From nobody Thu Sep 19 01:07:57 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=fail; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1715969681288180.35197269503124; Fri, 17 May 2024 11:14:41 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 996) id CB8291E1D; Fri, 17 May 2024 14:14:39 -0400 (EDT) Received: from lists.libvirt.org (localhost [IPv6:::1]) by lists.libvirt.org (Postfix) with ESMTP id 275D71E6E; Fri, 17 May 2024 13:32:30 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 996) id 72D371C94; Fri, 17 May 2024 13:30:30 -0400 (EDT) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id DC4011A1C for ; Fri, 17 May 2024 13:30:13 -0400 (EDT) Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-2-dOinPGZEMe2nPNPctr9ebA-1; Fri, 17 May 2024 13:30:11 -0400 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 6EDA3185A780 for ; Fri, 17 May 2024 17:30:11 +0000 (UTC) Received: from vhost3.router.laine.org (unknown [10.22.16.223]) by smtp.corp.redhat.com (Postfix) with ESMTP id 5383E40C6EB7 for ; Fri, 17 May 2024 17:30:11 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-0.5 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE autolearn=unavailable autolearn_force=no version=3.4.4 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1715967013; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=D5vWCU6SExFysPf9108zIN22t/dRjgeIShWStp//dA4=; b=c9nCPk2/WQOKqhSuJxSj07YFbYdJnnAWyBxpTgV/C82c1mS1CrLXOu+bXUANJet/8G+AS7 G3sWE+UXtUah386a2cg1syXNqSVE5lC6rDUqLi9NwZYzXbds76cSYd6xbg9/+RJoGEDex1 laGL4ia/3IdRTPUTYaLd3M7wCrS4ISY= X-MC-Unique: dOinPGZEMe2nPNPctr9ebA-1 From: Laine Stump To: devel@lists.libvirt.org Subject: [PATCH v5 25/30] tests: test cases for nftables backend Date: Fri, 17 May 2024 13:30:02 -0400 Message-ID: <20240517173007.8125-26-laine@redhat.com> In-Reply-To: <20240517173007.8125-1-laine@redhat.com> References: <20240517173007.8125-1-laine@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.2 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: quoted-printable Message-ID-Hash: AKGX6I2MLYBICOSMTEYBFZZOIFM7S3II X-Message-ID-Hash: AKGX6I2MLYBICOSMTEYBFZZOIFM7S3II X-MailFrom: laine@redhat.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-config-1; header-match-config-2; header-match-config-3; header-match-devel.lists.libvirt.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; suspicious-header X-Mailman-Version: 3.2.2 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: fail (Header signature does not verify) X-ZM-MESSAGEID: 1715969683077100001 Content-Type: text/plain; charset="utf-8" Run all the networkxml2firewall tests twice - once with iptables backend, and once with the nftables backend. The results files for the existing iptables tests were previously named *.args. That has been changed to *.iptables, and the results files for the new nftables tests are named *.nftables. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrang=C3=A9 --- .../{base.args =3D> base.iptables} | 0 tests/networkxml2firewalldata/base.nftables | 256 ++++++++++ ...-linux.args =3D> nat-default-linux.iptables} | 0 .../nat-default-linux.nftables | 248 +++++++++ ...pv6-linux.args =3D> nat-ipv6-linux.iptables} | 0 .../nat-ipv6-linux.nftables | 384 ++++++++++++++ ...rgs =3D> nat-ipv6-masquerade-linux.iptables} | 0 .../nat-ipv6-masquerade-linux.nftables | 456 +++++++++++++++++ ...linux.args =3D> nat-many-ips-linux.iptables} | 0 .../nat-many-ips-linux.nftables | 472 ++++++++++++++++++ ...-linux.args =3D> nat-no-dhcp-linux.iptables} | 0 .../nat-no-dhcp-linux.nftables | 384 ++++++++++++++ ...ftp-linux.args =3D> nat-tftp-linux.iptables} | 0 .../nat-tftp-linux.nftables | 274 ++++++++++ ...inux.args =3D> route-default-linux.iptables} | 0 .../route-default-linux.nftables | 162 ++++++ tests/networkxml2firewalltest.c | 56 ++- 17 files changed, 2678 insertions(+), 14 deletions(-) rename tests/networkxml2firewalldata/{base.args =3D> base.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/base.nftables rename tests/networkxml2firewalldata/{nat-default-linux.args =3D> nat-defa= ult-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-default-linux.nftables rename tests/networkxml2firewalldata/{nat-ipv6-linux.args =3D> nat-ipv6-li= nux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-ipv6-linux.nftables rename tests/networkxml2firewalldata/{nat-ipv6-masquerade-linux.args =3D> = nat-ipv6-masquerade-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-ipv6-masquerade-linux= .nftables rename tests/networkxml2firewalldata/{nat-many-ips-linux.args =3D> nat-man= y-ips-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-many-ips-linux.nftabl= es rename tests/networkxml2firewalldata/{nat-no-dhcp-linux.args =3D> nat-no-d= hcp-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables rename tests/networkxml2firewalldata/{nat-tftp-linux.args =3D> nat-tftp-li= nux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/nat-tftp-linux.nftables rename tests/networkxml2firewalldata/{route-default-linux.args =3D> route-= default-linux.iptables} (100%) create mode 100644 tests/networkxml2firewalldata/route-default-linux.nftab= les diff --git a/tests/networkxml2firewalldata/base.args b/tests/networkxml2fir= ewalldata/base.iptables similarity index 100% rename from tests/networkxml2firewalldata/base.args rename to tests/networkxml2firewalldata/base.iptables diff --git a/tests/networkxml2firewalldata/base.nftables b/tests/networkxml= 2firewalldata/base.nftables new file mode 100644 index 0000000000..4f1f475a85 --- /dev/null +++ b/tests/networkxml2firewalldata/base.nftables @@ -0,0 +1,256 @@ +nft \ +list \ +table \ +ip \ +libvirt +nft \ +add \ +table \ +ip \ +libvirt +nft \ +add \ +chain \ +ip \ +libvirt \ +INPUT \ +'{ type filter hook input priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +FORWARD \ +'{ type filter hook forward priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +OUTPUT \ +'{ type filter hook output priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_INP +nft \ +insert \ +rule \ +ip \ +libvirt \ +INPUT \ +counter \ +jump \ +LIBVIRT_INP +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_OUT +nft \ +insert \ +rule \ +ip \ +libvirt \ +OUTPUT \ +counter \ +jump \ +LIBVIRT_OUT +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWO +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWO +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWI +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWI +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWX +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWX +nft \ +add \ +chain \ +ip \ +libvirt \ +POSTROUTING \ +'{ type nat hook postrouting priority 100; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_PRT +nft \ +insert \ +rule \ +ip \ +libvirt \ +POSTROUTING \ +counter \ +jump \ +LIBVIRT_PRT +nft \ +list \ +table \ +ip6 \ +libvirt +nft \ +add \ +table \ +ip6 \ +libvirt +nft \ +add \ +chain \ +ip6 \ +libvirt \ +INPUT \ +'{ type filter hook input priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +FORWARD \ +'{ type filter hook forward priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +OUTPUT \ +'{ type filter hook output priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_INP +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +INPUT \ +counter \ +jump \ +LIBVIRT_INP +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_OUT +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +OUTPUT \ +counter \ +jump \ +LIBVIRT_OUT +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWO +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWO +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWI +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWI +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWX +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWX +nft \ +add \ +chain \ +ip6 \ +libvirt \ +POSTROUTING \ +'{ type nat hook postrouting priority 100; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_PRT +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +POSTROUTING \ +counter \ +jump \ +LIBVIRT_PRT diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/n= etworkxml2firewalldata/nat-default-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-default-linux.args rename to tests/networkxml2firewalldata/nat-default-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tes= ts/networkxml2firewalldata/nat-default-linux.nftables new file mode 100644 index 0000000000..2dafe078a1 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-default-linux.nftables @@ -0,0 +1,248 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/netw= orkxml2firewalldata/nat-ipv6-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-ipv6-linux.args rename to tests/networkxml2firewalldata/nat-ipv6-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/= networkxml2firewalldata/nat-ipv6-linux.nftables new file mode 100644 index 0000000000..63d4d8e2a5 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables @@ -0,0 +1,384 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +oifname \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args b= /tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args rename to tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftabl= es b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables new file mode 100644 index 0000000000..e6d5dea661 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables @@ -0,0 +1,456 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=3D' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=3D' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=3D' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_PRT \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +ff02::/16 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/= networkxml2firewalldata/nat-many-ips-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-many-ips-linux.args rename to tests/networkxml2firewalldata/nat-many-ips-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/te= sts/networkxml2firewalldata/nat-many-ips-linux.nftables new file mode 100644 index 0000000000..e636916c7e --- /dev/null +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables @@ -0,0 +1,472 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.128.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.128.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.128.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.150.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.150.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.150.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.150.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.150.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.150.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/n= etworkxml2firewalldata/nat-no-dhcp-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-no-dhcp-linux.args rename to tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tes= ts/networkxml2firewalldata/nat-no-dhcp-linux.nftables new file mode 100644 index 0000000000..63d4d8e2a5 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables @@ -0,0 +1,384 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +oifname \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/netw= orkxml2firewalldata/nat-tftp-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/nat-tftp-linux.args rename to tests/networkxml2firewalldata/nat-tftp-linux.iptables diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/= networkxml2firewalldata/nat-tftp-linux.nftables new file mode 100644 index 0000000000..bb0598d011 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables @@ -0,0 +1,274 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +69 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +69 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests= /networkxml2firewalldata/route-default-linux.iptables similarity index 100% rename from tests/networkxml2firewalldata/route-default-linux.args rename to tests/networkxml2firewalldata/route-default-linux.iptables diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/t= ests/networkxml2firewalldata/route-default-linux.nftables new file mode 100644 index 0000000000..834f6366ae --- /dev/null +++ b/tests/networkxml2firewalldata/route-default-linux.nftables @@ -0,0 +1,162 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +ip \ +daddr \ +192.168.122.0/24 \ +oifname \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index 082979e5dc..4cabe39d1d 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c @@ -79,13 +79,21 @@ testCommandDryRun(const char *const*args G_GNUC_UNUSED, void *opaque G_GNUC_UNUSED) { *status =3D 0; - *output =3D g_strdup(""); + /* if arg[1] is -ae then this is an nft command, + * and the caller requested to get the handle + * of the newly added object in stdout + */ + if (STREQ_NULLABLE(args[1], "-ae")) + *output =3D g_strdup("# handle 5309"); + else + *output =3D g_strdup(""); *error =3D g_strdup(""); } =20 static int testCompareXMLToArgvFiles(const char *xml, const char *cmdline, - const char *baseargs) + const char *baseargs, + virFirewallBackend backend) { g_autofree char *actualargv =3D NULL; g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; @@ -98,7 +106,7 @@ static int testCompareXMLToArgvFiles(const char *xml, if (!(def =3D virNetworkDefParse(NULL, xml, NULL, false))) return -1; =20 - if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES, NULL) = < 0) + if (networkAddFirewallRules(def, backend, NULL) < 0) return -1; =20 actual =3D actualargv =3D virBufferContentAndReset(&buf); @@ -119,6 +127,7 @@ static int testCompareXMLToArgvFiles(const char *xml, struct testInfo { const char *name; const char *baseargs; + virFirewallBackend backend; }; =20 =20 @@ -132,10 +141,11 @@ testCompareXMLToIPTablesHelper(const void *data) =20 xml =3D g_strdup_printf("%s/networkxml2firewalldata/%s.xml", abs_srcdir, info->name); - args =3D g_strdup_printf("%s/networkxml2firewalldata/%s-%s.args", - abs_srcdir, info->name, RULESTYPE); + args =3D g_strdup_printf("%s/networkxml2firewalldata/%s-%s.%s", + abs_srcdir, info->name, RULESTYPE, + virFirewallBackendTypeToString(info->backend)); =20 - result =3D testCompareXMLToArgvFiles(xml, args, info->baseargs); + result =3D testCompareXMLToArgvFiles(xml, args, info->baseargs, info->= backend); =20 return result; } @@ -145,24 +155,42 @@ static int mymain(void) { int ret =3D 0; - g_autofree char *basefile =3D NULL; - g_autofree char *baseargs =3D NULL; + g_autofree char *basefileIptables =3D NULL; + g_autofree char *basefileNftables =3D NULL; + g_autofree char *baseargsIptables =3D NULL; + g_autofree char *baseargsNftables =3D NULL; + const char *baseargs[VIR_FIREWALL_BACKEND_LAST]; =20 -# define DO_TEST(name) \ +# define DO_TEST_FOR_BACKEND(name, backend) \ do { \ struct testInfo info =3D { \ - name, baseargs, \ + name, baseargs[backend], backend \ }; \ - if (virTestRun("Network XML-2-iptables " name, \ - testCompareXMLToIPTablesHelper, &info) < 0) \ + g_autofree char *label =3D g_strdup_printf("Network XML-2-%s %s", \ + virFirewallBackendTypeToS= tring(backend), \ + name); \ + if (virTestRun(label, testCompareXMLToIPTablesHelper, &info) < 0) \ ret =3D -1; \ } while (0) =20 - basefile =3D g_strdup_printf("%s/networkxml2firewalldata/base.args", a= bs_srcdir); +# define DO_TEST(name) \ + DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_IPTABLES); \ + DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_NFTABLES); =20 - if (virFileReadAll(basefile, INT_MAX, &baseargs) < 0) + + basefileIptables =3D g_strdup_printf("%s/networkxml2firewalldata/base.= iptables", abs_srcdir); + if (virFileReadAll(basefileIptables, INT_MAX, &baseargsIptables) < 0) return EXIT_FAILURE; =20 + baseargs[VIR_FIREWALL_BACKEND_IPTABLES] =3D baseargsIptables; + + basefileNftables =3D g_strdup_printf("%s/networkxml2firewalldata/base.= nftables", abs_srcdir); + if (virFileReadAll(basefileNftables, INT_MAX, &baseargsNftables) < 0) + return EXIT_FAILURE; + + baseargs[VIR_FIREWALL_BACKEND_NFTABLES] =3D baseargsNftables; + + DO_TEST("nat-default"); DO_TEST("nat-tftp"); DO_TEST("nat-many-ips"); --=20 2.45.0