NOTE
:   The `unittest` command uses namespaces to isolate itself and the
    tests it runs from the running firewall. It needs user namespaces
    to be enabled.

Run tests as:

    ./unittest directory-or-conffile...
Any number of files and directories (in which case all `.conf` files
found are tested) can be specified. The base-name of the directory is
used to determine the tool to run with, e.g. all `.conf` files under
`firehol/` are expected to run as FireHOL configurations.
We will consider a new test `mytest`.

This test consists of a standard `mytest.conf` somewhere under the
directory for the program. It may be in any subdirectory.
In addition the following optional scripts may be present, at the same
level as the test. If they have their execute bit set, then:

- `mytest.pre.sh` - this is run before the script, e.g. to set up a
  custom `/etc/firehol` directory (the default is empty) or to pre-load
  extra state for checking.
- `mytest.run.sh` - this is used instead of running the script in
  normal `start` mode, e.g. if we want to test a different command
  line. It also works well if the expected status is non-zero (maybe we
  are testing that an error is produced) - we can check the value we
  want and return 0 if what we wanted to happen, happened.
- `mytest.check.sh` - this is used in addition to the standard output
  checks, e.g. if we want to identify specific content in the output
  logfile.
All the optional scripts are expected to return 0 if they consider
themselves successful. Any other status is treated as an error. A
simple example of all three is the firehol/cmdline/stop-test.conf
setup.
The scripts have access to these environment variables:

- `conf` - the config file path
- `pre_sh` - the pre-run script path
- `run_sh` - the run script path
- `post_sh` - the post-run script path
- `runlog` - the logfile where command output should go

FireHOL scripts can use these:

- `out4` - the iptables output
- `out6` - the ip6tables output
- `aud4` - the expected iptables output
- `aud6` - the expected ip6tables output

FireQOS scripts can use these:

- `outqdisc` - the tc qdisc output
- `outclass` - the tc class output
- `outfilter` - the tc filter output
- `audqdisc` - the expected tc qdisc output
- `audclass` - the expected tc class output
- `audfilter` - the expected tc filter output
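A worked `mytest.run.sh` for the "expected status is non-zero" case described above, written as an added example and not taken from the project's own tests. It assumes the tool under test is reachable as `firehol` on `PATH`, that an invalid extra argument (`no-such-command`, a constructed value) makes it exit non-zero, and that its error text contains `ERROR`; adjust those to what the tool actually does.

```shell
#!/bin/sh
# mytest.run.sh (constructed example): run the configuration in a way
# that is expected to FAIL, and report success only if it failed the
# way we wanted. The harness exports $conf and $runlog for us.

# expect_failure STATUS LOGFILE PATTERN
# Return 0 if STATUS is non-zero and PATTERN appears in LOGFILE,
# otherwise 1. Kept as a function so it can be reused by check.sh.
expect_failure() {
    status="$1"     # exit status of the command under test
    log="$2"        # file the command's output was sent to
    pattern="$3"    # text that must appear in that file
    [ "$status" -ne 0 ] || return 1          # it must have failed...
    grep -q -- "$pattern" "$log" || return 1 # ...with the right message
    return 0
}

# Only drive the tool when invoked by unittest; sourcing this file for
# expect_failure() alone does nothing.
if [ -n "${conf:-}" ] && [ -n "${runlog:-}" ]; then
    # ASSUMPTION: `firehol` is on PATH and rejects the bogus argument.
    firehol "$conf" no-such-command >"$runlog" 2>&1
    rc=$?
    # ASSUMPTION: the rejection message contains the word ERROR.
    if expect_failure "$rc" "$runlog" "ERROR"; then
        exit 0                               # the failure we wanted
    fi
    echo "firehol did not fail as expected (status $rc)" >&2
    exit 1                                   # any other outcome is an error
fi
```

Because the harness skips the standard `out4`/`out6` comparisons only when a script returns non-zero, a run script like this still lets the normal checks run after it returns 0.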
If any script returns an error the standard output checks are skipped.
Otherwise the following checks are made:

For FireHOL tests
:   The files `mytest.out4` and `mytest.out6` will be compared to the
    output of `iptables-save` and `ip6tables-save` to check that the
    expected firewall has been produced and is running.

    Note that the expectation is the outputs will all have been
    processed by `tools/clean-iptables`, which imposes some additional
    consistency to make diffs easier. The audits should have similarly
    been processed.

    In particular, specifying IPv6 addresses as e.g. `::10.0.0.1` will
    ensure the test output will be identical to the IPv4 equivalent
    `10.0.0.1`.

For FireQOS tests
:   The files `mytest.qdisc.out`, `mytest.class.out` and
    `mytest.filter.out` will be compared to the output of
    `tc [type] show dev veth0` to check that the expected traffic
    control configuration has been produced and is running.

    Note the use of `veth0`, which is set up automatically and is the
    only device which will be checked, so it must be the interface used
    in test configurations.

For Link Balancer tests
:   TODO