From nobody Wed Jan 15 09:59:41 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1682911277; cv=none; d=zohomail.com; s=zohoarc; b=dG4B/U+GXbzdG9WeSrqhvSz/9r4BnHvsKTDuOa93O2KVAhpqkDr0R/Ck9g1aoQ2pYn/NZTQQrOtNnvoVU4WymlAKSCtS/jZ0U7JsulFlnt7xOJk3EOG3+VrbxW7i/JSMKSsr/sGn9XekTyhUhujL6vQLYuaXk/3Ws4ySp63tt1Y= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1682911277; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=OzzbUMF7T/WvobUyfNEvrX5gWckI93Vr3gUHT/zHrv4=; b=NuKLVgkVYhRGjUYZrro3rPVcG6xuMCFx/pDoqgD4qRHKCbucLUp4pzXT+IISzjpDJNZlwO0sw83UDma/JkRtGaS3lzd1NBwFL3qGNLGubYX+WMkk/fgd/Wl6eSKataK976jQNF4ZFQL3gEH9xYpdRtnFw2NK6AltonQq99CeyiE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 1682911277646324.43932200333813; Sun, 30 Apr 2023 20:21:17 -0700 (PDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-670-WlfAnxvsPV6w4s4IJWAtWA-1; Sun, 30 Apr 2023 23:20:29 -0400 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id C3708A0F3A0; Mon, 1 May 2023 03:20:18 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id AEDF440C200B; Mon, 1 May 2023 03:20:18 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 1E8F4194E11A; Mon, 1 May 2023 03:20:10 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id D41FC1946A4F for ; Mon, 1 May 2023 03:20:05 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id 83B5F463ED0; Mon, 1 May 2023 03:19:47 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.8.105]) by smtp.corp.redhat.com (Postfix) with ESMTP id 69FAB463ECD for ; Mon, 1 May 2023 03:19:47 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1682911276; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=OzzbUMF7T/WvobUyfNEvrX5gWckI93Vr3gUHT/zHrv4=; b=FsY4+7WnU4d7WAYn2KeySEjtAoKKAL/TskkyTMvaEbzv07i25inKc0E1Vut6Ps7ixEfefr yWwiFzFB5/z29Yb/eYdjjAvBb+uXVBFWITZSo/h/sw5uA610lbT9By5SfKPxFO5Gxkumnv xkrVtxHPpBhpo+hkSyLWHVlTqLBcPV8= X-MC-Unique: WlfAnxvsPV6w4s4IJWAtWA-1 X-Original-To: libvir-list@listman.corp.redhat.com From: Laine Stump To: libvir-list@redhat.com Subject: [libvirt PATCH 22/28] network: turn on auto-rollback for the rules added for virtual networks Date: Sun, 30 Apr 2023 23:19:37 -0400 Message-Id: <20230501031943.288145-23-laine@redhat.com> In-Reply-To: <20230501031943.288145-1-laine@redhat.com> References: <20230501031943.288145-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10 X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libvir-list-bounces@redhat.com Sender: "libvir-list" X-Scanned-By: MIMEDefang 3.1 on 10.11.54.1 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) X-ZM-MESSAGEID: 1682911278029100007 Content-Type: text/plain; charset="utf-8"; x-default="true" So far this will only affect what happens if there is some failure while applying the firewall rules; the rollback rules aren't yet persistent beyond that time. More work is needed to remember the rollback rules while the network is active, and use those rules to remove the firewall for the network when it is destroyed. Note that the test case data changed because enabling auto-rollback will cause the nftables backend to add "-ae" to each commandline in order to retrieve the handle for the newly created table/chain/rule. (in our simplistic unit-test world, the handle is always "5309"). Signed-off-by: Laine Stump --- src/network/bridge_driver_linux.c | 15 +---- .../nat-default-linux.nftables | 36 +++++----- .../nat-ipv6-linux.nftables | 58 ++++++++-------- .../nat-ipv6-masquerade-linux.nftables | 66 +++++++++---------- .../nat-many-ips-linux.nftables | 64 +++++++++--------- .../nat-no-dhcp-linux.nftables | 58 ++++++++-------- .../nat-tftp-linux.nftables | 40 +++++------ .../route-default-linux.nftables | 26 ++++---- tests/networkxml2firewalltest.c | 9 ++- 9 files changed, 185 insertions(+), 187 deletions(-) diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_= linux.c index 058cfa1d80..f6bae334aa 100644 --- a/src/network/bridge_driver_linux.c +++ b/src/network/bridge_driver_linux.c @@ -915,7 +915,7 @@ networkAddFirewallRules(virNetworkDef *def, } } =20 - virFirewallStartTransaction(fw, 0); + virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK= ); =20 networkAddGeneralFirewallRules(fw, def); =20 @@ -926,17 +926,8 @@ networkAddFirewallRules(virNetworkDef *def, return -1; } =20 - virFirewallStartRollback(fw, 0); - - for (i =3D 0; - (ipdef =3D virNetworkDefGetIPByIndex(def, AF_UNSPEC, i)); - i++) { - if (networkRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0) - return -1; - } - networkRemoveGeneralFirewallRules(fw, def); - - virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS= ); + virFirewallStartTransaction(fw, (VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS + | VIR_FIREWALL_TRANSACTION_AUTO_ROLLB= ACK)); networkAddChecksumFirewallRules(fw, def); =20 return virFirewallApply(fw); diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tes= ts/networkxml2firewalldata/nat-default-linux.nftables index 7e01ceba97..7d3c767cc4 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.nftables +++ b/tests/networkxml2firewalldata/nat-default-linux.nftables @@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -113,7 +113,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -123,7 +123,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -135,7 +135,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -148,7 +148,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -164,7 +164,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -179,7 +179,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -199,7 +199,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -219,7 +219,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -233,7 +233,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/= networkxml2firewalldata/nat-ipv6-linux.nftables index 3a75dfced7..1fcfd8f709 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables @@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -113,7 +113,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -123,7 +123,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -135,7 +135,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -145,7 +145,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -155,7 +155,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -167,7 +167,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -180,7 +180,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -193,7 +193,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -206,7 +206,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -219,7 +219,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -232,7 +232,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -245,7 +245,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -258,7 +258,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -274,7 +274,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -289,7 +289,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -309,7 +309,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -329,7 +329,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -343,7 +343,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -357,7 +357,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -370,7 +370,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftabl= es b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables index 5959a920ff..c0594e8817 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables @@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -113,7 +113,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -123,7 +123,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -135,7 +135,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -145,7 +145,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -155,7 +155,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -167,7 +167,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -180,7 +180,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -193,7 +193,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -206,7 +206,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -219,7 +219,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -232,7 +232,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -245,7 +245,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -258,7 +258,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -274,7 +274,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -289,7 +289,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -309,7 +309,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -329,7 +329,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -343,7 +343,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -357,7 +357,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -370,7 +370,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -386,7 +386,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -401,7 +401,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -421,7 +421,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -441,7 +441,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/te= sts/networkxml2firewalldata/nat-many-ips-linux.nftables index 7cf989e040..ac9b3fcfbb 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables @@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -113,7 +113,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -123,7 +123,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -135,7 +135,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -148,7 +148,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -164,7 +164,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -179,7 +179,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -199,7 +199,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -219,7 +219,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -233,7 +233,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -247,7 +247,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -260,7 +260,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -276,7 +276,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -291,7 +291,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -311,7 +311,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -331,7 +331,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -345,7 +345,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -359,7 +359,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -372,7 +372,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -388,7 +388,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -403,7 +403,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -423,7 +423,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -443,7 +443,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -457,7 +457,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tes= ts/networkxml2firewalldata/nat-no-dhcp-linux.nftables index 3a75dfced7..1fcfd8f709 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables @@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -113,7 +113,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -123,7 +123,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -135,7 +135,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -145,7 +145,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -155,7 +155,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -167,7 +167,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -180,7 +180,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -193,7 +193,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -206,7 +206,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -219,7 +219,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -232,7 +232,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -245,7 +245,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -258,7 +258,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -274,7 +274,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -289,7 +289,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -309,7 +309,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -329,7 +329,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -343,7 +343,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -357,7 +357,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -370,7 +370,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/= networkxml2firewalldata/nat-tftp-linux.nftables index 15ac92c46a..2102aa97bc 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables @@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -116,7 +116,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -129,7 +129,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -139,7 +139,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -149,7 +149,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -161,7 +161,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -174,7 +174,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -190,7 +190,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -205,7 +205,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -225,7 +225,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -245,7 +245,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -259,7 +259,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/t= ests/networkxml2firewalldata/route-default-linux.nftables index f56cc2d0bc..834f6366ae 100644 --- a/tests/networkxml2firewalldata/route-default-linux.nftables +++ b/tests/networkxml2firewalldata/route-default-linux.nftables @@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -113,7 +113,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -123,7 +123,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -135,7 +135,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -148,7 +148,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index ab1c7b217d..6e9eca0832 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -79,7 +79,14 @@ testCommandDryRun(const char *const*args G_GNUC_UNUSED, void *opaque G_GNUC_UNUSED) { *status =3D 0; - *output =3D g_strdup(""); + /* if arg[1] is -ae then this is an nft command, + * and the caller requested to get the handle + * of the newly added object in stdout + */ + if (STREQ_NULLABLE(args[1], "-ae")) + *output =3D g_strdup("# handle 5309"); + else + *output =3D g_strdup(""); *error =3D g_strdup(""); } =20 --=20 2.39.2