mirror of
https://git.proxmox.com/git/pve-firewall
synced 2025-08-06 18:39:57 +00:00
29e5ce1536
For now without integer to full-name, and vice versa, mapping of ICMP types. Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> |
||
|---|---|---|
| .. | ||
| test-basic1 | ||
| test-default-rules1 | ||
| test-errors1 | ||
| test-errors2 | ||
| test-errors3 | ||
| test-errors4 | ||
| test-group1 | ||
| test-ipset1 | ||
| test-ipset2 | ||
| test-unconfigured | ||
| test-vm-aliases1 | ||
| test-vm-ipfilter1 | ||
| test-vm-ipfilter2 | ||
| corosync.conf | ||
| fwtester.pl | ||
| Makefile | ||
| README | ||
= A simple simulator to test our iptables rule generation =
== Invocation ==
# ./fwtester.pl
This scans for subdirectory named test-* an invokes fwtester.pl for each
subdirectory with:
# ./fwtester.pl test-<name>/tests
== Test directory contents ==
Each test directory can contain the following files:
* cluster.fw Cluster wide firewall config
* host.fw Host firewall config
* <VMID>.fw Firewall config for VMs
* tests Test descriptions
== Test description ==
The test description file can contain one or more tests using the following
syntax:
{ from => '<zone>' , to => '<zone>', action => '<DROP|RECECT|ACCEPT>', [ source => '<ip>',] [ dest => '<ip>',] [ proto => '<tcp|udp>',] [ dport => <port>,], [ sport => <port>,] }
The following <zone> definition exist currently:
* host: The host itself
* outside: The outside world (alias for 'vmbr0/eth0')
* vm<ID>: A qemu virtual machine
* ct<ID>: An openvz container
* nfvm: Non firewalled VM (alias for 'vmbr0/tapXYZ')
* vmbr<\d+>/<bport>: Unmanaged bridge port
== Test examples ==
{ from => 'outside', to => 'ct200', dport => 22, action => 'ACCEPT' }
{ from => 'vm101', to => 'vm100', dport => 443, action => 'ACCEPT', id => 'vm2vm'}
You can assign an 'id' to each test, so that you can run them separately:
./fwtester.pl -d test-basic1/tests vm2vm