[pve-devel] [PATCH firewall 4/7] Update and add tests for corosync firewall changes

Stefan Reiter s.reiter at proxmox.com
Mon Jul 22 15:21:52 CEST 2019


Since corosync rules are now only created when a corosync.conf file is
present, a static corosync.conf has been added and will be loaded for
testing.

New test rules have been introduced to check corosync rules relating to
different rings/links.

Includes hostnames in config to trigger resolving codepaths.

Signed-off-by: Stefan Reiter <s.reiter at proxmox.com>
(cherry picked from commit 6f6a6b3f8259c06fe9f7f14490caa5275996b5c6)
---
 test/corosync.conf             | 52 ++++++++++++++++++++++++++++++++++
 test/fwtester.pl               | 11 ++++++-
 test/test-default-rules1/tests |  4 +++
 3 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 test/corosync.conf

diff --git a/test/corosync.conf b/test/corosync.conf
new file mode 100644
index 0000000..480e484
--- /dev/null
+++ b/test/corosync.conf
@@ -0,0 +1,52 @@
+logging {
+  debug: off
+  to_syslog: yes
+}
+
+nodelist {
+  node {
+    name: prox1
+    nodeid: 1
+    quorum_votes: 1
+    ring0_addr: 172.16.1.11
+    ring1_addr: 172.16.2.11
+    ring2_addr: hostname1
+  }
+  node {
+    name: prox2
+    nodeid: 1
+    quorum_votes: 1
+    ring0_addr: 172.16.1.12
+    ring1_addr: 172.16.2.12
+    ring2_addr: hostname2
+  }
+  node {
+    name: prox3
+    nodeid: 1
+    quorum_votes: 1
+    ring0_addr: 172.16.1.3
+    ring1_addr: 172.16.2.3
+    ring2_addr: hostname3
+  }
+  node {
+    name: proxself
+    nodeid: 1
+    quorum_votes: 1
+    ring0_addr: 172.16.1.2
+    ring1_addr: 172.16.2.2
+    ring2_addr: proxself
+  }
+}
+
+quorum {
+  provider: corosync_votequorum
+}
+
+totem {
+  cluster_name: cloud
+  config_version: 1
+  ip_version: ipv4
+  secauth: on
+  version: 2
+}
+
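Review bot: All four nodes in nodelist carry `nodeid: 1` (the prox1, prox2, prox3 and proxself entries), whereas corosync node IDs are expected to be unique per node. The firewall code under test may not read nodeid today, but a fixture that is invalid corosync configuration will break as soon as PVE::Corosync::parse_conf or a later consumer keys on it; numbering them `nodeid: 1` through `nodeid: 4` in order costs nothing. The `proxself` placeholders in `name:` and `ring2_addr:` are rewritten at test time by fwtester.pl, which is not visible from this file; if the parser accepts `#` comments, a one-line `# 'proxself' is replaced with the local nodename by fwtester.pl` at the top of the file would make the fixture self-explanatory.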
diff --git a/test/fwtester.pl b/test/fwtester.pl
index 2700ef3..e9ed6d1 100755
--- a/test/fwtester.pl
+++ b/test/fwtester.pl
@@ -5,6 +5,8 @@ use strict;
 use warnings;
 use Data::Dumper;
 use PVE::FirewallSimulator;
+use PVE::INotify;
+use PVE::Corosync;
 use Getopt::Long;
 use File::Basename;
 use Net::IP;
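Review bot: The use list gains PVE::INotify and PVE::Corosync but not PVE::Tools, whose `file_get_contents` the next hunk calls at file scope. It presumably gets loaded transitively through PVE::FirewallSimulator or PVE::Firewall, but the script should declare the dependency itself with `use PVE::Tools;` so the test does not stop compiling if that indirect load ever changes.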
@@ -19,6 +21,13 @@ if (!GetOptions ('debug' => \$debug)) {
     print_usage_and_exit();
 }
 
+# load dummy corosync config to have fw create according rules
+my $corosync_conf_fn = "corosync.conf";
+my $raw = PVE::Tools::file_get_contents($corosync_conf_fn);
+my $local_hostname = PVE::INotify::nodename();
+(my $raw_replaced = $raw) =~ s/proxself$/$local_hostname\n/gm;
+my $corosync_conf = PVE::Corosync::parse_conf($corosync_conf_fn, $raw_replaced);
+
 PVE::FirewallSimulator::debug($debug);
  
 my $testfilename = shift;
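Review bot: The substitution `s/proxself$/$local_hostname\n/gm` appends a newline that the match did not consume (`$` under /m matches before the line end), so every rewritten line in `$raw_replaced` is followed by an extra blank line; the parser apparently tolerates it, but `(my $raw_replaced = $raw) =~ s/proxself$/$local_hostname/gm;` is what was meant. `$corosync_conf_fn` is a bare relative path, so the test only works with test/ as the working directory; either anchor it with `dirname($0)` (File::Basename is already imported) or say so in the comment. The regex also rewrites both the `name:` and the `ring2_addr:` line of the last node, which the comment does not mention; `# replace 'proxself' with the local nodename so the fixture contains a node that matches this host` would spare the next reader a trip to corosync.conf.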
@@ -37,7 +46,7 @@ sub run_tests {
     PVE::Firewall::local_network('172.16.1.0/24');
 
     my ($ruleset, $ipset_ruleset) = 
-	PVE::Firewall::compile(undef, undef, $vmdata, 1);
+	PVE::Firewall::compile(undef, undef, $vmdata, $corosync_conf);
 
     my $filename = "$testdir/$testfile";
     my $fh = IO::File->new($filename) ||
diff --git a/test/test-default-rules1/tests b/test/test-default-rules1/tests
index 4aaf7c4..409fd7c 100644
--- a/test/test-default-rules1/tests
+++ b/test/test-default-rules1/tests
@@ -14,6 +14,8 @@
 { from => 'host', to => 'outside', dest => '172.16.1.3', proto => 'udp', dport => 5406, action => 'DROP' }
 { from => 'host', to => 'outside', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'UNICAST', action => 'DROP' }
 { from => 'host', to => 'outside', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'MULTICAST', action => 'ACCEPT' }
+{ from => 'host', to => 'outside', source => '172.16.2.2', dest => '172.16.2.3', proto => 'udp', dport => 5404, action => 'ACCEPT' }
+{ from => 'host', to => 'outside', dest => '172.16.2.3', proto => 'udp', dport => 5404, action => 'DROP' }
 
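Review bot: The new ring1 cases only probe dport 5404 (the ACCEPT to 172.16.2.3 with a matching source and the DROP without one), while the ring0 cases above also pin the upper boundary with a `dport => 5406` DROP; adding a `dport => 5405, action => 'ACCEPT'` line (if the rule covers the 5404–5405 range, as the existing 5406 DROP suggests) and a `dport => 5406, action => 'DROP'` line for 172.16.2.3 would give ring1 the same coverage. The same applies to the second hunk in this file (outside → host from 172.16.2.11). Nothing exercises ring2, whose addresses are hostnames per the commit message; since they resolve at test time their values can't be pinned here, but a `# ring2 (hostname addresses) is only covered by the resolve path not failing` comment would document that gap rather than leave it implicit.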
 
 # traffic from other node
@@ -30,6 +32,8 @@
 { from => 'outside', to => 'host', source => '172.16.1.3', proto => 'udp', dport => 5406, action => 'DROP' }
 { from => 'outside', to => 'host', source => '172.16.1.3', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'UNICAST', action => 'DROP' }
 { from => 'outside', to => 'host', source => '172.16.1.3', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'MULTICAST', action => 'ACCEPT' }
+{ from => 'outside', to => 'host', source => '172.16.2.11', dest => '172.16.2.2', proto => 'udp', dport => 5404, action => 'ACCEPT' }
+{ from => 'outside', to => 'host', source => '172.16.2.11', dest => '172.16.1.2', proto => 'udp', dport => 5404, action => 'DROP' }
 
 
 { from => 'host', to => 'ct200', action => 'DROP' }
-- 
2.20.1




