From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Date: Thu, 24 Jan 2019 14:05:56 +0000 Message-Id: <20190124140559.21088-2-berrange@redhat.com> In-Reply-To: <20190124140559.21088-1-berrange@redhat.com> References: <20190124140559.21088-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-loop: libvir-list@redhat.com Cc: Laine Stump Subject: [libvirt] [PATCH v3 1/4] network: add platform driver callbacks around firewall reload X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Thu, 24 Jan 2019 14:06:39 +0000 (UTC) Allow the platform driver impls to run logic before and after the firewall reload process. Reviewed-by: Laine Stump Signed-off-by: Daniel P. Berrang=C3=A9 --- src/network/bridge_driver.c | 13 ++++++++----- src/network/bridge_driver_linux.c | 11 +++++++++++ src/network/bridge_driver_nop.c | 11 +++++++++++ src/network/bridge_driver_platform.h | 3 +++ 4 files changed, 33 insertions(+), 5 deletions(-) diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index aed80c04d5..fb4eb00c1d 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -163,7 +163,7 @@ static int networkShutdownNetworkExternal(virNetworkObjPtr obj); =20 static void -networkReloadFirewallRules(virNetworkDriverStatePtr driver); +networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup); =20 static void networkRefreshDaemons(virNetworkDriverStatePtr driver); 
@@ -551,7 +551,7 @@ firewalld_dbus_filter_bridge(DBusConnection *connection= ATTRIBUTE_UNUSED, "Reloaded")) { VIR_DEBUG("Reload in bridge_driver because of firewalld."); - networkReloadFirewallRules(driver); + networkReloadFirewallRules(driver, false); } =20 return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; @@ -751,7 +751,7 @@ networkStateInitialize(bool privileged, virNetworkObjListPrune(network_driver->networks, VIR_CONNECT_LIST_NETWORKS_INACTIVE | VIR_CONNECT_LIST_NETWORKS_TRANSIENT); - networkReloadFirewallRules(network_driver); + networkReloadFirewallRules(network_driver, true); networkRefreshDaemons(network_driver); =20 network_driver->networkEventState =3D virObjectEventStateNew(); @@ -827,7 +827,7 @@ networkStateReload(void) virNetworkObjLoadAllConfigs(network_driver->networks, network_driver->networkConfigDir, network_driver->networkAutostartDir); - networkReloadFirewallRules(network_driver); + networkReloadFirewallRules(network_driver, false); networkRefreshDaemons(network_driver); virNetworkObjListForEach(network_driver->networks, networkAutostartConfig, @@ -2179,12 +2179,15 @@ networkReloadFirewallRulesHelper(virNetworkObjPtr o= bj, =20 =20 static void -networkReloadFirewallRules(virNetworkDriverStatePtr driver) +networkReloadFirewallRules(virNetworkDriverStatePtr driver, bool startup) { VIR_INFO("Reloading iptables rules"); + if (networkPreReloadFirewallRules(startup) < 0) + return; virNetworkObjListForEach(driver->networks, networkReloadFirewallRulesHelper, NULL); + networkPostReloadFirewallRules(startup); } =20 =20 diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index dd08222653..1e107ee422 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c 
@@ -34,6 +34,17 @@ VIR_LOG_INIT("network.bridge_driver_linux"); =20 #define PROC_NET_ROUTE "/proc/net/route" =20 +int networkPreReloadFirewallRules(bool startup ATTRIBUTE_UNUSED) +{ + return 0; +} + + +void networkPostReloadFirewallRules(bool startup ATTRIBUTE_UNUSED) +{ +} + + /* XXX: This function can be a lot more exhaustive, there are certainly * other scenarios where we can ruin host network connectivity. * XXX: Using a proper library is preferred over parsing /proc diff --git a/src/network/bridge_driver_nop.c b/src/network/bridge_driver_no= p.c index ce529a60a1..a0e57012f9 100644 --- a/src/network/bridge_driver_nop.c +++ b/src/network/bridge_driver_nop.c @@ -19,6 +19,17 @@ =20 #include =20 +int networkPreReloadFirewallRules(bool startup ATTRIBUTE_UNUSED) +{ + return 0; +} + + +void networkPostReloadFirewallRules(bool startup ATTRIBUTE_UNUSED) +{ +} + + int networkCheckRouteCollision(virNetworkDefPtr def ATTRIBUTE_UNUSED) { return 0; diff --git a/src/network/bridge_driver_platform.h b/src/network/bridge_driv= er_platform.h index 8f05ea2b47..baeb22bc3e 100644 --- a/src/network/bridge_driver_platform.h +++ b/src/network/bridge_driver_platform.h 
@@ -58,6 +58,9 @@ struct _virNetworkDriverState { typedef struct _virNetworkDriverState virNetworkDriverState; typedef virNetworkDriverState *virNetworkDriverStatePtr; =20 +int networkPreReloadFirewallRules(bool startup); +void networkPostReloadFirewallRules(bool startup); + int networkCheckRouteCollision(virNetworkDefPtr def); =20 int networkAddFirewallRules(virNetworkDefPtr def); --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sun May 5 09:28:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1548338809505497.2470071829807; Thu, 24 Jan 2019 06:06:49 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 2B2E72DC373; Thu, 24 Jan 2019 14:06:47 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id C8CE51724D; Thu, 24 Jan 2019 14:06:46 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 52172180BAAC; Thu, 24 Jan 2019 14:06:46 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) by lists01.pubmisc.prod.ext.phx2.redhat.com 
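Review bot: in the networkReloadFirewallRules hunk of src/network/bridge_driver.c, a negative return from networkPreReloadFirewallRules() makes the function `return` silently: it is void, nothing is logged, and networkStateInitialize(), which now calls it with startup=true, cannot tell that no rules were reloaded. Suggest at least a VIR_WARN() before the `return`, or changing the function to return int so the startup path can report the failure; the `networkPostReloadFirewallRules(startup)` call is also skipped on that path, which is reasonable but worth a comment so platform implementations do not assume the pre and post hooks are always paired.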
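Review bot: the two prototypes added to src/network/bridge_driver_platform.h carry no comment describing their contract: that networkPreReloadFirewallRules() returning < 0 aborts the whole reload, that networkPostReloadFirewallRules() cannot fail, and what `startup` means (initial daemon start versus a later reload or firewalld event). A short comment there would guide per-platform implementers, since the bridge_driver_nop.c and bridge_driver_linux.c stubs in this patch give no hint.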
(8.13.8/8.13.8) with ESMTP id x0OE66NB007575 for ; Thu, 24 Jan 2019 09:06:06 -0500 Received: by smtp.corp.redhat.com (Postfix) id 7CCA85D75C; Thu, 24 Jan 2019 14:06:06 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-112-61.ams2.redhat.com [10.36.112.61]) by smtp.corp.redhat.com (Postfix) with ESMTP id 1ED8C5D738; Thu, 24 Jan 2019 14:06:04 +0000 (UTC) From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Date: Thu, 24 Jan 2019 14:05:57 +0000 Message-Id: <20190124140559.21088-3-berrange@redhat.com> In-Reply-To: <20190124140559.21088-1-berrange@redhat.com> References: <20190124140559.21088-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-loop: libvir-list@redhat.com Cc: Laine Stump Subject: [libvirt] [PATCH v3 2/4] util: pass layer into firewall query callback X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.29]); Thu, 24 Jan 2019 14:06:48 +0000 (UTC) Some of the query callbacks want to know the firewall layer that was being used for triggering the query to avoid duplicating that data. Reviewed-by: Laine Stump Signed-off-by: Daniel P. Berrang=C3=A9 --- src/nwfilter/nwfilter_ebiptables_driver.c | 17 ++++++++++------- src/util/virfirewall.c | 2 +- src/util/virfirewall.h | 1 + tests/virfirewalltest.c | 3 ++- 4 files changed, 14 insertions(+), 9 deletions(-) diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfil= ter_ebiptables_driver.c index 75ec1962b6..32bbf6d05c 100644 
--- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -2701,6 +2701,7 @@ ebtablesCreateTmpSubChainFW(virFirewallPtr fw, =20 static int ebtablesRemoveSubChainsQuery(virFirewallPtr fw, + virFirewallLayer layer, const char *const *lines, void *opaque) { @@ -2717,14 +2718,14 @@ ebtablesRemoveSubChainsQuery(virFirewallPtr fw, if (tmp[0] =3D=3D chainprefixes[j] && tmp[1] =3D=3D '-') { VIR_DEBUG("Processing chain '%s'", tmp); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRuleFull(fw, layer, false, ebtablesRemoveSubChainsQuery, (void *)chainprefixes, "-t", "nat", "-L", tmp, NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRuleFull(fw, layer, true, NULL, NULL, "-t", "nat", "-F", tmp, NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRuleFull(fw, layer, true, NULL, NULL, "-t", "nat", "-X", tmp, NULL); } @@ -2802,6 +2803,7 @@ ebtablesRenameTmpRootChainFW(virFirewallPtr fw, =20 static int ebtablesRenameTmpSubAndRootChainsQuery(virFirewallPtr fw, + virFirewallLayer layer, const char *const *lines, void *opaque ATTRIBUTE_UNUSED) { @@ -2826,17 +2828,17 @@ ebtablesRenameTmpSubAndRootChainsQuery(virFirewallP= tr fw, else newchain[0] =3D CHAINPREFIX_HOST_OUT; VIR_DEBUG("Renaming chain '%s' to '%s'", tmp, newchain); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRuleFull(fw, layer, false, ebtablesRenameTmpSubAndRootChainsQue= ry, NULL, "-t", "nat", "-L", tmp, NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRuleFull(fw, layer, true, NULL, NULL, "-t", "nat", "-F", newchain, NULL); - virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRuleFull(fw, layer, true, NULL, NULL, "-t", "nat", "-X", newchain, NULL); - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET, + virFirewallAddRule(fw, layer, "-t", "nat", "-E", tmp, newchain, NULL); } =20 
@@ -3758,6 +3760,7 @@ ebiptablesDriverProbeCtdir(void) =20 static int ebiptablesDriverProbeStateMatchQuery(virFirewallPtr fw ATTRIBUTE_UNUSED, + virFirewallLayer layer ATTRIBUTE_UNUS= ED, const char *const *lines, void *opaque) { diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 5a0cf95a44..0ed54d6228 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -824,7 +824,7 @@ virFirewallApplyRule(virFirewallPtr firewall, return -1; =20 VIR_DEBUG("Invoking query %p with '%s'", rule->queryCB, output); - if (rule->queryCB(firewall, (const char *const *)lines, rule->quer= yOpaque) < 0) + if (rule->queryCB(firewall, rule->layer, (const char *const *)line= s, rule->queryOpaque) < 0) return -1; =20 if (firewall->err =3D=3D ENOMEM) { diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index a1c45e0427..2a6fc30eb7 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -56,6 +56,7 @@ void virFirewallFree(virFirewallPtr firewall); virFirewallAddRuleFull(firewall, layer, false, NULL, NULL, __VA_A= RGS__) =20 typedef int (*virFirewallQueryCallback)(virFirewallPtr firewall, + virFirewallLayer layer, const char *const *lines, void *opaque); =20 diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index 63b9ced820..5fde25d8f6 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c 
@@ -990,11 +990,12 @@ testFirewallQueryHook(const char *const*args, =20 static int testFirewallQueryCallback(virFirewallPtr fw, + virFirewallLayer layer, const char *const *lines, void *opaque ATTRIBUTE_UNUSED) { size_t i; - virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, + virFirewallAddRule(fw, layer, "-A", "INPUT", "--source-host", "!192.168.122.129", "--jump", "REJECT", NULL); --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sun May 5 09:28:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1548338814970744.2476821921133; Thu, 24 Jan 2019 06:06:54 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id C8AC431F3FB; Thu, 24 Jan 2019 14:06:52 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 763745D756; Thu, 24 Jan 2019 14:06:52 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 086B03F603; Thu, 24 Jan 2019 14:06:52 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) by lists01.pubmisc.prod.ext.phx2.redhat.com 
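Review bot: in the src/util/virfirewall.h hunk, the new `layer` parameter of virFirewallQueryCallback is undocumented; the src/util/virfirewall.c hunk passes `rule->layer`, so it is the layer of the rule whose output is being queried. A one-line comment on the typedef should say so, because callbacks such as ebtablesRemoveSubChainsQuery now add their follow-up rules on the received layer instead of the previously hard-coded VIR_FIREWALL_LAYER_ETHERNET, and that equivalence only holds while every caller registering those callbacks does so on the ethernet layer.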
From: Daniel P. Berrangé
To: libvir-list@redhat.com
Date: Thu, 24 Jan 2019 14:05:58 +0000
Message-Id: <20190124140559.21088-4-berrange@redhat.com>
In-Reply-To: <20190124140559.21088-1-berrange@redhat.com>
References: <20190124140559.21088-1-berrange@redhat.com>
Cc: Laine Stump
Subject: [libvirt] [PATCH v3 3/4] util: create private chains for virtual network firewall rules

Historically firewall rules for virtual networks were added straight into the base chains. This works but has a number of bugs and design limitations:

- It is inflexible for admins wanting to add extra rules ahead of libvirt's rules, via hook scripts.
- It is not clear to the admin that the rules were created by libvirt
- Each rule must be deleted by libvirt individually since they are all directly in the builtin chains
- The ordering of rules in the forward chain is incorrect when multiple networks are created, allowing traffic to mistakenly flow between networks in one direction.

To address all of these problems, libvirt needs to move to creating rules in its own private chains. In the top level builtin chains, libvirt will add links to its own private top level chains.

Addressing the traffic ordering bug requires some extra steps.
With everything going into the FORWARD chain there was interleaving of rules for outbound traffic and inbound traffic for each network:

  -A FORWARD -d 192.168.3.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -s 192.168.3.0/24 -i virbr1 -j ACCEPT
  -A FORWARD -i virbr1 -o virbr1 -j ACCEPT
  -A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
  -A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
  -A FORWARD -d 192.168.2.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -s 192.168.2.0/24 -i virbr0 -j ACCEPT
  -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
  -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
  -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable

The rule allowing outbound traffic from virbr1 would mistakenly allow packets from virbr1 to virbr0, before the rule denying input to virbr0 gets a chance to run.

What we really need to do is group the forwarding rules into three distinct sets:

* Cross rules - LIBVIRT_FWX

  -A FORWARD -i virbr1 -o virbr1 -j ACCEPT
  -A FORWARD -i virbr0 -o virbr0 -j ACCEPT

* Incoming rules - LIBVIRT_FWI

  -A FORWARD -d 192.168.3.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
  -A FORWARD -d 192.168.2.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable

* Outgoing rules - LIBVIRT_FWO

  -A FORWARD -s 192.168.3.0/24 -i virbr1 -j ACCEPT
  -A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
  -A FORWARD -s 192.168.2.0/24 -i virbr0 -j ACCEPT
  -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable

There is thus no risk of outgoing rules for one network mistakenly allowing incoming traffic for another network, as all incoming rules are evaluated first.
With this in mind, we'll thus need three distinct chains linked from the FORWARD chain, so we end up with: INPUT --> LIBVIRT_INP (filter) OUTPUT --> LIBVIRT_OUT (filter) FORWARD +-> LIBVIRT_FWX (filter) +-> LIBVIRT_FWO \-> LIBVIRT_FWI POSTROUTING --> LIBVIRT_PRT (nat & mangle) Signed-off-by: Daniel P. Berrang=C3=A9 --- src/libvirt_private.syms | 1 + src/network/bridge_driver_linux.c | 3 + src/util/viriptables.c | 131 ++++++++++++++++++++++++++++++ src/util/viriptables.h | 2 + 4 files changed, 137 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index c3d6306809..a88856557d 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2075,6 +2075,7 @@ iptablesRemoveOutputFixUdpChecksum; iptablesRemoveTcpInput; iptablesRemoveUdpInput; iptablesRemoveUdpOutput; +iptablesSetupPrivateChains; =20 =20 # util/viriscsi.h diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 1e107ee422..61f77f2735 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -36,6 +36,9 @@ VIR_LOG_INIT("network.bridge_driver_linux"); =20 int networkPreReloadFirewallRules(bool startup ATTRIBUTE_UNUSED) { + int ret =3D iptablesSetupPrivateChains(); + if (ret < 0) + return -1; return 0; } =20 diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 7f0955b82d..770dcf04a6 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -37,6 +37,7 @@ #include "virthread.h" #include "virstring.h" #include "virutil.h" +#include "virhash.h" =20 VIR_LOG_INIT("util.iptables"); =20 
@@ -48,6 +49,136 @@ enum { }; =20 =20 +typedef struct { + const char *parent; + const char *child; +} iptablesGlobalChain; + +typedef struct { + virFirewallLayer layer; + const char *table; + iptablesGlobalChain *chains; + size_t nchains; + bool *changed; +} iptablesGlobalChainData; + + +static int +iptablesPrivateChainCreate(virFirewallPtr fw, + virFirewallLayer layer, + const char *const *lines, + void *opaque) +{ + iptablesGlobalChainData *data =3D opaque; + virHashTablePtr chains =3D NULL; + virHashTablePtr links =3D NULL; + const char *const *tmp; + int ret =3D -1; + size_t i; + + if (!(chains =3D virHashCreate(50, NULL))) + goto cleanup; + if (!(links =3D virHashCreate(50, NULL))) + goto cleanup; + + tmp =3D lines; + while (tmp && *tmp) { + if (STRPREFIX(*tmp, "-N ")) { /* eg "-N LIBVIRT_INP" */ + if (virHashUpdateEntry(chains, *tmp + 3, (void *)0x1) < 0) + goto cleanup; + } else if (STRPREFIX(*tmp, "-A ")) { /* eg "-A INPUT -j LIBVIRT_IN= P" */ + char *sep =3D strchr(*tmp + 3, ' '); + if (sep) { + *sep =3D '\0'; + if (STRPREFIX(sep + 1, "-j ")) { + if (virHashUpdateEntry(links, sep + 4, + (char *)*tmp + 3) < 0) + goto cleanup; + } + } + } + tmp++; + } + + for (i =3D 0; i < data->nchains; i++) { + const char *from; + if (!virHashLookup(chains, data->chains[i].child)) { + virFirewallAddRule(fw, layer, + "--table", data->table, + "--new-chain", data->chains[i].child, NULL); + *data->changed =3D true; + } + + from =3D virHashLookup(links, data->chains[i].child); + if (!from || STRNEQ(from, data->chains[i].parent)) + virFirewallAddRule(fw, layer, + "--table", data->table, + "--insert", data->chains[i].parent, + "--jump", data->chains[i].child, NULL); + } + + ret =3D 0; + cleanup: + virHashFree(chains); + virHashFree(links); + return ret; +} + + +int +iptablesSetupPrivateChains(void) +{ + virFirewallPtr fw =3D NULL; + int ret =3D -1; + iptablesGlobalChain filter_chains[] =3D { + {"INPUT", "LIBVIRT_INP"}, + {"OUTPUT", "LIBVIRT_OUT"}, + {"FORWARD", "LIBVIRT_FWO"}, + 
{"FORWARD", "LIBVIRT_FWI"}, + {"FORWARD", "LIBVIRT_FWX"}, + }; + iptablesGlobalChain natmangle_chains[] =3D { + {"POSTROUTING", "LIBVIRT_PRT"}, + }; + bool changed =3D false; + iptablesGlobalChainData data[] =3D { + { VIR_FIREWALL_LAYER_IPV4, "filter", + filter_chains, ARRAY_CARDINALITY(filter_chains), &changed }, + { VIR_FIREWALL_LAYER_IPV4, "nat", + natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed = }, + { VIR_FIREWALL_LAYER_IPV4, "mangle", + natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed = }, + { VIR_FIREWALL_LAYER_IPV6, "filter", + filter_chains, ARRAY_CARDINALITY(filter_chains), &changed }, + { VIR_FIREWALL_LAYER_IPV6, "nat", + natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed = }, + { VIR_FIREWALL_LAYER_IPV6, "mangle", + natmangle_chains, ARRAY_CARDINALITY(natmangle_chains), &changed = }, + }; + size_t i; + + fw =3D virFirewallNew(); + + virFirewallStartTransaction(fw, 0); + + for (i =3D 0; i < ARRAY_CARDINALITY(data); i++) + virFirewallAddRuleFull(fw, data[i].layer, + false, iptablesPrivateChainCreate, + &(data[i]), "--table", data[i].table, + "--list-rules", NULL); + + if (virFirewallApply(fw) < 0) + goto cleanup; + + ret =3D changed ? 1 : 0; + + cleanup: + + virFirewallFree(fw); + return ret; +} + + static void iptablesInput(virFirewallPtr fw, virFirewallLayer layer, diff --git a/src/util/viriptables.h b/src/util/viriptables.h index b978fe409b..94304401c5 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h 
@@ -24,6 +24,8 @@ # include "virsocketaddr.h" # include "virfirewall.h" =20 +int iptablesSetupPrivateChains (void); + void iptablesAddTcpInput (virFirewallPtr fw, virFirewallLayer layer, const char *iface, --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sun May 5 09:28:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1548338881837880.8529343039894; Thu, 24 Jan 2019 06:08:01 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 0E0C789AED; Thu, 24 Jan 2019 14:07:58 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 953661A7CA; Thu, 24 Jan 2019 14:07:57 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 064A63F602; Thu, 24 Jan 2019 14:07:57 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id x0OE6AU4007625 for ; Thu, 24 Jan 2019 09:06:10 -0500 Received: by smtp.corp.redhat.com (Postfix) id CF2345D756; Thu, 24 Jan 2019 14:06:10 +0000 (UTC) 
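Review bot: in the src/util/viriptables.c hunk, link detection in iptablesPrivateChainCreate() only recognises `-A <parent> -j <child>` with the jump as the very first option after the chain name (`STRPREFIX(sep + 1, "-j ")`), so a jump rule that an admin has narrowed with a match in front of `-j` is never found and every reload issues another `--insert <parent> --jump <child>`, stacking duplicate jumps at the top of the builtin chain. The same loop also relies on insertion order for the FORWARD layout: filter_chains lists LIBVIRT_FWO, LIBVIRT_FWI, LIBVIRT_FWX and each link is added with `--insert`, which yields the intended FWX, FWI, FWO order only when all three links are missing at once; if on a later run only the LIBVIRT_FWO or LIBVIRT_FWI link is absent it is re-inserted at position 1 ahead of LIBVIRT_FWX, reintroducing the ordering problem this series fixes, and `*data->changed` is not set for link insertion so the reorder goes unreported. Suggest tokenising the line and accepting `-j` anywhere, and, when any FORWARD link is missing, re-creating all of that parent's links in the intended order. Minor: `*sep = '\0'` writes into the query output received through a `const char *const *` parameter, and `(char *)*tmp + 3` casts the const away to store a pointer into that buffer; copying the chain names would avoid both.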
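Review bot: the prototype `int iptablesSetupPrivateChains (void);` added to src/util/viriptables.h does not document its return value, yet the implementation distinguishes 1 (chains were created) from 0 (already present) and the src/network/bridge_driver_linux.c hunk in this patch collapses both to 0; a comment on the prototype stating the three outcomes (-1, 0, 1) would keep later callers from treating it as a plain success flag.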
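The ordering argument in the 3/4 commit message above, worked as an added example (not libvirt code): a small evaluator for the subset of `iptables -S` syntax those rules use, run over the interleaved FORWARD rules quoted there and over the grouped LIBVIRT_FWX/FWI/FWO layout. The Packet values, the interface name eth0 and the 203.0.113.5 address are constructed test inputs, not taken from the patch.

```python
"""Evaluate the two FORWARD layouts from the commit message: rules interleaved
per network directly in FORWARD versus rules grouped into LIBVIRT_FWX/FWI/FWO.
Added example, not libvirt code; it supports only the matches those rules use."""
import ipaddress
import shlex
from collections import namedtuple

Packet = namedtuple("Packet", "src dst in_iface out_iface ctstate", defaults=("NEW",))


def parse_rule(line):
    """Turn one 'iptables -S' style '-A <chain> ...' line into (chain, matches, target)."""
    toks = shlex.split(line)
    if len(toks) < 3 or toks[0] != "-A":
        raise ValueError(f"not an append rule: {line!r}")
    chain, matches, target, i = toks[1], {}, None, 2
    while i < len(toks):
        t = toks[i]
        if t == "-j":
            target, i = toks[i + 1], i + 2
        elif t in ("-s", "-d", "-i", "-o"):
            matches[t], i = toks[i + 1], i + 2
        elif t == "-m" and toks[i + 1:i + 3] == ["conntrack", "--ctstate"]:
            matches["ctstate"], i = set(toks[i + 3].split(",")), i + 4
        elif t == "--reject-with":  # only refines the REJECT verdict
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
    return chain, matches, target


def parse_ruleset(text):
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def rule_matches(m, pkt):
    """iptables ANDs every match on a rule."""
    in_net = lambda ip, net: ipaddress.ip_address(ip) in ipaddress.ip_network(net)
    return (("-s" not in m or in_net(pkt.src, m["-s"]))
            and ("-d" not in m or in_net(pkt.dst, m["-d"]))
            and ("-i" not in m or m["-i"] == pkt.in_iface)
            and ("-o" not in m or m["-o"] == pkt.out_iface)
            and ("ctstate" not in m or pkt.ctstate in m["ctstate"]))


def evaluate(rules, pkt, chain="FORWARD", policy="ACCEPT"):
    """First matching terminating target wins; a user-chain target recurses and the
    caller continues with its next rule when that chain is exhausted (policy=None)."""
    for rule_chain, matches, target in rules:
        if rule_chain != chain or not rule_matches(matches, pkt):
            continue
        if target in ("ACCEPT", "REJECT", "DROP"):
            return target
        if target == "RETURN":
            return policy
        verdict = evaluate(rules, pkt, chain=target, policy=None)
        if verdict is not None:
            return verdict
    return policy


# The buggy layout quoted in the commit message: everything directly in FORWARD.
INTERLEAVED = """
-A FORWARD -d 192.168.3.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.3.0/24 -i virbr1 -j ACCEPT
-A FORWARD -i virbr1 -o virbr1 -j ACCEPT
-A FORWARD -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.2.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
"""

# The grouped layout: FORWARD links the private chains as cross, incoming,
# outgoing, so every incoming rule is evaluated before any outgoing one.
GROUPED = """
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_FWI -d 192.168.3.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 192.168.2.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.3.0/24 -i virbr1 -j ACCEPT
-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.2.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
"""

# Constructed packets: a virbr1 guest opening a new connection to a virbr0 guest
# (must be rejected), and a reply to a connection that a virbr1 guest opened.
CROSS_NETWORK = Packet("192.168.3.10", "192.168.2.10", "virbr1", "virbr0")
REPLY_TO_GUEST = Packet("203.0.113.5", "192.168.3.10", "eth0", "virbr1", "ESTABLISHED")


def verdicts(ruleset_text):
    rules = parse_ruleset(ruleset_text)
    return {name: evaluate(rules, pkt)
            for name, pkt in (("cross", CROSS_NETWORK), ("reply", REPLY_TO_GUEST))}
```

verdicts(INTERLEAVED) reports the cross-network packet as ACCEPT (the leak), while verdicts(GROUPED) rejects it and still accepts the established reply.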
From: Daniel P. Berrangé
To: libvir-list@redhat.com
Date: Thu, 24 Jan 2019 14:05:59 +0000
Message-Id: <20190124140559.21088-5-berrange@redhat.com>
In-Reply-To: <20190124140559.21088-1-berrange@redhat.com>
References: <20190124140559.21088-1-berrange@redhat.com>
Cc: Laine Stump
Subject: [libvirt] [PATCH v3 4/4] util: move virtual network firewall rules into private chains

The previous commit created new chains to hold the firewall rules. This commit changes the code that creates rules to place them in the new private chains instead of the builtin top level chains.
With two networks running, the rules in the filter table now look like

  -N LIBVIRT_FWI
  -N LIBVIRT_FWO
  -N LIBVIRT_FWX
  -N LIBVIRT_INP
  -N LIBVIRT_OUT
  -A INPUT -j LIBVIRT_INP
  -A FORWARD -j LIBVIRT_FWX
  -A FORWARD -j LIBVIRT_FWI
  -A FORWARD -j LIBVIRT_FWO
  -A OUTPUT -j LIBVIRT_OUT
  -A LIBVIRT_FWI -d 192.168.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
  -A LIBVIRT_FWI -d 192.168.1.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
  -A LIBVIRT_FWO -s 192.168.0.0/24 -i virbr0 -j ACCEPT
  -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
  -A LIBVIRT_FWO -s 192.168.1.0/24 -i virbr1 -j ACCEPT
  -A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
  -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
  -A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
  -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
  -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
  -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
  -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
  -A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
  -A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
  -A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
  -A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
  -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
  -A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT

While in the nat table:

  -N LIBVIRT_PRT
  -A POSTROUTING -j LIBVIRT_PRT
  -A LIBVIRT_PRT -s 192.168.0.0/24 -d 224.0.0.0/24 -j RETURN
  -A LIBVIRT_PRT -s 192.168.0.0/24 -d 255.255.255.255/32 -j RETURN
  -A LIBVIRT_PRT -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
  -A LIBVIRT_PRT -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
  -A LIBVIRT_PRT -s 192.168.0.0/24 !
-d 192.168.0.0/24 -j MASQUERADE -A LIBVIRT_PRT -s 192.168.1.0/24 -d 224.0.0.0/24 -j RETURN -A LIBVIRT_PRT -s 192.168.1.0/24 -d 255.255.255.255/32 -j RETURN -A LIBVIRT_PRT -s 192.168.1.0/24 ! -d 192.168.1.0/24 -p tcp -j MASQUERADE= --to-ports 1024-65535 -A LIBVIRT_PRT -s 192.168.1.0/24 ! -d 192.168.1.0/24 -p udp -j MASQUERADE= --to-ports 1024-65535 -A LIBVIRT_PRT -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE And finally the mangle table: -N LIBVIRT_PRT -A POSTROUTING -j LIBVIRT_PRT -A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-= fill -A LIBVIRT_PRT -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-= fill Signed-off-by: Daniel P. Berrang=C3=A9 --- src/libvirt_private.syms | 1 + src/network/bridge_driver_linux.c | 20 ++- src/util/viriptables.c | 123 +++++++++++------- src/util/viriptables.h | 2 + .../nat-default-linux.args | 32 ++--- .../nat-ipv6-linux.args | 48 +++---- .../nat-many-ips-linux.args | 60 ++++----- .../nat-no-dhcp-linux.args | 46 +++---- .../nat-tftp-linux.args | 34 ++--- .../route-default-linux.args | 22 ++-- 10 files changed, 222 insertions(+), 166 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index a88856557d..77fc26376d 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2075,6 +2075,7 @@ iptablesRemoveOutputFixUdpChecksum; iptablesRemoveTcpInput; iptablesRemoveUdpInput; iptablesRemoveUdpOutput; +iptablesSetDeletePrivate; iptablesSetupPrivateChains; =20 =20 diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 61f77f2735..1e033fa21b 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c 
@@ -34,17 +34,35 @@ VIR_LOG_INIT("network.bridge_driver_linux"); =20 #define PROC_NET_ROUTE "/proc/net/route" =20 -int networkPreReloadFirewallRules(bool startup ATTRIBUTE_UNUSED) +int networkPreReloadFirewallRules(bool startup) { int ret =3D iptablesSetupPrivateChains(); if (ret < 0) return -1; + + /* + * If this is initial startup, and we just created the + * top level private chains we either + * + * - upgraded from old libvirt + * - freshly booted from clean state + * + * In the first case we must delete the old rules from + * the built-in chains, instead of our new private chains. + * In the second case it doesn't matter, since no existing + * rules will be present. Thus we can safely just tell it + * to always delete from the builin chain + */ + if (startup && ret =3D=3D 1) { + iptablesSetDeletePrivate(false); + } return 0; } =20 =20 void networkPostReloadFirewallRules(bool startup ATTRIBUTE_UNUSED) { + iptablesSetDeletePrivate(true); } =20 =20 diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 770dcf04a6..04fcc84705 100644 --- a/src/util/viriptables.c +++ b/src/util/viriptables.c @@ -48,6 +48,7 @@ enum { REMOVE }; =20 +static int deletePrivate =3D true; =20 typedef struct { const char *parent; @@ -179,9 +180,17 @@ iptablesSetupPrivateChains(void) } =20 =20 +void +iptablesSetDeletePrivate(bool pvt) +{ + deletePrivate =3D pvt; +} + + static void iptablesInput(virFirewallPtr fw, virFirewallLayer layer, + bool pvt, const char *iface, int port, int action, @@ -194,7 +203,8 @@ iptablesInput(virFirewallPtr fw, =20 virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "INPUT= ", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_INP" : "INPUT", "--in-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, 
@@ -205,6 +215,7 @@ iptablesInput(virFirewallPtr fw, static void iptablesOutput(virFirewallPtr fw, virFirewallLayer layer, + bool pvt, const char *iface, int port, int action, @@ -217,7 +228,8 @@ iptablesOutput(virFirewallPtr fw, =20 virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "OUTPU= T", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_OUT" : "OUTPUT", "--out-interface", iface, "--protocol", tcp ? "tcp" : "udp", "--destination-port", portstr, @@ -240,7 +252,7 @@ iptablesAddTcpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, ADD, 1); + iptablesInput(fw, layer, true, iface, port, ADD, 1); } =20 /** @@ -258,7 +270,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, REMOVE, 1); + iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 1); } =20 /** @@ -276,7 +288,7 @@ iptablesAddUdpInput(virFirewallPtr fw, const char *iface, int port) { - iptablesInput(fw, layer, iface, port, ADD, 0); + iptablesInput(fw, layer, true, iface, port, ADD, 0); } =20 /** @@ -294,7 +306,7 @@ iptablesRemoveUdpInput(virFirewallPtr fw, const char *iface, int port) { - return iptablesInput(fw, layer, iface, port, REMOVE, 0); + iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 0); } =20 /** @@ -312,7 +324,7 @@ iptablesAddUdpOutput(virFirewallPtr fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, ADD, 0); + iptablesOutput(fw, layer, true, iface, port, ADD, 0); } =20 /** @@ -330,7 +342,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw, const char *iface, int port) { - iptablesOutput(fw, layer, iface, port, REMOVE, 0); + iptablesOutput(fw, layer, deletePrivate, iface, port, REMOVE, 0); } =20 =20 
@@ -370,6 +382,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netad= dr, */ static int iptablesForwardAllowOut(virFirewallPtr fw, + bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -386,7 +399,8 @@ iptablesForwardAllowOut(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_FWO" : "FORWARD", "--source", networkstr, "--in-interface", iface, "--out-interface", physdev, @@ -395,7 +409,8 @@ iptablesForwardAllowOut(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_FWO" : "FORWARD", "--source", networkstr, "--in-interface", iface, "--jump", "ACCEPT", @@ -424,7 +439,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, AD= D); + return iptablesForwardAllowOut(fw, true, netaddr, prefix, iface, physd= ev, ADD); } =20 /** @@ -447,7 +462,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, RE= MOVE); + return iptablesForwardAllowOut(fw, deletePrivate, netaddr, prefix, ifa= ce, physdev, REMOVE); } =20 =20 @@ -456,6 +471,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw, */ static int iptablesForwardAllowRelatedIn(virFirewallPtr fw, + bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *iface, 
@@ -472,7 +488,8 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_FWI" : "FORWARD", "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, @@ -483,7 +500,8 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_FWI" : "FORWARD", "--destination", networkstr, "--out-interface", iface, "--match", "conntrack", @@ -514,7 +532,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, ADD); + return iptablesForwardAllowRelatedIn(fw, true, netaddr, prefix, iface,= physdev, ADD); } =20 /** @@ -537,13 +555,14 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physd= ev, REMOVE); + return iptablesForwardAllowRelatedIn(fw, deletePrivate, netaddr, prefi= x, iface, physdev, REMOVE); } =20 /* Allow all traffic destined to the bridge, with a valid network address */ static int iptablesForwardAllowIn(virFirewallPtr fw, + bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *iface, @@ -560,7 +579,8 @@ iptablesForwardAllowIn(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_FWI" : "FORWARD", "--destination", networkstr, "--in-interface", physdev, "--out-interface", iface, 
@@ -569,7 +589,8 @@ iptablesForwardAllowIn(virFirewallPtr fw, else virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "F= ORWARD", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_FWI" : "FORWARD", "--destination", networkstr, "--out-interface", iface, "--jump", "ACCEPT", @@ -597,7 +618,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD= ); + return iptablesForwardAllowIn(fw, true, netaddr, prefix, iface, physde= v, ADD); } =20 /** @@ -620,18 +641,20 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw, const char *iface, const char *physdev) { - return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REM= OVE); + return iptablesForwardAllowIn(fw, deletePrivate, netaddr, prefix, ifac= e, physdev, REMOVE); } =20 static void iptablesForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, + bool pvt, const char *iface, int action) { virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "FORWA= RD", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_FWX" : "FORWARD", "--in-interface", iface, "--out-interface", iface, "--jump", "ACCEPT", @@ -654,7 +677,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, ADD); + iptablesForwardAllowCross(fw, layer, true, iface, ADD); } =20 /** 
@@ -673,18 +696,20 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardAllowCross(fw, layer, iface, REMOVE); + iptablesForwardAllowCross(fw, layer, deletePrivate, iface, REMOVE); } =20 static void iptablesForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, + bool pvt, const char *iface, int action) { virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "delete", "FORWARD= ", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_FWO" : "FORWARD", "--in-interface", iface, "--jump", "REJECT", NULL); @@ -705,7 +730,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, ADD); + iptablesForwardRejectOut(fw, layer, true, iface, ADD); } =20 /** @@ -723,19 +748,21 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectOut(fw, layer, iface, REMOVE); + iptablesForwardRejectOut(fw, layer, deletePrivate, iface, REMOVE); } =20 =20 static void iptablesForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, + bool pvt, const char *iface, int action) { virFirewallAddRule(fw, layer, "--table", "filter", - action =3D=3D ADD ? "--insert" : "--delete", "FORWA= RD", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_FWI" : "FORWARD", "--out-interface", iface, "--jump", "REJECT", NULL); @@ -756,7 +783,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, ADD); + iptablesForwardRejectIn(fw, layer, true, iface, ADD); } =20 /** @@ -774,7 +801,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw, virFirewallLayer layer, const char *iface) { - iptablesForwardRejectIn(fw, layer, iface, REMOVE); + iptablesForwardRejectIn(fw, layer, deletePrivate, iface, REMOVE); } =20 =20 
@@ -783,6 +810,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw, */ static int iptablesForwardMasquerade(virFirewallPtr fw, + bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, @@ -821,7 +849,8 @@ iptablesForwardMasquerade(virFirewallPtr fw, if (protocol && protocol[0]) { rule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--dele= te", "POSTROUTING", + action =3D=3D ADD ? "--insert" : "--dele= te", + pvt ? "LIBVIRT_PRT" : "POSTROUTING", "--source", networkstr, "-p", protocol, "!", "--destination", networkstr, @@ -829,7 +858,8 @@ iptablesForwardMasquerade(virFirewallPtr fw, } else { rule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--dele= te", "POSTROUTING", + action =3D=3D ADD ? "--insert" : "--dele= te", + pvt ? "LIBVIRT_PRT" : "POSTROUTING", "--source", networkstr, "!", "--destination", networkstr, NULL); @@ -907,8 +937,8 @@ iptablesAddForwardMasquerade(virFirewallPtr fw, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, p= ort, - protocol, ADD); + return iptablesForwardMasquerade(fw, true, netaddr, prefix, + physdev, addr, port, protocol, ADD); } =20 /** @@ -933,8 +963,8 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw, virPortRangePtr port, const char *protocol) { - return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, p= ort, - protocol, REMOVE); + return iptablesForwardMasquerade(fw, deletePrivate, netaddr, prefix, + physdev, addr, port, protocol, REMOVE= ); } =20 =20 @@ -943,6 +973,7 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw, */ static int iptablesForwardDontMasquerade(virFirewallPtr fw, + bool pvt, virSocketAddr *netaddr, unsigned int prefix, const char *physdev, 
@@ -965,7 +996,8 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, if (physdev && physdev[0]) virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--delete", "P= OSTROUTING", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_PRT" : "POSTROUTING", "--out-interface", physdev, "--source", networkstr, "--destination", destaddr, @@ -974,7 +1006,8 @@ iptablesForwardDontMasquerade(virFirewallPtr fw, else virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "nat", - action =3D=3D ADD ? "--insert" : "--delete", "P= OSTROUTING", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_PRT" : "POSTROUTING", "--source", networkstr, "--destination", destaddr, "--jump", "RETURN", @@ -1004,8 +1037,8 @@ iptablesAddDontMasquerade(virFirewallPtr fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, des= taddr, - ADD); + return iptablesForwardDontMasquerade(fw, true, netaddr, prefix, + physdev, destaddr, ADD); } =20 /** @@ -1029,13 +1062,14 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw, const char *physdev, const char *destaddr) { - return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, des= taddr, - REMOVE); + return iptablesForwardDontMasquerade(fw, deletePrivate, netaddr, prefi= x, + physdev, destaddr, REMOVE); } =20 =20 static void iptablesOutputFixUdpChecksum(virFirewallPtr fw, + bool pvt, const char *iface, int port, int action) @@ -1047,7 +1081,8 @@ iptablesOutputFixUdpChecksum(virFirewallPtr fw, =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "--table", "mangle", - action =3D=3D ADD ? "--insert" : "--delete", "POSTR= OUTING", + action =3D=3D ADD ? "--insert" : "--delete", + pvt ? "LIBVIRT_PRT" : "POSTROUTING", "--out-interface", iface, "--protocol", "udp", "--destination-port", portstr, 
@@ -1071,7 +1106,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, ADD); + iptablesOutputFixUdpChecksum(fw, true, iface, port, ADD); } =20 /** @@ -1088,5 +1123,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw, const char *iface, int port) { - iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE); + iptablesOutputFixUdpChecksum(fw, deletePrivate, iface, port, REMOVE); } diff --git a/src/util/viriptables.h b/src/util/viriptables.h index 94304401c5..903f390f89 100644 --- a/src/util/viriptables.h +++ b/src/util/viriptables.h @@ -26,6 +26,8 @@ =20 int iptablesSetupPrivateChains (void); =20 +void iptablesSetDeletePrivate (bool pvt); + void iptablesAddTcpInput (virFirewallPtr fw, virFirewallLayer layer, const char *iface, diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/n= etworkxml2firewalldata/nat-default-linux.args index ffdafdff0e..c9d523d043 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.args +++ b/tests/networkxml2firewalldata/nat-default-linux.args 
@@ -1,63 +1,63 @@ iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert LIBVIRT_OUT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -65,13 +65,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ @@ -79,7 +79,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ 
@@ -87,19 +87,19 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table mangle \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/netw= orkxml2firewalldata/nat-ipv6-linux.args index 22285afa10..a57b9266af 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.args +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args 
@@ -1,100 +1,100 @@ iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert LIBVIRT_OUT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 547 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert 
LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -102,13 +102,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ @@ -116,7 +116,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -124,31 +124,31 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --source 2001:db8:ca2:2::/64 \ --in-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 2001:db8:ca2:2::/64 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table mangle \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/= networkxml2firewalldata/nat-many-ips-linux.args index aff9f69664..1bdc43fd6a 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.args +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args 
@@ -1,63 +1,63 @@ iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert LIBVIRT_OUT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -65,13 +65,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ @@ -79,7 +79,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ 
@@ -87,25 +87,25 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --source 192.168.128.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 192.168.128.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -113,13 +113,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.128.0/24 '!' \ --destination 192.168.128.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.128.0/24 \ -p udp '!' \ --destination 192.168.128.0/24 \ @@ -127,7 +127,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.128.0/24 \ -p tcp '!' \ --destination 192.168.128.0/24 \ @@ -135,25 +135,25 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.128.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.128.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --source 192.168.150.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 192.168.150.0/24 \ --out-interface virbr0 \ --match conntrack \ 
@@ -161,13 +161,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.150.0/24 '!' \ --destination 192.168.150.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.150.0/24 \ -p udp '!' \ --destination 192.168.150.0/24 \ @@ -175,7 +175,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.150.0/24 \ -p tcp '!' \ --destination 192.168.150.0/24 \ @@ -183,19 +183,19 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.150.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.150.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table mangle \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/n= etworkxml2firewalldata/nat-no-dhcp-linux.args index 2a9d79054e..7d359f3824 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args 
@@ -1,100 +1,100 @@ iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert LIBVIRT_OUT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT ip6tables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 547 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert 
LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -102,13 +102,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ @@ -116,7 +116,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -124,25 +124,25 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --source 2001:db8:ca2:2::/64 \ --in-interface virbr0 \ --jump ACCEPT ip6tables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 2001:db8:ca2:2::/64 \ --out-interface virbr0 \ --jump ACCEPT diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/netw= orkxml2firewalldata/nat-tftp-linux.args index 1a06f0d0a5..b721801b70 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.args +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args 
@@ -1,70 +1,70 @@ iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert LIBVIRT_OUT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 69 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --match conntrack \ @@ -72,13 +72,13 @@ iptables \ --jump ACCEPT iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p udp '!' \ --destination 192.168.122.0/24 \ 
@@ -86,7 +86,7 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ -p tcp '!' \ --destination 192.168.122.0/24 \ @@ -94,19 +94,19 @@ iptables \ --to-ports 1024-65535 iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ --table nat \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ --table mangle \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests= /networkxml2firewalldata/route-default-linux.args index 65563ff8b4..ed3c560f74 100644 --- a/tests/networkxml2firewalldata/route-default-linux.args +++ b/tests/networkxml2firewalldata/route-default-linux.args 
@@ -1,69 +1,69 @@ iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 67 \ --jump ACCEPT iptables \ --table filter \ ---insert OUTPUT \ +--insert LIBVIRT_OUT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol tcp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert INPUT \ +--insert LIBVIRT_INP \ --in-interface virbr0 \ --protocol udp \ --destination-port 53 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ --table filter \ ---insert FORWARD \ +--insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --jump ACCEPT iptables \ --table mangle \ ---insert POSTROUTING \ +--insert LIBVIRT_PRT \ --out-interface virbr0 \ --protocol udp \ --destination-port 68 \ --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
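Review bot: In the nat-tftp-linux.args and route-default-linux.args hunks every rule is now inserted into a LIBVIRT_INP, LIBVIRT_OUT, LIBVIRT_FWO, LIBVIRT_FWI, LIBVIRT_FWX or LIBVIRT_PRT chain, but nothing in these expected-output files creates those chains or hooks them from the builtin INPUT, OUTPUT, FORWARD and POSTROUTING chains, and the same applies to the ip6tables rules that move to LIBVIRT_FWO and LIBVIRT_FWI. If that setup happens once at daemon start outside the per-network code path, it would be worth a separate networkxml2firewall expectation (or a comment in the commit message pointing at where it is tested), because the per-network rules shown here are inert unless the jump rules exist and the ordering relative to other FORWARD rules is preserved. Within the new chains the ordering is unchanged: `--insert` still places the later per-network ACCEPT rules above the earlier `--jump REJECT` rules in LIBVIRT_FWO and LIBVIRT_FWI, so behavioural parity with the old FORWARD placement holds as long as the jump from FORWARD lands where the old rules used to sit.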
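Review bot: In the POSTROUTING hunks the name LIBVIRT_PRT is used for both `--table nat` and `--table mangle`; chain names are scoped per table so this is valid, but a reader of the expected output can easily take the two to be one chain, and the mangle rule (`--destination-port 68` checksum fill) has nothing to do with NAT. Consider either a table-specific name for the mangle chain or a sentence in the commit message stating that LIBVIRT_PRT denotes two distinct chains, one per table.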
