From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH v5 30/30] network: eliminate pointless host input/output rules from nftables backend
Date: Fri, 17 May 2024 13:30:07 -0400
Message-ID: <20240517173007.8125-31-laine@redhat.com>
In-Reply-To: <20240517173007.8125-1-laine@redhat.com>
References: <20240517173007.8125-1-laine@redhat.com>
List-Id: Development discussions about the libvirt library & tools

The iptables backend (which was used as the model for the nftables backend) used the same "filter" and "nat" tables used by other services on the system (e.g. firewalld or any other host firewall management application), so it was possible that one of those other services would be blocking DNS, DHCP, or TFTP from guests to the host; we added our own rules at the beginning of the chain to allow this traffic no matter if someone else rejected it later.
But with nftables, each service uses its own table, and all traffic must be accepted by all tables no matter what - it's not possible for us to just insert a higher priority/earlier rule that will override some reject rule put in by, e.g., firewalld. Instead the firewalld (or other) table must be set up by that service to allow the traffic. That, along with the fact that our table is already "accept by default", makes it possible to eliminate the individual accept rules for DHCP, DNS, and TFTP. And once those rules are eliminated, there is no longer any need for the guest_to_host or host_to_guest tables.

Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
 src/network/network_nftables.c         |  36 +++-
 .../nat-default-linux.nftables         | 104 ----------
 .../nat-ipv6-linux.nftables            | 182 ------------------
 .../nat-ipv6-masquerade-linux.nftables | 182 ------------------
 .../nat-many-ips-linux.nftables        | 104 ----------
 .../nat-no-dhcp-linux.nftables         | 182 ------------------
 .../nat-tftp-linux.nftables            | 130 -------------
 .../route-default-linux.nftables       | 104 ----------
 8 files changed, 33 insertions(+), 991 deletions(-)

diff --git a/src/network/network_nftables.c b/src/network/network_nftables.c index 12a2d4c6ad..f3824ece99 100644 --- a/src/network/network_nftables.c +++ b/src/network/network_nftables.c @@ -40,8 +40,12 @@ VIR_LOG_INIT("network.nftables"); =20 #define VIR_FROM_THIS VIR_FROM_NONE =20 -#define VIR_NFTABLES_INPUT_CHAIN "guest_to_host" -#define VIR_NFTABLES_OUTPUT_CHAIN "host_to_guest" +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES +/* The input and output tables aren't currently used */ +# define VIR_NFTABLES_INPUT_CHAIN "guest_to_host" +# define VIR_NFTABLES_OUTPUT_CHAIN "host_to_guest" +#endif + #define VIR_NFTABLES_FORWARD_CHAIN "forward" #define VIR_NFTABLES_FWD_IN_CHAIN "guest_input" #define VIR_NFTABLES_FWD_OUT_CHAIN "guest_output" 
@@ -88,9 +92,14 @@ typedef struct { =20 nftablesGlobalChain nftablesChains[] =3D { /* chains for filter rules */ + +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES + /* nothing is being added to these chains now, so they are effective N= OPs */ {NULL, VIR_NFTABLES_INPUT_CHAIN, "{ type filter hook input priority 0;= policy accept; }"}, - {NULL, VIR_NFTABLES_FORWARD_CHAIN, "{ type filter hook forward priorit= y 0; policy accept; }"}, {NULL, VIR_NFTABLES_OUTPUT_CHAIN, "{ type filter hook output priority = 0; policy accept; }"}, +#endif + + {NULL, VIR_NFTABLES_FORWARD_CHAIN, "{ type filter hook forward priorit= y 0; policy accept; }"}, {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_OUT_CHAIN, NULL}, {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_IN_CHAIN, NULL}, {VIR_NFTABLES_FORWARD_CHAIN, VIR_NFTABLES_FWD_X_CHAIN, NULL}, @@ -209,6 +218,11 @@ nftablesSetupPrivateChains(virFirewallLayer layer) } =20 =20 +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES +/* currently these functions aren't used, but they remain in the + * source (uncompiled) as examples of adding specific rules to permit + * input/output of packets. in case the need arises in the future + */ static void nftablesAddInput(virFirewall *fw, virFirewallLayer layer, @@ -315,6 +329,9 @@ nftablesAddUdpOutput(virFirewall *fw, } =20 =20 +#endif + + /** * nftablesAddForwardAllowOut: * @@ -801,6 +818,14 @@ nftablesAddGeneralIPv4FirewallRules(virFirewall *fw, break; } =20 +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES + /* These rules copied from the iptables backend, have been removed + * from the nftab because they are redundant since we are using our own + * table that is default accept; there are no other users that + * could add a reject rule that we would need to / be able to + * override with these rules + */ + /* allow DHCP requests through to dnsmasq & back out */ nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 67); 
@@ -818,6 +843,7 @@ nftablesAddGeneralIPv4FirewallRules(virFirewall *fw, nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge, 69); } +#endif =20 /* Catch all rules to block forwarding to/from bridges */ nftablesAddForwardRejectOut(fw, VIR_FIREWALL_LAYER_IPV4, def->bridge); @@ -849,6 +875,9 @@ nftablesAddGeneralIPv6FirewallRules(virFirewall *fw, /* Allow traffic between guests on the same bridge */ nftablesAddForwardAllowCross(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge); =20 +#ifdef VIR_NFTABLES_INCLUDE_HOST_RULES + /* see the note above in nftablesAddGeneralIPv4FirewallRules */ + if (virNetworkDefGetIPByIndex(def, AF_INET6, 0)) { /* allow DNS over IPv6 & back out */ nftablesAddTcpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 53); @@ -859,6 +888,7 @@ nftablesAddGeneralIPv6FirewallRules(virFirewall *fw, nftablesAddUdpInput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 547); nftablesAddUdpOutput(fw, VIR_FIREWALL_LAYER_IPV6, def->bridge, 546= ); } +#endif } =20 =20 diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tes= ts/networkxml2firewalldata/nat-default-linux.nftables index 8b6e0ba406..298a83d088 100644 --- a/tests/networkxml2firewalldata/nat-default-linux.nftables +++ b/tests/networkxml2firewalldata/nat-default-linux.nftables 
@@ -3,110 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/= networkxml2firewalldata/nat-ipv6-linux.nftables index 03fb7397cd..615bb4e144 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables 
@@ -3,110 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ 
@@ -169,84 +65,6 @@ accept nft \ -ae insert \ rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -547 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -546 \ -counter \ -accept -nft \ --ae insert \ -rule \ ip \ libvirt_network \ guest_output \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftabl= es b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables index 012a3d5d47..27817d8a68 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables 
@@ -3,110 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ 
@@ -169,84 +65,6 @@ accept nft \ -ae insert \ rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -547 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -546 \ -counter \ -accept -nft \ --ae insert \ -rule \ ip \ libvirt_network \ guest_output \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/te= sts/networkxml2firewalldata/nat-many-ips-linux.nftables index 029274ea06..3ab6286d2c 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables 
@@ -3,110 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tes= ts/networkxml2firewalldata/nat-no-dhcp-linux.nftables index 03fb7397cd..615bb4e144 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables 
@@ -3,110 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ 
@@ -169,84 +65,6 @@ accept nft \ -ae insert \ rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -547 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip6 \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -546 \ -counter \ -accept -nft \ --ae insert \ -rule \ ip \ libvirt_network \ guest_output \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/= networkxml2firewalldata/nat-tftp-linux.nftables index dd84468ad6..298a83d088 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables 
@@ -3,136 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -69 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -69 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/t= ests/networkxml2firewalldata/route-default-linux.nftables index c1cc8f05b1..09a32f0949 100644 --- a/tests/networkxml2firewalldata/route-default-linux.nftables +++ b/tests/networkxml2firewalldata/route-default-linux.nftables 
@@ -3,110 +3,6 @@ nft \ rule \ ip \ libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -67 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -68 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -guest_to_host \ -iifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -tcp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ -host_to_guest \ -oifname \ -virbr0 \ -udp \ -dport \ -53 \ -counter \ -accept -nft \ --ae insert \ -rule \ -ip \ -libvirt_network \ guest_output \ iifname \ virbr0 \ --=20 2.45.0
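Review bot: in the hunk at @@ -40,8 +40,12 @@ the new comment `/* The input and output tables aren't currently used */` describes chains, not tables (VIR_NFTABLES_INPUT_CHAIN and VIR_NFTABLES_OUTPUT_CHAIN name guest_to_host and host_to_guest, which are chains inside the libvirt_network table), so it should read "input and output chains". More importantly, VIR_NFTABLES_INCLUDE_HOST_RULES is not defined anywhere in this patch, so everything under it is never compiled and will silently rot as the surrounding APIs change; if the code is kept as an example, a one-line comment at the first #ifdef saying the macro is intentionally undefined would stop a reader from hunting for it, and removing the code outright and relying on git history is the safer alternative.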
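Review bot: in the nftablesChains[] hunk at @@ -88,9 +92,14 @@ the comment `nothing is being added to these chains now, so they are effective NOPs` should read "effectively NOPs". Beyond wording, since guest_to_host and host_to_guest no longer appear in nftablesChains[], it is worth confirming that nftablesSetupPrivateChains (or whatever path recreates the libvirt_network table on daemon start) removes those two chains when they were left behind by an earlier daemon; empty accept-policy chains do not change filtering, but they will confuse anyone auditing the table after an upgrade.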
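Review bot: in the hunk at @@ -209,6 +218,11 @@ the new comment splits one sentence with a stray period: `input/output of packets. in case the need arises in the future` should be `input/output of packets, in case the need arises in the future`.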
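Review bot: in the nftablesAddGeneralIPv4FirewallRules hunk at @@ -801,6 +818,14 @@ the comment has two slips: `These rules copied from the iptables backend, have been removed` has a misplaced comma, and `removed from the nftab because` looks like a truncated "nftables backend". The removal itself is sound given the commit message's point that an accept in libvirt's own table cannot override another table's reject, but the consequence deserves a sentence in the commit message or user docs: with the nftables backend, guest DHCP (ports 67/68), DNS (53) and TFTP (69) reaching the host now depend entirely on the host firewall (firewalld or any other service with an input chain) allowing that traffic on the bridge interface, and on a host whose input chain policy is drop the guests lose DHCP and DNS with nothing in libvirt's table for an administrator to point at. A pointer to the firewalld configuration libvirt expects to provide that access would help whoever debugs it.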
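Review bot: in the test-data hunks, nat-tftp-linux.nftables now ends at blob 298a83d088, the same post-patch blob as nat-default-linux.nftables (8b6e0ba406..298a83d088), and nat-no-dhcp-linux.nftables already shared 03fb7397cd..615bb4e144 with nat-ipv6-linux.nftables, so the tftp and no-dhcp cases no longer produce output distinguishable from their base cases in the nftables backend. That is expected (the only rules that differed were the port 69 and DHCP accepts), but a note in the commit message would stop a later reader from taking the identical expectation files for a copy-paste mistake.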
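As an added illustration (not libvirt code) of the commit message's point that a packet must be accepted by every table's input chain, the following Python walks a constructed ruleset in the JSON shape of `nft -j list ruleset` and shows that libvirt's old guest_to_host accept rule cannot override a drop in another service's table. The table name hostfw, the eth0 interface and the ruleset contents are constructed for the example; only iifname and tcp/udp dport matches plus plain accept/drop/reject verdicts are modelled.

```python
import json

# Constructed ruleset in the JSON shape of `nft -j list ruleset` (metainfo and
# table objects omitted): libvirt's pre-patch guest_to_host accept for DHCP,
# plus a hypothetical host firewall table "hostfw" whose input chain drops
# everything that does not arrive on eth0.
RULESET_JSON = json.dumps({"nftables": [
    {"chain": {"family": "ip", "table": "libvirt_network", "name": "guest_to_host",
               "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}},
    {"rule": {"family": "ip", "table": "libvirt_network", "chain": "guest_to_host",
              "expr": [{"match": {"op": "==", "left": {"meta": {"key": "iifname"}},
                                  "right": "virbr0"}},
                       {"match": {"op": "==", "left": {"payload": {"protocol": "udp",
                                                                    "field": "dport"}},
                                  "right": 67}},
                       {"counter": {"packets": 0, "bytes": 0}},
                       {"accept": None}]}},
    {"chain": {"family": "ip", "table": "hostfw", "name": "input",
               "type": "filter", "hook": "input", "prio": 10, "policy": "drop"}},
    {"rule": {"family": "ip", "table": "hostfw", "chain": "input",
              "expr": [{"match": {"op": "==", "left": {"meta": {"key": "iifname"}},
                                  "right": "eth0"}},
                       {"accept": None}]}},
]})

VERDICTS = ("accept", "drop", "reject")


def _match(expr, pkt):
    """Evaluate one nft 'match' expression against a packet dict."""
    m = expr["match"]
    left = m["left"]
    if "meta" in left and left["meta"]["key"] == "iifname":
        actual = pkt["iifname"]
    elif "payload" in left:
        if left["payload"]["protocol"] != pkt["proto"]:
            return False
        actual = pkt[left["payload"]["field"]]
    else:
        return False  # anything this toy evaluator does not model never matches
    return (actual == m["right"]) if m["op"] == "==" else (actual != m["right"])


def chain_verdict(ruleset, chain, pkt):
    """The first rule whose matches all hold decides; otherwise the chain policy."""
    for entry in ruleset["nftables"]:
        rule = entry.get("rule")
        if not rule or rule["table"] != chain["table"] or rule["chain"] != chain["name"]:
            continue
        matches = [e for e in rule["expr"] if "match" in e]
        verdict = next((k for e in rule["expr"] for k in e if k in VERDICTS), None)
        if verdict and all(_match(e, pkt) for e in matches):
            return verdict
    return chain["policy"]


def input_verdict(ruleset_json, pkt):
    """Walk every base chain hooked at 'input' in priority order; the packet
    survives only if all of them accept it. Returns (verdict, refusing_table)."""
    ruleset = json.loads(ruleset_json)
    chains = sorted((e["chain"] for e in ruleset["nftables"]
                     if "chain" in e and e["chain"].get("hook") == "input"),
                    key=lambda c: c["prio"])
    for chain in chains:
        verdict = chain_verdict(ruleset, chain, pkt)
        if verdict != "accept":
            return verdict, chain["table"]
    return "accept", None


if __name__ == "__main__":
    dhcp_from_guest = {"iifname": "virbr0", "proto": "udp", "dport": 67}
    # libvirt's own accept does not save the packet: hostfw still drops it.
    print(input_verdict(RULESET_JSON, dhcp_from_guest))
```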