[libvirt] [PATCH] nwfilter: allow for different format of IPv6 netmask/prefix in ebtables output

Laine Stump posted 1 patch 5 years, 2 months ago
Posted by Laine Stump 5 years, 2 months ago
The iptables-ebtables package is meant as a drop-in replacement for
the native ebtables package, but it formats some items in the -L
output differently, leading to failure of scripts that depend on the
output of ebtables -L. In particular:

with old ebtables IPv6 prefixes are output as a netmask (e.g.: "/ffff:fc00")

with iptables-ebtables IPv6 prefixes are always output as a numeric
   prefix (e.g. "/22"), and suppressed completely if the prefix is
   /128.

This difference is also described in
https://bugzilla.redhat.com/show_bug.cgi?id=1674536

"old" ebtables upstream has just accepted a patch to change its output
to match that of iptables-ebtables:

https://marc.info/?l=netfilter-devel&m=155000828923204&w=2

so it makes sense for libvirt-tck to accept the new format (as well as
the old). As with the patch for fixing up MAC addresses with leading
0s, this patch also uses sed to apply a substitution to the scraped
output of ebtables -L. However, rather than keeping the comparison
(expected) output in the old (netmask) form, it is changed to the new
(prefix) form, and the sed commands change netmasks to prefixes. (This
works out better because in some cases we need to replace [all ff's]
with "", and it's not possible to do that in the opposite direction
:-)

Signed-off-by: Laine Stump <laine@laine.org>
---

NB: ebtables upstream hasn't changed the format of MAC addresses (yet).

Also, some new errors have cropped up when running these same tests on
RHEL8, but I think they are due to some new "real" bug in
iptables-ebtables, since the xml2fwallout tests all succeed when run
individually.


 .../nwfilterxml2fwallout/comment-test.fwall | 4 ++--
 .../nwfilterxml2fwallout/hex-data-test.fwall | 4 ++--
 .../nwfilterxml2fwallout/ipv6-test.fwall    | 18 +++++++++---------
 3 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall b/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
index d87843b..4f467bf 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
@@ -2,9 +2,9 @@
 -i vnet0 -j libvirt-I-vnet0
 #ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
 -o vnet0 -j libvirt-O-vnet0
-#ebtables -t nat -L libvirt-I-vnet0 | sed s/01:02:03:04:05:06/1:2:3:4:5:6/g | sed s/0a:0b:0c:0d:0e:0f/a:b:c:d:e:f/g | grep -v "^Bridge" | grep -v "^$"
+#ebtables -t nat -L libvirt-I-vnet0 | sed 's#/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000#/113#g' | sed 's#/ffff:fc00::#/22#g' | sed s/01:02:03:04:05:06/1:2:3:4:5:6/g | sed s/0a:0b:0c:0d:0e:0f/a:b:c:d:e:f/g | grep -v "^Bridge" | grep -v "^$"
 -p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 10.1.2.3 --ip-tos 0x32 --ip-proto udp --ip-sport 291:564 --ip-dport 13398:17767 -j ACCEPT 
--p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto tcp --ip6-sport 273:400 --ip6-dport 13107:65535 -j ACCEPT 
+-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/22 --ip6-dst ::10.1.0.0/113 --ip6-proto tcp --ip6-sport 273:400 --ip6-dport 13107:65535 -j ACCEPT 
 -p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 18 --arp-ptype 0x56 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j ACCEPT 
 #ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
 -p 0x1234 -j ACCEPT 
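Review bot: the old-format example in the commit message ("/ffff:fc00") does not match the text the new `sed 's#/ffff:fc00::#/22#g'` actually requires, which includes the trailing `::`; aligning the message with the pattern would help anyone who later copies it to add another mask. The two conversions themselves check out (ffff plus fc00 is 22 set bits; seven ffff groups plus 8000 is 113), and neither pattern is a textual prefix of the other, so the order of the two sed calls does not matter. One style point: the pipeline now mixes single-quoted `#`-delimited expressions with the pre-existing unquoted `sed s/01:02:03:04:05:06/1:2:3:4:5:6/g`; quoting all of them the same way would make the line easier to read.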
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall b/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
index 56d3956..0cd9a8d 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
@@ -2,9 +2,9 @@
 -i vnet0 -j libvirt-I-vnet0
 #ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
 -o vnet0 -j libvirt-O-vnet0
-#ebtables -t nat -L libvirt-I-vnet0 | sed s/01:02:03:04:05:06/1:2:3:4:5:6/g | sed s/0a:0b:0c:0d:0e:0f/a:b:c:d:e:f/g | grep -v "^Bridge" | grep -v "^$"
+#ebtables -t nat -L libvirt-I-vnet0 | sed 's#/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000#/113#g' | sed 's#/ffff:fc00::#/22#g' | sed s/01:02:03:04:05:06/1:2:3:4:5:6/g | sed s/0a:0b:0c:0d:0e:0f/a:b:c:d:e:f/g | grep -v "^Bridge" | grep -v "^$"
 -p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 10.1.2.3 --ip-tos 0x32 --ip-proto udp --ip-sport 291:564 --ip-dport 13398:17767 -j ACCEPT 
--p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto tcp --ip6-sport 273:400 --ip6-dport 13107:65535 -j ACCEPT 
+-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/22 --ip6-dst ::10.1.0.0/113 --ip6-proto tcp --ip6-sport 273:400 --ip6-dport 13107:65535 -j ACCEPT 
 -p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 18 --arp-ptype 0x56 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j ACCEPT 
 #ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
 -p 0x1234 -j ACCEPT 
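Review bot: this sed chain is identical, character for character, to the one just added to comment-test.fwall, and ipv6-test.fwall carries a superset of it, so the hardcoded mask table now lives in three places and any future netmask has to be added to each. If the test driver is off limits for this change, it would still be worth stating in the commit message that the substitutions are deliberately limited to the masks that occur in the expected data (as the review below observes) rather than a general netmask-to-prefix converter, so nobody later treats them as one.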
diff --git a/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall b/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall
index 7d42f9a..d4dc627 100644
--- a/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall
+++ b/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall
@@ -2,12 +2,12 @@
 -i vnet0 -j libvirt-I-vnet0
 #ebtables -t nat -L POSTROUTING | grep vnet0
 -o vnet0 -j libvirt-O-vnet0
-#ebtables -t nat -L libvirt-I-vnet0 | sed s/01:02:03:04:05:06/1:2:3:4:5:6/g | grep -v "^Bridge" | grep -v "^$"
--p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto udp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT 
--p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport 100:101 --ip6-dport 20:22 -j ACCEPT 
--p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport 65535 --ip6-dport 255:256 -j ACCEPT 
--p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto mux -j ACCEPT 
-#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
--p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT 
--p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport 255:256 --ip6-dport 65535 -j ACCEPT 
--p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto mux -j ACCEPT 
+#ebtables -t nat -L libvirt-I-vnet0 | sed 's#/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff##g' | sed 's#/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000#/113#g' | sed 's#/ffff:ffff:ffff:ffff:8000::#/65#g' | sed 's#/ffff:fc00::#/22#g' | sed s/01:02:03:04:05:06/1:2:3:4:5:6/g | grep -v "^Bridge" | grep -v "^$"
+-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/22 --ip6-dst ::10.1.0.0/113 --ip6-proto udp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT 
+-p IPv6 --ip6-src a:b:c::/65 --ip6-dst 1::2 --ip6-proto tcp --ip6-sport 100:101 --ip6-dport 20:22 -j ACCEPT 
+-p IPv6 --ip6-src a:b:c::/65 --ip6-dst 1::2 --ip6-proto tcp --ip6-sport 65535 --ip6-dport 255:256 -j ACCEPT 
+-p IPv6 --ip6-src a:b:c::/65 --ip6-dst 1::2 --ip6-proto mux -j ACCEPT 
+#ebtables -t nat -L libvirt-O-vnet0 | sed 's#/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff##g' | sed 's#/ffff:ffff:ffff:ffff:8000::#/65#g' | grep -v "^Bridge" | grep -v "^$"
+-p IPv6 --ip6-src 1::2 --ip6-dst a:b:c::/65 --ip6-proto tcp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT 
+-p IPv6 --ip6-src 1::2 --ip6-dst a:b:c::/65 --ip6-proto tcp --ip6-sport 255:256 --ip6-dport 65535 -j ACCEPT 
+-p IPv6 --ip6-src 1::2 --ip6-dst a:b:c::/65 --ip6-proto mux -j ACCEPT 
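Review bot: the `sed 's#/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff##g'` on both chain listings only normalises the old netmask form; an ebtables that prints numeric prefixes but does not drop a host match would emit `1::2/128`, which nothing in the pipeline rewrites, so the expected `--ip6-dst 1::2` would fail to match. Since the commit message says the goal is to accept both formats, adding `sed 's#/128##g'` beside the all-ones substitution would make the expectation hold either way (no other token in these listings contains `/128`, so an unanchored pattern is safe here). Unrelated to this change but visible in the context: the `#ebtables -t nat -L POSTROUTING | grep vnet0` line in this file lacks the `grep -v "^Bridge" | grep -v "^$"` filters the other two files use.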
-- 
2.20.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
[libvirt] NB this is a libvirt-tck patch Re: [PATCH] nwfilter: allow for different format of IPv6 netmask/prefix in ebtables output
Posted by Laine Stump 5 years, 1 month ago
Sorry, I forgot to add "tck" to the subject line when I posted this patch.

On 2/15/19 1:21 PM, Laine Stump wrote:
> The iptables-ebtables package is meant as a drop-in replacement for
> the native ebtables package, but it formats some items in the -L
> output differently, leading to failure of scripts that depend on the
> output of ebtables -L. In particular:
>
> with old ebtables IPv6 prefixes are output as a netmask (e.g.: "/ffff:fc00")
>
> with iptables-ebtables IPv6 prefixes are always output as a numeric
>     prefix (e.g. "/22"), and suppressed completely if the prefix is
>     /128.
>
> This difference is also described in
> https://bugzilla.redhat.com/show_bug.cgi?id=1674536
>
> "old" ebtables upstream has just accepted a patch to change its output
> to match that of iptables-ebtables:
>
> https://marc.info/?l=netfilter-devel&m=155000828923204&w=2
>
> so it makes sense for libvirt-tck to accept the new format (as well as
> the old). As with the patch for fixing up MAC addresses with leading
> 0s, this patch also uses sed to apply a substitution to the scraped
> output of ebtables -L. However, rather than keeping the comparison
> (expected) output in the old (netmask) form, it is changed to the new
> (prefix) form, and the sed commands change netmasks to prefixes. (This
> works out better because in some cases we need to replace [all ff's]
> with "", and it's not possible to do that in the opposite direction
> :-)
>
> Signed-off-by: Laine Stump <laine@laine.org>
> ---
>
> NB: ebtables upstream hasn't changed the format of MAC addresses (yet).
>
> Also, some new errors have cropped up when running these same tests on
> RHEL8, but I think they are due to some new "real" bug in
> iptables-ebtables, since the xml2fwallout tests all succeed when run
> individually.
>
>
>   .../nwfilterxml2fwallout/comment-test.fwall | 4 ++--
>   .../nwfilterxml2fwallout/hex-data-test.fwall | 4 ++--
>   .../nwfilterxml2fwallout/ipv6-test.fwall    | 18 +++++++++---------
>   3 files changed, 13 insertions(+), 13 deletions(-)
>
> diff --git a/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall b/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
> index d87843b..4f467bf 100644
> --- a/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
> +++ b/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
> @@ -2,9 +2,9 @@
>   -i vnet0 -j libvirt-I-vnet0
>   #ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
>   -o vnet0 -j libvirt-O-vnet0
> -#ebtables -t nat -L libvirt-I-vnet0 | sed s/01:02:03:04:05:06/1:2:3:4:5:6/g | sed s/0a:0b:0c:0d:0e:0f/a:b:c:d:e:f/g | grep -v "^Bridge" | grep -v "^$"
> +#ebtables -t nat -L libvirt-I-vnet0 | sed 's#/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000#/113#g' | sed 's#/ffff:fc00::#/22#g' | sed s/01:02:03:04:05:06/1:2:3:4:5:6/g | sed s/0a:0b:0c:0d:0e:0f/a:b:c:d:e:f/g | grep -v "^Bridge" | grep -v "^$"
>   -p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 10.1.2.3 --ip-tos 0x32 --ip-proto udp --ip-sport 291:564 --ip-dport 13398:17767 -j ACCEPT
> --p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto tcp --ip6-sport 273:400 --ip6-dport 13107:65535 -j ACCEPT
> +-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/22 --ip6-dst ::10.1.0.0/113 --ip6-proto tcp --ip6-sport 273:400 --ip6-dport 13107:65535 -j ACCEPT
>   -p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 18 --arp-ptype 0x56 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j ACCEPT
>   #ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
>   -p 0x1234 -j ACCEPT
> diff --git a/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall b/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
> index 56d3956..0cd9a8d 100644
> --- a/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
> +++ b/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall
> @@ -2,9 +2,9 @@
>   -i vnet0 -j libvirt-I-vnet0
>   #ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
>   -o vnet0 -j libvirt-O-vnet0
> -#ebtables -t nat -L libvirt-I-vnet0 | sed s/01:02:03:04:05:06/1:2:3:4:5:6/g | sed s/0a:0b:0c:0d:0e:0f/a:b:c:d:e:f/g | grep -v "^Bridge" | grep -v "^$"
> +#ebtables -t nat -L libvirt-I-vnet0 | sed 's#/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000#/113#g' | sed 's#/ffff:fc00::#/22#g' | sed s/01:02:03:04:05:06/1:2:3:4:5:6/g | sed s/0a:0b:0c:0d:0e:0f/a:b:c:d:e:f/g | grep -v "^Bridge" | grep -v "^$"
>   -p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 10.1.2.3 --ip-tos 0x32 --ip-proto udp --ip-sport 291:564 --ip-dport 13398:17767 -j ACCEPT
> --p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto tcp --ip6-sport 273:400 --ip6-dport 13107:65535 -j ACCEPT
> +-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/22 --ip6-dst ::10.1.0.0/113 --ip6-proto tcp --ip6-sport 273:400 --ip6-dport 13107:65535 -j ACCEPT
>   -p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 18 --arp-ptype 0x56 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j ACCEPT
>   #ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
>   -p 0x1234 -j ACCEPT
> diff --git a/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall b/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall
> index 7d42f9a..d4dc627 100644
> --- a/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall
> +++ b/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall
> @@ -2,12 +2,12 @@
>   -i vnet0 -j libvirt-I-vnet0
>   #ebtables -t nat -L POSTROUTING | grep vnet0
>   -o vnet0 -j libvirt-O-vnet0
> -#ebtables -t nat -L libvirt-I-vnet0 | sed s/01:02:03:04:05:06/1:2:3:4:5:6/g | grep -v "^Bridge" | grep -v "^$"
> --p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto udp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT
> --p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport 100:101 --ip6-dport 20:22 -j ACCEPT
> --p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport 65535 --ip6-dport 255:256 -j ACCEPT
> --p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto mux -j ACCEPT
> -#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
> --p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT
> --p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport 255:256 --ip6-dport 65535 -j ACCEPT
> --p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto mux -j ACCEPT
> +#ebtables -t nat -L libvirt-I-vnet0 | sed 's#/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff##g' | sed 's#/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000#/113#g' | sed 's#/ffff:ffff:ffff:ffff:8000::#/65#g' | sed 's#/ffff:fc00::#/22#g' | sed s/01:02:03:04:05:06/1:2:3:4:5:6/g | grep -v "^Bridge" | grep -v "^$"
> +-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/22 --ip6-dst ::10.1.0.0/113 --ip6-proto udp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT
> +-p IPv6 --ip6-src a:b:c::/65 --ip6-dst 1::2 --ip6-proto tcp --ip6-sport 100:101 --ip6-dport 20:22 -j ACCEPT
> +-p IPv6 --ip6-src a:b:c::/65 --ip6-dst 1::2 --ip6-proto tcp --ip6-sport 65535 --ip6-dport 255:256 -j ACCEPT
> +-p IPv6 --ip6-src a:b:c::/65 --ip6-dst 1::2 --ip6-proto mux -j ACCEPT
> +#ebtables -t nat -L libvirt-O-vnet0 | sed 's#/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff##g' | sed 's#/ffff:ffff:ffff:ffff:8000::#/65#g' | grep -v "^Bridge" | grep -v "^$"
> +-p IPv6 --ip6-src 1::2 --ip6-dst a:b:c::/65 --ip6-proto tcp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT
> +-p IPv6 --ip6-src 1::2 --ip6-dst a:b:c::/65 --ip6-proto tcp --ip6-sport 255:256 --ip6-dport 65535 -j ACCEPT
> +-p IPv6 --ip6-src 1::2 --ip6-dst a:b:c::/65 --ip6-proto mux -j ACCEPT


Re: [libvirt] [PATCH] nwfilter: allow for different format of IPv6 netmask/prefix in ebtables output
Posted by Daniel P. Berrangé 5 years, 1 month ago
On Fri, Feb 15, 2019 at 01:21:50PM -0500, Laine Stump wrote:
> The iptables-ebtables package is meant as a drop-in replacement for
> the native ebtables package, but it formats some items in the -L
> output differently, leading to failure of scripts that depend on the
> output of ebtables -L. In particular:
> 
> with old ebtables IPv6 prefixes are output as a netmask (e.g.: "/ffff:fc00")
> 
> with iptables-ebtables IPv6 prefixes are always output as a numeric
>    prefix (e.g. "/22"), and suppressed completely if the prefix is
>    /128.
> 
> This difference is also described in
> https://bugzilla.redhat.com/show_bug.cgi?id=1674536
> 
> "old" ebtables upstream has just accepted a patch to change its output
> to match that of iptables-ebtables:
> 
> https://marc.info/?l=netfilter-devel&m=155000828923204&w=2
> 
> so it makes sense for libvirt-tck to accept the new format (as well as
> the old). As with the patch for fixing up MAC addresses with leading
> 0s, this patch also uses sed to apply a substitution to the scraped
> output of ebtables -L. However, rather than keeping the comparison
> (expected) output in the old (netmask) form, it is changed to the new
> (prefix) form, and the sed commands change netmasks to prefixes. (This
> works out better because in some cases we need to replace [all ff's]
> with "", and it's not possible to do that in the opposite direction
> :-)

Ok, so you're not doing a real netmask -> prefix convertor. You've
just hardcoded the conversions we need given our expected data.
This looks fine to me as a prudent approach.


> Signed-off-by: Laine Stump <laine@laine.org>
> ---

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>



Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Re: [libvirt] [PATCH] nwfilter: allow for different format of IPv6 netmask/prefix in ebtables output
Posted by Laine Stump 5 years, 1 month ago
On 2/21/19 1:02 PM, Daniel P. Berrangé wrote:
> On Fri, Feb 15, 2019 at 01:21:50PM -0500, Laine Stump wrote:
>> The iptables-ebtables package is meant as a drop-in replacement for
>> the native ebtables package, but it formats some items in the -L
>> output differently, leading to failure of scripts that depend on the
>> output of ebtables -L. In particular:
>>
>> with old ebtables IPv6 prefixes are output as a netmask (e.g.: "/ffff:fc00")
>>
>> with iptables-ebtables IPv6 prefixes are always output as a numeric
>>     prefix (e.g. "/22"), and suppressed completely if the prefix is
>>     /128.
>>
>> This difference is also described in
>> https://bugzilla.redhat.com/show_bug.cgi?id=1674536
>>
>> "old" ebtables upstream has just accepted a patch to change its output
>> to match that of iptables-ebtables:
>>
>> https://marc.info/?l=netfilter-devel&m=155000828923204&w=2
>>
>> so it makes sense for libvirt-tck to accept the new format (as well as
>> the old). As with the patch for fixing up MAC addresses with leading
>> 0s, this patch also uses sed to apply a substitution to the scraped
>> output of ebtables -L. However, rather than keeping the comparison
>> (expected) output in the old (netmask) form, it is changed to the new
>> (prefix) form, and the sed commands change netmasks to prefixes. (This
>> works out better because in some cases we need to replace [all ff's]
>> with "", and it's not possible to do that in the opposite direction
>> :-)
> Ok, so you're not doing a real netmask -> prefix convertor. You've
> just hardcoded the conversions we need given our expected data.
> This looks fine to me as a prudent approach.


Yeah, I didn't want to touch that shell script any more than absolutely 
necessary :-) (I suppose I could have added a small utility to 
find/replace generic netmasks, and call that as a part of the line of 
commands in the test cases, but I'd be just as likely to introduce a new 
bug)


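The commit message explains that the .fwall pipelines turn old-style netmasks into prefix lengths with a fixed set of sed substitutions, Dan's review notes that this is a hardcoded table rather than a real converter, and Laine's reply mentions the alternative of a small utility that finds and replaces generic netmasks. The following is an added example of what that utility could look like; it is not libvirt-tck code and not part of Laine's patch. It converts any contiguous IPv6 netmask to a prefix length, drops a /128 the way the commit message says iptables-ebtables does, strips leading zeros from MAC octets as the existing sed does, and discards the "Bridge" header and blank lines like the grep -v filters. A non-contiguous mask is rejected rather than silently mapped to a prefix that would match a different address set. The two listings are constructed from the rule lines in the patch; the exact chain header text is an assumption.

```python
"""Normalise scraped `ebtables -t nat -L` output so that old ebtables
(netmask form) and iptables-ebtables (prefix-length form) compare equal.

Added example, not libvirt-tck code.  The regexes assume the rule layout
shown in the .fwall files: an option name, a space, then addr[/mask].
"""
import ipaddress
import re

# "--ip6-src addr/mask": the address is everything up to the first "/".
_IP6_RE = re.compile(r"(--ip6-(?:src|dst) )([^\s/]+)/(\S+)")
# A MAC is six 1-2 digit hex groups delimited by whitespace or "/" (the
# "/" case is the MAC/mask pair printed after -s and -d).
_MAC_RE = re.compile(
    r"(?<![^\s/])([0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})(?![^\s/])")


def netmask_to_prefix(mask):
    """Convert a contiguous IPv6 netmask such as 'ffff:fc00::' to its
    prefix length (22).  Unlike the hardcoded sed substitutions this
    handles any mask, and it refuses a non-contiguous one, which has no
    prefix-length equivalent."""
    bits = int(ipaddress.IPv6Address(mask))
    prefix = bin(bits).count("1")
    contiguous = ((1 << prefix) - 1) << (128 - prefix)
    if bits != contiguous:
        raise ValueError("non-contiguous IPv6 netmask: %s" % mask)
    return prefix


def normalise_ip6(addr, mask):
    """Return 'addr/N' as iptables-ebtables prints it, or bare 'addr' for
    a /128 host match, which iptables-ebtables suppresses entirely."""
    if mask.isdigit():                   # already in prefix-length form
        prefix = int(mask)
        if prefix > 128:
            raise ValueError("bad IPv6 prefix length: %s" % mask)
    else:
        prefix = netmask_to_prefix(mask)
    return addr if prefix == 128 else "%s/%d" % (addr, prefix)


def normalise_mac(mac):
    """Strip leading zeros from each octet ('0a:0b:..' -> 'a:b:..'), the
    form the expected .fwall lines use."""
    return ":".join(octet.lstrip("0") or "0" for octet in mac.split(":"))


def normalise_line(line):
    """Rewrite every --ip6-src/--ip6-dst operand and every MAC on one
    rule line; lines without either are returned unchanged."""
    line = _IP6_RE.sub(
        lambda m: m.group(1) + normalise_ip6(m.group(2), m.group(3)), line)
    return _MAC_RE.sub(lambda m: normalise_mac(m.group(1)), line)


def normalise_listing(text):
    """Normalise every rule in a chain listing, dropping the 'Bridge ...'
    header and blank lines as the grep -v filters in the pipelines do."""
    return [normalise_line(l) for l in text.splitlines()
            if l and not l.startswith("Bridge")]


# Constructed old-ebtables listing built from the rules in the patch; the
# header line format is an assumption.
OLD_LISTING = """Bridge chain: libvirt-I-vnet0, entries: 2, policy: ACCEPT
-p IPv6 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto udp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT
-p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport 100:101 --ip6-dport 20:22 -j ACCEPT
"""

# The same two rules as iptables-ebtables prints them (constructed).
NEW_LISTING = """Bridge chain: libvirt-I-vnet0, entries: 2, policy: ACCEPT
-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:ff:80 --ip6-src ::/22 --ip6-dst ::10.1.0.0/113 --ip6-proto udp --ip6-sport 20:22 --ip6-dport 100:101 -j ACCEPT
-p IPv6 --ip6-src a:b:c::/65 --ip6-dst 1::2 --ip6-proto tcp --ip6-sport 100:101 --ip6-dport 20:22 -j ACCEPT
"""

if __name__ == "__main__":
    # Both formats normalise to the same text, so one expected file serves
    # whichever ebtables produced the listing.
    assert normalise_listing(OLD_LISTING) == normalise_listing(NEW_LISTING)
    for rule in normalise_listing(OLD_LISTING):
        print(rule)
```

Run stand-alone it prints the two rules in the prefix form used by the updated .fwall files. The contiguity check is the part a hardcoded sed table cannot give you: a mask such as ffff:0:ffff:: has 32 set bits but is not a /32, and turning it into one would make the test compare against a rule that matches different traffic.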