new file mode 100644
index 0000000..480e484
--- /dev/null
+++ b/test/corosync.conf
@@ -0,0 +1,52 @@
+logging {
+ debug: off
+ to_syslog: yes
+}
+
+nodelist {
+ node {
+ name: prox1
+ nodeid: 1
+ quorum_votes: 1
+ ring0_addr: 172.16.1.11
+ ring1_addr: 172.16.2.11
+ ring2_addr: hostname1
+ }
+ node {
+ name: prox2
+ nodeid: 1
+ quorum_votes: 1
+ ring0_addr: 172.16.1.12
+ ring1_addr: 172.16.2.12
+ ring2_addr: hostname2
+ }
+ node {
+ name: prox3
+ nodeid: 1
+ quorum_votes: 1
+ ring0_addr: 172.16.1.3
+ ring1_addr: 172.16.2.3
+ ring2_addr: hostname3
+ }
+ node {
+ name: proxself
+ nodeid: 1
+ quorum_votes: 1
+ ring0_addr: 172.16.1.2
+ ring1_addr: 172.16.2.2
+ ring2_addr: proxself
+ }
+}
+
+quorum {
+ provider: corosync_votequorum
+}
+
+totem {
+ cluster_name: cloud
+ config_version: 1
+ ip_version: ipv4
+ secauth: on
+ version: 2
+}
+
diff --git a/test/fwtester.pl b/test/fwtester.pl
index 2700ef3..e9ed6d1 100755
--- a/test/fwtester.pl
+++ b/test/fwtester.pl
@@ -5,6 +5,8 @@ use strict;
use warnings;
use Data::Dumper;
use PVE::FirewallSimulator;
+use PVE::INotify;
+use PVE::Corosync;
use Getopt::Long;
use File::Basename;
use Net::IP;
@@ -19,6 +21,13 @@ if (!GetOptions ('debug' => \$debug)) {
print_usage_and_exit();
}
+# load dummy corosync config to have fw create according rules
+my $corosync_conf_fn = "corosync.conf";
+my $raw = PVE::Tools::file_get_contents($corosync_conf_fn);
+my $local_hostname = PVE::INotify::nodename();
+(my $raw_replaced = $raw) =~ s/proxself$/$local_hostname\n/gm;
+my $corosync_conf = PVE::Corosync::parse_conf($corosync_conf_fn, $raw_replaced);
+
PVE::FirewallSimulator::debug($debug);
my $testfilename = shift;
@@ -37,7 +46,7 @@ sub run_tests {
PVE::Firewall::local_network('172.16.1.0/24');
my ($ruleset, $ipset_ruleset) =
- PVE::Firewall::compile(undef, undef, $vmdata, 1);
+ PVE::Firewall::compile(undef, undef, $vmdata, $corosync_conf);
my $filename = "$testdir/$testfile";
my $fh = IO::File->new($filename) ||
diff --git a/test/test-default-rules1/tests b/test/test-default-rules1/tests
index 4aaf7c4..409fd7c 100644
--- a/test/test-default-rules1/tests
+++ b/test/test-default-rules1/tests
@@ -14,6 +14,8 @@
{ from => 'host', to => 'outside', dest => '172.16.1.3', proto => 'udp', dport => 5406, action => 'DROP' }
{ from => 'host', to => 'outside', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'UNICAST', action => 'DROP' }
{ from => 'host', to => 'outside', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'MULTICAST', action => 'ACCEPT' }
+{ from => 'host', to => 'outside', source => '172.16.2.2', dest => '172.16.2.3', proto => 'udp', dport => 5404, action => 'ACCEPT' }
+{ from => 'host', to => 'outside', dest => '172.16.2.3', proto => 'udp', dport => 5404, action => 'DROP' }
# traffic from other node
@@ -30,6 +32,8 @@
{ from => 'outside', to => 'host', source => '172.16.1.3', proto => 'udp', dport => 5406, action => 'DROP' }
{ from => 'outside', to => 'host', source => '172.16.1.3', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'UNICAST', action => 'DROP' }
{ from => 'outside', to => 'host', source => '172.16.1.3', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'MULTICAST', action => 'ACCEPT' }
+{ from => 'outside', to => 'host', source => '172.16.2.11', dest => '172.16.2.2', proto => 'udp', dport => 5404, action => 'ACCEPT' }
+{ from => 'outside', to => 'host', source => '172.16.2.11', dest => '172.16.1.2', proto => 'udp', dport => 5404, action => 'DROP' }
{ from => 'host', to => 'ct200', action => 'DROP' }
--
2.20.1
More information about the pve-devel
mailing list