From: Laine Stump
To: libvir-list@redhat.com
Subject: [PATCH 1/8] util: fix typo in VIR_MOCK_WRAP_RET_ARGS()
Date: Mon, 23 Nov 2020 22:29:57 -0500
Message-Id: <20201124033004.1163126-2-laine@redhat.com>
In-Reply-To: <20201124033004.1163126-1-laine@redhat.com>
References: <20201124033004.1163126-1-laine@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

(This is the most inconsequential of inconsequential typos, but the incongruity was bugging me.)

When virfirewalltest.c was first written in commit 3a0ca7de51 (March 2013), a conditional accidentally tested for "ipv4" instead of "ipv6". Since the file ended up only testing ipv4 rules, this has never made any difference in practice, but I'm making some other changes in this file and just couldn't let it stand :-)

Signed-off-by: Laine Stump
Reviewed-by: Daniel Henrique Barboza
---
 tests/virfirewalltest.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c
index dc631dfc5d..872ee3ed17 100644
--- a/tests/virfirewalltest.c
+++ b/tests/virfirewalltest.c
@@ -128,7 +128,7 @@ VIR_MOCK_WRAP_RET_ARGS(g_dbus_connection_call_sync, if (fwBuf) { if (STREQ(type, "ipv4")) virBufferAddLit(fwBuf, IPTABLES_PATH); - else if (STREQ(type, "ipv4")) + else if (STREQ(type, "ipv6")) virBufferAddLit(fwBuf, IP6TABLES_PATH); else virBufferAddLit(fwBuf, EBTABLES_PATH);
-- 
2.28.0
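Review bot: with the old `else if (STREQ(type, "ipv4"))` the second branch could never be taken, so a caller passing "ipv6" fell through to the final `else` and the mock appended EBTABLES_PATH to fwBuf instead of IP6TABLES_PATH; the fix makes the ip6tables branch reachable, but nothing in this hunk exercises it, and the message itself notes that virfirewalltest.c only tests ipv4 rules. Since the series is already touching this file, consider adding an ipv6 case so that this branch (and the ebtables fallthrough for any type other than "ipv4"/"ipv6") is actually covered rather than silently dead.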

From: Laine Stump
To: libvir-list@redhat.com
Subject: [PATCH 2/8] util/tests: enable locking on iptables/ebtables commandlines in unit tests
Date: Mon, 23 Nov 2020 22:29:58 -0500
Message-Id: <20201124033004.1163126-3-laine@redhat.com>
In-Reply-To: <20201124033004.1163126-1-laine@redhat.com>
References: <20201124033004.1163126-1-laine@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

All the unit tests that use iptables/ip6tables/ebtables have been written to omit the locking/exclusive use primitive on the generated commandlines. Even though none of the tests actually execute those commands (and so it doesn't matter for purposes of the test whether or not the commands support these options), it still made sense when some systems had these locking options and some didn't.

We are now at a point where every supported Linux distro has supported the locking options on these commands for quite a long time, and are going to make their use non-optional. As a first step, this patch uses the virFirewallSetLockOverride() function, which is called at the beginning of all firewall-related tests, to set all the bools controlling whether or not the locking options are used to true.
This means that all the test cases must be updated to include the proper locking option in their commandlines. The change to make actual execs of the commands unconditionally use the locking option will be in an upcoming patch - this one affects only the unit tests. 
Signed-off-by: Laine Stump
Reviewed-by: Daniel Henrique Barboza
---
 src/util/virfirewall.c | 6 +
 tests/networkxml2firewalldata/base.args | 34 ++
 .../nat-default-linux.args | 19 +
 .../nat-ipv6-linux.args | 30 ++
 .../nat-ipv6-masquerade-linux.args | 34 ++
 .../nat-many-ips-linux.args | 33 ++
 .../nat-no-dhcp-linux.args | 29 ++
 .../nat-tftp-linux.args | 21 +
 .../route-default-linux.args | 14 +
 tests/nwfilterebiptablestest.c | 464 +++++++++---------
 .../ah-ipv6-linux.args | 9 +
 tests/nwfilterxml2firewalldata/ah-linux.args | 9 +
 .../all-ipv6-linux.args | 9 +
 tests/nwfilterxml2firewalldata/all-linux.args | 9 +
 tests/nwfilterxml2firewalldata/arp-linux.args | 5 +
 .../comment-linux.args | 19 +
 .../conntrack-linux.args | 7 +
 .../esp-ipv6-linux.args | 9 +
 tests/nwfilterxml2firewalldata/esp-linux.args | 9 +
 .../example-1-linux.args | 12 +
 .../example-2-linux.args | 10 +
 .../hex-data-linux.args | 10 +
 .../icmp-direction-linux.args | 6 +
 .../icmp-direction2-linux.args | 6 +
 .../icmp-direction3-linux.args | 6 +
 .../nwfilterxml2firewalldata/icmp-linux.args | 3 +
 .../icmpv6-linux.args | 4 +
 .../nwfilterxml2firewalldata/igmp-linux.args | 9 +
 tests/nwfilterxml2firewalldata/ip-linux.args | 3 +
 .../nwfilterxml2firewalldata/ipset-linux.args | 18 +
 .../ipt-no-macspoof-linux.args | 2 +
 .../nwfilterxml2firewalldata/ipv6-linux.args | 15 +
 .../nwfilterxml2firewalldata/iter1-linux.args | 9 +
 .../nwfilterxml2firewalldata/iter2-linux.args | 171 +++++++
 .../nwfilterxml2firewalldata/iter3-linux.args | 15 +
 tests/nwfilterxml2firewalldata/mac-linux.args | 4 +
 .../nwfilterxml2firewalldata/rarp-linux.args | 6 +
 .../sctp-ipv6-linux.args | 9 +
 .../nwfilterxml2firewalldata/sctp-linux.args | 9 +
 tests/nwfilterxml2firewalldata/stp-linux.args | 11 +
 .../target-linux.args | 33 ++
 .../target2-linux.args | 12 +
 .../tcp-ipv6-linux.args | 9 +
 tests/nwfilterxml2firewalldata/tcp-linux.args | 13 +
 .../udp-ipv6-linux.args | 9 +
 tests/nwfilterxml2firewalldata/udp-linux.args | 9 +
 .../udplite-ipv6-linux.args | 9 +
 .../udplite-linux.args | 9 +
 .../nwfilterxml2firewalldata/vlan-linux.args | 7 +
 tests/nwfilterxml2firewalltest.c | 144 +++---
 tests/virfirewalltest.c | 112 +++--
 51 files changed, 1115 insertions(+), 358 deletions(-)

diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index f6a8beec95..5f30c34483 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -105,6 +105,12 @@ void virFirewallSetLockOverride(bool avoid) { lockOverride =3D avoid; + if (avoid) { + /* add the lock option to all commands */ + iptablesUseLock =3D true; + ip6tablesUseLock =3D true; + ebtablesUseLock =3D true; + } } =20 static void
diff --git a/tests/networkxml2firewalldata/base.args b/tests/networkxml2firewalldata/base.args
index 0e71bf3a64..056ee12758 100644
--- a/tests/networkxml2firewalldata/base.args
+++ b/tests/networkxml2firewalldata/base.args
@@ -1,116 +1,150 @@ iptables \ +-w \ --table filter \ --list-rules iptables \ +-w \ --table nat \ --list-rules iptables \ +-w \ --table mangle \ --list-rules iptables \ +-w \ --table filter \ --new-chain LIBVIRT_INP iptables \ +-w \ --table filter \ --insert INPUT \ --jump LIBVIRT_INP iptables \ +-w \ --table filter \ --new-chain LIBVIRT_OUT iptables \ +-w \ --table filter \ --insert OUTPUT \ --jump LIBVIRT_OUT iptables \ +-w \ --table filter \ --new-chain LIBVIRT_FWO iptables \ +-w \ --table filter \ --insert FORWARD \ --jump LIBVIRT_FWO iptables \ +-w \ --table filter \ --new-chain LIBVIRT_FWI iptables \ +-w \ --table filter \ --insert FORWARD \ --jump LIBVIRT_FWI iptables \ +-w \ --table filter \ --new-chain LIBVIRT_FWX iptables \ +-w \ --table filter \ --insert FORWARD \ --jump LIBVIRT_FWX iptables \ +-w \ --table nat \ --new-chain LIBVIRT_PRT iptables \ +-w \ --table nat \ --insert POSTROUTING \ --jump LIBVIRT_PRT iptables \ +-w \ --table mangle \ --new-chain LIBVIRT_PRT iptables \ +-w \ --table mangle \ --insert POSTROUTING \ --jump LIBVIRT_PRT ip6tables \ +-w \ --table filter \ --list-rules ip6tables \ +-w \ --table nat \ --list-rules ip6tables \ +-w \ --table mangle \ --list-rules ip6tables \ +-w \ --table filter \ --new-chain LIBVIRT_INP ip6tables \ +-w \ --table filter \ --insert INPUT \ --jump LIBVIRT_INP ip6tables \ +-w \ --table filter \ --new-chain LIBVIRT_OUT ip6tables \ +-w \ --table filter \ --insert OUTPUT \ --jump LIBVIRT_OUT ip6tables \ +-w \ --table filter \ --new-chain LIBVIRT_FWO ip6tables \ +-w \ --table filter \ --insert FORWARD \ --jump LIBVIRT_FWO ip6tables \ +-w \ --table filter \ --new-chain LIBVIRT_FWI ip6tables \ +-w \ --table filter \ --insert FORWARD \ --jump LIBVIRT_FWI ip6tables \ +-w \ --table filter \ --new-chain LIBVIRT_FWX ip6tables \ +-w \ --table filter \ --insert FORWARD \ --jump LIBVIRT_FWX ip6tables \ +-w \ --table nat \ --new-chain LIBVIRT_PRT ip6tables \ +-w \ --table nat \ --insert POSTROUTING \ --jump LIBVIRT_PRT 
ip6tables \ +-w \ --table mangle \ --new-chain LIBVIRT_PRT ip6tables \ +-w \ --table mangle \ --insert POSTROUTING \ --jump LIBVIRT_PRT diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/n= etworkxml2firewalldata/nat-default-linux.args index ab18f30bd0..3cfa61333c 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.args +++ b/tests/networkxml2firewalldata/nat-default-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -6,6 +7,7 @@ iptables \ --destination-port 67 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -13,6 +15,7 @@ iptables \ --destination-port 67 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -20,6 +23,7 @@ iptables \ --destination-port 68 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -27,6 +31,7 @@ iptables \ --destination-port 68 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -34,6 +39,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -41,6 +47,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -48,6 +55,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ 
@@ -55,28 +63,33 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ @@ -85,12 +98,14 @@ iptables \ --ctstate ESTABLISHED,RELATED \ --jump ACCEPT iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ @@ -99,6 +114,7 @@ iptables \ --jump MASQUERADE \ --to-ports 1024-65535 iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ @@ -107,18 +123,21 @@ iptables \ --jump MASQUERADE \ --to-ports 1024-65535 iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ +-w \ --table mangle \ --insert LIBVIRT_PRT \ --out-interface virbr0 \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/netw= orkxml2firewalldata/nat-ipv6-linux.args index 05d9ee33ca..ce295cbc6d 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.args +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -6,6 +7,7 @@ iptables \ --destination-port 67 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ 
@@ -13,6 +15,7 @@ iptables \ --destination-port 67 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -20,6 +23,7 @@ iptables \ --destination-port 68 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -27,6 +31,7 @@ iptables \ --destination-port 68 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -34,6 +39,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -41,6 +47,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -48,6 +55,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -55,38 +63,45 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -94,6 +109,7 @@ ip6tables \ --destination-port 53 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -101,6 +117,7 @@ ip6tables \ --destination-port 53 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ 
@@ -108,6 +125,7 @@ ip6tables \ --destination-port 53 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -115,6 +133,7 @@ ip6tables \ --destination-port 53 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -122,6 +141,7 @@ ip6tables \ --destination-port 547 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -129,12 +149,14 @@ ip6tables \ --destination-port 546 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ @@ -143,12 +165,14 @@ iptables \ --ctstate ESTABLISHED,RELATED \ --jump ACCEPT iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ @@ -157,6 +181,7 @@ iptables \ --jump MASQUERADE \ --to-ports 1024-65535 iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ @@ -165,30 +190,35 @@ iptables \ --jump MASQUERADE \ --to-ports 1024-65535 iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN ip6tables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --source 2001:db8:ca2:2::/64 \ --in-interface virbr0 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --destination 2001:db8:ca2:2::/64 \ --out-interface virbr0 \ --jump ACCEPT iptables \ +-w \ --table mangle \ --insert LIBVIRT_PRT \ --out-interface virbr0 \ 
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args b= /tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args index f7b82c987a..d78537dc5c 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -6,6 +7,7 @@ iptables \ --destination-port 67 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -13,6 +15,7 @@ iptables \ --destination-port 67 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -20,6 +23,7 @@ iptables \ --destination-port 68 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -27,6 +31,7 @@ iptables \ --destination-port 68 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -34,6 +39,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -41,6 +47,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -48,6 +55,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ 
@@ -55,38 +63,45 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -94,6 +109,7 @@ ip6tables \ --destination-port 53 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -101,6 +117,7 @@ ip6tables \ --destination-port 53 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -108,6 +125,7 @@ ip6tables \ --destination-port 53 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -115,6 +133,7 @@ ip6tables \ --destination-port 53 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -122,6 +141,7 @@ ip6tables \ --destination-port 547 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -129,12 +149,14 @@ ip6tables \ --destination-port 546 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ 
@@ -143,12 +165,14 @@ iptables \ --ctstate ESTABLISHED,RELATED \ --jump ACCEPT iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ @@ -157,6 +181,7 @@ iptables \ --jump MASQUERADE \ --to-ports 1024-65535 iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ @@ -165,24 +190,28 @@ iptables \ --jump MASQUERADE \ --to-ports 1024-65535 iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN ip6tables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --source 2001:db8:ca2:2::/64 \ --in-interface virbr0 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --destination 2001:db8:ca2:2::/64 \ @@ -191,12 +220,14 @@ ip6tables \ --ctstate ESTABLISHED,RELATED \ --jump ACCEPT ip6tables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 2001:db8:ca2:2::/64 '!' \ --destination 2001:db8:ca2:2::/64 \ --jump MASQUERADE ip6tables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 2001:db8:ca2:2::/64 \ @@ -205,6 +236,7 @@ ip6tables \ --jump MASQUERADE \ --to-ports 1024-65535 ip6tables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 2001:db8:ca2:2::/64 \ @@ -213,12 +245,14 @@ ip6tables \ --jump MASQUERADE \ --to-ports 1024-65535 ip6tables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 2001:db8:ca2:2::/64 \ --destination ff02::/16 \ --jump RETURN iptables \ +-w \ --table mangle \ --insert LIBVIRT_PRT \ --out-interface virbr0 \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/= networkxml2firewalldata/nat-many-ips-linux.args index 82e1380f51..ba7f234b82 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.args 
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -6,6 +7,7 @@ iptables \ --destination-port 67 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -13,6 +15,7 @@ iptables \ --destination-port 67 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -20,6 +23,7 @@ iptables \ --destination-port 68 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -27,6 +31,7 @@ iptables \ --destination-port 68 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -34,6 +39,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -41,6 +47,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -48,6 +55,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -55,28 +63,33 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ 
@@ -85,12 +98,14 @@ iptables \ --ctstate ESTABLISHED,RELATED \ --jump ACCEPT iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ @@ -99,6 +114,7 @@ iptables \ --jump MASQUERADE \ --to-ports 1024-65535 iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ @@ -107,24 +123,28 @@ iptables \ --jump MASQUERADE \ --to-ports 1024-65535 iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --source 192.168.128.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --destination 192.168.128.0/24 \ @@ -133,12 +153,14 @@ iptables \ --ctstate ESTABLISHED,RELATED \ --jump ACCEPT iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.128.0/24 '!' \ --destination 192.168.128.0/24 \ --jump MASQUERADE iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.128.0/24 \ @@ -147,6 +169,7 @@ iptables \ --jump MASQUERADE \ --to-ports 1024-65535 iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.128.0/24 \ @@ -155,24 +178,28 @@ iptables \ --jump MASQUERADE \ --to-ports 1024-65535 iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.128.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.128.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --source 192.168.150.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --destination 192.168.150.0/24 \ 
@@ -181,12 +208,14 @@ iptables \ --ctstate ESTABLISHED,RELATED \ --jump ACCEPT iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.150.0/24 '!' \ --destination 192.168.150.0/24 \ --jump MASQUERADE iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.150.0/24 \ @@ -195,6 +224,7 @@ iptables \ --jump MASQUERADE \ --to-ports 1024-65535 iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.150.0/24 \ @@ -203,18 +233,21 @@ iptables \ --jump MASQUERADE \ --to-ports 1024-65535 iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.150.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.150.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ +-w \ --table mangle \ --insert LIBVIRT_PRT \ --out-interface virbr0 \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/n= etworkxml2firewalldata/nat-no-dhcp-linux.args index 8954cc5473..1e5aa05231 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -6,6 +7,7 @@ iptables \ --destination-port 67 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -13,6 +15,7 @@ iptables \ --destination-port 67 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -20,6 +23,7 @@ iptables \ --destination-port 68 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -27,6 +31,7 @@ iptables \ --destination-port 68 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -34,6 +39,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ 
@@ -41,6 +47,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -48,6 +55,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -55,38 +63,45 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -94,6 +109,7 @@ ip6tables \ --destination-port 53 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -101,6 +117,7 @@ ip6tables \ --destination-port 53 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -108,6 +125,7 @@ ip6tables \ --destination-port 53 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -115,6 +133,7 @@ ip6tables \ --destination-port 53 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -122,6 +141,7 @@ ip6tables \ --destination-port 547 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ 
@@ -129,12 +149,14 @@ ip6tables \ --destination-port 546 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ @@ -143,12 +165,14 @@ iptables \ --ctstate ESTABLISHED,RELATED \ --jump ACCEPT iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ @@ -157,6 +181,7 @@ iptables \ --jump MASQUERADE \ --to-ports 1024-65535 iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ @@ -165,24 +190,28 @@ iptables \ --jump MASQUERADE \ --to-ports 1024-65535 iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN ip6tables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --source 2001:db8:ca2:2::/64 \ --in-interface virbr0 \ --jump ACCEPT ip6tables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --destination 2001:db8:ca2:2::/64 \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/netw= orkxml2firewalldata/nat-tftp-linux.args index 88e9929b62..565fff737c 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.args +++ b/tests/networkxml2firewalldata/nat-tftp-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -6,6 +7,7 @@ iptables \ --destination-port 67 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -13,6 +15,7 @@ iptables \ --destination-port 67 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ 
@@ -20,6 +23,7 @@ iptables \ --destination-port 68 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -27,6 +31,7 @@ iptables \ --destination-port 68 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -34,6 +39,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -41,6 +47,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -48,6 +55,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -55,6 +63,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -62,6 +71,7 @@ iptables \ --destination-port 69 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -69,28 +79,33 @@ iptables \ --destination-port 69 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ @@ -99,12 +114,14 @@ iptables \ --ctstate ESTABLISHED,RELATED \ --jump ACCEPT iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 '!' \ --destination 192.168.122.0/24 \ --jump MASQUERADE iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ 
@@ -113,6 +130,7 @@ iptables \ --jump MASQUERADE \ --to-ports 1024-65535 iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ @@ -121,18 +139,21 @@ iptables \ --jump MASQUERADE \ --to-ports 1024-65535 iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 255.255.255.255/32 \ --jump RETURN iptables \ +-w \ --table nat \ --insert LIBVIRT_PRT \ --source 192.168.122.0/24 \ --destination 224.0.0.0/24 \ --jump RETURN iptables \ +-w \ --table mangle \ --insert LIBVIRT_PRT \ --out-interface virbr0 \ diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests= /networkxml2firewalldata/route-default-linux.args index c427d9602d..a7b969c077 100644 --- a/tests/networkxml2firewalldata/route-default-linux.args +++ b/tests/networkxml2firewalldata/route-default-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -6,6 +7,7 @@ iptables \ --destination-port 67 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -13,6 +15,7 @@ iptables \ --destination-port 67 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -20,6 +23,7 @@ iptables \ --destination-port 68 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -27,6 +31,7 @@ iptables \ --destination-port 68 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -34,6 +39,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_INP \ --in-interface virbr0 \ @@ -41,6 +47,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ @@ -48,6 +55,7 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_OUT \ --out-interface virbr0 \ 
@@ -55,34 +63,40 @@ iptables \ --destination-port 53 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --in-interface virbr0 \ --jump REJECT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --out-interface virbr0 \ --jump REJECT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWX \ --in-interface virbr0 \ --out-interface virbr0 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWO \ --source 192.168.122.0/24 \ --in-interface virbr0 \ --jump ACCEPT iptables \ +-w \ --table filter \ --insert LIBVIRT_FWI \ --destination 192.168.122.0/24 \ --out-interface virbr0 \ --jump ACCEPT iptables \ +-w \ --table mangle \ --insert LIBVIRT_PRT \ --out-interface virbr0 \ diff --git a/tests/nwfilterebiptablestest.c b/tests/nwfilterebiptablestest.c index 4d8791023c..5562682e9a 100644 --- a/tests/nwfilterebiptablestest.c +++ b/tests/nwfilterebiptablestest.c 
@@ -36,34 +36,34 @@ =20 =20 #define VIR_NWFILTER_NEW_RULES_TEARDOWN \ - "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out= vnet0 -g FP-vnet0\n" \ - "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n"= \ - "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \ - "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0= \n" \ - "iptables -F FP-vnet0\n" \ - "iptables -X FP-vnet0\n" \ - "iptables -F FJ-vnet0\n" \ - "iptables -X FJ-vnet0\n" \ - "iptables -F HJ-vnet0\n" \ - "iptables -X HJ-vnet0\n" \ - "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-ou= t vnet0 -g FP-vnet0\n" \ - "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n= " \ - "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \ - "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet= 0\n" \ - "ip6tables -F FP-vnet0\n" \ - "ip6tables -X FP-vnet0\n" \ - "ip6tables -F FJ-vnet0\n" \ - "ip6tables -X FJ-vnet0\n" \ - "ip6tables -F HJ-vnet0\n" \ - "ip6tables -X HJ-vnet0\n" \ - "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n" \ - "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n" \ - "ebtables -t nat -L libvirt-J-vnet0\n" \ - "ebtables -t nat -L libvirt-P-vnet0\n" \ - "ebtables -t nat -F libvirt-J-vnet0\n" \ - "ebtables -t nat -X libvirt-J-vnet0\n" \ - "ebtables -t nat -F libvirt-P-vnet0\n" \ - "ebtables -t nat -X libvirt-P-vnet0\n" + "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-= out vnet0 -g FP-vnet0\n" \ + "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0= \n" \ + "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n= " \ + "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vn= et0\n" \ + "iptables -w -F FP-vnet0\n" \ + "iptables -w -X FP-vnet0\n" \ + "iptables -w -F FJ-vnet0\n" \ + "iptables -w -X FJ-vnet0\n" \ + "iptables -w -F HJ-vnet0\n" \ + "iptables -w -X 
HJ-vnet0\n" \ + "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev= -out vnet0 -g FP-vnet0\n" \ + "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet= 0\n" \ + "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\= n" \ + "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-v= net0\n" \ + "ip6tables -w -F FP-vnet0\n" \ + "ip6tables -w -X FP-vnet0\n" \ + "ip6tables -w -F FJ-vnet0\n" \ + "ip6tables -w -X FJ-vnet0\n" \ + "ip6tables -w -F HJ-vnet0\n" \ + "ip6tables -w -X HJ-vnet0\n" \ + "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet= 0\n" \ + "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vne= t0\n" \ + "ebtables --concurrent -t nat -L libvirt-J-vnet0\n" \ + "ebtables --concurrent -t nat -L libvirt-P-vnet0\n" \ + "ebtables --concurrent -t nat -F libvirt-J-vnet0\n" \ + "ebtables --concurrent -t nat -X libvirt-J-vnet0\n" \ + "ebtables --concurrent -t nat -F libvirt-P-vnet0\n" \ + "ebtables --concurrent -t nat -X libvirt-P-vnet0\n" =20 static int testNWFilterEBIPTablesAllTeardown(const void *opaque G_GNUC_UNUSED) 
@@ -71,36 +71,36 @@ testNWFilterEBIPTablesAllTeardown(const void *opaque G_= GNUC_UNUSED) g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; const char *expected =3D VIR_NWFILTER_NEW_RULES_TEARDOWN - "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev= -out vnet0 -g FO-vnet0\n" - "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet= 0\n" - "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\= n" - "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-v= net0\n" - "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCE= PT\n" - "iptables -F FO-vnet0\n" - "iptables -X FO-vnet0\n" - "iptables -F FI-vnet0\n" - "iptables -X FI-vnet0\n" - "iptables -F HI-vnet0\n" - "iptables -X HI-vnet0\n" - "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physde= v-out vnet0 -g FO-vnet0\n" - "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vne= t0\n" - "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0= \n" - "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-= vnet0\n" - "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACC= EPT\n" - "ip6tables -F FO-vnet0\n" - "ip6tables -X FO-vnet0\n" - "ip6tables -F FI-vnet0\n" - "ip6tables -X FI-vnet0\n" - "ip6tables -F HI-vnet0\n" - "ip6tables -X HI-vnet0\n" - "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n" - "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n" - "ebtables -t nat -L libvirt-I-vnet0\n" - "ebtables -t nat -L libvirt-O-vnet0\n" - "ebtables -t nat -F libvirt-I-vnet0\n" - "ebtables -t nat -X libvirt-I-vnet0\n" - "ebtables -t nat -F libvirt-O-vnet0\n" - "ebtables -t nat -X libvirt-O-vnet0\n"; + "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --phys= dev-out vnet0 -g FO-vnet0\n" + "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-v= net0\n" + "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vne= t0\n" + "iptables -w -D libvirt-host-in -m 
physdev --physdev-in vnet0 -g H= I-vnet0\n" + "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j A= CCEPT\n" + "iptables -w -F FO-vnet0\n" + "iptables -w -X FO-vnet0\n" + "iptables -w -F FI-vnet0\n" + "iptables -w -X FI-vnet0\n" + "iptables -w -F HI-vnet0\n" + "iptables -w -X HI-vnet0\n" + "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --phy= sdev-out vnet0 -g FO-vnet0\n" + "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-= vnet0\n" + "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vn= et0\n" + "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g = HI-vnet0\n" + "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j = ACCEPT\n" + "ip6tables -w -F FO-vnet0\n" + "ip6tables -w -X FO-vnet0\n" + "ip6tables -w -F FI-vnet0\n" + "ip6tables -w -X FI-vnet0\n" + "ip6tables -w -F HI-vnet0\n" + "ip6tables -w -X HI-vnet0\n" + "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-= vnet0\n" + "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O= -vnet0\n" + "ebtables --concurrent -t nat -L libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -L libvirt-O-vnet0\n" + "ebtables --concurrent -t nat -F libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -X libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -F libvirt-O-vnet0\n" + "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"; char *actual =3D NULL; int ret =3D -1; =20 
@@ -130,44 +130,44 @@ testNWFilterEBIPTablesTearOldRules(const void *opaque= G_GNUC_UNUSED) { g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; const char *expected =3D - "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev= -out vnet0 -g FO-vnet0\n" - "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet= 0\n" - "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\= n" - "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-v= net0\n" - "iptables -F FO-vnet0\n" - "iptables -X FO-vnet0\n" - "iptables -F FI-vnet0\n" - "iptables -X FI-vnet0\n" - "iptables -F HI-vnet0\n" - "iptables -X HI-vnet0\n" - "iptables -E FP-vnet0 FO-vnet0\n" - "iptables -E FJ-vnet0 FI-vnet0\n" - "iptables -E HJ-vnet0 HI-vnet0\n" - "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physde= v-out vnet0 -g FO-vnet0\n" - "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vne= t0\n" - "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0= \n" - "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-= vnet0\n" - "ip6tables -F FO-vnet0\n" - "ip6tables -X FO-vnet0\n" - "ip6tables -F FI-vnet0\n" - "ip6tables -X FI-vnet0\n" - "ip6tables -F HI-vnet0\n" - "ip6tables -X HI-vnet0\n" - "ip6tables -E FP-vnet0 FO-vnet0\n" - "ip6tables -E FJ-vnet0 FI-vnet0\n" - "ip6tables -E HJ-vnet0 HI-vnet0\n" - "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n" - "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n" - "ebtables -t nat -L libvirt-I-vnet0\n" - "ebtables -t nat -L libvirt-O-vnet0\n" - "ebtables -t nat -F libvirt-I-vnet0\n" - "ebtables -t nat -X libvirt-I-vnet0\n" - "ebtables -t nat -F libvirt-O-vnet0\n" - "ebtables -t nat -X libvirt-O-vnet0\n" - "ebtables -t nat -L libvirt-J-vnet0\n" - "ebtables -t nat -L libvirt-P-vnet0\n" - "ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n" - "ebtables -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n"; + "iptables -w -D libvirt-out -m physdev --physdev-is-bridged 
--phys= dev-out vnet0 -g FO-vnet0\n" + "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-v= net0\n" + "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vne= t0\n" + "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g H= I-vnet0\n" + "iptables -w -F FO-vnet0\n" + "iptables -w -X FO-vnet0\n" + "iptables -w -F FI-vnet0\n" + "iptables -w -X FI-vnet0\n" + "iptables -w -F HI-vnet0\n" + "iptables -w -X HI-vnet0\n" + "iptables -w -E FP-vnet0 FO-vnet0\n" + "iptables -w -E FJ-vnet0 FI-vnet0\n" + "iptables -w -E HJ-vnet0 HI-vnet0\n" + "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --phy= sdev-out vnet0 -g FO-vnet0\n" + "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-= vnet0\n" + "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vn= et0\n" + "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g = HI-vnet0\n" + "ip6tables -w -F FO-vnet0\n" + "ip6tables -w -X FO-vnet0\n" + "ip6tables -w -F FI-vnet0\n" + "ip6tables -w -X FI-vnet0\n" + "ip6tables -w -F HI-vnet0\n" + "ip6tables -w -X HI-vnet0\n" + "ip6tables -w -E FP-vnet0 FO-vnet0\n" + "ip6tables -w -E FJ-vnet0 FI-vnet0\n" + "ip6tables -w -E HJ-vnet0 HI-vnet0\n" + "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-= vnet0\n" + "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O= -vnet0\n" + "ebtables --concurrent -t nat -L libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -L libvirt-O-vnet0\n" + "ebtables --concurrent -t nat -F libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -X libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -F libvirt-O-vnet0\n" + "ebtables --concurrent -t nat -X libvirt-O-vnet0\n" + "ebtables --concurrent -t nat -L libvirt-J-vnet0\n" + "ebtables --concurrent -t nat -L libvirt-P-vnet0\n" + "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n= "; char *actual =3D NULL; int ret =3D -1; =20 
@@ -197,22 +197,22 @@ testNWFilterEBIPTablesRemoveBasicRules(const void *op= aque G_GNUC_UNUSED) { g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; const char *expected =3D - "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n" - "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n" - "ebtables -t nat -L libvirt-I-vnet0\n" - "ebtables -t nat -L libvirt-O-vnet0\n" - "ebtables -t nat -F libvirt-I-vnet0\n" - "ebtables -t nat -X libvirt-I-vnet0\n" - "ebtables -t nat -F libvirt-O-vnet0\n" - "ebtables -t nat -X libvirt-O-vnet0\n" - "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n" - "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n" - "ebtables -t nat -L libvirt-J-vnet0\n" - "ebtables -t nat -L libvirt-P-vnet0\n" - "ebtables -t nat -F libvirt-J-vnet0\n" - "ebtables -t nat -X libvirt-J-vnet0\n" - "ebtables -t nat -F libvirt-P-vnet0\n" - "ebtables -t nat -X libvirt-P-vnet0\n"; + "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-= vnet0\n" + "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O= -vnet0\n" + "ebtables --concurrent -t nat -L libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -L libvirt-O-vnet0\n" + "ebtables --concurrent -t nat -F libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -X libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -F libvirt-O-vnet0\n" + "ebtables --concurrent -t nat -X libvirt-O-vnet0\n" + "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-= vnet0\n" + "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P= -vnet0\n" + "ebtables --concurrent -t nat -L libvirt-J-vnet0\n" + "ebtables --concurrent -t nat -L libvirt-P-vnet0\n" + "ebtables --concurrent -t nat -F libvirt-J-vnet0\n" + "ebtables --concurrent -t nat -X libvirt-J-vnet0\n" + "ebtables --concurrent -t nat -F libvirt-P-vnet0\n" + "ebtables --concurrent -t nat -X libvirt-P-vnet0\n"; char *actual =3D NULL; int ret =3D -1; =20 
@@ -273,43 +273,43 @@ testNWFilterEBIPTablesApplyBasicRules(const void *opa= que G_GNUC_UNUSED) g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; const char *expected =3D VIR_NWFILTER_NEW_RULES_TEARDOWN - "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev= -out vnet0 -g FO-vnet0\n" - "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet= 0\n" - "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\= n" - "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-v= net0\n" - "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCE= PT\n" - "iptables -F FO-vnet0\n" - "iptables -X FO-vnet0\n" - "iptables -F FI-vnet0\n" - "iptables -X FI-vnet0\n" - "iptables -F HI-vnet0\n" - "iptables -X HI-vnet0\n" - "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physde= v-out vnet0 -g FO-vnet0\n" - "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vne= t0\n" - "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0= \n" - "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-= vnet0\n" - "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACC= EPT\n" - "ip6tables -F FO-vnet0\n" - "ip6tables -X FO-vnet0\n" - "ip6tables -F FI-vnet0\n" - "ip6tables -X FI-vnet0\n" - "ip6tables -F HI-vnet0\n" - "ip6tables -X HI-vnet0\n" - "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n" - "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n" - "ebtables -t nat -L libvirt-I-vnet0\n" - "ebtables -t nat -L libvirt-O-vnet0\n" - "ebtables -t nat -F libvirt-I-vnet0\n" - "ebtables -t nat -X libvirt-I-vnet0\n" - "ebtables -t nat -F libvirt-O-vnet0\n" - "ebtables -t nat -X libvirt-O-vnet0\n" - "ebtables -t nat -N libvirt-J-vnet0\n" - "ebtables -t nat -A libvirt-J-vnet0 -s '!' 
10:20:30:40:50:60 -j DR= OP\n" - "ebtables -t nat -A libvirt-J-vnet0 -p IPv4 -j ACCEPT\n" - "ebtables -t nat -A libvirt-J-vnet0 -p ARP -j ACCEPT\n" - "ebtables -t nat -A libvirt-J-vnet0 -j DROP\n" - "ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n" - "ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"; + "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --phys= dev-out vnet0 -g FO-vnet0\n" + "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-v= net0\n" + "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vne= t0\n" + "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g H= I-vnet0\n" + "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j A= CCEPT\n" + "iptables -w -F FO-vnet0\n" + "iptables -w -X FO-vnet0\n" + "iptables -w -F FI-vnet0\n" + "iptables -w -X FI-vnet0\n" + "iptables -w -F HI-vnet0\n" + "iptables -w -X HI-vnet0\n" + "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --phy= sdev-out vnet0 -g FO-vnet0\n" + "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-= vnet0\n" + "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vn= et0\n" + "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g = HI-vnet0\n" + "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j = ACCEPT\n" + "ip6tables -w -F FO-vnet0\n" + "ip6tables -w -X FO-vnet0\n" + "ip6tables -w -F FI-vnet0\n" + "ip6tables -w -X FI-vnet0\n" + "ip6tables -w -F HI-vnet0\n" + "ip6tables -w -X HI-vnet0\n" + "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-= vnet0\n" + "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O= -vnet0\n" + "ebtables --concurrent -t nat -L libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -L libvirt-O-vnet0\n" + "ebtables --concurrent -t nat -F libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -X libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -F libvirt-O-vnet0\n" + "ebtables --concurrent -t nat -X libvirt-O-vnet0\n" 
+ "ebtables --concurrent -t nat -N libvirt-J-vnet0\n" + "ebtables --concurrent -t nat -A libvirt-J-vnet0 -s '!' 10:20:30:4= 0:50:60 -j DROP\n" + "ebtables --concurrent -t nat -A libvirt-J-vnet0 -p IPv4 -j ACCEPT= \n" + "ebtables --concurrent -t nat -A libvirt-J-vnet0 -p ARP -j ACCEPT\= n" + "ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n" + "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-= vnet0\n" + "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n= "; char *actual =3D NULL; int ret =3D -1; virMacAddr mac =3D { .addr =3D { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } = }; 
@@ -341,51 +341,51 @@ testNWFilterEBIPTablesApplyDHCPOnlyRules(const void *= opaque G_GNUC_UNUSED) g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; const char *expected =3D VIR_NWFILTER_NEW_RULES_TEARDOWN - "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev= -out vnet0 -g FO-vnet0\n" - "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet= 0\n" - "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\= n" - "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-v= net0\n" - "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCE= PT\n" - "iptables -F FO-vnet0\n" - "iptables -X FO-vnet0\n" - "iptables -F FI-vnet0\n" - "iptables -X FI-vnet0\n" - "iptables -F HI-vnet0\n" - "iptables -X HI-vnet0\n" - "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physde= v-out vnet0 -g FO-vnet0\n" - "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vne= t0\n" - "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0= \n" - "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-= vnet0\n" - "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACC= EPT\n" - "ip6tables -F FO-vnet0\n" - "ip6tables -X FO-vnet0\n" - "ip6tables -F FI-vnet0\n" - "ip6tables -X FI-vnet0\n" - "ip6tables -F HI-vnet0\n" - "ip6tables -X HI-vnet0\n" - "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n" - "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n" - "ebtables -t nat -L libvirt-I-vnet0\n" - "ebtables -t nat -L libvirt-O-vnet0\n" - "ebtables -t nat -F libvirt-I-vnet0\n" - "ebtables -t nat -X libvirt-I-vnet0\n" - "ebtables -t nat -F libvirt-O-vnet0\n" - "ebtables -t nat -X libvirt-O-vnet0\n" - "ebtables -t nat -N libvirt-J-vnet0\n" - "ebtables -t nat -N libvirt-P-vnet0\n" - "ebtables -t nat -A libvirt-J-vnet0 -s 10:20:30:40:50:60 -p ipv4 -= -ip-protocol udp --ip-sport 68 --ip-dport 67 -j ACCEPT\n" - "ebtables -t nat -A libvirt-J-vnet0 -j DROP\n" - "ebtables -t nat -A 
libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 -= -ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCE= PT\n" - "ebtables -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 -= -ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCE= PT\n" - "ebtables -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 -= -ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n" - "ebtables -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 -= -ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n" - "ebtables -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 -= -ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n" - "ebtables -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 -= -ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n" - "ebtables -t nat -A libvirt-P-vnet0 -j DROP\n" - "ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n" - "ebtables -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n" - "ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n" - "ebtables -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n"; + "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --phys= dev-out vnet0 -g FO-vnet0\n" + "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-v= net0\n" + "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vne= t0\n" + "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g H= I-vnet0\n" + "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j A= CCEPT\n" + "iptables -w -F FO-vnet0\n" + "iptables -w -X FO-vnet0\n" + "iptables -w -F FI-vnet0\n" + "iptables -w -X FI-vnet0\n" + "iptables -w -F HI-vnet0\n" + "iptables -w -X HI-vnet0\n" + "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --phy= sdev-out vnet0 -g FO-vnet0\n" + "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-= vnet0\n" + "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g 
FI-vn= et0\n" + "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g = HI-vnet0\n" + "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j = ACCEPT\n" + "ip6tables -w -F FO-vnet0\n" + "ip6tables -w -X FO-vnet0\n" + "ip6tables -w -F FI-vnet0\n" + "ip6tables -w -X FI-vnet0\n" + "ip6tables -w -F HI-vnet0\n" + "ip6tables -w -X HI-vnet0\n" + "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-= vnet0\n" + "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O= -vnet0\n" + "ebtables --concurrent -t nat -L libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -L libvirt-O-vnet0\n" + "ebtables --concurrent -t nat -F libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -X libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -F libvirt-O-vnet0\n" + "ebtables --concurrent -t nat -X libvirt-O-vnet0\n" + "ebtables --concurrent -t nat -N libvirt-J-vnet0\n" + "ebtables --concurrent -t nat -N libvirt-P-vnet0\n" + "ebtables --concurrent -t nat -A libvirt-J-vnet0 -s 10:20:30:40:50= :60 -p ipv4 --ip-protocol udp --ip-sport 68 --ip-dport 67 -j ACCEPT\n" + "ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n" + "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50= :60 -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dpo= rt 68 -j ACCEPT\n" + "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff= :ff -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dpo= rt 68 -j ACCEPT\n" + "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50= :60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68= -j ACCEPT\n" + "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff= :ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68= -j ACCEPT\n" + "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50= :60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68= -j ACCEPT\n" + "ebtables --concurrent -t nat 
-A libvirt-P-vnet0 -d ff:ff:ff:ff:ff= :ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68= -j ACCEPT\n" + "ebtables --concurrent -t nat -A libvirt-P-vnet0 -j DROP\n" + "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-= vnet0\n" + "ebtables --concurrent -t nat -A POSTROUTING -o vnet0 -j libvirt-P= -vnet0\n" + "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n= "; char *actual =3D NULL; int ret =3D -1; virMacAddr mac =3D { .addr =3D { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } = }; 
@@ -428,44 +428,44 @@ testNWFilterEBIPTablesApplyDropAllRules(const void *o= paque G_GNUC_UNUSED) g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; const char *expected =3D VIR_NWFILTER_NEW_RULES_TEARDOWN - "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev= -out vnet0 -g FO-vnet0\n" - "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet= 0\n" - "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\= n" - "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-v= net0\n" - "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCE= PT\n" - "iptables -F FO-vnet0\n" - "iptables -X FO-vnet0\n" - "iptables -F FI-vnet0\n" - "iptables -X FI-vnet0\n" - "iptables -F HI-vnet0\n" - "iptables -X HI-vnet0\n" - "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physde= v-out vnet0 -g FO-vnet0\n" - "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vne= t0\n" - "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0= \n" - "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-= vnet0\n" - "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACC= EPT\n" - "ip6tables -F FO-vnet0\n" - "ip6tables -X FO-vnet0\n" - "ip6tables -F FI-vnet0\n" - "ip6tables -X FI-vnet0\n" - "ip6tables -F HI-vnet0\n" - "ip6tables -X HI-vnet0\n" - "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n" - "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n" - "ebtables -t nat -L libvirt-I-vnet0\n" - "ebtables -t nat -L libvirt-O-vnet0\n" - "ebtables -t nat -F libvirt-I-vnet0\n" - "ebtables -t nat -X libvirt-I-vnet0\n" - "ebtables -t nat -F libvirt-O-vnet0\n" - "ebtables -t nat -X libvirt-O-vnet0\n" - "ebtables -t nat -N libvirt-J-vnet0\n" - "ebtables -t nat -N libvirt-P-vnet0\n" - "ebtables -t nat -A libvirt-J-vnet0 -j DROP\n" - "ebtables -t nat -A libvirt-P-vnet0 -j DROP\n" - "ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n" - "ebtables -t nat -A POSTROUTING -o vnet0 
-j libvirt-P-vnet0\n" - "ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n" - "ebtables -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n"; + "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --phys= dev-out vnet0 -g FO-vnet0\n" + "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-v= net0\n" + "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vne= t0\n" + "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g H= I-vnet0\n" + "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j A= CCEPT\n" + "iptables -w -F FO-vnet0\n" + "iptables -w -X FO-vnet0\n" + "iptables -w -F FI-vnet0\n" + "iptables -w -X FI-vnet0\n" + "iptables -w -F HI-vnet0\n" + "iptables -w -X HI-vnet0\n" + "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --phy= sdev-out vnet0 -g FO-vnet0\n" + "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-= vnet0\n" + "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vn= et0\n" + "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g = HI-vnet0\n" + "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j = ACCEPT\n" + "ip6tables -w -F FO-vnet0\n" + "ip6tables -w -X FO-vnet0\n" + "ip6tables -w -F FI-vnet0\n" + "ip6tables -w -X FI-vnet0\n" + "ip6tables -w -F HI-vnet0\n" + "ip6tables -w -X HI-vnet0\n" + "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-= vnet0\n" + "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O= -vnet0\n" + "ebtables --concurrent -t nat -L libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -L libvirt-O-vnet0\n" + "ebtables --concurrent -t nat -F libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -X libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -F libvirt-O-vnet0\n" + "ebtables --concurrent -t nat -X libvirt-O-vnet0\n" + "ebtables --concurrent -t nat -N libvirt-J-vnet0\n" + "ebtables --concurrent -t nat -N libvirt-P-vnet0\n" + "ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n" + "ebtables 
--concurrent -t nat -A libvirt-P-vnet0 -j DROP\n" + "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-= vnet0\n" + "ebtables --concurrent -t nat -A POSTROUTING -o vnet0 -j libvirt-P= -vnet0\n" + "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n" + "ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n= "; char *actual =3D NULL; int ret =3D -1; =20 diff --git a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args b/tests/nwfi= lterxml2firewalldata/ah-ipv6-linux.args index 35c9de38b8..77f0532fd2 100644 --- a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args @@ -1,4 +1,5 @@ ip6tables \ +-w \ -A FJ-vnet0 \ -p ah \ -m mac \ @@ -11,6 +12,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p ah \ --destination f:e:d::c:b:a/127 \ @@ -21,6 +23,7 @@ ip6tables \ --state ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p ah \ -m mac \ @@ -33,6 +36,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FJ-vnet0 \ -p ah \ --destination a:b:c::/128 \ @@ -42,6 +46,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p ah \ -m mac \ @@ -53,6 +58,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p ah \ --destination a:b:c::/128 \ @@ -62,6 +68,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FJ-vnet0 \ -p ah \ --destination ::10.1.2.3/128 \ @@ -71,6 +78,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p ah \ -m mac \ @@ -82,6 +90,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p ah \ --destination ::10.1.2.3/128 \ diff --git a/tests/nwfilterxml2firewalldata/ah-linux.args b/tests/nwfilterx= ml2firewalldata/ah-linux.args index 269636754e..c7e5c1eb17 100644 --- a/tests/nwfilterxml2firewalldata/ah-linux.args +++ b/tests/nwfilterxml2firewalldata/ah-linux.args 
@@ -1,4 +1,5 @@ iptables \ +-w \ -A FJ-vnet0 \ -p ah \ -m mac \ @@ -10,6 +11,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p ah \ --source 10.1.2.3/32 \ @@ -19,6 +21,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p ah \ -m mac \ @@ -30,6 +33,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p ah \ --destination 10.1.2.3/22 \ @@ -39,6 +43,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p ah \ -m mac \ @@ -50,6 +55,7 @@ iptables \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p ah \ --destination 10.1.2.3/22 \ @@ -59,6 +65,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p ah \ --destination 10.1.2.3/22 \ @@ -68,6 +75,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p ah \ -m mac \ @@ -79,6 +87,7 @@ iptables \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p ah \ --destination 10.1.2.3/22 \ diff --git a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args b/tests/nwf= ilterxml2firewalldata/all-ipv6-linux.args index 2f84c1bfea..d86908663c 100644 --- a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/all-ipv6-linux.args @@ -1,4 +1,5 @@ ip6tables \ +-w \ -A FJ-vnet0 \ -p all \ -m mac \ @@ -11,6 +12,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p all \ --destination f:e:d::c:b:a/127 \ @@ -21,6 +23,7 @@ ip6tables \ --state ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p all \ -m mac \ @@ -33,6 +36,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FJ-vnet0 \ -p all \ --destination a:b:c::/128 \ @@ -42,6 +46,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p all \ -m mac \ 
@@ -53,6 +58,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p all \ --destination a:b:c::/128 \ @@ -62,6 +68,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FJ-vnet0 \ -p all \ --destination ::10.1.2.3/128 \ @@ -71,6 +78,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p all \ -m mac \ @@ -82,6 +90,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p all \ --destination ::10.1.2.3/128 \ diff --git a/tests/nwfilterxml2firewalldata/all-linux.args b/tests/nwfilter= xml2firewalldata/all-linux.args index 7ea769f74f..187d9ed9ca 100644 --- a/tests/nwfilterxml2firewalldata/all-linux.args +++ b/tests/nwfilterxml2firewalldata/all-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ -A FJ-vnet0 \ -p all \ -m mac \ @@ -10,6 +11,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p all \ --source 10.1.2.3/32 \ @@ -19,6 +21,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p all \ -m mac \ @@ -30,6 +33,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p all \ --destination 10.1.2.3/22 \ @@ -39,6 +43,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p all \ -m mac \ @@ -50,6 +55,7 @@ iptables \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p all \ --destination 10.1.2.3/22 \ @@ -59,6 +65,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p all \ --destination 10.1.2.3/22 \ @@ -68,6 +75,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p all \ -m mac \ @@ -79,6 +87,7 @@ iptables \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p all \ --destination 10.1.2.3/22 \ diff --git a/tests/nwfilterxml2firewalldata/arp-linux.args b/tests/nwfilter= xml2firewalldata/arp-linux.args index b1360175c4..ef9f44d7bb 100644 
--- a/tests/nwfilterxml2firewalldata/arp-linux.args +++ b/tests/nwfilterxml2firewalldata/arp-linux.args @@ -1,4 +1,5 @@ ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -11,6 +12,7 @@ ebtables \ --arp-mac-dst 0a:0b:0c:0d:0e:0f \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -20,6 +22,7 @@ ebtables \ --arp-ptype 0xff \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -29,6 +32,7 @@ ebtables \ --arp-ptype 0x100 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -38,6 +42,7 @@ ebtables \ --arp-ptype 0xffff \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -p 0x806 \ diff --git a/tests/nwfilterxml2firewalldata/comment-linux.args b/tests/nwfi= lterxml2firewalldata/comment-linux.args index 462b2e2177..6233ccf9f5 100644 --- a/tests/nwfilterxml2firewalldata/comment-linux.args +++ b/tests/nwfilterxml2firewalldata/comment-linux.args @@ -1,9 +1,11 @@ ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -p 0x1234 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -17,6 +19,7 @@ ebtables \ --ip-tos 0x32 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \ @@ -29,6 +32,7 @@ ebtables \ --ip6-destination-port 13107:65535 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -41,6 +45,7 @@ ebtables \ --arp-mac-dst 0a:0b:0c:0d:0e:0f \ -j ACCEPT iptables \ +-w \ -A FJ-vnet0 \ -p udp \ -m mac \ @@ -56,6 +61,7 @@ iptables \ --comment 'udp rule' \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --source 10.1.2.3/32 \ @@ -69,6 +75,7 @@ iptables \ --comment 'udp rule' \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ -m mac \ 
@@ -84,6 +91,7 @@ iptables \ --comment 'udp rule' \ -j RETURN ip6tables \ +-w \ -A FJ-vnet0 \ -p tcp \ --destination a:b:c::/128 \ @@ -97,6 +105,7 @@ ip6tables \ --comment 'tcp/ipv6 rule' \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p tcp \ -m mac \ @@ -112,6 +121,7 @@ ip6tables \ --comment 'tcp/ipv6 rule' \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p tcp \ --destination a:b:c::/128 \ @@ -125,6 +135,7 @@ ip6tables \ --comment 'tcp/ipv6 rule' \ -j RETURN ip6tables \ +-w \ -A FJ-vnet0 \ -p udp \ -m state \ @@ -133,6 +144,7 @@ ip6tables \ --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p udp \ -m state \ @@ -141,6 +153,7 @@ ip6tables \ --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p udp \ -m state \ @@ -149,6 +162,7 @@ ip6tables \ --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \ -j RETURN ip6tables \ +-w \ -A FJ-vnet0 \ -p sctp \ -m state \ @@ -157,6 +171,7 @@ ip6tables \ --comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p sctp \ -m state \ @@ -165,6 +180,7 @@ ip6tables \ --comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p sctp \ -m state \ @@ -173,6 +189,7 @@ ip6tables \ --comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \ -j RETURN ip6tables \ +-w \ -A FJ-vnet0 \ -p ah \ -m state \ @@ -182,6 +199,7 @@ ip6tables \ -f ${tmp}' \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p ah \ -m state \ @@ -191,6 +209,7 @@ ip6tables \ -f ${tmp}' \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p ah \ -m state \ diff --git a/tests/nwfilterxml2firewalldata/conntrack-linux.args b/tests/nw= filterxml2firewalldata/conntrack-linux.args index c653049e8e..78495598a1 100644 --- a/tests/nwfilterxml2firewalldata/conntrack-linux.args +++ b/tests/nwfilterxml2firewalldata/conntrack-linux.args 
@@ -1,40 +1,47 @@ iptables \ +-w \ -A FJ-vnet0 \ -p icmp \ -m connlimit \ --connlimit-above 1 \ -j DROP iptables \ +-w \ -A HJ-vnet0 \ -p icmp \ -m connlimit \ --connlimit-above 1 \ -j DROP iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ -m connlimit \ --connlimit-above 2 \ -j DROP iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ -m connlimit \ --connlimit-above 2 \ -j DROP iptables \ +-w \ -A FJ-vnet0 \ -p all \ -m state \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p all \ -m state \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p all \ -m state \ diff --git a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args b/tests/nwf= ilterxml2firewalldata/esp-ipv6-linux.args index 51cf74815b..22dad0b412 100644 --- a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args @@ -1,4 +1,5 @@ ip6tables \ +-w \ -A FJ-vnet0 \ -p esp \ -m mac \ @@ -11,6 +12,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p esp \ --destination f:e:d::c:b:a/127 \ @@ -21,6 +23,7 @@ ip6tables \ --state ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p esp \ -m mac \ @@ -33,6 +36,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FJ-vnet0 \ -p esp \ --destination a:b:c::/128 \ @@ -42,6 +46,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p esp \ -m mac \ @@ -53,6 +58,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p esp \ --destination a:b:c::/128 \ @@ -62,6 +68,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FJ-vnet0 \ -p esp \ --destination ::10.1.2.3/128 \ @@ -71,6 +78,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p esp \ -m mac \ @@ -82,6 +90,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p esp \ --destination ::10.1.2.3/128 \ 
diff --git a/tests/nwfilterxml2firewalldata/esp-linux.args b/tests/nwfilter= xml2firewalldata/esp-linux.args index 17acb8133c..7cd70afaa1 100644 --- a/tests/nwfilterxml2firewalldata/esp-linux.args +++ b/tests/nwfilterxml2firewalldata/esp-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ -A FJ-vnet0 \ -p esp \ -m mac \ @@ -10,6 +11,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p esp \ --source 10.1.2.3/32 \ @@ -19,6 +21,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p esp \ -m mac \ @@ -30,6 +33,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p esp \ --destination 10.1.2.3/22 \ @@ -39,6 +43,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p esp \ -m mac \ @@ -50,6 +55,7 @@ iptables \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p esp \ --destination 10.1.2.3/22 \ @@ -59,6 +65,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p esp \ --destination 10.1.2.3/22 \ @@ -68,6 +75,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p esp \ -m mac \ @@ -79,6 +87,7 @@ iptables \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p esp \ --destination 10.1.2.3/22 \ diff --git a/tests/nwfilterxml2firewalldata/example-1-linux.args b/tests/nw= filterxml2firewalldata/example-1-linux.args index c5549f8dd6..1cc3746d40 100644 --- a/tests/nwfilterxml2firewalldata/example-1-linux.args +++ b/tests/nwfilterxml2firewalldata/example-1-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --sport 22 \ @@ -6,6 +7,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --dport 22 \ @@ -13,6 +15,7 @@ iptables \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --sport 22 \ 
@@ -20,50 +23,59 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p icmp \ -m state \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p icmp \ -m state \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p icmp \ -m state \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p all \ -m state \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p all \ -m state \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p all \ -m state \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p all \ -j DROP iptables \ +-w \ -A FP-vnet0 \ -p all \ -j DROP iptables \ +-w \ -A HJ-vnet0 \ -p all \ -j DROP diff --git a/tests/nwfilterxml2firewalldata/example-2-linux.args b/tests/nw= filterxml2firewalldata/example-2-linux.args index 2db58f1e0f..87462ad954 100644 --- a/tests/nwfilterxml2firewalldata/example-2-linux.args +++ b/tests/nwfilterxml2firewalldata/example-2-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ -A FJ-vnet0 \ -p all \ -m state \ @@ -7,6 +8,7 @@ iptables \ --comment 'out: existing and related (ftp) connections' \ -j RETURN iptables \ +-w \ -A HJ-vnet0 \ -p all \ -m state \ @@ -15,6 +17,7 @@ iptables \ --comment 'out: existing and related (ftp) connections' \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p all \ -m state \ @@ -23,6 +26,7 @@ iptables \ --comment 'in: existing connections' \ -j ACCEPT iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --dport 21:22 \ @@ -32,6 +36,7 @@ iptables \ --comment 'in: ftp and ssh' \ -j ACCEPT iptables \ +-w \ -A FP-vnet0 \ -p icmp \ -m state \ @@ -40,6 +45,7 @@ iptables \ --comment 'in: icmp' \ -j ACCEPT iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --dport 53 \ @@ -49,6 +55,7 @@ iptables \ --comment 'out: DNS lookups' \ -j RETURN iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --dport 53 \ 
@@ -58,18 +65,21 @@ iptables \ --comment 'out: DNS lookups' \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p all \ -m comment \ --comment 'inout: drop all non-accepted traffic' \ -j DROP iptables \ +-w \ -A FP-vnet0 \ -p all \ -m comment \ --comment 'inout: drop all non-accepted traffic' \ -j DROP iptables \ +-w \ -A HJ-vnet0 \ -p all \ -m comment \ diff --git a/tests/nwfilterxml2firewalldata/hex-data-linux.args b/tests/nwf= ilterxml2firewalldata/hex-data-linux.args index f1a1f588f2..3c04e1c23d 100644 --- a/tests/nwfilterxml2firewalldata/hex-data-linux.args +++ b/tests/nwfilterxml2firewalldata/hex-data-linux.args @@ -1,9 +1,11 @@ ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -p 0x1234 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -17,6 +19,7 @@ ebtables \ --ip-tos 0x32 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \ @@ -29,6 +32,7 @@ ebtables \ --ip6-destination-port 13107:65535 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -41,6 +45,7 @@ ebtables \ --arp-mac-dst 0a:0b:0c:0d:0e:0f \ -j ACCEPT iptables \ +-w \ -A FJ-vnet0 \ -p udp \ -m mac \ @@ -54,6 +59,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --source 10.1.2.3/32 \ @@ -65,6 +71,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ -m mac \ @@ -78,6 +85,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FJ-vnet0 \ -p tcp \ --destination a:b:c::/128 \ @@ -89,6 +97,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p tcp \ -m mac \ @@ -102,6 +111,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p tcp \ --destination a:b:c::/128 \ 
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction-linux.args b/tes= ts/nwfilterxml2firewalldata/icmp-direction-linux.args index 9f481fa831..7548aaeba5 100644 --- a/tests/nwfilterxml2firewalldata/icmp-direction-linux.args +++ b/tests/nwfilterxml2firewalldata/icmp-direction-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ -A FP-vnet0 \ -p icmp \ --icmp-type 0 \ @@ -6,6 +7,7 @@ iptables \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A FJ-vnet0 \ -p icmp \ --icmp-type 8 \ @@ -13,6 +15,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A HJ-vnet0 \ -p icmp \ --icmp-type 8 \ @@ -20,14 +23,17 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p icmp \ -j DROP iptables \ +-w \ -A FP-vnet0 \ -p icmp \ -j DROP iptables \ +-w \ -A HJ-vnet0 \ -p icmp \ -j DROP diff --git a/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args b/te= sts/nwfilterxml2firewalldata/icmp-direction2-linux.args index 1faa3d880a..026702caee 100644 --- a/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args +++ b/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ -A FP-vnet0 \ -p icmp \ --icmp-type 8 \ @@ -6,6 +7,7 @@ iptables \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A FJ-vnet0 \ -p icmp \ --icmp-type 0 \ @@ -13,6 +15,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A HJ-vnet0 \ -p icmp \ --icmp-type 0 \ @@ -20,14 +23,17 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p icmp \ -j DROP iptables \ +-w \ -A FP-vnet0 \ -p icmp \ -j DROP iptables \ +-w \ -A HJ-vnet0 \ -p icmp \ -j DROP diff --git a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args b/te= sts/nwfilterxml2firewalldata/icmp-direction3-linux.args index 6cc8e132d9..6ee6a4f84a 100644 --- a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args +++ b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args 
@@ -1,30 +1,36 @@ iptables \ +-w \ -A FJ-vnet0 \ -p icmp \ -m state \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p icmp \ -m state \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p icmp \ -m state \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p all \ -j DROP iptables \ +-w \ -A FP-vnet0 \ -p all \ -j DROP iptables \ +-w \ -A HJ-vnet0 \ -p all \ -j DROP diff --git a/tests/nwfilterxml2firewalldata/icmp-linux.args b/tests/nwfilte= rxml2firewalldata/icmp-linux.args index d808f0ea60..d688e29213 100644 --- a/tests/nwfilterxml2firewalldata/icmp-linux.args +++ b/tests/nwfilterxml2firewalldata/icmp-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ -A FJ-vnet0 \ -p icmp \ -m mac \ @@ -11,6 +12,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A HJ-vnet0 \ -p icmp \ -m mac \ @@ -23,6 +25,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p icmp \ -m mac \ diff --git a/tests/nwfilterxml2firewalldata/icmpv6-linux.args b/tests/nwfil= terxml2firewalldata/icmpv6-linux.args index 92190eb311..6e2110fb81 100644 --- a/tests/nwfilterxml2firewalldata/icmpv6-linux.args +++ b/tests/nwfilterxml2firewalldata/icmpv6-linux.args @@ -1,4 +1,5 @@ ip6tables \ +-w \ -A FJ-vnet0 \ -p icmpv6 \ -m mac \ @@ -12,6 +13,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A HJ-vnet0 \ -p icmpv6 \ -m mac \ @@ -25,6 +27,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p icmpv6 \ -m mac \ @@ -37,6 +40,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A FP-vnet0 \ -p icmpv6 \ -m mac \ diff --git a/tests/nwfilterxml2firewalldata/igmp-linux.args b/tests/nwfilte= rxml2firewalldata/igmp-linux.args index 727463a62d..b954b0ae99 100644 --- a/tests/nwfilterxml2firewalldata/igmp-linux.args +++ b/tests/nwfilterxml2firewalldata/igmp-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ -A FJ-vnet0 \ -p igmp \ -m mac \ 
@@ -10,6 +11,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p igmp \ --source 10.1.2.3/32 \ @@ -19,6 +21,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p igmp \ -m mac \ @@ -30,6 +33,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p igmp \ --destination 10.1.2.3/22 \ @@ -39,6 +43,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p igmp \ -m mac \ @@ -50,6 +55,7 @@ iptables \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p igmp \ --destination 10.1.2.3/22 \ @@ -59,6 +65,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p igmp \ --destination 10.1.2.3/22 \ @@ -68,6 +75,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p igmp \ -m mac \ @@ -79,6 +87,7 @@ iptables \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p igmp \ --destination 10.1.2.3/22 \ diff --git a/tests/nwfilterxml2firewalldata/ip-linux.args b/tests/nwfilterx= ml2firewalldata/ip-linux.args index 399a47491e..8e64839678 100644 --- a/tests/nwfilterxml2firewalldata/ip-linux.args +++ b/tests/nwfilterxml2firewalldata/ip-linux.args @@ -1,4 +1,5 @@ ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -11,6 +12,7 @@ ebtables \ --ip-destination-port 100:101 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -p ipv4 \ @@ -20,6 +22,7 @@ ebtables \ --ip-tos 0x3f \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -p ipv4 \ diff --git a/tests/nwfilterxml2firewalldata/ipset-linux.args b/tests/nwfilt= erxml2firewalldata/ipset-linux.args index 0fe0739962..5cdb151354 100644 --- a/tests/nwfilterxml2firewalldata/ipset-linux.args +++ b/tests/nwfilterxml2firewalldata/ipset-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ -A FJ-vnet0 \ -p all \ -m state \ 
@@ -7,6 +8,7 @@ iptables \ --match-set tck_test src,dst \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p all \ -m state \ @@ -15,6 +17,7 @@ iptables \ --match-set tck_test dst,src \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p all \ -m state \ @@ -23,6 +26,7 @@ iptables \ --match-set tck_test src,dst \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p all \ -m set \ @@ -31,6 +35,7 @@ iptables \ --comment in+NONE \ -j ACCEPT iptables \ +-w \ -A FJ-vnet0 \ -p all \ -m set \ @@ -39,6 +44,7 @@ iptables \ --comment out+NONE \ -j RETURN iptables \ +-w \ -A HJ-vnet0 \ -p all \ -m set \ @@ -47,6 +53,7 @@ iptables \ --comment out+NONE \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p all \ -m state \ @@ -55,6 +62,7 @@ iptables \ --match-set tck_test dst,src,dst \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p all \ -m state \ @@ -63,6 +71,7 @@ iptables \ --match-set tck_test src,dst,src \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p all \ -m state \ @@ -71,6 +80,7 @@ iptables \ --match-set tck_test dst,src,dst \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p all \ -m state \ @@ -79,6 +89,7 @@ iptables \ --match-set tck_test dst,src,dst \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p all \ -m state \ @@ -87,6 +98,7 @@ iptables \ --match-set tck_test src,dst,src \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p all \ -m state \ @@ -95,6 +107,7 @@ iptables \ --match-set tck_test dst,src,dst \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p all \ -m state \ @@ -103,6 +116,7 @@ iptables \ --match-set tck_test dst,src \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p all \ -m state \ @@ -111,6 +125,7 @@ iptables \ --match-set tck_test src,dst \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p all \ -m state \ @@ -119,6 +134,7 @@ iptables \ --match-set tck_test dst,src \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p all \ -m set \ @@ -127,6 +143,7 @@ iptables \ --comment inout \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p all \ -m set \ 
@@ -135,6 +152,7 @@ iptables \ --comment inout \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p all \ -m set \ diff --git a/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args b/te= sts/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args index 86ab228fb8..c35fa1e488 100644 --- a/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args +++ b/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args @@ -1,10 +1,12 @@ iptables \ +-w \ -A FP-vnet0 \ -p all \ -m mac '!' \ --mac-source 12:34:56:78:9a:bc \ -j DROP iptables \ +-w \ -A FP-vnet0 \ -p all \ -m mac '!' \ diff --git a/tests/nwfilterxml2firewalldata/ipv6-linux.args b/tests/nwfilte= rxml2firewalldata/ipv6-linux.args index 6fba19f2eb..87db9c2979 100644 --- a/tests/nwfilterxml2firewalldata/ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/ipv6-linux.args @@ -1,4 +1,5 @@ ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \ @@ -11,6 +12,7 @@ ebtables \ --ip6-destination-port 100:101 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -p ipv6 \ @@ -21,6 +23,7 @@ ebtables \ --ip6-source-port 100:101 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -p ipv6 \ @@ -31,6 +34,7 @@ ebtables \ --ip6-destination-port 100:101 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -p ipv6 \ @@ -41,6 +45,7 @@ ebtables \ --ip6-source-port 65535:65535 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -p ipv6 \ @@ -51,6 +56,7 @@ ebtables \ --ip6-destination-port 65535:65535 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -p ipv6 \ @@ -59,6 +65,7 @@ ebtables \ --ip6-protocol 18 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -p ipv6 \ @@ -67,6 +74,7 @@ ebtables \ --ip6-protocol 18 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -p ipv6 \ 
@@ -76,6 +84,7 @@ ebtables \ --ip6-icmp-type 1:11/10:11 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -p ipv6 \ @@ -85,6 +94,7 @@ ebtables \ --ip6-icmp-type 1:11/10:11 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -p ipv6 \ @@ -94,6 +104,7 @@ ebtables \ --ip6-icmp-type 1:1/10:10 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -p ipv6 \ @@ -103,6 +114,7 @@ ebtables \ --ip6-icmp-type 1:1/10:10 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -p ipv6 \ @@ -112,6 +124,7 @@ ebtables \ --ip6-icmp-type 0:255/10:10 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -p ipv6 \ @@ -121,6 +134,7 @@ ebtables \ --ip6-icmp-type 0:255/10:10 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -p ipv6 \ @@ -130,6 +144,7 @@ ebtables \ --ip6-icmp-type 1:1/0:255 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -p ipv6 \ diff --git a/tests/nwfilterxml2firewalldata/iter1-linux.args b/tests/nwfilt= erxml2firewalldata/iter1-linux.args index 31f37cf537..9bdad18748 100644 --- a/tests/nwfilterxml2firewalldata/iter1-linux.args +++ b/tests/nwfilterxml2firewalldata/iter1-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -9,6 +10,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 1.1.1.1 \ @@ -19,6 +21,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -29,6 +32,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ @@ -39,6 +43,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 2.2.2.2 \ @@ -49,6 +54,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ 
@@ -59,6 +65,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ @@ -69,6 +76,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 3.3.3.3 \ @@ -79,6 +87,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ diff --git a/tests/nwfilterxml2firewalldata/iter2-linux.args b/tests/nwfilt= erxml2firewalldata/iter2-linux.args index 4230a9d524..b088350ee5 100644 --- a/tests/nwfilterxml2firewalldata/iter2-linux.args +++ b/tests/nwfilterxml2firewalldata/iter2-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -9,6 +10,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 1.1.1.1 \ @@ -19,6 +21,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -29,6 +32,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ @@ -39,6 +43,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 2.2.2.2 \ @@ -49,6 +54,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ @@ -59,6 +65,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ @@ -69,6 +76,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 3.3.3.3 \ @@ -79,6 +87,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ @@ -89,6 +98,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --source 1.1.1.1 \ @@ -99,6 +109,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --destination 1.1.1.1 \ 
@@ -109,6 +120,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --source 1.1.1.1 \ @@ -119,6 +131,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --source 2.2.2.2 \ @@ -129,6 +142,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --destination 2.2.2.2 \ @@ -139,6 +153,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --source 2.2.2.2 \ @@ -149,6 +164,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --source 3.3.3.3 \ @@ -159,6 +175,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --destination 3.3.3.3 \ @@ -169,6 +186,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --source 3.3.3.3 \ @@ -179,6 +197,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --source 1.1.1.1 \ @@ -189,6 +208,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --destination 1.1.1.1 \ @@ -199,6 +219,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --source 1.1.1.1 \ @@ -209,6 +230,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --source 2.2.2.2 \ @@ -219,6 +241,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --destination 2.2.2.2 \ @@ -229,6 +252,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --source 2.2.2.2 \ @@ -239,6 +263,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --source 3.3.3.3 \ @@ -249,6 +274,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --destination 3.3.3.3 \ 
@@ -259,6 +285,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --source 3.3.3.3 \ @@ -269,6 +296,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p sctp \ --source 1.1.1.1 \ @@ -280,6 +308,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p sctp \ --destination 1.1.1.1 \ @@ -291,6 +320,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p sctp \ --source 1.1.1.1 \ @@ -302,6 +332,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p sctp \ --source 2.2.2.2 \ @@ -313,6 +344,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p sctp \ --destination 2.2.2.2 \ @@ -324,6 +356,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p sctp \ --source 2.2.2.2 \ @@ -335,6 +368,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p sctp \ --source 3.3.3.3 \ @@ -346,6 +380,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p sctp \ --destination 3.3.3.3 \ @@ -357,6 +392,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p sctp \ --source 3.3.3.3 \ @@ -368,6 +404,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p sctp \ --source 1.1.1.1 \ @@ -379,6 +416,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p sctp \ --destination 1.1.1.1 \ @@ -390,6 +428,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p sctp \ --source 1.1.1.1 \ @@ -401,6 +440,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p sctp \ --source 2.2.2.2 \ @@ -412,6 +452,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p sctp \ --destination 2.2.2.2 \ 
@@ -423,6 +464,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p sctp \ --source 2.2.2.2 \ @@ -434,6 +476,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p sctp \ --source 3.3.3.3 \ @@ -445,6 +488,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p sctp \ --destination 3.3.3.3 \ @@ -456,6 +500,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p sctp \ --source 3.3.3.3 \ @@ -467,6 +512,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p sctp \ --source 1.1.1.1 \ @@ -478,6 +524,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p sctp \ --destination 1.1.1.1 \ @@ -489,6 +536,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p sctp \ --source 1.1.1.1 \ @@ -500,6 +548,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p sctp \ --source 2.2.2.2 \ @@ -511,6 +560,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p sctp \ --destination 2.2.2.2 \ @@ -522,6 +572,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p sctp \ --source 2.2.2.2 \ @@ -533,6 +584,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p sctp \ --source 3.3.3.3 \ @@ -544,6 +596,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p sctp \ --destination 3.3.3.3 \ @@ -555,6 +608,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p sctp \ --source 3.3.3.3 \ @@ -566,6 +620,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p sctp \ --source 1.1.1.1 \ @@ -577,6 +632,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p sctp \ --destination 1.1.1.1 \ 
@@ -588,6 +644,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p sctp \ --source 1.1.1.1 \ @@ -599,6 +656,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p sctp \ --source 2.2.2.2 \ @@ -610,6 +668,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p sctp \ --destination 2.2.2.2 \ @@ -621,6 +680,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p sctp \ --source 2.2.2.2 \ @@ -632,6 +692,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p sctp \ --source 3.3.3.3 \ @@ -643,6 +704,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p sctp \ --destination 3.3.3.3 \ @@ -654,6 +716,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p sctp \ --source 3.3.3.3 \ @@ -665,6 +728,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -676,6 +740,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 1.1.1.1 \ @@ -687,6 +752,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -698,6 +764,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ @@ -709,6 +776,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 2.2.2.2 \ @@ -720,6 +788,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ @@ -731,6 +800,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ @@ -742,6 +812,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 3.3.3.3 \ 
@@ -753,6 +824,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ @@ -764,6 +836,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -775,6 +848,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 1.1.1.1 \ @@ -786,6 +860,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -797,6 +872,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ @@ -808,6 +884,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 2.2.2.2 \ @@ -819,6 +896,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ @@ -830,6 +908,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ @@ -841,6 +920,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 3.3.3.3 \ @@ -852,6 +932,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ @@ -863,6 +944,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -874,6 +956,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 1.1.1.1 \ @@ -885,6 +968,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -896,6 +980,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ @@ -907,6 +992,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 2.2.2.2 \ 
@@ -918,6 +1004,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ @@ -929,6 +1016,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ @@ -940,6 +1028,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 3.3.3.3 \ @@ -951,6 +1040,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ @@ -962,6 +1052,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -973,6 +1064,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 1.1.1.1 \ @@ -984,6 +1076,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -995,6 +1088,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ @@ -1006,6 +1100,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 2.2.2.2 \ @@ -1017,6 +1112,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ @@ -1028,6 +1124,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ @@ -1039,6 +1136,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 3.3.3.3 \ @@ -1050,6 +1148,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ @@ -1061,6 +1160,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -1072,6 +1172,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 1.1.1.1 \ 
@@ -1083,6 +1184,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -1094,6 +1196,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ @@ -1105,6 +1208,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 2.2.2.2 \ @@ -1116,6 +1220,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ @@ -1127,6 +1232,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ @@ -1138,6 +1244,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 3.3.3.3 \ @@ -1149,6 +1256,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ @@ -1160,6 +1268,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -1171,6 +1280,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 1.1.1.1 \ @@ -1182,6 +1292,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -1193,6 +1304,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ @@ -1204,6 +1316,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 2.2.2.2 \ @@ -1215,6 +1328,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ @@ -1226,6 +1340,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ @@ -1237,6 +1352,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 3.3.3.3 \ 
@@ -1248,6 +1364,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ @@ -1259,6 +1376,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -1270,6 +1388,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 1.1.1.1 \ @@ -1281,6 +1400,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -1292,6 +1412,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ @@ -1303,6 +1424,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 2.2.2.2 \ @@ -1314,6 +1436,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ @@ -1325,6 +1448,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ @@ -1336,6 +1460,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 3.3.3.3 \ @@ -1347,6 +1472,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ @@ -1358,6 +1484,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -1369,6 +1496,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 1.1.1.1 \ @@ -1380,6 +1508,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -1391,6 +1520,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ @@ -1402,6 +1532,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 2.2.2.2 \ 
@@ -1413,6 +1544,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 2.2.2.2 \ @@ -1424,6 +1556,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ @@ -1435,6 +1568,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 3.3.3.3 \ @@ -1446,6 +1580,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 3.3.3.3 \ @@ -1457,6 +1592,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --source 1.1.1.1 \ @@ -1467,6 +1603,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --destination 1.1.1.1 \ @@ -1477,6 +1614,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --source 1.1.1.1 \ @@ -1487,6 +1625,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --source 2.2.2.2 \ @@ -1497,6 +1636,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --destination 2.2.2.2 \ @@ -1507,6 +1647,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --source 2.2.2.2 \ @@ -1517,6 +1658,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --source 3.3.3.3 \ @@ -1527,6 +1669,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --destination 3.3.3.3 \ @@ -1537,6 +1680,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --source 3.3.3.3 \ @@ -1547,6 +1691,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --source 1.1.1.1 \ @@ -1557,6 +1702,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --destination 1.1.1.1 \ 
@@ -1567,6 +1713,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --source 1.1.1.1 \ @@ -1577,6 +1724,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --source 2.2.2.2 \ @@ -1587,6 +1735,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --destination 2.2.2.2 \ @@ -1597,6 +1746,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --source 2.2.2.2 \ @@ -1607,6 +1757,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --source 3.3.3.3 \ @@ -1617,6 +1768,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --destination 3.3.3.3 \ @@ -1627,6 +1779,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --source 3.3.3.3 \ @@ -1637,6 +1790,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --source 1.1.1.1 \ @@ -1647,6 +1801,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --destination 1.1.1.1 \ @@ -1657,6 +1812,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --source 1.1.1.1 \ @@ -1667,6 +1823,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --source 2.2.2.2 \ @@ -1677,6 +1834,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --destination 2.2.2.2 \ @@ -1687,6 +1845,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --source 2.2.2.2 \ @@ -1697,6 +1856,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --source 3.3.3.3 \ @@ -1707,6 +1867,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --destination 3.3.3.3 \ 
@@ -1717,6 +1878,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --source 3.3.3.3 \ @@ -1727,6 +1889,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p sctp \ --source 1.1.1.1 \ @@ -1737,6 +1900,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p sctp \ --destination 1.1.1.1 \ @@ -1747,6 +1911,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p sctp \ --source 1.1.1.1 \ @@ -1757,6 +1922,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p sctp \ --source 2.2.2.2 \ @@ -1767,6 +1933,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p sctp \ --destination 2.2.2.2 \ @@ -1777,6 +1944,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p sctp \ --source 2.2.2.2 \ @@ -1787,6 +1955,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p sctp \ --source 3.3.3.3 \ @@ -1797,6 +1966,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p sctp \ --destination 3.3.3.3 \ @@ -1807,6 +1977,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p sctp \ --source 3.3.3.3 \ diff --git a/tests/nwfilterxml2firewalldata/iter3-linux.args b/tests/nwfilt= erxml2firewalldata/iter3-linux.args index 0b16577992..cc6d442c75 100644 --- a/tests/nwfilterxml2firewalldata/iter3-linux.args +++ b/tests/nwfilterxml2firewalldata/iter3-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -9,6 +10,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 1.1.1.1 \ @@ -19,6 +21,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -29,6 +32,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ 
@@ -39,6 +43,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --destination 1.1.1.1 \ @@ -49,6 +54,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --source 1.1.1.1 \ @@ -59,6 +65,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --source 2.2.2.2 \ @@ -69,6 +76,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --destination 2.2.2.2 \ @@ -79,6 +87,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --source 2.2.2.2 \ @@ -89,6 +98,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --source 2.2.2.2 \ @@ -99,6 +109,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --destination 2.2.2.2 \ @@ -109,6 +120,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --source 2.2.2.2 \ @@ -119,6 +131,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p sctp \ --source 2.2.2.2 \ @@ -130,6 +143,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p sctp \ --destination 2.2.2.2 \ @@ -141,6 +155,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p sctp \ --source 2.2.2.2 \ diff --git a/tests/nwfilterxml2firewalldata/mac-linux.args b/tests/nwfilter= xml2firewalldata/mac-linux.args index 0fd9dbccc0..cc3aab2b92 100644 --- a/tests/nwfilterxml2firewalldata/mac-linux.args +++ b/tests/nwfilterxml2firewalldata/mac-linux.args 
@@ -1,22 +1,26 @@ ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ -p 0x806 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \ -p 0x800 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \ -p 0x600 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \ diff --git a/tests/nwfilterxml2firewalldata/rarp-linux.args b/tests/nwfilte= rxml2firewalldata/rarp-linux.args index f5fd6433bd..3e2441818c 100644 --- a/tests/nwfilterxml2firewalldata/rarp-linux.args +++ b/tests/nwfilterxml2firewalldata/rarp-linux.args @@ -1,7 +1,9 @@ ebtables \ +--concurrent \ -t nat \ -N libvirt-J-vnet0 ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -14,6 +16,7 @@ ebtables \ --arp-mac-dst 0a:0b:0c:0d:0e:0f \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -23,6 +26,7 @@ ebtables \ --arp-ptype 0xff \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -32,6 +36,7 @@ ebtables \ --arp-ptype 0x100 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -41,6 +46,7 @@ ebtables \ --arp-ptype 0xffff \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A PREROUTING \ -i vnet0 \ diff --git a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args b/tests/nw= filterxml2firewalldata/sctp-ipv6-linux.args index 959c4e8e0f..fbe6f39198 100644 --- a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args @@ -1,4 +1,5 @@ ip6tables \ +-w \ -A FJ-vnet0 \ -p sctp \ -m mac \ @@ -10,6 +11,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p sctp \ --source a:b:c::d:e:f/128 \ 
@@ -19,6 +21,7 @@ ip6tables \ --state ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p sctp \ -m mac \ @@ -30,6 +33,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FJ-vnet0 \ -p sctp \ --destination a:b:c::/128 \ @@ -41,6 +45,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p sctp \ -m mac \ @@ -54,6 +59,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p sctp \ --destination a:b:c::/128 \ @@ -65,6 +71,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FJ-vnet0 \ -p sctp \ --destination ::10.1.2.3/128 \ @@ -76,6 +83,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p sctp \ -m mac \ @@ -89,6 +97,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p sctp \ --destination ::10.1.2.3/128 \ diff --git a/tests/nwfilterxml2firewalldata/sctp-linux.args b/tests/nwfilte= rxml2firewalldata/sctp-linux.args index 671fc0480f..a3c5a7a72d 100644 --- a/tests/nwfilterxml2firewalldata/sctp-linux.args +++ b/tests/nwfilterxml2firewalldata/sctp-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ -A FJ-vnet0 \ -p sctp \ -m mac \ @@ -10,6 +11,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p sctp \ --source 10.1.2.3/32 \ @@ -19,6 +21,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p sctp \ -m mac \ @@ -30,6 +33,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p sctp \ --destination 10.1.2.3/32 \ @@ -41,6 +45,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p sctp \ -m mac \ @@ -54,6 +59,7 @@ iptables \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p sctp \ --destination 10.1.2.3/32 \ @@ -65,6 +71,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p sctp \ --destination 10.1.2.3/32 \ 
@@ -76,6 +83,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p sctp \ -m mac \ @@ -89,6 +97,7 @@ iptables \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p sctp \ --destination 10.1.2.3/32 \ diff --git a/tests/nwfilterxml2firewalldata/stp-linux.args b/tests/nwfilter= xml2firewalldata/stp-linux.args index e3114ac622..76f5321856 100644 --- a/tests/nwfilterxml2firewalldata/stp-linux.args +++ b/tests/nwfilterxml2firewalldata/stp-linux.args @@ -1,32 +1,41 @@ ebtables \ +--concurrent \ -t nat \ -F J-vnet0-stp-xyz ebtables \ +--concurrent \ -t nat \ -X J-vnet0-stp-xyz ebtables \ +--concurrent \ -t nat \ -N J-vnet0-stp-xyz ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -d 01:80:c2:00:00:00 \ -j J-vnet0-stp-xyz ebtables \ +--concurrent \ -t nat \ -F P-vnet0-stp-xyz ebtables \ +--concurrent \ -t nat \ -X P-vnet0-stp-xyz ebtables \ +--concurrent \ -t nat \ -N P-vnet0-stp-xyz ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -d 01:80:c2:00:00:00 \ -j P-vnet0-stp-xyz ebtables \ +--concurrent \ -t nat \ -A P-vnet0-stp-xyz \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -35,6 +44,7 @@ ebtables \ --stp-flags 68 \ -j CONTINUE ebtables \ +--concurrent \ -t nat \ -A J-vnet0-stp-xyz \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -44,6 +54,7 @@ ebtables \ --stp-root-cost 287454020:573785173 \ -j RETURN ebtables \ +--concurrent \ -t nat \ -A P-vnet0-stp-xyz \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ diff --git a/tests/nwfilterxml2firewalldata/target-linux.args b/tests/nwfil= terxml2firewalldata/target-linux.args index d219877716..5216c709dd 100644 --- a/tests/nwfilterxml2firewalldata/target-linux.args +++ b/tests/nwfilterxml2firewalldata/target-linux.args 
@@ -1,40 +1,47 @@ ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ -p 0x806 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ -p 0x806 \ -j DROP ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ -p 0x806 \ -j DROP ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \ -p 0x800 \ -j ACCEPT ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \ -p 0x800 \ -j DROP ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \ -p 0x800 \ -j DROP iptables \ +-w \ -A FJ-vnet0 \ -p all \ -m mac \ @@ -49,6 +56,7 @@ iptables \ -- dir out' \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p all \ --source 10.1.2.3/32 \ @@ -61,6 +69,7 @@ iptables \ -- dir out' \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p all \ -m mac \ @@ -75,6 +84,7 @@ iptables \ -- dir out' \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p all \ -m mac \ @@ -87,6 +97,7 @@ iptables \ -- dir out' \ -j DROP iptables \ +-w \ -A FP-vnet0 \ -p all \ --source 10.1.2.3/32 \ @@ -97,6 +108,7 @@ iptables \ -- dir out' \ -j DROP iptables \ +-w \ -A HJ-vnet0 \ -p all \ -m mac \ @@ -109,6 +121,7 @@ iptables \ -- dir out' \ -j DROP iptables \ +-w \ -A FJ-vnet0 \ -p all \ -m mac \ @@ -121,6 +134,7 @@ iptables \ -- dir out' \ -j REJECT iptables \ +-w \ -A FP-vnet0 \ -p all \ --source 10.1.2.3/32 \ @@ -131,6 +145,7 @@ iptables \ -- dir out' \ -j REJECT iptables \ +-w \ -A HJ-vnet0 \ -p all \ -m mac \ @@ -143,6 +158,7 @@ iptables \ -- dir out' \ -j REJECT iptables \ +-w \ -A FJ-vnet0 \ -p all \ --destination 10.1.2.3/22 \ @@ -155,6 +171,7 @@ iptables \ -- dir in' \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p all \ -m mac \ @@ -169,6 +186,7 @@ iptables \ -- dir in' \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p all \ --destination 10.1.2.3/22 \ 
@@ -181,6 +199,7 @@ iptables \ -- dir in' \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p all \ --destination 10.1.2.3/22 \ @@ -191,6 +210,7 @@ iptables \ -- dir in' \ -j DROP iptables \ +-w \ -A FP-vnet0 \ -p all \ -m mac \ @@ -203,6 +223,7 @@ iptables \ -- dir in' \ -j DROP iptables \ +-w \ -A HJ-vnet0 \ -p all \ --destination 10.1.2.3/22 \ @@ -213,6 +234,7 @@ iptables \ -- dir in' \ -j DROP iptables \ +-w \ -A FJ-vnet0 \ -p all \ --destination 10.1.2.3/22 \ @@ -223,6 +245,7 @@ iptables \ -- dir in' \ -j REJECT iptables \ +-w \ -A FP-vnet0 \ -p all \ -m mac \ @@ -235,6 +258,7 @@ iptables \ -- dir in' \ -j REJECT iptables \ +-w \ -A HJ-vnet0 \ -p all \ --destination 10.1.2.3/22 \ @@ -245,6 +269,7 @@ iptables \ -- dir in' \ -j REJECT iptables \ +-w \ -A FJ-vnet0 \ -p all \ -m comment \ @@ -252,6 +277,7 @@ iptables \ -- dir inout' \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p all \ -m comment \ @@ -259,6 +285,7 @@ iptables \ -- dir inout' \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p all \ -m comment \ @@ -266,6 +293,7 @@ iptables \ -- dir inout' \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p all \ -m comment \ @@ -273,6 +301,7 @@ iptables \ -- dir inout' \ -j DROP iptables \ +-w \ -A FP-vnet0 \ -p all \ -m comment \ @@ -280,6 +309,7 @@ iptables \ -- dir inout' \ -j DROP iptables \ +-w \ -A HJ-vnet0 \ -p all \ -m comment \ @@ -287,6 +317,7 @@ iptables \ -- dir inout' \ -j DROP iptables \ +-w \ -A FJ-vnet0 \ -p all \ -m comment \ @@ -294,6 +325,7 @@ iptables \ -- dir inout' \ -j REJECT iptables \ +-w \ -A FP-vnet0 \ -p all \ -m comment \ @@ -301,6 +333,7 @@ iptables \ -- dir inout' \ -j REJECT iptables \ +-w \ -A HJ-vnet0 \ -p all \ -m comment \ diff --git a/tests/nwfilterxml2firewalldata/target2-linux.args b/tests/nwfi= lterxml2firewalldata/target2-linux.args index cfa4f589d6..c774f6f24a 100644 --- a/tests/nwfilterxml2firewalldata/target2-linux.args +++ b/tests/nwfilterxml2firewalldata/target2-linux.args 
@@ -1,19 +1,23 @@ iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --dport 22 \ -j ACCEPT iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --sport 22 \ -j RETURN iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --sport 22 \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --sport 80 \ @@ -21,6 +25,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --dport 80 \ @@ -28,6 +33,7 @@ iptables \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --sport 80 \ @@ -35,26 +41,32 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ -j REJECT iptables \ +-w \ -A FP-vnet0 \ -p tcp \ -j REJECT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ -j REJECT iptables \ +-w \ -A FJ-vnet0 \ -p all \ -j DROP iptables \ +-w \ -A FP-vnet0 \ -p all \ -j DROP iptables \ +-w \ -A HJ-vnet0 \ -p all \ -j DROP diff --git a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args b/tests/nwf= ilterxml2firewalldata/tcp-ipv6-linux.args index e6f8de3fca..8fa5e24eff 100644 --- a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args @@ -1,4 +1,5 @@ ip6tables \ +-w \ -A FJ-vnet0 \ -p tcp \ -m mac \ @@ -10,6 +11,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p tcp \ --source a:b:c::d:e:f/128 \ @@ -19,6 +21,7 @@ ip6tables \ --state ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p tcp \ -m mac \ @@ -30,6 +33,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FJ-vnet0 \ -p tcp \ --destination a:b:c::/128 \ @@ -41,6 +45,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p tcp \ -m mac \ @@ -54,6 +59,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p tcp \ --destination a:b:c::/128 \ @@ -65,6 +71,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FJ-vnet0 \ -p tcp \ --destination ::10.1.2.3/128 \ 
@@ -76,6 +83,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p tcp \ -m mac \ @@ -89,6 +97,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p tcp \ --destination ::10.1.2.3/128 \ diff --git a/tests/nwfilterxml2firewalldata/tcp-linux.args b/tests/nwfilter= xml2firewalldata/tcp-linux.args index 195bfc01e6..74ac4a6733 100644 --- a/tests/nwfilterxml2firewalldata/tcp-linux.args +++ b/tests/nwfilterxml2firewalldata/tcp-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ -m mac \ @@ -10,6 +11,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --source 10.1.2.3/32 \ @@ -19,6 +21,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ -m mac \ @@ -30,6 +33,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --destination 10.1.2.3/32 \ @@ -39,6 +43,7 @@ iptables \ --sport 100:1111 \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ -m mac \ @@ -50,6 +55,7 @@ iptables \ --dport 100:1111 \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --destination 10.1.2.3/32 \ @@ -59,6 +65,7 @@ iptables \ --sport 100:1111 \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p tcp \ --destination 10.1.2.3/32 \ @@ -68,6 +75,7 @@ iptables \ --sport 65535:65535 \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ -m mac \ @@ -79,6 +87,7 @@ iptables \ --dport 65535:65535 \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p tcp \ --destination 10.1.2.3/32 \ @@ -88,21 +97,25 @@ iptables \ --sport 65535:65535 \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --tcp-flags SYN ALL \ -j ACCEPT iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --tcp-flags SYN SYN,ACK \ -j ACCEPT iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --tcp-flags RST NONE \ -j ACCEPT iptables \ +-w \ -A FP-vnet0 \ -p tcp \ --tcp-flags PSH NONE \ 
diff --git a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args b/tests/nwf= ilterxml2firewalldata/udp-ipv6-linux.args index 9183c08753..59367ed3d3 100644 --- a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args @@ -1,4 +1,5 @@ ip6tables \ +-w \ -A FJ-vnet0 \ -p udp \ -m mac \ @@ -10,6 +11,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p udp \ --source a:b:c::d:e:f/128 \ @@ -19,6 +21,7 @@ ip6tables \ --state ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p udp \ -m mac \ @@ -30,6 +33,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FJ-vnet0 \ -p udp \ --destination ::a:b:c/128 \ @@ -41,6 +45,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p udp \ -m mac \ @@ -54,6 +59,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p udp \ --destination ::a:b:c/128 \ @@ -65,6 +71,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FJ-vnet0 \ -p udp \ --destination ::10.1.2.3/128 \ @@ -76,6 +83,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p udp \ -m mac \ @@ -89,6 +97,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p udp \ --destination ::10.1.2.3/128 \ diff --git a/tests/nwfilterxml2firewalldata/udp-linux.args b/tests/nwfilter= xml2firewalldata/udp-linux.args index 910d648a8a..32a8f56dfc 100644 --- a/tests/nwfilterxml2firewalldata/udp-linux.args +++ b/tests/nwfilterxml2firewalldata/udp-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ -A FJ-vnet0 \ -p udp \ -m mac \ @@ -10,6 +11,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ --source 10.1.2.3/32 \ @@ -19,6 +21,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ -m mac \ 
@@ -30,6 +33,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --destination 10.1.2.3/32 \ @@ -41,6 +45,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ -m mac \ @@ -54,6 +59,7 @@ iptables \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --destination 10.1.2.3/32 \ @@ -65,6 +71,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udp \ --destination 10.1.2.3/32 \ @@ -76,6 +83,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udp \ -m mac \ @@ -89,6 +97,7 @@ iptables \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udp \ --destination 10.1.2.3/32 \ diff --git a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args b/tests= /nwfilterxml2firewalldata/udplite-ipv6-linux.args index 9eb38d7e6d..de564aee36 100644 --- a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args +++ b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args @@ -1,4 +1,5 @@ ip6tables \ +-w \ -A FJ-vnet0 \ -p udplite \ -m mac \ @@ -11,6 +12,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p udplite \ --destination f:e:d::c:b:a/127 \ @@ -21,6 +23,7 @@ ip6tables \ --state ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p udplite \ -m mac \ @@ -33,6 +36,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FJ-vnet0 \ -p udplite \ --destination a:b:c::/128 \ @@ -42,6 +46,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p udplite \ -m mac \ @@ -53,6 +58,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p udplite \ --destination a:b:c::/128 \ @@ -62,6 +68,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FJ-vnet0 \ -p udplite \ --destination ::10.1.2.3/128 \ 
@@ -71,6 +78,7 @@ ip6tables \ --state ESTABLISHED \ -j RETURN ip6tables \ +-w \ -A FP-vnet0 \ -p udplite \ -m mac \ @@ -82,6 +90,7 @@ ip6tables \ --state NEW,ESTABLISHED \ -j ACCEPT ip6tables \ +-w \ -A HJ-vnet0 \ -p udplite \ --destination ::10.1.2.3/128 \ diff --git a/tests/nwfilterxml2firewalldata/udplite-linux.args b/tests/nwfi= lterxml2firewalldata/udplite-linux.args index 53bc667459..8f3a9e8f24 100644 --- a/tests/nwfilterxml2firewalldata/udplite-linux.args +++ b/tests/nwfilterxml2firewalldata/udplite-linux.args @@ -1,4 +1,5 @@ iptables \ +-w \ -A FJ-vnet0 \ -p udplite \ -m mac \ @@ -10,6 +11,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udplite \ --source 10.1.2.3/32 \ @@ -19,6 +21,7 @@ iptables \ --state ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udplite \ -m mac \ @@ -30,6 +33,7 @@ iptables \ --state NEW,ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udplite \ --destination 10.1.2.3/22 \ @@ -39,6 +43,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udplite \ -m mac \ @@ -50,6 +55,7 @@ iptables \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udplite \ --destination 10.1.2.3/22 \ @@ -59,6 +65,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FJ-vnet0 \ -p udplite \ --destination 10.1.2.3/22 \ @@ -68,6 +75,7 @@ iptables \ --state ESTABLISHED \ -j RETURN iptables \ +-w \ -A FP-vnet0 \ -p udplite \ -m mac \ @@ -79,6 +87,7 @@ iptables \ --state NEW,ESTABLISHED \ -j ACCEPT iptables \ +-w \ -A HJ-vnet0 \ -p udplite \ --destination 10.1.2.3/22 \ diff --git a/tests/nwfilterxml2firewalldata/vlan-linux.args b/tests/nwfilte= rxml2firewalldata/vlan-linux.args index 0a8204c4dc..a93c09cfbd 100644 --- a/tests/nwfilterxml2firewalldata/vlan-linux.args +++ b/tests/nwfilterxml2firewalldata/vlan-linux.args @@ -1,4 +1,5 @@ ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ 
@@ -7,6 +8,7 @@ ebtables \ --vlan-id 291 \ -j CONTINUE ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -15,6 +17,7 @@ ebtables \ --vlan-id 291 \ -j CONTINUE ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -23,6 +26,7 @@ ebtables \ --vlan-id 1234 \ -j RETURN ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -31,6 +35,7 @@ ebtables \ --vlan-id 1234 \ -j RETURN ebtables \ +--concurrent \ -t nat \ -A libvirt-P-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -39,6 +44,7 @@ ebtables \ --vlan-id 291 \ -j DROP ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ @@ -47,6 +53,7 @@ ebtables \ --vlan-encap 2054 \ -j DROP ebtables \ +--concurrent \ -t nat \ -A libvirt-J-vnet0 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ diff --git a/tests/nwfilterxml2firewalltest.c b/tests/nwfilterxml2firewallt= est.c index f3fbacce59..7427108e39 100644 --- a/tests/nwfilterxml2firewalltest.c +++ b/tests/nwfilterxml2firewalltest.c 
@@ -58,90 +58,90 @@ struct _virNWFilterInst { =20 static const char *commonRules[] =3D { /* Dropping ebtables rules */ - "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n" - "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n" - "ebtables -t nat -L libvirt-J-vnet0\n" - "ebtables -t nat -L libvirt-P-vnet0\n" - "ebtables -t nat -F libvirt-J-vnet0\n" - "ebtables -t nat -X libvirt-J-vnet0\n" - "ebtables -t nat -F libvirt-P-vnet0\n" - "ebtables -t nat -X libvirt-P-vnet0\n", + "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet= 0\n" + "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vne= t0\n" + "ebtables --concurrent -t nat -L libvirt-J-vnet0\n" + "ebtables --concurrent -t nat -L libvirt-P-vnet0\n" + "ebtables --concurrent -t nat -F libvirt-J-vnet0\n" + "ebtables --concurrent -t nat -X libvirt-J-vnet0\n" + "ebtables --concurrent -t nat -F libvirt-P-vnet0\n" + "ebtables --concurrent -t nat -X libvirt-P-vnet0\n", =20 /* Creating ebtables chains */ - "ebtables -t nat -N libvirt-J-vnet0\n" - "ebtables -t nat -N libvirt-P-vnet0\n", + "ebtables --concurrent -t nat -N libvirt-J-vnet0\n" + "ebtables --concurrent -t nat -N libvirt-P-vnet0\n", =20 /* Dropping iptables rules */ - "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out= vnet0 -g FP-vnet0\n" - "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" - "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" - "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0= \n" - "iptables -F FP-vnet0\n" - "iptables -X FP-vnet0\n" - "iptables -F FJ-vnet0\n" - "iptables -X FJ-vnet0\n" - "iptables -F HJ-vnet0\n" - "iptables -X HJ-vnet0\n", + "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-= out vnet0 -g FP-vnet0\n" + "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0= \n" + "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" + "iptables -w -D 
libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vn= et0\n" + "iptables -w -F FP-vnet0\n" + "iptables -w -X FP-vnet0\n" + "iptables -w -F FJ-vnet0\n" + "iptables -w -X FJ-vnet0\n" + "iptables -w -F HJ-vnet0\n" + "iptables -w -X HJ-vnet0\n", =20 /* Creating iptables chains */ - "iptables -N libvirt-in\n" - "iptables -N libvirt-out\n" - "iptables -N libvirt-in-post\n" - "iptables -N libvirt-host-in\n" - "iptables -D FORWARD -j libvirt-in\n" - "iptables -D FORWARD -j libvirt-out\n" - "iptables -D FORWARD -j libvirt-in-post\n" - "iptables -D INPUT -j libvirt-host-in\n" - "iptables -I FORWARD 1 -j libvirt-in\n" - "iptables -I FORWARD 2 -j libvirt-out\n" - "iptables -I FORWARD 3 -j libvirt-in-post\n" - "iptables -I INPUT 1 -j libvirt-host-in\n" - "iptables -N FP-vnet0\n" - "iptables -N FJ-vnet0\n" - "iptables -N HJ-vnet0\n" - "iptables -A libvirt-out -m physdev --physdev-is-bridged --physdev-out= vnet0 -g FP-vnet0\n" - "iptables -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" - "iptables -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0= \n" - "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n" - "iptables -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n= ", + "iptables -w -N libvirt-in\n" + "iptables -w -N libvirt-out\n" + "iptables -w -N libvirt-in-post\n" + "iptables -w -N libvirt-host-in\n" + "iptables -w -D FORWARD -j libvirt-in\n" + "iptables -w -D FORWARD -j libvirt-out\n" + "iptables -w -D FORWARD -j libvirt-in-post\n" + "iptables -w -D INPUT -j libvirt-host-in\n" + "iptables -w -I FORWARD 1 -j libvirt-in\n" + "iptables -w -I FORWARD 2 -j libvirt-out\n" + "iptables -w -I FORWARD 3 -j libvirt-in-post\n" + "iptables -w -I INPUT 1 -j libvirt-host-in\n" + "iptables -w -N FP-vnet0\n" + "iptables -w -N FJ-vnet0\n" + "iptables -w -N HJ-vnet0\n" + "iptables -w -A libvirt-out -m physdev --physdev-is-bridged --physdev-= out vnet0 -g FP-vnet0\n" + "iptables -w -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" 
+ "iptables -w -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vn= et0\n" + "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEP= T\n" + "iptables -w -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEP= T\n", =20 /* Dropping ip6tables rules */ - "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-ou= t vnet0 -g FP-vnet0\n" - "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" - "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" - "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet= 0\n" - "ip6tables -F FP-vnet0\n" - "ip6tables -X FP-vnet0\n" - "ip6tables -F FJ-vnet0\n" - "ip6tables -X FJ-vnet0\n" - "ip6tables -F HJ-vnet0\n" - "ip6tables -X HJ-vnet0\n", + "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev= -out vnet0 -g FP-vnet0\n" + "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet= 0\n" + "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\= n" + "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-v= net0\n" + "ip6tables -w -F FP-vnet0\n" + "ip6tables -w -X FP-vnet0\n" + "ip6tables -w -F FJ-vnet0\n" + "ip6tables -w -X FJ-vnet0\n" + "ip6tables -w -F HJ-vnet0\n" + "ip6tables -w -X HJ-vnet0\n", =20 /* Creating ip6tables chains */ - "ip6tables -N libvirt-in\n" - "ip6tables -N libvirt-out\n" - "ip6tables -N libvirt-in-post\n" - "ip6tables -N libvirt-host-in\n" - "ip6tables -D FORWARD -j libvirt-in\n" - "ip6tables -D FORWARD -j libvirt-out\n" - "ip6tables -D FORWARD -j libvirt-in-post\n" - "ip6tables -D INPUT -j libvirt-host-in\n" - "ip6tables -I FORWARD 1 -j libvirt-in\n" - "ip6tables -I FORWARD 2 -j libvirt-out\n" - "ip6tables -I FORWARD 3 -j libvirt-in-post\n" - "ip6tables -I INPUT 1 -j libvirt-host-in\n" - "ip6tables -N FP-vnet0\n" - "ip6tables -N FJ-vnet0\n" - "ip6tables -N HJ-vnet0\n" - "ip6tables -A libvirt-out -m physdev --physdev-is-bridged --physdev-ou= t vnet0 -g FP-vnet0\n" - 
"ip6tables -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" - "ip6tables -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet= 0\n" - "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\= n" - "ip6tables -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\= n", + "ip6tables -w -N libvirt-in\n" + "ip6tables -w -N libvirt-out\n" + "ip6tables -w -N libvirt-in-post\n" + "ip6tables -w -N libvirt-host-in\n" + "ip6tables -w -D FORWARD -j libvirt-in\n" + "ip6tables -w -D FORWARD -j libvirt-out\n" + "ip6tables -w -D FORWARD -j libvirt-in-post\n" + "ip6tables -w -D INPUT -j libvirt-host-in\n" + "ip6tables -w -I FORWARD 1 -j libvirt-in\n" + "ip6tables -w -I FORWARD 2 -j libvirt-out\n" + "ip6tables -w -I FORWARD 3 -j libvirt-in-post\n" + "ip6tables -w -I INPUT 1 -j libvirt-host-in\n" + "ip6tables -w -N FP-vnet0\n" + "ip6tables -w -N FJ-vnet0\n" + "ip6tables -w -N HJ-vnet0\n" + "ip6tables -w -A libvirt-out -m physdev --physdev-is-bridged --physdev= -out vnet0 -g FP-vnet0\n" + "ip6tables -w -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\= n" + "ip6tables -w -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-v= net0\n" + "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCE= PT\n" + "ip6tables -w -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCE= PT\n", =20 /* Inserting ebtables rules */ - "ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n" - "ebtables -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n", + "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet= 0\n" + "ebtables --concurrent -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vne= t0\n", }; =20 =20 diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index 872ee3ed17..bf1d325017 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c 
@@ -149,15 +149,17 @@ VIR_MOCK_WRAP_RET_ARGS(g_dbus_connection_call_sync, *error =3D g_dbus_error_new_for_dbus_error("org.firewalld.= error", "something bad ha= ppened"); } else { - if (nargs =3D=3D 1 && + if (nargs =3D=3D 2 && STREQ(type, "ipv4") && - STREQ(args[0], "-L")) { + STREQ(args[0], "-w") && + STREQ(args[1], "-L")) { reply =3D g_variant_new("(s)", TEST_FILTER_TABLE_LIST); - } else if (nargs =3D=3D 3 && + } else if (nargs =3D=3D 4 && STREQ(type, "ipv4") && - STREQ(args[0], "-t") && - STREQ(args[1], "nat") && - STREQ(args[2], "-L")) { + STREQ(args[0], "-w") && + STREQ(args[1], "-t") && + STREQ(args[2], "nat") && + STREQ(args[3], "-L")) { reply =3D g_variant_new("(s)", TEST_NAT_TABLE_LIST); } else { reply =3D g_variant_new("(s)", "success"); @@ -184,8 +186,8 @@ testFirewallSingleGroup(const void *opaque) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT= \n" - IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJ= ECT\n"; + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" + IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump = REJECT\n"; const struct testFirewallData *data =3D opaque; =20 fwDisabled =3D data->fwDisabled; @@ -236,8 +238,8 @@ testFirewallRemoveRule(const void *opaque) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT= \n" - IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJ= ECT\n"; + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" + IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump = REJECT\n"; const struct testFirewallData *data =3D opaque; virFirewallRulePtr fwrule; =20 
@@ -295,10 +297,10 @@ testFirewallManyGroups(const void *opaque G_GNUC_UNUS= ED) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT= \n" - IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJ= ECT\n" - IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEP= T\n" - IPTABLES_PATH " -A OUTPUT --jump DROP\n"; + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" + IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump = REJECT\n" + IPTABLES_PATH " -w -A OUTPUT --source-host 192.168.122.1 --jump AC= CEPT\n" + IPTABLES_PATH " -w -A OUTPUT --jump DROP\n"; const struct testFirewallData *data =3D opaque; =20 fwDisabled =3D data->fwDisabled; @@ -382,10 +384,10 @@ testFirewallIgnoreFailGroup(const void *opaque G_GNUC= _UNUSED) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT= \n" - IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJE= CT\n" - IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEP= T\n" - IPTABLES_PATH " -A OUTPUT --jump DROP\n"; + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump R= EJECT\n" + IPTABLES_PATH " -w -A OUTPUT --source-host 192.168.122.1 --jump AC= CEPT\n" + IPTABLES_PATH " -w -A OUTPUT --jump DROP\n"; const struct testFirewallData *data =3D opaque; =20 fwDisabled =3D data->fwDisabled; 
@@ -450,10 +452,10 @@ testFirewallIgnoreFailRule(const void *opaque G_GNUC_= UNUSED) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT= \n" - IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJE= CT\n" - IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEP= T\n" - IPTABLES_PATH " -A OUTPUT --jump DROP\n"; + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump R= EJECT\n" + IPTABLES_PATH " -w -A OUTPUT --source-host 192.168.122.1 --jump AC= CEPT\n" + IPTABLES_PATH " -w -A OUTPUT --jump DROP\n"; const struct testFirewallData *data =3D opaque; =20 fwDisabled =3D data->fwDisabled; @@ -517,8 +519,8 @@ testFirewallNoRollback(const void *opaque G_GNUC_UNUSED) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT= \n" - IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJE= CT\n"; + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump R= EJECT\n"; const struct testFirewallData *data =3D opaque; =20 fwDisabled =3D data->fwDisabled; 
@@ -577,11 +579,11 @@ testFirewallSingleRollback(const void *opaque G_GNUC_= UNUSED) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT= \n" - IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJE= CT\n" - IPTABLES_PATH " -D INPUT --source-host 192.168.122.1 --jump ACCEPT= \n" - IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump REJE= CT\n" - IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJ= ECT\n"; + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump R= EJECT\n" + IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" + IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.255 --jump R= EJECT\n" + IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump = REJECT\n"; const struct testFirewallData *data =3D opaque; =20 fwDisabled =3D data->fwDisabled; @@ -657,10 +659,10 @@ testFirewallManyRollback(const void *opaque G_GNUC_UN= USED) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT= \n" - IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJE= CT\n" - IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump REJE= CT\n" - IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJ= ECT\n"; + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump R= EJECT\n" + IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.255 --jump R= EJECT\n" + IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump = REJECT\n"; const struct testFirewallData *data =3D opaque; =20 fwDisabled =3D data->fwDisabled; 
@@ -740,14 +742,14 @@ testFirewallChainedRollback(const void *opaque G_GNUC= _UNUSED) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT= \n" - IPTABLES_PATH " -A INPUT --source-host 192.168.122.127 --jump REJE= CT\n" - IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJ= ECT\n" - IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJE= CT\n" - IPTABLES_PATH " -D INPUT --source-host 192.168.122.127 --jump REJE= CT\n" - IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJ= ECT\n" - IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump REJE= CT\n" - IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJ= ECT\n"; + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.127 --jump R= EJECT\n" + IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump = REJECT\n" + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump R= EJECT\n" + IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.127 --jump R= EJECT\n" + IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump = REJECT\n" + IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.255 --jump R= EJECT\n" + IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump = REJECT\n"; const struct testFirewallData *data =3D opaque; =20 fwDisabled =3D data->fwDisabled; 
@@ -882,12 +884,14 @@ testFirewallQueryHook(const char *const*args, void *opaque G_GNUC_UNUSED) { if (STREQ(args[0], IPTABLES_PATH) && - STREQ(args[1], "-L")) { + STREQ(args[1], "-w") && + STREQ(args[2], "-L")) { *output =3D g_strdup(TEST_FILTER_TABLE_LIST); } else if (STREQ(args[0], IPTABLES_PATH) && - STREQ(args[1], "-t") && - STREQ(args[2], "nat") && - STREQ(args[3], "-L")) { + STREQ(args[1], "-w") && + STREQ(args[2], "-t") && + STREQ(args[3], "nat") && + STREQ(args[4], "-L")) { *output =3D g_strdup(TEST_NAT_TABLE_LIST); } } 
@@ -930,15 +934,15 @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT= \n" - IPTABLES_PATH " -A INPUT --source-host 192.168.122.127 --jump REJE= CT\n" - IPTABLES_PATH " -L\n" - IPTABLES_PATH " -t nat -L\n" - IPTABLES_PATH " -A INPUT --source-host 192.168.122.130 --jump REJE= CT\n" - IPTABLES_PATH " -A INPUT --source-host '!192.168.122.129' --jump R= EJECT\n" - IPTABLES_PATH " -A INPUT --source-host '!192.168.122.129' --jump R= EJECT\n" - IPTABLES_PATH " -A INPUT --source-host 192.168.122.128 --jump REJE= CT\n" - IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJ= ECT\n"; + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.127 --jump R= EJECT\n" + IPTABLES_PATH " -w -L\n" + IPTABLES_PATH " -w -t nat -L\n" + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.130 --jump R= EJECT\n" + IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.129' --jum= p REJECT\n" + IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.129' --jum= p REJECT\n" + IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.128 --jump R= EJECT\n" + IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump = REJECT\n"; const struct testFirewallData *data =3D opaque; =20 expectedLineNum =3D 0; --=20 2.28.0
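Review bot: in the g_dbus_connection_call_sync mock (tests/virfirewalltest.c, hunk @@ -149,15 +149,17 @@), the two branches now require "-w" to be exactly args[0] (nargs == 2 with args[1] == "-L", and nargs == 4 with "-t", "nat", "-L" following); if the lock flag is ever emitted in a different position or dropped, neither branch matches and the trailing else still answers "success", so the query tests would fail later on table contents rather than on the mismatched command line. Consider making that fallback branch fail loudly, or comparing the whole argument vector, so an unexpected command shape is reported where it happens.

Review bot: testFirewallQueryHook (hunk @@ -882,12 +884,14 @@) indexes args[2] and args[4] with no argument-count check, whereas the dbus mock in the same file gates on nargs before touching args[]. This is only safe because STREQ(args[1], "-w") and STREQ(args[2], "-t") short-circuit before the higher indices are read on a NULL-terminated vector; a one-line comment saying so, or an explicit count check mirroring the dbus mock, would keep the next edit to this hook from turning it into a NULL dereference.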
From: Laine Stump
To: libvir-list@redhat.com
Subject: [PATCH 3/8] util/tests: enable locking on iptables/ebtables commandlines by default
Date: Mon, 23 Nov 2020 22:29:59 -0500
Message-Id: <20201124033004.1163126-4-laine@redhat.com>
In-Reply-To: <20201124033004.1163126-1-laine@redhat.com>
References: <20201124033004.1163126-1-laine@redhat.com>

iptables and ip6tables have had a "-w" commandline option to grab a systemwide lock that prevents two iptables invocations from modifying the iptables chains since 2013 (upstream commit 93587a04 in iptables-1.4.20). Similarly, ebtables has had a "--concurrent" commandline option for the same purpose since 2011 (in the upstream ebtables commit f9b4bcb93, which was present in ebtables-2.0.10.4). Libvirt added code to conditionally use the commandline option for iptables/ip6tables in upstream commit ba95426d6f (libvirt-1.2.0, November 2013), and for ebtables in upstream commit dc33e6e4a5 (libvirt-1.2.11, November 2014) (the latter actually *re*-added the locking for iptables/ip6tables, as it had accidentally been removed during a refactor of firewall code in the interim).
I say "conditionally" because a check was made during firewall module initialization that tried executing a test command with the -w/--concurrent option, and only continued using it for actual commands if that test command completed successfully. At the time the code was added this was a reasonable thing to do, as it had been less than a year since introduction of -w to iptables, so many distros supported by libvirt were still using iptables (and possibly even ebtables) versions too old to have the new commandline options. It is now 2020, and as far as I can discern from repology.org (and manually examining a RHEL7.9 system), every version of every distro that is supported by libvirt now uses new enough versions of both iptables and ebtables that they all have support for -w/--concurrent. That means we can finally remove the conditional code and simply always use them. Signed-off-by: Laine Stump Reviewed-by: Daniel Henrique Barboza --- src/libvirt_private.syms | 1 - src/util/virfirewall.c | 64 ++------------------------------ src/util/virfirewall.h | 2 - tests/networkxml2firewalltest.c | 2 - tests/nwfilterebiptablestest.c | 2 - tests/nwfilterxml2firewalltest.c | 2 - tests/virfirewalltest.c | 2 - 7 files changed, 3 insertions(+), 72 deletions(-) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 79a23f34cb..5684cd3316 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2157,7 +2157,6 @@ virFirewallRuleAddArgList; virFirewallRuleAddArgSet; virFirewallRuleGetArgCount; virFirewallSetBackend; -virFirewallSetLockOverride; virFirewallStartRollback; virFirewallStartTransaction; =20 diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 5f30c34483..694bb32f62 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c 
@@ -96,59 +96,6 @@ virFirewallOnceInit(void) =20 VIR_ONCE_GLOBAL_INIT(virFirewall); =20 -static bool iptablesUseLock; -static bool ip6tablesUseLock; -static bool ebtablesUseLock; -static bool lockOverride; /* true to avoid lock probes */ - -void -virFirewallSetLockOverride(bool avoid) -{ - lockOverride =3D avoid; - if (avoid) { - /* add the lock option to all commands */ - iptablesUseLock =3D true; - ip6tablesUseLock =3D true; - ebtablesUseLock =3D true; - } -} - -static void -virFirewallCheckUpdateLock(bool *lockflag, - const char *const*args) -{ - int status; /* Ignore failed commands without logging them */ - g_autoptr(virCommand) cmd =3D virCommandNewArgs(args); - if (virCommandRun(cmd, &status) < 0 || status) { - VIR_INFO("locking not supported by %s", args[0]); - } else { - VIR_INFO("using locking for %s", args[0]); - *lockflag =3D true; - } -} - -static void -virFirewallCheckUpdateLocking(void) -{ - const char *iptablesArgs[] =3D { - IPTABLES_PATH, "-w", "-L", "-n", NULL, - }; - const char *ip6tablesArgs[] =3D { - IP6TABLES_PATH, "-w", "-L", "-n", NULL, - }; - const char *ebtablesArgs[] =3D { - EBTABLES_PATH, "--concurrent", "-L", NULL, - }; - if (lockOverride) - return; - virFirewallCheckUpdateLock(&iptablesUseLock, - iptablesArgs); - virFirewallCheckUpdateLock(&ip6tablesUseLock, - ip6tablesArgs); - virFirewallCheckUpdateLock(&ebtablesUseLock, - ebtablesArgs); -} - static int virFirewallValidateBackend(virFirewallBackend backend) { @@ -196,8 +143,6 @@ virFirewallValidateBackend(virFirewallBackend backend) =20 currentBackend =3D backend; =20 - virFirewallCheckUpdateLocking(); - return 0; } =20 
@@ -359,16 +304,13 @@ virFirewallAddRuleFullV(virFirewallPtr firewall, =20 switch (rule->layer) { case VIR_FIREWALL_LAYER_ETHERNET: - if (ebtablesUseLock) - ADD_ARG(rule, "--concurrent"); + ADD_ARG(rule, "--concurrent"); break; case VIR_FIREWALL_LAYER_IPV4: - if (iptablesUseLock) - ADD_ARG(rule, "-w"); + ADD_ARG(rule, "-w"); break; case VIR_FIREWALL_LAYER_IPV6: - if (ip6tablesUseLock) - ADD_ARG(rule, "-w"); + ADD_ARG(rule, "-w"); break; case VIR_FIREWALL_LAYER_LAST: break; diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index 6148f46827..fda3cdec01 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -111,6 +111,4 @@ void virFirewallStartRollback(virFirewallPtr firewall, =20 int virFirewallApply(virFirewallPtr firewall); =20 -void virFirewallSetLockOverride(bool avoid); - G_DEFINE_AUTOPTR_CLEANUP_FUNC(virFirewall, virFirewallFree); diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index 3496445f0d..d358f12897 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -179,8 +179,6 @@ mymain(void) ret =3D -1; \ } while (0) =20 - virFirewallSetLockOverride(true); - if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) { if (!hasNetfilterTools()) { fprintf(stderr, "iptables/ip6tables/ebtables tools not present= "); diff --git a/tests/nwfilterebiptablestest.c b/tests/nwfilterebiptablestest.c index 5562682e9a..f47b4f1dfd 100644 --- a/tests/nwfilterebiptablestest.c +++ b/tests/nwfilterebiptablestest.c @@ -503,8 +503,6 @@ mymain(void) { int ret =3D 0; =20 - virFirewallSetLockOverride(true); - if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) { if (!hasNetfilterTools()) { fprintf(stderr, "iptables/ip6tables/ebtables tools not present= "); diff --git a/tests/nwfilterxml2firewalltest.c b/tests/nwfilterxml2firewallt= est.c index 7427108e39..0901250aaf 100644 --- a/tests/nwfilterxml2firewalltest.c +++ b/tests/nwfilterxml2firewalltest.c 
@@ -457,8 +457,6 @@ mymain(void) ret =3D -1; \ } while (0) =20 - virFirewallSetLockOverride(true); - if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) { if (!hasNetfilterTools()) { fprintf(stderr, "iptables/ip6tables/ebtables tools not present= "); diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index bf1d325017..fac7e20c06 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c 
@@ -1076,8 +1076,6 @@ mymain(void) RUN_TEST_DIRECT(name, method); \ RUN_TEST_FIREWALLD(name, method) =20 - virFirewallSetLockOverride(true); - RUN_TEST("single group", testFirewallSingleGroup); RUN_TEST("remove rule", testFirewallRemoveRule); RUN_TEST("many groups", testFirewallManyGroups);
--
2.28.0
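Review bot: the virfirewall.c hunk at @@ -96,59 removes virFirewallCheckUpdateLocking, which was the only runtime check that the installed iptables/ip6tables/ebtables accept -w/--concurrent, and the @@ -359,16 hunk then adds those flags unconditionally. The minimum versions the commit message derives (iptables-1.4.20, ebtables-2.0.10.4) should therefore be written into the project's supported-platform documentation, because a host below them would now reject every generated firewall command instead of silently running without the lock as before.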
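Review bot: in the virFirewallAddRuleFullV hunk at @@ -359,16 "-w" and "--concurrent" are now added with no wait bound; the commit message describes -w as grabbing a systemwide lock, so it is worth stating how long a virFirewallApply blocks when another process holds that lock (for example a stuck iptables invocation), and whether a bounded wait is available on every supported version and should be used here instead.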
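Review bot: the four tests/*.c hunks only drop the virFirewallSetLockOverride(true) call, but the commit message never explains the "tests" half of the subject line; one sentence saying that the tests previously forced the lock flags on to skip the probe, and that with the probe gone (hunk @@ -196,8 no longer calls virFirewallCheckUpdateLocking from virFirewallValidateBackend) the override is unnecessary, would make the test changes self-explanatory.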
From: Laine Stump
To: libvir-list@redhat.com
Subject: [PATCH 4/8] tests: fix iptables test case commandline options in virfirewalltest.c
Date: Mon, 23 Nov 2020 22:30:00 -0500
Message-Id: <20201124033004.1163126-5-laine@redhat.com>
In-Reply-To: <20201124033004.1163126-1-laine@redhat.com>
References: <20201124033004.1163126-1-laine@redhat.com>

This test was created with all the commandlines erroneously having "--source-host", which is not a valid iptables option. The correct name for the option is "--source". However, since the test is just checking that the generated commandline matches what we told it to generate (and never actually runs iptables, as that would be a "Really Bad Idea"(tm)), the test has always succeeded. I only found it because I made a change to the code that caused the test to incorrectly try to run iptables during the test, and the error message I received was "odd" (it complained about the bad option, rather than complaining that I had insufficient privilege to run the command).
Signed-off-by: Laine Stump Reviewed-by: Daniel Henrique Barboza --- tests/virfirewalltest.c | 168 ++++++++++++++++++++-------------------- 1 file changed, 84 insertions(+), 84 deletions(-) diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index fac7e20c06..fa1838a499 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c @@ -186,8 +186,8 @@ testFirewallSingleGroup(const void *opaque) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" - IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump = REJECT\n"; + IPTABLES_PATH " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" + IPTABLES_PATH " -w -A INPUT --source '!192.168.122.1' --jump REJEC= T\n"; const struct testFirewallData *data =3D opaque; =20 fwDisabled =3D data->fwDisabled; @@ -203,12 +203,12 @@ testFirewallSingleGroup(const void *opaque) =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "192.168.122.1", + "--source", "192.168.122.1", "--jump", "ACCEPT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "!192.168.122.1", + "--source", "!192.168.122.1", "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) < 0) @@ -238,8 +238,8 @@ testFirewallRemoveRule(const void *opaque) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" - IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump = REJECT\n"; + IPTABLES_PATH " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" + IPTABLES_PATH " -w -A INPUT --source '!192.168.122.1' --jump REJEC= T\n"; const struct testFirewallData *data =3D opaque; virFirewallRulePtr fwrule; =20 
@@ -256,17 +256,17 @@ testFirewallRemoveRule(const void *opaque) =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "192.168.122.1", + "--source", "192.168.122.1", "--jump", "ACCEPT", NULL); =20 fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", NULL); - virFirewallRuleAddArg(fw, fwrule, "--source-host"); + virFirewallRuleAddArg(fw, fwrule, "--source"); virFirewallRemoveRule(fw, fwrule); =20 fwrule =3D virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", NULL); - virFirewallRuleAddArg(fw, fwrule, "--source-host"); + virFirewallRuleAddArg(fw, fwrule, "--source"); virFirewallRuleAddArgFormat(fw, fwrule, "%s", "!192.168.122.1"); virFirewallRuleAddArgList(fw, fwrule, "--jump", "REJECT", NULL); =20 @@ -297,9 +297,9 @@ testFirewallManyGroups(const void *opaque G_GNUC_UNUSED) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" - IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump = REJECT\n" - IPTABLES_PATH " -w -A OUTPUT --source-host 192.168.122.1 --jump AC= CEPT\n" + IPTABLES_PATH " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" + IPTABLES_PATH " -w -A INPUT --source '!192.168.122.1' --jump REJEC= T\n" + IPTABLES_PATH " -w -A OUTPUT --source 192.168.122.1 --jump ACCEPT\= n" IPTABLES_PATH " -w -A OUTPUT --jump DROP\n"; const struct testFirewallData *data =3D opaque; =20 
@@ -316,19 +316,19 @@ testFirewallManyGroups(const void *opaque G_GNUC_UNUS= ED) =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "192.168.122.1", + "--source", "192.168.122.1", "--jump", "ACCEPT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "!192.168.122.1", + "--source", "!192.168.122.1", "--jump", "REJECT", NULL); =20 virFirewallStartTransaction(fw, 0); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "OUTPUT", - "--source-host", "192.168.122.1", + "--source", "192.168.122.1", "--jump", "ACCEPT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, @@ -384,9 +384,9 @@ testFirewallIgnoreFailGroup(const void *opaque G_GNUC_U= NUSED) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump R= EJECT\n" - IPTABLES_PATH " -w -A OUTPUT --source-host 192.168.122.1 --jump AC= CEPT\n" + IPTABLES_PATH " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" + IPTABLES_PATH " -w -A INPUT --source 192.168.122.255 --jump REJECT= \n" + IPTABLES_PATH " -w -A OUTPUT --source 192.168.122.1 --jump ACCEPT\= n" IPTABLES_PATH " -w -A OUTPUT --jump DROP\n"; const struct testFirewallData *data =3D opaque; =20 
@@ -405,19 +405,19 @@ testFirewallIgnoreFailGroup(const void *opaque G_GNUC= _UNUSED) =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "192.168.122.1", + "--source", "192.168.122.1", "--jump", "ACCEPT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "192.168.122.255", + "--source", "192.168.122.255", "--jump", "REJECT", NULL); =20 virFirewallStartTransaction(fw, 0); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "OUTPUT", - "--source-host", "192.168.122.1", + "--source", "192.168.122.1", "--jump", "ACCEPT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, @@ -452,9 +452,9 @@ testFirewallIgnoreFailRule(const void *opaque G_GNUC_UN= USED) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump R= EJECT\n" - IPTABLES_PATH " -w -A OUTPUT --source-host 192.168.122.1 --jump AC= CEPT\n" + IPTABLES_PATH " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" + IPTABLES_PATH " -w -A INPUT --source 192.168.122.255 --jump REJECT= \n" + IPTABLES_PATH " -w -A OUTPUT --source 192.168.122.1 --jump ACCEPT\= n" IPTABLES_PATH " -w -A OUTPUT --jump DROP\n"; const struct testFirewallData *data =3D opaque; =20 
@@ -473,18 +473,18 @@ testFirewallIgnoreFailRule(const void *opaque G_GNUC_= UNUSED) =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "192.168.122.1", + "--source", "192.168.122.1", "--jump", "ACCEPT", NULL); =20 virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4, true, NULL, NULL, "-A", "INPUT", - "--source-host", "192.168.122.255", + "--source", "192.168.122.255", "--jump", "REJECT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "OUTPUT", - "--source-host", "192.168.122.1", + "--source", "192.168.122.1", "--jump", "ACCEPT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, @@ -519,8 +519,8 @@ testFirewallNoRollback(const void *opaque G_GNUC_UNUSED) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump R= EJECT\n"; + IPTABLES_PATH " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" + IPTABLES_PATH " -w -A INPUT --source 192.168.122.255 --jump REJECT= \n"; const struct testFirewallData *data =3D opaque; =20 fwDisabled =3D data->fwDisabled; @@ -538,17 +538,17 @@ testFirewallNoRollback(const void *opaque G_GNUC_UNUS= ED) =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "192.168.122.1", + "--source", "192.168.122.1", "--jump", "ACCEPT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "192.168.122.255", + "--source", "192.168.122.255", "--jump", "REJECT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "!192.168.122.1", + "--source", "!192.168.122.1", "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) =3D=3D 0) { 
@@ -579,11 +579,11 @@ testFirewallSingleRollback(const void *opaque G_GNUC_= UNUSED) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump R= EJECT\n" - IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" - IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.255 --jump R= EJECT\n" - IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump = REJECT\n"; + IPTABLES_PATH " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" + IPTABLES_PATH " -w -A INPUT --source 192.168.122.255 --jump REJECT= \n" + IPTABLES_PATH " -w -D INPUT --source 192.168.122.1 --jump ACCEPT\n" + IPTABLES_PATH " -w -D INPUT --source 192.168.122.255 --jump REJECT= \n" + IPTABLES_PATH " -w -D INPUT --source '!192.168.122.1' --jump REJEC= T\n"; const struct testFirewallData *data =3D opaque; =20 fwDisabled =3D data->fwDisabled; 
@@ -601,34 +601,34 @@ testFirewallSingleRollback(const void *opaque G_GNUC_= UNUSED) =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "192.168.122.1", + "--source", "192.168.122.1", "--jump", "ACCEPT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "192.168.122.255", + "--source", "192.168.122.255", "--jump", "REJECT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "!192.168.122.1", + "--source", "!192.168.122.1", "--jump", "REJECT", NULL); =20 virFirewallStartRollback(fw, 0); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-D", "INPUT", - "--source-host", "192.168.122.1", + "--source", "192.168.122.1", "--jump", "ACCEPT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-D", "INPUT", - "--source-host", "192.168.122.255", + "--source", "192.168.122.255", "--jump", "REJECT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-D", "INPUT", - "--source-host", "!192.168.122.1", + "--source", "!192.168.122.1", "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) =3D=3D 0) { @@ -659,10 +659,10 @@ testFirewallManyRollback(const void *opaque G_GNUC_UN= USED) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump R= EJECT\n" - IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.255 --jump R= EJECT\n" - IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump = REJECT\n"; + IPTABLES_PATH " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" + IPTABLES_PATH " -w -A INPUT --source 192.168.122.255 --jump REJECT= \n" + IPTABLES_PATH " -w -D INPUT --source 192.168.122.255 --jump REJECT= \n" + IPTABLES_PATH " -w -D INPUT --source '!192.168.122.1' --jump REJEC= T\n"; const struct testFirewallData *data =3D opaque; =20 fwDisabled =3D data->fwDisabled; 
@@ -680,38 +680,38 @@ testFirewallManyRollback(const void *opaque G_GNUC_UN= USED) =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "192.168.122.1", + "--source", "192.168.122.1", "--jump", "ACCEPT", NULL); =20 virFirewallStartRollback(fw, 0); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-D", "INPUT", - "--source-host", "192.168.122.1", + "--source", "192.168.122.1", "--jump", "ACCEPT", NULL); =20 virFirewallStartTransaction(fw, 0); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "192.168.122.255", + "--source", "192.168.122.255", "--jump", "REJECT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "!192.168.122.1", + "--source", "!192.168.122.1", "--jump", "REJECT", NULL); =20 virFirewallStartRollback(fw, 0); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-D", "INPUT", - "--source-host", "192.168.122.255", + "--source", "192.168.122.255", "--jump", "REJECT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-D", "INPUT", - "--source-host", "!192.168.122.1", + "--source", "!192.168.122.1", "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) =3D=3D 0) { 
@@ -742,14 +742,14 @@ testFirewallChainedRollback(const void *opaque G_GNUC= _UNUSED) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.127 --jump R= EJECT\n" - IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump = REJECT\n" - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump R= EJECT\n" - IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.127 --jump R= EJECT\n" - IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump = REJECT\n" - IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.255 --jump R= EJECT\n" - IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump = REJECT\n"; + IPTABLES_PATH " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" + IPTABLES_PATH " -w -A INPUT --source 192.168.122.127 --jump REJECT= \n" + IPTABLES_PATH " -w -A INPUT --source '!192.168.122.1' --jump REJEC= T\n" + IPTABLES_PATH " -w -A INPUT --source 192.168.122.255 --jump REJECT= \n" + IPTABLES_PATH " -w -D INPUT --source 192.168.122.127 --jump REJECT= \n" + IPTABLES_PATH " -w -D INPUT --source '!192.168.122.1' --jump REJEC= T\n" + IPTABLES_PATH " -w -D INPUT --source 192.168.122.255 --jump REJECT= \n" + IPTABLES_PATH " -w -D INPUT --source '!192.168.122.1' --jump REJEC= T\n"; const struct testFirewallData *data =3D opaque; =20 fwDisabled =3D data->fwDisabled; @@ -767,14 +767,14 @@ testFirewallChainedRollback(const void *opaque G_GNUC= _UNUSED) =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "192.168.122.1", + "--source", "192.168.122.1", "--jump", "ACCEPT", NULL); =20 virFirewallStartRollback(fw, 0); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-D", "INPUT", - "--source-host", "192.168.122.1", + "--source", "192.168.122.1", "--jump", "ACCEPT", NULL); =20 =20 
@@ -782,24 +782,24 @@ testFirewallChainedRollback(const void *opaque G_GNUC= _UNUSED) =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "192.168.122.127", + "--source", "192.168.122.127", "--jump", "REJECT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "!192.168.122.1", + "--source", "!192.168.122.1", "--jump", "REJECT", NULL); =20 virFirewallStartRollback(fw, 0); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-D", "INPUT", - "--source-host", "192.168.122.127", + "--source", "192.168.122.127", "--jump", "REJECT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-D", "INPUT", - "--source-host", "!192.168.122.1", + "--source", "!192.168.122.1", "--jump", "REJECT", NULL); =20 =20 @@ -807,24 +807,24 @@ testFirewallChainedRollback(const void *opaque G_GNUC= _UNUSED) =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "192.168.122.255", + "--source", "192.168.122.255", "--jump", "REJECT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "!192.168.122.1", + "--source", "!192.168.122.1", "--jump", "REJECT", NULL); =20 virFirewallStartRollback(fw, VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-D", "INPUT", - "--source-host", "192.168.122.255", + "--source", "192.168.122.255", "--jump", "REJECT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-D", "INPUT", - "--source-host", "!192.168.122.1", + "--source", "!192.168.122.1", "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) =3D=3D 0) { @@ -906,7 +906,7 @@ testFirewallQueryCallback(virFirewallPtr fw, size_t i; virFirewallAddRule(fw, layer, "-A", "INPUT", - "--source-host", "!192.168.122.129", + "--source", "!192.168.122.129", "--jump", "REJECT", NULL); =20 for (i =3D 0; lines[i] !=3D NULL; i++) { 
@@ -934,15 +934,15 @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED) int ret =3D -1; const char *actual =3D NULL; const char *expected =3D - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACC= EPT\n" - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.127 --jump R= EJECT\n" + IPTABLES_PATH " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n" + IPTABLES_PATH " -w -A INPUT --source 192.168.122.127 --jump REJECT= \n" IPTABLES_PATH " -w -L\n" IPTABLES_PATH " -w -t nat -L\n" - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.130 --jump R= EJECT\n" - IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.129' --jum= p REJECT\n" - IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.129' --jum= p REJECT\n" - IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.128 --jump R= EJECT\n" - IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump = REJECT\n"; + IPTABLES_PATH " -w -A INPUT --source 192.168.122.130 --jump REJECT= \n" + IPTABLES_PATH " -w -A INPUT --source '!192.168.122.129' --jump REJ= ECT\n" + IPTABLES_PATH " -w -A INPUT --source '!192.168.122.129' --jump REJ= ECT\n" + IPTABLES_PATH " -w -A INPUT --source 192.168.122.128 --jump REJECT= \n" + IPTABLES_PATH " -w -A INPUT --source '!192.168.122.1' --jump REJEC= T\n"; const struct testFirewallData *data =3D opaque; =20 expectedLineNum =3D 0; @@ -962,14 +962,14 @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED) =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "192.168.122.1", + "--source", "192.168.122.1", "--jump", "ACCEPT", NULL); =20 virFirewallStartTransaction(fw, 0); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "192.168.122.127", + "--source", "192.168.122.127", "--jump", "REJECT", NULL); =20 virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4, 
@@ -985,7 +985,7 @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED) =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "192.168.122.130", + "--source", "192.168.122.130", "--jump", "REJECT", NULL); =20 =20 
@@ -993,12 +993,12 @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED) =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "192.168.122.128", + "--source", "192.168.122.128", "--jump", "REJECT", NULL); =20 virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4, "-A", "INPUT", - "--source-host", "!192.168.122.1", + "--source", "!192.168.122.1", "--jump", "REJECT", NULL); =20 if (virFirewallApply(fw) < 0) --=20 2.28.0
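Review bot: every hunk in this patch (tests/virfirewalltest.c at -782, -807, -906, -934, -962, -985 and -993) swaps the argument string `--source-host` for `--source`, which is the option iptables actually accepts (`-s`/`--source`); the old fixtures could only have passed because the test captures the generated command line in dry-run or mock mode and never executes it. The commit message should say so explicitly, so reviewers can tell this is a fixture correctness fix rather than a behaviour change. In the expected-output block at -934 the negated addresses stay single-quoted (`'!192.168.122.129'`); worth confirming that this is exactly the quoting the dry-run capture emits for arguments containing `!`, since the comparison is a literal string match.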
From: Laine Stump
To: libvir-list@redhat.com
Subject: [PATCH 5/8] network: be more verbose about the reason for a firewall reload
Date: Mon, 23 Nov 2020 22:30:01 -0500
Message-Id: <20201124033004.1163126-6-laine@redhat.com>
In-Reply-To: <20201124033004.1163126-1-laine@redhat.com>
References: <20201124033004.1163126-1-laine@redhat.com>

Signed-off-by: Laine Stump
Reviewed-by: Daniel Henrique Barboza
---
 src/network/bridge_driver.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 5d9b9eaa4f..fdad2191e6 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -653,6 +653,7 @@ firewalld_dbus_signal_callback(GDBusConnection *connect= ion G_GNUC_UNUSED, if (STREQ(interfaceName, "org.fedoraproject.FirewallD1") && STREQ(signalName, "Reloaded")) { reload =3D true; + VIR_DEBUG("Reload in bridge_driver because of 'Reloaded' signal"); } else if (STREQ(interfaceName, "org.freedesktop.DBus") && STREQ(signalName, "NameOwnerChanged")) { char *name =3D NULL; 
@@ -661,14 +662,15 @@ firewalld_dbus_signal_callback(GDBusConnection *conne= ction G_GNUC_UNUSED, =20 g_variant_get(parameters, "(&s&s&s)", &name, &old_owner, &new_owne= r); =20 - if (new_owner && *new_owner) + if (new_owner && *new_owner) { + VIR_DEBUG("Reload in bridge_driver because of 'NameOwnerChange= d' signal, new owner is: '%s'", + new_owner); reload =3D true; + } } =20 - if (reload) { - VIR_DEBUG("Reload in bridge_driver because of firewalld."); + if (reload) networkReloadFirewallRules(driver, false, true); - } } #endif =20 --=20 2.28.0
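Review bot: in the NameOwnerChanged branch the new VIR_DEBUG prints only `new_owner`, although `name` and `old_owner` are unpacked by the `g_variant_get(parameters, "(&s&s&s)", ...)` call two lines above. Including `name` (and ideally `old_owner`) in the message would make the log line self-describing when someone reads a debug log without the D-Bus subscription filter in front of them, e.g. "... signal for '%s', owner '%s' -> '%s'". Dropping the old generic "because of firewalld." message and the braces around the now single-statement `if (reload)` is consistent with the project's brace style and with the more specific messages added in both branches.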
From: Laine Stump
To: libvir-list@redhat.com
Subject: [PATCH 6/8] util: always check for ebtables/iptables binaries, even when using firewalld
Date: Mon, 23 Nov 2020 22:30:02 -0500
Message-Id: <20201124033004.1163126-7-laine@redhat.com>
In-Reply-To: <20201124033004.1163126-1-laine@redhat.com>
References: <20201124033004.1163126-1-laine@redhat.com>

Even though *we* don't call ebtables/iptables/ip6tables (yet) when the firewalld backend is selected, firewalld does, so these binaries need to be there; let's check for them.

(Also, the patch after this one is going to start execing those binaries directly rather than via firewalld).

Signed-off-by: Laine Stump
Reviewed-by: Daniel Henrique Barboza
---
 src/util/virfirewall.c | 56 ++++++++++++++++++++----------------------
 1 file changed, 26 insertions(+), 30 deletions(-)
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 694bb32f62..0b022b14af 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -99,24 +99,38 @@ VIR_ONCE_GLOBAL_INIT(virFirewall); static int virFirewallValidateBackend(virFirewallBackend backend) { - VIR_DEBUG("Validating backend %d", backend); + const char *commands[] =3D { + IPTABLES_PATH, IP6TABLES_PATH, EBTABLES_PATH + }; + size_t i; + + for (i =3D 0; i < G_N_ELEMENTS(commands); i++) { + if (!virFileIsExecutable(commands[i])) { + virReportSystemError(errno, + _("%s not available, firewall backend wil= l not function"), + commands[i]); + return -1; + } + } + VIR_DEBUG("found iptables/ip6tables/ebtables"); + if (backend =3D=3D VIR_FIREWALL_BACKEND_AUTOMATIC || backend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { int rv =3D virFirewallDIsRegistered(); =20 VIR_DEBUG("Firewalld is registered ? %d", rv); - if (rv < 0) { - if (rv =3D=3D -2) { - if (backend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("firewalld firewall backend requested= , but service is not running")); - return -1; - } else { - VIR_DEBUG("firewalld service not running, trying direc= t backend"); - backend =3D VIR_FIREWALL_BACKEND_DIRECT; - } - } else { + + if (rv =3D=3D -1) + return -1; + + if (rv =3D=3D -2) { + if (backend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("firewalld backend requested, but service= is not running")); return -1; + } else { + VIR_DEBUG("firewalld service not running, using direct bac= kend"); + backend =3D VIR_FIREWALL_BACKEND_DIRECT; } } else { VIR_DEBUG("firewalld service running, using firewalld backend"= ); 
@@ -124,25 +138,7 @@ virFirewallValidateBackend(virFirewallBackend backend) } } =20 - if (backend =3D=3D VIR_FIREWALL_BACKEND_DIRECT) { - const char *commands[] =3D { - IPTABLES_PATH, IP6TABLES_PATH, EBTABLES_PATH - }; - size_t i; - - for (i =3D 0; i < G_N_ELEMENTS(commands); i++) { - if (!virFileIsExecutable(commands[i])) { - virReportSystemError(errno, - _("direct firewall backend requested,= but %s is not available"), - commands[i]); - return -1; - } - } - VIR_DEBUG("found iptables/ip6tables/ebtables, using direct backend= "); - } - currentBackend =3D backend; - return 0; } =20 --=20 2.28.0
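Review bot: the hunk at -99 narrows the error handling of `virFirewallDIsRegistered()`: the removed code returned -1 for any `rv < 0` other than -2, whereas the new code only does `if (rv =3D=3D -1) return -1;` and then treats everything that is not -2 as "firewalld service running, using firewalld backend". Unless that helper is guaranteed to return only 0, -1 or -2, any other negative value now silently selects the firewalld backend; `if (rv < 0 && rv != -2) return -1;` keeps the previous behaviour. Also, `virReportSystemError(errno, ...)` after `virFileIsExecutable()` returns false prints whatever errno the helper left behind; that was already the case in the removed block, but since the check now runs on every host (not just direct-backend ones) a stale errno in the message "%s not available, firewall backend will not function" will be seen more often, so it is worth confirming the helper sets errno on the non-executable path as well as the missing-file path.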
From: Laine Stump
To: libvir-list@redhat.com
Subject: [PATCH 7/8] util: synchronize with firewalld before we start calling iptables directly
Date: Mon, 23 Nov 2020 22:30:03 -0500
Message-Id: <20201124033004.1163126-8-laine@redhat.com>
In-Reply-To: <20201124033004.1163126-1-laine@redhat.com>
References: <20201124033004.1163126-1-laine@redhat.com>

When it is starting up, firewalld will delete all existing iptables rules and chains before adding its own rules. If libvirtd were to try to directly add iptables rules during the time before firewalld has finished initializing, firewalld would end up deleting the rules that libvirtd has just added.

Currently this isn't a problem, since libvirtd only adds iptables rules via the firewalld "passthrough command" API, and so firewalld is able to properly serialize everything. However, we will soon be changing libvirtd to add its iptables and ebtables rules by directly calling iptables/ebtables rather than via firewalld, thus removing the serialization of libvirtd adding rules vs. firewalld deleting rules.
This will be especially apparent (if we don't fix it in advance, as this patch does) when libvirtd is responding to the dbus NameOwnerChanged event, which is used to learn when firewalld has been restarted. In that case, dbus sends the event before firewalld has been able to complete its initialization, so when libvirt responds to the event by adding back its iptables rules (with direct calls to /usr/bin/iptables), some of those rules are added before firewalld has a chance to do its "remove everything" startup protocol. The usual result of this is that libvirt will successfully add its private chains (e.g. LIBVIRT_INP, etc), but then fail when it tries to add a rule jumping to one of those chains (because in the interim, firewalld has deleted the new chains).

The solution is for libvirt to preface its direct calling to iptables with an iptables command sent via firewalld's passthrough command API. Since commands sent to firewalld are completed synchronously, and since firewalld won't service them until it has completed its own initialization, this will assure that by the time libvirt starts calling iptables to add rules, firewalld will not be following up by deleting any of those rules.

To minimize the amount of extra overhead, we request the simplest iptables command possible: "iptables -V" (and aside from logging a debug message, we ignore the result, for good measure).

(This patch is being done *before* the patch that switches to calling iptables directly, so that everything will function properly with any fractional part of the series applied).

Signed-off-by: Laine Stump
Reviewed-by: Daniel Henrique Barboza
---
 src/libvirt_private.syms | 1 +
 src/util/virfirewall.c | 30 ++++++++++++++++++++++++++++++
 src/util/virfirewall.h | 2 ++
 src/util/viriptables.c | 7 +++++++
 4 files changed, 40 insertions(+)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 5684cd3316..2cd046df8b 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2148,6 +2148,7 @@ virFileCacheSetPriv; # util/virfirewall.h virFirewallAddRuleFull; virFirewallApply; +virFirewallBackendSynchronize; virFirewallFree; virFirewallNew; virFirewallRemoveRule; diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 0b022b14af..307825331d 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -649,6 +649,36 @@ virFirewallApplyRuleFirewallD(virFirewallRulePtr rule, return virFirewallDApplyRule(rule->layer, rule->args, rule->argsLen, i= gnoreErrors, output); } =20 + +void +virFirewallBackendSynchronize(void) +{ + const char *arg =3D "-V"; + g_autofree char *output =3D NULL; + + switch (currentBackend) { + case VIR_FIREWALL_BACKEND_DIRECT: + /* nobody to synchronize with */ + break; + case VIR_FIREWALL_BACKEND_FIREWALLD: + /* Send a simple rule via firewalld's passthrough iptables + * command so that we'll be sure firewalld has fully + * initialized and caught up with its internal queue of + * iptables commands. Waiting for this will prevent our own + * directly-executed iptables commands from being run while + * firewalld is still initializing. + */ + ignore_value(virFirewallDApplyRule(VIR_FIREWALL_LAYER_IPV4, + (char **)&arg, 1, true, &output= )); + VIR_DEBUG("Result of 'iptables -V' via firewalld: %s", NULLSTR(out= put)); + break; + case VIR_FIREWALL_BACKEND_AUTOMATIC: + case VIR_FIREWALL_BACKEND_LAST: + break; + } +} + + static int virFirewallApplyRule(virFirewallPtr firewall, virFirewallRulePtr rule, diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h index fda3cdec01..3db0864380 100644 --- a/src/util/virfirewall.h +++ b/src/util/virfirewall.h @@ -111,4 +111,6 @@ void virFirewallStartRollback(virFirewallPtr firewall, =20 int virFirewallApply(virFirewallPtr firewall); =20 +void virFirewallBackendSynchronize(void); + G_DEFINE_AUTOPTR_CLEANUP_FUNC(virFirewall, virFirewallFree); diff --git a/src/util/viriptables.c b/src/util/viriptables.c index 9cfbc9f2aa..5fbb77fd5b 100644 
--- a/src/util/viriptables.c +++ b/src/util/viriptables.c 
@@ -150,6 +150,13 @@ iptablesSetupPrivateChains(virFirewallLayer layer) }; size_t i; =20 + /* When the backend is firewalld, we need to make sure that + * firewalld has been fully started and completed its + * initialization, otherwise firewalld might delete our rules soon + * after we add them! + */ + virFirewallBackendSynchronize(); + virFirewallStartTransaction(fw, 0); =20 for (i =3D 0; i < G_N_ELEMENTS(data); i++) --=20 2.28.0
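Review bot: in the virfirewall.c hunk at -649, `ignore_value(virFirewallDApplyRule(...))` discards the only signal that the barrier actually worked. The function exists to guarantee ordering, so a failed passthrough call (firewalld D-Bus service unreachable, call timed out) means the caller goes on to run iptables directly with no synchronization and nothing in the logs above debug level. Suggest logging with VIR_WARN when the call returns < 0, and consider returning an int so iptablesSetupPrivateChains() can choose to fail early instead of adding chains that may be flushed moments later. The VIR_FIREWALL_BACKEND_AUTOMATIC case is unreachable once virFirewallValidateBackend() has resolved `currentBackend`, which a one-line comment in the switch would make clear.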
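Review bot: the viriptables.c hunk at -150 calls virFirewallBackendSynchronize() only from iptablesSetupPrivateChains(). The commit message describes the race for any rule added directly after a firewalld restart, so correctness relies on every reload path calling the private-chain setup before adding other rules; that assumption is not stated anywhere in the patch. The virfirewall.h hunk adds the prototype with no doc comment, so documenting there (or at this call site) that the synchronization must precede the first direct iptables/ebtables call after a firewalld (re)start would prevent a future caller from bypassing it.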
From: Laine Stump
To: libvir-list@redhat.com
Subject: [PATCH 8/8] util: call iptables directly rather than via firewalld
Date: Mon, 23 Nov 2020 22:30:04 -0500
Message-Id: <20201124033004.1163126-9-laine@redhat.com>
In-Reply-To: <20201124033004.1163126-1-laine@redhat.com>
References: <20201124033004.1163126-1-laine@redhat.com>

When libvirt added support for firewalld, we were unable to use firewalld's higher level rules, because they weren't detailed enough and could not be applied to the iptables FORWARD or OUTPUT chains (only to the INPUT chain). Instead we changed our code so that rather than running the iptables/ip6tables/ebtables binaries ourselves, we would send these commands to firewalld as "passthrough commands", and firewalld would run the appropriate program on our behalf. This was done under the assumption that firewalld was somehow tracking all these rules, and that this tracking was benefitting proper operation of firewalld and the system in general.
Several years later this came up in a discussion on IRC, and we learned from the firewalld developers that, in fact, adding iptables and ebtables rules with firewalld's passthrough commands actually has *no* advantage; firewalld doesn't keep track of these rules in any way, and doesn't use them to tailor the construction of its own rules.

Meanwhile, users have been complaining for some time that whenever firewalld is restarted on a system with libvirt virtual networks and/or nwfilter rules active, the system logs would be flooded with warning messages whining that [lots of different rules] could not be deleted because they didn't exist. For example:

  firewalld[3536040]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_OUT --out-interface virbr4 --protocol udp --destination-port 68 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

(See https://bugzilla.redhat.com/1790837 for many more examples and a discussion)

Note that these messages are created by iptables, but are logged by firewalld - when an iptables/ebtables command fails, firewalld grabs whatever is in stderr of the program, and spits it out to the system log as a warning. We've requested that firewalld not do this (and instead leave it up to the calling application to do the appropriate logging), but this request has been respectfully denied.

But combining the two problems above (1) firewalld doesn't do anything useful when you use it as a proxy to add/remove iptables rules, 2) firewalld often insists on logging lots of annoying/misleading/useless "error" messages when you use it as a proxy to remove iptables rules that don't already exist), leads to a solution - simply stop using firewalld to add and remove iptables rules. Instead, exec iptables/ip6tables/ebtables directly in the same way we do when firewalld isn't active.
We still need to keep track of whether or not firewalld is active, as there are some things that must be done, e.g. we need to add some actual firewalld rules in the firewalld "libvirt" zone, and we need to take notice when firewalld restarts, so that we can reload all our rules. This patch doesn't remove the infrastructure that allows having different firewall backends that perform their functions in different ways, as that will very possibly come in handy in the future when we want to have an nftables direct backend, and possibly a "pure" firewalld backend (now that firewalld supports more complex rules, and can add those rules to the FORWARD and OUTPUT chains). Instead, it just changes the action when the selected backend is "firewalld" so that it adds rules directly rather than through firewalld, while leaving as much of the existing code intact as possible. In order for tests to still pass, virfirewalltest also had to be modified to behave in a different way (i.e. by capturing the generated commandline as it does for the DIRECT backend, rather than capturing dbus messages using a mocked dbus API). Signed-off-by: Laine Stump Reviewed-by: Daniel Henrique Barboza --- src/util/virfirewall.c | 13 +++++++++++-- tests/virfirewalltest.c | 30 ++++++++++++++++++++---------- 2 files changed, 31 insertions(+), 12 deletions(-) diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c index 307825331d..21dea3013a 100644 --- a/src/util/virfirewall.c +++ b/src/util/virfirewall.c @@ -640,7 +640,7 @@ virFirewallApplyRuleDirect(virFirewallRulePtr rule, } =20 =20 -static int +static int G_GNUC_UNUSED virFirewallApplyRuleFirewallD(virFirewallRulePtr rule, bool ignoreErrors, char **output) 
@@ -698,7 +698,16 @@ virFirewallApplyRule(virFirewallPtr firewall, return -1; break; case VIR_FIREWALL_BACKEND_FIREWALLD: - if (virFirewallApplyRuleFirewallD(rule, ignoreErrors, &output) < 0) + /* Since we are using raw iptables rules, there is no + * advantage to going through firewalld, so instead just add + * them directly rather that via dbus calls to firewalld. This + * has the useful side effect of eliminating extra unwanted + * warning messages in the system logs when trying to delete + * rules that don't exist (which is something that happens + * often when libvirtd is started, and *always* when firewalld + * is restarted) + */ + if (virFirewallApplyRuleDirect(rule, ignoreErrors, &output) < 0) return -1; break; =20 diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c index fa1838a499..2670eb1561 100644 --- a/tests/virfirewalltest.c +++ b/tests/virfirewalltest.c @@ -194,7 +194,8 @@ testFirewallSingleGroup(const void *opaque) if (virFirewallSetBackend(data->tryBackend) < 0) goto cleanup; =20 - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT) + if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || + data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) virCommandSetDryRun(&cmdbuf, NULL, NULL); else fwBuf =3D &cmdbuf; @@ -247,7 +248,8 @@ testFirewallRemoveRule(const void *opaque) if (virFirewallSetBackend(data->tryBackend) < 0) goto cleanup; =20 - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT) + if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || + data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) virCommandSetDryRun(&cmdbuf, NULL, NULL); else fwBuf =3D &cmdbuf; 
@@ -307,7 +309,8 @@ testFirewallManyGroups(const void *opaque G_GNUC_UNUSED) if (virFirewallSetBackend(data->tryBackend) < 0) goto cleanup; =20 - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT) + if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || + data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) virCommandSetDryRun(&cmdbuf, NULL, NULL); else fwBuf =3D &cmdbuf; @@ -394,7 +397,8 @@ testFirewallIgnoreFailGroup(const void *opaque G_GNUC_U= NUSED) if (virFirewallSetBackend(data->tryBackend) < 0) goto cleanup; =20 - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT) { + if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || + data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL); } else { fwBuf =3D &cmdbuf; @@ -462,7 +466,8 @@ testFirewallIgnoreFailRule(const void *opaque G_GNUC_UN= USED) if (virFirewallSetBackend(data->tryBackend) < 0) goto cleanup; =20 - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT) { + if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || + data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL); } else { fwBuf =3D &cmdbuf; @@ -527,7 +532,8 @@ testFirewallNoRollback(const void *opaque G_GNUC_UNUSED) if (virFirewallSetBackend(data->tryBackend) < 0) goto cleanup; =20 - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT) { + if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || + data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL); } else { fwBuf =3D &cmdbuf; 
@@ -590,7 +596,8 @@ testFirewallSingleRollback(const void *opaque G_GNUC_UN= USED) if (virFirewallSetBackend(data->tryBackend) < 0) goto cleanup; =20 - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT) { + if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || + data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL); } else { fwError =3D true; @@ -669,7 +676,8 @@ testFirewallManyRollback(const void *opaque G_GNUC_UNUS= ED) if (virFirewallSetBackend(data->tryBackend) < 0) goto cleanup; =20 - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT) { + if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || + data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL); } else { fwBuf =3D &cmdbuf; @@ -756,7 +764,8 @@ testFirewallChainedRollback(const void *opaque G_GNUC_U= NUSED) if (virFirewallSetBackend(data->tryBackend) < 0) goto cleanup; =20 - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT) { + if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || + data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { virCommandSetDryRun(&cmdbuf, testFirewallRollbackHook, NULL); } else { fwBuf =3D &cmdbuf; @@ -951,7 +960,8 @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED) if (virFirewallSetBackend(data->tryBackend) < 0) goto cleanup; =20 - if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT) { + if (data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_DIRECT || + data->expectBackend =3D=3D VIR_FIREWALL_BACKEND_FIREWALLD) { virCommandSetDryRun(&cmdbuf, testFirewallQueryHook, NULL); } else { fwBuf =3D &cmdbuf; --=20 2.28.0
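Review bot: in the first virfirewall.c hunk (@@ -640), marking virFirewallApplyRuleFirewallD as G_GNUC_UNUSED keeps a now-unreferenced D-Bus code path in the build with nothing in the source saying why. A one-line comment above the function stating that it is intentionally retained for a future pure-firewalld backend (as the commit message says) would stop the next reader from either deleting it or wiring it back in.

Review bot: in the second virfirewall.c hunk (@@ -698), the new comment's "rather that via dbus calls to firewalld" should read "rather than via dbus calls", and the comment should reference the bug it addresses (https://bugzilla.redhat.com/1790837 from the commit message), since this is the behavioural change operators will be looking for. It is also worth confirming that virFirewallApplyRuleDirect honours ignoreErrors for the delete-nonexistent-rule case the comment describes: the log noise is only eliminated if libvirt's direct path does not itself log the iptables "Bad rule" stderr at warning level, otherwise the messages simply move from firewalld's log to libvirtd's.

Review bot: in the first virfirewalltest.c hunk (@@ -194), the combined condition `data->expectBackend == VIR_FIREWALL_BACKEND_DIRECT || data->expectBackend == VIR_FIREWALL_BACKEND_FIREWALLD` is copied verbatim into nine test functions in this file (the hunk shows it quoted-printable encoded as `=3D=3D`). A single static helper answering "does this backend exec commands directly?" would keep the nine copies consistent when the further backends the commit message anticipates are added.

Review bot: in the testFirewallSingleRollback hunk (@@ -590), the else branch that sets `fwError = true` to make the mocked firewalld path fail now runs only for a backend that is neither DIRECT nor FIREWALLD, so rollback-on-failure is exercised solely through testFirewallRollbackHook in dry-run mode. If those are the only two backends, the fwError path and the dbus mock it drives are dead code and should be removed in a follow-up rather than left in place.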