From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH v5 29/30] network: rename chains used by network driver nftables backend
Date: Fri, 17 May 2024 13:30:06 -0400
Message-ID: <20240517173007.8125-30-laine@redhat.com>
In-Reply-To: <20240517173007.8125-1-laine@redhat.com>
References: <20240517173007.8125-1-laine@redhat.com>

Because the chains added by the network driver nftables backend will go into a table used only by libvirt, we don't need to have "libvirt" in the chain names. Instead, we can make them more descriptive and less abrasive (by using lower case, and using full words rather than abbreviations).

Also (again because nobody else is using the private "libvirt_network" table) we can directly put our rules into the input ("guest_to_host"), output ("host_to_guest"), and postrouting ("guest_nat") chains rather than creating a subordinate chain as done in the iptables backend.

Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
--- src/network/network_nftables.c | 30 ++++----- .../nat-default-linux.nftables | 36 +++++----- .../nat-ipv6-linux.nftables | 58 ++++++++-------- .../nat-ipv6-masquerade-linux.nftables | 66 +++++++++---------- .../nat-many-ips-linux.nftables | 64 +++++++++--------- .../nat-no-dhcp-linux.nftables | 58 ++++++++-------- .../nat-tftp-linux.nftables | 40 +++++------ .../route-default-linux.nftables | 26 ++++---- 8 files changed, 188 insertions(+), 190 deletions(-) diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c index ec9194a8b8..12a2d4c6ad 100644 --- a/src/network/network_nftables.c +++ b/src/network/network_nftables.c @@ -40,12 +40,13 @@ VIR_LOG_INIT("network.nftables"); =20 #define VIR_FROM_THIS VIR_FROM_NONE =20 -#define VIR_NFTABLES_INPUT_CHAIN "LIBVIRT_INP" -#define VIR_NFTABLES_OUTPUT_CHAIN "LIBVIRT_OUT" -#define VIR_NFTABLES_FWD_IN_CHAIN "LIBVIRT_FWI" -#define VIR_NFTABLES_FWD_OUT_CHAIN "LIBVIRT_FWO" -#define VIR_NFTABLES_FWD_X_CHAIN "LIBVIRT_FWX" -#define VIR_NFTABLES_NAT_POSTROUTE_CHAIN "LIBVIRT_PRT" +#define VIR_NFTABLES_INPUT_CHAIN "guest_to_host" +#define VIR_NFTABLES_OUTPUT_CHAIN "host_to_guest" +#define VIR_NFTABLES_FORWARD_CHAIN "forward" +#define VIR_NFTABLES_FWD_IN_CHAIN "guest_input" +#define VIR_NFTABLES_FWD_OUT_CHAIN "guest_output" +#define VIR_NFTABLES_FWD_X_CHAIN "guest_cross" +#define VIR_NFTABLES_NAT_POSTROUTE_CHAIN "guest_nat" =20 /* we must avoid using the standard "filter" table as used by * iptables, as any subsequent attempts to use iptables commands will 
@@ -87,18 +88,15 @@ typedef struct { =20 nftablesGlobalChain nftablesChains[] =3D { /* chains for filter rules */ - {NULL, "INPUT", "{ type filter hook input priority 0; policy accept; }= "}, - {NULL, "FORWARD", "{ type filter hook forward priority 0; policy accep= t; }"}, - {NULL, "OUTPUT", "{ type filter hook output priority 0; policy accept;= }"}, - {"INPUT", VIR_NFTABLES_INPUT_CHAIN, NULL}, - {"OUTPUT", VIR_NFTABLES_OUTPUT_CHAIN, NULL}, - {"FORWARD", VIR_NFTABLES_FWD_OUT_CHAIN, NULL}, - {"FORWARD", VIR_NFTABLES_FWD_IN_CHAIN, NULL}, - {"FORWARD", VIR_NFTABLES_FWD_X_CHAIN, NULL}, + {NULL, VIR_NFTABLES_INPUT_CHAIN, "{ type filter hook input priority 0;= policy accept; }"}, + {NULL, VIR_NFTABLES_FORWARD_CHAIN, "{ type filter hook forward priorit= y 0; policy accept; }"}, + {NULL, VIR_NFTABLES_OUTPUT_CHAIN, "{ type filter hook output priority = 0; policy accept; }"}, + {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_OUT_CHAIN, NULL}, + {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_IN_CHAIN, NULL}, + {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_X_CHAIN, NULL}, =20 /* chains for NAT rules */ - {NULL, "POSTROUTING", "{ type nat hook postrouting priority 100; polic= y accept; }"}, - {"POSTROUTING", VIR_NFTABLES_NAT_POSTROUTE_CHAIN, NULL}, + {NULL, VIR_NFTABLES_NAT_POSTROUTE_CHAIN, "{ type nat hook postrouting = priority 100; policy accept; }"}, }; =20 =20 diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tes= ts/networkxml2firewalldata/nat-default-linux.nftables index 92b3dd7fc0..8b6e0ba406 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.nftables +++ b/tests/networkxml2firewalldata/nat-default-linux.nftables @@ -3,7 +3,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -16,7 +16,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -29,7 +29,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ 
@@ -42,7 +42,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -55,7 +55,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -68,7 +68,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -81,7 +81,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -94,7 +94,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -107,7 +107,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -117,7 +117,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -127,7 +127,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -139,7 +139,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip \ saddr \ 192.168.122.0/24 \ @@ -152,7 +152,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ ip \ @@ -168,7 +168,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -183,7 +183,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ udp \ @@ -203,7 +203,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ tcp \ @@ -223,7 +223,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -237,7 +237,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/= networkxml2firewalldata/nat-ipv6-linux.nftables index f8317415cf..03fb7397cd 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables 
@@ -3,7 +3,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -16,7 +16,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -29,7 +29,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -42,7 +42,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -55,7 +55,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -68,7 +68,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -81,7 +81,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -94,7 +94,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -107,7 +107,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -117,7 +117,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -127,7 +127,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -139,7 +139,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -149,7 +149,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -159,7 +159,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -171,7 +171,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -184,7 +184,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -197,7 +197,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ 
@@ -210,7 +210,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -223,7 +223,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -236,7 +236,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -249,7 +249,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip \ saddr \ 192.168.122.0/24 \ @@ -262,7 +262,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ ip \ @@ -278,7 +278,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -293,7 +293,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ udp \ @@ -313,7 +313,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ tcp \ @@ -333,7 +333,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -347,7 +347,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -361,7 +361,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip6 \ saddr \ 2001:db8:ca2:2::/64 \ @@ -374,7 +374,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ ip6 \ daddr \ 2001:db8:ca2:2::/64 \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftabl= es b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables index a15b38478b..012a3d5d47 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables @@ -3,7 +3,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -16,7 +16,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ 
@@ -29,7 +29,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -42,7 +42,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -55,7 +55,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -68,7 +68,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -81,7 +81,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -94,7 +94,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -107,7 +107,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -117,7 +117,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -127,7 +127,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -139,7 +139,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -149,7 +149,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -159,7 +159,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -171,7 +171,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -184,7 +184,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -197,7 +197,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -210,7 +210,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -223,7 +223,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ 
@@ -236,7 +236,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -249,7 +249,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip \ saddr \ 192.168.122.0/24 \ @@ -262,7 +262,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ ip \ @@ -278,7 +278,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -293,7 +293,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ udp \ @@ -313,7 +313,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ tcp \ @@ -333,7 +333,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -347,7 +347,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -361,7 +361,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip6 \ saddr \ 2001:db8:ca2:2::/64 \ @@ -374,7 +374,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ ip6 \ @@ -390,7 +390,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip6 \ saddr \ 2001:db8:ca2:2::/64 \ @@ -405,7 +405,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ udp \ @@ -425,7 +425,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ tcp \ @@ -445,7 +445,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip6 \ saddr \ 2001:db8:ca2:2::/64 \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/te= sts/networkxml2firewalldata/nat-many-ips-linux.nftables index bd88ec9d83..029274ea06 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables 
@@ -3,7 +3,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -16,7 +16,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -29,7 +29,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -42,7 +42,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -55,7 +55,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -68,7 +68,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -81,7 +81,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -94,7 +94,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -107,7 +107,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -117,7 +117,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -127,7 +127,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -139,7 +139,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip \ saddr \ 192.168.122.0/24 \ @@ -152,7 +152,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ ip \ @@ -168,7 +168,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -183,7 +183,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ udp \ @@ -203,7 +203,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ tcp \ @@ -223,7 +223,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ 
@@ -237,7 +237,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -251,7 +251,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip \ saddr \ 192.168.128.0/24 \ @@ -264,7 +264,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ ip \ @@ -280,7 +280,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.128.0/24 \ @@ -295,7 +295,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ udp \ @@ -315,7 +315,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ tcp \ @@ -335,7 +335,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.128.0/24 \ @@ -349,7 +349,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.128.0/24 \ @@ -363,7 +363,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip \ saddr \ 192.168.150.0/24 \ @@ -376,7 +376,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ ip \ @@ -392,7 +392,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.150.0/24 \ @@ -407,7 +407,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ udp \ @@ -427,7 +427,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ tcp \ @@ -447,7 +447,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.150.0/24 \ @@ -461,7 +461,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.150.0/24 \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tes= ts/networkxml2firewalldata/nat-no-dhcp-linux.nftables index f8317415cf..03fb7397cd 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables 
@@ -3,7 +3,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -16,7 +16,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -29,7 +29,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -42,7 +42,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -55,7 +55,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -68,7 +68,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -81,7 +81,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -94,7 +94,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -107,7 +107,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -117,7 +117,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -127,7 +127,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -139,7 +139,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -149,7 +149,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -159,7 +159,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -171,7 +171,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -184,7 +184,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -197,7 +197,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ 
@@ -210,7 +210,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -223,7 +223,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -236,7 +236,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -249,7 +249,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip \ saddr \ 192.168.122.0/24 \ @@ -262,7 +262,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ ip \ @@ -278,7 +278,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -293,7 +293,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ udp \ @@ -313,7 +313,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ tcp \ @@ -333,7 +333,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -347,7 +347,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -361,7 +361,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip6 \ saddr \ 2001:db8:ca2:2::/64 \ @@ -374,7 +374,7 @@ nft \ rule \ ip6 \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ ip6 \ daddr \ 2001:db8:ca2:2::/64 \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/= networkxml2firewalldata/nat-tftp-linux.nftables index a25935b831..dd84468ad6 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables @@ -3,7 +3,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -16,7 +16,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -29,7 +29,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ 
@@ -42,7 +42,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -55,7 +55,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -68,7 +68,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -81,7 +81,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -94,7 +94,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -107,7 +107,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -120,7 +120,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -133,7 +133,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -143,7 +143,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -153,7 +153,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -165,7 +165,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip \ saddr \ 192.168.122.0/24 \ @@ -178,7 +178,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ ip \ @@ -194,7 +194,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -209,7 +209,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ udp \ @@ -229,7 +229,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ meta \ l4proto \ tcp \ @@ -249,7 +249,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ @@ -263,7 +263,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_PRT \ +guest_nat \ ip \ saddr \ 192.168.122.0/24 \ 
diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/t= ests/networkxml2firewalldata/route-default-linux.nftables index 2337d50baf..c1cc8f05b1 100644 --- a/tests/networkxml2firewalldata/route-default-linux.nftables +++ b/tests/networkxml2firewalldata/route-default-linux.nftables @@ -3,7 +3,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -16,7 +16,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -29,7 +29,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -42,7 +42,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -55,7 +55,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ tcp \ @@ -68,7 +68,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_INP \ +guest_to_host \ iifname \ virbr0 \ udp \ @@ -81,7 +81,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ tcp \ @@ -94,7 +94,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_OUT \ +host_to_guest \ oifname \ virbr0 \ udp \ @@ -107,7 +107,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ iifname \ virbr0 \ counter \ @@ -117,7 +117,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ oifname \ virbr0 \ counter \ @@ -127,7 +127,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWX \ +guest_cross \ iifname \ virbr0 \ oifname \ @@ -139,7 +139,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWO \ +guest_output \ ip \ saddr \ 192.168.122.0/24 \ @@ -152,7 +152,7 @@ nft \ rule \ ip \ libvirt_network \ -LIBVIRT_FWI \ +guest_input \ ip \ daddr \ 192.168.122.0/24 \ --=20 2.45.0
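
Review bot: In the first hunk of src/network/network_nftables.c, the new hooked chain is named plain "forward" (VIR_NFTABLES_FORWARD_CHAIN) while the other hooked chains get direction-based names ("guest_to_host", "host_to_guest", "guest_nat"), and the commit message lists only those three, so "forward" and the "guest_input" / "guest_output" / "guest_cross" names are undocumented. A short comment above the #define block stating which names are attached to a hook, which are subordinate to "forward", and which traffic direction each covers would keep someone reading the ruleset from assuming "guest_input" belongs to the input hook rather than the forward hook.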
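
Review bot: In the nftablesChains[] hunk, the forward hook keeps three subordinate chains while the input, output and postrouting entries collapse to one hooked chain each, and neither the "/* chains for filter rules */" comment nor the commit message says why forward is the exception. If the split exists to keep the guest_output, guest_input and guest_cross rules grouped in a fixed order, state that in the array comment. The same comment should record that VIR_NFTABLES_INPUT_CHAIN, VIR_NFTABLES_OUTPUT_CHAIN and VIR_NFTABLES_NAT_POSTROUTE_CHAIN now name the hooked chains themselves (the entries with a NULL first field) rather than chains subordinate to them, since the macro names stayed the same while their meaning changed.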
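
Review bot: The index lines for tests/networkxml2firewalldata/nat-ipv6-linux.nftables and tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables are identical (f8317415cf..03fb7397cd), so the two expected-output files have the same content both before and after this change. If the no-dhcp case is meant to produce a different rule set, its expected file needs regenerating; if identical output is intended, a line in the commit message or next to the test saying so would stop the duplicate from reading as a copy error during future mechanical renames like this one.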