From nobody Fri Dec 12 14:07:31 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass(p=none dis=none) header.from=gmail.com ARC-Seal: i=1; a=rsa-sha256; t=1761912665; cv=none; d=zohomail.com; s=zohoarc; b=cztlbJqeQezMN9WKXxyUM92WGg2qH5n9wu56LIkmFKt3QNdTbp6vUuD9GrUwnz3VLBiisJ7TQ9EO5S0rdozvymmCTdI9HVbtpxYeYuUE+HBK9DzX+Jk8cHy5PyqGWIxBZF5CaKeeXpZSaGVwAYJwlwmmBqYnZZ6Onpd28BmyRbM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1761912665; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To; bh=p9q6xHtQ6x7cBSaJ4wlBfzbxbv4W322uiJv+GjtZHrw=; b=CxPIdKzrMCL6N7/tSUMyNYJeguxsP2W+3ByufrXZPO15zEuEcVrNhYJTRnVRnXZHTi/XNMO2IRPc/GcPjy5AF4lpR1Z36p2ebxRvxYhTn2IwGUltsGH258+WsEVQvy+QSERwuzaIoUE0AREzntZDi9+veHwr/T+bD5XFD8D7wIA= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 176191266507520.821133836478793; Fri, 31 Oct 2025 05:11:05 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 993) id 5FFC043F2D; Fri, 31 Oct 2025 08:11:04 -0400 (EDT) Received: from [172.19.199.29] (lists.libvirt.org [8.43.85.245]) by lists.libvirt.org (Postfix) with ESMTP id EDF5744013; Fri, 31 Oct 2025 08:08:07 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 993) id 4F96843E56; Fri, 31 Oct 2025 08:07:52 -0400 (EDT) Received: from mail-ej1-f51.google.com (mail-ej1-f51.google.com [209.85.218.51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 62F9041A3C for ; Fri, 31 Oct 2025 08:07:49 -0400 (EDT) Received: by mail-ej1-f51.google.com with SMTP id a640c23a62f3a-b6d53684cfdso459968466b.0 for ; Fri, 31 Oct 2025 05:07:49 -0700 (PDT) Received: from thinkiepadje.home (2a02-a470-a384-0-62ef-bf5-dc71-bd78.fixed6.kpn.net. [2a02:a470:a384:0:62ef:bf5:dc71:bd78]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-b70779ddf48sm158255866b.32.2025.10.31.05.07.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 31 Oct 2025 05:07:47 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED, RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable autolearn_force=no version=4.0.1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1761912468; x=1762517268; darn=lists.libvirt.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=p9q6xHtQ6x7cBSaJ4wlBfzbxbv4W322uiJv+GjtZHrw=; b=aH1VYHiERk2g+Tk23WB9HcGReuNMyFYUGd4FrymjGCM3T5fFYoom0uxI+wP0Ln17m+ mpz0AvWIgsa5UakFtax8T8KYnxLjZkIexImMMiqshyV51iN9ylcxrLJiPNosyQPEBXVZ LUJb6HjesuJG4UFQ0JqfcIuR2u81KuFM2oZmtIkht9Gd9Yyv0nlzz9XGsbd8b/2h4hj8 VA6UxM7funPrGyOWAWoeMJDMrazKBSu1jE8Ostm2neuruutP3av6QgxJ8lxuxM9xsWte L175LDbbBLZkcpYX1h4rdxfqoDxfFtZbCx1m6eIs+92Cs2pOTHdVVgYuExVru4VnBRtC xq/g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1761912468; x=1762517268; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=p9q6xHtQ6x7cBSaJ4wlBfzbxbv4W322uiJv+GjtZHrw=; b=QXW9Nh/F+U0npw+Llw4qy+O71lJYpchRB5fugPKhp4FC/SSmF1ipBeNDM0eJeRxLjz sjjvdeJwrLsKX/piSxYzqCyp3NrG60lxxuz8RZyUEqim0H9vrgNp35I5GDvNeqrdmlX2 0xK1YF/dG4Sb9OEmnRw7stCTUPueeJ882weIavl8BAsFMWFohUe3sTS3nFiQ4VZNUtee 4azCigPHc6EkvoCKUl6S20kW8v5Mp8D0Clovpn9TivjUxC6/q4Ex58PFN8aU7cpVIAPx imEujaUnL8zbf1tZvMXbqJJyQ9ZH141BNEvDDr+VySUb5OIDBxshDfLr6k4Nx/EOrhX3 MBSg== X-Gm-Message-State: AOJu0Yx6GtVu/c5WrIx8e6XjIxa1s8ymhWMK1RjKNCpOIr3wLADK3ikd 8OPiNJCMIACVgIPxVUoo0wWHT1i+c64M7SCHfmNgdtEkhkUpq9cIbD2xNiJNpQ3F1w== X-Gm-Gg: ASbGncvhsOIpCttM3yD7auU7pPw7bWMStZkbKs9LkMGo8UWr9o1lu81doLvFJ+xpmMJ IZna1PqGWVo0i0jE01Y+jrGqrPjsl6/dzppR7HiQ1MEWnUy1E+P+vsD/A1jIHZ5kuLPwt+n4KRs Bj0drAhwe9JmFKjIg5ZRKH267w0cw3ZEKKmvxojo69ZNTjjmu2E3i83em6ESOd8IKg9jbCfDRRj mKxZCBRxmaRbuU2xCBoWthFR+64NVUcPMFcDLHVzI3kmIg/K/wQ7vOrEJ6FgPME5RDkbslqSH9z cevnbaWVPa17CMo2QzcpNW3dP/ibEPskXYn4yxFtXUafcyLk3Z4CwpM8EbMPqShetiJDJfDdwwa 8LzDncF1Tpzy14TkzbMzv9h4ZJAJmelgdTKbdVOql2nuoJBVhDysGCewarxfAMgUL1/q0hJBLJN oXZssD+laB03hx9V2oOJaBZMGicc4Gb/ly8QFoxESB1F2AaxGiWYi37QMIAjWB9cnvhHXx1pE= X-Google-Smtp-Source: AGHT+IFPk19oZP0oHYSgebN4cLA7XyiN/2JBxEdlN1lmW7HPhR19APWWc390f90QbmoggVl/mC2f8Q== X-Received: by 2002:a17:907:868b:b0:b6e:2935:9285 with SMTP id a640c23a62f3a-b7070870cdemr312624266b.59.1761912467714; Fri, 31 Oct 2025 05:07:47 -0700 (PDT) From: Dion Bosschieter To: devel@lists.libvirt.org Subject: [PATCH 1/5] nwfilter: rename ebiptables unit tests and data files Date: Fri, 31 Oct 2025 13:05:41 +0100 Message-ID: <20251031120546.942126-2-dionbosschieter@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251031120546.942126-1-dionbosschieter@gmail.com> References: <20251031120546.942126-1-dionbosschieter@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Message-ID-Hash: FTIVOXNWUWQYO6OXAPEG5WM774K2IRBN X-Message-ID-Hash: FTIVOXNWUWQYO6OXAPEG5WM774K2IRBN X-MailFrom: dionbosschieter@gmail.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; header-match-devel.lists.libvirt.org-0; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: jean-louis@dupond.be, Dion Bosschieter X-Mailman-Version: 3.3.10 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: pass (identity @gmail.com) X-ZM-MESSAGEID: 1761912668796154100 Content-Type: text/plain; charset="utf-8" Prepare for introduction of nwfilter nftables driver test files. Create new nwfilterxml2ebipfirewalldata directory for nwfilter ebiptables driver specific test files. This way we split off the xml test data from the argument test files, which are driver specific. Signed-off-by: Dion Bosschieter --- tests/meson.build | 2 +- .../ah-ipv6-linux.args | 0 .../ah-linux.args | 0 .../all-ipv6-linux.args | 0 .../all-linux.args | 0 .../arp-linux.args | 0 .../comment-linux.args | 0 .../conntrack-linux.args | 0 .../esp-ipv6-linux.args | 0 .../esp-linux.args | 0 .../example-1-linux.args | 0 .../example-2-linux.args | 0 .../hex-data-linux.args | 0 .../icmp-direction-linux.args | 0 .../icmp-direction2-linux.args | 0 .../icmp-direction3-linux.args | 0 .../icmp-linux.args | 0 .../icmpv6-linux.args | 0 .../igmp-linux.args | 0 .../ip-linux.args | 0 .../ipset-linux.args | 0 .../ipt-no-macspoof-linux.args | 0 .../ipv6-linux.args | 0 .../iter1-linux.args | 0 .../iter2-linux.args | 0 .../iter3-linux.args | 0 .../mac-linux.args | 0 .../rarp-linux.args | 0 .../sctp-ipv6-linux.args | 0 .../sctp-linux.args | 0 .../stp-linux.args | 0 .../target-linux.args | 0 .../target2-linux.args | 0 .../tcp-ipv6-linux.args | 0 .../tcp-linux.args | 0 .../udp-ipv6-linux.args | 0 .../udp-linux.args | 0 .../udplite-ipv6-linux.args | 0 .../udplite-linux.args | 0 .../vlan-linux.args | 0 ...ilterxml2firewalltest.c =3D> nwfilterxml2ebipfirewalltest.c} | 4 ++-- 41 files changed, 3 insertions(+), 3 deletions(-) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= ah-ipv6-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= ah-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= all-ipv6-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= all-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= arp-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= comment-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= conntrack-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= esp-ipv6-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= esp-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= example-1-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= example-2-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= hex-data-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= icmp-direction-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= icmp-direction2-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= icmp-direction3-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= icmp-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= icmpv6-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= igmp-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= ip-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= ipset-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= ipt-no-macspoof-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= ipv6-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= iter1-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= iter2-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= iter3-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= mac-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= rarp-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= sctp-ipv6-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= sctp-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= stp-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= target-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= target2-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= tcp-ipv6-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= tcp-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= udp-ipv6-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= udp-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= udplite-ipv6-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= udplite-linux.args (100%) rename tests/{nwfilterxml2firewalldata =3D> nwfilterxml2ebipfirewalldata}/= vlan-linux.args (100%) rename tests/{nwfilterxml2firewalltest.c =3D> nwfilterxml2ebipfirewalltest= .c} (99%) diff --git a/tests/meson.build b/tests/meson.build index 0d76d37959..383a38a6ea 100644 --- a/tests/meson.build +++ b/tests/meson.build @@ -436,7 +436,7 @@ endif if conf.has('WITH_NWFILTER') tests +=3D [ { 'name': 'nwfilterebiptablestest', 'link_with': [ nwfilter_driver_imp= l ] }, - { 'name': 'nwfilterxml2firewalltest', 'link_with': [ nwfilter_driver_i= mpl ] }, + { 'name': 'nwfilterxml2ebipfirewalltest', 'link_with': [ nwfilter_driv= er_impl ] }, ] endif =20 diff --git a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args b/tests/nwfi= lterxml2ebipfirewalldata/ah-ipv6-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/ah-ipv6-linux.args rename to tests/nwfilterxml2ebipfirewalldata/ah-ipv6-linux.args diff --git a/tests/nwfilterxml2firewalldata/ah-linux.args b/tests/nwfilterx= ml2ebipfirewalldata/ah-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/ah-linux.args rename to tests/nwfilterxml2ebipfirewalldata/ah-linux.args diff --git a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args b/tests/nwf= ilterxml2ebipfirewalldata/all-ipv6-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/all-ipv6-linux.args rename to tests/nwfilterxml2ebipfirewalldata/all-ipv6-linux.args diff --git a/tests/nwfilterxml2firewalldata/all-linux.args b/tests/nwfilter= xml2ebipfirewalldata/all-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/all-linux.args rename to tests/nwfilterxml2ebipfirewalldata/all-linux.args diff --git a/tests/nwfilterxml2firewalldata/arp-linux.args b/tests/nwfilter= xml2ebipfirewalldata/arp-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/arp-linux.args rename to tests/nwfilterxml2ebipfirewalldata/arp-linux.args diff --git a/tests/nwfilterxml2firewalldata/comment-linux.args b/tests/nwfi= lterxml2ebipfirewalldata/comment-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/comment-linux.args rename to tests/nwfilterxml2ebipfirewalldata/comment-linux.args diff --git a/tests/nwfilterxml2firewalldata/conntrack-linux.args b/tests/nw= filterxml2ebipfirewalldata/conntrack-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/conntrack-linux.args rename to tests/nwfilterxml2ebipfirewalldata/conntrack-linux.args diff --git a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args b/tests/nwf= ilterxml2ebipfirewalldata/esp-ipv6-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/esp-ipv6-linux.args rename to tests/nwfilterxml2ebipfirewalldata/esp-ipv6-linux.args diff --git a/tests/nwfilterxml2firewalldata/esp-linux.args b/tests/nwfilter= xml2ebipfirewalldata/esp-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/esp-linux.args rename to tests/nwfilterxml2ebipfirewalldata/esp-linux.args diff --git a/tests/nwfilterxml2firewalldata/example-1-linux.args b/tests/nw= filterxml2ebipfirewalldata/example-1-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/example-1-linux.args rename to tests/nwfilterxml2ebipfirewalldata/example-1-linux.args diff --git a/tests/nwfilterxml2firewalldata/example-2-linux.args b/tests/nw= filterxml2ebipfirewalldata/example-2-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/example-2-linux.args rename to tests/nwfilterxml2ebipfirewalldata/example-2-linux.args diff --git a/tests/nwfilterxml2firewalldata/hex-data-linux.args b/tests/nwf= ilterxml2ebipfirewalldata/hex-data-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/hex-data-linux.args rename to tests/nwfilterxml2ebipfirewalldata/hex-data-linux.args diff --git a/tests/nwfilterxml2firewalldata/icmp-direction-linux.args b/tes= ts/nwfilterxml2ebipfirewalldata/icmp-direction-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/icmp-direction-linux.args rename to tests/nwfilterxml2ebipfirewalldata/icmp-direction-linux.args diff --git a/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args b/te= sts/nwfilterxml2ebipfirewalldata/icmp-direction2-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/icmp-direction2-linux.args rename to tests/nwfilterxml2ebipfirewalldata/icmp-direction2-linux.args diff --git a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args b/te= sts/nwfilterxml2ebipfirewalldata/icmp-direction3-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/icmp-direction3-linux.args rename to tests/nwfilterxml2ebipfirewalldata/icmp-direction3-linux.args diff --git a/tests/nwfilterxml2firewalldata/icmp-linux.args b/tests/nwfilte= rxml2ebipfirewalldata/icmp-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/icmp-linux.args rename to tests/nwfilterxml2ebipfirewalldata/icmp-linux.args diff --git a/tests/nwfilterxml2firewalldata/icmpv6-linux.args b/tests/nwfil= terxml2ebipfirewalldata/icmpv6-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/icmpv6-linux.args rename to tests/nwfilterxml2ebipfirewalldata/icmpv6-linux.args diff --git a/tests/nwfilterxml2firewalldata/igmp-linux.args b/tests/nwfilte= rxml2ebipfirewalldata/igmp-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/igmp-linux.args rename to tests/nwfilterxml2ebipfirewalldata/igmp-linux.args diff --git a/tests/nwfilterxml2firewalldata/ip-linux.args b/tests/nwfilterx= ml2ebipfirewalldata/ip-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/ip-linux.args rename to tests/nwfilterxml2ebipfirewalldata/ip-linux.args diff --git a/tests/nwfilterxml2firewalldata/ipset-linux.args b/tests/nwfilt= erxml2ebipfirewalldata/ipset-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/ipset-linux.args rename to tests/nwfilterxml2ebipfirewalldata/ipset-linux.args diff --git a/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args b/te= sts/nwfilterxml2ebipfirewalldata/ipt-no-macspoof-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args rename to tests/nwfilterxml2ebipfirewalldata/ipt-no-macspoof-linux.args diff --git a/tests/nwfilterxml2firewalldata/ipv6-linux.args b/tests/nwfilte= rxml2ebipfirewalldata/ipv6-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/ipv6-linux.args rename to tests/nwfilterxml2ebipfirewalldata/ipv6-linux.args diff --git a/tests/nwfilterxml2firewalldata/iter1-linux.args b/tests/nwfilt= erxml2ebipfirewalldata/iter1-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/iter1-linux.args rename to tests/nwfilterxml2ebipfirewalldata/iter1-linux.args diff --git a/tests/nwfilterxml2firewalldata/iter2-linux.args b/tests/nwfilt= erxml2ebipfirewalldata/iter2-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/iter2-linux.args rename to tests/nwfilterxml2ebipfirewalldata/iter2-linux.args diff --git a/tests/nwfilterxml2firewalldata/iter3-linux.args b/tests/nwfilt= erxml2ebipfirewalldata/iter3-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/iter3-linux.args rename to tests/nwfilterxml2ebipfirewalldata/iter3-linux.args diff --git a/tests/nwfilterxml2firewalldata/mac-linux.args b/tests/nwfilter= xml2ebipfirewalldata/mac-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/mac-linux.args rename to tests/nwfilterxml2ebipfirewalldata/mac-linux.args diff --git a/tests/nwfilterxml2firewalldata/rarp-linux.args b/tests/nwfilte= rxml2ebipfirewalldata/rarp-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/rarp-linux.args rename to tests/nwfilterxml2ebipfirewalldata/rarp-linux.args diff --git a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args b/tests/nw= filterxml2ebipfirewalldata/sctp-ipv6-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args rename to tests/nwfilterxml2ebipfirewalldata/sctp-ipv6-linux.args diff --git a/tests/nwfilterxml2firewalldata/sctp-linux.args b/tests/nwfilte= rxml2ebipfirewalldata/sctp-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/sctp-linux.args rename to tests/nwfilterxml2ebipfirewalldata/sctp-linux.args diff --git a/tests/nwfilterxml2firewalldata/stp-linux.args b/tests/nwfilter= xml2ebipfirewalldata/stp-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/stp-linux.args rename to tests/nwfilterxml2ebipfirewalldata/stp-linux.args diff --git a/tests/nwfilterxml2firewalldata/target-linux.args b/tests/nwfil= terxml2ebipfirewalldata/target-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/target-linux.args rename to tests/nwfilterxml2ebipfirewalldata/target-linux.args diff --git a/tests/nwfilterxml2firewalldata/target2-linux.args b/tests/nwfi= lterxml2ebipfirewalldata/target2-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/target2-linux.args rename to tests/nwfilterxml2ebipfirewalldata/target2-linux.args diff --git a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args b/tests/nwf= ilterxml2ebipfirewalldata/tcp-ipv6-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args rename to tests/nwfilterxml2ebipfirewalldata/tcp-ipv6-linux.args diff --git a/tests/nwfilterxml2firewalldata/tcp-linux.args b/tests/nwfilter= xml2ebipfirewalldata/tcp-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/tcp-linux.args rename to tests/nwfilterxml2ebipfirewalldata/tcp-linux.args diff --git a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args b/tests/nwf= ilterxml2ebipfirewalldata/udp-ipv6-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/udp-ipv6-linux.args rename to tests/nwfilterxml2ebipfirewalldata/udp-ipv6-linux.args diff --git a/tests/nwfilterxml2firewalldata/udp-linux.args b/tests/nwfilter= xml2ebipfirewalldata/udp-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/udp-linux.args rename to tests/nwfilterxml2ebipfirewalldata/udp-linux.args diff --git a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args b/tests= /nwfilterxml2ebipfirewalldata/udplite-ipv6-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args rename to tests/nwfilterxml2ebipfirewalldata/udplite-ipv6-linux.args diff --git a/tests/nwfilterxml2firewalldata/udplite-linux.args b/tests/nwfi= lterxml2ebipfirewalldata/udplite-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/udplite-linux.args rename to tests/nwfilterxml2ebipfirewalldata/udplite-linux.args diff --git a/tests/nwfilterxml2firewalldata/vlan-linux.args b/tests/nwfilte= rxml2ebipfirewalldata/vlan-linux.args similarity index 100% rename from tests/nwfilterxml2firewalldata/vlan-linux.args rename to tests/nwfilterxml2ebipfirewalldata/vlan-linux.args diff --git a/tests/nwfilterxml2firewalltest.c b/tests/nwfilterxml2ebipfirew= alltest.c similarity index 99% rename from tests/nwfilterxml2firewalltest.c rename to tests/nwfilterxml2ebipfirewalltest.c index 88ba15677d..2cb100cca7 100644 --- a/tests/nwfilterxml2firewalltest.c +++ b/tests/nwfilterxml2ebipfirewalltest.c @@ -1,5 +1,5 @@ /* - * nwfilterxml2firewalltest.c: Test iptables rule generation + * nwfilterxml2ebipfirewalltest.c: Test iptables rule generation * * Copyright (C) 2014 Red Hat, Inc. * @@ -418,7 +418,7 @@ testCompareXMLToIPTablesHelper(const void *data) =20 xml =3D g_strdup_printf("%s/nwfilterxml2firewalldata/%s.xml", abs_srcdir, info->name); - args =3D g_strdup_printf("%s/nwfilterxml2firewalldata/%s-%s.args", + args =3D g_strdup_printf("%s/nwfilterxml2ebipfirewalldata/%s-%s.args", abs_srcdir, info->name, RULESTYPE); =20 result =3D testCompareXMLToArgvFiles(xml, args); --=20 2.43.0 From nobody Fri Dec 12 14:07:31 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass(p=none dis=none) header.from=gmail.com ARC-Seal: i=1; a=rsa-sha256; t=1761913010; cv=none; d=zohomail.com; s=zohoarc; b=CRBM7kMYAzqEN9kC9yGawxmC2y/iPBhbzBSzCGFcfbwNJv5UJApSVvfs8O7IlAqE3qSpIpNM5MgWRd9Y7xbcu0HxG586QT1gd3hqavgwtWyXBycq651Vd6nph6iPOqI/VQMj50OqpWDvsJzmZtv5M7czO7ckuOQ3lGrgV59mPjw= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1761913010; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To; bh=8bM8zGi2RKInlhnzbjb54ZRYMrjkVtDAtBs1mLAj920=; b=TKNcD9FvO/07p1CuW9JvSpj8H5N+rq7CnZQdoLWhPlYMZ9/tCB1TK1lc26lHR7SYEJjLzCXO1BY4oMfyFUnZ3GVPix09aYjqfkE++/qwMwMTuVtb5Di8s1+lmJac4FsKnTV6YGHqkEXu8GMDD3X3PaPKUhIdjAIRhW49S/Q+bhA= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1761913010096338.0897722661829; Fri, 31 Oct 2025 05:16:50 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 993) id 530A443F3D; Fri, 31 Oct 2025 08:16:49 -0400 (EDT) Received: from [172.19.199.29] (lists.libvirt.org [8.43.85.245]) by lists.libvirt.org (Postfix) with ESMTP id 8D8D2440BE; Fri, 31 Oct 2025 08:08:21 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 993) id 8D55841BAE; Fri, 31 Oct 2025 08:07:53 -0400 (EDT) Received: from mail-ej1-f41.google.com (mail-ej1-f41.google.com [209.85.218.41]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id D088243E51 for ; Fri, 31 Oct 2025 08:07:49 -0400 (EDT) Received: by mail-ej1-f41.google.com with SMTP id a640c23a62f3a-b3b27b50090so375054966b.0 for ; Fri, 31 Oct 2025 05:07:49 -0700 (PDT) Received: from thinkiepadje.home (2a02-a470-a384-0-62ef-bf5-dc71-bd78.fixed6.kpn.net. [2a02:a470:a384:0:62ef:bf5:dc71:bd78]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-b70779ddf48sm158255866b.32.2025.10.31.05.07.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 31 Oct 2025 05:07:47 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED, RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable autolearn_force=no version=4.0.1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1761912468; x=1762517268; darn=lists.libvirt.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=8bM8zGi2RKInlhnzbjb54ZRYMrjkVtDAtBs1mLAj920=; b=A4Qit7OimO26T2KLHnPp82sLsMP4ue0lGdoJbUG4YyFUjS5gbMud9tK30WrRwPOM+o vPQ5l4myq0ZukZaFnbsc2YBuxWXzl8FhEQgCUSqZKFMMj2lah3cJl0htrsHIR72n1Uaq AZFJQeHFAZotamtMAcl/kKE4xPIc/uRDbGEIEs7ANRxibuuIwx3yBXWvV5lA7w4qrIcB AJVQo0u2XVdkaxCfhOM3gRRMbTThFr4pteufBv66d8MFM/rdyqXWspsCJdC/LVN8SLlU AVQX4Sl6ZV7Q3vrw42ZYp79yWt1Rxyzu5AjVakl4GQA9HkdO+/nkToA+gLxLG3zuQisv Zr4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1761912468; x=1762517268; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=8bM8zGi2RKInlhnzbjb54ZRYMrjkVtDAtBs1mLAj920=; b=RHdWriN/LG9SDiO3E1fHi9IScN2FB+N4xmVRqrolQ/hARpV32yHCabVb8A8DN3EDtG EzV0B3Hu9Sgs1zgOkuIJ1gmDALRBwiumMl+2h6dw1i305RLZ7eu1OuFop8Egucv82083 WyqqKlBijjLjzJxixy0KRO3NZeKCibtjVylo7HgdzjF9K4bMMCLItQkJec49YoNq7IjK WZ58wTyw8VqfYwVNE9SJc7ZCYNenLDiYj5+WZO/L7hTSNm20HiJpO1WJffb2APWk9+pw ts2uf+vQWwdUiQswxbBDE2efQWv8UoaNMa3g5FDtwCvO7/slLoZ0YDEE1k7SMXzRbw6H Qcew== X-Gm-Message-State: AOJu0YzjCVy8JM9vKnlKcjlrAPz5EPzOrrZ38LCFTYNNdBrCUv2tj33b lu4EglTQ2Oshyk01vUjjqm/NxDC2VTWyGkCkGrpW4qTdzk2UbJ7Y7oEa7ISuko3QKA== X-Gm-Gg: ASbGncsyXrY4/fwkLIcYwiI4PQ3qaMIvlIuMOCHwset477DEf7IQ2ArEu0c4F9A/w4x F5a8flfmMqWgcJUGpRycyEtoJtj52oeDeFSWY3RJvCam8kNsUw6FJh3lGq4S4CE8lu7LMb6X+nG Yo236NYNxCGtfwQ9b1kXpikD2gkH9mrWqVNN7sZ6bbRnUoQQBVetdH622CQfnPZ4BO6Cjy5r1M4 WETeSS3dSz7YPGrflJBUAX3Cjez5ottEguj/85LD9Xu07irLqBuheIbYUY7CZAhX4Yj8hmcFZ/l 88kmb+JyP1jwCk8JeHIiobttr18vmmB9sjzjsmsHQ9gzJNRbo6W25hr7DOWWrLvQJro9DhcoZ6T 5+BkTA4Pgb5zVSvj+seQIJA1YuyQhHWtlKqNt00iaUVtotPiItmdIXxb4MyAVOjzptlPkpry3eE CNsLbZKljihaR5W9lU7JI0pqp10F5BZBX1GvctEgfKG1P4S8IRBJc7qyXM4u9pVtiFrckPteZox q3LqlhWSg== X-Google-Smtp-Source: AGHT+IFs8bb2DdSXJRvalVGfqlYcT/HN7MWBKMwznTTj+JTY72QxoLUTO2xOhu9jiyP3vDxA04IlCg== X-Received: by 2002:a17:906:7313:b0:b6d:692e:9a84 with SMTP id a640c23a62f3a-b70704b2e87mr294484566b.38.1761912468226; Fri, 31 Oct 2025 05:07:48 -0700 (PDT) From: Dion Bosschieter To: devel@lists.libvirt.org Subject: [PATCH 2/5] nwfilter: move shared nwfilter driver functions into nwfilter_tech_driver.c Date: Fri, 31 Oct 2025 13:05:42 +0100 Message-ID: <20251031120546.942126-3-dionbosschieter@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251031120546.942126-1-dionbosschieter@gmail.com> References: <20251031120546.942126-1-dionbosschieter@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Message-ID-Hash: U4VEDMA4PLLUKL5JMVGYIJYT6GUBDAUS X-Message-ID-Hash: U4VEDMA4PLLUKL5JMVGYIJYT6GUBDAUS X-MailFrom: dionbosschieter@gmail.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; header-match-devel.lists.libvirt.org-0; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: jean-louis@dupond.be, Dion Bosschieter X-Mailman-Version: 3.3.10 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: pass (identity @gmail.com) X-ZM-MESSAGEID: 1761913012143154100 Content-Type: text/plain; charset="utf-8" Introduce nwfilter_tech_driver.c which holds shared non driver specific methods. The following logic can be reused by new nwfilter drivers, which are not ebiptables specific: - data type print logic, used for constructing ascii cli arguments out of nwfilter data; - chain jump proto type l3_proto_idx logic; - virNWFilterRule sorting. Signed-off-by: Dion Bosschieter --- src/nwfilter/meson.build | 1 + src/nwfilter/nwfilter_ebiptables_driver.c | 262 +--------------------- src/nwfilter/nwfilter_tech_driver.c | 250 +++++++++++++++++++++ src/nwfilter/nwfilter_tech_driver.h | 50 ++++- 4 files changed, 299 insertions(+), 264 deletions(-) create mode 100644 src/nwfilter/nwfilter_tech_driver.c diff --git a/src/nwfilter/meson.build b/src/nwfilter/meson.build index de3d202267..9e8a4797c5 100644 --- a/src/nwfilter/meson.build +++ b/src/nwfilter/meson.build @@ -1,6 +1,7 @@ nwfilter_driver_sources =3D [ 'nwfilter_driver.c', 'nwfilter_gentech_driver.c', + 'nwfilter_tech_driver.c', 'nwfilter_dhcpsnoop.c', 'nwfilter_ebiptables_driver.c', 'nwfilter_learnipaddr.c', diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfil= ter_ebiptables_driver.c index 4578152670..97a90d586e 100644 --- a/src/nwfilter/nwfilter_ebiptables_driver.c +++ b/src/nwfilter/nwfilter_ebiptables_driver.c @@ -25,7 +25,6 @@ #include #include #include -#include =20 #include "internal.h" =20 @@ -35,6 +34,7 @@ #include "virerror.h" #include "nwfilter_conf.h" #include "nwfilter_ebiptables_driver.h" +#include "nwfilter_tech_driver.h" #include "virfile.h" #include "configmake.h" #include "virstring.h" @@ -83,24 +83,6 @@ static void ebiptablesDriverShutdown(void); static int ebtablesCleanAll(const char *ifname); static int ebiptablesAllTeardown(const char *ifname); =20 -struct ushort_map { - unsigned short attr; - const char *val; -}; - - -enum l3_proto_idx { - L3_PROTO_IPV4_IDX =3D 0, - L3_PROTO_IPV6_IDX, - L3_PROTO_ARP_IDX, - L3_PROTO_RARP_IDX, - L2_PROTO_MAC_IDX, - L2_PROTO_VLAN_IDX, - L2_PROTO_STP_IDX, - L3_PROTO_LAST_IDX -}; - -#define USHORTMAP_ENTRY_IDX(IDX, ATT, VAL) [IDX] =3D { .attr =3D ATT, .val= =3D VAL } =20 /* A lookup table for translating ethernet protocol IDs to human readable * strings. None of the human readable strings must be found as a prefix @@ -118,7 +100,6 @@ static const struct ushort_map l3_protocols[] =3D { USHORTMAP_ENTRY_IDX(L3_PROTO_LAST_IDX, 0, NULL), }; =20 - static char chainprefixes_host[3] =3D { CHAINPREFIX_HOST_IN, CHAINPREFIX_HOST_OUT, @@ -137,12 +118,6 @@ typedef struct { const char *targetChain; } iptablesBaseChainFW; =20 -typedef struct { - const char *ifname; - int nrules; - virNWFilterRuleInst **rules; -} chainCreateCallbackData; - static iptablesBaseChainFW fw_base_chains[] =3D { {"FORWARD", "1", VIRT_IN_CHAIN}, {"FORWARD", "2", VIRT_OUT_CHAIN}, @@ -150,206 +125,6 @@ static iptablesBaseChainFW fw_base_chains[] =3D { {"INPUT", "1", HOST_IN_CHAIN}, }; =20 -static int -printVar(virNWFilterVarCombIter *vars, - char *buf, int bufsize, - nwItemDesc *item, - bool *done) -{ - *done =3D false; - - if ((item->flags & NWFILTER_ENTRY_ITEM_FLAG_HAS_VAR)) { - const char *val; - - val =3D virNWFilterVarCombIterGetVarValue(vars, item->varAccess); - if (!val) { - /* error has been reported */ - return -1; - } - - if (virStrcpy(buf, val, bufsize) < 0) { - const char *varName; - - varName =3D virNWFilterVarAccessGetVarName(item->varAccess); - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Buffer too small to print variable '%1$s' in= to"), - varName); - return -1; - } - - *done =3D true; - } - return 0; -} - - -static int -_printDataType(virNWFilterVarCombIter *vars, - char *buf, int bufsize, - nwItemDesc *item, - bool asHex, bool directionIn) -{ - bool done; - g_autofree char *data =3D NULL; - uint8_t ctr; - g_auto(virBuffer) vb =3D VIR_BUFFER_INITIALIZER; - g_autofree char *flags =3D NULL; - - if (printVar(vars, buf, bufsize, item, &done) < 0) - return -1; - - if (done) - return 0; - - switch (item->datatype) { - case DATATYPE_IPADDR: - data =3D virSocketAddrFormat(&item->u.ipaddr); - if (!data) - return -1; - if (g_snprintf(buf, bufsize, "%s", data) >=3D bufsize) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("buffer too small for IP address")); - return -1; - } - break; - - case DATATYPE_IPV6ADDR: - data =3D virSocketAddrFormat(&item->u.ipaddr); - if (!data) - return -1; - - if (g_snprintf(buf, bufsize, "%s", data) >=3D bufsize) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("buffer too small for IPv6 address")); - return -1; - } - break; - - case DATATYPE_MACADDR: - case DATATYPE_MACMASK: - if (bufsize < VIR_MAC_STRING_BUFLEN) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("Buffer too small for MAC address")); - return -1; - } - - virMacAddrFormat(&item->u.macaddr, buf); - break; - - case DATATYPE_IPV6MASK: - case DATATYPE_IPMASK: - if (g_snprintf(buf, bufsize, "%d", - item->u.u8) >=3D bufsize) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("Buffer too small for uint8 type")); - return -1; - } - break; - - case DATATYPE_UINT32: - case DATATYPE_UINT32_HEX: - if (g_snprintf(buf, bufsize, asHex ? "0x%x" : "%u", - item->u.u32) >=3D bufsize) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("Buffer too small for uint32 type")); - return -1; - } - break; - - case DATATYPE_UINT16: - case DATATYPE_UINT16_HEX: - if (g_snprintf(buf, bufsize, asHex ? "0x%x" : "%d", - item->u.u16) >=3D bufsize) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("Buffer too small for uint16 type")); - return -1; - } - break; - - case DATATYPE_UINT8: - case DATATYPE_UINT8_HEX: - if (g_snprintf(buf, bufsize, asHex ? "0x%x" : "%d", - item->u.u8) >=3D bufsize) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("Buffer too small for uint8 type")); - return -1; - } - break; - - case DATATYPE_IPSETNAME: - if (virStrcpy(buf, item->u.ipset.setname, bufsize) < 0) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("Buffer to small for ipset name")); - return -1; - } - break; - - case DATATYPE_IPSETFLAGS: - for (ctr =3D 0; ctr < item->u.ipset.numFlags; ctr++) { - if (ctr !=3D 0) - virBufferAddLit(&vb, ","); - if ((item->u.ipset.flags & (1 << ctr))) { - if (directionIn) - virBufferAddLit(&vb, "dst"); - else - virBufferAddLit(&vb, "src"); - } else { - if (directionIn) - virBufferAddLit(&vb, "src"); - else - virBufferAddLit(&vb, "dst"); - } - } - - flags =3D virBufferContentAndReset(&vb); - - if (virStrcpy(buf, flags, bufsize) < 0) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", - _("Buffer too small for IPSETFLAGS type")); - return -1; - } - break; - - case DATATYPE_STRING: - case DATATYPE_STRINGCOPY: - case DATATYPE_BOOLEAN: - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Cannot print data type %1$x"), item->datatype); - return -1; - case DATATYPE_LAST: - default: - virReportEnumRangeError(virNWFilterAttrDataType, item->datatype); - return -1; - } - - return 0; -} - - -static int -printDataType(virNWFilterVarCombIter *vars, - char *buf, int bufsize, - nwItemDesc *item) -{ - return _printDataType(vars, buf, bufsize, item, 0, 0); -} - -static int -printDataTypeDirection(virNWFilterVarCombIter *vars, - char *buf, int bufsize, - nwItemDesc *item, bool directionIn) -{ - return _printDataType(vars, buf, bufsize, item, 0, directionIn); -} - -static int -printDataTypeAsHex(virNWFilterVarCombIter *vars, - char *buf, int bufsize, - nwItemDesc *item) -{ - return _printDataType(vars, buf, bufsize, item, 1, 0); -} - =20 static int ebtablesHandleEthHdr(virFirewall *fw, @@ -3041,41 +2816,6 @@ ebtablesCleanAll(const char *ifname) } =20 =20 -static int -virNWFilterRuleInstSort(const void *a, const void *b) -{ - const virNWFilterRuleInst *insta =3D a; - const virNWFilterRuleInst *instb =3D b; - const char *root =3D virNWFilterChainSuffixTypeToString( - VIR_NWFILTER_CHAINSUFFIX_ROOT); - bool root_a =3D STREQ(insta->chainSuffix, root); - bool root_b =3D STREQ(instb->chainSuffix, root); - - /* ensure root chain commands appear before all others since - we will need them to create the child chains */ - if (root_a) { - if (!root_b) - return -1; /* a before b */ - } else if (root_b) { - return 1; /* b before a */ - } - - /* priorities are limited to range [-1000, 1000] */ - return insta->priority - instb->priority; -} - - -static int -virNWFilterRuleInstSortPtr(const void *a, - const void *b, - void *opaque G_GNUC_UNUSED) -{ - virNWFilterRuleInst * const *insta =3D a; - virNWFilterRuleInst * const *instb =3D b; - return virNWFilterRuleInstSort(*insta, *instb); -} - - static int ebiptablesFilterOrderSort(const void *va, const void *vb, diff --git a/src/nwfilter/nwfilter_tech_driver.c b/src/nwfilter/nwfilter_te= ch_driver.c new file mode 100644 index 0000000000..7b3edff8e6 --- /dev/null +++ b/src/nwfilter/nwfilter_tech_driver.c @@ -0,0 +1,250 @@ +/* + * nwfilter_tech_driver.c: common/shared functions used in nwfilter gentec= h drivers + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#include + +#include "nwfilter_tech_driver.h" +#include "nwfilter_conf.h" + +#define VIR_FROM_THIS VIR_FROM_NWFILTER + +int virNWFilterRuleInstSort(const void *a, const void *b) +{ + const virNWFilterRuleInst *insta =3D a; + const virNWFilterRuleInst *instb =3D b; + const char *root =3D virNWFilterChainSuffixTypeToString( + VIR_NWFILTER_CHAINSUFFIX_ROOT); + bool root_a =3D STREQ(insta->chainSuffix, root); + bool root_b =3D STREQ(instb->chainSuffix, root); + + /* ensure root chain commands appear before all others since + we will need them to create the child chains */ + if (root_a) { + if (!root_b) + return -1; /* a before b */ + } else if (root_b) { + return 1; /* b before a */ + } + + /* priorities are limited to range [-1000, 1000] */ + return insta->priority - instb->priority; +} + + +int virNWFilterRuleInstSortPtr(const void *a, + const void *b, + void *opaque G_GNUC_UNUSED) +{ + virNWFilterRuleInst * const *insta =3D a; + virNWFilterRuleInst * const *instb =3D b; + return virNWFilterRuleInstSort(*insta, *instb); +} + +int printVar(virNWFilterVarCombIter *vars, + char *buf, int bufsize, + nwItemDesc *item, + bool *done) +{ + *done =3D false; + + if ((item->flags & NWFILTER_ENTRY_ITEM_FLAG_HAS_VAR)) { + const char *val; + + val =3D virNWFilterVarCombIterGetVarValue(vars, item->varAccess); + if (!val) { + /* error has been reported */ + return -1; + } + + if (virStrcpy(buf, val, bufsize) < 0) { + const char *varName; + + varName =3D virNWFilterVarAccessGetVarName(item->varAccess); + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Buffer too small to print variable '%1$s' in= to"), + varName); + return -1; + } + + *done =3D true; + } + return 0; +} + +static int +_printDataType(virNWFilterVarCombIter *vars, + char *buf, int bufsize, + nwItemDesc *item, + bool asHex, bool directionIn) +{ + bool done; + g_autofree char *data =3D NULL; + uint8_t ctr; + g_auto(virBuffer) vb =3D VIR_BUFFER_INITIALIZER; + g_autofree char *flags =3D NULL; + + if (printVar(vars, buf, bufsize, item, &done) < 0) + return -1; + + if (done) + return 0; + + switch (item->datatype) { + case DATATYPE_IPADDR: + data =3D virSocketAddrFormat(&item->u.ipaddr); + if (!data) + return -1; + if (g_snprintf(buf, bufsize, "%s", data) >=3D bufsize) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("buffer too small for IP address")); + return -1; + } + break; + + case DATATYPE_IPV6ADDR: + data =3D virSocketAddrFormat(&item->u.ipaddr); + if (!data) + return -1; + + if (g_snprintf(buf, bufsize, "%s", data) >=3D bufsize) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("buffer too small for IPv6 address")); + return -1; + } + break; + + case DATATYPE_MACADDR: + case DATATYPE_MACMASK: + if (bufsize < VIR_MAC_STRING_BUFLEN) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Buffer too small for MAC address")); + return -1; + } + + virMacAddrFormat(&item->u.macaddr, buf); + break; + + case DATATYPE_IPV6MASK: + case DATATYPE_IPMASK: + if (g_snprintf(buf, bufsize, "%d", + item->u.u8) >=3D bufsize) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Buffer too small for uint8 type")); + return -1; + } + break; + + case DATATYPE_UINT32: + case DATATYPE_UINT32_HEX: + if (g_snprintf(buf, bufsize, asHex ? "0x%x" : "%u", + item->u.u32) >=3D bufsize) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Buffer too small for uint32 type")); + return -1; + } + break; + + case DATATYPE_UINT16: + case DATATYPE_UINT16_HEX: + if (g_snprintf(buf, bufsize, asHex ? "0x%x" : "%d", + item->u.u16) >=3D bufsize) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Buffer too small for uint16 type")); + return -1; + } + break; + + case DATATYPE_UINT8: + case DATATYPE_UINT8_HEX: + if (g_snprintf(buf, bufsize, asHex ? "0x%x" : "%d", + item->u.u8) >=3D bufsize) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Buffer too small for uint8 type")); + return -1; + } + break; + + case DATATYPE_IPSETNAME: + if (virStrcpy(buf, item->u.ipset.setname, bufsize) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Buffer to small for ipset name")); + return -1; + } + break; + + case DATATYPE_IPSETFLAGS: + for (ctr =3D 0; ctr < item->u.ipset.numFlags; ctr++) { + if (ctr !=3D 0) + virBufferAddLit(&vb, ","); + if ((item->u.ipset.flags & (1 << ctr))) { + if (directionIn) + virBufferAddLit(&vb, "dst"); + else + virBufferAddLit(&vb, "src"); + } else { + if (directionIn) + virBufferAddLit(&vb, "src"); + else + virBufferAddLit(&vb, "dst"); + } + } + + flags =3D virBufferContentAndReset(&vb); + + if (virStrcpy(buf, flags, bufsize) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Buffer too small for IPSETFLAGS type")); + return -1; + } + break; + + case DATATYPE_STRING: + case DATATYPE_STRINGCOPY: + case DATATYPE_BOOLEAN: + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Cannot print data type %1$x"), item->datatype); + return -1; + case DATATYPE_LAST: + default: + virReportEnumRangeError(virNWFilterAttrDataType, item->datatype); + return -1; + } + + return 0; +} + +int printDataType(virNWFilterVarCombIter *vars, + char *buf, int bufsize, + nwItemDesc *item) +{ + return _printDataType(vars, buf, bufsize, item, 0, 0); +} + +int printDataTypeDirection(virNWFilterVarCombIter *vars, + char *buf, int bufsize, + nwItemDesc *item, bool directionIn) +{ + return _printDataType(vars, buf, bufsize, item, 0, directionIn); +} + +int printDataTypeAsHex(virNWFilterVarCombIter *vars, + char *buf, int bufsize, + nwItemDesc *item) +{ + return _printDataType(vars, buf, bufsize, item, 1, 0); +} diff --git a/src/nwfilter/nwfilter_tech_driver.h b/src/nwfilter/nwfilter_te= ch_driver.h index a4af0bf6d5..7a85c46339 100644 --- a/src/nwfilter/nwfilter_tech_driver.h +++ b/src/nwfilter/nwfilter_tech_driver.h @@ -24,9 +24,7 @@ #pragma once =20 #include "virnwfilterobj.h" - -typedef struct _virNWFilterTechDriver virNWFilterTechDriver; - +#include "virstring.h" =20 typedef struct _virNWFilterRuleInst virNWFilterRuleInst; struct _virNWFilterRuleInst { @@ -38,6 +36,31 @@ struct _virNWFilterRuleInst { }; =20 =20 +typedef struct _chainCreateCallbackData chainCreateCallbackData; +struct _chainCreateCallbackData { + const char *ifname; + int nrules; + virNWFilterRuleInst **rules; +}; + +struct ushort_map { + unsigned short attr; + const char *val; +}; + +#define USHORTMAP_ENTRY_IDX(IDX, ATT, VAL) [IDX] =3D { .attr =3D ATT, .val= =3D VAL } + +enum l3_proto_idx { + L3_PROTO_IPV4_IDX =3D 0, + L3_PROTO_IPV6_IDX, + L3_PROTO_ARP_IDX, + L3_PROTO_RARP_IDX, + L2_PROTO_MAC_IDX, + L2_PROTO_VLAN_IDX, + L2_PROTO_STP_IDX, + L3_PROTO_LAST_IDX +}; + typedef int (*virNWFilterTechDrvInit)(bool privileged); typedef void (*virNWFilterTechDrvShutdown)(void); =20 @@ -69,6 +92,7 @@ enum techDrvFlags { TECHDRV_FLAG_INITIALIZED =3D (1 << 0), }; =20 +typedef struct _virNWFilterTechDriver virNWFilterTechDriver; struct _virNWFilterTechDriver { const char *name; enum techDrvFlags flags; @@ -87,3 +111,23 @@ struct _virNWFilterTechDriver { virNWFilterDropAllRules applyDropAllRules; virNWFilterRemoveBasicRules removeBasicRules; }; + +int virNWFilterRuleInstSort(const void *a, const void *b); +int virNWFilterRuleInstSortPtr(const void *a, + const void *b, + void *opaque); +int printVar(virNWFilterVarCombIter *vars, + char *buf, int bufsize, + nwItemDesc *item, + bool *done); + +int printDataType(virNWFilterVarCombIter *vars, + char *buf, int bufsize, + nwItemDesc *item); + +int printDataTypeDirection(virNWFilterVarCombIter *vars, + char *buf, int bufsize, + nwItemDesc *item, bool directionIn); +int printDataTypeAsHex(virNWFilterVarCombIter *vars, + char *buf, int bufsize, + nwItemDesc *item); --=20 2.43.0 From nobody Fri Dec 12 14:07:31 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass(p=none dis=none) header.from=gmail.com ARC-Seal: i=1; a=rsa-sha256; t=1761913218; cv=none; d=zohomail.com; s=zohoarc; b=EZwMUpYKMIHbZq5qtG9GisEDjOVzCKXdeCzXoevH1Wmmq4F+qom+vUAi35XOq1EXRMJbRCgAa8gYr3F0Spi0Oj+/B4FdD8bkJNsnKba9AaacUxe0o7hOSWE1uihU1eW2JtGgQ9bd2lmbKeUQz2sOohimoLCfIQCtv5uWgb47FMI= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1761913218; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To; bh=RnE6tS2WitFUrPLHMDWC79UhdSjd24sdoNu8teAMIoY=; b=J5/KeNTzpKEIopYunXiee6C//3SGKuNT+43mxaQIcG1L+sEe/OFd7lgf/CVfO0HdO+Gu310Eb0EBy/NCZJlj2uVEa21V58C5CWisXPKSzZ6vm8/nrDMDe9MYBsTOZOdS/HpugShvKdCHlGRJmChl7XFnLqJE7WAxLLR7LJKCUz4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1761913218736512.8909267293648; Fri, 31 Oct 2025 05:20:18 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 993) id E07F043ECD; Fri, 31 Oct 2025 08:20:17 -0400 (EDT) Received: from [172.19.199.29] (lists.libvirt.org [8.43.85.245]) by lists.libvirt.org (Postfix) with ESMTP id 063AB4410C; Fri, 31 Oct 2025 08:08:27 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 993) id 1D4C641BAE; Fri, 31 Oct 2025 08:07:54 -0400 (EDT) Received: from mail-ej1-f47.google.com (mail-ej1-f47.google.com [209.85.218.47]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id 0ED9943E55 for ; Fri, 31 Oct 2025 08:07:51 -0400 (EDT) Received: by mail-ej1-f47.google.com with SMTP id a640c23a62f3a-b6dbb4a209aso408753466b.1 for ; Fri, 31 Oct 2025 05:07:51 -0700 (PDT) Received: from thinkiepadje.home (2a02-a470-a384-0-62ef-bf5-dc71-bd78.fixed6.kpn.net. [2a02:a470:a384:0:62ef:bf5:dc71:bd78]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-b70779ddf48sm158255866b.32.2025.10.31.05.07.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 31 Oct 2025 05:07:48 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED, RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable autolearn_force=no version=4.0.1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1761912470; x=1762517270; darn=lists.libvirt.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=RnE6tS2WitFUrPLHMDWC79UhdSjd24sdoNu8teAMIoY=; b=FWOiXW7oQeMBwuLMKo7IKU0lzZy9llx1U9yGO0SN+ybsC4CClzhTO2iud8qQc59wL6 7LKqduZPB3qTRabo/pojvuO8hvdgNay9BFgeRH8QjDV0yvhgYB2f5yUQvWsVv+tO70Ls QJgjkQ4OibmFrCRPk7WizBb4Azvq6XmuRnEpbtHnIU/hkQ82y5TUvDZ7iSd6FxzRSATD BSSjWXcSE04jhwnjszvxqMEST+HbF+5BE4vbhDayO0eo/XSPyPNdu4X2sIJh5BhyakMq P2I092T4on/fJyl53OotleBjk5wbb93/lAgZXuBvTse0XoaR1C9gjFe/RXFXcl9VQzOh u54g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1761912470; x=1762517270; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=RnE6tS2WitFUrPLHMDWC79UhdSjd24sdoNu8teAMIoY=; b=fb5ravz0ahZH/iC8pFNwPaGD9mOeVRsJV/9dMgrtdN6fqklYMSNf0vG8q51k44OtwO 4k+i7ko8YQO7/v1MfVZl2CnprW5TT9POf001d32H1M6flvdABqq/hxn0rie6IfI96lOo fy58u/0qyGCZ2P/Uih519UaBZrZ3Ey7cX0Xc0sJ0oBigq2tNcN/DzGJ3rXg2HbNiGQxl vUmdLLAD2IkI2rEsq0I+qM+rGN73chptocEQLUrhyuL2z6i6oOKjBL9icxxK3S1kQoNs o0qNZO33QjTtn98+mbHjWnr0bszrUPNEfvn0iU6156PLJlLTK1+ibUtMhKrD2bMULcGM QY4Q== X-Gm-Message-State: AOJu0YwUN3AXFKW3bRcXsIvLGmYiHaTmB5UTAwZSSr6N69s9J29uT+Q7 DpNa+w1VpSmgEOgAS/JXGl+LnzS7im4GlUDWo4iBZrpKhTYcrwWv46buIo87jD+Dtg== X-Gm-Gg: ASbGncvT/IGU77sUM3Fqwnhv5ICfBLnFc+coA0Ji/kh5x9Hci+RDcDf589QWAvxoZk+ s9wo9JC4/zRTnk21pbxLcH0ulj+4ytbNyYeNeB8yFX3rNvjg4/EW8pxh7q4BGaVZ7R8L8bYuKI3 2UYccQCG4qMFtbFqBIc0IlCTVLLT95qV5s0xFw5hC7p8+rvjQm7ViUdntbmWPEFufLfpB41yCIS uECbT2CxuR6Wcj1ltM6mCgY/88MpnqqGgftq6LFo/Fc13sqk8jjY6ubPnRI+OZagM6N/X2/BpLC FaXqzx+YQfMGrDWWo20DzGr+l5ng9rxsfO9OxrCq77zg5j3knLKDvkX8lUub5v4uWKDL4bNv25W xYzPmRPtLpHKbd3TIfATRrqJAbWOujfJS80XS686m1R+zEnNqCL6HLuNAnnSWWuw8oCBjFtjkEH qaKvffY0gSjTP29JrC3QjpXOQHkyM6XZ+cIHsagqbuvMpvuu7NQtQ07U1X4T6tq1qQskvPUQskj nEed/sVeA== X-Google-Smtp-Source: AGHT+IHE051z88QwhRadJAprlD5rB3Vwkfo0Lda9AiMorKwZHwv8Au34oRsXpdwYjqRQVeQ3BVxX8w== X-Received: by 2002:a17:907:7205:b0:b6d:3f8a:bda1 with SMTP id a640c23a62f3a-b7070626ff6mr373075266b.46.1761912469055; Fri, 31 Oct 2025 05:07:49 -0700 (PDT) From: Dion Bosschieter To: devel@lists.libvirt.org Subject: [PATCH 3/5] nwfilter: add nwfilter nftables driver Date: Fri, 31 Oct 2025 13:05:43 +0100 Message-ID: <20251031120546.942126-4-dionbosschieter@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251031120546.942126-1-dionbosschieter@gmail.com> References: <20251031120546.942126-1-dionbosschieter@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Message-ID-Hash: XLWFZ4RVCUGIGRSJE3VJXISZZDILYTQJ X-Message-ID-Hash: XLWFZ4RVCUGIGRSJE3VJXISZZDILYTQJ X-MailFrom: dionbosschieter@gmail.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; header-match-devel.lists.libvirt.org-0; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: jean-louis@dupond.be, Dion Bosschieter X-Mailman-Version: 3.3.10 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: pass (identity @gmail.com) X-ZM-MESSAGEID: 1761913221514154100 Resolves issue: https://gitlab.com/libvirt/libvirt/-/issues/603 Benchmarks showed that the amount of iifname jumps for each interface is the cause for this. Switched the nftables driver towards a vmap (verdict map) so we can have 1 rule that jumps to the correct root input/output chain per interface. Which improves throughput as when the number of interface check and jump rules increases the throughput decreases. The issue describes the interface matching works using the interface name and the majority of the effort is the strncpy, this commit also switches nftables to an interface_index compare instead. However, just using the interface_index is not enough, the amount of oif and iif jump rules causes quite a performance issue, the vmap instead solves this. Split rules into separate tables: "libvirt-nwfilter-ethernet" and "libvirt-nwfilter-other" to preserve existing ebip firewall behavior. Reworked chain logic for clarity with root -input/-output chains per interface. input in the VM interface is filtered in the -input chain(s), output out of the VM inteface is filtered in the -output chain(s). Stuck with 2 tables for compatibility reasons with eb iptables, unifying into 1 table will break users firewall definitions, which depend on being able to do accepts on ethernet rules (which currently get defined via ebtables) and additional filtering via the ip rules (which currently get defined via ip(6)tables). The nwfilter_nftables_driver keeps splitting the ethernet and non ethernet (other) rules in seperate tables =E2=80=9Clibvirt-nwfilter-ethernet=E2=80=9D and =E2=80=9Clibvirt-nwfilter-o= ther=E2=80=9D. Rewrote chain logic, so it is easier to understand, input in the VM interface is filtered in the -input chain(s), output out of the VM inteface is filtered in the -output chain(s). -ethernet and -other table follow the same style and hook in the same way. Simplified conntrack handling: rules with accept+conntrack are duplicated to the opposite chain for symmetric behavior, to support the existing ebiptables logic. Firewall updates continue use tmp names for atomic replacement. Unsupported nwfilter features (for now): - STP filtering - Gratuitous ARP filtering - IPSets (potential future support via nft sets) Signed-off-by: Dion Bosschieter --- po/POTFILES | 2 + src/nwfilter/meson.build | 1 + src/nwfilter/nwfilter_nftables_driver.c | 2374 +++++++++++++++++++++++ src/nwfilter/nwfilter_nftables_driver.h | 28 + 4 files changed, 2405 insertions(+) create mode 100644 src/nwfilter/nwfilter_nftables_driver.c create mode 100644 src/nwfilter/nwfilter_nftables_driver.h diff --git a/po/POTFILES b/po/POTFILES index 23da794f84..fa28239104 100644 --- a/po/POTFILES +++ b/po/POTFILES @@ -162,6 +162,8 @@ src/nwfilter/nwfilter_driver.c src/nwfilter/nwfilter_ebiptables_driver.c src/nwfilter/nwfilter_gentech_driver.c src/nwfilter/nwfilter_learnipaddr.c +src/nwfilter/nwfilter_nftables_driver.c +src/nwfilter/nwfilter_tech_driver.c src/openvz/openvz_conf.c src/openvz/openvz_driver.c src/openvz/openvz_util.c diff --git a/src/nwfilter/meson.build b/src/nwfilter/meson.build index 9e8a4797c5..a94d72d570 100644 --- a/src/nwfilter/meson.build +++ b/src/nwfilter/meson.build @@ -5,6 +5,7 @@ nwfilter_driver_sources =3D [ 'nwfilter_dhcpsnoop.c', 'nwfilter_ebiptables_driver.c', 'nwfilter_learnipaddr.c', + 'nwfilter_nftables_driver.c', ] =20 driver_source_files +=3D files(nwfilter_driver_sources) diff --git a/src/nwfilter/nwfilter_nftables_driver.c b/src/nwfilter/nwfilte= r_nftables_driver.c new file mode 100644 index 0000000000..36a6c63f22 --- /dev/null +++ b/src/nwfilter/nwfilter_nftables_driver.c @@ -0,0 +1,2374 @@ +/* + * nwfilter_nftables_driver.c: driver for nftables on tap devices + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#include + +#include +#include +#include + +#include "internal.h" + +#include "virbuffer.h" +#include "viralloc.h" +#include "virlog.h" +#include "virerror.h" +#include "nwfilter_conf.h" +#include "nwfilter_nftables_driver.h" +#include "nwfilter_tech_driver.h" +#include "virfile.h" +#include "configmake.h" +#include "virstring.h" +#include "virfirewall.h" + +#define VIR_FROM_THIS VIR_FROM_NWFILTER + +/* define nftable root table */ +#define NF_ETHERNET_TABLE "libvirt-nwfilter-ethernet" +#define NF_OTHER_TABLE "libvirt-nwfilter-other" +#define NF_COMMENT "{ comment \"this table is managed by libvirt\";= }" +/* nftables counter can be enabled for firewalls transparency */ +#ifndef NF_COUNTER +# define NF_COUNTER 0 +#endif + +/* define chains */ +#define IN_CHAIN "postrouting" +#define OUT_CHAIN "prerouting" +#define FORWARD_CHAIN "forward" + +#define IN_IFMATCH "oif" +#define OUT_IFMATCH "iif" + +#define DEFAULT_POLICY "accept" + +#ifndef NF_TRACE +# define NF_TRACE 0 +#endif +#if NF_TRACE +# define TRACE_SETTING "meta nftrace set 1;" +#else +# define TRACE_SETTING "" +#endif + +#define CHAINSETTINGS "{ }" + +#define VMAP_IN "vmap-oif" +#define VMAP_OUT "vmap-iif" +#define VMAPSETTINGS "{ type iface_index: verdict; }" + +#define ROOT_CHAINSETTINGS(chain, defaultPolicy) \ + "{ type filter hook "chain" priority %d;" \ + " policy "defaultPolicy"; "TRACE_SETTING" }" + +VIR_LOG_INIT("nwfilter.nwfilter_nftables_driver"); + +/* A lookup table for translating ethernet protocol IDs to human readable + * strings. None of the human readable strings must be found as a prefix + * in another entry here (example 'ab' would be found in 'abc') to allow + * for prefix matching. + */ +static const struct ushort_map l3_protocols[] =3D { + USHORTMAP_ENTRY_IDX(L3_PROTO_IPV4_IDX, ETHERTYPE_IP, "ipv4"), + USHORTMAP_ENTRY_IDX(L3_PROTO_IPV6_IDX, ETHERTYPE_IPV6, "ipv6"), + USHORTMAP_ENTRY_IDX(L3_PROTO_ARP_IDX, ETHERTYPE_ARP, "arp"), + USHORTMAP_ENTRY_IDX(L3_PROTO_RARP_IDX, ETHERTYPE_REVARP, "rarp"), + USHORTMAP_ENTRY_IDX(L2_PROTO_VLAN_IDX, ETHERTYPE_VLAN, "vlan"), + USHORTMAP_ENTRY_IDX(L2_PROTO_STP_IDX, 0, "stp"), + USHORTMAP_ENTRY_IDX(L2_PROTO_MAC_IDX, 0, "mac"), + USHORTMAP_ENTRY_IDX(L3_PROTO_LAST_IDX, 0, NULL), +}; + +/* + * Given a filtername determine the protocol it is used for evaluating + * We do prefix-matching to determine the protocol. + */ +static enum l3_proto_idx +nftablesGetProtoIdxByFiltername(const char *filtername) +{ + enum l3_proto_idx idx; + + for (idx =3D 0; idx < L3_PROTO_LAST_IDX; idx++) { + if (STRPREFIX(filtername, l3_protocols[idx].val)) + return idx; + } + + return -1; +} + +static void nftablesCreateTable(virFirewall *fw, + virFirewallLayer layer, + const char *tableName) +{ + virFirewallCmd *fwrule =3D NULL; + int tablePriority =3D STREQ(tableName, NF_ETHERNET_TABLE) ? 0 : 1; + + /* define table */ + virFirewallAddCmd(fw, layer, + "add", "table", "bridge", + tableName, NF_COMMENT, NULL); + + /* create vmap for iface matches */ + virFirewallAddCmd(fw, layer, "add", "map", "bridge", tableName, VMAP_I= N, + VMAPSETTINGS, NULL); + virFirewallAddCmd(fw, layer, "add", "map", "bridge", tableName, VMAP_O= UT, + VMAPSETTINGS, NULL); + + /* define default chains */ + fwrule =3D virFirewallAddCmd(fw, layer, "add", "chain", "bridge", + tableName, IN_CHAIN, NULL); + virFirewallCmdAddArgFormat(fw, fwrule, + ROOT_CHAINSETTINGS(IN_CHAIN, DEFAULT_POLICY= ), + tablePriority); + fwrule =3D virFirewallAddCmd(fw, layer, "add", "chain", "bridge", + tableName, OUT_CHAIN, NULL); + virFirewallCmdAddArgFormat(fw, fwrule, + ROOT_CHAINSETTINGS(OUT_CHAIN, DEFAULT_POLIC= Y), + tablePriority); + + /* add the one jump rule based on the vmap */ + fwrule =3D virFirewallAddCmd(fw, layer, "add", "rule", "bridge", table= Name, + IN_CHAIN, IN_IFMATCH, "vmap", NULL); + virFirewallCmdAddArgFormat(fw, fwrule, "@%s", VMAP_IN); + fwrule =3D virFirewallAddCmd(fw, layer, "add", "rule", "bridge", table= Name, + OUT_CHAIN, OUT_IFMATCH, "vmap", NULL); + virFirewallCmdAddArgFormat(fw, fwrule, "@%s", VMAP_OUT); +} + +static int +nftablesHandleCreateRootTables(virFirewall *fw, + virFirewallLayer layer, + const char *const *lines, + void *opaque G_GNUC_UNUSED) +{ + bool ethernetTableDefined =3D false; + bool otherTableDefined =3D false; + size_t i; + + /* parse nft tables list output to see if tables exist */ + for (i =3D 0; lines[i] !=3D NULL; i++) { + const char *line =3D lines[i]; + if ((line =3D STRSKIP(line, "table bridge ")) =3D=3D NULL) { + continue; + } + + VIR_DEBUG("Considering table for comparison '%s'", lines[i]); + + /* if chain matches basechain */ + if (STRPREFIX(line, NF_ETHERNET_TABLE)) { + ethernetTableDefined =3D true; + } else if (STRPREFIX(line, NF_OTHER_TABLE)) { + otherTableDefined =3D true; + } + } + + /* if the ethernet table doesn't exist, + * we create it including the default chains*/ + if (!ethernetTableDefined) + nftablesCreateTable(fw, layer, NF_ETHERNET_TABLE); + /* if the non ethernet table (other) doesn't exist, + * we create it including the default chains */ + if (!otherTableDefined) + nftablesCreateTable(fw, layer, NF_OTHER_TABLE); + + return 0; +} + +static void nftablesAddCmdAction(virFirewall *fw, + virFirewallCmd *fwrule, + virNWFilterRuleActionType action) +{ + switch (action) { + case VIR_NWFILTER_RULE_ACTION_ACCEPT: + virFirewallCmdAddArg(fw, fwrule, "accept"); + break; + case VIR_NWFILTER_RULE_ACTION_DROP: + virFirewallCmdAddArg(fw, fwrule, "drop"); + break; + case VIR_NWFILTER_RULE_ACTION_REJECT: + virFirewallCmdAddArg(fw, fwrule, "drop"); + break; + case VIR_NWFILTER_RULE_ACTION_RETURN: + virFirewallCmdAddArg(fw, fwrule, "return"); + break; + case VIR_NWFILTER_RULE_ACTION_CONTINUE: + virFirewallCmdAddArg(fw, fwrule, "continue"); + break; + case VIR_NWFILTER_RULE_ACTION_LAST: + default: + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Unexpected action %1$d"), action); + } +} + +static const char *nftablesGetProtocolType(int protocol) +{ + switch (protocol) { + case VIR_NWFILTER_RULE_PROTOCOL_TCP: + case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6: + return "tcp"; + case VIR_NWFILTER_RULE_PROTOCOL_UDP: + case VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6: + return "udp"; + case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE: + case VIR_NWFILTER_RULE_PROTOCOL_UDPLITEoIPV6: + return "udplite"; + case VIR_NWFILTER_RULE_PROTOCOL_ESP: + case VIR_NWFILTER_RULE_PROTOCOL_ESPoIPV6: + return "esp"; + case VIR_NWFILTER_RULE_PROTOCOL_AH: + case VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6: + return "ah"; + case VIR_NWFILTER_RULE_PROTOCOL_SCTP: + case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6: + return "sctp"; + case VIR_NWFILTER_RULE_PROTOCOL_ICMP: + return "icmp"; + case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6: + return "icmpv6"; + case VIR_NWFILTER_RULE_PROTOCOL_IGMP: + return "igmp"; + case VIR_NWFILTER_RULE_PROTOCOL_ALL: + case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6: + return "all"; + default: + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Unexpected protocol %1$d"), + protocol); + return ""; + } +} + +static const char * +nftablesGetIpTypeByDataType(nwItemDesc *item) +{ + return (item->datatype =3D=3D DATATYPE_IPV6ADDR) ? "ip6" : "ip"; +} + +static int +nftablesHandleIPHdr(virFirewall *fw, + virFirewallCmd *fwrule, + virNWFilterVarCombIter *vars, + ipHdrDataDef *ipHdr, + bool reverseRule) +{ + char ipaddr[INET6_ADDRSTRLEN]; + char ipaddralt[INET6_ADDRSTRLEN]; + char number[VIR_INT64_STR_BUFLEN]; + const char *ip =3D NULL; + const char *saddr =3D reverseRule ? "daddr" : "saddr"; + const char *daddr =3D reverseRule ? "saddr" : "daddr"; + + if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPAddr)) { + ip =3D nftablesGetIpTypeByDataType(&ipHdr->dataSrcIPAddr); + virFirewallCmdAddArgList(fw, fwrule, ip, saddr, NULL); + + if (printDataType(vars, + ipaddr, sizeof(ipaddr), + &ipHdr->dataSrcIPAddr) < 0) + return -1; + + if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataSrcIPAddr)) + virFirewallCmdAddArg(fw, fwrule, "!"); + + if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPMask)) { + if (printDataType(vars, + number, sizeof(number), + &ipHdr->dataSrcIPMask) < 0) + return -1; + + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, number); + } else { + virFirewallCmdAddArg(fw, fwrule, ipaddr); + } + } else if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPFrom)) { + ip =3D nftablesGetIpTypeByDataType(&ipHdr->dataSrcIPFrom); + virFirewallCmdAddArgList(fw, fwrule, ip, saddr, NULL); + + if (printDataType(vars, + ipaddr, sizeof(ipaddr), + &ipHdr->dataSrcIPFrom) < 0) + return -1; + + if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataSrcIPFrom)) + virFirewallCmdAddArg(fw, fwrule, "!"); + + if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPTo)) { + + if (printDataType(vars, + ipaddralt, sizeof(ipaddralt), + &ipHdr->dataSrcIPTo) < 0) + return -1; + + virFirewallCmdAddArgFormat(fw, fwrule, + "%s-%s", ipaddr, ipaddralt); + } else { + virFirewallCmdAddArg(fw, fwrule, ipaddr); + } + } + + if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPAddr)) { + ip =3D nftablesGetIpTypeByDataType(&ipHdr->dataDstIPAddr); + virFirewallCmdAddArgList(fw, fwrule, ip, daddr, NULL); + + if (printDataType(vars, + ipaddr, sizeof(ipaddr), + &ipHdr->dataDstIPAddr) < 0) + return -1; + + if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDstIPAddr)) + virFirewallCmdAddArg(fw, fwrule, "!"); + + if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPMask)) { + if (printDataType(vars, + number, sizeof(number), + &ipHdr->dataDstIPMask) < 0) + return -1; + + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, number); + } else { + virFirewallCmdAddArg(fw, fwrule, ipaddr); + } + } else if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPFrom)) { + ip =3D nftablesGetIpTypeByDataType(&ipHdr->dataDstIPFrom); + virFirewallCmdAddArgList(fw, fwrule, ip, daddr, NULL); + + if (printDataType(vars, + ipaddr, sizeof(ipaddr), + &ipHdr->dataDstIPFrom) < 0) + return -1; + + if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDstIPFrom)) + virFirewallCmdAddArg(fw, fwrule, "!"); + + if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPTo)) { + if (printDataType(vars, + ipaddralt, sizeof(ipaddralt), + &ipHdr->dataDstIPTo) < 0) + return -1; + + virFirewallCmdAddArgFormat(fw, fwrule, + "%s-%s", ipaddr, ipaddralt); + } else { + virFirewallCmdAddArg(fw, fwrule, ipaddr); + } + } + + if (HAS_ENTRY_ITEM(&ipHdr->dataDSCP)) { + if (!ip) + ip =3D nftablesGetIpTypeByDataType(&ipHdr->dataDSCP); + + if (printDataType(vars, + number, sizeof(number), + &ipHdr->dataDSCP) < 0) + return -1; + + virFirewallCmdAddArgList(fw, fwrule, ip, "dscp", NULL); + if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDSCP)) + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArgList(fw, fwrule, number, NULL); + } + + return 0; +} + +static int +nftablesHandleEthHdr(virFirewall *fw, + virFirewallCmd *fwrule, + virNWFilterVarCombIter *vars, + ethHdrDataDef *ethHdr, + bool reverseRule) +{ + char macaddr[VIR_MAC_STRING_BUFLEN]; + char macmask[VIR_MAC_STRING_BUFLEN]; + const char *saddr =3D reverseRule ? "daddr" : "saddr"; + const char *daddr =3D reverseRule ? "saddr" : "daddr"; + + if (HAS_ENTRY_ITEM(ðHdr->dataSrcMACAddr)) { + const char *comparison =3D NULL; + if (printDataType(vars, + macaddr, sizeof(macaddr), + ðHdr->dataSrcMACAddr) < 0) + return -1; + + virFirewallCmdAddArgList(fw, fwrule, "ether", saddr, NULL); + comparison =3D ENTRY_WANT_NEG_SIGN(ðHdr->dataSrcMACAddr) ? + "!=3D" : "=3D=3D"; + + if (HAS_ENTRY_ITEM(ðHdr->dataSrcMACMask)) { + if (printDataType(vars, + macmask, sizeof(macmask), + ðHdr->dataSrcMACMask) < 0) + return -1; + + virFirewallCmdAddArgFormat(fw, fwrule, + "& %s %s %s", + macmask, comparison, macaddr); + } else { + virFirewallCmdAddArgList(fw, fwrule, comparison, macaddr, NULL= ); + } + } + + if (HAS_ENTRY_ITEM(ðHdr->dataDstMACAddr)) { + const char *comparison =3D NULL; + if (printDataType(vars, + macaddr, sizeof(macaddr), + ðHdr->dataDstMACAddr) < 0) + return -1; + + virFirewallCmdAddArgList(fw, fwrule, "ether", daddr, NULL); + comparison =3D ENTRY_WANT_NEG_SIGN(ðHdr->dataDstMACAddr) ? + "!=3D" : "=3D=3D"; + + if (HAS_ENTRY_ITEM(ðHdr->dataDstMACMask)) { + if (printDataType(vars, + macmask, sizeof(macmask), + ðHdr->dataDstMACMask) < 0) + return -1; + + virFirewallCmdAddArgFormat(fw, fwrule, + "& %s %s %s", + macmask, comparison, macaddr); + } else { + virFirewallCmdAddArgList(fw, fwrule, comparison, macaddr, NULL= ); + } + } + + return 0; +} + +static int +insertRuleArg2Param(virFirewall *fw, + virFirewallCmd *fwrule, + virNWFilterVarCombIter *vars, + nwItemDesc *itemLow, + nwItemDesc *itemHigh, + const char *argument, + const char *seperator) +{ + char field[VIR_INT64_STR_BUFLEN]; + char fieldalt[VIR_INT64_STR_BUFLEN]; + + if (HAS_ENTRY_ITEM(itemLow)) { + if (printDataType(vars, + field, sizeof(field), + itemLow) < 0) + return -1; + virFirewallCmdAddArg(fw, fwrule, argument); + if (ENTRY_WANT_NEG_SIGN(itemLow)) + virFirewallCmdAddArg(fw, fwrule, "!=3D"); + if (HAS_ENTRY_ITEM(itemHigh)) { + if (printDataType(vars, + fieldalt, sizeof(fieldalt), + itemHigh) < 0) + return -1; + virFirewallCmdAddArgFormat(fw, fwrule, + "%s%s%s", field, seperator, fieldal= t); + } else { + virFirewallCmdAddArg(fw, fwrule, field); + } + } + + return 0; +} + +static int +nftablesHandlePortData(virFirewall *fw, + virFirewallCmd *fwrule, + virNWFilterVarCombIter *vars, + const char *protocol, + portDataDef *portData, + bool reverseRule) +{ + char dport[VIR_INT64_STR_BUFLEN]; + char sport[VIR_INT64_STR_BUFLEN]; + + g_snprintf(dport, sizeof(dport), reverseRule ? "%s sport" : "%s dport", + protocol); + g_snprintf(sport, sizeof(sport), reverseRule ? "%s dport": "%s sport", + protocol); + + if (insertRuleArg2Param(fw, fwrule, vars, + &portData->dataDstPortStart, + &portData->dataDstPortEnd, dport, "-") < 0) + return -1; + if (insertRuleArg2Param(fw, fwrule, vars, + &portData->dataSrcPortStart, + &portData->dataSrcPortEnd, sport, "-") < 0) + return -1; + + return 0; +} + +static int +nftablesHandleMacAddr(virFirewall *fw, + virFirewallCmd *fwrule, + virNWFilterVarCombIter *vars, + nwItemDesc *macaddr, + const char *argument) +{ + char macstr[VIR_MAC_STRING_BUFLEN]; + + if (HAS_ENTRY_ITEM(macaddr)) { + if (printDataType(vars, + macstr, sizeof(macstr), + macaddr) < 0) + return -1; + + virFirewallCmdAddArg(fw, fwrule, argument); + if (ENTRY_WANT_NEG_SIGN(macaddr)) + virFirewallCmdAddArg(fw, fwrule, "!=3D"); + virFirewallCmdAddArg(fw, fwrule, macstr); + } + + return 0; +} + +static int +nftablesHandleSrcMacAddr(virFirewall *fw, + virFirewallCmd *fwrule, + virNWFilterVarCombIter *vars, + nwItemDesc *srcMacAddr) +{ + return nftablesHandleMacAddr(fw, fwrule, vars, srcMacAddr, "ether sadd= r"); +} + +static void +printStateMatchFlags(int32_t flags, char **bufptr) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + virNWFilterPrintStateMatchFlags(&buf, "", flags, false); + + /* str to lower needed as nft doesn't accept upper case states */ + g_string_ascii_down(buf.str); + + *bufptr =3D virBufferContentAndReset(&buf); +} + +static bool +nftablesRuleNeedsConntrack(virNWFilterRuleDef *rule) +{ + /* ip only */ + if (virNWFilterRuleIsProtocolEthernet(rule)) { + return false; + } + + /* Skip conntrack if statematch=3Dfalse flag has been set */ + if (rule->flags & RULE_FLAG_NO_STATEMATCH) { + return false; + } + + /* If no state flags are set and rule->action is not accept, + * we should skip conntrack */ + if (!(rule->flags & IPTABLES_STATE_FLAGS) && + rule->action !=3D VIR_NWFILTER_RULE_ACTION_ACCEPT) { + return false; + } + + return true; +} + +static bool +nftablesRuleNeedsConnLimit(ipHdrDataDef *ipHdr, + bool directionIn) +{ + return HAS_ENTRY_ITEM(&ipHdr->dataConnlimitAbove) && !directionIn; +} + +static char * +nftablesPrintTCPFlags(uint8_t flags) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + g_autofree char *flagsstr =3D NULL; + + if (flags =3D=3D 0) { + virBufferAddLit(&buf, "0"); + } else if (flags =3D=3D 0x3f) { + virBufferAddLit(&buf, "*"); + } else { + flagsstr =3D virNWFilterPrintTCPFlags(flags); + virBufferAdd(&buf, flagsstr, -1); + g_string_ascii_down(buf.str); + } + + return virBufferContentAndReset(&buf); +} + +/* + * nftablesHandleOtherRule: + * @fw: the firewall ruleset to add to + * @fwrule: the firewall command to add arguments to + * @vars : A map containing the variables to resolve + * @rule: The rule of the filter to convert + * @directionIn: direction of the rule, true for in false for out + * directionIn is needed for additional conntrack logic + * @reverseRule: Whether to reverse src and dst attributes + * ethernet reverse flag is set conntrack requires a reverse + * rule on the opposite chain + * + * Set arguments on fwrule based on given struct *rule + * + */ +static int +nftablesHandleOtherRule(virFirewall *fw, + virFirewallCmd *fwrule, + virNWFilterVarCombIter *vars, + virNWFilterRuleDef *rule, + bool directionIn, + bool reverseRule) +{ + char number[VIR_INT64_STR_BUFLEN]; + bool hasICMPType =3D false; + bool skipDirection =3D false; + g_autofree char *matchState =3D NULL; + ipHdrDataDef *ipHdr =3D NULL; + const char *protocol =3D nftablesGetProtocolType(rule->prtclType); + + virFirewallCmdAddArgList(fw, fwrule, "ether", "type", NULL); + if (virNWFilterRuleIsProtocolIPv6(rule) && + !virNWFilterRuleIsProtocolIPv4(rule)) { + virFirewallCmdAddArg(fw, fwrule, "ip6"); + } else if (virNWFilterRuleIsProtocolIPv4(rule) && + !virNWFilterRuleIsProtocolIPv6(rule)) { + virFirewallCmdAddArg(fw, fwrule, "ip"); + } + + switch ((int)rule->prtclType) { + case VIR_NWFILTER_RULE_PROTOCOL_TCP: + case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6: + virFirewallCmdAddArgList(fw, fwrule, "meta", "l4proto", "tcp", NUL= L); + ipHdr =3D &rule->p.tcpHdrFilter.ipHdr; + + if (nftablesHandleSrcMacAddr(fw, fwrule, vars, + &rule->p.tcpHdrFilter.dataSrcMACAddr)= < 0) + return -1; + if (nftablesHandleIPHdr(fw, fwrule, vars, ipHdr, reverseRule) < 0) + return -1; + + if (HAS_ENTRY_ITEM(&rule->p.tcpHdrFilter.dataTCPFlags)) { + g_autofree char *mask =3D NULL; + g_autofree char *flags =3D NULL; + + /* flags & syn =3D=3D syn */ + virFirewallCmdAddArgList(fw, fwrule, "tcp", "flags", "&", NULL= ); + + if (!(mask =3D nftablesPrintTCPFlags( + rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.mas= k))) + return -1; + virFirewallCmdAddArgList(fw, fwrule, mask, ENTRY_WANT_NEG_SIGN( + &rule->p.tcpHdrFilter.dataTCPF= lags) + ? "!=3D" : "=3D=3D", NULL); + + if (!(flags =3D nftablesPrintTCPFlags( + rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.fl= ags))) + return -1; + virFirewallCmdAddArgList(fw, fwrule, "{", flags, "}", NULL); + } + + if (HAS_ENTRY_ITEM(&rule->p.tcpHdrFilter.dataTCPOption)) { + if (printDataType(vars, number, sizeof(number), + &rule->p.tcpHdrFilter.dataTCPOption) < 0) + return -1; + + virFirewallCmdAddArgList(fw, fwrule, "tcp", "option", NULL); + if (ENTRY_WANT_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPOption)) + virFirewallCmdAddArg(fw, fwrule, "!"); + virFirewallCmdAddArg(fw, fwrule, number); + } + + if (nftablesHandlePortData(fw, fwrule, vars, protocol, + &rule->p.tcpHdrFilter.portData, reverseRule) < 0) + return -1; + + break; + case VIR_NWFILTER_RULE_PROTOCOL_UDP: + case VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6: + virFirewallCmdAddArgList(fw, fwrule, "meta", "l4proto", "udp", NUL= L); + ipHdr =3D &rule->p.udpHdrFilter.ipHdr; + + if (nftablesHandleSrcMacAddr(fw, fwrule, vars, + &rule->p.udpHdrFilter.dataSrcMACAddr)= < 0) + return -1; + if (nftablesHandleIPHdr(fw, fwrule, vars, ipHdr, reverseRule) < 0) + return -1; + if (nftablesHandlePortData(fw, fwrule, vars, protocol, + &rule->p.udpHdrFilter.portData, reverseRule) < 0) + return -1; + break; + case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE: + case VIR_NWFILTER_RULE_PROTOCOL_UDPLITEoIPV6: + virFirewallCmdAddArgList(fw, fwrule, "meta", "l4proto", "udplite",= NULL); + ipHdr =3D &rule->p.udpliteHdrFilter.ipHdr; + + if (nftablesHandleSrcMacAddr(fw, fwrule, vars, + &rule->p.udpliteHdrFilter.dataSrcMACA= ddr) < 0) + return -1; + if (nftablesHandleIPHdr(fw, fwrule, vars, ipHdr, reverseRule) < 0) + return -1; + break; + case VIR_NWFILTER_RULE_PROTOCOL_ESP: + case VIR_NWFILTER_RULE_PROTOCOL_ESPoIPV6: + virFirewallCmdAddArgList(fw, fwrule, "meta", "l4proto", "esp", NUL= L); + ipHdr =3D &rule->p.espHdrFilter.ipHdr; + + if (nftablesHandleSrcMacAddr(fw, fwrule, vars, + &rule->p.espHdrFilter.dataSrcMACAddr) = < 0) + return -1; + if (nftablesHandleIPHdr(fw, fwrule, vars, ipHdr, reverseRule) < 0) + return -1; + break; + case VIR_NWFILTER_RULE_PROTOCOL_AH: + case VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6: + virFirewallCmdAddArgList(fw, fwrule, "meta", "l4proto", "ah", NULL= ); + ipHdr =3D &rule->p.ahHdrFilter.ipHdr; + + if (nftablesHandleSrcMacAddr(fw, fwrule, vars, + &rule->p.ahHdrFilter.dataSrcMACAddr) <= 0) + return -1; + if (nftablesHandleIPHdr(fw, fwrule, vars, ipHdr, reverseRule) < 0) + return -1; + break; + case VIR_NWFILTER_RULE_PROTOCOL_SCTP: + case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6: + virFirewallCmdAddArgList(fw, fwrule, "meta", "l4proto", "sctp", NU= LL); + ipHdr =3D &rule->p.sctpHdrFilter.ipHdr; + + if (nftablesHandleSrcMacAddr(fw, fwrule, vars, + &rule->p.sctpHdrFilter.dataSrcMACAddr)= < 0) + return -1; + + if (nftablesHandleIPHdr(fw, fwrule, vars, ipHdr, reverseRule) < 0) + return -1; + + if (nftablesHandlePortData(fw, fwrule, vars, protocol, + &rule->p.sctpHdrFilter.portData, reverseRule) < 0) + return -1; + break; + case VIR_NWFILTER_RULE_PROTOCOL_ICMP: + case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6: + if (rule->prtclType =3D=3D VIR_NWFILTER_RULE_PROTOCOL_ICMPV6) { + virFirewallCmdAddArgList(fw, fwrule, "ip6", "nexthdr", NULL); + } else { + virFirewallCmdAddArgList(fw, fwrule, "ip", "protocol", NULL); + } + virFirewallCmdAddArg(fw, fwrule, protocol); + + ipHdr =3D &rule->p.icmpHdrFilter.ipHdr; + hasICMPType =3D true; + + if (nftablesHandleSrcMacAddr(fw, fwrule, vars, + &rule->p.icmpHdrFilter.dataSrcMACAddr)= < 0) + return -1; + + if (nftablesHandleIPHdr(fw, fwrule, vars, ipHdr, reverseRule) < 0) + return -1; + + if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPType)) { + virFirewallCmdAddArgList(fw, fwrule, protocol, "type", NULL); + + if (printDataType(vars, + number, sizeof(number), + &rule->p.icmpHdrFilter.dataICMPType) < 0) + return -1; + + if (ENTRY_WANT_NEG_SIGN(&rule->p.icmpHdrFilter.dataICMPType)) + virFirewallCmdAddArg(fw, fwrule, "!=3D"); + + virFirewallCmdAddArg(fw, fwrule, number); + + if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPCode)) { + virFirewallCmdAddArgList(fw, fwrule, protocol, "code", NUL= L); + + if (printDataType(vars, + number, sizeof(number), + &rule->p.icmpHdrFilter.dataICMPCode) < 0) + return -1; + + if (ENTRY_WANT_NEG_SIGN(&rule->p.icmpHdrFilter.dataICMPCod= e)) + virFirewallCmdAddArg(fw, fwrule, "!=3D"); + + virFirewallCmdAddArg(fw, fwrule, number); + } + } + break; + case VIR_NWFILTER_RULE_PROTOCOL_IGMP: + virFirewallCmdAddArgList(fw, fwrule, "meta", "l4proto", "igmp", NU= LL); + ipHdr =3D &rule->p.igmpHdrFilter.ipHdr; + + if (nftablesHandleSrcMacAddr(fw, fwrule, vars, + &rule->p.igmpHdrFilter.dataSrcMACAddr)= < 0) + return -1; + + if (nftablesHandleIPHdr(fw, fwrule, vars, ipHdr, reverseRule) < 0) + return -1; + break; + case VIR_NWFILTER_RULE_PROTOCOL_ALL: + case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6: + ipHdr =3D &rule->p.allHdrFilter.ipHdr; + if (nftablesHandleSrcMacAddr(fw, fwrule, vars, + &rule->p.allHdrFilter.dataSrcMACAddr) = < 0) + return -1; + + if (nftablesHandleIPHdr(fw, fwrule, vars, ipHdr, reverseRule) < 0) + return -1; + break; + default: + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Unexpected protocol %1$d"), + rule->prtclType); + return -1; + } + + /* no support for ipset */ + if (HAS_ENTRY_ITEM(&ipHdr->dataIPSet) && + HAS_ENTRY_ITEM(&ipHdr->dataIPSetFlags)) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Rule contains unsupported ipset flags")); + } + + /* apply conn limit only to outgoing connections */ + if (nftablesRuleNeedsConnLimit(ipHdr, directionIn)) { + if (printDataType(vars, + number, sizeof(number), + &ipHdr->dataConnlimitAbove) < 0) + return -1; + + /* place connlimit after potential state logic + since this is the most useful order */ + virFirewallCmdAddArgList(fw, fwrule, "ct", "count", "over", NULL); + if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataConnlimitAbove)) + virFirewallCmdAddArg(fw, fwrule, "!=3D"); + virFirewallCmdAddArgList(fw, fwrule, number, NULL); + } + + if (nftablesRuleNeedsConntrack(rule)) { + /* we skip direction when ct count is set or type is icmp */ + skipDirection =3D nftablesRuleNeedsConnLimit(ipHdr, directionIn) || + hasICMPType; + + /* no direction */ + if (!skipDirection) + /* reverse rules are replies, + * otherwise it is the originating direction */ + virFirewallCmdAddArgList(fw, fwrule, "ct", "direction", + (reverseRule ? "reply" : "original"), + NULL); + + if (rule->flags & IPTABLES_STATE_FLAGS && + !(rule->flags & RULE_FLAG_STATE_NONE)) { + printStateMatchFlags(rule->flags, &matchState); + } else { + /* static state match is needed because when no state flags + * have been set but statematch is enabled we need a default */ + /* reverse rules are established connections */ + matchState =3D g_strdup(reverseRule ? + "established" : + "new,established"); + } + virFirewallCmdAddArgList(fw, fwrule, "ct", "state", matchState, NU= LL); + } + + return 0; +} + +static int +insertRuleArgParam(virFirewall *fw, + virFirewallCmd *fwrule, + virNWFilterVarCombIter *vars, + nwItemDesc *item, + const char *argument) +{ + char field[VIR_INT64_STR_BUFLEN]; + + if (HAS_ENTRY_ITEM(item)) { + if (printDataType(vars, + field, sizeof(field), + item) < 0) + return -1; + virFirewallCmdAddArg(fw, fwrule, argument); + if (ENTRY_WANT_NEG_SIGN(item)) + virFirewallCmdAddArg(fw, fwrule, "!=3D"); + + virFirewallCmdAddArg(fw, fwrule, field); + } + + return 0; +} + +static int +insertRuleArgParamHex(virFirewall *fw, + virFirewallCmd *fwrule, + virNWFilterVarCombIter *vars, + nwItemDesc *item, + const char *argument) +{ + char field[VIR_INT64_STR_BUFLEN]; + + if (HAS_ENTRY_ITEM(item)) { + if (printDataTypeAsHex(vars, + field, sizeof(field), + item) < 0) + return -1; + virFirewallCmdAddArg(fw, fwrule, argument); + if (ENTRY_WANT_NEG_SIGN(item)) + virFirewallCmdAddArg(fw, fwrule, "!=3D"); + + virFirewallCmdAddArg(fw, fwrule, field); + } + + return 0; +} + +/* + * nftablesHandleEthernetRule: + * @fw: the firewall ruleset to add to + * @vars : A map containing the variables to resolve + * @rule: The rule of the filter to convert + * @reverseRule : Whether to reverse src and dst attributes + * ethernet reverse flag is set when direction=3D'inout' is= set + * + * Set arguments on fwrule based on given struct *rule + * + */ +static int +nftablesHandleEthernetRule(virFirewall *fw, + virFirewallCmd *fwrule, + virNWFilterVarCombIter *vars, + virNWFilterRuleDef *rule, + bool reverseRule) +{ + char number[VIR_INT64_STR_BUFLEN]; + char ipaddr[INET_ADDRSTRLEN]; + char ipmask[INET_ADDRSTRLEN]; + char ipv6addr[INET6_ADDRSTRLEN]; + bool hasMask =3D false; + const char *saddr =3D reverseRule ? "daddr" : "saddr"; + const char *daddr =3D reverseRule ? "saddr" : "daddr"; + + switch ((int)rule->prtclType) { + case VIR_NWFILTER_RULE_PROTOCOL_MAC: + if (nftablesHandleEthHdr(fw, fwrule, + vars, + &rule->p.ethHdrFilter.ethHdr, reverseRule= ) < 0) + return -1; + + if (insertRuleArgParamHex(fw, fwrule, vars, + &rule->p.ethHdrFilter.dataProtocolID, + "ether type") < 0) + return -1; + break; + case VIR_NWFILTER_RULE_PROTOCOL_IP: + virFirewallCmdAddArgList(fw, fwrule, "ether", "type", NULL); + if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataProtocolID)) + virFirewallCmdAddArg(fw, fwrule, "!=3D"); + virFirewallCmdAddArg(fw, fwrule, "ip"); + + if (nftablesHandleEthHdr(fw, fwrule, + vars, + &rule->p.ipHdrFilter.ethHdr, reverseRule)= < 0) + return -1; + + if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr)) { + if (printDataType(vars, + ipaddr, sizeof(ipaddr), + &rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr) < = 0) + return -1; + + virFirewallCmdAddArgList(fw, fwrule, "ip", saddr, NULL); + if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataSrcIPAd= dr)) + virFirewallCmdAddArg(fw, fwrule, "!=3D"); + + if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataSrcIPMask)) { + if (printDataType(vars, + number, sizeof(number), + &rule->p.ipHdrFilter.ipHdr.dataSrcIPMask= ) < 0) + return -1; + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, number); + } else { + virFirewallCmdAddArg(fw, fwrule, ipaddr); + } + } + + if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataDstIPAddr)) { + if (printDataType(vars, + ipaddr, sizeof(ipaddr), + &rule->p.ipHdrFilter.ipHdr.dataDstIPAddr) < = 0) + return -1; + + virFirewallCmdAddArgList(fw, fwrule, "ip", daddr, NULL); + if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataDstIPAd= dr)) + virFirewallCmdAddArg(fw, fwrule, "!=3D"); + + if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataDstIPMask)) { + if (printDataType(vars, + number, sizeof(number), + &rule->p.ipHdrFilter.ipHdr.dataDstIPMask= ) < 0) + return -1; + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, number); + } else { + virFirewallCmdAddArg(fw, fwrule, ipaddr); + } + } + + if (insertRuleArgParam(fw, fwrule, vars, + &rule->p.ipHdrFilter.ipHdr.dataProtocolID, + "ip protocol") < 0) + return -1; + if (insertRuleArg2Param(fw, fwrule, vars, + &rule->p.ipHdrFilter.portData.dataSrcPortS= tart, + &rule->p.ipHdrFilter.portData.dataSrcPortE= nd, + reverseRule ? "th dport" : "th sport", "-"= ) < 0) + return -1; + if (insertRuleArg2Param(fw, fwrule, vars, + &rule->p.ipHdrFilter.portData.dataDstPortS= tart, + &rule->p.ipHdrFilter.portData.dataDstPortE= nd, + reverseRule ? "th sport" : "th dport", "-"= ) < 0) + return -1; + if (insertRuleArgParamHex(fw, fwrule, vars, + &rule->p.ipHdrFilter.ipHdr.dataDSCP, + "ip dscp") < 0) + return -1; + break; + case VIR_NWFILTER_RULE_PROTOCOL_ARP: + case VIR_NWFILTER_RULE_PROTOCOL_RARP: + if (nftablesHandleEthHdr(fw, fwrule, + vars, + &rule->p.arpHdrFilter.ethHdr, reverseRule= ) < 0) + return -1; + + virFirewallCmdAddArgList(fw, fwrule, "ether", "type", NULL); + virFirewallCmdAddArgFormat(fw, fwrule, "0x%x", + (rule->prtclType =3D=3D VIR_NWFILTER_RULE_PROTO= COL_ARP) + ? l3_protocols[L3_PROTO_ARP_IDX].attr + : l3_protocols[L3_PROTO_RARP_IDX].attr); + + if (insertRuleArgParam(fw, fwrule, vars, + &rule->p.arpHdrFilter.dataHWType, + "arp htype") < 0) + return -1; + if (insertRuleArgParam(fw, fwrule, vars, + &rule->p.arpHdrFilter.dataOpcode, + "arp operation") < 0) + return -1; + if (insertRuleArgParamHex(fw, fwrule, vars, + &rule->p.arpHdrFilter.dataProtocolType, + "arp ptype") < 0) + return -1; + + if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcIPAddr)) { + if (printDataType(vars, + ipaddr, sizeof(ipaddr), + &rule->p.arpHdrFilter.dataARPSrcIPAddr) < 0) + return -1; + + if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcIPMask)) { + if (printDataType(vars, + ipmask, sizeof(ipmask), + &rule->p.arpHdrFilter.dataARPSrcIPMask) = < 0) + return -1; + hasMask =3D true; + } + + virFirewallCmdAddArgList(fw, fwrule, "arp", saddr, "ip", NULL); + if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcIPAddr= )) + virFirewallCmdAddArg(fw, fwrule, "!=3D"); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, hasMask ? ipmask := "32"); + } + + if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPAddr)) { + if (printDataType(vars, + ipaddr, sizeof(ipaddr), + &rule->p.arpHdrFilter.dataARPDstIPAddr) < 0) + return -1; + + if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPMask)) { + if (printDataType(vars, + ipmask, sizeof(ipmask), + &rule->p.arpHdrFilter.dataARPDstIPMask) = < 0) + return -1; + hasMask =3D true; + } + + virFirewallCmdAddArgList(fw, fwrule, "arp", daddr, "ip", NULL); + if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstIPAddr= )) + virFirewallCmdAddArg(fw, fwrule, "!=3D"); + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipaddr, hasMask ? ipmask := "32"); + } + + if (nftablesHandleMacAddr(fw, fwrule, vars, + &rule->p.arpHdrFilter.dataARPSrcMACAddr, + reverseRule ? "ether daddr": "ether sadd= r") < 0) + return -1; + if (nftablesHandleMacAddr(fw, fwrule, vars, + &rule->p.arpHdrFilter.dataARPDstMACAddr, + reverseRule ? "ether saddr": "ether dadd= r") < 0) + return -1; + + if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataGratuitousARP) && + rule->p.arpHdrFilter.dataGratuitousARP.u.boolean) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("GARP filtering in nftables is not supported"= )); + return -1; + } + break; + case VIR_NWFILTER_RULE_PROTOCOL_IPV6: + if (nftablesHandleEthHdr(fw, fwrule, + vars, + &rule->p.ipv6HdrFilter.ethHdr, reverseRul= e) < 0) + return -1; + + virFirewallCmdAddArgList(fw, fwrule, "ether", "type", "ip6", NULL); + + if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr)) { + if (printDataType(vars, + ipv6addr, sizeof(ipv6addr), + &rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr) = < 0) + return -1; + + virFirewallCmdAddArgList(fw, fwrule, "ip6", saddr, NULL); + if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIP= Addr)) + virFirewallCmdAddArg(fw, fwrule, "!=3D"); + + if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMask)= ) { + if (printDataType(vars, + number, sizeof(number), + &rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMa= sk) < 0) + return -1; + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipv6addr, number); + } else { + virFirewallCmdAddArg(fw, fwrule, ipv6addr); + } + } + + if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr)) { + + if (printDataType(vars, + ipv6addr, sizeof(ipv6addr), + &rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr) = < 0) + return -1; + + virFirewallCmdAddArgList(fw, fwrule, "ip6", daddr, NULL); + if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataDstIP= Addr)) + virFirewallCmdAddArg(fw, fwrule, "!=3D"); + + if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask)= ) { + if (printDataType(vars, + number, sizeof(number), + &rule->p.ipv6HdrFilter.ipHdr.dataDstIPMa= sk) < 0) + return -1; + virFirewallCmdAddArgFormat(fw, fwrule, + "%s/%s", ipv6addr, number); + } else { + virFirewallCmdAddArg(fw, fwrule, ipv6addr); + } + } + + if (insertRuleArgParam(fw, fwrule, vars, + &rule->p.ipv6HdrFilter.ipHdr.dataProtocolID, + "ip6 nexthdr") < 0) + return -1; + if (insertRuleArg2Param(fw, fwrule, vars, + &rule->p.ipv6HdrFilter.portData.dataSrcPor= tStart, + &rule->p.ipv6HdrFilter.portData.dataSrcPor= tEnd, + reverseRule ? "th dport" : "th sport", "-"= ) < 0) + return -1; + if (insertRuleArg2Param(fw, fwrule, vars, + &rule->p.ipv6HdrFilter.portData.dataDstPor= tStart, + &rule->p.ipv6HdrFilter.portData.dataDstPor= tEnd, + reverseRule ? "th sport" : "th dport", "-"= ) < 0) + return -1; + if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeStart) || + HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPCodeStart)) { + + if (insertRuleArgParam(fw, fwrule, vars, + &rule->p.ipv6HdrFilter.dataICMPTypeStar= t, + "icmpv6 type") < 0) + return -1; + if (insertRuleArgParam(fw, fwrule, vars, + &rule->p.ipv6HdrFilter.dataICMPCodeStar= t, + "icmpv6 code") < 0) + return -1; + } + break; + case VIR_NWFILTER_RULE_PROTOCOL_VLAN: + if (nftablesHandleEthHdr(fw, fwrule, + vars, + &rule->p.vlanHdrFilter.ethHdr, reverseRul= e) < 0) + return -1; + + virFirewallCmdAddArgList(fw, fwrule, "ether", "type", "0x8100", NU= LL); + + if (insertRuleArgParam(fw, fwrule, vars, + &rule->p.vlanHdrFilter.dataVlanID, + "vlan id") < 0) + return -1; + if (insertRuleArgParam(fw, fwrule, vars, + &rule->p.vlanHdrFilter.dataVlanEncap, + "vlan type") < 0) + return -1; + break; + case VIR_NWFILTER_RULE_PROTOCOL_STP: + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("STP filtering in nftables is not supported")); + return -1; + break; + case VIR_NWFILTER_RULE_PROTOCOL_NONE: + break; + default: + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Unexpected rule protocol '%1$d', priority '%2$d'= "), + rule->prtclType, + rule->priority); + return -1; + } + + return 0; +} + +/* + * nftablesGetNFTable: + * + * @rule: The rule of the filter + * + * We have a seperate table, due to eb/iptables compatibilty + * Ideally we allow users to have only 1 table in which all rules are plac= ed + * We'll need to turn that into a nwfilter feature + */ +static const char *nftablesGetNFTable(virNWFilterRuleDef *rule) +{ + return virNWFilterRuleIsProtocolEthernet(rule) ? + NF_ETHERNET_TABLE : + NF_OTHER_TABLE; +} + +static void +nftablesAddCmdUserComment(virFirewall *fw, + virFirewallCmd *fwrule, + virNWFilterRuleDef *rule) +{ + g_autofree char *comment =3D NULL; + comment =3D virStringReplace( + rule->p.allHdrFilter.ipHdr.dataComment.u.string, + "\"", "'"); + + virFirewallCmdAddArgFormat(fw, fwrule, + "\"priority=3D%d,usercomment=3D%s\"", + rule->priority, comment); +} + +/* + * nftablesCreateRuleInstance: + * @fw: the firewall ruleset instance + * @layer: the firewall layer + * @chainPrefix: The suffix to put on the end of the name of the chain + * @rule: The rule of the filter to convert + * @ifname : The name of the interface to apply the rule to + * @vars : A map containing the variables to resolve + * @res : The data structure to store the result(s) into + * + * Convert a single rule into its representation for later instantiation + * + * Returns 0 in case of success with the result stored in the data structu= re + * pointed to by res, -1 otherwise + */ +static int +nftablesCreateRuleInstance(virFirewall *fw, + virFirewallLayer layer, + const char *chainPrefix, + virNWFilterRuleDef *rule, + const char *ifname, + virNWFilterVarCombIter *vars, + bool directionIn, + bool reverseRule) +{ + int ret =3D -1; + char chain[MAX_NF_CHAINNAME_LENGTH]; + virFirewallCmd *fwrule =3D NULL; + const char *root =3D virNWFilterChainSuffixTypeToString( + VIR_NWFILTER_CHAINSUFFIX_ROOT); + const char *nftablesRootTable =3D nftablesGetNFTable(rule); + + /* apply root rules directly on the root chain, for example: + * vnet1-in vnet1-out */ + if (STREQ(chainPrefix, root)) { + g_snprintf(chain, sizeof(chain), "n-%s-%s", ifname, + directionIn ? "in" : "out"); + } else { + g_snprintf(chain, sizeof(chain), "n-%s-%s-%s", ifname, chainPrefix, + directionIn ? "in" : "out"); + } + + fwrule =3D virFirewallAddCmd(fw, layer, + "add", "rule", "bridge", + nftablesRootTable, chain, NULL); + + if (virNWFilterRuleIsProtocolEthernet(rule)) { + if (nftablesHandleEthernetRule(fw, fwrule, vars, rule, reverseRule= ) < 0) + goto cleanup; + } else { + if (nftablesHandleOtherRule(fw, fwrule, vars, rule, + directionIn, reverseRule) < 0) + goto cleanup; + } + + if (NF_COUNTER) + virFirewallCmdAddArg(fw, fwrule, "counter"); + + /* specify the action for this rule */ + nftablesAddCmdAction(fw, fwrule, rule->action); + + /* process rule comment */ + virFirewallCmdAddArg(fw, fwrule, "comment"); + + /* ethernet rules don't have the allHdrFilter */ + if (HAS_ENTRY_ITEM(&rule->p.allHdrFilter.ipHdr.dataComment) && + !virNWFilterRuleIsProtocolEthernet(rule)) { + nftablesAddCmdUserComment(fw, fwrule, rule); + } else { + virFirewallCmdAddArgFormat(fw, fwrule, "\"priority=3D%d\"", rule->= priority); + } + + ret =3D 0; + + cleanup: + if (ret =3D=3D -1) + virFirewallRemoveCmd(fw, fwrule); + + return ret; +} + +static int +nftablesRuleInstCommand(virFirewall *fw, + virFirewallLayer layer, + const char *ifname, + virNWFilterRuleInst *rule) +{ + int ret =3D -1; + virNWFilterVarCombIter *vciter; + virNWFilterVarCombIter *tmp; + virNWFilterRuleDirectionType direction =3D rule->def->tt; + + /* rule->vars holds all the variables names that this rule will access. + * iterate over all combinations of the variables' values and instanti= ate + * the filtering rule with each combination. + */ + tmp =3D vciter =3D virNWFilterVarCombIterCreate(rule->vars, + rule->def->varAccess, + rule->def->nVarAccess); + if (!vciter) + return -1; + + do { + bool reverseRule =3D false; + + VIR_DEBUG("rule[chain=3D'%s', dir=3D'%d', prio=3D'%d', action=3D'%= d', chainPrio=3D'%d']", + rule->chainSuffix, + direction, + rule->priority, + rule->def->action, + rule->chainPriority); + + if (direction =3D=3D VIR_NWFILTER_RULE_DIRECTION_INOUT) { + /* for direction inout we run the create instance twice, + * with directionIn set to true and false */ + + /* in */ + if (nftablesCreateRuleInstance(fw, layer, rule->chainSuffix, + rule->def, ifname, tmp, + true, reverseRule) < 0) + goto cleanup; + + /* for ethernet rules, to comply to what ebiptables did, + * we set reverseRule to true on direction inout */ + reverseRule =3D virNWFilterRuleIsProtocolEthernet(rule->def); + + /* out */ + if (nftablesCreateRuleInstance(fw, layer, rule->chainSuffix, + rule->def, ifname, tmp, + false, reverseRule) < 0) + goto cleanup; + } else { + bool directionIn =3D direction =3D=3D VIR_NWFILTER_RULE_DIRECT= ION_IN; + /* otherwise we provide directionIn */ + if (nftablesCreateRuleInstance(fw, layer, rule->chainSuffix, + rule->def, ifname, tmp, + directionIn, reverseRule) < 0) + goto cleanup; + + /* rules that do conntrack matching and have action accept nee= d a + * reverse rule on the other chain to accept the reply directi= on + * so if we accept outbound we need an accept on the inbound f= or + * established connections */ + if (nftablesRuleNeedsConntrack(rule->def) && + rule->def->action =3D=3D VIR_NWFILTER_RULE_ACTION_ACCEPT) { + reverseRule =3D true; + if (nftablesCreateRuleInstance(fw, layer, rule->chainSuffi= x, + rule->def, ifname, tmp, + !directionIn, reverseRule) = < 0) + goto cleanup; + } + } + + tmp =3D virNWFilterVarCombIterNext(tmp); + } while (tmp !=3D NULL); + + ret =3D 0; + cleanup: + virNWFilterVarCombIterFree(vciter); + + return ret; +} + +/* + * nftablesCreateSubChain: + * @fw: the firewall ruleset instance + * @layer: the firewall layer + * @ifname : The name of the interface to apply the chain to + * @chainPrefix: The prefix to put on the beginning of the name of the cha= in + * @protoidx: Protocol id for conditional jump + * @rootChain: The chain to define the jump on + * @chainPostfix: The postfix to put at the end of the name of the chain + * + * Creates the user defined chain, chain=3D'mac', with chainPostfix set to= 'in' + * on vnet1 for example leads to: + * - vnet1-mac-in + * + * Rules get defined on the corresponding chain based on the chosen direct= ion, + * either in or out or both (in and out) when direction has been set to 'i= nout' + */ +static void +nftablesCreateSubChain(virFirewall *fw, + virFirewallLayer layer, + const char *nftablesTableName, + const char *chainPrefix, + enum l3_proto_idx protoidx, + const char *rootChain, + const char *chainPostfix) +{ + char chain[MAX_NF_CHAINNAME_LENGTH]; + virFirewallCmd *fwrule =3D NULL; + g_snprintf(chain, sizeof(chain), "%s-%s", chainPrefix, chainPostfix); + + VIR_DEBUG("Defining chain '%s'", chain); + + virFirewallAddCmd(fw, layer, "add", "chain", "bridge", + nftablesTableName, chain, CHAINSETTINGS, NULL); + + /* add VM interface jump */ + fwrule =3D virFirewallAddCmd(fw, layer, "add", "rule", "bridge", + nftablesTableName, rootChain, NULL); + if (protoidx !=3D -1 && l3_protocols[protoidx].attr) { + virFirewallCmdAddArgList(fw, fwrule, "ether", "type", NULL); + virFirewallCmdAddArgFormat(fw, fwrule, + "0x%04x", l3_protocols[protoidx].attr); + } + + virFirewallCmdAddArgList(fw, fwrule, "jump", chain, NULL); +} + +static void +nftablesCreateRootChainJump(virFirewall *fw, + virFirewallLayer layer, + const char *ifname, + const char *ifMatch, + const char *topChain, + const char *rootChain, + bool addTmpJump) +{ + virFirewallCmd *fwrule =3D NULL; + + if (addTmpJump) { + /* tmp iif oif jump */ + virFirewallAddCmd(fw, layer, "add", "rule", "bridge", NF_OTHER_TAB= LE, + topChain, ifMatch, ifname, "jump", rootChain, NU= LL); + virFirewallAddCmd(fw, layer, "add", "rule", "bridge", NF_ETHERNET_= TABLE, + topChain, ifMatch, ifname, "jump", rootChain, NU= LL); + } + + /* remove VM interface jump */ + fwrule =3D virFirewallAddCmdFull(fw, layer, true, NULL, NULL, "delete", + "element", "bridge", NF_OTHER_TABLE, NU= LL); + virFirewallCmdAddArgFormat(fw, fwrule, "vmap-%s", ifMatch); + virFirewallCmdAddArgList(fw, fwrule, "{", ifname, "}", NULL); + /* add VM interface jump */ + fwrule =3D virFirewallAddCmd(fw, layer, "add", "element", "bridge", + NF_OTHER_TABLE, NULL); + virFirewallCmdAddArgFormat(fw, fwrule, "vmap-%s", ifMatch); + virFirewallCmdAddArgList(fw, fwrule, "{", ifname, ":", "jump", + rootChain, "}", NULL); + + /* remove VM interface jump */ + fwrule =3D virFirewallAddCmdFull(fw, layer, true, NULL, NULL, "delete", + "element", "bridge", + NF_ETHERNET_TABLE, NULL); + virFirewallCmdAddArgFormat(fw, fwrule, "vmap-%s", ifMatch); + virFirewallCmdAddArgList(fw, fwrule, "{", ifname, "}", NULL); + /* add VM interface jump */ + fwrule =3D virFirewallAddCmd(fw, layer, "add", "element", "bridge", + NF_ETHERNET_TABLE, NULL); + virFirewallCmdAddArgFormat(fw, fwrule, "vmap-%s", ifMatch); + virFirewallCmdAddArgList(fw, fwrule, "{", ifname, ":", "jump", rootCha= in, + "}", NULL); +} + +/* + * nftablesCreateRootChain: + * @fw: the firewall ruleset instance + * @layer: the firewall layer + * @ifname : The name of the interface to apply the chain to + * @ifMatch : The matcher to use for this root chain, iif/oif + * @chainPrefix: The prefix to put on the beginning of the name of the cha= in + * @protoidx: Protocol id for conditional jump + * @topChain: The chain to define the jump on + * @rootChain: The root chain for the interface to create + * + * Creates the interface root chain, chainPostfix set to 'in' + * on vnet1 for example, leads to: + * - vnet1-in + * + * These root chains are the chains where all the subchains jumps get adde= d to + * vnet1-in -> jump vnet-mac-in; ether type ip jump vnet-ip-in; + */ +static void +nftablesCreateRootChain(virFirewall *fw, + virFirewallLayer layer, + const char *rootChain) +{ + VIR_DEBUG("Defining root chain '%s'", rootChain); + + virFirewallAddCmd(fw, layer, "add", "chain", "bridge", + NF_ETHERNET_TABLE, rootChain, CHAINSETTINGS, NULL); + + virFirewallAddCmd(fw, layer, "add", "chain", "bridge", + NF_OTHER_TABLE, rootChain, CHAINSETTINGS, NULL); +} + +typedef struct _nftablesSubChain nftablesSubChain; +struct _nftablesSubChain { + /* we use the lowest rule priority in a chain to compare root rule ins= erts + * see nftablesHandleCreateChains for the explanation */ + virNWFilterRulePriority lowestRulePriority; + virNWFilterChainPriority priority; + enum l3_proto_idx protoidx; + char prefix[MAX_NF_CHAINNAME_LENGTH]; + const char *suffix; + bool hasEthernetRules; + bool hasOtherRules; +}; + +static int nftablesChainCreateSort(const void *a, const void *b, + void *opaque G_GNUC_UNUSED) +{ + const nftablesSubChain *insta =3D *(const nftablesSubChain **)a; + const nftablesSubChain *instb =3D *(const nftablesSubChain **)b; + const char *root =3D virNWFilterChainSuffixTypeToString( + VIR_NWFILTER_CHAINSUFFIX_ROOT); + bool root_a =3D STREQ(insta->suffix, root); + bool root_b =3D STREQ(instb->suffix, root); + + /* ensure root chain commands appear before all others since + we will need them to create the child chains */ + if (root_a) { + if (!root_b) + return -1; /* a before b */ + } else if (root_b) { + return 1; /* b before a */ + } + + /* priorities are limited to range [-1000, 1000] */ + return insta->priority - instb->priority; +} + +static void +nftablesGetSubChains(nftablesSubChain ***chains, + size_t *nchains, + virNWFilterRuleInst **rules, + size_t nrules, + const char *ifname) +{ + size_t i, j; + + for (i =3D 0; i < nrules; i++) { + g_autofree nftablesSubChain *chain =3D NULL; + nftablesSubChain **chainst =3D *chains; + bool registered =3D false; + bool isEthernetRule =3D virNWFilterRuleIsProtocolEthernet( + rules[i]->def); + + for (j =3D 0; j < *nchains; j++) { + if (STREQ(rules[i]->chainSuffix, chainst[j]->suffix)) { + VIR_DEBUG("Chain already registered '%s'", chainst[j]->suf= fix); + + /* using ifs here as they are more readable */ + if (!chainst[j]->hasEthernetRules && isEthernetRule) + chainst[j]->hasEthernetRules =3D true; + if (!chainst[j]->hasOtherRules && !isEthernetRule) + chainst[j]->hasOtherRules =3D true; + + registered =3D true; + break; + } + } + + if (registered) + continue; + + /* filter out the root chain */ + if (STREQ(rules[i]->chainSuffix, + virNWFilterChainSuffixTypeToString(VIR_NWFILTER_CHAINSUFFIX_RO= OT))) + continue; + + /* register the chain for creation */ + chain =3D g_new0(nftablesSubChain, 1); + + chain->hasEthernetRules =3D isEthernetRule; + chain->hasOtherRules =3D !chain->hasEthernetRules; + chain->priority =3D rules[i]->chainPriority; + chain->lowestRulePriority =3D rules[i]->priority; + chain->suffix =3D rules[i]->chainSuffix; + g_snprintf(chain->prefix, sizeof(chain->prefix), + "n-%s-%s", ifname, chain->suffix); + + VIR_APPEND_ELEMENT(*chains, *nchains, chain); + } +} + +static int +nftablesHandleCreateChains(virFirewall *fw, + virFirewallLayer layer, + const char *const *lines G_GNUC_UNUSED, + void *opaque) +{ + size_t i, j, nchains =3D 0; + size_t lastProcessedRootRuleIndex =3D 0; + int ret =3D -1; + chainCreateCallbackData *cbdata =3D opaque; + nftablesSubChain **chains =3D NULL; + char rootChainIn[MAX_NF_CHAINNAME_LENGTH]; + char rootChainOut[MAX_NF_CHAINNAME_LENGTH]; + const char *rootChainName =3D virNWFilterChainSuffixTypeToString( + VIR_NWFILTER_CHAINSUFFIX_ROOT); + g_snprintf(rootChainIn, sizeof(rootChainIn), "n-%s-in", cbdata->ifname= ); + g_snprintf(rootChainOut, sizeof(rootChainOut), "n-%s-out", cbdata->ifn= ame); + + nftablesGetSubChains(&chains, + &nchains, + cbdata->rules, + cbdata->nrules, + cbdata->ifname); + + /* sort chains on their chain priority */ + g_qsort_with_data(chains, nchains, sizeof(chains[0]), + nftablesChainCreateSort, NULL); + + /* first we create the root interface in-out chains */ + nftablesCreateRootChain(fw, layer, rootChainIn); + nftablesCreateRootChain(fw, layer, rootChainOut); + + /* Note that filtering rules in the root chain are sorted with filters + * connected to the root chain following their priorities. This allows + * interleaving filtering rules with access to filter chains. (See also + * the nwfilter documentation section on Filtering chain priorities.) + * + * On the root chain, to maintain compatibility with tables created un= der + * the ebiptables driver, we need to process root rule commands before= or + * after chain definitions and jumps based on rule priority. For examp= le, + * if we have root chain rules with prio 100 and the ipv4 chain has ru= les + * between 200=E2=80=93300, the root chain rules must be placed BEFORE= the ipv4 + * root chain jump. + * + * This only applies to rules on the root chain, as all other chain ru= les + * are sorted correctly. Since chain definitions are processed before = the + * rules, the ordering would otherwise be messed up. We also can't just + * create chains whenever a new one appears during rule processing, si= nce + * chains have their own priority, which would disrupt both chain and = jump + * priorities. + * + * To sum up: create the root chain, then create root rules and subcha= ins + * in order based on chain priority. Root rules are created and insert= ed + * according to their own priority, while subchains follow based on th= eir + * lowest rule priority. */ + + /* create chain if it doesn't exist */ + /* define undefined sub chains */ + for (i =3D 0; i < nchains; i++) { + enum l3_proto_idx protoidx; + + /* root chain firewall rules, if there are root chain firewall rul= es + * with a lower priority than this chains lowest rule priority */ + for (j =3D lastProcessedRootRuleIndex; j < cbdata->nrules; j++) { + /* as root rules are inserted before all other rules, + * we stop walking the rules list when we've hit a no root rul= e*/ + if (STRNEQ(cbdata->rules[j]->chainSuffix, rootChainName)) { + break; + } + + lastProcessedRootRuleIndex =3D j; + if (chains[i]->lowestRulePriority > cbdata->rules[j]->priority= ) { + if (nftablesRuleInstCommand(fw, layer, + cbdata->ifname, + cbdata->rules[j]) < 0) + goto cleanup; + } else { + break; + } + } + + protoidx =3D nftablesGetProtoIdxByFiltername(chains[i]->suffix); + if (chains[i]->hasEthernetRules) { + nftablesCreateSubChain(fw, layer, NF_ETHERNET_TABLE, + chains[i]->prefix, protoidx, + rootChainIn, "in"); + nftablesCreateSubChain(fw, layer, NF_ETHERNET_TABLE, + chains[i]->prefix, protoidx, + rootChainOut, "out"); + } + if (chains[i]->hasOtherRules) { + nftablesCreateSubChain(fw, layer, NF_OTHER_TABLE, + chains[i]->prefix, protoidx, + rootChainIn, "in"); + nftablesCreateSubChain(fw, layer, NF_OTHER_TABLE, + chains[i]->prefix, protoidx, + rootChainOut, "out"); + } + } + + /* process the firewall rules and chains */ + /* everything before lastProcessedRootRuleIndex has been created */ + for (i =3D lastProcessedRootRuleIndex; i < cbdata->nrules; i++) { + if (nftablesRuleInstCommand(fw, layer, + cbdata->ifname, cbdata->rules[i]) < 0) + goto cleanup; + } + + /* creation of temp jumps is done as libvirt doesn't execute + * atomic nft changes (yet) */ + nftablesCreateRootChainJump(fw, layer, cbdata->ifname, IN_IFMATCH, + IN_CHAIN, rootChainIn, true); + nftablesCreateRootChainJump(fw, layer, cbdata->ifname, OUT_IFMATCH, + OUT_CHAIN, rootChainOut, true); + + ret =3D 0; + + cleanup: + for (i =3D 0; i < nchains; i++) + g_free(chains[i]); + + return ret; +} + +/** + * nftablesCreateRootTables + * + * @fw: the firewall instance + * + * Run nft list tables and parse if the table already exist + * skips creation of base table if possible + * see handler in nftablesHandleCreateRootTables + */ +static void nftablesCreateRootTables(virFirewall *fw) +{ + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + false, nftablesHandleCreateRootTables, + NULL, + "list", "tables", NULL); +} + +/** + * nftablesCreateChains + * + * @fw: the firewleset instance + * @cbdata: callback data struct which holds variables that + * the call back handler needs in order to create + * the base table and the dependant rules + * + * Run nft list table libvirt-nwfilter and parse if the chains already exi= st + * skips creation of chains if possible + * see handler in nftablesHandleCreateChains + */ +static void nftablesCreateChains(virFirewall *fw, + chainCreateCallbackData *cbdata) +{ + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + false, nftablesHandleCreateChains, + (void *)cbdata, + "list", "chains", NULL); +} + +static const char *breakStrAt(const char *str, char untilc) +{ + const char *untilPtr =3D strchr(str, untilc); + if (untilPtr) { + *(char *)untilPtr =3D '\0'; + } + + return str; +} + +static int +nftablesHandleRenameChains(virFirewall *fw, + virFirewallLayer layer, + const char *const *lines, + void *opaque) +{ + size_t i =3D 0; + const char *ifname =3D opaque; + const char *tableName =3D NULL; + const char *chain =3D NULL; + const char *newName =3D NULL; + char chainCompare[MAX_NF_CHAINNAME_LENGTH]; + g_snprintf(chainCompare, sizeof(chainCompare), "n-%s-", ifname); + + /* parse nft tables list output to see if chains exist */ + for (i =3D 0; lines[i] !=3D NULL; i++) { + const char *line =3D lines[i]; + + /* first we'll have to parse the table name */ + if (tableName =3D=3D NULL && STRPREFIX(line, "table bridge ")) { + line =3D STRSKIP(line, "table bridge "); + /* parse table that we want to clean */ + tableName =3D breakStrAt(line, ' '); + continue; + } + + virSkipSpaces(&line); + + if ((line =3D STRSKIP(line, "chain ")) =3D=3D NULL) { + continue; + } + chain =3D breakStrAt(line, ' '); + + if (STRPREFIX(chain, chainCompare) && STRPREFIX(chain, "n-")) { + /* new name is name without n- at the prefix */ + newName =3D chain + strlen("n-"); + VIR_DEBUG("Scheduling chain rename '%s'->'%s' on table '%s'", + chain, newName, tableName); + /* delete the chain */ + virFirewallAddCmd(fw, layer, + "rename", "chain", "bridge", + tableName, chain, newName, NULL); + } + } + + return 0; +} + +static int +nftablesHandleRemoveAll(virFirewall *fw, + virFirewallLayer layer, + const char *const *lines, + void *opaque) +{ + size_t i =3D 0; + const char *ifname =3D opaque; + const char *tableName =3D NULL; + const char *chain =3D NULL; + char chainCompare[MAX_NF_CHAINNAME_LENGTH]; + char fwCompare[MAX_NF_CHAINNAME_LENGTH]; + char tmpFwCompare[MAX_NF_CHAINNAME_LENGTH]; + g_snprintf(chainCompare, sizeof(chainCompare), "%s-", ifname); + g_snprintf(fwCompare, sizeof(fwCompare), "\"%s\" jump %s-", ifname, if= name); + /* match possible tmp jump on tmp name "\"vnet0\"" jump n-vnet0-" */ + g_snprintf(tmpFwCompare, sizeof(tmpFwCompare), "\"%s\" jump n-%s-", if= name, + ifname); + + /* parse nft tables list output to see if chains exist */ + for (i =3D 0; lines[i] !=3D NULL; i++) { + const char *line =3D lines[i]; + + /* first we'll have to parse the table name */ + if (tableName =3D=3D NULL && STRPREFIX(line, "table bridge ")) { + line =3D STRSKIP(line, "table bridge "); + /* parse table that we want to clean */ + tableName =3D breakStrAt(line, ' '); + continue; + } + + virSkipSpaces(&line); + + /* delete tmp jumps */ + if (strstr(line, fwCompare) !=3D NULL || + strstr(line, tmpFwCompare) !=3D NULL) { + line =3D strchr(line, '#'); + if ((line =3D STRSKIP(line, "# handle ")) =3D=3D NULL) + continue; + + /* delete jump */ + virFirewallAddCmd(fw, layer, + "delete", "rule", "bridge", tableName, chain, + "handle", line, NULL); + + continue; + } + + if ((line =3D STRSKIP(line, "chain ")) =3D=3D NULL) { + continue; + } + chain =3D breakStrAt(line, ' '); + + if (STRPREFIX(chain, chainCompare)) { + VIR_DEBUG("Scheduling chain '%s' on table '%s' for deletion", + chain, tableName); + /* delete the chain */ + virFirewallAddCmd(fw, layer, + "delete", "chain", "bridge", + tableName, chain, NULL); + } + } + + return 0; +} + +static void +nftablesRemoveAllInterfaceChains(virFirewall *fw, const char *ifname) +{ + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + false, nftablesHandleRemoveAll, + (void *)ifname, + "-a", "list", "table", "bridge", + NF_ETHERNET_TABLE, NULL); + + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + false, nftablesHandleRemoveAll, + (void *)ifname, + "-a", "list", "table", "bridge", + NF_OTHER_TABLE, NULL); +} + +static void +nftablesRenameAllInterfaceChains(virFirewall *fw, const char *ifname) +{ + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + false, nftablesHandleRenameChains, + (void *)ifname, + "-a", "list", "table", "bridge", + NF_ETHERNET_TABLE, NULL); + + virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET, + false, nftablesHandleRenameChains, + (void *)ifname, + "-a", "list", "table", "bridge", + NF_OTHER_TABLE, NULL); +} + +static int +nftablesApplyNewRules(const char *ifname, + virNWFilterRuleInst **rules, + size_t nrules) +{ + size_t i; + g_autoptr(GHashTable) chains_in_set =3D virHashNew(NULL); + g_autoptr(GHashTable) chains_out_set =3D virHashNew(NULL); + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_NFTA= BLES); + chainCreateCallbackData chainCallbackData =3D {ifname, nrules, rules}; + + /* nwfilter_nftables applies new rules first, then remove old rules + * in order to do this we: + * - place the new chains under a name prefixed with "n-" + * - create tmp jump that catches vmap switch moment, + * traffic will temporarily not be matched as an entry from the vmap= will + * be deleted and then recreated as you can't atomic update vmaps vi= a a + * single command + * - in the tearOldRules function, we also remove the tmp interface ju= mp to + * the new chains + * - in tearOldRules we remove the old chains + * - in tearOldRules we rename the "n-" chains by removing "n-" from t= he + * chain name + * + * This allows us in a rollback scenario to simply remove the new chai= ns + * and jumps + */ + char tmpIfname[VIR_INT64_STR_BUFLEN]; + g_snprintf(tmpIfname, sizeof(tmpIfname), "n-%s", ifname); + + /* walk the list of rules and increase the priority + * of rules in case the chain priority is of higher value; + * this preserves the order of the rules and ensures that + * the chain will be created before the chain's rules + * are created; don't adjust rules in the root chain + * example: a rule of priority -510 will be adjusted to + * priority -500 and the chain with priority -500 will + * then be created before it. + */ + for (i =3D 0; i < nrules; i++) { + if (rules[i]->chainPriority > rules[i]->priority && + !strstr("root", rules[i]->chainSuffix)) { + + rules[i]->priority =3D rules[i]->chainPriority; + } + } + + /* sort rules */ + if (nrules) { + g_qsort_with_data(rules, nrules, sizeof(rules[0]), + virNWFilterRuleInstSortPtr, NULL); + } + + virFirewallStartTransaction(fw, 0); + + /* create root tables if they don't exist already */ + nftablesCreateRootTables(fw); + /* create user chains and rules */ + nftablesCreateChains(fw, &chainCallbackData); + + /* rollback commands, if necessary */ + virFirewallStartRollback(fw, 0); + nftablesRemoveAllInterfaceChains(fw, tmpIfname); + + /* process rules and apply them */ + return virFirewallApply(fw); +} + +static int +nftablesTeardownNewRules(const char *ifname) +{ + char matchIfname[VIR_INT64_STR_BUFLEN]; + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_NFTA= BLES); + + g_snprintf(matchIfname, sizeof(matchIfname), "n-%s", ifname); + + virFirewallStartTransaction(fw, 0); + + /* remove tmp interface chains and rules */ + nftablesRemoveAllInterfaceChains(fw, matchIfname); + + return virFirewallApply(fw); +} + +static int +nftablesTeardownOldRules(const char *ifname) +{ + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_NFTA= BLES); + virFirewallStartTransaction(fw, 0); + + /* remove old interface chains and rules */ + nftablesRemoveAllInterfaceChains(fw, ifname); + + /* rename new temp interface chains and rules */ + nftablesRenameAllInterfaceChains(fw, ifname); + + return virFirewallApply(fw); +} + +/** + * nftablesAllTeardown: + * @ifname : the name of the interface to which the rules apply + * + * Unconditionally remove all possible user defined tables and rules + * that were created for the given interface (ifname). + * + * Returns 0 on success, -1 on OOM + */ +static int +nftablesAllTeardown(const char *ifname) +{ + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_NFTA= BLES); + virFirewallStartTransaction(fw, 0); + + /* remove interface chains and rules */ + nftablesRemoveAllInterfaceChains(fw, ifname); + + return virFirewallApply(fw); +} + +/** + * nftablesCanApplyBasicRules + * + * Determine whether this driver can apply the basic rules, meaning + * run nftablesApplyBasicRules and nftablesApplyDHCPOnlyRules. + * In case of this driver we need the nft tool available. + */ +static bool nftablesCanApplyBasicRules(void) +{ + return true; +} + +/** + * nftablesApplyBasicRules + * + * @ifname: name of the backend-interface to which to apply the rules + * @macaddr: MAC address the VM is using in packets sent through the + * interface + * + * Returns 0 on success, -1 on failure with the rules removed + * + * Apply basic filtering rules on the given interface + * - filtering for MAC address spoofing + * - allowing IPv4 & ARP traffic + */ +static int +nftablesApplyBasicRules(const char *ifname, + const virMacAddr *macaddr) +{ + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_NFTA= BLES); + char macaddr_str[VIR_MAC_STRING_BUFLEN]; + char rootChainIn[MAX_NF_CHAINNAME_LENGTH]; + char rootChainOut[MAX_NF_CHAINNAME_LENGTH]; + + virMacAddrFormat(macaddr, macaddr_str); + + if (nftablesAllTeardown(ifname) < 0) + return -1; + + virFirewallStartTransaction(fw, 0); + + /* create root tables if they don't exist already */ + nftablesCreateRootTables(fw); + + /* create root chain */ + g_snprintf(rootChainIn, sizeof(rootChainIn), "%s-in", ifname); + g_snprintf(rootChainOut, sizeof(rootChainOut), "%s-out", ifname); + nftablesCreateRootChain(fw, VIR_FIREWALL_LAYER_ETHERNET, rootChainIn); + nftablesCreateRootChain(fw, VIR_FIREWALL_LAYER_ETHERNET, rootChainOut); + + + /* apply rules to root chain */ + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, "add", "rule", "bri= dge", + NF_ETHERNET_TABLE, rootChainOut, "ether", "saddr", + "!=3D", macaddr_str, "drop", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, "add", "rule", "bri= dge", + NF_ETHERNET_TABLE, rootChainOut, "ether", "type", "i= p", + "accept", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, "add", "rule", "bri= dge", + NF_ETHERNET_TABLE, rootChainOut, "ether", "type", "a= rp", + "accept", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, "add", "rule", "bri= dge", + NF_ETHERNET_TABLE, rootChainOut, "accept", NULL); + + nftablesCreateRootChainJump(fw, VIR_FIREWALL_LAYER_ETHERNET, ifname, + IN_IFMATCH, IN_CHAIN, rootChainIn, false); + nftablesCreateRootChainJump(fw, VIR_FIREWALL_LAYER_ETHERNET, ifname, + OUT_IFMATCH, OUT_CHAIN, rootChainOut, fals= e); + + if (virFirewallApply(fw) < 0) { + nftablesAllTeardown(ifname); + return -1; + } + + return 0; +} + +/** + * nftablesApplyDHCPOnlyRules + * + * @ifname: name of the backend-interface to which to apply the rules + * @macaddr: MAC address the VM is using in packets sent through the + * interface + * @dhcpsrvrs: The DHCP server(s) from which the VM may receive traffic + * from; may be NULL + * @leaveTemporary: Whether to leave the table names with their temporary + * names (true) or also perform the renaming to their final names as + * part of this call (false) + * + * Returns 0 on success, -1 on failure with the rules removed + * + * Apply filtering rules so that the VM can only send and receive + * DHCP traffic and nothing else. + */ +static int +nftablesApplyDHCPOnlyRules(const char *ifname, + const virMacAddr *macaddr, + virNWFilterVarValue *dhcpsrvrs, + bool leaveTemporary G_GNUC_UNUSED) +{ + char rootChainIn [MAX_NF_CHAINNAME_LENGTH], + rootChainOut[MAX_NF_CHAINNAME_LENGTH]; + char macaddr_str[VIR_MAC_STRING_BUFLEN]; + unsigned int idx =3D 0; + unsigned int num_dhcpsrvrs; + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_NFTA= BLES); + + virMacAddrFormat(macaddr, macaddr_str); + + if (nftablesAllTeardown(ifname) < 0) + return -1; + + virFirewallStartTransaction(fw, 0); + + /* create root tables if they don't exist already */ + nftablesCreateRootTables(fw); + + /* create root chain */ + g_snprintf(rootChainIn, sizeof(rootChainIn), "%s-in", ifname); + g_snprintf(rootChainOut, sizeof(rootChainOut), "%s-out", ifname); + nftablesCreateRootChain(fw, VIR_FIREWALL_LAYER_ETHERNET, rootChainIn); + nftablesCreateRootChain(fw, VIR_FIREWALL_LAYER_ETHERNET, rootChainOut); + + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, "add", "rule", "bri= dge", + NF_ETHERNET_TABLE, rootChainOut, "ether", "saddr", + macaddr_str, "ether", "type", "ip", + "udp", "sport", "68", "udp", "dport", "67", "accept", NU= LL); + + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, "add", "rule", "bri= dge", + NF_ETHERNET_TABLE, rootChainOut, "drop", NULL); + + num_dhcpsrvrs =3D (dhcpsrvrs !=3D NULL) + ? virNWFilterVarValueGetCardinality(dhcpsrvrs) + : 0; + + while (true) { + const char *dhcpserver =3D NULL; + int ctr; + + if (idx < num_dhcpsrvrs) + dhcpserver =3D virNWFilterVarValueGetNthValue(dhcpsrvrs, idx); + + /* + * create two rules allowing response to MAC address of VM + * or to broadcast MAC address + */ + for (ctr =3D 0; ctr < 2; ctr++) { + if (dhcpserver) + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "add", "rule", "bridge", + NF_ETHERNET_TABLE, rootChainIn, "ether", + "daddr", + (ctr =3D=3D 0) ? macaddr_str : "ff:ff:ff= :ff:ff:ff", + "ether", "type", "ip", + "ip", "saddr", dhcpserver, + "udp", "sport", "67", + "udp", "dport", "68", "accept", NULL); + else + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, + "add", "rule", "bridge", + NF_ETHERNET_TABLE, rootChainIn, "ether", + "daddr", + (ctr =3D=3D 0) ? macaddr_str : "ff:ff:ff= :ff:ff:ff", + "ether", "type", "ip", + "udp", "sport", "67", + "udp", "dport", "68", "accept", NULL); + } + + idx++; + + if (idx >=3D num_dhcpsrvrs) + break; + } + + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, "add", "rule", "bri= dge", + NF_ETHERNET_TABLE, rootChainIn, "drop", NULL); + + nftablesCreateRootChainJump(fw, VIR_FIREWALL_LAYER_ETHERNET, ifname, + IN_IFMATCH, IN_CHAIN, rootChainIn, false); + nftablesCreateRootChainJump(fw, VIR_FIREWALL_LAYER_ETHERNET, ifname, + OUT_IFMATCH, OUT_CHAIN, rootChainOut, fals= e); + + if (virFirewallApply(fw) < 0) { + nftablesAllTeardown(ifname); + return -1; + } + + return 0; +} + +static int +nftablesRemoveBasicRules(const char *ifname) +{ + return nftablesAllTeardown(ifname); +} + +/** + * nftablesApplyDropAllRules + * + * @ifname: name of the backend-interface to which to apply the rules + * + * Returns 0 on success, -1 on failure with the rules removed + * + * Apply filtering rules so that the VM cannot receive or send traffic. + */ +static int +nftablesDropAllRules(const char *ifname) +{ + char rootChainIn [MAX_NF_CHAINNAME_LENGTH], + rootChainOut[MAX_NF_CHAINNAME_LENGTH]; + g_autoptr(virFirewall) fw =3D virFirewallNew(VIR_FIREWALL_BACKEND_NFTA= BLES); + + if (nftablesAllTeardown(ifname) < 0) + return -1; + + virFirewallStartTransaction(fw, 0); + + /* create root tables if they don't exist already */ + nftablesCreateRootTables(fw); + + /* create root chain */ + g_snprintf(rootChainIn, sizeof(rootChainIn), "%s-in", ifname); + g_snprintf(rootChainOut, sizeof(rootChainOut), "%s-out", ifname); + nftablesCreateRootChain(fw, VIR_FIREWALL_LAYER_ETHERNET, rootChainIn); + nftablesCreateRootChain(fw, VIR_FIREWALL_LAYER_ETHERNET, rootChainOut); + + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, "add", "rule", "bri= dge", + NF_ETHERNET_TABLE, rootChainOut, "drop", NULL); + virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET, "add", "rule", "bri= dge", + NF_ETHERNET_TABLE, rootChainIn, "drop", NULL); + + nftablesCreateRootChainJump(fw, VIR_FIREWALL_LAYER_ETHERNET, ifname, + IN_IFMATCH, IN_CHAIN, rootChainIn, false); + nftablesCreateRootChainJump(fw, VIR_FIREWALL_LAYER_ETHERNET, ifname, + OUT_IFMATCH, OUT_CHAIN, rootChainOut, fals= e); + + if (virFirewallApply(fw) < 0) { + nftablesAllTeardown(ifname); + return -1; + } + + return 0; +} + +static int +nftablesDriverInit(bool privileged) +{ + if (!privileged) + return 0; + + nftables_driver.flags =3D TECHDRV_FLAG_INITIALIZED; + + return 0; +} + +static void +nftablesDriverShutdown(void) +{ + nftables_driver.flags =3D 0; +} + +virNWFilterTechDriver nftables_driver =3D { + .name =3D NFTABLES_DRIVER_ID, + .flags =3D 0, + + .init =3D nftablesDriverInit, + .shutdown =3D nftablesDriverShutdown, + + .applyNewRules =3D nftablesApplyNewRules, + .tearNewRules =3D nftablesTeardownNewRules, + .tearOldRules =3D nftablesTeardownOldRules, + .allTeardown =3D nftablesAllTeardown, + + .canApplyBasicRules =3D nftablesCanApplyBasicRules, + .applyBasicRules =3D nftablesApplyBasicRules, + .applyDHCPOnlyRules =3D nftablesApplyDHCPOnlyRules, + .applyDropAllRules =3D nftablesDropAllRules, + .removeBasicRules =3D nftablesRemoveBasicRules, +}; diff --git a/src/nwfilter/nwfilter_nftables_driver.h b/src/nwfilter/nwfilte= r_nftables_driver.h new file mode 100644 index 0000000000..a767413208 --- /dev/null +++ b/src/nwfilter/nwfilter_nftables_driver.h @@ -0,0 +1,28 @@ +/* + * nwfilter_nftables_driver.h: nftables driver support + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + */ + +#pragma once + +#include "nwfilter_tech_driver.h" + +extern virNWFilterTechDriver nftables_driver; + +#define NFTABLES_DRIVER_ID "nftables" + +/* see source/include/uapi/linux/netfilter/nf_tables.h */ +#define MAX_NF_CHAINNAME_LENGTH 256 --=20 2.43.0 From nobody Fri Dec 12 14:07:31 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass(p=none dis=none) header.from=gmail.com ARC-Seal: i=1; a=rsa-sha256; t=1761912777; cv=none; d=zohomail.com; s=zohoarc; b=TFr/Za8GSU6/GKbadUaPnVRjHHwbn1K+G0wawkb/rmN23j6BFRol3iAuD2FClUtB6fiuiWrZ7dUfQVXeL860UdOIBJUlILh+3f49CsLbGbeqTia/JXBJZvKF4EE0WkV0bwL/+G7pqly7QR33WYagTdNbXo8FaIRvVHh1AgDex3Q= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1761912777; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To; bh=w7sWf8+DjIEnCDKqkkcTdRfr1ThUCoZJPXwYvWMu8Mw=; b=NRaBkcNUH0DTYSZhWXniQ1mmVbiaW2SI9VOusPa65ycX9iAcn6n/tPHhTz4VD8DeAn3fygVw2Q8bjB8sKtwLPZAVHwfcADePiv/89e/HwI0RKYlMb3Qt9oSPI1CuUs/LugI5K2XLE1U2Gm6jN5n4HkfNQoOtOs/Jw4FCVqY20gU= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1761912777910678.8186151994457; Fri, 31 Oct 2025 05:12:57 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 993) id 0278643F44; Fri, 31 Oct 2025 08:12:56 -0400 (EDT) Received: from [172.19.199.29] (lists.libvirt.org [8.43.85.245]) by lists.libvirt.org (Postfix) with ESMTP id E198C44070; Fri, 31 Oct 2025 08:08:15 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 993) id EACCE41BAE; Fri, 31 Oct 2025 08:07:52 -0400 (EDT) Received: from mail-ej1-f44.google.com (mail-ej1-f44.google.com [209.85.218.44]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id F315843E57 for ; Fri, 31 Oct 2025 08:07:50 -0400 (EDT) Received: by mail-ej1-f44.google.com with SMTP id a640c23a62f3a-b6d6984a5baso415446566b.3 for ; Fri, 31 Oct 2025 05:07:50 -0700 (PDT) Received: from thinkiepadje.home (2a02-a470-a384-0-62ef-bf5-dc71-bd78.fixed6.kpn.net. [2a02:a470:a384:0:62ef:bf5:dc71:bd78]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-b70779ddf48sm158255866b.32.2025.10.31.05.07.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 31 Oct 2025 05:07:49 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED, RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable autolearn_force=no version=4.0.1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1761912470; x=1762517270; darn=lists.libvirt.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=w7sWf8+DjIEnCDKqkkcTdRfr1ThUCoZJPXwYvWMu8Mw=; b=mm/byGiGi8XzmgearBvVdeZOy5JAOwNMW06cI49MXEsX7ioS8CZ/FYA7lQ5TL31aP0 5LmlRwh4COypoziUbGsXJkKyKdicPNxabGb1pw1YqPuPJ8czIfOr1rA9s2CFPzvSVVOI r1s1oHkWYfOWBn+HuT4VfnP297tyC2AjNppXKgwTQxEdxpo7JHuX58obkfMxb5oPb0c4 UJwN0pLgA/TcygOYZxVuC+1CQfFmGA023sX5U7tl/KtiTI86050SIo4XWt6OhRKfkLkQ qmhlQ/qOzCRuCJC1GEYjryagfYD4ArAuKI+8DscXvSvmhYf7MHEkepBwP3Ca4F+Wj6B+ xOdQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1761912470; x=1762517270; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=w7sWf8+DjIEnCDKqkkcTdRfr1ThUCoZJPXwYvWMu8Mw=; b=fKlP7aNUF1RUofu4bfVm8/5lJ2KHFspnsfIVHbNpQWv7uLDNiaq6BZxt1Ppo61ZFUI RaT0PbpvoqGGIoS1bBwxgy5nGJOUMdG86u/n6SOKdkimiFmeZwnE85sPpL1tccxSTL+1 OeVzMBiG0u94OCXgr45xcsM79dChxbCFhSd1QAiD8GsWC7YYzA2TKuaezmFAk68Rx44l 7a3i3EIIMSVcbXCMt6+FEH7Y22rO2D1v9ZW1/7JwlGtvvhpc72yh7DrSY0/X5DpCS+LZ M2jTENH9ebDDVwcb+kVFSZmIgbvGll2NNItxlpW9BsOZWdm0+QC/GbmF7JhD4qNR7WG3 zH1Q== X-Gm-Message-State: AOJu0Ywvx4j4WNIsv/FO3400+u4+qKmwjl8yfWX5OJL16E9JSv1uMqMc 9nklHCKilrLnVdNBuvMyiin5xBCg8MZh/1XvIkw/Y0i7e5Zo+PJbtip3xHA86+RJPw== X-Gm-Gg: ASbGncssyV0HdeK0k4pSAAxfrvWK53M5b2ZQS2y/OcYZsib0QeBrvNGYxFqVjNhaY28 3ncZ1yxtHGJFtVnMPRn+K0yvQ4qEVjl8SokBEglfWR9v2Gm2gBHA2aG9mkpEXqxNQvonfJg1Hjm 6r/D96mkoKjbJjsQjV7VAJBhFkrfsfPYnfkPiprB0FongVLT4XfbLqauIWHR9PYdoO+9Mws9QIJ DNwJU78suTxnMmO05BG+w8eRd7awcYD06JFrdz1TZQ+8936ywn2kkMZJo6g/lramTF8HxhL88Vm BCyPR9N+D+cZW9tVE3LLMn+73Z33q6TCFMXNfqUnL2XW3ODTFy8+qCPEVhaGQngirdSG2vfC+yU a3r79sd64eZmhuXB7OTn8YFyYoD3scag8rSJ2XXy3qjakAyq+hiu84bsAj48MQ79Vlngf1Cxgqz dDU1KsQPO5PsIDshWiJSXm6AaADN/JYnfa8XkbNnUE1yFHNymv7Zg5Oa8YqA6YNiF7kOb52sUtE h8IUGuMJQ== X-Google-Smtp-Source: AGHT+IHEpsYvmiA86gR0u6cCbK/KNLj44C589Xz9SwDcHjjfce9i74qToY/dmgc+dwnFeo1vV8G5/Q== X-Received: by 2002:a17:906:6a14:b0:b3c:f0f2:842f with SMTP id a640c23a62f3a-b7070628352mr297852066b.49.1761912469544; Fri, 31 Oct 2025 05:07:49 -0700 (PDT) From: Dion Bosschieter To: devel@lists.libvirt.org Subject: [PATCH 4/5] nwfilter: allow use of nftables nwfilter driver via nwfilter.conf Date: Fri, 31 Oct 2025 13:05:44 +0100 Message-ID: <20251031120546.942126-5-dionbosschieter@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251031120546.942126-1-dionbosschieter@gmail.com> References: <20251031120546.942126-1-dionbosschieter@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Message-ID-Hash: 6L5OOI6WRU2HXHWOQOD7A6Z3SXRTLVPY X-Message-ID-Hash: 6L5OOI6WRU2HXHWOQOD7A6Z3SXRTLVPY X-MailFrom: dionbosschieter@gmail.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; header-match-devel.lists.libvirt.org-0; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: jean-louis@dupond.be, Dion Bosschieter X-Mailman-Version: 3.3.10 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: pass (identity @gmail.com) X-ZM-MESSAGEID: 1761912779479158500 Content-Type: text/plain; charset="utf-8" Change the nwfilter driver loading mechanism to read from nwfilter.conf. By default, it will use the existing ebiptables driver, which can be replaced in the future to remove the {eb,ip}tables dependency. Added nftables to *filter_tech_drivers as an available driver option for users to choose from. Signed-off-by: Dion Bosschieter --- src/nwfilter/nwfilter_driver.c | 49 +++++++++++++++++++-- src/nwfilter/nwfilter_gentech_driver.c | 60 +++++++++++--------------- src/nwfilter/nwfilter_gentech_driver.h | 4 +- 3 files changed, 73 insertions(+), 40 deletions(-) diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c index 522cfda022..18d322574d 100644 --- a/src/nwfilter/nwfilter_driver.c +++ b/src/nwfilter/nwfilter_driver.c @@ -26,9 +26,7 @@ =20 #include "virgdbus.h" #include "virlog.h" - #include "internal.h" - #include "virerror.h" #include "datatypes.h" #include "nwfilter_driver.h" @@ -36,7 +34,6 @@ #include "configmake.h" #include "virpidfile.h" #include "viraccessapicheck.h" - #include "nwfilter_ipaddrmap.h" #include "nwfilter_dhcpsnoop.h" #include "nwfilter_learnipaddr.h" @@ -203,6 +200,41 @@ nwfilterStateCleanup(void) } =20 =20 +/** + * virNWFilterLoadGentechDriverFromConfig: + * + * Loading driver name from nwfilter.conf config file + */ +static char * +virNWFilterLoadGentechDriverFromConfig(const char *configfile) +{ + g_autoptr(virConf) conf =3D NULL; + g_autofree char *drivername =3D NULL; + + if (access(configfile, R_OK) =3D=3D 0) { + + conf =3D virConfReadFile(configfile, 0); + if (!conf) + return NULL; + + if (virConfGetValueString(conf, "driver", &drivername) < 0) + return NULL; + + if (drivername) { + VIR_DEBUG("nwfilter driver setting requested from config file = %s: '%s'", + configfile, drivername); + } + } + + if (!drivername) { + drivername =3D g_strdup(NWFILTER_DEFAULT_DRIVER); + } + + + return g_steal_pointer(&drivername); +} + + /** * nwfilterStateInitialize: * @@ -217,6 +249,8 @@ nwfilterStateInitialize(bool privileged, { VIR_LOCK_GUARD lock =3D virLockGuardLock(&driverMutex); GDBusConnection *sysbus =3D NULL; + g_autofree char *configfile =3D NULL; + char *gentechdrivername =3D NULL; =20 if (root !=3D NULL) { virReportError(VIR_ERR_INVALID_ARG, "%s", @@ -266,7 +300,14 @@ nwfilterStateInitialize(bool privileged, if (virNWFilterDHCPSnoopInit() < 0) goto error; =20 - if (virNWFilterTechDriversInit(privileged) < 0) + configfile =3D g_strdup(SYSCONFDIR "/libvirt/nwfilter.conf"); + + /* get chosen driver from config file */ + gentechdrivername =3D virNWFilterLoadGentechDriverFromConfig(configfil= e); + if (gentechdrivername =3D=3D NULL) + goto error; + + if (virNWFilterTechDriversInit(privileged, gentechdrivername) < 0) goto error; =20 if (virNWFilterConfLayerInit(virNWFilterTriggerRebuildImpl, driver) < = 0) diff --git a/src/nwfilter/nwfilter_gentech_driver.c b/src/nwfilter/nwfilter= _gentech_driver.c index 1465734a54..adb96acca6 100644 --- a/src/nwfilter/nwfilter_gentech_driver.c +++ b/src/nwfilter/nwfilter_gentech_driver.c @@ -32,6 +32,7 @@ #include "nwfilter_dhcpsnoop.h" #include "nwfilter_ipaddrmap.h" #include "nwfilter_learnipaddr.h" +#include "nwfilter_nftables_driver.h" #include "virnetdev.h" =20 #define VIR_FROM_THIS VIR_FROM_NWFILTER @@ -48,18 +49,20 @@ static int _virNWFilterTeardownFilter(const char *ifnam= e); =20 static virNWFilterTechDriver *filter_tech_drivers[] =3D { &ebiptables_driver, - NULL + &nftables_driver, }; =20 -int virNWFilterTechDriversInit(bool privileged) +int virNWFilterTechDriversInit(bool privileged, const char *drivername) { size_t i =3D 0; - VIR_DEBUG("Initializing NWFilter technology drivers"); - while (filter_tech_drivers[i]) { - if (!(filter_tech_drivers[i]->flags & TECHDRV_FLAG_INITIALIZED)) + VIR_DEBUG("Initializing NWFilter technology drivers, chosen %s", drive= rname); + + for (i =3D 0; i < G_N_ELEMENTS(filter_tech_drivers); i++) { + if (!(filter_tech_drivers[i]->flags & TECHDRV_FLAG_INITIALIZED) + && STREQ(filter_tech_drivers[i]->name, drivername)) filter_tech_drivers[i]->init(privileged); - i++; } + return 0; } =20 @@ -67,25 +70,20 @@ int virNWFilterTechDriversInit(bool privileged) void virNWFilterTechDriversShutdown(void) { size_t i =3D 0; - while (filter_tech_drivers[i]) { + for (i =3D 0; i < G_N_ELEMENTS(filter_tech_drivers); i++) { if ((filter_tech_drivers[i]->flags & TECHDRV_FLAG_INITIALIZED)) filter_tech_drivers[i]->shutdown(); - i++; } } =20 =20 static virNWFilterTechDriver * -virNWFilterTechDriverForName(const char *name) +virNWFilterInitializedTechDriver(void) { size_t i =3D 0; - while (filter_tech_drivers[i]) { - if (STREQ(filter_tech_drivers[i]->name, name)) { - if ((filter_tech_drivers[i]->flags & TECHDRV_FLAG_INITIALIZED)= =3D=3D 0) - break; + for (i =3D 0; i < G_N_ELEMENTS(filter_tech_drivers); i++) { + if ((filter_tech_drivers[i]->flags & TECHDRV_FLAG_INITIALIZED)) return filter_tech_drivers[i]; - } - i++; } return NULL; } @@ -617,7 +615,6 @@ virNWFilterInstantiateFilterUpdate(virNWFilterDriverSta= te *driver, bool *foundNewFilter) { int rc =3D -1; - const char *drvname =3D EBIPTABLES_DRIVER_ID; virNWFilterTechDriver *techdriver; virNWFilterObj *obj; virNWFilterDef *filter; @@ -625,12 +622,11 @@ virNWFilterInstantiateFilterUpdate(virNWFilterDriverS= tate *driver, char vmmacaddr[VIR_MAC_STRING_BUFLEN] =3D {0}; virNWFilterVarValue *ipaddr; =20 - techdriver =3D virNWFilterTechDriverForName(drvname); + techdriver =3D virNWFilterInitializedTechDriver(); =20 if (!techdriver) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Could not get access to ACL tech driver '%1$s'"), - drvname); + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Could not get access to ACL tech driver")); return -1; } =20 @@ -768,15 +764,13 @@ virNWFilterUpdateInstantiateFilter(virNWFilterDriverS= tate *driver, static int virNWFilterRollbackUpdateFilter(virNWFilterBindingDef *binding) { - const char *drvname =3D EBIPTABLES_DRIVER_ID; int ifindex; virNWFilterTechDriver *techdriver; =20 - techdriver =3D virNWFilterTechDriverForName(drvname); + techdriver =3D virNWFilterInitializedTechDriver(); if (!techdriver) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Could not get access to ACL tech driver '%1$s'"), - drvname); + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Could not get access to ACL tech driver")); return -1; } =20 @@ -793,15 +787,13 @@ virNWFilterRollbackUpdateFilter(virNWFilterBindingDef= *binding) static int virNWFilterTearOldFilter(virNWFilterBindingDef *binding) { - const char *drvname =3D EBIPTABLES_DRIVER_ID; int ifindex; virNWFilterTechDriver *techdriver; =20 - techdriver =3D virNWFilterTechDriverForName(drvname); + techdriver =3D virNWFilterInitializedTechDriver(); if (!techdriver) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Could not get access to ACL tech driver '%1$s'"), - drvname); + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Could not get access to ACL tech driver")); return -1; } =20 @@ -818,14 +810,12 @@ virNWFilterTearOldFilter(virNWFilterBindingDef *bindi= ng) static int _virNWFilterTeardownFilter(const char *ifname) { - const char *drvname =3D EBIPTABLES_DRIVER_ID; virNWFilterTechDriver *techdriver; - techdriver =3D virNWFilterTechDriverForName(drvname); + techdriver =3D virNWFilterInitializedTechDriver(); =20 if (!techdriver) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Could not get access to ACL tech driver '%1$s'"), - drvname); + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("Could not get access to ACL tech driver")); return -1; } =20 diff --git a/src/nwfilter/nwfilter_gentech_driver.h b/src/nwfilter/nwfilter= _gentech_driver.h index 946d5d3d56..8f6f4d164a 100644 --- a/src/nwfilter/nwfilter_gentech_driver.h +++ b/src/nwfilter/nwfilter_gentech_driver.h @@ -25,7 +25,9 @@ #include "virnwfilterobj.h" #include "virnwfilterbindingdef.h" =20 -int virNWFilterTechDriversInit(bool privileged); +#define NWFILTER_DEFAULT_DRIVER "ebiptables" + +int virNWFilterTechDriversInit(bool privileged, const char *drivername); void virNWFilterTechDriversShutdown(void); =20 enum instCase { --=20 2.43.0 From nobody Fri Dec 12 14:07:31 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) client-ip=8.43.85.245; envelope-from=devel-bounces@lists.libvirt.org; helo=lists.libvirt.org; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass(p=none dis=none) header.from=gmail.com ARC-Seal: i=1; a=rsa-sha256; t=1761913598; cv=none; d=zohomail.com; s=zohoarc; b=a3teOdc7pOIBCPegtUNVhndeL/tFjPVK/6W6maZ61Fn58vsia3Bj5F9rdCuZGvfK1+zi/TR9QPidygenc7Y7fiekLwFmMGCXXKg0cHt3Pmnd5DnA9YU8/stxaN0Cw0AgJzU1NbruwgdbPsE/nJy7dB5zPU52bih/dPZ8r3sFuUQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1761913598; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Owner:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To; bh=oVU0EQl1UVFP+HJniBuj/CGD7w1q6Auow1di1C5FU5o=; b=Na4cBPBOnAxMvKNm6Q32kFSarNwxV1lwzE42tt9V1iWHk+G/XBagGo2q48wjAw29tThhNTsTklDYXda+NYQetfrEBgeST7dt6hqSZv8tVQDHceLZ2949pxMmUDSh4ne33GNEq5EmZI8HaVmXUANfn3W7mawMImJmGX7Hmy1ETNA= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of lists.libvirt.org designates 8.43.85.245 as permitted sender) smtp.mailfrom=devel-bounces@lists.libvirt.org; dmarc=pass header.from= (p=none dis=none) Return-Path: Received: from lists.libvirt.org (lists.libvirt.org [8.43.85.245]) by mx.zohomail.com with SMTPS id 1761913598661438.23116540968056; Fri, 31 Oct 2025 05:26:38 -0700 (PDT) Received: by lists.libvirt.org (Postfix, from userid 993) id 6B0A943EAE; Fri, 31 Oct 2025 08:26:33 -0400 (EDT) Received: from [172.19.199.29] (lists.libvirt.org [8.43.85.245]) by lists.libvirt.org (Postfix) with ESMTP id 5A17B44016; Fri, 31 Oct 2025 08:08:35 -0400 (EDT) Received: by lists.libvirt.org (Postfix, from userid 993) id E254843E93; Fri, 31 Oct 2025 08:07:55 -0400 (EDT) Received: from mail-ej1-f42.google.com (mail-ej1-f42.google.com [209.85.218.42]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (3072 bits) server-digest SHA256) (No client certificate requested) by lists.libvirt.org (Postfix) with ESMTPS id D3C5041C5C for ; Fri, 31 Oct 2025 08:07:52 -0400 (EDT) Received: by mail-ej1-f42.google.com with SMTP id a640c23a62f3a-b3d196b7eeeso463213166b.0 for ; Fri, 31 Oct 2025 05:07:52 -0700 (PDT) Received: from thinkiepadje.home (2a02-a470-a384-0-62ef-bf5-dc71-bd78.fixed6.kpn.net. [2a02:a470:a384:0:62ef:bf5:dc71:bd78]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-b70779ddf48sm158255866b.32.2025.10.31.05.07.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 31 Oct 2025 05:07:50 -0700 (PDT) X-Spam-Checker-Version: SpamAssassin 4.0.1 (2024-03-26) on lists.libvirt.org X-Spam-Level: X-Spam-Status: No, score=-5.3 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED,RCVD_IN_VALIDITY_RPBL_BLOCKED, RCVD_IN_VALIDITY_SAFE_BLOCKED,SPF_PASS autolearn=unavailable autolearn_force=no version=4.0.1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1761912472; x=1762517272; darn=lists.libvirt.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=oVU0EQl1UVFP+HJniBuj/CGD7w1q6Auow1di1C5FU5o=; b=gV8DSM1+2KYQfawpon6oEH4gwZQVSZ+NoOAxm5ha/i5XVgAkBVqiEuXmsZuFTvf3Yj aj8Y3Oldh7lwHqU0+tk9c6IASMz6CWt65eOHjIm+D6qnxhNZYmf3ArayYHPKUHN8pb2G yhsRHoZDAqeTwSA7oEYA4r+HDVv3H3imqGCy/A0cksQaWlWDvurBMmlJwkb/ZmrD+7D1 RwKeBqV5DZTYpgKEh1DOjP714Vsn4pLE5vSOr1yZWzom8/xO9VrUiCPvCCz03alQ2S2I kalHK+wKAYad/0tjlcOBICf+USEEphnc0fHOQ5Yw8Qs4/PmvZllhw6AMDvRbP4lOy+A5 US4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1761912472; x=1762517272; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=oVU0EQl1UVFP+HJniBuj/CGD7w1q6Auow1di1C5FU5o=; b=Svthr2AmyO9RaZGymFJFbcAiuRZSibWjQP9uOdehw0msRKJ5MS47CRcAsrkSrdOu8Z eAhrNDltDRZxeHE3eN4PqYo1NypJ042B7n7STSu8iG9JsJIRVRZCBAxd81AgeWhiwCi7 uvXoNjdFjc5G9eSkrdnoei89Fgp8JM86o7yM8DMwi2BkX8wRekiIQVsT6mxhpiLhpb4R iAvWM9+7at+Wiu5iv+VvvhxPTCgS0+6a53rsxl2X5A7+ZVJbwrA7kS/rj2+abI0cjePD b7c8d0ifdGCjeIF1Fk9+0NZpmsuUhgCg+bCTcJ+XONjnmPxKx5FIej0OS74uz+O1zd0n HO/A== X-Gm-Message-State: AOJu0YxsestH6CzOI6z5rY+C9oKOjjuiLtsCI/irDpVDAkmNntVttiMu aRMB4ca3tRX8B9QengjR1a69yBmCIoODkstDAIelOoprkhRSut0DWC91l5Q7rWeRoA== X-Gm-Gg: ASbGncsQJltVeQEXqvdJ0+ygwIUjM5Fvjc3kVYRNVumjcO1+ppXCefoH7+QGsSYz2+n liP7lORQajPp5KLSLBO5uf7jQAAzMOT7k9HoMBQEv7QnGhwzL0ZuTvUUnZ9SG4i4Q88udgseR2o k/Tu1GotRmNYlCkCFGWwG6wjmmJ09anFuJMhC49iY+YUtWuO0z5Wp5zU/YtRj+oR45eba+sUCkC RlDwr/VLhjncdgFSb2zf3QpRChrAAH9iHMxaFhmtsIhKPSiMSwiIk4Tsf6dU3Jnv5cLaDcjqZv6 ELz1NJxnNl039DEy2n9P8SChfNXC2vDKRFCTIRzdySnyBUrR6q3t5w3siQjt2mYnQV04i3lI27c VitrchY6bz2dP2+j87RNoVy0EbLLHnC5QiFlPQF3wY6EkL8Wt69nGUUsgdL7IbfbcZwJfYmRofM +YeBJH5g7YuxkVL2kBk+bX8BwRJVl1TraZZedEhSVn/f4dct3vJBQ8iGKcsR9v6rtbb0LlxX4= X-Google-Smtp-Source: AGHT+IFGPvgrgo+U8siJW8lXOJCI461Tkw7iO63DCVPdOg4GqkH1Ga+OjI5dkzSJyprlZLqgZo9iFw== X-Received: by 2002:a17:907:6d08:b0:b6d:3a00:983a with SMTP id a640c23a62f3a-b70705ea59dmr328722866b.38.1761912470544; Fri, 31 Oct 2025 05:07:50 -0700 (PDT) From: Dion Bosschieter To: devel@lists.libvirt.org Subject: [PATCH 5/5] nwfilter: add unit tests and test data for nwfilter nftables driver Date: Fri, 31 Oct 2025 13:05:45 +0100 Message-ID: <20251031120546.942126-6-dionbosschieter@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251031120546.942126-1-dionbosschieter@gmail.com> References: <20251031120546.942126-1-dionbosschieter@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Message-ID-Hash: JWAVOGUF75KV22BMBPLEKOTB5KFREBWW X-Message-ID-Hash: JWAVOGUF75KV22BMBPLEKOTB5KFREBWW X-MailFrom: dionbosschieter@gmail.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; header-match-devel.lists.libvirt.org-0; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: jean-louis@dupond.be, Dion Bosschieter X-Mailman-Version: 3.3.10 Precedence: list List-Id: Development discussions about the libvirt library & tools Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: X-ZohoMail-DKIM: pass (identity @gmail.com) X-ZM-MESSAGEID: 1761913600644158500 Content-Type: text/plain; charset="utf-8" Add unit test files nwfilternftablestest.c and nwfilterxml2nftfirewalltest.c, including data files in a new nwfilterxml2nftfirewalldata directory. Tests follow same style and structure like the ebiptables driver for nwfilter. Signed-off-by: Dion Bosschieter --- tests/meson.build | 2 + tests/nwfilternftablestest.c | 428 ++ .../ah-ipv6-linux.args | 304 ++ .../nwfilterxml2nftfirewalldata/ah-linux.args | 298 ++ .../all-ipv6-linux.args | 286 ++ .../all-linux.args | 280 ++ .../arp-linux.args | 215 + tests/nwfilterxml2nftfirewalldata/arp.xml | 27 + .../comment-linux.args | 483 +++ .../conntrack-linux.args | 198 + .../esp-ipv6-linux.args | 304 ++ .../esp-linux.args | 298 ++ .../example-1-linux.args | 266 ++ .../example-2-linux.args | 348 ++ .../hex-data-linux.args | 357 ++ .../icmp-direction-linux.args | 238 ++ .../icmp-direction2-linux.args | 238 ++ .../icmp-direction3-linux.args | 184 + .../icmp-linux.args | 252 ++ .../icmpv6-linux.args | 322 ++ .../igmp-linux.args | 298 ++ .../nwfilterxml2nftfirewalldata/ip-linux.args | 198 + .../ipt-no-macspoof-linux.args | 169 + .../ipv6-linux.args | 474 +++ .../iter1-linux.args | 298 ++ .../iter2-linux.args | 3598 +++++++++++++++++ .../iter3-linux.args | 418 ++ .../mac-linux.args | 180 + .../rarp-linux.args | 215 + .../sctp-ipv6-linux.args | 314 ++ .../sctp-linux.args | 314 ++ .../target-linux.args | 452 +++ .../target2-linux.args | 316 ++ .../tcp-ipv6-linux.args | 314 ++ .../tcp-linux.args | 468 +++ .../udp-ipv6-linux.args | 314 ++ .../udp-linux.args | 314 ++ .../udplite-ipv6-linux.args | 304 ++ .../udplite-linux.args | 298 ++ .../vlan-linux.args | 264 ++ tests/nwfilterxml2nftfirewalltest.c | 438 ++ 41 files changed, 15286 insertions(+) create mode 100644 tests/nwfilternftablestest.c create mode 100755 tests/nwfilterxml2nftfirewalldata/ah-ipv6-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/ah-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/all-ipv6-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/all-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/arp-linux.args create mode 100644 tests/nwfilterxml2nftfirewalldata/arp.xml create mode 100755 tests/nwfilterxml2nftfirewalldata/comment-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/conntrack-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/esp-ipv6-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/esp-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/example-1-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/example-2-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/hex-data-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/icmp-direction-linux.= args create mode 100755 tests/nwfilterxml2nftfirewalldata/icmp-direction2-linux= .args create mode 100755 tests/nwfilterxml2nftfirewalldata/icmp-direction3-linux= .args create mode 100755 tests/nwfilterxml2nftfirewalldata/icmp-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/icmpv6-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/igmp-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/ip-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/ipt-no-macspoof-linux= .args create mode 100755 tests/nwfilterxml2nftfirewalldata/ipv6-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/iter1-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/iter2-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/iter3-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/mac-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/rarp-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/sctp-ipv6-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/sctp-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/target-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/target2-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/tcp-ipv6-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/tcp-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/udp-ipv6-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/udp-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/udplite-ipv6-linux.ar= gs create mode 100755 tests/nwfilterxml2nftfirewalldata/udplite-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/vlan-linux.args create mode 100644 tests/nwfilterxml2nftfirewalltest.c diff --git a/tests/meson.build b/tests/meson.build index 383a38a6ea..2bc81ba7e2 100644 --- a/tests/meson.build +++ b/tests/meson.build @@ -436,7 +436,9 @@ endif if conf.has('WITH_NWFILTER') tests +=3D [ { 'name': 'nwfilterebiptablestest', 'link_with': [ nwfilter_driver_imp= l ] }, + { 'name': 'nwfilternftablestest', 'link_with': [ nwfilter_driver_impl = ] }, { 'name': 'nwfilterxml2ebipfirewalltest', 'link_with': [ nwfilter_driv= er_impl ] }, + { 'name': 'nwfilterxml2nftfirewalltest', 'link_with': [ nwfilter_drive= r_impl ] }, ] endif =20 diff --git a/tests/nwfilternftablestest.c b/tests/nwfilternftablestest.c new file mode 100644 index 0000000000..8dfaec73d7 --- /dev/null +++ b/tests/nwfilternftablestest.c @@ -0,0 +1,428 @@ +/* + * nwfilternftablestest.c: Test nftables rule generation + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + * + */ + +#include + +#include "testutils.h" +#include "nwfilter/nwfilter_nftables_driver.h" +#include "virbuffer.h" + +#define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW +#include "vircommandpriv.h" + +#define VIR_FROM_THIS VIR_FROM_NONE + +#define EXISTING_TABLE \ + "table bridge %s { # handle 562\n" \ + " comment \"this table is managed by libvirt\"\n" \ + " map vmap-oif { # handle 1\n" \ + " type iface_index : verdict\n" \ + " elements =3D { \"vnet0\" : jump n-vnet0-in }\n" \ + " }\n" \ + "\n" \ + " map vmap-iif { # handle 2\n" \ + " type iface_index : verdict\n" \ + " elements =3D { \"vnet0\" : jump vnet0-out }\n" \ + " }\n" \ + "\n" \ + " chain postrouting { # handle 3\n" \ + " type filter hook postrouting priority 1; policy accept;\n" \ + " meta nftrace set 1 # handle 4\n" \ + " oif vmap @vmap-oif # handle 7\n" \ + " }\n" \ + "\n" \ + " chain prerouting { # handle 5\n" \ + " type filter hook prerouting priority 1; policy accept;\n" \ + " meta nftrace set 1 # handle 6\n" \ + " iif vmap @vmap-iif # handle 8\n" \ + " }\n" \ + "\n" \ + " chain n-vnet0-in { # handle 880\n" \ + " ether type ip jump vnet0-ipv4-in # handle 893\n" \ + " ether type ip6 jump vnet0-ipv6-in # handle 897\n" \ + " }\n" \ + "\n" \ + " chain vnet0-in { # handle 880\n" \ + " ether type ip jump vnet0-ipv4-in # handle 893\n" \ + " ether type ip6 jump vnet0-ipv6-in # handle 897\n" \ + " }\n" \ + "\n" \ + " chain vnet0-out { # handle 881\n" \ + " ip6 saddr 2a01:7c8:e100:1::78e2 tcp dport 465-465 ct directio= n original drop comment \"priority=3D100\" # handle 882\n" \ + " ip6 saddr 2a01:7c8:e100:1::78e2 tcp dport 587-587 ct directio= n original drop comment \"priority=3D100\" # handle 883\n" \ + " ip saddr 192.168.1.2 tcp dport 25-25 ct direction original dr= op comment \"priority=3D100\" # handle 884\n" \ + " ip saddr 192.168.1.2 tcp dport 587-587 ct direction original = drop comment \"priority=3D100\" # handle 885\n" \ + " ether type ip tcp dport 25-25 ct direction original drop comm= ent \"priority=3D100\" # handle 886\n" \ + " ether type ip6 tcp dport 25-25 ct direction original drop com= ment \"priority=3D100\" # handle 887\n" \ + " ip6 daddr 2a01:7c8:e100:1::78e2 tcp dport 465-465 ct directio= n original accept comment \"priority=3D100\" # handle 888\n" \ + " ip6 saddr 2a01:7c8:e100:1::78e2 udp dport 587-587 ct directio= n original drop comment \"priority=3D100\" # handle 889\n" \ + " ip saddr 192.168.1.2 udp dport 25-25 ct direction original co= ntinue comment \"priority=3D100\" # handle 890\n" \ + " ether type ip ct direction original continue comment \"priori= ty=3D100\" # handle 891\n" \ + " ether type ip jump vnet0-ipv4-out # handle 895\n" \ + " ether type ip6 jump vnet0-ipv6-out # handle 899\n" \ + " }\n" \ + "\n" \ + " chain vnet0-ipv4-in { # handle 892\n" \ + " ip saddr 192.168.1.1 tcp dport 4444 ct direction reply ct sta= te established,new accept comment \"priority=3D302\" # handle 902\n" \ + " ether type ip meta l4proto tcp ct direction reply drop commen= t \"priority=3D601\" # handle 904\n" \ + " ether type ip meta l4proto udp ct direction reply drop commen= t \"priority=3D603\" # handle 905\n" \ + " }\n" \ + "\n" \ + " chain vnet0-ipv4-out { # handle 894\n" \ + " ip protocol icmp ct count over 42 drop comment \"priority=3D4= 00\" # handle 903\n" \ + " }\n" \ + "\n" \ + " chain vnet0-ipv6-in { # handle 896\n" \ + " ip6 daddr fe80::5054:ff:fe60:baae udp sport 547 udp dport 546= ct direction reply accept comment \"priority=3D111\" # handle 901\n" \ + " }\n" \ + "\n" \ + " chain vnet0-ipv6-out { # handle 898\n" \ + " ip6 saddr fe80::5054:ff:fe60:baae ip6 daddr ff02::1:2 udp spo= rt 546 udp dport 547 ct direction original accept comment \"priority=3D110\= " # handle 900\n" \ + " }\n" \ + "}\n" + +#define OLD_REMOVES \ + "nft -a list table bridge libvirt-nwfilter-ethernet\n" \ + "nft -a list table bridge libvirt-nwfilter-other\n" \ + "nft delete chain bridge libvirt-nwfilter-ethernet vnet0-in\n" \ + "nft delete chain bridge libvirt-nwfilter-ethernet vnet0-out\n" \ + "nft delete chain bridge libvirt-nwfilter-ethernet vnet0-ipv4-in\n" \ + "nft delete chain bridge libvirt-nwfilter-ethernet vnet0-ipv4-out\n" \ + "nft delete chain bridge libvirt-nwfilter-ethernet vnet0-ipv6-in\n" \ + "nft delete chain bridge libvirt-nwfilter-ethernet vnet0-ipv6-out\n" \ + "nft delete chain bridge libvirt-nwfilter-other vnet0-in\n" \ + "nft delete chain bridge libvirt-nwfilter-other vnet0-out\n" \ + "nft delete chain bridge libvirt-nwfilter-other vnet0-ipv4-in\n" \ + "nft delete chain bridge libvirt-nwfilter-other vnet0-ipv4-out\n" \ + "nft delete chain bridge libvirt-nwfilter-other vnet0-ipv6-in\n" \ + "nft delete chain bridge libvirt-nwfilter-other vnet0-ipv6-out\n" + +static void +testCommandDryRunCallback(const char *const*args, + const char *const*env G_GNUC_UNUSED, + const char *input G_GNUC_UNUSED, + char **output, + char **error G_GNUC_UNUSED, + int *status, + void *opaque G_GNUC_UNUSED) +{ + size_t argc =3D 0; + const char *table; + + while (args[argc] !=3D NULL) + argc++; + + if (STRNEQ(args[0], "nft")) { + *status =3D EXIT_FAILURE; + return; + } + + /* simulate an empty existing set rules */ + if (argc =3D=3D 6 && STREQ(args[1], "-a") && STREQ(args[2], "list")) { + table =3D args[argc-1]; + *output =3D g_strdup_printf(EXISTING_TABLE, table); + *status =3D EXIT_SUCCESS; + } +} + + +static int +testNWFilterNFTablesAllTeardown(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D OLD_REMOVES; + g_autofree char *actual =3D NULL; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.allTeardown("vnet0") < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + +static int +testNWFilterNFTablesTearOldRules(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D + "nft -a list table bridge libvirt-nwfilter-ethernet\n" + "nft -a list table bridge libvirt-nwfilter-other\n" + OLD_REMOVES + "nft rename chain bridge libvirt-nwfilter-ethernet n-vnet0-in vnet= 0-in\n" + "nft rename chain bridge libvirt-nwfilter-other n-vnet0-in vnet0-i= n\n"; + g_autofree char *actual =3D NULL; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.tearOldRules("vnet0") < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + +static int +testNWFilterNFTablesRemoveBasicRules(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D OLD_REMOVES; + g_autofree char *actual =3D NULL; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.removeBasicRules("vnet0") < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + +static int +testNWFilterNFTablesTearNewRules(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D + "nft -a list table bridge libvirt-nwfilter-ethernet\n" + "nft -a list table bridge libvirt-nwfilter-other\n"\ + "nft delete chain bridge libvirt-nwfilter-ethernet n-vnet0-in\n" + "nft delete chain bridge libvirt-nwfilter-other n-vnet0-in\n"; + g_autofree char *actual =3D NULL; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.tearNewRules("vnet0") < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + +static int +testNWFilterNFTablesApplyBasicRules(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D + OLD_REMOVES + "nft list tables\n" + "nft add chain bridge libvirt-nwfilter-ethernet vnet0-in '{ }'\n" + "nft add chain bridge libvirt-nwfilter-other vnet0-in '{ }'\n" + "nft add chain bridge libvirt-nwfilter-ethernet vnet0-out '{ }'\n" + "nft add chain bridge libvirt-nwfilter-other vnet0-out '{ }'\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out ether sad= dr '!=3D' 10:20:30:40:50:60 drop\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out ether typ= e ip accept\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out ether typ= e arp accept\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out accept\n" + "nft delete element bridge libvirt-nwfilter-other vmap-oif '{' vne= t0 '}'\n" + "nft add element bridge libvirt-nwfilter-other vmap-oif '{' vnet0 = : jump vnet0-in '}'\n" + "nft delete element bridge libvirt-nwfilter-ethernet vmap-oif '{' = vnet0 '}'\n" + "nft add element bridge libvirt-nwfilter-ethernet vmap-oif '{' vne= t0 : jump vnet0-in '}'\n" + "nft delete element bridge libvirt-nwfilter-other vmap-iif '{' vne= t0 '}'\n" + "nft add element bridge libvirt-nwfilter-other vmap-iif '{' vnet0 = : jump vnet0-out '}'\n" + "nft delete element bridge libvirt-nwfilter-ethernet vmap-iif '{' = vnet0 '}'\n" + "nft add element bridge libvirt-nwfilter-ethernet vmap-iif '{' vne= t0 : jump vnet0-out '}'\n"; + g_autofree char *actual =3D NULL; + virMacAddr mac =3D { .addr =3D { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } = }; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.applyBasicRules("vnet0", &mac) < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + +static int +testNWFilterNFTablesApplyDHCPOnlyRules(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D + OLD_REMOVES + "nft list tables\n" + "nft add chain bridge libvirt-nwfilter-ethernet vnet0-in '{ }'\n" + "nft add chain bridge libvirt-nwfilter-other vnet0-in '{ }'\n" + "nft add chain bridge libvirt-nwfilter-ethernet vnet0-out '{ }'\n" + "nft add chain bridge libvirt-nwfilter-other vnet0-out '{ }'\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out ether sad= dr 10:20:30:40:50:60 ether type ip udp sport 68 udp dport 67 accept\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out drop\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in ether dadd= r 10:20:30:40:50:60 ether type ip ip saddr 192.168.122.1 udp sport 67 udp d= port 68 accept\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in ether dadd= r ff:ff:ff:ff:ff:ff ether type ip ip saddr 192.168.122.1 udp sport 67 udp d= port 68 accept\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in ether dadd= r 10:20:30:40:50:60 ether type ip ip saddr 10.0.0.1 udp sport 67 udp dport = 68 accept\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in ether dadd= r ff:ff:ff:ff:ff:ff ether type ip ip saddr 10.0.0.1 udp sport 67 udp dport = 68 accept\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in ether dadd= r 10:20:30:40:50:60 ether type ip ip saddr 10.0.0.2 udp sport 67 udp dport = 68 accept\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in ether dadd= r ff:ff:ff:ff:ff:ff ether type ip ip saddr 10.0.0.2 udp sport 67 udp dport = 68 accept\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in drop\n" + "nft delete element bridge libvirt-nwfilter-other vmap-oif '{' vne= t0 '}'\n" + "nft add element bridge libvirt-nwfilter-other vmap-oif '{' vnet0 = : jump vnet0-in '}'\n" + "nft delete element bridge libvirt-nwfilter-ethernet vmap-oif '{' = vnet0 '}'\n" + "nft add element bridge libvirt-nwfilter-ethernet vmap-oif '{' vne= t0 : jump vnet0-in '}'\n" + "nft delete element bridge libvirt-nwfilter-other vmap-iif '{' vne= t0 '}'\n" + "nft add element bridge libvirt-nwfilter-other vmap-iif '{' vnet0 = : jump vnet0-out '}'\n" + "nft delete element bridge libvirt-nwfilter-ethernet vmap-iif '{' = vnet0 '}'\n" + "nft add element bridge libvirt-nwfilter-ethernet vmap-iif '{' vne= t0 : jump vnet0-out '}'\n"; + g_autofree char *actual =3D NULL; + virMacAddr mac =3D { .addr =3D { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } = }; + const char *servers[] =3D { "192.168.122.1", "10.0.0.1", "10.0.0.2" }; + virNWFilterVarValue val =3D { + .valType =3D NWFILTER_VALUE_TYPE_ARRAY, + .u =3D { + .array =3D { + .values =3D (char **)servers, + .nValues =3D 3, + } + } + }; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.applyDHCPOnlyRules("vnet0", &mac, &val, false) < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + + +static int +testNWFilterNFTablesApplyDropAllRules(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D + OLD_REMOVES + "nft list tables\n" + "nft add chain bridge libvirt-nwfilter-ethernet vnet0-in '{ }'\n" + "nft add chain bridge libvirt-nwfilter-other vnet0-in '{ }'\n" + "nft add chain bridge libvirt-nwfilter-ethernet vnet0-out '{ }'\n" + "nft add chain bridge libvirt-nwfilter-other vnet0-out '{ }'\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out drop\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in drop\n" + "nft delete element bridge libvirt-nwfilter-other vmap-oif '{' vne= t0 '}'\n" + "nft add element bridge libvirt-nwfilter-other vmap-oif '{' vnet0 = : jump vnet0-in '}'\n" + "nft delete element bridge libvirt-nwfilter-ethernet vmap-oif '{' = vnet0 '}'\n" + "nft add element bridge libvirt-nwfilter-ethernet vmap-oif '{' vne= t0 : jump vnet0-in '}'\n" + "nft delete element bridge libvirt-nwfilter-other vmap-iif '{' vne= t0 '}'\n" + "nft add element bridge libvirt-nwfilter-other vmap-iif '{' vnet0 = : jump vnet0-out '}'\n" + "nft delete element bridge libvirt-nwfilter-ethernet vmap-iif '{' = vnet0 '}'\n" + "nft add element bridge libvirt-nwfilter-ethernet vmap-iif '{' vne= t0 : jump vnet0-out '}'\n"; + g_autofree char *actual =3D NULL; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.applyDropAllRules("vnet0") < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + +static int +mymain(void) +{ + int ret =3D 0; + + if (virTestRun("nftablesAllTeardown", + testNWFilterNFTablesAllTeardown, + NULL) < 0) + ret =3D -1; + + if (virTestRun("nftablesTearOldRules", + testNWFilterNFTablesTearOldRules, + NULL) < 0) + ret =3D -1; + + if (virTestRun("nftablesRemoveBasicRules", + testNWFilterNFTablesRemoveBasicRules, + NULL) < 0) + ret =3D -1; + + if (virTestRun("nftablesTearNewRules", + testNWFilterNFTablesTearNewRules, + NULL) < 0) + ret =3D -1; + + if (virTestRun("nftablesApplyBasicRules", + testNWFilterNFTablesApplyBasicRules, + NULL) < 0) + ret =3D -1; + + if (virTestRun("nftablesApplyDHCPOnlyRules", + testNWFilterNFTablesApplyDHCPOnlyRules, + NULL) < 0) + ret =3D -1; + + if (virTestRun("nftablesApplyDropAllRules", + testNWFilterNFTablesApplyDropAllRules, + NULL) < 0) + ret =3D -1; + + return ret =3D=3D 0 ? EXIT_SUCCESS : EXIT_FAILURE; +} + +VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virfirewall")) diff --git a/tests/nwfilterxml2nftfirewalldata/ah-ipv6-linux.args b/tests/n= wfilterxml2nftfirewalldata/ah-ipv6-linux.args new file mode 100755 index 0000000000..4a59213758 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/ah-ipv6-linux.args @@ -0,0 +1,304 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/ah-linux.args b/tests/nwfilt= erxml2nftfirewalldata/ah-linux.args new file mode 100755 index 0000000000..2cd4ea4604 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/ah-linux.args @@ -0,0 +1,298 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/all-ipv6-linux.args b/tests/= nwfilterxml2nftfirewalldata/all-ipv6-linux.args new file mode 100755 index 0000000000..426169a28d --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/all-ipv6-linux.args @@ -0,0 +1,286 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/all-linux.args b/tests/nwfil= terxml2nftfirewalldata/all-linux.args new file mode 100755 index 0000000000..ff8509e85e --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/all-linux.args @@ -0,0 +1,280 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/arp-linux.args b/tests/nwfil= terxml2nftfirewalldata/arp-linux.args new file mode 100755 index 0000000000..254e635294 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/arp-linux.args @@ -0,0 +1,215 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x806 \ +'arp htype' \ +12 \ +'arp operation' \ +1 \ +'arp ptype' \ +0x22 \ +'ether saddr' \ +01:02:03:04:05:06 \ +'ether daddr' \ +0a:0b:0c:0d:0e:0f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +'arp htype' \ +255 \ +'arp operation' \ +1 \ +'arp ptype' \ +0xff \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +'arp htype' \ +256 \ +'arp operation' \ +11 \ +'arp ptype' \ +0x100 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +'arp htype' \ +65535 \ +'arp operation' \ +65535 \ +'arp ptype' \ +0xffff \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/arp.xml b/tests/nwfilterxml2= nftfirewalldata/arp.xml new file mode 100644 index 0000000000..ba68f6d7cc --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/arp.xml @@ -0,0 +1,27 @@ + + 5c6d49af-b071-6127-b4ec-6f8ed4b55335 + + + + + + + + + + + + + + + + diff --git a/tests/nwfilterxml2nftfirewalldata/comment-linux.args b/tests/n= wfilterxml2nftfirewalldata/comment-linux.args new file mode 100755 index 0000000000..ef6c4ed68b --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/comment-linux.args @@ -0,0 +1,483 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +'ether type' \ +0x1234 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +daddr \ +10.1.2.3/32 \ +'ip protocol' \ +17 \ +'th sport' \ +291-564 \ +'th dport' \ +13398-17767 \ +'ip dscp' \ +0x32 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:fe =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:80 =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/22 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/113 \ +'ip6 nexthdr' \ +6 \ +'th sport' \ +273-400 \ +'th dport' \ +13107-65535 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x806 \ +'arp htype' \ +18 \ +'arp operation' \ +1 \ +'arp ptype' \ +0x56 \ +'ether saddr' \ +01:02:03:04:05:06 \ +'ether daddr' \ +0a:0b:0c:0d:0e:0f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +34 \ +'udp dport' \ +564-1092 \ +'udp sport' \ +291-400 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dudp rule"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +34 \ +'udp sport' \ +564-1092 \ +'udp dport' \ +291-400 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dudp rule"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +'tcp dport' \ +256-4369 \ +'tcp sport' \ +32-33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dtcp/ipv6 rule"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +'tcp sport' \ +256-4369 \ +'tcp dport' \ +32-33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dtcp/ipv6 rule"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3D`ls`;${COLUMNS};$(ls);'\''test'\'';&'\''3 = spaces'\''"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3D`ls`;${COLUMNS};$(ls);'\''test'\'';&'\''3 = spaces'\''"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dcomment with lone '\'', `, '\'', `, \, $x, = and two spaces"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dcomment with lone '\'', `, '\'', `, \, $x, = and two spaces"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dtmp=3D`mktemp`; echo ${RANDOM} > ${tmp} ; c= at < ${tmp}; rm -f ${tmp}"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dtmp=3D`mktemp`; echo ${RANDOM} > ${tmp} ; c= at < ${tmp}; rm -f ${tmp}"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/conntrack-linux.args b/tests= /nwfilterxml2nftfirewalldata/conntrack-linux.args new file mode 100755 index 0000000000..e5e22a3460 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/conntrack-linux.args @@ -0,0 +1,198 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +count \ +over \ +1 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ct \ +count \ +over \ +2 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/esp-ipv6-linux.args b/tests/= nwfilterxml2nftfirewalldata/esp-ipv6-linux.args new file mode 100755 index 0000000000..ede39e4c4b --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/esp-ipv6-linux.args @@ -0,0 +1,304 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/esp-linux.args b/tests/nwfil= terxml2nftfirewalldata/esp-linux.args new file mode 100755 index 0000000000..500d069b80 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/esp-linux.args @@ -0,0 +1,298 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/example-1-linux.args b/tests= /nwfilterxml2nftfirewalldata/example-1-linux.args new file mode 100755 index 0000000000..963d77b7c9 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/example-1-linux.args @@ -0,0 +1,266 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp dport' \ +22 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D100"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp sport' \ +22 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D100"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D200"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D200"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D300"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D300"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D1000"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D1000"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/example-2-linux.args b/tests= /nwfilterxml2nftfirewalldata/example-2-linux.args new file mode 100755 index 0000000000..ffff3f1628 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/example-2-linux.args @@ -0,0 +1,348 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +established,related \ +accept \ +comment \ +'"priority=3D100,usercomment=3Dout: existing and related (ftp) connections= "' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established,related \ +accept \ +comment \ +'"priority=3D100,usercomment=3Dout: existing and related (ftp) connections= "' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D100,usercomment=3Din: existing connections"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D100,usercomment=3Din: existing connections"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp dport' \ +21-22 \ +ct \ +direction \ +original \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D200,usercomment=3Din: ftp and ssh"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp sport' \ +21-22 \ +ct \ +direction \ +reply \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D200,usercomment=3Din: ftp and ssh"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D300,usercomment=3Din: icmp"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D300,usercomment=3Din: icmp"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'udp dport' \ +53 \ +ct \ +direction \ +original \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D300,usercomment=3Dout: DNS lookups"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'udp sport' \ +53 \ +ct \ +direction \ +reply \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D300,usercomment=3Dout: DNS lookups"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D1000,usercomment=3Dinout: drop all non-accepted traffic"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D1000,usercomment=3Dinout: drop all non-accepted traffic"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/hex-data-linux.args b/tests/= nwfilterxml2nftfirewalldata/hex-data-linux.args new file mode 100755 index 0000000000..c14b85460a --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/hex-data-linux.args @@ -0,0 +1,357 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +'ether type' \ +0x1234 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +daddr \ +10.1.2.3/32 \ +'ip protocol' \ +17 \ +'th sport' \ +291-564 \ +'th dport' \ +13398-17767 \ +'ip dscp' \ +0x32 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:fe =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:80 =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/22 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/113 \ +'ip6 nexthdr' \ +6 \ +'th sport' \ +273-400 \ +'th dport' \ +13107-65535 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x806 \ +'arp htype' \ +18 \ +'arp operation' \ +1 \ +'arp ptype' \ +0x56 \ +'ether saddr' \ +01:02:03:04:05:06 \ +'ether daddr' \ +0a:0b:0c:0d:0e:0f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +34 \ +'udp dport' \ +564-1092 \ +'udp sport' \ +291-400 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +34 \ +'udp sport' \ +564-1092 \ +'udp dport' \ +291-400 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +'tcp dport' \ +256-4369 \ +'tcp sport' \ +32-33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +'tcp sport' \ +256-4369 \ +'tcp dport' \ +32-33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/icmp-direction-linux.args b/= tests/nwfilterxml2nftfirewalldata/icmp-direction-linux.args new file mode 100755 index 0000000000..cfa1afd466 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/icmp-direction-linux.args @@ -0,0 +1,238 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/icmp-direction2-linux.args b= /tests/nwfilterxml2nftfirewalldata/icmp-direction2-linux.args new file mode 100755 index 0000000000..56c30766ac --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/icmp-direction2-linux.args @@ -0,0 +1,238 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/icmp-direction3-linux.args b= /tests/nwfilterxml2nftfirewalldata/icmp-direction3-linux.args new file mode 100755 index 0000000000..6de47f0994 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/icmp-direction3-linux.args @@ -0,0 +1,184 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/icmp-linux.args b/tests/nwfi= lterxml2nftfirewalldata/icmp-linux.args new file mode 100755 index 0000000000..a5aba05334 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/icmp-linux.args @@ -0,0 +1,252 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +icmp \ +type \ +12 \ +icmp \ +code \ +11 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +icmp \ +type \ +12 \ +icmp \ +code \ +11 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +icmp \ +type \ +255 \ +icmp \ +code \ +255 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +icmp \ +type \ +255 \ +icmp \ +code \ +255 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/icmpv6-linux.args b/tests/nw= filterxml2nftfirewalldata/icmpv6-linux.args new file mode 100755 index 0000000000..baaab3a720 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/icmpv6-linux.args @@ -0,0 +1,322 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +icmpv6 \ +type \ +12 \ +icmpv6 \ +code \ +11 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +icmpv6 \ +type \ +12 \ +icmpv6 \ +code \ +11 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/igmp-linux.args b/tests/nwfi= lterxml2nftfirewalldata/igmp-linux.args new file mode 100755 index 0000000000..4f8de57a39 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/igmp-linux.args @@ -0,0 +1,298 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/ip-linux.args b/tests/nwfilt= erxml2nftfirewalldata/ip-linux.args new file mode 100755 index 0000000000..c4951b0d45 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/ip-linux.args @@ -0,0 +1,198 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +daddr \ +10.1.2.3/32 \ +'ip protocol' \ +17 \ +'th sport' \ +20-22 \ +'th dport' \ +100-101 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +saddr \ +10.1.2.3/17 \ +ip \ +daddr \ +10.1.2.3/24 \ +'ip protocol' \ +17 \ +'ip dscp' \ +0x3f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +saddr \ +10.1.2.3/31 \ +ip \ +daddr \ +10.1.2.3/25 \ +'ip protocol' \ +255 \ +'ip dscp' \ +0x3f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/ipt-no-macspoof-linux.args b= /tests/nwfilterxml2nftfirewalldata/ipt-no-macspoof-linux.args new file mode 100755 index 0000000000..2646905c98 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/ipt-no-macspoof-linux.args @@ -0,0 +1,169 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +'!=3D' \ +12:34:56:78:9a:bc \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +'!=3D' \ +12:34:56:78:9a:bc \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +'!=3D' \ +aa:aa:aa:aa:aa:aa \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/ipv6-linux.args b/tests/nwfi= lterxml2nftfirewalldata/ipv6-linux.args new file mode 100755 index 0000000000..5b1715f687 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/ipv6-linux.args @@ -0,0 +1,474 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:fe =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:80 =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/22 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/113 \ +'ip6 nexthdr' \ +17 \ +'th sport' \ +20-22 \ +'th dport' \ +100-101 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +6 \ +'th sport' \ +20-22 \ +'th dport' \ +100-101 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +6 \ +'th dport' \ +20-22 \ +'th sport' \ +100-101 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +6 \ +'th sport' \ +255-256 \ +'th dport' \ +65535-65535 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +6 \ +'th dport' \ +255-256 \ +'th sport' \ +65535-65535 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +18 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +18 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 type' \ +1 \ +'icmpv6 code' \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 type' \ +1 \ +'icmpv6 code' \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 type' \ +1 \ +'icmpv6 code' \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 type' \ +1 \ +'icmpv6 code' \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 code' \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 code' \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 type' \ +1 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 type' \ +1 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/iter1-linux.args b/tests/nwf= ilterxml2nftfirewalldata/iter1-linux.args new file mode 100755 index 0000000000..18a8c2e166 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/iter1-linux.args @@ -0,0 +1,298 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/iter2-linux.args b/tests/nwf= ilterxml2nftfirewalldata/iter2-linux.args new file mode 100755 index 0000000000..8391f933d5 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/iter2-linux.args @@ -0,0 +1,3598 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +1 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +1 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +1 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +1 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +'udp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +'udp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +'udp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +'udp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +'udp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +'udp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +'udp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +'udp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1080 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1080 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1080 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1080 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1080 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1080 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1090 \ +'sctp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1090 \ +'sctp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1090 \ +'sctp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1090 \ +'sctp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1090 \ +'sctp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1090 \ +'sctp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1100 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1100 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1100 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1100 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1100 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1100 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1110 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1110 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1110 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1110 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1110 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1110 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1080 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1080 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1080 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1080 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1080 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1080 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1080 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1080 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1080 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1080 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1080 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1080 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1090 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1090 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1090 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1090 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1090 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1090 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1090 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1090 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1090 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1090 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1090 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1090 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1100 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1100 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1100 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1100 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1100 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1100 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1100 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1100 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1100 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1100 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1100 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1100 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1110 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1110 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1110 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1110 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1110 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1110 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1110 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1110 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1110 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1110 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1110 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1110 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/iter3-linux.args b/tests/nwf= ilterxml2nftfirewalldata/iter3-linux.args new file mode 100755 index 0000000000..d4446f13ed --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/iter3-linux.args @@ -0,0 +1,418 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1100 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1100 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/mac-linux.args b/tests/nwfil= terxml2nftfirewalldata/mac-linux.args new file mode 100755 index 0000000000..d5a7083019 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/mac-linux.args @@ -0,0 +1,180 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +'ether type' \ +0x806 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +'ether type' \ +0x800 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +'ether type' \ +0x600 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +'ether type' \ +0xffff \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/rarp-linux.args b/tests/nwfi= lterxml2nftfirewalldata/rarp-linux.args new file mode 100755 index 0000000000..fbeae86d98 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/rarp-linux.args @@ -0,0 +1,215 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8035 \ +'arp htype' \ +12 \ +'arp operation' \ +1 \ +'arp ptype' \ +0x22 \ +'ether saddr' \ +01:02:03:04:05:06 \ +'ether daddr' \ +0a:0b:0c:0d:0e:0f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x8035 \ +'arp htype' \ +255 \ +'arp operation' \ +1 \ +'arp ptype' \ +0xff \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x8035 \ +'arp htype' \ +256 \ +'arp operation' \ +11 \ +'arp ptype' \ +0x100 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x8035 \ +'arp htype' \ +65535 \ +'arp operation' \ +65535 \ +'arp ptype' \ +0xffff \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/sctp-ipv6-linux.args b/tests= /nwfilterxml2nftfirewalldata/sctp-ipv6-linux.args new file mode 100755 index 0000000000..0898cdcb82 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/sctp-ipv6-linux.args @@ -0,0 +1,314 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +'sctp dport' \ +100-1111 \ +'sctp sport' \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +'sctp sport' \ +100-1111 \ +'sctp dport' \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +'sctp dport' \ +65535-65535 \ +'sctp sport' \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +'sctp sport' \ +65535-65535 \ +'sctp dport' \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/sctp-linux.args b/tests/nwfi= lterxml2nftfirewalldata/sctp-linux.args new file mode 100755 index 0000000000..34bffb804a --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/sctp-linux.args @@ -0,0 +1,314 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +'sctp dport' \ +100-1111 \ +'sctp sport' \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +'sctp sport' \ +100-1111 \ +'sctp dport' \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +'sctp dport' \ +65535-65535 \ +'sctp sport' \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +'sctp sport' \ +65535-65535 \ +'sctp dport' \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/target-linux.args b/tests/nw= filterxml2nftfirewalldata/target-linux.args new file mode 100755 index 0000000000..d4b0c0f70f --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/target-linux.args @@ -0,0 +1,452 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +drop \ +comment \ +'"priority=3D500,usercomment=3Ddrop rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +drop \ +comment \ +'"priority=3D500,usercomment=3Dreject rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir in"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir in"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +drop \ +comment \ +'"priority=3D500,usercomment=3Ddrop rule -- dir in"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +drop \ +comment \ +'"priority=3D500,usercomment=3Dreject rule -- dir in"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D500,usercomment=3Ddrop rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D500,usercomment=3Dreject rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +'ether type' \ +0x806 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +'ether type' \ +0x806 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +'ether type' \ +0x806 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +'ether type' \ +0x800 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +'ether type' \ +0x800 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +'ether type' \ +0x800 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/target2-linux.args b/tests/n= wfilterxml2nftfirewalldata/target2-linux.args new file mode 100755 index 0000000000..33fb4351ca --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/target2-linux.args @@ -0,0 +1,316 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp dport' \ +22 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp sport' \ +22 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp sport' \ +22 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp dport' \ +22 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp dport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp sport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/tcp-ipv6-linux.args b/tests/= nwfilterxml2nftfirewalldata/tcp-ipv6-linux.args new file mode 100755 index 0000000000..47dbed5a14 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/tcp-ipv6-linux.args @@ -0,0 +1,314 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +'tcp dport' \ +100-1111 \ +'tcp sport' \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +'tcp sport' \ +100-1111 \ +'tcp dport' \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +'tcp dport' \ +65535-65535 \ +'tcp sport' \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +'tcp sport' \ +65535-65535 \ +'tcp dport' \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/tcp-linux.args b/tests/nwfil= terxml2nftfirewalldata/tcp-linux.args new file mode 100755 index 0000000000..6ccc0fd7dc --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/tcp-linux.args @@ -0,0 +1,468 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +'tcp dport' \ +100-1111 \ +'tcp sport' \ +20-21 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +'tcp dport' \ +65535-65535 \ +'tcp sport' \ +255-256 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +syn \ +=3D=3D \ +'{' \ +'*' \ +'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +syn \ +=3D=3D \ +'{' \ +'*' \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +syn \ +=3D=3D \ +'{' \ +syn,ack \ +'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +syn \ +=3D=3D \ +'{' \ +syn,ack \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +rst \ +=3D=3D \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +rst \ +=3D=3D \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +psh \ +=3D=3D \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +psh \ +=3D=3D \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/udp-ipv6-linux.args b/tests/= nwfilterxml2nftfirewalldata/udp-ipv6-linux.args new file mode 100755 index 0000000000..7bb8813ed8 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/udp-ipv6-linux.args @@ -0,0 +1,314 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::a:b:c/128 \ +ip6 \ +dscp \ +33 \ +'udp dport' \ +100-1111 \ +'udp sport' \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::a:b:c/128 \ +ip6 \ +dscp \ +33 \ +'udp sport' \ +100-1111 \ +'udp dport' \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +'udp dport' \ +65535-65535 \ +'udp sport' \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +'udp sport' \ +65535-65535 \ +'udp dport' \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/udp-linux.args b/tests/nwfil= terxml2nftfirewalldata/udp-linux.args new file mode 100755 index 0000000000..bff4d8ad97 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/udp-linux.args @@ -0,0 +1,314 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +'udp dport' \ +100-1111 \ +'udp sport' \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +'udp sport' \ +100-1111 \ +'udp dport' \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +'udp dport' \ +65535-65535 \ +'udp sport' \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +'udp sport' \ +65535-65535 \ +'udp dport' \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/udplite-ipv6-linux.args b/te= sts/nwfilterxml2nftfirewalldata/udplite-ipv6-linux.args new file mode 100755 index 0000000000..354cf9e251 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/udplite-ipv6-linux.args @@ -0,0 +1,304 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/udplite-linux.args b/tests/n= wfilterxml2nftfirewalldata/udplite-linux.args new file mode 100755 index 0000000000..97e06609aa --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/udplite-linux.args @@ -0,0 +1,298 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/vlan-linux.args b/tests/nwfi= lterxml2nftfirewalldata/vlan-linux.args new file mode 100755 index 0000000000..8075637e4c --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/vlan-linux.args @@ -0,0 +1,264 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan id' \ +291 \ +continue \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan id' \ +291 \ +continue \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan id' \ +1234 \ +return \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan id' \ +1234 \ +return \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan id' \ +291 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan type' \ +2054 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan type' \ +4660 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalltest.c b/tests/nwfilterxml2nftfir= ewalltest.c new file mode 100644 index 0000000000..b65a346646 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalltest.c @@ -0,0 +1,438 @@ +/* + * nwfilterxml2nftfirewalltest.c: Test iptables rule generation + * + * Copyright (C) 2014 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + * + */ + +#include + +#if defined (__linux__) + +# include "testutils.h" +# include "nwfilter/nwfilter_nftables_driver.h" +# include "virbuffer.h" + +# define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW +# include "vircommandpriv.h" + +# define VIR_FROM_THIS VIR_FROM_NONE + +# ifdef __linux__ +# define RULESTYPE "linux" +# else +# error "test case not ported to this platform" +# endif + +typedef struct _virNWFilterInst virNWFilterInst; +struct _virNWFilterInst { + virNWFilterDef **filters; + size_t nfilters; + virNWFilterRuleInst **rules; + size_t nrules; +}; + +/* + * Some sets of rules that will be common to all test files, + * so we don't bother including them in the test data files + * as that would just bloat them + */ + +static const char *commonRules[] =3D { + "nft \\\nlist \\\ntables\n" + "nft \\\nlist \\\nchains\n" + "nft \\\nadd \\\ntable \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\n'{= comment \"this table is managed by libvirt\"; }'\n" + "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\nvmap= -oif \\\n'{ type iface_index: verdict; }'\n" + "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\nvmap= -iif \\\n'{ type iface_index: verdict; }'\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\npo= strouting \\\n'{ type filter hook postrouting priority 0; policy accept; }= '\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\npr= erouting \\\n'{ type filter hook prerouting priority 0; policy accept; }'\= n" + "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\npos= trouting \\\noif \\\nvmap \\\n@vmap-oif\n" + "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\npre= routing \\\niif \\\nvmap \\\n@vmap-iif\n" + "nft \\\nadd \\\ntable \\\nbridge \\\nlibvirt-nwfilter-other \\\n'{ co= mment \"this table is managed by libvirt\"; }'\n" + "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt-nwfilter-other \\\nvmap-oi= f \\\n'{ type iface_index: verdict; }'\n", + "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt-nwfilter-other \\\nvmap-ii= f \\\n'{ type iface_index: verdict; }'\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-other \\\npostr= outing \\\n'{ type filter hook postrouting priority 1; policy accept; }'\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-other \\\nprero= uting \\\n'{ type filter hook prerouting priority 1; policy accept; }'\n" + "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt-nwfilter-other \\\npostro= uting \\\noif \\\nvmap \\\n@vmap-oif\n" + "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt-nwfilter-other \\\nprerou= ting \\\niif \\\nvmap \\\n@vmap-iif\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\nn-= vnet0-in \\\n'{ }'\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-other \\\nn-vne= t0-in \\\n'{ }'\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\nn-= vnet0-out \\\n'{ }'\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-other \\\nn-vne= t0-out \\\n'{ }'\n", +}; + + +static GHashTable * +virNWFilterCreateVarsFrom(GHashTable *vars1, + GHashTable *vars2) +{ + g_autoptr(GHashTable) res =3D virHashNew(virNWFilterVarValueHashFree); + + if (virNWFilterHashTablePutAll(vars1, res) < 0) + return NULL; + + if (virNWFilterHashTablePutAll(vars2, res) < 0) + return NULL; + + return g_steal_pointer(&res); +} + + +static void +virNWFilterRuleInstFree(virNWFilterRuleInst *inst) +{ + if (!inst) + return; + + g_clear_pointer(&inst->vars, g_hash_table_unref); + g_free(inst); +} + + +static void +virNWFilterInstReset(virNWFilterInst *inst) +{ + size_t i; + + for (i =3D 0; i < inst->nfilters; i++) + virNWFilterDefFree(inst->filters[i]); + VIR_FREE(inst->filters); + inst->nfilters =3D 0; + + for (i =3D 0; i < inst->nrules; i++) + virNWFilterRuleInstFree(inst->rules[i]); + VIR_FREE(inst->rules); + inst->nrules =3D 0; +} + + +static int +virNWFilterDefToInst(const char *xml, + GHashTable *vars, + virNWFilterInst *inst); + +static int +virNWFilterRuleDefToRuleInst(virNWFilterDef *def, + virNWFilterRuleDef *rule, + GHashTable *vars, + virNWFilterInst *inst) +{ + virNWFilterRuleInst *ruleinst; + int ret =3D -1; + + ruleinst =3D g_new0(virNWFilterRuleInst, 1); + + ruleinst->chainSuffix =3D def->chainsuffix; + ruleinst->chainPriority =3D def->chainPriority; + ruleinst->def =3D rule; + ruleinst->priority =3D rule->priority; + ruleinst->vars =3D virHashNew(virNWFilterVarValueHashFree); + + if (virNWFilterHashTablePutAll(vars, ruleinst->vars) < 0) + goto cleanup; + + VIR_APPEND_ELEMENT(inst->rules, inst->nrules, ruleinst); + + ret =3D 0; + cleanup: + virNWFilterRuleInstFree(ruleinst); + return ret; +} + + +static int +virNWFilterIncludeDefToRuleInst(virNWFilterIncludeDef *inc, + GHashTable *vars, + virNWFilterInst *inst) +{ + g_autoptr(GHashTable) tmpvars =3D NULL; + int ret =3D -1; + g_autofree char *xml =3D NULL; + + xml =3D g_strdup_printf("%s/nwfilterxml2firewalldata/%s.xml", abs_srcd= ir, + inc->filterref); + + /* create a temporary hashmap for depth-first tree traversal */ + if (!(tmpvars =3D virNWFilterCreateVarsFrom(inc->params, + vars))) + goto cleanup; + + if (virNWFilterDefToInst(xml, + tmpvars, + inst) < 0) + goto cleanup; + + ret =3D 0; + cleanup: + if (ret < 0) + virNWFilterInstReset(inst); + return ret; +} + +static int +virNWFilterDefToInst(const char *xml, + GHashTable *vars, + virNWFilterInst *inst) +{ + size_t i; + int ret =3D -1; + virNWFilterDef *def =3D virNWFilterDefParse(NULL, xml, 0); + + if (!def) + return -1; + + VIR_APPEND_ELEMENT_COPY(inst->filters, inst->nfilters, def); + + for (i =3D 0; i < def->nentries; i++) { + if (def->filterEntries[i]->rule) { + if (virNWFilterRuleDefToRuleInst(def, + def->filterEntries[i]->rule, + vars, + inst) < 0) + goto cleanup; + } else if (def->filterEntries[i]->include) { + if (virNWFilterIncludeDefToRuleInst(def->filterEntries[i]->inc= lude, + vars, + inst) < 0) + goto cleanup; + } + } + + ret =3D 0; + cleanup: + if (ret < 0) + virNWFilterInstReset(inst); + return ret; +} + + +static void testRemoveCommonRules(char *rules) +{ + size_t i; + char *offset =3D rules; + + for (i =3D 0; i < G_N_ELEMENTS(commonRules); i++) { + char *tmp =3D strstr(offset, commonRules[i]); + size_t len =3D strlen(commonRules[i]); + if (tmp) { + memmove(tmp, tmp + len, (strlen(tmp) + 1) - len); + offset =3D tmp; + } + } +} + + +static int testSetOneParameter(GHashTable *vars, + const char *name, + const char *value) +{ + virNWFilterVarValue *val; + + if ((val =3D virHashLookup(vars, name)) =3D=3D NULL) { + val =3D virNWFilterVarValueCreateSimpleCopyValue(value); + if (!val) + return -1; + if (virHashUpdateEntry(vars, name, val) < 0) { + virNWFilterVarValueFree(val); + return -1; + } + } else { + if (virNWFilterVarValueAddValueCopy(val, value) < 0) + return -1; + } + + return 0; +} + +static int testSetDefaultParameters(GHashTable *vars) +{ + if (testSetOneParameter(vars, "IPSETNAME", "tck_test") < 0 || + testSetOneParameter(vars, "A", "1.1.1.1") || + testSetOneParameter(vars, "A", "2.2.2.2") || + testSetOneParameter(vars, "A", "3.3.3.3") || + testSetOneParameter(vars, "A", "3.3.3.3") || + testSetOneParameter(vars, "B", "80") || + testSetOneParameter(vars, "B", "90") || + testSetOneParameter(vars, "B", "80") || + testSetOneParameter(vars, "B", "80") || + testSetOneParameter(vars, "C", "1080") || + testSetOneParameter(vars, "C", "1090") || + testSetOneParameter(vars, "C", "1100") || + testSetOneParameter(vars, "C", "1110")) + return -1; + return 0; +} + +static void +testCommandDryRunCallback(const char *const*args, + const char *const*env G_GNUC_UNUSED, + const char *input G_GNUC_UNUSED, + char **output, + char **error G_GNUC_UNUSED, + int *status, + void *opaque G_GNUC_UNUSED) +{ + if (STRNEQ(args[0], "nft")) { + return; + } + + /* simulate an empty existing set rules */ + if (STREQ(args[1], "list") && STREQ(args[2], "tables")) { + *output =3D g_strdup("table nothing\n"); + *status =3D EXIT_SUCCESS; + } else if (STREQ(args[1], "list") && STREQ(args[2], "chains")) { + *output =3D g_strdup("chain nothing\n"); + *status =3D EXIT_SUCCESS; + } +} + +static int testCompareXMLToArgvFiles(const char *xml, + const char *cmdline) +{ + g_autofree char *actualargv =3D NULL; + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + g_autoptr(GHashTable) vars =3D virHashNew(virNWFilterVarValueHashFree); + virNWFilterInst inst =3D { 0 }; + int ret =3D -1; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, true, true, testCommandDryRunCa= llback, NULL); + + if (testSetDefaultParameters(vars) < 0) + goto cleanup; + + if (virNWFilterDefToInst(xml, + vars, + &inst) < 0) + goto cleanup; + + if (nftables_driver.applyNewRules("vnet0", inst.rules, inst.nrules) < = 0) + goto cleanup; + + actualargv =3D virBufferContentAndReset(&buf); + + testRemoveCommonRules(actualargv); + + if (virTestCompareToFileFull(actualargv, cmdline, false) < 0) + goto cleanup; + + ret =3D 0; + + cleanup: + virNWFilterInstReset(&inst); + return ret; +} + +struct testInfo { + const char *name; +}; + + +static int +testCompareXMLToIPTablesHelper(const void *data) +{ + int result =3D -1; + const struct testInfo *info =3D data; + g_autofree char *xml =3D NULL; + g_autofree char *override_xml =3D NULL; + g_autofree char *args =3D NULL; + + override_xml =3D g_strdup_printf("%s/nwfilterxml2nftfirewalldata/%s.xm= l", + abs_srcdir, info->name); + + if (virFileExists(override_xml)) { + xml =3D g_strdup(override_xml); + } else { + xml =3D g_strdup_printf("%s/nwfilterxml2firewalldata/%s.xml", + abs_srcdir, info->name); + } + + args =3D g_strdup_printf("%s/nwfilterxml2nftfirewalldata/%s-%s.args", + abs_srcdir, info->name, RULESTYPE); + + result =3D testCompareXMLToArgvFiles(xml, args); + + return result; +} + + +static int +mymain(void) +{ + int ret =3D 0; + +# define DO_TEST(name) \ + do { \ + static struct testInfo info =3D { \ + name, \ + }; \ + if (virTestRun("NWFilter XML-2-firewall " name, \ + testCompareXMLToIPTablesHelper, &info) < 0) \ + ret =3D -1; \ + } while (0) + + DO_TEST("ah"); + DO_TEST("ah-ipv6"); + DO_TEST("all"); + DO_TEST("all-ipv6"); + DO_TEST("arp"); + DO_TEST("comment"); + DO_TEST("conntrack"); + DO_TEST("esp"); + DO_TEST("esp-ipv6"); + DO_TEST("example-1"); + DO_TEST("example-2"); + DO_TEST("hex-data"); + DO_TEST("icmp-direction2"); + DO_TEST("icmp-direction3"); + DO_TEST("icmp-direction"); + DO_TEST("icmp"); + DO_TEST("icmpv6"); + DO_TEST("igmp"); + DO_TEST("ip"); + DO_TEST("ipt-no-macspoof"); + DO_TEST("ipv6"); + DO_TEST("iter1"); + DO_TEST("iter2"); + DO_TEST("iter3"); + DO_TEST("mac"); + DO_TEST("rarp"); + DO_TEST("sctp"); + DO_TEST("sctp-ipv6"); + DO_TEST("target2"); + DO_TEST("target"); + DO_TEST("tcp"); + DO_TEST("tcp-ipv6"); + DO_TEST("udp"); + DO_TEST("udp-ipv6"); + DO_TEST("udplite"); + DO_TEST("udplite-ipv6"); + DO_TEST("vlan"); + + return ret =3D=3D 0 ? EXIT_SUCCESS : EXIT_FAILURE; +} + +VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virfirewall")) + +#else /* ! defined (__linux__) */ + +int main(void) +{ + return EXIT_AM_SKIP; +} + +#endif /* ! defined (__linux__) */ --=20 2.43.0