Commit 5185fa52 authored by Laine Stump's avatar Laine Stump

Fix no-mac-broadcast test

This test is supposed to test that the no-mac-broadcast nwfilter
properly blocks all outgoing traffic with the MAC broadcast address as
its destination. When the no-mac-broadcast filter is used by itself,
though, it blocks even DHCP and ARP requests, meaning that the network
connection to the guest isn't even enough to allow the test script to
ssh in to do its work.

This patch solves the problem by temporarily creating a new nwfilter
that precedes the no-mac-broadcast rule with clean-traffic (which will
allow dhcp requests and responses) and allow-arp (as the name
states). This gives us enough network connection to get into the
guest, attempt a broadcast ping, and see that it fails.

(I'm not sure how this test ever reported success in the past. If it
did, it was only because something else was broken).
Signed-off-by: 's avatarLaine Stump <>
Reviewed-by: 's avatarDaniel P. Berrangé <>
parent 8abf11b8
......@@ -34,6 +34,7 @@ use Test::Exception;
use Net::OpenSSH;
use File::Spec::Functions qw(catfile catdir rootdir);
my $nwfilter;
my $tck = Sys::Virt::TCK->new();
my $conn = eval { $tck->setup(); };
BAIL_OUT "failed to setup test harness: $@" if $@;
......@@ -42,13 +43,39 @@ END {
my $networkip = get_network_ip($conn, "default");
my $networkipaddr = $networkip->addr();
my $networkipbroadcast = $networkip->broadcast()->addr();
diag "network ip is $networkip, broadcast address is $networkipbroadcast";
# we are testing the no-mac-broadcast filter, but that filter by
# itself makes for a completely unusable network connection. In order
# to have enough networking to properly run the test, we need to allow
# dhcp and arp broadcast traffic, which is done via the clean-traffic
# and allow-arp filters; the no-mac-broadcast filter then forbids any
# other packets with the broadcast address for destination.
my $nwfilter_xml = <<EOF;
<filter name='tck-test-broadcast'>
<filterref filter='clean-traffic'/>
<filterref filter='allow-arp'/>
<filterref filter='no-mac-broadcast'/>
# define_nwfilter() was missing from perl bindings until libvirt 4.2.0,
# so we go in the back door when it's not there.
$nwfilter = $conn->can("define_nwfilter")
? $conn->define_nwfilter($nwfilter_xml)
: Sys::Virt::NWFilter->_new(connection => $conn, xml => $nwfilter_xml);
# create first domain and start it
my $xml = $tck->generic_domain(name => "tck", fullos => 1,
netmode => "network",
filterref => "no-mac-broadcast")->as_xml();
filterref => "tck-test-broadcast",
filterparams => {
DHCPSERVER => $networkipaddr
my $dom;
ok_domain(sub { $dom = $conn->define_domain($xml) }, "created persistent domain object");
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment