From: Laine Stump
To: devel@lists.libvirt.org
Subject: [PATCH] network: add more firewall test cases
Date: Fri, 21 Jun 2024 08:17:58 -0400
Message-ID: <20240621121912.1021781-1-laine@redhat.com>

This patch adds some previously missing test cases that test for proper
firewall rule creation when the following are included in the network
definition:

*
* no forward element (an "isolated" network)
* nat port range when only ipv4 is nat-ed
* nat port range when both ipv4 & ipv6 are nat-ed
Signed-off-by: Laine Stump
Reviewed-by: Daniel P. Berrangé
---
If you ack this, please also push it, as I'm on vacation and only
sporadically connected.

 .../forward-dev-linux.iptables                |  154 +++++++
 .../forward-dev-linux.nftables                |  158 +++++++
 tests/networkxml2firewalldata/forward-dev.xml |   10 +
 .../isolated-linux.iptables                   |  159 ++++++++
 .../isolated-linux.nftables                   |   64 +++
 tests/networkxml2firewalldata/isolated.xml    |   15 +
 .../nat-port-range-ipv6-linux.iptables        |  317 ++++++++++++++
 .../nat-port-range-ipv6-linux.nftables        |  386 ++++++++++++++++++
 .../nat-port-range-ipv6.xml                   |   20 +
 .../nat-port-range-linux.iptables             |  283 +++++++++++++
 .../nat-port-range-linux.nftables             |  314 ++++++++++++++
 .../nat-port-range.xml                        |   20 +
 tests/networkxml2firewalltest.c               |    5 +
 13 files changed, 1905 insertions(+)
 create mode 100644 tests/networkxml2firewalldata/forward-dev-linux.iptables
 create mode 100644 tests/networkxml2firewalldata/forward-dev-linux.nftables
 create mode 100644 tests/networkxml2firewalldata/forward-dev.xml
 create mode 100644 tests/networkxml2firewalldata/isolated-linux.iptables
 create mode 100644 tests/networkxml2firewalldata/isolated-linux.nftables
 create mode 100644 tests/networkxml2firewalldata/isolated.xml
 create mode 100644 tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptables
 create mode 100644 tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables
 create mode 100644 tests/networkxml2firewalldata/nat-port-range-ipv6.xml
 create mode 100644 tests/networkxml2firewalldata/nat-port-range-linux.iptables
 create mode 100644 tests/networkxml2firewalldata/nat-port-range-linux.nftables
 create mode 100644 tests/networkxml2firewalldata/nat-port-range.xml

diff --git a/tests/networkxml2firewalldata/forward-dev-linux.iptables b/tests/networkxml2firewalldata/forward-dev-linux.iptables
new file mode 100644
index 0000000000..bc483c4512
--- /dev/null
+++ b/tests/networkxml2firewalldata/forward-dev-linux.iptables
@@ -0,0 +1,154 @@ +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 192.168.122.0/24 \ +--in-interface virbr0 \ +--out-interface enp0s7 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 192.168.122.0/24 \ +--in-interface enp0s7 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 '!' 
\ +--destination 192.168.122.0/24 \ +--out-interface enp0s7 \ +--jump MASQUERADE +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p udp '!' \ +--destination 192.168.122.0/24 \ +--out-interface enp0s7 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p tcp '!' \ +--destination 192.168.122.0/24 \ +--out-interface enp0s7 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--out-interface enp0s7 \ +--source 192.168.122.0/24 \ +--destination 255.255.255.255/32 \ +--jump RETURN +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--out-interface enp0s7 \ +--source 192.168.122.0/24 \ +--destination 224.0.0.0/24 \ +--jump RETURN +iptables \ +-w \ +--table mangle \ +--insert LIBVIRT_PRT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump CHECKSUM \ +--checksum-fill diff --git a/tests/networkxml2firewalldata/forward-dev-linux.nftables b/tes= ts/networkxml2firewalldata/forward-dev-linux.nftables new file mode 100644 index 0000000000..8badb74beb --- /dev/null +++ b/tests/networkxml2firewalldata/forward-dev-linux.nftables 
@@ -0,0 +1,158 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_output \ +iif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_cross \ +iif \ +virbr0 \ +oif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_output \ +ip \ +saddr \ +192.168.122.0/24 \ +iif \ +virbr0 \ +oifname \ +enp0s7 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_input \ +iifname \ +enp0s7 \ +oif \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +oifname \ +enp0s7 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +oifname \ +enp0s7 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +oifname \ +enp0s7 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +oifname \ +enp0s7 \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +oifname \ +enp0s7 \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/forward-dev.xml b/tests/networkx= ml2firewalldata/forward-dev.xml new file mode 100644 index 0000000000..8e49d3984d --- /dev/null +++ b/tests/networkxml2firewalldata/forward-dev.xml 
@@ -0,0 +1,10 @@ + + default + + + + + + + + diff --git a/tests/networkxml2firewalldata/isolated-linux.iptables b/tests/= networkxml2firewalldata/isolated-linux.iptables new file mode 100644 index 0000000000..135189ce41 --- /dev/null +++ b/tests/networkxml2firewalldata/isolated-linux.iptables 
@@ -0,0 +1,159 @@ +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table 
filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 547 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 546 \ +--jump ACCEPT +iptables \ +-w \ +--table mangle \ +--insert LIBVIRT_PRT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump CHECKSUM \ +--checksum-fill diff --git a/tests/networkxml2firewalldata/isolated-linux.nftables b/tests/= networkxml2firewalldata/isolated-linux.nftables new file mode 100644 index 0000000000..d1b4dac178 --- /dev/null +++ b/tests/networkxml2firewalldata/isolated-linux.nftables @@ -0,0 +1,64 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_output \ +iif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_cross \ +iif \ +virbr0 \ +oif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_output \ +iif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_cross \ +iif \ +virbr0 \ +oif \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalldata/isolated.xml b/tests/networkxml2= firewalldata/isolated.xml new file mode 100644 index 0000000000..0e3bed10d1 --- /dev/null 
+++ b/tests/networkxml2firewalldata/isolated.xml @@ -0,0 +1,15 @@ + + default + + + + + + + + + + + + + diff --git a/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptabl= es b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptables new file mode 100644 index 0000000000..c2e845cc4f --- /dev/null +++ b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptables 
@@ -0,0 +1,317 @@ +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table 
filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 547 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 546 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 192.168.122.0/24 \ +--in-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 192.168.122.0/24 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p udp '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 500-1000 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p tcp '!' 
\ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 500-1000 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 255.255.255.255/32 \ +--jump RETURN +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 224.0.0.0/24 \ +--jump RETURN +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 192.168.128.0/24 \ +--in-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 192.168.128.0/24 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 '!' \ +--destination 192.168.128.0/24 \ +--jump MASQUERADE +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 \ +-p udp '!' \ +--destination 192.168.128.0/24 \ +--jump MASQUERADE \ +--to-ports 500-1000 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 \ +-p tcp '!' \ +--destination 192.168.128.0/24 \ +--jump MASQUERADE \ +--to-ports 500-1000 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 \ +--destination 255.255.255.255/32 \ +--jump RETURN +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 \ +--destination 224.0.0.0/24 \ +--jump RETURN +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 2001:db8:ca2:2::/64 \ +--in-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 2001:db8:ca2:2::/64 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +ip6tables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 2001:db8:ca2:2::/64 '!' 
\ +--destination 2001:db8:ca2:2::/64 \ +--jump MASQUERADE +ip6tables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 2001:db8:ca2:2::/64 \ +-p udp '!' \ +--destination 2001:db8:ca2:2::/64 \ +--jump MASQUERADE \ +--to-ports 500-1000 +ip6tables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 2001:db8:ca2:2::/64 \ +-p tcp '!' \ +--destination 2001:db8:ca2:2::/64 \ +--jump MASQUERADE \ +--to-ports 500-1000 +ip6tables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 2001:db8:ca2:2::/64 \ +--destination ff02::/16 \ +--jump RETURN +iptables \ +-w \ +--table mangle \ +--insert LIBVIRT_PRT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump CHECKSUM \ +--checksum-fill diff --git a/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftabl= es b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables new file mode 100644 index 0000000000..ceaed6fa40 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables 
@@ -0,0 +1,386 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_output \ +iif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_cross \ +iif \ +virbr0 \ +oif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_output \ +iif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_cross \ +iif \ +virbr0 \ +oif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_output \ +ip \ +saddr \ +192.168.122.0/24 \ +iif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_output \ +ip \ +saddr 
\ +192.168.128.0/24 \ +iif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +ip \ +daddr \ +192.168.128.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.128.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_output \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_nat \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=3D' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +udp \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=3D' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +tcp \ +ip6 \ +saddr \ 
+2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +'!=3D' \ +2001:db8:ca2:2::/64 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_nat \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +ip6 \ +daddr \ +ff02::/16 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-port-range-ipv6.xml b/tests/= networkxml2firewalldata/nat-port-range-ipv6.xml new file mode 100644 index 0000000000..9a70764fa0 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-port-range-ipv6.xml @@ -0,0 +1,20 @@ + + default + + + + + + + + + + + + + + + + + + diff --git a/tests/networkxml2firewalldata/nat-port-range-linux.iptables b/= tests/networkxml2firewalldata/nat-port-range-linux.iptables new file mode 100644 index 0000000000..8e5c2c8193 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-port-range-linux.iptables 
@@ -0,0 +1,283 @@ +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table 
filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 547 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 546 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 192.168.122.0/24 \ +--in-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 192.168.122.0/24 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p udp '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 500-1000 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p tcp '!' 
\ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 500-1000 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 255.255.255.255/32 \ +--jump RETURN +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 224.0.0.0/24 \ +--jump RETURN +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 192.168.128.0/24 \ +--in-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 192.168.128.0/24 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 '!' \ +--destination 192.168.128.0/24 \ +--jump MASQUERADE +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 \ +-p udp '!' \ +--destination 192.168.128.0/24 \ +--jump MASQUERADE \ +--to-ports 500-1000 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 \ +-p tcp '!' \ +--destination 192.168.128.0/24 \ +--jump MASQUERADE \ +--to-ports 500-1000 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 \ +--destination 255.255.255.255/32 \ +--jump RETURN +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.128.0/24 \ +--destination 224.0.0.0/24 \ +--jump RETURN +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 2001:db8:ca2:2::/64 \ +--in-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 2001:db8:ca2:2::/64 \ +--out-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table mangle \ +--insert LIBVIRT_PRT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump CHECKSUM \ +--checksum-fill 
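Review bot: In nat-port-range-linux.iptables the final ip6tables rule inserted into LIBVIRT_FWI for `--destination 2001:db8:ca2:2::/64` carries no `--match conntrack --ctstate ESTABLISHED,RELATED`, unlike the IPv4 LIBVIRT_FWI rules for 192.168.122.0/24 and 192.168.128.0/24 earlier in the same hunk and unlike the ip6tables LIBVIRT_FWI rule in nat-port-range-ipv6-linux.iptables. That is what a routed, non-NATed IPv6 prefix should produce, but since this is the file that pins the "only ipv4 is nat-ed" case, one sentence in the commit message stating that inbound IPv6 to the guest prefix is accepted unconditionally here would keep the missing conntrack match from being read as an omission. The `--to-ports 500-1000` placement is right: it appears only on the `-p udp` and `-p tcp` MASQUERADE rules, and the protocol-less MASQUERADE rule before them has none, which iptables requires.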
diff --git a/tests/networkxml2firewalldata/nat-port-range-linux.nftables b/tests/networkxml2firewalldata/nat-port-range-linux.nftables new file mode 100644 index 0000000000..1dc37a26ec --- /dev/null +++ b/tests/networkxml2firewalldata/nat-port-range-linux.nftables
@@ -0,0 +1,314 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_output \ +iif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_cross \ +iif \ +virbr0 \ +oif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_output \ +iif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_cross \ +iif \ +virbr0 \ +oif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_output \ +ip \ +saddr \ +192.168.122.0/24 \ +iif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_output \ +ip \ +saddr 
\ +192.168.128.0/24 \ +iif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_input \ +oif \ +virbr0 \ +ip \ +daddr \ +192.168.128.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.128.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +'!=3D' \ +192.168.128.0/24 \ +counter \ +masquerade \ +to \ +:500-1000 +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt_network \ +guest_nat \ +ip \ +saddr \ +192.168.128.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_output \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iif \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt_network \ +guest_input \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +oif \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalldata/nat-port-range.xml b/tests/netwo= rkxml2firewalldata/nat-port-range.xml new file mode 100644 index 0000000000..81b29d3b72 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-port-range.xml @@ -0,0 +1,20 @@ + + default + + + + + + + + + + + + + + + + + + diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltes= t.c index 4cabe39d1d..f7b87ff798 100644 --- a/tests/networkxml2firewalltest.c +++ b/tests/networkxml2firewalltest.c 
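Review bot: the nftables expected output has no counterpart to the host-facing rules present in the iptables expected output for the same XML: there are no accept rules for DNS (port 53) or DHCPv6 (546/547) on virbr0 in the input/output direction, and no equivalent of the mangle CHECKSUM fill on udp dport 68. If the nftables backend intentionally leaves host input filtering to the distro firewall, that difference should be stated in the backend documentation or commit message, because a reader comparing nat-port-range-linux.iptables and nat-port-range-linux.nftables will otherwise assume one of the two is incomplete. The port-range handling itself looks consistent: `-ae insert` prepends, so in guest_nat the two `return` rules for 255.255.255.255/32 and 224.0.0.0/24 are evaluated first, then `meta l4proto tcp` / `meta l4proto udp` with `masquerade to :500-1000`, then the generic masquerade. (The `'!=3D'` tokens are quoted-printable for `'!='` and are an artefact of the mail transport, not the file.) The nat-port-range.xml body is not legible in this rendering, so the three subnets used above cannot be checked against it here.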
@@ -198,6 +198,11 @@ mymain(void) DO_TEST("nat-ipv6"); DO_TEST("nat-ipv6-masquerade"); DO_TEST("route-default"); + DO_TEST("forward-dev"); + DO_TEST("isolated"); + DO_TEST("forward-dev"); + DO_TEST("nat-port-range"); + DO_TEST("nat-port-range-ipv6"); =20 return ret =3D=3D 0 ? EXIT_SUCCESS : EXIT_FAILURE; } --=20 2.45.2
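Review bot: DO_TEST("forward-dev") is added twice in this hunk; drop one of them. Separately, "isolated" and "forward-dev" are not new data files in this patch, and the nat-port-range-ipv6 data files that the new DO_TEST("nat-port-range-ipv6") line needs do not appear in the part of the patch shown here; if they exist, listing them in the commit message would help, and if enabling the pre-existing isolated/forward-dev cases is unrelated to the port-range change, that belongs in its own commit.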