From: Laine Stump
To: libvir-list@redhat.com
Date: Fri, 15 Feb 2019 13:21:50 -0500
Message-Id: <20190215182150.32552-1-laine@laine.org>
Subject: [libvirt] [PATCH] nwfilter: allow for different format of IPv6 netmask/prefix in ebtables output

The iptables-ebtables package is meant as a drop-in replacement for the
native ebtables package, but it formats some items in the -L output
differently, leading to failure of scripts that depend on the output of
ebtables -L. In particular:

  with old ebtables IPv6 prefixes are output as a netmask
  (e.g.: "/ffff:fc00")

  with iptables-ebtables IPv6 prefixes are always output as a numeric
  prefix (e.g. "/22"), and suppressed completely if the prefix is /128.

This difference is also described in

  https://bugzilla.redhat.com/show_bug.cgi?id=1674536

"old" ebtables upstream has just accepted a patch to change its output
to match that of iptables-ebtables:

  https://marc.info/?l=netfilter-devel&m=155000828923204&w=2

so it makes sense for libvirt-tck to accept the new format (as well as
the old).

As with the patch for fixing up MAC addresses with leading 0s, this
patch also uses sed to apply a substitution to the scraped output of
ebtables -L.
However, rather than keeping the comparison (expected) output in the old
(netmask) form, it is changed to the new (prefix) form, and the sed
commands change netmasks to prefixes. (This works out better because in
some cases we need to replace [all ff's] with "", and it's not possible
to do that in the opposite direction :-)

Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
NB: ebtables upstream hasn't changed the format of MAC addresses (yet).

Also, some new errors have cropped up when running these same tests on
RHEL8, but I think they are due to some new "real" bug in
iptables-ebtables, since the xml2fwallout tests all succeed when run
individually.

 .../nwfilterxml2fwallout/comment-test.fwall  |  4 ++--
 .../nwfilterxml2fwallout/hex-data-test.fwall |  4 ++--
 .../nwfilterxml2fwallout/ipv6-test.fwall     | 18 +++++++++---------
 3 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall b/scr= ipts/nwfilter/nwfilterxml2fwallout/comment-test.fwall index d87843b..4f467bf 100644 --- a/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall +++ b/scripts/nwfilter/nwfilterxml2fwallout/comment-test.fwall
@@ -2,9 +2,9 @@ -i vnet0 -j libvirt-I-vnet0 #ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v= "^$" -o vnet0 -j libvirt-O-vnet0 -#ebtables -t nat -L libvirt-I-vnet0 | sed s/01:02:03:04:05:06/1:2:3:4:5:6/= g | sed s/0a:0b:0c:0d:0e:0f/a:b:c:d:e:f/g | grep -v "^Bridge" | grep -v "^$" +#ebtables -t nat -L libvirt-I-vnet0 | sed 's#/ffff:ffff:ffff:ffff:ffff:fff= f:ffff:8000#/113#g' | sed 's#/ffff:fc00::#/22#g' | sed s/01:02:03:04:05:06/= 1:2:3:4:5:6/g | sed s/0a:0b:0c:0d:0e:0f/a:b:c:d:e:f/g | grep -v "^Bridge" |= grep -v "^$" -p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 10.= 1.2.3 --ip-tos 0x32 --ip-proto udp --ip-sport 291:564 --ip-dport 13398:1776= 7 -j ACCEPT=20 --p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:= ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:fff= f:ffff:ffff:8000 --ip6-proto tcp --ip6-sport 273:400 --ip6-dport 13107:6553= 5 -j ACCEPT=20 +-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:= ff:80 --ip6-src ::/22 --ip6-dst ::10.1.0.0/113 --ip6-proto tcp --ip6-sport = 273:400 --ip6-dport 13107:65535 -j ACCEPT=20 -p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 18= --arp-ptype 0x56 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j AC= CEPT=20 #ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$" -p 0x1234 -j ACCEPT=20 diff --git a/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall b/sc= ripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall index 56d3956..0cd9a8d 100644 --- a/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall +++ b/scripts/nwfilter/nwfilterxml2fwallout/hex-data-test.fwall 
@@ -2,9 +2,9 @@ -i vnet0 -j libvirt-I-vnet0 #ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v= "^$" -o vnet0 -j libvirt-O-vnet0 -#ebtables -t nat -L libvirt-I-vnet0 | sed s/01:02:03:04:05:06/1:2:3:4:5:6/= g | sed s/0a:0b:0c:0d:0e:0f/a:b:c:d:e:f/g | grep -v "^Bridge" | grep -v "^$" +#ebtables -t nat -L libvirt-I-vnet0 | sed 's#/ffff:ffff:ffff:ffff:ffff:fff= f:ffff:8000#/113#g' | sed 's#/ffff:fc00::#/22#g' | sed s/01:02:03:04:05:06/= 1:2:3:4:5:6/g | sed s/0a:0b:0c:0d:0e:0f/a:b:c:d:e:f/g | grep -v "^Bridge" |= grep -v "^$" -p IPv4 -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --ip-src 10.1.2.3 --ip-dst 10.= 1.2.3 --ip-tos 0x32 --ip-proto udp --ip-sport 291:564 --ip-dport 13398:1776= 7 -j ACCEPT=20 --p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:= ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:fff= f:ffff:ffff:8000 --ip6-proto tcp --ip6-sport 273:400 --ip6-dport 13107:6553= 5 -j ACCEPT=20 +-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:= ff:80 --ip6-src ::/22 --ip6-dst ::10.1.0.0/113 --ip6-proto tcp --ip6-sport = 273:400 --ip6-dport 13107:65535 -j ACCEPT=20 -p ARP -s 1:2:3:4:5:6 -d aa:bb:cc:dd:ee:ff --arp-op Request --arp-htype 18= --arp-ptype 0x56 --arp-mac-src 1:2:3:4:5:6 --arp-mac-dst a:b:c:d:e:f -j AC= CEPT=20 #ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$" -p 0x1234 -j ACCEPT=20 diff --git a/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall b/script= s/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall index 7d42f9a..d4dc627 100644 --- a/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall +++ b/scripts/nwfilter/nwfilterxml2fwallout/ipv6-test.fwall 
@@ -2,12 +2,12 @@ -i vnet0 -j libvirt-I-vnet0 #ebtables -t nat -L POSTROUTING | grep vnet0 -o vnet0 -j libvirt-O-vnet0 -#ebtables -t nat -L libvirt-I-vnet0 | sed s/01:02:03:04:05:06/1:2:3:4:5:6/= g | grep -v "^Bridge" | grep -v "^$" --p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:= ff:80 --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:fff= f:ffff:ffff:8000 --ip6-proto udp --ip6-sport 20:22 --ip6-dport 100:101 -j A= CCEPT=20 --p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:f= fff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport 100:101 --ip6= -dport 20:22 -j ACCEPT=20 --p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:f= fff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto tcp --ip6-sport 65535 --ip6-d= port 255:256 -j ACCEPT=20 --p IPv6 --ip6-src a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-dst 1::2/ffff:f= fff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-proto mux -j ACCEPT=20 -#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$" --p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a= :b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport 20:22 --ip6-d= port 100:101 -j ACCEPT=20 --p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a= :b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto tcp --ip6-sport 255:256 --ip6= -dport 65535 -j ACCEPT=20 --p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a= :b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto mux -j ACCEPT=20 +#ebtables -t nat -L libvirt-I-vnet0 | sed 's#/ffff:ffff:ffff:ffff:ffff:fff= f:ffff:ffff##g' | sed 's#/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000#/113#g' |= sed 's#/ffff:ffff:ffff:ffff:8000::#/65#g' | sed 's#/ffff:fc00::#/22#g' | s= ed s/01:02:03:04:05:06/1:2:3:4:5:6/g | grep -v "^Bridge" | grep -v "^$" +-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe -d aa:bb:cc:dd:ee:80/ff:ff:ff:ff:= ff:80 --ip6-src ::/22 --ip6-dst ::10.1.0.0/113 --ip6-proto udp --ip6-sport 
= 20:22 --ip6-dport 100:101 -j ACCEPT=20 +-p IPv6 --ip6-src a:b:c::/65 --ip6-dst 1::2 --ip6-proto tcp --ip6-sport 10= 0:101 --ip6-dport 20:22 -j ACCEPT=20 +-p IPv6 --ip6-src a:b:c::/65 --ip6-dst 1::2 --ip6-proto tcp --ip6-sport 65= 535 --ip6-dport 255:256 -j ACCEPT=20 +-p IPv6 --ip6-src a:b:c::/65 --ip6-dst 1::2 --ip6-proto mux -j ACCEPT=20 +#ebtables -t nat -L libvirt-O-vnet0 | sed 's#/ffff:ffff:ffff:ffff:ffff:fff= f:ffff:ffff##g' | sed 's#/ffff:ffff:ffff:ffff:8000::#/65#g' | grep -v "^Bri= dge" | grep -v "^$" +-p IPv6 --ip6-src 1::2 --ip6-dst a:b:c::/65 --ip6-proto tcp --ip6-sport 20= :22 --ip6-dport 100:101 -j ACCEPT=20 +-p IPv6 --ip6-src 1::2 --ip6-dst a:b:c::/65 --ip6-proto tcp --ip6-sport 25= 5:256 --ip6-dport 65535 -j ACCEPT=20 +-p IPv6 --ip6-src 1::2 --ip6-dst a:b:c::/65 --ip6-proto mux -j ACCEPT=20 --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
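Review bot: the new `#ebtables -t nat -L libvirt-I-vnet0 | sed ... | sed ... | sed ... | sed ...` line in the comment-test.fwall hunk runs four separate sed processes for what is one stream edit; a single `sed -e 's#/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000#/113#g' -e 's#/ffff:fc00::#/22#g' -e 's/01:02:03:04:05:06/1:2:3:4:5:6/g' -e 's/0a:0b:0c:0d:0e:0f/a:b:c:d:e:f/g'` is equivalent and easier to extend when the next netmask form turns up. The substitutions themselves are literal and idempotent, so output that already uses the iptables-ebtables form (`/22`, `/113`) passes through untouched and still matches the expected `--ip6-src ::/22 --ip6-dst ::10.1.0.0/113`, which is what the commit message wants (ffff:fc00:: is 22 leading one bits, seven ffff groups plus 8000 is 113).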
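Review bot: the `+#ebtables -t nat -L libvirt-I-vnet0 | sed ...` line in the hex-data-test.fwall hunk is byte-for-byte the same pipeline as the one in comment-test.fwall, and ipv6-test.fwall carries a third, different list of substitutions; any further netmask form has to be added in all three places, which is easy to miss, so it is worth stating in the commit message that the three pipelines are expected to drift and that the set of masks each one handles is exactly the set that appears in that file's rules.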
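Review bot: in the ipv6-test.fwall hunk, `sed 's#/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff##g'` deletes the /128 netmask outright, so the expected `--ip6-dst 1::2` and `--ip6-src 1::2` carry no prefix at all and the test can no longer tell a correct /128 from ebtables printing no mask on that rule; that is the price of matching the iptables-ebtables convention of suppressing /128 and is fine, but the asymmetry should be called out in the commit message next to the "replace [all ff's] with ''" remark. The four patterns do not overlap (the /128, /113 and /65 patterns differ in their last group and the /22 pattern differs in its second), so the order of the sed stages is irrelevant here. Note that the `libvirt-O-vnet0` pipeline carries only the /128 and /65 substitutions, which covers the three output-chain rules as listed but will not convert a /22 or /113 mask if one is later added to that chain.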
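The commit message above converts netmasks to prefixes with one literal sed substitution per mask that happens to appear in the expected output. As an added example, which is not part of Laine's patch or of libvirt-tck, the following POSIX shell does the general conversion: it turns any contiguous IPv6 netmask that old ebtables prints after --ip6-src / --ip6-dst into the numeric prefix that iptables-ebtables prints, drops /128 entirely, rejects non-contiguous masks, and leaves lines already in the new format unchanged. The function names and the sample rule lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the libvirt-tck patch above. Instead of one
# literal sed substitution per netmask, convert any contiguous IPv6 netmask
# printed after --ip6-src/--ip6-dst by old ebtables into the numeric prefix
# printed by iptables-ebtables, suppressing /128 entirely. Lines already in
# the new format pass through unchanged. Function names and sample lines
# are constructed for this example.

# mask6_to_prefix MASK: print the prefix length of a contiguous IPv6 netmask
# (ffff:fc00:: -> 22). Returns 1 if MASK is malformed or not contiguous.
mask6_to_prefix() {
    mask=$1; groups=''; nleft=0; nright=0
    case $mask in
        *::*::*) return 1 ;;                          # at most one "::"
        *::*) left=${mask%%::*}; right=${mask#*::}; gap=1 ;;
        *)    left=$mask; right=''; gap=0 ;;
    esac
    oldifs=$IFS; IFS=:
    for g in $left;  do groups="$groups $g"; nleft=$((nleft + 1)); done
    for g in $right; do nright=$((nright + 1)); done
    IFS=$oldifs
    if [ "$gap" -eq 1 ]; then
        pad=$((8 - nleft - nright))
        [ "$pad" -ge 1 ] || return 1                  # "::" stands for >= 1 group
        while [ "$pad" -gt 0 ]; do groups="$groups 0"; pad=$((pad - 1)); done
    else
        [ "$nleft" -eq 8 ] || return 1                # no "::": all 8 groups needed
    fi
    IFS=:; for g in $right; do groups="$groups $g"; done; IFS=$oldifs

    prefix=0; state=ones                              # leading ones, then only zeros
    for g in $groups; do
        case $g in *[!0-9a-fA-F]*|'') return 1 ;; esac
        v=$((0x$g)); [ "$v" -le 65535 ] || return 1
        bit=15
        while [ "$bit" -ge 0 ]; do
            if [ $(( (v >> bit) & 1 )) -eq 1 ]; then
                [ "$state" = ones ] || return 1       # a one after a zero: not a mask
                prefix=$((prefix + 1))
            else
                state=zeros
            fi
            bit=$((bit - 1))
        done
    done
    printf '%s\n' "$prefix"
}

# normalize_ip6_line LINE: rewrite the mask after --ip6-src / --ip6-dst in one
# "ebtables -L" rule line to prefix form; every other word is kept verbatim.
normalize_ip6_line() {
    line=$1; out=''; next_is_addr=0
    case $- in *f*) hadf=1 ;; *) hadf=0 ;; esac
    set -f                                            # no globbing while splitting words
    for word in $line; do
        if [ "$next_is_addr" -eq 1 ]; then
            next_is_addr=0
            case $word in
            */*)
                addr=${word%%/*}; mask=${word#*/}
                case $mask in
                *:*)                                  # old ebtables netmask form
                    if plen=$(mask6_to_prefix "$mask"); then
                        if [ "$plen" -eq 128 ]; then word=$addr
                        else word="$addr/$plen"; fi
                    fi                                # unparseable mask: left alone
                    ;;
                128) word=$addr ;;                    # numeric /128 is suppressed too
                esac
                ;;
            esac
        fi
        case $word in --ip6-src|--ip6-dst) next_is_addr=1 ;; esac
        out="$out${out:+ }$word"
    done
    [ "$hadf" -eq 1 ] || set +f
    printf '%s\n' "$out"
}

# Constructed sample: two rule lines in the old netmask form and one already
# in the new prefix form (to show the filter is idempotent).
SAMPLE='-p IPv6 -s 1:2:3:4:5:6/ff:ff:ff:ff:ff:fe --ip6-src ::/ffff:fc00:: --ip6-dst ::10.1.0.0/ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000 --ip6-proto udp -j ACCEPT
-p IPv6 --ip6-src 1::2/ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --ip6-dst a:b:c::/ffff:ffff:ffff:ffff:8000:: --ip6-proto mux -j ACCEPT
-p IPv6 --ip6-src 1::2 --ip6-dst a:b:c::/65 --ip6-proto tcp -j ACCEPT'

printf '%s\n' "$SAMPLE" | while IFS= read -r line; do normalize_ip6_line "$line"; done
```

In a test harness this would sit where the sed chain sits, i.e. `ebtables -t nat -L libvirt-I-vnet0 | while IFS= read -r line; do normalize_ip6_line "$line"; done`, and it only rewrites the token that follows --ip6-src or --ip6-dst, so the MAC masks after -s and -d (ff:ff:ff:ff:ff:fe and so on) are never touched. Rejecting non-contiguous masks rather than silently mapping them keeps a broken ebtables build from passing as a prefix it never printed.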