From nobody Fri Oct 18 09:19:41 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1682911276; cv=none; d=zohomail.com; s=zohoarc; b=DztSVbz1WDrP3/oh4SNmKp+yB2rmu/Pl6R9B0zdOTC/P4kRi4rCLro4b/Iql4+XzIcGx70YpizH2cUsI9fAKwEZS1IBqGsfEFEur0jQLVzdBF+5b5DCGW7oU3P5KAlcL0RkuQ3Xib9Uq+pQe1QjE3OOnegfPpaVTatlggeL3tJc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1682911276; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=RmaJG9jHNCIZOqfJQ6IRYa4DwePhSdjCJewz91Zd2aY=; b=m1WAQVV/6ZqbawUisnADOyTRmX3QD69aCaZbXwQLizjL5Tcg7Fp0sTdCRf2Biw2wlenAWd8uVz403o9zt7vGl3dwnGsmshGMuxiqRnZUQWBwXt+MCw0tn+1W2d/5puBNNoDuwhSoteur+G6O8rbroBKekhiWMDcQVU5AAgjdSPA= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 1682911276273682.7433132531418; Sun, 30 Apr 2023 20:21:16 -0700 (PDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-656-XB2u0fAjNtulCNztBQ1eOA-1; Sun, 30 Apr 2023 23:20:28 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 8395B857AA1; Mon, 1 May 2023 03:20:17 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id 65E7F63F42; Mon, 1 May 2023 03:20:17 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 5AEB91946589; Mon, 1 May 2023 03:20:09 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id D1A5C1946A45 for ; Mon, 1 May 2023 03:20:05 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id BB2DC463EC3; Mon, 1 May 2023 03:19:46 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.105]) by smtp.corp.redhat.com (Postfix) with ESMTP id 9AE3A475022 for ; Mon, 1 May 2023 03:19:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1682911275; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=RmaJG9jHNCIZOqfJQ6IRYa4DwePhSdjCJewz91Zd2aY=; b=GwR/rOcke/OfU1e7nxCRWzppCEEhvRMeg2/v2EzVQU97qdwywKcbqKuRwWh3KWmOEuw006 ZKYSaYWJzlWlp6n49fW91bJmIkk+DKx6Hs1LXedy7AJhlXa34BsAzifhyhpMdflJovPsDT QgkD3duQSWDzQrP3Oxz4T6JG2X5CYwU= X-MC-Unique: XB2u0fAjNtulCNztBQ1eOA-1 X-Original-To: libvir-list@listman.corp.redhat.com From: Laine Stump To: libvir-list@redhat.com Subject: [libvirt PATCH 17/28] tests: test cases for nftables backend Date: Sun, 30 Apr 2023 23:19:32 -0400 Message-Id: <20230501031943.288145-18-laine@redhat.com> In-Reply-To: <20230501031943.288145-1-laine@redhat.com> References: <20230501031943.288145-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10 X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libvir-list-bounces@redhat.com Sender: "libvir-list" X-Scanned-By: MIMEDefang 3.1 on 10.11.54.5 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1682911276937100005 Content-Type: text/plain; charset="utf-8"; x-default="true" Run all the networkxml2firewall tests twice - once with iptables backend, and once with the nftables backend. The results files for the existing iptables tests were previously named *.args. That has been changed to *.iptables, and the results files for the new nftables tests are named *.nftables. Signed-off-by: Laine Stump --- .../{base.args =3D> base.iptables} | 0 tests/networkxml2firewalldata/base.nftables | 256 ++++++++++ ...-linux.args =3D> nat-default-linux.iptables} | 0 .../nat-default-linux.nftables | 248 +++++++++ ...pv6-linux.args =3D> nat-ipv6-linux.iptables} | 0 .../nat-ipv6-linux.nftables | 384 ++++++++++++++ ...rgs =3D> nat-ipv6-masquerade-linux.iptables} | 0 .../nat-ipv6-masquerade-linux.nftables | 456 +++++++++++++++++ ...linux.args =3D> nat-many-ips-linux.iptables} | 0 .../nat-many-ips-linux.nftables | 472 ++++++++++++++++++ ...-linux.args =3D> nat-no-dhcp-linux.iptables} | 0 .../nat-no-dhcp-linux.nftables | 384 ++++++++++++++ ...ftp-linux.args =3D> nat-tftp-linux.iptables} | 0 .../nat-tftp-linux.nftables | 274 ++++++++++ ...inux.args =3D> route-default-linux.iptables} | 0 .../route-default-linux.nftables | 162 ++++++ tests/networkxml2firewalltest.c | 47 +- 17 files changed, 2670 insertions(+), 13 deletions(-) rename tests/networkxml2firewalldata/{base.args =3D> base.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/base.nftables rename tests/networkxml2firewalldata/{nat-default-linux.args =3D> nat-defa= ult-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables rename tests/networkxml2firewalldata/{nat-ipv6-linux.args =3D> nat-ipv6-li= nux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args =3D> = nat-ipv6-masquerade-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux= .nftables rename tests/networkxml2firewalldata/{nat-many-ips-linux.args =3D> nat-man= y-ips-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftabl= es rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args =3D> nat-no-d= hcp-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables rename tests/networkxml2firewalldata/{nat-tftp-linux.args =3D> nat-tftp-li= nux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables rename tests/networkxml2firewalldata/{route-default-linux.args =3D> route-= default-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftab= les diff --git a/tests/networkxml2firewalldata/base.args b/tests/networkxml2fir= ewalldata/base.iptables similarity index 100% rename from tests/networkxml2firewalldata/base.args rename to tests/networkxml2firewalldata/base.iptables diff --git a/tests/networkxml2firewalldata/base.nftables b/tests/networkxml= 2firewalldata/base.nftables new file mode 100644 index 0000000000..4f1f475a85 --- /dev/null +++ b/tests/networkxml2firewalldata/base.nftables @@ -0,0 +1,256 @@ +nft \ +list \ +table \ +ip \ +libvirt +nft \ +add \ +table \ +ip \ +libvirt +nft \ +add \ +chain \ +ip \ +libvirt \ +INPUT \ +'{ type filter hook input priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +FORWARD \ +'{ type filter hook forward priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +OUTPUT \ +'{ type filter hook output priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_INP +nft \ +insert \ +rule \ +ip \ +libvirt \ +INPUT \ +counter \ +jump \ +LIBVIRT_INP +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_OUT +nft \ +insert \ +rule \ +ip \ +libvirt \ +OUTPUT \ +counter \ +jump \ +LIBVIRT_OUT +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWO +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWO +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWI +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWI +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWX +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWX +nft \ +add \ +chain \ +ip \ +libvirt \ +POSTROUTING \ +'{ type nat hook postrouting priority 100; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_PRT +nft \ +insert \ +rule \ +ip \ +libvirt \ +POSTROUTING \ +counter \ +jump \ +LIBVIRT_PRT +nft \ +list \ +table \ +ip6 \ +libvirt +nft \ +add \ +table \ +ip6 \ +libvirt +nft \ +add \ +chain \ +ip6 \ +libvirt \ +INPUT \ +'{ type filter hook input priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +FORWARD \ +'{ type filter hook forward priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +OUTPUT \ +'{ type filter hook output priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_INP +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +INPUT \ +counter \ +jump \ +LIBVIRT_INP +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_OUT +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +OUTPUT \ +counter \ +jump \ +LIBVIRT_OUT +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWO +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWO +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWI +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWI +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWX +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWX +nft \ +add \ +chain \ +ip6 \ +libvirt \ +POSTROUTING \ +'{ type nat hook postrouting priority 100; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_PRT +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +POSTROUTING \ +counter \ +jump \ +LIBVIRT_PRT diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/n= etworkxml2firewalldata/nat-default-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-default-linux.args rename to tests/networkxml2firewalldata/nat-default-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tes= ts/networkxml2firewalldata/nat-default-linux.nftables new file mode 100644 index 0000000000..7e01ceba97 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-default-linux.nftables @@ -0,0 +1,248 @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/netw= orkxml2firewalldata/nat-ipv6-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-ipv6-linux.args rename to tests/networkxml2firewalldata/nat-ipv6-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/= networkxml2firewalldata/nat-ipv6-linux.nftables new file mode 100644 index 0000000000..3a75dfced7 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables @@ -0,0 +1,384 @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +oifname \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args b= /tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args rename to tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftabl= es b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables new file mode 100644 index 0000000000..5959a920ff --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables @@ -0,0 +1,456 @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=3D' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +ip6 \ +protocol \ +udp \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=3D' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +ip6 \ +protocol \ +tcp \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=3D' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +ff02::/16 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/= networkxml2firewalldata/nat-many-ips-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-many-ips-linux.args rename to tests/networkxml2firewalldata/nat-many-ips-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/te= sts/networkxml2firewalldata/nat-many-ips-linux.nftables new file mode 100644 index 0000000000..7cf989e040 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables @@ -0,0 +1,472 @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.128.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.128.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.128.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.150.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.150.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.150.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.150.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.150.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/n= etworkxml2firewalldata/nat-no-dhcp-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-no-dhcp-linux.args rename to tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tes= ts/networkxml2firewalldata/nat-no-dhcp-linux.nftables new file mode 100644 index 0000000000..3a75dfced7 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables @@ -0,0 +1,384 @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +oifname \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/netw= orkxml2firewalldata/nat-tftp-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-tftp-linux.args rename to tests/networkxml2firewalldata/nat-tftp-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/= networkxml2firewalldata/nat-tftp-linux.nftables new file mode 100644 index 0000000000..15ac92c46a --- /dev/null +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables @@ -0,0 +1,274 @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +69 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +69 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +protocol \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests= /networkxml2firewalldata/route-default-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/route-default-linux.args rename to tests/networkxml2firewalldata/route-default-linux.iptables diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/t= ests/networkxml2firewalldata/route-default-linux.nftables new file mode 100644 index 0000000000..f56cc2d0bc --- /dev/null +++ b/tests/networkxml2firewalldata/route-default-linux.nftables @@ -0,0 +1,162 @@ +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +ip \ +daddr \ +192.168.122.0/24 \ +oifname \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index 3a9f409e2a..ab1c7b217d 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -85,7 +85,8 @@ testCommandDryRun(const char *const*args G_GNUC_UNUSED, =20 static int testCompareXMLToArgvFiles(const char *xml, const char *cmdline, - const char *baseargs) + const char *baseargs, + virFirewallBackend backend) { g_autofree char *actualargv =3D NULL; g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; @@ -98,7 +99,7 @@ static int testCompareXMLToArgvFiles(const char *xml, if (!(def =3D virNetworkDefParse(NULL, xml, NULL, false))) return -1; =20 - if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES) < 0) + if (networkAddFirewallRules(def, backend) < 0) return -1; =20 actual =3D actualargv =3D virBufferContentAndReset(&buf); @@ -119,6 +120,7 @@ static int testCompareXMLToArgvFiles(const char *xml, struct testInfo { const char *name; const char *baseargs; + virFirewallBackend backend; }; =20 =20 @@ -132,10 +134,11 @@ testCompareXMLToIPTablesHelper(const void *data) =20 xml =3D g_strdup_printf("%s/networkxml2firewalldata/%s.xml", abs_srcdir, info->name); - args =3D g_strdup_printf("%s/networkxml2firewalldata/%s-%s.args", - abs_srcdir, info->name, RULESTYPE); + args =3D g_strdup_printf("%s/networkxml2firewalldata/%s-%s.%s", + abs_srcdir, info->name, RULESTYPE, + virFirewallBackendTypeToString(info->backend)); =20 - result =3D testCompareXMLToArgvFiles(xml, args, info->baseargs); + result =3D testCompareXMLToArgvFiles(xml, args, info->baseargs, info->= backend); =20 return result; } @@ -145,24 +148,42 @@ static int mymain(void) { int ret =3D 0; - g_autofree char *basefile =3D NULL; - g_autofree char *baseargs =3D NULL; + g_autofree char *basefileIptables =3D NULL; + g_autofree char *basefileNftables =3D NULL; + g_autofree char *baseargsIptables =3D NULL; + g_autofree char *baseargsNftables =3D NULL; + const char *baseargs[VIR_FIREWALL_BACKEND_LAST]; =20 -# define DO_TEST(name) \ +# define DO_TEST_FOR_BACKEND(name, backend) \ do { \ struct testInfo info =3D { \ - name, baseargs, \ + name, baseargs[backend], backend \ }; \ - if (virTestRun("Network XML-2-iptables " name, \ - testCompareXMLToIPTablesHelper, &info) < 0) \ + g_autofree char *label =3D g_strdup_printf("Network XML-2-%s %s", \ + virFirewallBackendTypeToS= tring(backend), \ + name); \ + if (virTestRun(label, testCompareXMLToIPTablesHelper, &info) < 0) \ ret =3D -1; \ } while (0) =20 - basefile =3D g_strdup_printf("%s/networkxml2firewalldata/base.args", a= bs_srcdir); +# define DO_TEST(name) \ + DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_IPTABLES); \ + DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_NFTABLES); + + + basefileIptables =3D g_strdup_printf("%s/networkxml2firewalldata/base.= iptables", abs_srcdir); + if (virFileReadAll(basefileIptables, INT_MAX, &baseargsIptables) < 0) + return EXIT_FAILURE; + + baseargs[VIR_FIREWALL_BACKEND_IPTABLES] =3D baseargsIptables; =20 - if (virFileReadAll(basefile, INT_MAX, &baseargs) < 0) + basefileNftables =3D g_strdup_printf("%s/networkxml2firewalldata/base.= nftables", abs_srcdir); + if (virFileReadAll(basefileNftables, INT_MAX, &baseargsNftables) < 0) return EXIT_FAILURE; =20 + baseargs[VIR_FIREWALL_BACKEND_NFTABLES] =3D baseargsNftables; + + DO_TEST("nat-default"); DO_TEST("nat-tftp"); DO_TEST("nat-many-ips"); --=20 2.39.2