Add unit test files nwfilternftablestest.c and
nwfilterxml2nftfirewalltest.c, including data files in a new
nwfilterxml2nftfirewalldata directory.
The tests follow the same style and structure as those for the
ebiptables nwfilter driver.
Signed-off-by: Dion Bosschieter <dionbosschieter@gmail.com>
---
tests/meson.build | 2 +
tests/nwfilternftablestest.c | 428 ++
.../ah-ipv6-linux.args | 304 ++
.../nwfilterxml2nftfirewalldata/ah-linux.args | 298 ++
.../all-ipv6-linux.args | 286 ++
.../all-linux.args | 280 ++
.../arp-linux.args | 215 +
tests/nwfilterxml2nftfirewalldata/arp.xml | 27 +
.../comment-linux.args | 483 +++
.../conntrack-linux.args | 198 +
.../esp-ipv6-linux.args | 304 ++
.../esp-linux.args | 298 ++
.../example-1-linux.args | 266 ++
.../example-2-linux.args | 348 ++
.../hex-data-linux.args | 357 ++
.../icmp-direction-linux.args | 238 ++
.../icmp-direction2-linux.args | 238 ++
.../icmp-direction3-linux.args | 184 +
.../icmp-linux.args | 252 ++
.../icmpv6-linux.args | 322 ++
.../igmp-linux.args | 298 ++
.../nwfilterxml2nftfirewalldata/ip-linux.args | 198 +
.../ipt-no-macspoof-linux.args | 169 +
.../ipv6-linux.args | 474 +++
.../iter1-linux.args | 298 ++
.../iter2-linux.args | 3598 +++++++++++++++++
.../iter3-linux.args | 418 ++
.../mac-linux.args | 180 +
.../rarp-linux.args | 215 +
.../sctp-ipv6-linux.args | 314 ++
.../sctp-linux.args | 314 ++
.../target-linux.args | 452 +++
.../target2-linux.args | 316 ++
.../tcp-ipv6-linux.args | 314 ++
.../tcp-linux.args | 468 +++
.../udp-ipv6-linux.args | 314 ++
.../udp-linux.args | 314 ++
.../udplite-ipv6-linux.args | 304 ++
.../udplite-linux.args | 298 ++
.../vlan-linux.args | 264 ++
tests/nwfilterxml2nftfirewalltest.c | 438 ++
41 files changed, 15286 insertions(+)
create mode 100644 tests/nwfilternftablestest.c
create mode 100755 tests/nwfilterxml2nftfirewalldata/ah-ipv6-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/ah-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/all-ipv6-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/all-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/arp-linux.args
create mode 100644 tests/nwfilterxml2nftfirewalldata/arp.xml
create mode 100755 tests/nwfilterxml2nftfirewalldata/comment-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/conntrack-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/esp-ipv6-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/esp-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/example-1-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/example-2-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/hex-data-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/icmp-direction-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/icmp-direction2-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/icmp-direction3-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/icmp-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/icmpv6-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/igmp-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/ip-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/ipt-no-macspoof-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/ipv6-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/iter1-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/iter2-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/iter3-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/mac-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/rarp-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/sctp-ipv6-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/sctp-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/target-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/target2-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/tcp-ipv6-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/tcp-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/udp-ipv6-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/udp-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/udplite-ipv6-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/udplite-linux.args
create mode 100755 tests/nwfilterxml2nftfirewalldata/vlan-linux.args
create mode 100644 tests/nwfilterxml2nftfirewalltest.c
diff --git a/tests/meson.build b/tests/meson.build
index 383a38a6ea..2bc81ba7e2 100644
--- a/tests/meson.build
+++ b/tests/meson.build
@@ -436,7 +436,9 @@ endif
if conf.has('WITH_NWFILTER')
tests += [
{ 'name': 'nwfilterebiptablestest', 'link_with': [ nwfilter_driver_impl ] },
+ { 'name': 'nwfilternftablestest', 'link_with': [ nwfilter_driver_impl ] },
{ 'name': 'nwfilterxml2ebipfirewalltest', 'link_with': [ nwfilter_driver_impl ] },
+ { 'name': 'nwfilterxml2nftfirewalltest', 'link_with': [ nwfilter_driver_impl ] },
]
endif
diff --git a/tests/nwfilternftablestest.c b/tests/nwfilternftablestest.c
new file mode 100644
index 0000000000..8dfaec73d7
--- /dev/null
+++ b/tests/nwfilternftablestest.c
@@ -0,0 +1,428 @@
+/*
+ * nwfilternftablestest.c: Test nftables rule generation
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <config.h>
+
+#include "testutils.h"
+#include "nwfilter/nwfilter_nftables_driver.h"
+#include "virbuffer.h"
+
+#define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW
+#include "vircommandpriv.h"
+
+#define VIR_FROM_THIS VIR_FROM_NONE
+
+#define EXISTING_TABLE \
+ "table bridge %s { # handle 562\n" \
+ " comment \"this table is managed by libvirt\"\n" \
+ " map vmap-oif { # handle 1\n" \
+ " type iface_index : verdict\n" \
+ " elements = { \"vnet0\" : jump n-vnet0-in }\n" \
+ " }\n" \
+ "\n" \
+ " map vmap-iif { # handle 2\n" \
+ " type iface_index : verdict\n" \
+ " elements = { \"vnet0\" : jump vnet0-out }\n" \
+ " }\n" \
+ "\n" \
+ " chain postrouting { # handle 3\n" \
+ " type filter hook postrouting priority 1; policy accept;\n" \
+ " meta nftrace set 1 # handle 4\n" \
+ " oif vmap @vmap-oif # handle 7\n" \
+ " }\n" \
+ "\n" \
+ " chain prerouting { # handle 5\n" \
+ " type filter hook prerouting priority 1; policy accept;\n" \
+ " meta nftrace set 1 # handle 6\n" \
+ " iif vmap @vmap-iif # handle 8\n" \
+ " }\n" \
+ "\n" \
+ " chain n-vnet0-in { # handle 880\n" \
+ " ether type ip jump vnet0-ipv4-in # handle 893\n" \
+ " ether type ip6 jump vnet0-ipv6-in # handle 897\n" \
+ " }\n" \
+ "\n" \
+ " chain vnet0-in { # handle 880\n" \
+ " ether type ip jump vnet0-ipv4-in # handle 893\n" \
+ " ether type ip6 jump vnet0-ipv6-in # handle 897\n" \
+ " }\n" \
+ "\n" \
+ " chain vnet0-out { # handle 881\n" \
+ " ip6 saddr 2a01:7c8:e100:1::78e2 tcp dport 465-465 ct direction original drop comment \"priority=100\" # handle 882\n" \
+ " ip6 saddr 2a01:7c8:e100:1::78e2 tcp dport 587-587 ct direction original drop comment \"priority=100\" # handle 883\n" \
+ " ip saddr 192.168.1.2 tcp dport 25-25 ct direction original drop comment \"priority=100\" # handle 884\n" \
+ " ip saddr 192.168.1.2 tcp dport 587-587 ct direction original drop comment \"priority=100\" # handle 885\n" \
+ " ether type ip tcp dport 25-25 ct direction original drop comment \"priority=100\" # handle 886\n" \
+ " ether type ip6 tcp dport 25-25 ct direction original drop comment \"priority=100\" # handle 887\n" \
+ " ip6 daddr 2a01:7c8:e100:1::78e2 tcp dport 465-465 ct direction original accept comment \"priority=100\" # handle 888\n" \
+ " ip6 saddr 2a01:7c8:e100:1::78e2 udp dport 587-587 ct direction original drop comment \"priority=100\" # handle 889\n" \
+ " ip saddr 192.168.1.2 udp dport 25-25 ct direction original continue comment \"priority=100\" # handle 890\n" \
+ " ether type ip ct direction original continue comment \"priority=100\" # handle 891\n" \
+ " ether type ip jump vnet0-ipv4-out # handle 895\n" \
+ " ether type ip6 jump vnet0-ipv6-out # handle 899\n" \
+ " }\n" \
+ "\n" \
+ " chain vnet0-ipv4-in { # handle 892\n" \
+ " ip saddr 192.168.1.1 tcp dport 4444 ct direction reply ct state established,new accept comment \"priority=302\" # handle 902\n" \
+ " ether type ip meta l4proto tcp ct direction reply drop comment \"priority=601\" # handle 904\n" \
+ " ether type ip meta l4proto udp ct direction reply drop comment \"priority=603\" # handle 905\n" \
+ " }\n" \
+ "\n" \
+ " chain vnet0-ipv4-out { # handle 894\n" \
+ " ip protocol icmp ct count over 42 drop comment \"priority=400\" # handle 903\n" \
+ " }\n" \
+ "\n" \
+ " chain vnet0-ipv6-in { # handle 896\n" \
+ " ip6 daddr fe80::5054:ff:fe60:baae udp sport 547 udp dport 546 ct direction reply accept comment \"priority=111\" # handle 901\n" \
+ " }\n" \
+ "\n" \
+ " chain vnet0-ipv6-out { # handle 898\n" \
+ " ip6 saddr fe80::5054:ff:fe60:baae ip6 daddr ff02::1:2 udp sport 546 udp dport 547 ct direction original accept comment \"priority=110\" # handle 900\n" \
+ " }\n" \
+ "}\n"
+
+#define OLD_REMOVES \
+ "nft -a list table bridge libvirt-nwfilter-ethernet\n" \
+ "nft -a list table bridge libvirt-nwfilter-other\n" \
+ "nft delete chain bridge libvirt-nwfilter-ethernet vnet0-in\n" \
+ "nft delete chain bridge libvirt-nwfilter-ethernet vnet0-out\n" \
+ "nft delete chain bridge libvirt-nwfilter-ethernet vnet0-ipv4-in\n" \
+ "nft delete chain bridge libvirt-nwfilter-ethernet vnet0-ipv4-out\n" \
+ "nft delete chain bridge libvirt-nwfilter-ethernet vnet0-ipv6-in\n" \
+ "nft delete chain bridge libvirt-nwfilter-ethernet vnet0-ipv6-out\n" \
+ "nft delete chain bridge libvirt-nwfilter-other vnet0-in\n" \
+ "nft delete chain bridge libvirt-nwfilter-other vnet0-out\n" \
+ "nft delete chain bridge libvirt-nwfilter-other vnet0-ipv4-in\n" \
+ "nft delete chain bridge libvirt-nwfilter-other vnet0-ipv4-out\n" \
+ "nft delete chain bridge libvirt-nwfilter-other vnet0-ipv6-in\n" \
+ "nft delete chain bridge libvirt-nwfilter-other vnet0-ipv6-out\n"
+
+static void
+testCommandDryRunCallback(const char *const*args,
+ const char *const*env G_GNUC_UNUSED,
+ const char *input G_GNUC_UNUSED,
+ char **output,
+ char **error G_GNUC_UNUSED,
+ int *status,
+ void *opaque G_GNUC_UNUSED)
+{
+ size_t argc = 0;
+ const char *table;
+
+ while (args[argc] != NULL)
+ argc++;
+
+ if (STRNEQ(args[0], "nft")) {
+ *status = EXIT_FAILURE;
+ return;
+ }
+
+ /* simulate an empty existing set rules */
+ if (argc == 6 && STREQ(args[1], "-a") && STREQ(args[2], "list")) {
+ table = args[argc-1];
+ *output = g_strdup_printf(EXISTING_TABLE, table);
+ *status = EXIT_SUCCESS;
+ }
+}
+
+
+static int
+testNWFilterNFTablesAllTeardown(const void *opaque G_GNUC_UNUSED)
+{
+ g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+ const char *expected = OLD_REMOVES;
+ g_autofree char *actual = NULL;
+ g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
+
+ virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunCallback, NULL);
+
+ if (nftables_driver.allTeardown("vnet0") < 0)
+ return -1;
+
+ actual = virBufferContentAndReset(&buf);
+
+ if (virTestCompareToString(expected, actual) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
+testNWFilterNFTablesTearOldRules(const void *opaque G_GNUC_UNUSED)
+{
+ g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+ const char *expected =
+ "nft -a list table bridge libvirt-nwfilter-ethernet\n"
+ "nft -a list table bridge libvirt-nwfilter-other\n"
+ OLD_REMOVES
+ "nft rename chain bridge libvirt-nwfilter-ethernet n-vnet0-in vnet0-in\n"
+ "nft rename chain bridge libvirt-nwfilter-other n-vnet0-in vnet0-in\n";
+ g_autofree char *actual = NULL;
+ g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
+
+ virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunCallback, NULL);
+
+ if (nftables_driver.tearOldRules("vnet0") < 0)
+ return -1;
+
+ actual = virBufferContentAndReset(&buf);
+
+ if (virTestCompareToString(expected, actual) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
+testNWFilterNFTablesRemoveBasicRules(const void *opaque G_GNUC_UNUSED)
+{
+ g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+ const char *expected = OLD_REMOVES;
+ g_autofree char *actual = NULL;
+ g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
+
+ virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunCallback, NULL);
+
+ if (nftables_driver.removeBasicRules("vnet0") < 0)
+ return -1;
+
+ actual = virBufferContentAndReset(&buf);
+
+ if (virTestCompareToString(expected, actual) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
+testNWFilterNFTablesTearNewRules(const void *opaque G_GNUC_UNUSED)
+{
+ g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+ const char *expected =
+ "nft -a list table bridge libvirt-nwfilter-ethernet\n"
+ "nft -a list table bridge libvirt-nwfilter-other\n"\
+ "nft delete chain bridge libvirt-nwfilter-ethernet n-vnet0-in\n"
+ "nft delete chain bridge libvirt-nwfilter-other n-vnet0-in\n";
+ g_autofree char *actual = NULL;
+ g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
+
+ virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunCallback, NULL);
+
+ if (nftables_driver.tearNewRules("vnet0") < 0)
+ return -1;
+
+ actual = virBufferContentAndReset(&buf);
+
+ if (virTestCompareToString(expected, actual) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
+testNWFilterNFTablesApplyBasicRules(const void *opaque G_GNUC_UNUSED)
+{
+ g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+ const char *expected =
+ OLD_REMOVES
+ "nft list tables\n"
+ "nft add chain bridge libvirt-nwfilter-ethernet vnet0-in '{ }'\n"
+ "nft add chain bridge libvirt-nwfilter-other vnet0-in '{ }'\n"
+ "nft add chain bridge libvirt-nwfilter-ethernet vnet0-out '{ }'\n"
+ "nft add chain bridge libvirt-nwfilter-other vnet0-out '{ }'\n"
+ "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out ether saddr '!=' 10:20:30:40:50:60 drop\n"
+ "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out ether type ip accept\n"
+ "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out ether type arp accept\n"
+ "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out accept\n"
+ "nft delete element bridge libvirt-nwfilter-other vmap-oif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt-nwfilter-other vmap-oif '{' vnet0 : jump vnet0-in '}'\n"
+ "nft delete element bridge libvirt-nwfilter-ethernet vmap-oif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt-nwfilter-ethernet vmap-oif '{' vnet0 : jump vnet0-in '}'\n"
+ "nft delete element bridge libvirt-nwfilter-other vmap-iif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt-nwfilter-other vmap-iif '{' vnet0 : jump vnet0-out '}'\n"
+ "nft delete element bridge libvirt-nwfilter-ethernet vmap-iif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt-nwfilter-ethernet vmap-iif '{' vnet0 : jump vnet0-out '}'\n";
+ g_autofree char *actual = NULL;
+ virMacAddr mac = { .addr = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } };
+ g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
+
+ virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunCallback, NULL);
+
+ if (nftables_driver.applyBasicRules("vnet0", &mac) < 0)
+ return -1;
+
+ actual = virBufferContentAndReset(&buf);
+
+ if (virTestCompareToString(expected, actual) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
+testNWFilterNFTablesApplyDHCPOnlyRules(const void *opaque G_GNUC_UNUSED)
+{
+ g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+ const char *expected =
+ OLD_REMOVES
+ "nft list tables\n"
+ "nft add chain bridge libvirt-nwfilter-ethernet vnet0-in '{ }'\n"
+ "nft add chain bridge libvirt-nwfilter-other vnet0-in '{ }'\n"
+ "nft add chain bridge libvirt-nwfilter-ethernet vnet0-out '{ }'\n"
+ "nft add chain bridge libvirt-nwfilter-other vnet0-out '{ }'\n"
+ "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out ether saddr 10:20:30:40:50:60 ether type ip udp sport 68 udp dport 67 accept\n"
+ "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out drop\n"
+ "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in ether daddr 10:20:30:40:50:60 ether type ip ip saddr 192.168.122.1 udp sport 67 udp dport 68 accept\n"
+ "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in ether daddr ff:ff:ff:ff:ff:ff ether type ip ip saddr 192.168.122.1 udp sport 67 udp dport 68 accept\n"
+ "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in ether daddr 10:20:30:40:50:60 ether type ip ip saddr 10.0.0.1 udp sport 67 udp dport 68 accept\n"
+ "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in ether daddr ff:ff:ff:ff:ff:ff ether type ip ip saddr 10.0.0.1 udp sport 67 udp dport 68 accept\n"
+ "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in ether daddr 10:20:30:40:50:60 ether type ip ip saddr 10.0.0.2 udp sport 67 udp dport 68 accept\n"
+ "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in ether daddr ff:ff:ff:ff:ff:ff ether type ip ip saddr 10.0.0.2 udp sport 67 udp dport 68 accept\n"
+ "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in drop\n"
+ "nft delete element bridge libvirt-nwfilter-other vmap-oif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt-nwfilter-other vmap-oif '{' vnet0 : jump vnet0-in '}'\n"
+ "nft delete element bridge libvirt-nwfilter-ethernet vmap-oif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt-nwfilter-ethernet vmap-oif '{' vnet0 : jump vnet0-in '}'\n"
+ "nft delete element bridge libvirt-nwfilter-other vmap-iif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt-nwfilter-other vmap-iif '{' vnet0 : jump vnet0-out '}'\n"
+ "nft delete element bridge libvirt-nwfilter-ethernet vmap-iif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt-nwfilter-ethernet vmap-iif '{' vnet0 : jump vnet0-out '}'\n";
+ g_autofree char *actual = NULL;
+ virMacAddr mac = { .addr = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } };
+ const char *servers[] = { "192.168.122.1", "10.0.0.1", "10.0.0.2" };
+ virNWFilterVarValue val = {
+ .valType = NWFILTER_VALUE_TYPE_ARRAY,
+ .u = {
+ .array = {
+ .values = (char **)servers,
+ .nValues = 3,
+ }
+ }
+ };
+ g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
+
+ virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunCallback, NULL);
+
+ if (nftables_driver.applyDHCPOnlyRules("vnet0", &mac, &val, false) < 0)
+ return -1;
+
+ actual = virBufferContentAndReset(&buf);
+
+ if (virTestCompareToString(expected, actual) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+
+
+static int
+testNWFilterNFTablesApplyDropAllRules(const void *opaque G_GNUC_UNUSED)
+{
+ g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+ const char *expected =
+ OLD_REMOVES
+ "nft list tables\n"
+ "nft add chain bridge libvirt-nwfilter-ethernet vnet0-in '{ }'\n"
+ "nft add chain bridge libvirt-nwfilter-other vnet0-in '{ }'\n"
+ "nft add chain bridge libvirt-nwfilter-ethernet vnet0-out '{ }'\n"
+ "nft add chain bridge libvirt-nwfilter-other vnet0-out '{ }'\n"
+ "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out drop\n"
+ "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in drop\n"
+ "nft delete element bridge libvirt-nwfilter-other vmap-oif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt-nwfilter-other vmap-oif '{' vnet0 : jump vnet0-in '}'\n"
+ "nft delete element bridge libvirt-nwfilter-ethernet vmap-oif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt-nwfilter-ethernet vmap-oif '{' vnet0 : jump vnet0-in '}'\n"
+ "nft delete element bridge libvirt-nwfilter-other vmap-iif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt-nwfilter-other vmap-iif '{' vnet0 : jump vnet0-out '}'\n"
+ "nft delete element bridge libvirt-nwfilter-ethernet vmap-iif '{' vnet0 '}'\n"
+ "nft add element bridge libvirt-nwfilter-ethernet vmap-iif '{' vnet0 : jump vnet0-out '}'\n";
+ g_autofree char *actual = NULL;
+ g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
+
+ virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunCallback, NULL);
+
+ if (nftables_driver.applyDropAllRules("vnet0") < 0)
+ return -1;
+
+ actual = virBufferContentAndReset(&buf);
+
+ if (virTestCompareToString(expected, actual) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
+mymain(void)
+{
+ int ret = 0;
+
+ if (virTestRun("nftablesAllTeardown",
+ testNWFilterNFTablesAllTeardown,
+ NULL) < 0)
+ ret = -1;
+
+ if (virTestRun("nftablesTearOldRules",
+ testNWFilterNFTablesTearOldRules,
+ NULL) < 0)
+ ret = -1;
+
+ if (virTestRun("nftablesRemoveBasicRules",
+ testNWFilterNFTablesRemoveBasicRules,
+ NULL) < 0)
+ ret = -1;
+
+ if (virTestRun("nftablesTearNewRules",
+ testNWFilterNFTablesTearNewRules,
+ NULL) < 0)
+ ret = -1;
+
+ if (virTestRun("nftablesApplyBasicRules",
+ testNWFilterNFTablesApplyBasicRules,
+ NULL) < 0)
+ ret = -1;
+
+ if (virTestRun("nftablesApplyDHCPOnlyRules",
+ testNWFilterNFTablesApplyDHCPOnlyRules,
+ NULL) < 0)
+ ret = -1;
+
+ if (virTestRun("nftablesApplyDropAllRules",
+ testNWFilterNFTablesApplyDropAllRules,
+ NULL) < 0)
+ ret = -1;
+
+ return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+}
+
+VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virfirewall"))
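Review bot: The expected output in testNWFilterNFTablesApplyBasicRules pins an unconditional `accept` as the last rule of vnet0-out, right after `ether type ip accept` and `ether type arp accept`, which makes those two rules redundant and allows every ethertype once the source-MAC check has passed; the DHCP-only and drop-all expectations in this same file end their chains with `drop`. If the basic-rules chain is meant to be default-deny after the MAC check, the driver and this expectation should end with `"nft add rule bridge libvirt-nwfilter-ethernet vnet0-out drop\n"`; if the final accept is intentional, a short comment above the expectation saying so would keep the test from cementing an accidental policy. Separately, the comment `/* simulate an empty existing set rules */` in testCommandDryRunCallback contradicts the populated EXISTING_TABLE it returns and could read `/* simulate an existing table that already holds the vnet0 chains */`, and the stray `\` after the second string literal in testNWFilterNFTablesTearNewRules can be dropped.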
diff --git a/tests/nwfilterxml2nftfirewalldata/ah-ipv6-linux.args b/tests/nwfilterxml2nftfirewalldata/ah-ipv6-linux.args
new file mode 100755
index 0000000000..4a59213758
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/ah-ipv6-linux.args
@@ -0,0 +1,304 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+ah \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+f:e:d::c:b:a/127 \
+ip6 \
+daddr \
+a:b:c::d:e:f/128 \
+ip6 \
+dscp \
+2 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+ah \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+f:e:d::c:b:a/127 \
+ip6 \
+saddr \
+a:b:c::d:e:f/128 \
+ip6 \
+dscp \
+2 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+ah \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+a:b:c::/128 \
+ip6 \
+dscp \
+33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+ah \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+a:b:c::/128 \
+ip6 \
+dscp \
+33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+ah \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+::ffff:10.1.2.3/128 \
+ip6 \
+dscp \
+33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+ah \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+::ffff:10.1.2.3/128 \
+ip6 \
+dscp \
+33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
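Review bot: Two dispatch paths for the same interface are pinned in this expected output: a direct `oif vnet0 jump n-vnet0-in` rule added to `postrouting` (and `iif vnet0 jump n-vnet0-out` to `prerouting`), plus a `vmap-oif`/`vmap-iif` element carrying the same jump, whereas the basic-rules expectations in tests/nwfilternftablestest.c use only the vmap elements. Each vmap element is preceded by a `delete element`, but no matching delete is visible for the direct rules, so repeated applies would presumably leave stale jump rules in the base chains; it is worth confirming in the driver whether the direct rules are still needed. The ah-linux.args and all-ipv6-linux.args hunks pin the same sequence. The .args data files are also created with mode 100755 while arp.xml is 100644; test data does not need the executable bit.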
diff --git a/tests/nwfilterxml2nftfirewalldata/ah-linux.args b/tests/nwfilterxml2nftfirewalldata/ah-linux.args
new file mode 100755
index 0000000000..2cd4ea4604
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/ah-linux.args
@@ -0,0 +1,298 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+ah \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+ah \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+ah \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+ah \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+ah \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+ah \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
diff --git a/tests/nwfilterxml2nftfirewalldata/all-ipv6-linux.args b/tests/nwfilterxml2nftfirewalldata/all-ipv6-linux.args
new file mode 100755
index 0000000000..426169a28d
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/all-ipv6-linux.args
@@ -0,0 +1,286 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+f:e:d::c:b:a/127 \
+ip6 \
+daddr \
+a:b:c::d:e:f/128 \
+ip6 \
+dscp \
+2 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+f:e:d::c:b:a/127 \
+ip6 \
+saddr \
+a:b:c::d:e:f/128 \
+ip6 \
+dscp \
+2 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+a:b:c::/128 \
+ip6 \
+dscp \
+33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+a:b:c::/128 \
+ip6 \
+dscp \
+33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+::ffff:10.1.2.3/128 \
+ip6 \
+dscp \
+33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+::ffff:10.1.2.3/128 \
+ip6 \
+dscp \
+33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
diff --git a/tests/nwfilterxml2nftfirewalldata/all-linux.args b/tests/nwfilterxml2nftfirewalldata/all-linux.args
new file mode 100755
index 0000000000..ff8509e85e
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/all-linux.args
@@ -0,0 +1,280 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
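Review bot: The mirrored reply-direction rules keep `'ether saddr' 01:02:03:04:05:06` unchanged while the IP match is swapped, e.g. the `n-vnet0-in` rule with `ip saddr 10.1.2.3/32` and `ct direction reply` that follows the `n-vnet0-out` original. Return traffic carries that MAC as destination rather than source, so the reply rule probably never matches and established replies fall through to whatever rule comes next. The generator should emit `'ether daddr' 01:02:03:04:05:06` in the mirrored rule, or drop the MAC match there. The source XML is not part of this hunk, so the intended direction is inferred from the chain names. The same pattern is in esp-ipv6-linux.args, esp-linux.args and the udp and tcp rules of comment-linux.args.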
diff --git a/tests/nwfilterxml2nftfirewalldata/arp-linux.args b/tests/nwfilterxml2nftfirewalldata/arp-linux.args
new file mode 100755
index 0000000000..254e635294
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/arp-linux.args
@@ -0,0 +1,215 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+ether \
+type \
+0x806 \
+'arp htype' \
+12 \
+'arp operation' \
+1 \
+'arp ptype' \
+0x22 \
+'ether saddr' \
+01:02:03:04:05:06 \
+'ether daddr' \
+0a:0b:0c:0d:0e:0f \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+type \
+0x806 \
+'arp htype' \
+255 \
+'arp operation' \
+1 \
+'arp ptype' \
+0xff \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+type \
+0x806 \
+'arp htype' \
+256 \
+'arp operation' \
+11 \
+'arp ptype' \
+0x100 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+type \
+0x806 \
+'arp htype' \
+65535 \
+'arp operation' \
+65535 \
+'arp ptype' \
+0xffff \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
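Review bot: The first expected rule renders `arpsrcmacaddr` and `arpdstmacaddr` from arp.xml as `'ether saddr' 01:02:03:04:05:06` and `'ether daddr' 0a:0b:0c:0d:0e:0f`, which match the Ethernet header instead of the ARP payload. Together with the earlier `ether daddr '& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff'` the rule can never match. It also cannot distinguish an ARP packet whose sender hardware address differs from the frame source, which is the case these attributes exist to filter. nft has payload expressions for this, so the expected output should read `'arp saddr ether' 01:02:03:04:05:06` and `'arp daddr ether' 0a:0b:0c:0d:0e:0f`, with the fix made in the driver and the fixture regenerated.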
diff --git a/tests/nwfilterxml2nftfirewalldata/arp.xml b/tests/nwfilterxml2nftfirewalldata/arp.xml
new file mode 100644
index 0000000000..ba68f6d7cc
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/arp.xml
@@ -0,0 +1,27 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ hwtype='12'
+ protocoltype='34'
+ opcode='Request'
+ arpsrcmacaddr='1:2:3:4:5:6'
+ arpdstmacaddr='a:b:c:d:e:f'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='1' hwtype='255' protocoltype='255'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='11' hwtype='256' protocoltype='256'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='65535' hwtype='65535' protocoltype='65535' />
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2nftfirewalldata/comment-linux.args b/tests/nwfilterxml2nftfirewalldata/comment-linux.args
new file mode 100755
index 0000000000..ef6c4ed68b
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/comment-linux.args
@@ -0,0 +1,483 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-in \
+'ether type' \
+0x1234 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+type \
+ip \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+daddr \
+10.1.2.3/32 \
+'ip protocol' \
+17 \
+'th sport' \
+291-564 \
+'th dport' \
+13398-17767 \
+'ip dscp' \
+0x32 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:fe == 01:02:03:04:05:06' \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:80 == aa:bb:cc:dd:ee:ff' \
+ether \
+type \
+ip6 \
+ip6 \
+saddr \
+::ffff:10.1.2.3/22 \
+ip6 \
+daddr \
+::ffff:10.1.2.3/113 \
+'ip6 nexthdr' \
+6 \
+'th sport' \
+273-400 \
+'th dport' \
+13107-65535 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+ether \
+type \
+0x806 \
+'arp htype' \
+18 \
+'arp operation' \
+1 \
+'arp ptype' \
+0x56 \
+'ether saddr' \
+01:02:03:04:05:06 \
+'ether daddr' \
+0a:0b:0c:0d:0e:0f \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/32 \
+ip \
+dscp \
+34 \
+'udp dport' \
+564-1092 \
+'udp sport' \
+291-400 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500,usercomment=udp rule"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+dscp \
+34 \
+'udp sport' \
+564-1092 \
+'udp dport' \
+291-400 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500,usercomment=udp rule"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+tcp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+a:b:c::/128 \
+ip6 \
+dscp \
+57 \
+'tcp dport' \
+256-4369 \
+'tcp sport' \
+32-33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500,usercomment=tcp/ipv6 rule"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+tcp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+a:b:c::/128 \
+ip6 \
+dscp \
+57 \
+'tcp sport' \
+256-4369 \
+'tcp dport' \
+32-33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500,usercomment=tcp/ipv6 rule"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+udp \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500,usercomment=`ls`;${COLUMNS};$(ls);'\''test'\'';&'\''3 spaces'\''"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+udp \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500,usercomment=`ls`;${COLUMNS};$(ls);'\''test'\'';&'\''3 spaces'\''"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+sctp \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500,usercomment=comment with lone '\'', `, '\'', `, \, $x, and two spaces"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+sctp \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500,usercomment=comment with lone '\'', `, '\'', `, \, $x, and two spaces"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+ah \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500,usercomment=tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+ah \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500,usercomment=tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
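Review bot: The `usercomment=` cases here exercise shell metacharacters, but the value ends up inside an nft double-quoted string after `priority=500,`, and none of the visible cases contains a `"`, a newline or a `,priority=` sequence. Those inputs decide whether a user-supplied comment stays inside the comment token. They also decide whether the priority can be read back unambiguously, assuming the driver parses it from the comment. I would add a rule whose comment includes them and record the expected escaping or rejection in this file.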
diff --git a/tests/nwfilterxml2nftfirewalldata/conntrack-linux.args b/tests/nwfilterxml2nftfirewalldata/conntrack-linux.args
new file mode 100755
index 0000000000..e5e22a3460
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/conntrack-linux.args
@@ -0,0 +1,198 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+ct \
+count \
+over \
+1 \
+drop \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ct \
+count \
+over \
+2 \
+drop \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
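Review bot: `ct count over 1` and `ct count over 2` are emitted as bare statements, so as far as I can tell the limit is shared by every connection that reaches the rule, whereas iptables `connlimit` groups by source address by default. If the nwfilter `connlimit-above` attribute is meant to keep the per-address meaning, this needs a dynamic set keyed on the address. If per-interface counting is intended, say so in a comment in the driver and in the docs. The ICMP rule also selects the protocol with `ip protocol icmp` while the TCP rule uses `meta l4proto tcp`; one form for both would be easier to read.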
diff --git a/tests/nwfilterxml2nftfirewalldata/esp-ipv6-linux.args b/tests/nwfilterxml2nftfirewalldata/esp-ipv6-linux.args
new file mode 100755
index 0000000000..ede39e4c4b
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/esp-ipv6-linux.args
@@ -0,0 +1,304 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+esp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+f:e:d::c:b:a/127 \
+ip6 \
+daddr \
+a:b:c::d:e:f/128 \
+ip6 \
+dscp \
+2 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+esp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+f:e:d::c:b:a/127 \
+ip6 \
+saddr \
+a:b:c::d:e:f/128 \
+ip6 \
+dscp \
+2 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+esp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+a:b:c::/128 \
+ip6 \
+dscp \
+33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+esp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+a:b:c::/128 \
+ip6 \
+dscp \
+33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+esp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+::ffff:10.1.2.3/128 \
+ip6 \
+dscp \
+33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+esp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+::ffff:10.1.2.3/128 \
+ip6 \
+dscp \
+33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
diff --git a/tests/nwfilterxml2nftfirewalldata/esp-linux.args b/tests/nwfilterxml2nftfirewalldata/esp-linux.args
new file mode 100755
index 0000000000..500d069b80
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/esp-linux.args
@@ -0,0 +1,298 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+esp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+esp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+esp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+esp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+esp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+esp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
diff --git a/tests/nwfilterxml2nftfirewalldata/example-1-linux.args b/tests/nwfilterxml2nftfirewalldata/example-1-linux.args
new file mode 100755
index 0000000000..963d77b7c9
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/example-1-linux.args
@@ -0,0 +1,266 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+'tcp dport' \
+22 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=100"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+'tcp sport' \
+22 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=100"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=200"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=200"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=300"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=300"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+drop \
+comment \
+'"priority=1000"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+drop \
+comment \
+'"priority=1000"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
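Review bot: Interface dispatch is installed twice in this tail: once as `add rule ... postrouting oif vnet0 jump n-vnet0-in` and `prerouting iif vnet0 jump n-vnet0-out`, and again as `vmap-oif`/`vmap-iif` elements with the same jumps. One of the two looks like a leftover; if the base chains also carry a vmap lookup, every packet walks the per-interface chain twice. The vmap update is also a separate `nft delete element` followed by `nft add element`, so there is an interval with no entry for vnet0, and what happens to traffic then depends on the base chain, which is not shown. Both statements could go through one `nft -f -` transaction. The same tail closes every .args fixture in this patch.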
diff --git a/tests/nwfilterxml2nftfirewalldata/example-2-linux.args b/tests/nwfilterxml2nftfirewalldata/example-2-linux.args
new file mode 100755
index 0000000000..ffff3f1628
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/example-2-linux.args
@@ -0,0 +1,348 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+ct \
+direction \
+original \
+ct \
+state \
+established,related \
+accept \
+comment \
+'"priority=100,usercomment=out: existing and related (ftp) connections"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+ct \
+direction \
+reply \
+ct \
+state \
+established,related \
+accept \
+comment \
+'"priority=100,usercomment=out: existing and related (ftp) connections"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+ct \
+direction \
+original \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=100,usercomment=in: existing connections"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=100,usercomment=in: existing connections"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+'tcp dport' \
+21-22 \
+ct \
+direction \
+original \
+ct \
+state \
+new \
+accept \
+comment \
+'"priority=200,usercomment=in: ftp and ssh"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+'tcp sport' \
+21-22 \
+ct \
+direction \
+reply \
+ct \
+state \
+new \
+accept \
+comment \
+'"priority=200,usercomment=in: ftp and ssh"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+ct \
+state \
+new \
+accept \
+comment \
+'"priority=300,usercomment=in: icmp"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+ct \
+state \
+new \
+accept \
+comment \
+'"priority=300,usercomment=in: icmp"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+'udp dport' \
+53 \
+ct \
+direction \
+original \
+ct \
+state \
+new \
+accept \
+comment \
+'"priority=300,usercomment=out: DNS lookups"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+'udp sport' \
+53 \
+ct \
+direction \
+reply \
+ct \
+state \
+new \
+accept \
+comment \
+'"priority=300,usercomment=out: DNS lookups"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+drop \
+comment \
+'"priority=1000,usercomment=inout: drop all non-accepted traffic"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+drop \
+comment \
+'"priority=1000,usercomment=inout: drop all non-accepted traffic"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
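Review bot: Rules that carry an explicit state are mirrored with that state unchanged, which gives two odd results in this file. `'tcp sport' 21-22 ct direction reply ct state new` and `'udp sport' 53 ct direction reply ct state new` can never match, because a reply-direction packet is never in state new. The ICMP rule tagged `usercomment=in: icmp` is also emitted in `n-vnet0-out` as `ip protocol icmp ct state new accept` without a direction match, so the guest may open new ICMP flows outward although the comment describes an inbound rule. I would skip the mirror when the rule sets only `ct state new`. The source XML is not in this diff, so the original direction is inferred from the comments.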
diff --git a/tests/nwfilterxml2nftfirewalldata/hex-data-linux.args b/tests/nwfilterxml2nftfirewalldata/hex-data-linux.args
new file mode 100755
index 0000000000..c14b85460a
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/hex-data-linux.args
@@ -0,0 +1,357 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-in \
+'ether type' \
+0x1234 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+type \
+ip \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+daddr \
+10.1.2.3/32 \
+'ip protocol' \
+17 \
+'th sport' \
+291-564 \
+'th dport' \
+13398-17767 \
+'ip dscp' \
+0x32 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:fe == 01:02:03:04:05:06' \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:80 == aa:bb:cc:dd:ee:ff' \
+ether \
+type \
+ip6 \
+ip6 \
+saddr \
+::ffff:10.1.2.3/22 \
+ip6 \
+daddr \
+::ffff:10.1.2.3/113 \
+'ip6 nexthdr' \
+6 \
+'th sport' \
+273-400 \
+'th dport' \
+13107-65535 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+ether \
+type \
+0x806 \
+'arp htype' \
+18 \
+'arp operation' \
+1 \
+'arp ptype' \
+0x56 \
+'ether saddr' \
+01:02:03:04:05:06 \
+'ether daddr' \
+0a:0b:0c:0d:0e:0f \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/32 \
+ip \
+dscp \
+34 \
+'udp dport' \
+564-1092 \
+'udp sport' \
+291-400 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+dscp \
+34 \
+'udp sport' \
+564-1092 \
+'udp dport' \
+291-400 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+tcp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+a:b:c::/128 \
+ip6 \
+dscp \
+57 \
+'tcp dport' \
+256-4369 \
+'tcp sport' \
+32-33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+tcp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+a:b:c::/128 \
+ip6 \
+dscp \
+57 \
+'tcp sport' \
+256-4369 \
+'tcp dport' \
+32-33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
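Review bot: The ARP rule in this fixture (the fourth `nft add rule`, with `ether type 0x806`) ends with `'ether saddr' 01:02:03:04:05:06` and `'ether daddr' 0a:0b:0c:0d:0e:0f` after the `arp ptype` match, so it tests the Ethernet header a second time. That second `ether daddr` contradicts the masked `== aa:bb:cc:dd:ee:ff` match earlier in the same rule, so as written the rule can never match. The two trailing values look like the ARP payload hardware addresses (presumably the ARP source/destination MAC attributes of the XML, which is not shown here), for which nft has `arp saddr ether 01:02:03:04:05:06` and `arp daddr ether 0a:0b:0c:0d:0e:0f`. The driver output and this expectation should be corrected together, otherwise the test pins a translation that does not filter on the ARP payload at all.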
diff --git a/tests/nwfilterxml2nftfirewalldata/icmp-direction-linux.args b/tests/nwfilterxml2nftfirewalldata/icmp-direction-linux.args
new file mode 100755
index 0000000000..cfa1afd466
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/icmp-direction-linux.args
@@ -0,0 +1,238 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+icmp \
+type \
+0 \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+icmp \
+type \
+0 \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+icmp \
+type \
+8 \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+icmp \
+type \
+8 \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+drop \
+comment \
+'"priority=600"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+drop \
+comment \
+'"priority=600"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
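Review bot: The accept rules for a single ICMP type are mirrored into the opposite chain with the same type: `icmp type 0 ct state new,established accept` in `n-vnet0-in` is followed by `icmp type 0 ct state established accept` in `n-vnet0-out`, and likewise for type 8. An echo exchange is answered with a different type, so the mirrored rule is not the return path of the first one. It only permits the same message type in the direction the filter did not ask for, once conntrack treats the flow as established. If the source XML (not in this hunk) marks these rules as direction-specific, the expected output should carry only the requested direction and leave everything else to the `priority=600` drop. icmp-direction2-linux.args has the same pattern with the types swapped.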
diff --git a/tests/nwfilterxml2nftfirewalldata/icmp-direction2-linux.args b/tests/nwfilterxml2nftfirewalldata/icmp-direction2-linux.args
new file mode 100755
index 0000000000..56c30766ac
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/icmp-direction2-linux.args
@@ -0,0 +1,238 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+icmp \
+type \
+8 \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+icmp \
+type \
+8 \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+icmp \
+type \
+0 \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+icmp \
+type \
+0 \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+drop \
+comment \
+'"priority=600"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+drop \
+comment \
+'"priority=600"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
diff --git a/tests/nwfilterxml2nftfirewalldata/icmp-direction3-linux.args b/tests/nwfilterxml2nftfirewalldata/icmp-direction3-linux.args
new file mode 100755
index 0000000000..6de47f0994
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/icmp-direction3-linux.args
@@ -0,0 +1,184 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+drop \
+comment \
+'"priority=600"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+drop \
+comment \
+'"priority=600"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
diff --git a/tests/nwfilterxml2nftfirewalldata/icmp-linux.args b/tests/nwfilterxml2nftfirewalldata/icmp-linux.args
new file mode 100755
index 0000000000..a5aba05334
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/icmp-linux.args
@@ -0,0 +1,252 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+icmp \
+type \
+12 \
+icmp \
+code \
+11 \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+icmp \
+type \
+12 \
+icmp \
+code \
+11 \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+icmp \
+type \
+255 \
+icmp \
+code \
+255 \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+ip \
+protocol \
+icmp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+icmp \
+type \
+255 \
+icmp \
+code \
+255 \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
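Review bot: `'ether saddr' 01:02:03:04:05:06` is emitted unchanged in both halves of each rule pair, while the IP match is flipped (`ip daddr 10.1.2.3/32` in `n-vnet0-out`, `ip saddr 10.1.2.3/32` in `n-vnet0-in`). A frame travelling in the reverse direction has that MAC as its destination, not its source, so the `ct state established` half can only match when both endpoints share the address. The mirrored rule should either use `ether daddr 01:02:03:04:05:06` or omit the MAC match. The same applies to the `meta l4proto udp` and `meta l4proto tcp` pairs in hex-data-linux.args and to the pairs in icmpv6-linux.args and igmp-linux.args.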
diff --git a/tests/nwfilterxml2nftfirewalldata/icmpv6-linux.args b/tests/nwfilterxml2nftfirewalldata/icmpv6-linux.args
new file mode 100755
index 0000000000..baaab3a720
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/icmpv6-linux.args
@@ -0,0 +1,322 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+ip6 \
+nexthdr \
+icmpv6 \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+f:e:d::c:b:a/127 \
+ip6 \
+daddr \
+a:b:c::d:e:f/128 \
+ip6 \
+dscp \
+2 \
+icmpv6 \
+type \
+12 \
+icmpv6 \
+code \
+11 \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+ip6 \
+nexthdr \
+icmpv6 \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+f:e:d::c:b:a/127 \
+ip6 \
+saddr \
+a:b:c::d:e:f/128 \
+ip6 \
+dscp \
+2 \
+icmpv6 \
+type \
+12 \
+icmpv6 \
+code \
+11 \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+ip6 \
+nexthdr \
+icmpv6 \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+a:b:c::/128 \
+ip6 \
+dscp \
+33 \
+icmpv6 \
+type \
+255 \
+icmpv6 \
+code \
+255 \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+ip6 \
+nexthdr \
+icmpv6 \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+a:b:c::/128 \
+ip6 \
+dscp \
+33 \
+icmpv6 \
+type \
+255 \
+icmpv6 \
+code \
+255 \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+ip6 \
+nexthdr \
+icmpv6 \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+::ffff:10.1.2.3/128 \
+ip6 \
+dscp \
+33 \
+icmpv6 \
+type \
+255 \
+icmpv6 \
+code \
+255 \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+ip6 \
+nexthdr \
+icmpv6 \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+::ffff:10.1.2.3/128 \
+ip6 \
+dscp \
+33 \
+icmpv6 \
+type \
+255 \
+icmpv6 \
+code \
+255 \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
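Review bot: Every rule here selects ICMPv6 with `ip6 nexthdr icmpv6`, which compares only the Next Header field of the fixed IPv6 header, so a packet that carries an extension header before the ICMPv6 message does not match. For these accept rules such packets fall through to whatever follows, and a drop rule generated the same way would not be applied to them. `meta l4proto icmpv6` matches the upper-layer protocol regardless of extension headers, and this series already emits that form for TCP and UDP over IPv6 (`meta l4proto tcp` in hex-data-linux.args). The same concern applies to `'ip6 nexthdr' 58`, `6` and `17` in ipv6-linux.args.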
diff --git a/tests/nwfilterxml2nftfirewalldata/igmp-linux.args b/tests/nwfilterxml2nftfirewalldata/igmp-linux.args
new file mode 100755
index 0000000000..4f8de57a39
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/igmp-linux.args
@@ -0,0 +1,298 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+igmp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+igmp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+igmp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+igmp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+igmp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+igmp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
diff --git a/tests/nwfilterxml2nftfirewalldata/ip-linux.args b/tests/nwfilterxml2nftfirewalldata/ip-linux.args
new file mode 100755
index 0000000000..c4951b0d45
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/ip-linux.args
@@ -0,0 +1,198 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+type \
+ip \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+daddr \
+10.1.2.3/32 \
+'ip protocol' \
+17 \
+'th sport' \
+20-22 \
+'th dport' \
+100-101 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+type \
+ip \
+ip \
+saddr \
+10.1.2.3/17 \
+ip \
+daddr \
+10.1.2.3/24 \
+'ip protocol' \
+17 \
+'ip dscp' \
+0x3f \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-in \
+ether \
+type \
+ip \
+ip \
+saddr \
+10.1.2.3/31 \
+ip \
+daddr \
+10.1.2.3/25 \
+'ip protocol' \
+255 \
+'ip dscp' \
+0x3f \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
diff --git a/tests/nwfilterxml2nftfirewalldata/ipt-no-macspoof-linux.args b/tests/nwfilterxml2nftfirewalldata/ipt-no-macspoof-linux.args
new file mode 100755
index 0000000000..2646905c98
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/ipt-no-macspoof-linux.args
@@ -0,0 +1,169 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+'ether saddr' \
+'!=' \
+12:34:56:78:9a:bc \
+drop \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+'ether saddr' \
+'!=' \
+12:34:56:78:9a:bc \
+drop \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+'ether saddr' \
+'!=' \
+aa:aa:aa:aa:aa:aa \
+drop \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
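Review bot: `n-vnet0-in` receives two negated drops, `'ether saddr' '!=' 12:34:56:78:9a:bc drop` and `'ether saddr' '!=' aa:aa:aa:aa:aa:aa drop`. No frame can carry both source addresses, so every IPv4 frame entering that chain is dropped. The chain is reached from `postrouting oif vnet0`, so it sees frames being delivered to the interface, whose source MAC is the remote sender's rather than the address a MAC-spoofing check is meant to pin. The source-MAC condition probably belongs only in `n-vnet0-out` (reached from `prerouting iif vnet0`). Whether the XML really asks for both directions is not visible here and should be confirmed before this output is fixed as the expectation.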
diff --git a/tests/nwfilterxml2nftfirewalldata/ipv6-linux.args b/tests/nwfilterxml2nftfirewalldata/ipv6-linux.args
new file mode 100755
index 0000000000..5b1715f687
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/ipv6-linux.args
@@ -0,0 +1,474 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:fe == 01:02:03:04:05:06' \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:80 == aa:bb:cc:dd:ee:ff' \
+ether \
+type \
+ip6 \
+ip6 \
+saddr \
+::ffff:10.1.2.3/22 \
+ip6 \
+daddr \
+::ffff:10.1.2.3/113 \
+'ip6 nexthdr' \
+17 \
+'th sport' \
+20-22 \
+'th dport' \
+100-101 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+ip6 \
+saddr \
+1::2/128 \
+ip6 \
+daddr \
+a:b:c::/65 \
+'ip6 nexthdr' \
+6 \
+'th sport' \
+20-22 \
+'th dport' \
+100-101 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+ip6 \
+daddr \
+1::2/128 \
+ip6 \
+saddr \
+a:b:c::/65 \
+'ip6 nexthdr' \
+6 \
+'th dport' \
+20-22 \
+'th sport' \
+100-101 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+ip6 \
+saddr \
+1::2/128 \
+ip6 \
+daddr \
+a:b:c::/65 \
+'ip6 nexthdr' \
+6 \
+'th sport' \
+255-256 \
+'th dport' \
+65535-65535 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+ip6 \
+daddr \
+1::2/128 \
+ip6 \
+saddr \
+a:b:c::/65 \
+'ip6 nexthdr' \
+6 \
+'th dport' \
+255-256 \
+'th sport' \
+65535-65535 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+ip6 \
+saddr \
+1::2/128 \
+ip6 \
+daddr \
+a:b:c::/65 \
+'ip6 nexthdr' \
+18 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+ip6 \
+daddr \
+1::2/128 \
+ip6 \
+saddr \
+a:b:c::/65 \
+'ip6 nexthdr' \
+18 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+ip6 \
+saddr \
+1::2/128 \
+ip6 \
+daddr \
+a:b:c::/65 \
+'ip6 nexthdr' \
+58 \
+'icmpv6 type' \
+1 \
+'icmpv6 code' \
+10 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+ip6 \
+daddr \
+1::2/128 \
+ip6 \
+saddr \
+a:b:c::/65 \
+'ip6 nexthdr' \
+58 \
+'icmpv6 type' \
+1 \
+'icmpv6 code' \
+10 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+ip6 \
+saddr \
+1::2/128 \
+ip6 \
+daddr \
+a:b:c::/65 \
+'ip6 nexthdr' \
+58 \
+'icmpv6 type' \
+1 \
+'icmpv6 code' \
+10 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+ip6 \
+daddr \
+1::2/128 \
+ip6 \
+saddr \
+a:b:c::/65 \
+'ip6 nexthdr' \
+58 \
+'icmpv6 type' \
+1 \
+'icmpv6 code' \
+10 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+ip6 \
+saddr \
+1::2/128 \
+ip6 \
+daddr \
+a:b:c::/65 \
+'ip6 nexthdr' \
+58 \
+'icmpv6 code' \
+10 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+ip6 \
+daddr \
+1::2/128 \
+ip6 \
+saddr \
+a:b:c::/65 \
+'ip6 nexthdr' \
+58 \
+'icmpv6 code' \
+10 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+ip6 \
+saddr \
+1::2/128 \
+ip6 \
+daddr \
+a:b:c::/65 \
+'ip6 nexthdr' \
+58 \
+'icmpv6 type' \
+1 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+ip6 \
+daddr \
+1::2/128 \
+ip6 \
+saddr \
+a:b:c::/65 \
+'ip6 nexthdr' \
+58 \
+'icmpv6 type' \
+1 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
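Review bot: The rule pair with `'icmpv6 type' 1` and `'icmpv6 code' 10` appears twice in identical form (the eighth/ninth and tenth/eleventh `nft add rule` commands). No ICMPv6 type or code is rendered as a range anywhere in the file, although port ranges such as `20-22` are. If the source rules differ in an end-of-range attribute for type or code (the XML is not part of this hunk), the translation is dropping it and this fixture would lock that in. The expected output would then need a range form such as `'icmpv6 type' 1-11` (illustrative values, take the real ones from the XML). If the XML does repeat the rule, a short comment there saying why would help.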
diff --git a/tests/nwfilterxml2nftfirewalldata/iter1-linux.args b/tests/nwfilterxml2nftfirewalldata/iter1-linux.args
new file mode 100755
index 0000000000..18a8c2e166
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/iter1-linux.args
@@ -0,0 +1,298 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+2 \
+'tcp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+2 \
+'tcp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+2 \
+'tcp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+2 \
+'tcp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+2 \
+'tcp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+2 \
+'tcp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
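Review bot: The expected commands replace the `vmap-oif` and `vmap-iif` entries for vnet0 with a separate `nft delete element` followed by `nft add element`, so the update is not atomic and vnet0 briefly has no verdict-map entry between the two invocations. The same fixture also adds linear `postrouting oif vnet0 jump n-vnet0-in` and `prerouting iif vnet0 jump n-vnet0-out` rules, so if the base chains also consult the vmap (not visible in this hunk), each packet would traverse the per-interface chain twice. This file is expected output, so the change belongs in the driver that generates it: I would submit the delete and add as one batch through `nft -f -`, taking care that a missing element does not abort the batch, and keep only one of the two dispatch mechanisms. The tail of the preceding fixture shows the same sequence. Separately, `new file mode 100755` marks a data fixture as executable here and in iter2-linux.args; `100644` is enough for a file that is only read by the test.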
diff --git a/tests/nwfilterxml2nftfirewalldata/iter2-linux.args b/tests/nwfilterxml2nftfirewalldata/iter2-linux.args
new file mode 100755
index 0000000000..8391f933d5
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/iter2-linux.args
@@ -0,0 +1,3598 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+1 \
+'tcp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+1 \
+'tcp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+1 \
+'tcp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+1 \
+'tcp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+1 \
+'tcp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+1 \
+'tcp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+2 \
+'udp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+2 \
+'udp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+2 \
+'udp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+2 \
+'udp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+2 \
+'udp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+2 \
+'udp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+2 \
+'udp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+2 \
+'udp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+2 \
+'udp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+2 \
+'udp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+2 \
+'udp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+2 \
+'udp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+3 \
+'sctp dport' \
+1080 \
+'sctp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+3 \
+'sctp sport' \
+1080 \
+'sctp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+3 \
+'sctp dport' \
+1080 \
+'sctp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+3 \
+'sctp sport' \
+1080 \
+'sctp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+3 \
+'sctp dport' \
+1080 \
+'sctp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+3 \
+'sctp sport' \
+1080 \
+'sctp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+3 \
+'sctp dport' \
+1090 \
+'sctp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+3 \
+'sctp sport' \
+1090 \
+'sctp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+3 \
+'sctp dport' \
+1090 \
+'sctp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+3 \
+'sctp sport' \
+1090 \
+'sctp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+3 \
+'sctp dport' \
+1090 \
+'sctp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+3 \
+'sctp sport' \
+1090 \
+'sctp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+3 \
+'sctp dport' \
+1100 \
+'sctp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+3 \
+'sctp sport' \
+1100 \
+'sctp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+3 \
+'sctp dport' \
+1100 \
+'sctp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+3 \
+'sctp sport' \
+1100 \
+'sctp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+3 \
+'sctp dport' \
+1100 \
+'sctp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+3 \
+'sctp sport' \
+1100 \
+'sctp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+3 \
+'sctp dport' \
+1110 \
+'sctp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+3 \
+'sctp sport' \
+1110 \
+'sctp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+3 \
+'sctp dport' \
+1110 \
+'sctp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+3 \
+'sctp sport' \
+1110 \
+'sctp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+3 \
+'sctp dport' \
+1110 \
+'sctp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+3 \
+'sctp sport' \
+1110 \
+'sctp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1080 \
+'tcp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1080 \
+'tcp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1080 \
+'tcp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1080 \
+'tcp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1080 \
+'tcp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1080 \
+'tcp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1080 \
+'tcp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1080 \
+'tcp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1080 \
+'tcp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1080 \
+'tcp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1080 \
+'tcp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1080 \
+'tcp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1090 \
+'tcp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1090 \
+'tcp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1090 \
+'tcp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1090 \
+'tcp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1090 \
+'tcp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1090 \
+'tcp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1090 \
+'tcp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1090 \
+'tcp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1090 \
+'tcp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1090 \
+'tcp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1090 \
+'tcp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1090 \
+'tcp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1100 \
+'tcp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1100 \
+'tcp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1100 \
+'tcp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1100 \
+'tcp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1100 \
+'tcp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1100 \
+'tcp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1100 \
+'tcp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1100 \
+'tcp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1100 \
+'tcp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1100 \
+'tcp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1100 \
+'tcp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1100 \
+'tcp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1110 \
+'tcp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1110 \
+'tcp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1110 \
+'tcp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1110 \
+'tcp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1110 \
+'tcp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1110 \
+'tcp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1110 \
+'tcp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1110 \
+'tcp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1110 \
+'tcp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1110 \
+'tcp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+4 \
+'tcp dport' \
+1110 \
+'tcp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+4 \
+'tcp sport' \
+1110 \
+'tcp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+5 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+5 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+5 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+5 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+5 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+5 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+5 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+5 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+5 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+5 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+5 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+5 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+5 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+5 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+5 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+5 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+5 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+5 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+6 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+6 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+6 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+6 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+dscp \
+6 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+daddr \
+3.3.3.3 \
+ip \
+saddr \
+3.3.3.3 \
+ip \
+dscp \
+6 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
diff --git a/tests/nwfilterxml2nftfirewalldata/iter3-linux.args b/tests/nwfilterxml2nftfirewalldata/iter3-linux.args
new file mode 100755
index 0000000000..d4446f13ed
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/iter3-linux.args
@@ -0,0 +1,418 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+1 \
+'tcp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+1 \
+'tcp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+1.1.1.1 \
+ip \
+dscp \
+1 \
+'tcp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+ip \
+daddr \
+1.1.1.1 \
+ip \
+dscp \
+1 \
+'tcp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+2 \
+'udp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+2 \
+'udp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+2 \
+'udp sport' \
+90 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+2 \
+'udp dport' \
+90 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+saddr \
+2.2.2.2 \
+ip \
+dscp \
+3 \
+'sctp dport' \
+1100 \
+'sctp sport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+ip \
+daddr \
+2.2.2.2 \
+ip \
+dscp \
+3 \
+'sctp sport' \
+1100 \
+'sctp dport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
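Review bot: The tail of this expected output, from `add rule … postrouting oif vnet0 jump n-vnet0-in` to the final `add element … vmap-iif`, attaches vnet0 to its chains twice: once as a plain jump rule and once as a vmap element. It also replaces each vmap entry with a separate `nft delete element` followed by `nft add element`. If the base chains also dispatch through the vmaps (not visible here), packets would traverse `n-vnet0-in`/`n-vnet0-out` twice. Because each line is its own nft invocation, the swap is not atomic, so a failure between the two commands leaves the interface without a vmap entry. It would help to state which dispatch path is authoritative and to issue the delete/add pair in one transaction, for example a single `nft -f` batch; the same tail is pinned in the mac, rarp, sctp-ipv6, sctp and target fixtures in this patch.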
diff --git a/tests/nwfilterxml2nftfirewalldata/mac-linux.args b/tests/nwfilterxml2nftfirewalldata/mac-linux.args
new file mode 100755
index 0000000000..d5a7083019
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/mac-linux.args
@@ -0,0 +1,180 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+'ether type' \
+0x806 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-in \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+'ether type' \
+0x800 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-in \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+'ether type' \
+0x600 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-in \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+'ether type' \
+0xffff \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
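Review bot: `new file mode 100755` marks this expected-output fixture as executable, as it does for the other new `.args` files in this patch. They appear to be read only as comparison data by the test, so `100644` is the appropriate mode. Keeping the executable bit off data files also avoids them being picked up by tooling that treats executable files under `tests/` as scripts.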
diff --git a/tests/nwfilterxml2nftfirewalldata/rarp-linux.args b/tests/nwfilterxml2nftfirewalldata/rarp-linux.args
new file mode 100755
index 0000000000..fbeae86d98
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/rarp-linux.args
@@ -0,0 +1,215 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+ether \
+type \
+0x8035 \
+'arp htype' \
+12 \
+'arp operation' \
+1 \
+'arp ptype' \
+0x22 \
+'ether saddr' \
+01:02:03:04:05:06 \
+'ether daddr' \
+0a:0b:0c:0d:0e:0f \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+type \
+0x8035 \
+'arp htype' \
+255 \
+'arp operation' \
+1 \
+'arp ptype' \
+0xff \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+type \
+0x8035 \
+'arp htype' \
+256 \
+'arp operation' \
+11 \
+'arp ptype' \
+0x100 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+type \
+0x8035 \
+'arp htype' \
+65535 \
+'arp operation' \
+65535 \
+'arp ptype' \
+0xffff \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
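Review bot: The first rule cannot match as written: it requires `ether daddr '& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff'` and then, after the `arp ptype` match, adds `'ether daddr' 0a:0b:0c:0d:0e:0f`, which are two different values for the same Ethernet header field. Since the trailing pair follows the ARP header matches, it was presumably meant to test the sender/target hardware addresses inside the ARP payload, which nft spells `arp saddr ether` and `arp daddr ether`. The expected lines would then read `'arp saddr ether' \` and `'arp daddr ether' \`. As committed, the fixture makes the test assert an accept rule that never fires, so the driver output should be corrected before this data file is pinned. Whether nft accepts `arp` matches alongside `ether type 0x8035` is not shown here and should be confirmed as well.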
diff --git a/tests/nwfilterxml2nftfirewalldata/sctp-ipv6-linux.args b/tests/nwfilterxml2nftfirewalldata/sctp-ipv6-linux.args
new file mode 100755
index 0000000000..0898cdcb82
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/sctp-ipv6-linux.args
@@ -0,0 +1,314 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+sctp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+a:b:c::d:e:f/128 \
+ip6 \
+dscp \
+2 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+sctp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+a:b:c::d:e:f/128 \
+ip6 \
+dscp \
+2 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+sctp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+a:b:c::/128 \
+ip6 \
+dscp \
+33 \
+'sctp dport' \
+100-1111 \
+'sctp sport' \
+20-21 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+sctp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+a:b:c::/128 \
+ip6 \
+dscp \
+33 \
+'sctp sport' \
+100-1111 \
+'sctp dport' \
+20-21 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+sctp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+::ffff:10.1.2.3/128 \
+ip6 \
+dscp \
+63 \
+'sctp dport' \
+65535-65535 \
+'sctp sport' \
+255-256 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+sctp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+::ffff:10.1.2.3/128 \
+ip6 \
+dscp \
+63 \
+'sctp sport' \
+65535-65535 \
+'sctp dport' \
+255-256 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
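Review bot: The reply-direction rules keep `'ether saddr' 01:02:03:04:05:06` unchanged while the IP match is mirrored. The first pair has `ip6 daddr a:b:c::d:e:f/128` in `n-vnet0-out` and `ip6 saddr a:b:c::d:e:f/128` in `n-vnet0-in`, yet both test the same source MAC. Frames travelling in the reverse direction carry that MAC as destination rather than source, so the `ct direction reply` rule would presumably match only when both endpoints share one MAC address. The mirrored rule should use `'ether daddr' \` or omit the MAC match. sctp-linux.args and the `dir out`/`dir in` pairs in target-linux.args show the same pattern.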
diff --git a/tests/nwfilterxml2nftfirewalldata/sctp-linux.args b/tests/nwfilterxml2nftfirewalldata/sctp-linux.args
new file mode 100755
index 0000000000..34bffb804a
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/sctp-linux.args
@@ -0,0 +1,314 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+dscp \
+33 \
+'sctp dport' \
+100-1111 \
+'sctp sport' \
+20-21 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/32 \
+ip \
+dscp \
+33 \
+'sctp sport' \
+100-1111 \
+'sctp dport' \
+20-21 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+dscp \
+63 \
+'sctp dport' \
+65535-65535 \
+'sctp sport' \
+255-256 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+sctp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/32 \
+ip \
+dscp \
+63 \
+'sctp sport' \
+65535-65535 \
+'sctp dport' \
+255-256 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
diff --git a/tests/nwfilterxml2nftfirewalldata/target-linux.args b/tests/nwfilterxml2nftfirewalldata/target-linux.args
new file mode 100755
index 0000000000..d4b0c0f70f
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/target-linux.args
@@ -0,0 +1,452 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500,usercomment=accept rule -- dir out"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500,usercomment=accept rule -- dir out"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+drop \
+comment \
+'"priority=500,usercomment=drop rule -- dir out"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+drop \
+comment \
+'"priority=500,usercomment=reject rule -- dir out"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500,usercomment=accept rule -- dir in"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500,usercomment=accept rule -- dir in"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+drop \
+comment \
+'"priority=500,usercomment=drop rule -- dir in"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+drop \
+comment \
+'"priority=500,usercomment=reject rule -- dir in"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500,usercomment=accept rule -- dir inout"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500,usercomment=accept rule -- dir inout"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+drop \
+comment \
+'"priority=500,usercomment=drop rule -- dir inout"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+drop \
+comment \
+'"priority=500,usercomment=reject rule -- dir inout"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+'ether type' \
+0x806 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+'ether type' \
+0x806 \
+drop \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+'ether type' \
+0x806 \
+drop \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-in \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+'ether type' \
+0x800 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-in \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+'ether type' \
+0x800 \
+drop \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-in \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+'ether type' \
+0x800 \
+drop \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
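Review bot: The rules commented `drop rule -- dir inout` and `reject rule -- dir inout` are emitted only into `n-vnet0-in`, while the `accept rule -- dir inout` just above them is emitted into both `n-vnet0-in` and `n-vnet0-out`. If the source rules are bidirectional, as their comments suggest, traffic entering the bridge from the guest (`prerouting iif vnet0`) is not covered by the drop, and the fixture would pin that gap as expected behaviour. The expected output should carry the same two commands for `n-vnet0-out`, as target2-linux.args does for its `drop` rules. Separately, every `reject rule` here is rendered as `drop`, which changes what the peer observes; if that downgrade is intentional it deserves a sentence in the commit message or the driver documentation.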
diff --git a/tests/nwfilterxml2nftfirewalldata/target2-linux.args b/tests/nwfilterxml2nftfirewalldata/target2-linux.args
new file mode 100755
index 0000000000..33fb4351ca
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/target2-linux.args
@@ -0,0 +1,316 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+'tcp dport' \
+22 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+'tcp sport' \
+22 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+'tcp sport' \
+22 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+'tcp dport' \
+22 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+'tcp dport' \
+80 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+'tcp sport' \
+80 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+drop \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+drop \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+drop \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+drop \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
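Review bot: The tail of this expected output dispatches the interface to its chain twice, once with `add rule ... postrouting oif vnet0 jump n-vnet0-in` and once with `add element ... vmap-oif { vnet0 : jump n-vnet0-in }` (likewise for `prerouting` / `vmap-iif`). Only the map elements get a `delete` before the `add`. If the base chains already look the interface up in the vmap (not visible in this hunk), the per-interface jump rule is redundant, and since it is only ever added, a repeated instantiation would presumably append another copy unless teardown elsewhere removes it. I would keep one of the two mechanisms, or document in the test source why both are expected. The same tail is repeated in the other `.args` files of this commit.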
diff --git a/tests/nwfilterxml2nftfirewalldata/tcp-ipv6-linux.args b/tests/nwfilterxml2nftfirewalldata/tcp-ipv6-linux.args
new file mode 100755
index 0000000000..47dbed5a14
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/tcp-ipv6-linux.args
@@ -0,0 +1,314 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+tcp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+a:b:c::d:e:f/128 \
+ip6 \
+dscp \
+2 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+tcp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+a:b:c::d:e:f/128 \
+ip6 \
+dscp \
+2 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+tcp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+a:b:c::/128 \
+ip6 \
+dscp \
+33 \
+'tcp dport' \
+100-1111 \
+'tcp sport' \
+20-21 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+tcp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+a:b:c::/128 \
+ip6 \
+dscp \
+33 \
+'tcp sport' \
+100-1111 \
+'tcp dport' \
+20-21 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+tcp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+::ffff:10.1.2.3/128 \
+ip6 \
+dscp \
+63 \
+'tcp dport' \
+65535-65535 \
+'tcp sport' \
+255-256 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+tcp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+::ffff:10.1.2.3/128 \
+ip6 \
+dscp \
+63 \
+'tcp sport' \
+65535-65535 \
+'tcp dport' \
+255-256 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
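Review bot: The reply-direction rules swap the IP address side but keep the MAC match on the source side. The first rule in `n-vnet0-out` matches `'ether saddr' 01:02:03:04:05:06` with `ip6 daddr a:b:c::d:e:f/128`, and its `ct direction reply` counterpart in `n-vnet0-in` uses `ip6 saddr` but still `'ether saddr' 01:02:03:04:05:06`. A reply frame would normally carry that MAC as its destination, so the reply rule looks like it can only match when both peers share the same source MAC. The vlan fixture in this same commit does swap `ether saddr`/`daddr` between its in and out rules. I would either emit `'ether daddr' \` on the mirrored rule or drop the MAC match there. The same pattern appears in `tcp-linux.args`, `udp-ipv6-linux.args`, `udp-linux.args`, `udplite-ipv6-linux.args` and `udplite-linux.args`.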
diff --git a/tests/nwfilterxml2nftfirewalldata/tcp-linux.args b/tests/nwfilterxml2nftfirewalldata/tcp-linux.args
new file mode 100755
index 0000000000..6ccc0fd7dc
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/tcp-linux.args
@@ -0,0 +1,468 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+dscp \
+33 \
+'tcp dport' \
+100-1111 \
+'tcp sport' \
+20-21 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+dscp \
+63 \
+'tcp dport' \
+65535-65535 \
+'tcp sport' \
+255-256 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+tcp \
+flags \
+'&' \
+syn \
+== \
+'{' \
+'*' \
+'}' \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+tcp \
+flags \
+'&' \
+syn \
+== \
+'{' \
+'*' \
+'}' \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+tcp \
+flags \
+'&' \
+syn \
+== \
+'{' \
+syn,ack \
+'}' \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+tcp \
+flags \
+'&' \
+syn \
+== \
+'{' \
+syn,ack \
+'}' \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+tcp \
+flags \
+'&' \
+rst \
+== \
+'{' \
+0 \
+'}' \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+tcp \
+flags \
+'&' \
+rst \
+== \
+'{' \
+0 \
+'}' \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+tcp \
+flags \
+'&' \
+psh \
+== \
+'{' \
+0 \
+'}' \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+tcp \
+tcp \
+flags \
+'&' \
+psh \
+== \
+'{' \
+0 \
+'}' \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
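Review bot: The expected TCP flag matches `tcp flags & syn == { * }` and `tcp flags & syn == { syn,ack }` do not look like they express a mask/compare pair. Inside braces nft separates alternative set elements with commas, so `{ syn,ack }` reads as "syn or ack" rather than "both bits set". `*` is not a flag name, so at best it acts as a catch-all. These strings are presumably captured through the dry-run command hook, so nft never parses them in this test and a syntax or semantics problem would go unnoticed. I would emit the compare value as a bitmask expression, e.g. `tcp flags & syn == syn|ack`, and spell out the full flag list for the "all" case. The `{ 0 }` form used for the `rst` and `psh` rules could then become a plain `== 0`.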
diff --git a/tests/nwfilterxml2nftfirewalldata/udp-ipv6-linux.args b/tests/nwfilterxml2nftfirewalldata/udp-ipv6-linux.args
new file mode 100755
index 0000000000..7bb8813ed8
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/udp-ipv6-linux.args
@@ -0,0 +1,314 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+udp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+a:b:c::d:e:f/128 \
+ip6 \
+dscp \
+2 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+udp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+a:b:c::d:e:f/128 \
+ip6 \
+dscp \
+2 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+udp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+::a:b:c/128 \
+ip6 \
+dscp \
+33 \
+'udp dport' \
+100-1111 \
+'udp sport' \
+20-21 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+udp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+::a:b:c/128 \
+ip6 \
+dscp \
+33 \
+'udp sport' \
+100-1111 \
+'udp dport' \
+20-21 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+udp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+::ffff:10.1.2.3/128 \
+ip6 \
+dscp \
+63 \
+'udp dport' \
+65535-65535 \
+'udp sport' \
+255-256 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+udp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+::ffff:10.1.2.3/128 \
+ip6 \
+dscp \
+63 \
+'udp sport' \
+65535-65535 \
+'udp dport' \
+255-256 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
diff --git a/tests/nwfilterxml2nftfirewalldata/udp-linux.args b/tests/nwfilterxml2nftfirewalldata/udp-linux.args
new file mode 100755
index 0000000000..bff4d8ad97
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/udp-linux.args
@@ -0,0 +1,314 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+dscp \
+33 \
+'udp dport' \
+100-1111 \
+'udp sport' \
+20-21 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/32 \
+ip \
+dscp \
+33 \
+'udp sport' \
+100-1111 \
+'udp dport' \
+20-21 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+dscp \
+63 \
+'udp dport' \
+65535-65535 \
+'udp sport' \
+255-256 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udp \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/32 \
+ip \
+dscp \
+63 \
+'udp sport' \
+65535-65535 \
+'udp dport' \
+255-256 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
diff --git a/tests/nwfilterxml2nftfirewalldata/udplite-ipv6-linux.args b/tests/nwfilterxml2nftfirewalldata/udplite-ipv6-linux.args
new file mode 100755
index 0000000000..354cf9e251
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/udplite-ipv6-linux.args
@@ -0,0 +1,304 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+udplite \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+f:e:d::c:b:a/127 \
+ip6 \
+daddr \
+a:b:c::d:e:f/128 \
+ip6 \
+dscp \
+2 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+udplite \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+f:e:d::c:b:a/127 \
+ip6 \
+saddr \
+a:b:c::d:e:f/128 \
+ip6 \
+dscp \
+2 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+udplite \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+a:b:c::/128 \
+ip6 \
+dscp \
+33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+udplite \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+a:b:c::/128 \
+ip6 \
+dscp \
+33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+udplite \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+saddr \
+::ffff:10.1.2.3/128 \
+ip6 \
+dscp \
+33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip6 \
+meta \
+l4proto \
+udplite \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip6 \
+daddr \
+::ffff:10.1.2.3/128 \
+ip6 \
+dscp \
+33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
diff --git a/tests/nwfilterxml2nftfirewalldata/udplite-linux.args b/tests/nwfilterxml2nftfirewalldata/udplite-linux.args
new file mode 100755
index 0000000000..97e06609aa
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/udplite-linux.args
@@ -0,0 +1,298 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udplite \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udplite \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/32 \
+ip \
+dscp \
+2 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udplite \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udplite \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-in \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udplite \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+saddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+original \
+ct \
+state \
+new,established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+n-vnet0-out \
+ether \
+type \
+ip \
+meta \
+l4proto \
+udplite \
+'ether saddr' \
+01:02:03:04:05:06 \
+ip \
+daddr \
+10.1.2.3/22 \
+ip \
+dscp \
+33 \
+ct \
+direction \
+reply \
+ct \
+state \
+established \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
diff --git a/tests/nwfilterxml2nftfirewalldata/vlan-linux.args b/tests/nwfilterxml2nftfirewalldata/vlan-linux.args
new file mode 100755
index 0000000000..8075637e4c
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalldata/vlan-linux.args
@@ -0,0 +1,264 @@
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-in \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+ether \
+type \
+0x8100 \
+'vlan id' \
+291 \
+continue \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+ether \
+type \
+0x8100 \
+'vlan id' \
+291 \
+continue \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-in \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+ether \
+type \
+0x8100 \
+'vlan id' \
+1234 \
+return \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+ether \
+type \
+0x8100 \
+'vlan id' \
+1234 \
+return \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-in \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+ether \
+type \
+0x8100 \
+'vlan id' \
+291 \
+drop \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+ether \
+type \
+0x8100 \
+'vlan type' \
+2054 \
+drop \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+n-vnet0-out \
+ether \
+saddr \
+'& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06' \
+ether \
+daddr \
+'& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff' \
+ether \
+type \
+0x8100 \
+'vlan type' \
+4660 \
+accept \
+comment \
+'"priority=500"'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+postrouting \
+oif \
+vnet0 \
+jump \
+n-vnet0-in
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-oif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-in \
+'}'
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-other \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+add \
+rule \
+bridge \
+libvirt-nwfilter-ethernet \
+prerouting \
+iif \
+vnet0 \
+jump \
+n-vnet0-out
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-other \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
+nft \
+delete \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+'}'
+nft \
+add \
+element \
+bridge \
+libvirt-nwfilter-ethernet \
+vmap-iif \
+'{' \
+vnet0 \
+: \
+jump \
+n-vnet0-out \
+'}'
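Review bot: The encapsulated protocol is printed in decimal (`'vlan type' 2054`, `'vlan type' 4660`) while the outer match in the same rules is hex (`ether type 0x8100`), which makes the fixture harder to check against the filter XML. Formatting both the same way in the generator, e.g. `'vlan type' 0x0806`, would make the EtherType values recognisable at a glance. The argument splitting is also uneven: `'vlan id'` is a single argv element here, but `ether` / `type` are two.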
diff --git a/tests/nwfilterxml2nftfirewalltest.c b/tests/nwfilterxml2nftfirewalltest.c
new file mode 100644
index 0000000000..b65a346646
--- /dev/null
+++ b/tests/nwfilterxml2nftfirewalltest.c
@@ -0,0 +1,438 @@
+/*
+ * nwfilterxml2nftfirewalltest.c: Test iptables rule generation
+ *
+ * Copyright (C) 2014 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <config.h>
+
+#if defined (__linux__)
+
+# include "testutils.h"
+# include "nwfilter/nwfilter_nftables_driver.h"
+# include "virbuffer.h"
+
+# define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW
+# include "vircommandpriv.h"
+
+# define VIR_FROM_THIS VIR_FROM_NONE
+
+# ifdef __linux__
+# define RULESTYPE "linux"
+# else
+# error "test case not ported to this platform"
+# endif
+
+typedef struct _virNWFilterInst virNWFilterInst;
+struct _virNWFilterInst {
+ virNWFilterDef **filters;
+ size_t nfilters;
+ virNWFilterRuleInst **rules;
+ size_t nrules;
+};
+
+/*
+ * Some sets of rules that will be common to all test files,
+ * so we don't bother including them in the test data files
+ * as that would just bloat them
+ */
+
+static const char *commonRules[] = {
+ "nft \\\nlist \\\ntables\n"
+ "nft \\\nlist \\\nchains\n"
+ "nft \\\nadd \\\ntable \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\n'{ comment \"this table is managed by libvirt\"; }'\n"
+ "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\nvmap-oif \\\n'{ type iface_index: verdict; }'\n"
+ "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\nvmap-iif \\\n'{ type iface_index: verdict; }'\n"
+ "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\npostrouting \\\n'{ type filter hook postrouting priority 0; policy accept; }'\n"
+ "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\nprerouting \\\n'{ type filter hook prerouting priority 0; policy accept; }'\n"
+ "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\npostrouting \\\noif \\\nvmap \\\n@vmap-oif\n"
+ "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\nprerouting \\\niif \\\nvmap \\\n@vmap-iif\n"
+ "nft \\\nadd \\\ntable \\\nbridge \\\nlibvirt-nwfilter-other \\\n'{ comment \"this table is managed by libvirt\"; }'\n"
+ "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt-nwfilter-other \\\nvmap-oif \\\n'{ type iface_index: verdict; }'\n",
+ "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt-nwfilter-other \\\nvmap-iif \\\n'{ type iface_index: verdict; }'\n"
+ "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-other \\\npostrouting \\\n'{ type filter hook postrouting priority 1; policy accept; }'\n"
+ "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-other \\\nprerouting \\\n'{ type filter hook prerouting priority 1; policy accept; }'\n"
+ "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt-nwfilter-other \\\npostrouting \\\noif \\\nvmap \\\n@vmap-oif\n"
+ "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt-nwfilter-other \\\nprerouting \\\niif \\\nvmap \\\n@vmap-iif\n"
+ "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\nn-vnet0-in \\\n'{ }'\n"
+ "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-other \\\nn-vnet0-in \\\n'{ }'\n"
+ "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\nn-vnet0-out \\\n'{ }'\n"
+ "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-other \\\nn-vnet0-out \\\n'{ }'\n",
+};
+
+
+static GHashTable *
+virNWFilterCreateVarsFrom(GHashTable *vars1,
+ GHashTable *vars2)
+{
+ g_autoptr(GHashTable) res = virHashNew(virNWFilterVarValueHashFree);
+
+ if (virNWFilterHashTablePutAll(vars1, res) < 0)
+ return NULL;
+
+ if (virNWFilterHashTablePutAll(vars2, res) < 0)
+ return NULL;
+
+ return g_steal_pointer(&res);
+}
+
+
+static void
+virNWFilterRuleInstFree(virNWFilterRuleInst *inst)
+{
+ if (!inst)
+ return;
+
+ g_clear_pointer(&inst->vars, g_hash_table_unref);
+ g_free(inst);
+}
+
+
+static void
+virNWFilterInstReset(virNWFilterInst *inst)
+{
+ size_t i;
+
+ for (i = 0; i < inst->nfilters; i++)
+ virNWFilterDefFree(inst->filters[i]);
+ VIR_FREE(inst->filters);
+ inst->nfilters = 0;
+
+ for (i = 0; i < inst->nrules; i++)
+ virNWFilterRuleInstFree(inst->rules[i]);
+ VIR_FREE(inst->rules);
+ inst->nrules = 0;
+}
+
+
+static int
+virNWFilterDefToInst(const char *xml,
+ GHashTable *vars,
+ virNWFilterInst *inst);
+
+static int
+virNWFilterRuleDefToRuleInst(virNWFilterDef *def,
+ virNWFilterRuleDef *rule,
+ GHashTable *vars,
+ virNWFilterInst *inst)
+{
+ virNWFilterRuleInst *ruleinst;
+ int ret = -1;
+
+ ruleinst = g_new0(virNWFilterRuleInst, 1);
+
+ ruleinst->chainSuffix = def->chainsuffix;
+ ruleinst->chainPriority = def->chainPriority;
+ ruleinst->def = rule;
+ ruleinst->priority = rule->priority;
+ ruleinst->vars = virHashNew(virNWFilterVarValueHashFree);
+
+ if (virNWFilterHashTablePutAll(vars, ruleinst->vars) < 0)
+ goto cleanup;
+
+ VIR_APPEND_ELEMENT(inst->rules, inst->nrules, ruleinst);
+
+ ret = 0;
+ cleanup:
+ virNWFilterRuleInstFree(ruleinst);
+ return ret;
+}
+
+
+static int
+virNWFilterIncludeDefToRuleInst(virNWFilterIncludeDef *inc,
+ GHashTable *vars,
+ virNWFilterInst *inst)
+{
+ g_autoptr(GHashTable) tmpvars = NULL;
+ int ret = -1;
+ g_autofree char *xml = NULL;
+
+ xml = g_strdup_printf("%s/nwfilterxml2firewalldata/%s.xml", abs_srcdir,
+ inc->filterref);
+
+ /* create a temporary hashmap for depth-first tree traversal */
+ if (!(tmpvars = virNWFilterCreateVarsFrom(inc->params,
+ vars)))
+ goto cleanup;
+
+ if (virNWFilterDefToInst(xml,
+ tmpvars,
+ inst) < 0)
+ goto cleanup;
+
+ ret = 0;
+ cleanup:
+ if (ret < 0)
+ virNWFilterInstReset(inst);
+ return ret;
+}
+
+static int
+virNWFilterDefToInst(const char *xml,
+ GHashTable *vars,
+ virNWFilterInst *inst)
+{
+ size_t i;
+ int ret = -1;
+ virNWFilterDef *def = virNWFilterDefParse(NULL, xml, 0);
+
+ if (!def)
+ return -1;
+
+ VIR_APPEND_ELEMENT_COPY(inst->filters, inst->nfilters, def);
+
+ for (i = 0; i < def->nentries; i++) {
+ if (def->filterEntries[i]->rule) {
+ if (virNWFilterRuleDefToRuleInst(def,
+ def->filterEntries[i]->rule,
+ vars,
+ inst) < 0)
+ goto cleanup;
+ } else if (def->filterEntries[i]->include) {
+ if (virNWFilterIncludeDefToRuleInst(def->filterEntries[i]->include,
+ vars,
+ inst) < 0)
+ goto cleanup;
+ }
+ }
+
+ ret = 0;
+ cleanup:
+ if (ret < 0)
+ virNWFilterInstReset(inst);
+ return ret;
+}
+
+
+static void testRemoveCommonRules(char *rules)
+{
+ size_t i;
+ char *offset = rules;
+
+ for (i = 0; i < G_N_ELEMENTS(commonRules); i++) {
+ char *tmp = strstr(offset, commonRules[i]);
+ size_t len = strlen(commonRules[i]);
+ if (tmp) {
+ memmove(tmp, tmp + len, (strlen(tmp) + 1) - len);
+ offset = tmp;
+ }
+ }
+}
+
+
+static int testSetOneParameter(GHashTable *vars,
+ const char *name,
+ const char *value)
+{
+ virNWFilterVarValue *val;
+
+ if ((val = virHashLookup(vars, name)) == NULL) {
+ val = virNWFilterVarValueCreateSimpleCopyValue(value);
+ if (!val)
+ return -1;
+ if (virHashUpdateEntry(vars, name, val) < 0) {
+ virNWFilterVarValueFree(val);
+ return -1;
+ }
+ } else {
+ if (virNWFilterVarValueAddValueCopy(val, value) < 0)
+ return -1;
+ }
+
+ return 0;
+}
+
+static int testSetDefaultParameters(GHashTable *vars)
+{
+ if (testSetOneParameter(vars, "IPSETNAME", "tck_test") < 0 ||
+ testSetOneParameter(vars, "A", "1.1.1.1") ||
+ testSetOneParameter(vars, "A", "2.2.2.2") ||
+ testSetOneParameter(vars, "A", "3.3.3.3") ||
+ testSetOneParameter(vars, "A", "3.3.3.3") ||
+ testSetOneParameter(vars, "B", "80") ||
+ testSetOneParameter(vars, "B", "90") ||
+ testSetOneParameter(vars, "B", "80") ||
+ testSetOneParameter(vars, "B", "80") ||
+ testSetOneParameter(vars, "C", "1080") ||
+ testSetOneParameter(vars, "C", "1090") ||
+ testSetOneParameter(vars, "C", "1100") ||
+ testSetOneParameter(vars, "C", "1110"))
+ return -1;
+ return 0;
+}
+
+static void
+testCommandDryRunCallback(const char *const*args,
+ const char *const*env G_GNUC_UNUSED,
+ const char *input G_GNUC_UNUSED,
+ char **output,
+ char **error G_GNUC_UNUSED,
+ int *status,
+ void *opaque G_GNUC_UNUSED)
+{
+ if (STRNEQ(args[0], "nft")) {
+ return;
+ }
+
+ /* simulate an empty existing set rules */
+ if (STREQ(args[1], "list") && STREQ(args[2], "tables")) {
+ *output = g_strdup("table nothing\n");
+ *status = EXIT_SUCCESS;
+ } else if (STREQ(args[1], "list") && STREQ(args[2], "chains")) {
+ *output = g_strdup("chain nothing\n");
+ *status = EXIT_SUCCESS;
+ }
+}
+
+static int testCompareXMLToArgvFiles(const char *xml,
+ const char *cmdline)
+{
+ g_autofree char *actualargv = NULL;
+ g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
+ g_autoptr(GHashTable) vars = virHashNew(virNWFilterVarValueHashFree);
+ virNWFilterInst inst = { 0 };
+ int ret = -1;
+ g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
+
+ virCommandSetDryRun(dryRunToken, &buf, true, true, testCommandDryRunCallback, NULL);
+
+ if (testSetDefaultParameters(vars) < 0)
+ goto cleanup;
+
+ if (virNWFilterDefToInst(xml,
+ vars,
+ &inst) < 0)
+ goto cleanup;
+
+ if (nftables_driver.applyNewRules("vnet0", inst.rules, inst.nrules) < 0)
+ goto cleanup;
+
+ actualargv = virBufferContentAndReset(&buf);
+
+ testRemoveCommonRules(actualargv);
+
+ if (virTestCompareToFileFull(actualargv, cmdline, false) < 0)
+ goto cleanup;
+
+ ret = 0;
+
+ cleanup:
+ virNWFilterInstReset(&inst);
+ return ret;
+}
+
+struct testInfo {
+ const char *name;
+};
+
+
+static int
+testCompareXMLToIPTablesHelper(const void *data)
+{
+ int result = -1;
+ const struct testInfo *info = data;
+ g_autofree char *xml = NULL;
+ g_autofree char *override_xml = NULL;
+ g_autofree char *args = NULL;
+
+ override_xml = g_strdup_printf("%s/nwfilterxml2nftfirewalldata/%s.xml",
+ abs_srcdir, info->name);
+
+ if (virFileExists(override_xml)) {
+ xml = g_strdup(override_xml);
+ } else {
+ xml = g_strdup_printf("%s/nwfilterxml2firewalldata/%s.xml",
+ abs_srcdir, info->name);
+ }
+
+ args = g_strdup_printf("%s/nwfilterxml2nftfirewalldata/%s-%s.args",
+ abs_srcdir, info->name, RULESTYPE);
+
+ result = testCompareXMLToArgvFiles(xml, args);
+
+ return result;
+}
+
+
+static int
+mymain(void)
+{
+ int ret = 0;
+
+# define DO_TEST(name) \
+ do { \
+ static struct testInfo info = { \
+ name, \
+ }; \
+ if (virTestRun("NWFilter XML-2-firewall " name, \
+ testCompareXMLToIPTablesHelper, &info) < 0) \
+ ret = -1; \
+ } while (0)
+
+ DO_TEST("ah");
+ DO_TEST("ah-ipv6");
+ DO_TEST("all");
+ DO_TEST("all-ipv6");
+ DO_TEST("arp");
+ DO_TEST("comment");
+ DO_TEST("conntrack");
+ DO_TEST("esp");
+ DO_TEST("esp-ipv6");
+ DO_TEST("example-1");
+ DO_TEST("example-2");
+ DO_TEST("hex-data");
+ DO_TEST("icmp-direction2");
+ DO_TEST("icmp-direction3");
+ DO_TEST("icmp-direction");
+ DO_TEST("icmp");
+ DO_TEST("icmpv6");
+ DO_TEST("igmp");
+ DO_TEST("ip");
+ DO_TEST("ipt-no-macspoof");
+ DO_TEST("ipv6");
+ DO_TEST("iter1");
+ DO_TEST("iter2");
+ DO_TEST("iter3");
+ DO_TEST("mac");
+ DO_TEST("rarp");
+ DO_TEST("sctp");
+ DO_TEST("sctp-ipv6");
+ DO_TEST("target2");
+ DO_TEST("target");
+ DO_TEST("tcp");
+ DO_TEST("tcp-ipv6");
+ DO_TEST("udp");
+ DO_TEST("udp-ipv6");
+ DO_TEST("udplite");
+ DO_TEST("udplite-ipv6");
+ DO_TEST("vlan");
+
+ return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+}
+
+VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virfirewall"))
+
+#else /* ! defined (__linux__) */
+
+int main(void)
+{
+ return EXIT_AM_SKIP;
+}
+
+#endif /* ! defined (__linux__) */
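Review bot: `testRemoveCommonRules` silently skips any `commonRules` block that `strstr` does not find, so this test never asserts that the base tables, the hook chains and the `vmap` dispatch rules are emitted at all. Those commands are what send an interface's traffic into its `n-vnet0-in` / `n-vnet0-out` chains, so a regression that stopped generating them would still compare equal to every `.args` file. I would make the helper return `int`, fail when a block is missing, and check the result in `testCompareXMLToArgvFiles`, as sketched below; this assumes the dry-run callback's "nothing" replies always make the driver emit the full setup sequence. Separately, the comma that ends the `libvirt-nwfilter-other` `vmap-oif` entry in `commonRules` splits the array in the middle of that table's setup sequence and looks unintended; if it is deliberate, a short comment saying why would help.

```c
static int testRemoveCommonRules(char *rules)
{
    /* … unchanged: locals, loop header, strstr/strlen lookups … */
        if (!tmp) {
            VIR_TEST_DEBUG("common rule block %zu not found in generated commands", i);
            return -1;
        }
        memmove(tmp, tmp + len, (strlen(tmp) + 1) - len);
        offset = tmp;
    }
    return 0;
}

/* … in testCompareXMLToArgvFiles, replacing the bare call … */
    if (testRemoveCommonRules(actualargv) < 0)
        goto cleanup;
```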
--
2.43.0