From: Dion Bosschieter
To: devel@lists.libvirt.org
Subject: [PATCH 5/5] nwfilter: add unit tests and test data for nwfilter nftables driver
Date: Fri, 31 Oct 2025 13:05:45 +0100
Message-ID: <20251031120546.942126-6-dionbosschieter@gmail.com>
In-Reply-To: <20251031120546.942126-1-dionbosschieter@gmail.com>
References: <20251031120546.942126-1-dionbosschieter@gmail.com>
CC: jean-louis@dupond.be, Dion Bosschieter

Add unit test files nwfilternftablestest.c and nwfilterxml2nftfirewalltest.c, including data files in a new nwfilterxml2nftfirewalldata directory. Tests follow the same style and structure as the ebiptables driver for nwfilter.
Signed-off-by: Dion Bosschieter --- tests/meson.build | 2 + tests/nwfilternftablestest.c | 428 ++ .../ah-ipv6-linux.args | 304 ++ .../nwfilterxml2nftfirewalldata/ah-linux.args | 298 ++ .../all-ipv6-linux.args | 286 ++ .../all-linux.args | 280 ++ .../arp-linux.args | 215 + tests/nwfilterxml2nftfirewalldata/arp.xml | 27 + .../comment-linux.args | 483 +++ .../conntrack-linux.args | 198 + .../esp-ipv6-linux.args | 304 ++ .../esp-linux.args | 298 ++ .../example-1-linux.args | 266 ++ .../example-2-linux.args | 348 ++ .../hex-data-linux.args | 357 ++ .../icmp-direction-linux.args | 238 ++ .../icmp-direction2-linux.args | 238 ++ .../icmp-direction3-linux.args | 184 + .../icmp-linux.args | 252 ++ .../icmpv6-linux.args | 322 ++ .../igmp-linux.args | 298 ++ .../nwfilterxml2nftfirewalldata/ip-linux.args | 198 + .../ipt-no-macspoof-linux.args | 169 + .../ipv6-linux.args | 474 +++ .../iter1-linux.args | 298 ++ .../iter2-linux.args | 3598 +++++++++++++++++ .../iter3-linux.args | 418 ++ .../mac-linux.args | 180 + .../rarp-linux.args | 215 + .../sctp-ipv6-linux.args | 314 ++ .../sctp-linux.args | 314 ++ .../target-linux.args | 452 +++ .../target2-linux.args | 316 ++ .../tcp-ipv6-linux.args | 314 ++ .../tcp-linux.args | 468 +++ .../udp-ipv6-linux.args | 314 ++ .../udp-linux.args | 314 ++ .../udplite-ipv6-linux.args | 304 ++ .../udplite-linux.args | 298 ++ .../vlan-linux.args | 264 ++ tests/nwfilterxml2nftfirewalltest.c | 438 ++ 41 files changed, 15286 insertions(+) create mode 100644 tests/nwfilternftablestest.c create mode 100755 tests/nwfilterxml2nftfirewalldata/ah-ipv6-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/ah-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/all-ipv6-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/all-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/arp-linux.args create mode 100644 tests/nwfilterxml2nftfirewalldata/arp.xml create mode 100755 
tests/nwfilterxml2nftfirewalldata/comment-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/conntrack-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/esp-ipv6-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/esp-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/example-1-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/example-2-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/hex-data-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/icmp-direction-linux.= args create mode 100755 tests/nwfilterxml2nftfirewalldata/icmp-direction2-linux= .args create mode 100755 tests/nwfilterxml2nftfirewalldata/icmp-direction3-linux= .args create mode 100755 tests/nwfilterxml2nftfirewalldata/icmp-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/icmpv6-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/igmp-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/ip-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/ipt-no-macspoof-linux= .args create mode 100755 tests/nwfilterxml2nftfirewalldata/ipv6-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/iter1-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/iter2-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/iter3-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/mac-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/rarp-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/sctp-ipv6-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/sctp-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/target-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/target2-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/tcp-ipv6-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/tcp-linux.args create mode 100755 
tests/nwfilterxml2nftfirewalldata/udp-ipv6-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/udp-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/udplite-ipv6-linux.ar= gs create mode 100755 tests/nwfilterxml2nftfirewalldata/udplite-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/vlan-linux.args create mode 100644 tests/nwfilterxml2nftfirewalltest.c diff --git a/tests/meson.build b/tests/meson.build index 383a38a6ea..2bc81ba7e2 100644 --- a/tests/meson.build +++ b/tests/meson.build @@ -436,7 +436,9 @@ endif if conf.has('WITH_NWFILTER') tests +=3D [ { 'name': 'nwfilterebiptablestest', 'link_with': [ nwfilter_driver_imp= l ] }, + { 'name': 'nwfilternftablestest', 'link_with': [ nwfilter_driver_impl = ] }, { 'name': 'nwfilterxml2ebipfirewalltest', 'link_with': [ nwfilter_driv= er_impl ] }, + { 'name': 'nwfilterxml2nftfirewalltest', 'link_with': [ nwfilter_drive= r_impl ] }, ] endif =20 diff --git a/tests/nwfilternftablestest.c b/tests/nwfilternftablestest.c new file mode 100644 index 0000000000..8dfaec73d7 --- /dev/null +++ b/tests/nwfilternftablestest.c 
@@ -0,0 +1,428 @@ +/* + * nwfilternftablestest.c: Test nftables rule generation + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + * + */ + +#include + +#include "testutils.h" +#include "nwfilter/nwfilter_nftables_driver.h" +#include "virbuffer.h" + +#define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW +#include "vircommandpriv.h" + +#define VIR_FROM_THIS VIR_FROM_NONE + +#define EXISTING_TABLE \ + "table bridge %s { # handle 562\n" \ + " comment \"this table is managed by libvirt\"\n" \ + " map vmap-oif { # handle 1\n" \ + " type iface_index : verdict\n" \ + " elements =3D { \"vnet0\" : jump n-vnet0-in }\n" \ + " }\n" \ + "\n" \ + " map vmap-iif { # handle 2\n" \ + " type iface_index : verdict\n" \ + " elements =3D { \"vnet0\" : jump vnet0-out }\n" \ + " }\n" \ + "\n" \ + " chain postrouting { # handle 3\n" \ + " type filter hook postrouting priority 1; policy accept;\n" \ + " meta nftrace set 1 # handle 4\n" \ + " oif vmap @vmap-oif # handle 7\n" \ + " }\n" \ + "\n" \ + " chain prerouting { # handle 5\n" \ + " type filter hook prerouting priority 1; policy accept;\n" \ + " meta nftrace set 1 # handle 6\n" \ + " iif vmap @vmap-iif # handle 8\n" \ + " }\n" \ + "\n" \ + " chain n-vnet0-in { # handle 880\n" \ + " ether type ip jump vnet0-ipv4-in # handle 893\n" \ + " ether type ip6 jump vnet0-ipv6-in # handle 897\n" \ + " }\n" \ + "\n" \ + " chain vnet0-in { # handle 880\n" \ + " 
ether type ip jump vnet0-ipv4-in # handle 893\n" \ + " ether type ip6 jump vnet0-ipv6-in # handle 897\n" \ + " }\n" \ + "\n" \ + " chain vnet0-out { # handle 881\n" \ + " ip6 saddr 2a01:7c8:e100:1::78e2 tcp dport 465-465 ct directio= n original drop comment \"priority=3D100\" # handle 882\n" \ + " ip6 saddr 2a01:7c8:e100:1::78e2 tcp dport 587-587 ct directio= n original drop comment \"priority=3D100\" # handle 883\n" \ + " ip saddr 192.168.1.2 tcp dport 25-25 ct direction original dr= op comment \"priority=3D100\" # handle 884\n" \ + " ip saddr 192.168.1.2 tcp dport 587-587 ct direction original = drop comment \"priority=3D100\" # handle 885\n" \ + " ether type ip tcp dport 25-25 ct direction original drop comm= ent \"priority=3D100\" # handle 886\n" \ + " ether type ip6 tcp dport 25-25 ct direction original drop com= ment \"priority=3D100\" # handle 887\n" \ + " ip6 daddr 2a01:7c8:e100:1::78e2 tcp dport 465-465 ct directio= n original accept comment \"priority=3D100\" # handle 888\n" \ + " ip6 saddr 2a01:7c8:e100:1::78e2 udp dport 587-587 ct directio= n original drop comment \"priority=3D100\" # handle 889\n" \ + " ip saddr 192.168.1.2 udp dport 25-25 ct direction original co= ntinue comment \"priority=3D100\" # handle 890\n" \ + " ether type ip ct direction original continue comment \"priori= ty=3D100\" # handle 891\n" \ + " ether type ip jump vnet0-ipv4-out # handle 895\n" \ + " ether type ip6 jump vnet0-ipv6-out # handle 899\n" \ + " }\n" \ + "\n" \ + " chain vnet0-ipv4-in { # handle 892\n" \ + " ip saddr 192.168.1.1 tcp dport 4444 ct direction reply ct sta= te established,new accept comment \"priority=3D302\" # handle 902\n" \ + " ether type ip meta l4proto tcp ct direction reply drop commen= t \"priority=3D601\" # handle 904\n" \ + " ether type ip meta l4proto udp ct direction reply drop commen= t \"priority=3D603\" # handle 905\n" \ + " }\n" \ + "\n" \ + " chain vnet0-ipv4-out { # handle 894\n" \ + " ip protocol icmp ct count over 42 drop comment 
\"priority=3D4= 00\" # handle 903\n" \ + " }\n" \ + "\n" \ + " chain vnet0-ipv6-in { # handle 896\n" \ + " ip6 daddr fe80::5054:ff:fe60:baae udp sport 547 udp dport 546= ct direction reply accept comment \"priority=3D111\" # handle 901\n" \ + " }\n" \ + "\n" \ + " chain vnet0-ipv6-out { # handle 898\n" \ + " ip6 saddr fe80::5054:ff:fe60:baae ip6 daddr ff02::1:2 udp spo= rt 546 udp dport 547 ct direction original accept comment \"priority=3D110\= " # handle 900\n" \ + " }\n" \ + "}\n" + +#define OLD_REMOVES \ + "nft -a list table bridge libvirt-nwfilter-ethernet\n" \ + "nft -a list table bridge libvirt-nwfilter-other\n" \ + "nft delete chain bridge libvirt-nwfilter-ethernet vnet0-in\n" \ + "nft delete chain bridge libvirt-nwfilter-ethernet vnet0-out\n" \ + "nft delete chain bridge libvirt-nwfilter-ethernet vnet0-ipv4-in\n" \ + "nft delete chain bridge libvirt-nwfilter-ethernet vnet0-ipv4-out\n" \ + "nft delete chain bridge libvirt-nwfilter-ethernet vnet0-ipv6-in\n" \ + "nft delete chain bridge libvirt-nwfilter-ethernet vnet0-ipv6-out\n" \ + "nft delete chain bridge libvirt-nwfilter-other vnet0-in\n" \ + "nft delete chain bridge libvirt-nwfilter-other vnet0-out\n" \ + "nft delete chain bridge libvirt-nwfilter-other vnet0-ipv4-in\n" \ + "nft delete chain bridge libvirt-nwfilter-other vnet0-ipv4-out\n" \ + "nft delete chain bridge libvirt-nwfilter-other vnet0-ipv6-in\n" \ + "nft delete chain bridge libvirt-nwfilter-other vnet0-ipv6-out\n" + +static void +testCommandDryRunCallback(const char *const*args, + const char *const*env G_GNUC_UNUSED, + const char *input G_GNUC_UNUSED, + char **output, + char **error G_GNUC_UNUSED, + int *status, + void *opaque G_GNUC_UNUSED) +{ + size_t argc =3D 0; + const char *table; + + while (args[argc] !=3D NULL) + argc++; + + if (STRNEQ(args[0], "nft")) { + *status =3D EXIT_FAILURE; + return; + } + + /* simulate an empty existing set rules */ + if (argc =3D=3D 6 && STREQ(args[1], "-a") && STREQ(args[2], "list")) { + table =3D 
args[argc-1]; + *output =3D g_strdup_printf(EXISTING_TABLE, table); + *status =3D EXIT_SUCCESS; + } +} + + +static int +testNWFilterNFTablesAllTeardown(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D OLD_REMOVES; + g_autofree char *actual =3D NULL; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.allTeardown("vnet0") < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + +static int +testNWFilterNFTablesTearOldRules(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D + "nft -a list table bridge libvirt-nwfilter-ethernet\n" + "nft -a list table bridge libvirt-nwfilter-other\n" + OLD_REMOVES + "nft rename chain bridge libvirt-nwfilter-ethernet n-vnet0-in vnet= 0-in\n" + "nft rename chain bridge libvirt-nwfilter-other n-vnet0-in vnet0-i= n\n"; + g_autofree char *actual =3D NULL; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.tearOldRules("vnet0") < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + +static int +testNWFilterNFTablesRemoveBasicRules(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D OLD_REMOVES; + g_autofree char *actual =3D NULL; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.removeBasicRules("vnet0") < 0) + 
return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + +static int +testNWFilterNFTablesTearNewRules(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D + "nft -a list table bridge libvirt-nwfilter-ethernet\n" + "nft -a list table bridge libvirt-nwfilter-other\n"\ + "nft delete chain bridge libvirt-nwfilter-ethernet n-vnet0-in\n" + "nft delete chain bridge libvirt-nwfilter-other n-vnet0-in\n"; + g_autofree char *actual =3D NULL; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.tearNewRules("vnet0") < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + +static int +testNWFilterNFTablesApplyBasicRules(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D + OLD_REMOVES + "nft list tables\n" + "nft add chain bridge libvirt-nwfilter-ethernet vnet0-in '{ }'\n" + "nft add chain bridge libvirt-nwfilter-other vnet0-in '{ }'\n" + "nft add chain bridge libvirt-nwfilter-ethernet vnet0-out '{ }'\n" + "nft add chain bridge libvirt-nwfilter-other vnet0-out '{ }'\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out ether sad= dr '!=3D' 10:20:30:40:50:60 drop\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out ether typ= e ip accept\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out ether typ= e arp accept\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out accept\n" + "nft delete element bridge libvirt-nwfilter-other vmap-oif '{' vne= t0 '}'\n" + "nft add element bridge libvirt-nwfilter-other vmap-oif '{' vnet0 = : jump vnet0-in '}'\n" + "nft delete element bridge 
libvirt-nwfilter-ethernet vmap-oif '{' = vnet0 '}'\n" + "nft add element bridge libvirt-nwfilter-ethernet vmap-oif '{' vne= t0 : jump vnet0-in '}'\n" + "nft delete element bridge libvirt-nwfilter-other vmap-iif '{' vne= t0 '}'\n" + "nft add element bridge libvirt-nwfilter-other vmap-iif '{' vnet0 = : jump vnet0-out '}'\n" + "nft delete element bridge libvirt-nwfilter-ethernet vmap-iif '{' = vnet0 '}'\n" + "nft add element bridge libvirt-nwfilter-ethernet vmap-iif '{' vne= t0 : jump vnet0-out '}'\n"; + g_autofree char *actual =3D NULL; + virMacAddr mac =3D { .addr =3D { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } = }; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.applyBasicRules("vnet0", &mac) < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + +static int +testNWFilterNFTablesApplyDHCPOnlyRules(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D + OLD_REMOVES + "nft list tables\n" + "nft add chain bridge libvirt-nwfilter-ethernet vnet0-in '{ }'\n" + "nft add chain bridge libvirt-nwfilter-other vnet0-in '{ }'\n" + "nft add chain bridge libvirt-nwfilter-ethernet vnet0-out '{ }'\n" + "nft add chain bridge libvirt-nwfilter-other vnet0-out '{ }'\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out ether sad= dr 10:20:30:40:50:60 ether type ip udp sport 68 udp dport 67 accept\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out drop\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in ether dadd= r 10:20:30:40:50:60 ether type ip ip saddr 192.168.122.1 udp sport 67 udp d= port 68 accept\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in ether dadd= r ff:ff:ff:ff:ff:ff ether type ip ip saddr 192.168.122.1 udp sport 67 udp d= 
port 68 accept\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in ether dadd= r 10:20:30:40:50:60 ether type ip ip saddr 10.0.0.1 udp sport 67 udp dport = 68 accept\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in ether dadd= r ff:ff:ff:ff:ff:ff ether type ip ip saddr 10.0.0.1 udp sport 67 udp dport = 68 accept\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in ether dadd= r 10:20:30:40:50:60 ether type ip ip saddr 10.0.0.2 udp sport 67 udp dport = 68 accept\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in ether dadd= r ff:ff:ff:ff:ff:ff ether type ip ip saddr 10.0.0.2 udp sport 67 udp dport = 68 accept\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in drop\n" + "nft delete element bridge libvirt-nwfilter-other vmap-oif '{' vne= t0 '}'\n" + "nft add element bridge libvirt-nwfilter-other vmap-oif '{' vnet0 = : jump vnet0-in '}'\n" + "nft delete element bridge libvirt-nwfilter-ethernet vmap-oif '{' = vnet0 '}'\n" + "nft add element bridge libvirt-nwfilter-ethernet vmap-oif '{' vne= t0 : jump vnet0-in '}'\n" + "nft delete element bridge libvirt-nwfilter-other vmap-iif '{' vne= t0 '}'\n" + "nft add element bridge libvirt-nwfilter-other vmap-iif '{' vnet0 = : jump vnet0-out '}'\n" + "nft delete element bridge libvirt-nwfilter-ethernet vmap-iif '{' = vnet0 '}'\n" + "nft add element bridge libvirt-nwfilter-ethernet vmap-iif '{' vne= t0 : jump vnet0-out '}'\n"; + g_autofree char *actual =3D NULL; + virMacAddr mac =3D { .addr =3D { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } = }; + const char *servers[] =3D { "192.168.122.1", "10.0.0.1", "10.0.0.2" }; + virNWFilterVarValue val =3D { + .valType =3D NWFILTER_VALUE_TYPE_ARRAY, + .u =3D { + .array =3D { + .values =3D (char **)servers, + .nValues =3D 3, + } + } + }; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if 
(nftables_driver.applyDHCPOnlyRules("vnet0", &mac, &val, false) < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + + +static int +testNWFilterNFTablesApplyDropAllRules(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D + OLD_REMOVES + "nft list tables\n" + "nft add chain bridge libvirt-nwfilter-ethernet vnet0-in '{ }'\n" + "nft add chain bridge libvirt-nwfilter-other vnet0-in '{ }'\n" + "nft add chain bridge libvirt-nwfilter-ethernet vnet0-out '{ }'\n" + "nft add chain bridge libvirt-nwfilter-other vnet0-out '{ }'\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-out drop\n" + "nft add rule bridge libvirt-nwfilter-ethernet vnet0-in drop\n" + "nft delete element bridge libvirt-nwfilter-other vmap-oif '{' vne= t0 '}'\n" + "nft add element bridge libvirt-nwfilter-other vmap-oif '{' vnet0 = : jump vnet0-in '}'\n" + "nft delete element bridge libvirt-nwfilter-ethernet vmap-oif '{' = vnet0 '}'\n" + "nft add element bridge libvirt-nwfilter-ethernet vmap-oif '{' vne= t0 : jump vnet0-in '}'\n" + "nft delete element bridge libvirt-nwfilter-other vmap-iif '{' vne= t0 '}'\n" + "nft add element bridge libvirt-nwfilter-other vmap-iif '{' vnet0 = : jump vnet0-out '}'\n" + "nft delete element bridge libvirt-nwfilter-ethernet vmap-iif '{' = vnet0 '}'\n" + "nft add element bridge libvirt-nwfilter-ethernet vmap-iif '{' vne= t0 : jump vnet0-out '}'\n"; + g_autofree char *actual =3D NULL; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.applyDropAllRules("vnet0") < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + +static int +mymain(void) +{ + int ret =3D 
0; + + if (virTestRun("nftablesAllTeardown", + testNWFilterNFTablesAllTeardown, + NULL) < 0) + ret =3D -1; + + if (virTestRun("nftablesTearOldRules", + testNWFilterNFTablesTearOldRules, + NULL) < 0) + ret =3D -1; + + if (virTestRun("nftablesRemoveBasicRules", + testNWFilterNFTablesRemoveBasicRules, + NULL) < 0) + ret =3D -1; + + if (virTestRun("nftablesTearNewRules", + testNWFilterNFTablesTearNewRules, + NULL) < 0) + ret =3D -1; + + if (virTestRun("nftablesApplyBasicRules", + testNWFilterNFTablesApplyBasicRules, + NULL) < 0) + ret =3D -1; + + if (virTestRun("nftablesApplyDHCPOnlyRules", + testNWFilterNFTablesApplyDHCPOnlyRules, + NULL) < 0) + ret =3D -1; + + if (virTestRun("nftablesApplyDropAllRules", + testNWFilterNFTablesApplyDropAllRules, + NULL) < 0) + ret =3D -1; + + return ret =3D=3D 0 ? EXIT_SUCCESS : EXIT_FAILURE; +} + +VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virfirewall")) diff --git a/tests/nwfilterxml2nftfirewalldata/ah-ipv6-linux.args b/tests/n= wfilterxml2nftfirewalldata/ah-ipv6-linux.args new file mode 100755 index 0000000000..4a59213758 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/ah-ipv6-linux.args 
@@ -0,0 +1,304 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' 
+nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/ah-linux.args b/tests/nwfilt= erxml2nftfirewalldata/ah-linux.args new file mode 100755 index 0000000000..2cd4ea4604 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/ah-linux.args 
@@ -0,0 +1,298 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ 
+add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/all-ipv6-linux.args b/tests/= nwfilterxml2nftfirewalldata/all-ipv6-linux.args new file mode 100755 index 0000000000..426169a28d --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/all-ipv6-linux.args 
@@ -0,0 +1,286 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ 
+libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/all-linux.args b/tests/nwfil= terxml2nftfirewalldata/all-linux.args new file mode 100755 index 0000000000..ff8509e85e --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/all-linux.args 
@@ -0,0 +1,280 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ 
+libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/arp-linux.args b/tests/nwfil= terxml2nftfirewalldata/arp-linux.args new file mode 100755 index 0000000000..254e635294 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/arp-linux.args 
@@ -0,0 +1,215 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x806 \ +'arp htype' \ +12 \ +'arp operation' \ +1 \ +'arp ptype' \ +0x22 \ +'ether saddr' \ +01:02:03:04:05:06 \ +'ether daddr' \ +0a:0b:0c:0d:0e:0f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +'arp htype' \ +255 \ +'arp operation' \ +1 \ +'arp ptype' \ +0xff \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +'arp htype' \ +256 \ +'arp operation' \ +11 \ +'arp ptype' \ +0x100 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +'arp htype' \ +65535 \ +'arp operation' \ +65535 \ +'arp ptype' \ +0xffff \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ 
+libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/arp.xml b/tests/nwfilterxml2= nftfirewalldata/arp.xml new file mode 100644 index 0000000000..ba68f6d7cc --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/arp.xml @@ -0,0 +1,27 @@ + + 5c6d49af-b071-6127-b4ec-6f8ed4b55335 + + + + + + + + + + + + + + + + diff --git a/tests/nwfilterxml2nftfirewalldata/comment-linux.args b/tests/n= wfilterxml2nftfirewalldata/comment-linux.args new file mode 100755 index 0000000000..ef6c4ed68b --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/comment-linux.args 
@@ -0,0 +1,483 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +'ether type' \ +0x1234 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +daddr \ +10.1.2.3/32 \ +'ip protocol' \ +17 \ +'th sport' \ +291-564 \ +'th dport' \ +13398-17767 \ +'ip dscp' \ +0x32 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:fe =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:80 =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/22 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/113 \ +'ip6 nexthdr' \ +6 \ +'th sport' \ +273-400 \ +'th dport' \ +13107-65535 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x806 \ +'arp htype' \ +18 \ +'arp operation' \ +1 \ +'arp ptype' \ +0x56 \ +'ether saddr' \ +01:02:03:04:05:06 \ +'ether daddr' \ +0a:0b:0c:0d:0e:0f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +34 \ +'udp dport' \ +564-1092 \ +'udp sport' \ +291-400 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dudp rule"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ 
+ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +34 \ +'udp sport' \ +564-1092 \ +'udp dport' \ +291-400 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dudp rule"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +'tcp dport' \ +256-4369 \ +'tcp sport' \ +32-33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dtcp/ipv6 rule"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +'tcp sport' \ +256-4369 \ +'tcp dport' \ +32-33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dtcp/ipv6 rule"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3D`ls`;${COLUMNS};$(ls);'\''test'\'';&'\''3 = spaces'\''"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3D`ls`;${COLUMNS};$(ls);'\''test'\'';&'\''3 = spaces'\''"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dcomment with lone '\'', `, '\'', `, \, $x, = and two spaces"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 
\ +meta \ +l4proto \ +sctp \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dcomment with lone '\'', `, '\'', `, \, $x, = and two spaces"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dtmp=3D`mktemp`; echo ${RANDOM} > ${tmp} ; c= at < ${tmp}; rm -f ${tmp}"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dtmp=3D`mktemp`; echo ${RANDOM} > ${tmp} ; c= at < ${tmp}; rm -f ${tmp}"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif 
\ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/conntrack-linux.args b/tests= /nwfilterxml2nftfirewalldata/conntrack-linux.args new file mode 100755 index 0000000000..e5e22a3460 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/conntrack-linux.args 
@@ -0,0 +1,198 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +count \ +over \ +1 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ct \ +count \ +over \ +2 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft 
\ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/esp-ipv6-linux.args b/tests/= nwfilterxml2nftfirewalldata/esp-ipv6-linux.args new file mode 100755 index 0000000000..ede39e4c4b --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/esp-ipv6-linux.args 
@@ -0,0 +1,304 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ 
+'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/esp-linux.args b/tests/nwfil= terxml2nftfirewalldata/esp-linux.args new file mode 100755 index 0000000000..500d069b80 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/esp-linux.args 
@@ -0,0 +1,298 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in 
+nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/example-1-linux.args b/tests= /nwfilterxml2nftfirewalldata/example-1-linux.args new file mode 100755 index 0000000000..963d77b7c9 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/example-1-linux.args 
@@ -0,0 +1,266 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp dport' \ +22 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D100"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp sport' \ +22 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D100"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D200"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D200"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D300"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D300"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D1000"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D1000"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ 
+'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/example-2-linux.args b/tests= /nwfilterxml2nftfirewalldata/example-2-linux.args new file mode 100755 index 0000000000..ffff3f1628 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/example-2-linux.args 
@@ -0,0 +1,348 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +established,related \ +accept \ +comment \ +'"priority=3D100,usercomment=3Dout: existing and related (ftp) connections= "' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established,related \ +accept \ +comment \ +'"priority=3D100,usercomment=3Dout: existing and related (ftp) connections= "' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D100,usercomment=3Din: existing connections"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D100,usercomment=3Din: existing connections"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp dport' \ +21-22 \ +ct \ +direction \ +original \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D200,usercomment=3Din: ftp and ssh"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp sport' \ +21-22 \ +ct \ +direction \ +reply \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D200,usercomment=3Din: ftp and ssh"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D300,usercomment=3Din: icmp"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D300,usercomment=3Din: icmp"' +nft \ +add \ +rule \ +bridge \ 
+libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'udp dport' \ +53 \ +ct \ +direction \ +original \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D300,usercomment=3Dout: DNS lookups"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'udp sport' \ +53 \ +ct \ +direction \ +reply \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D300,usercomment=3Dout: DNS lookups"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D1000,usercomment=3Dinout: drop all non-accepted traffic"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D1000,usercomment=3Dinout: drop all non-accepted traffic"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ 
+element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/hex-data-linux.args b/tests/= nwfilterxml2nftfirewalldata/hex-data-linux.args new file mode 100755 index 0000000000..c14b85460a --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/hex-data-linux.args 
@@ -0,0 +1,357 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +'ether type' \ +0x1234 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +daddr \ +10.1.2.3/32 \ +'ip protocol' \ +17 \ +'th sport' \ +291-564 \ +'th dport' \ +13398-17767 \ +'ip dscp' \ +0x32 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:fe =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:80 =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/22 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/113 \ +'ip6 nexthdr' \ +6 \ +'th sport' \ +273-400 \ +'th dport' \ +13107-65535 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x806 \ +'arp htype' \ +18 \ +'arp operation' \ +1 \ +'arp ptype' \ +0x56 \ +'ether saddr' \ +01:02:03:04:05:06 \ +'ether daddr' \ +0a:0b:0c:0d:0e:0f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +34 \ +'udp dport' \ +564-1092 \ +'udp sport' \ +291-400 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ 
+10.1.2.3/32 \ +ip \ +dscp \ +34 \ +'udp sport' \ +564-1092 \ +'udp dport' \ +291-400 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +'tcp dport' \ +256-4369 \ +'tcp sport' \ +32-33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +'tcp sport' \ +256-4369 \ +'tcp dport' \ +32-33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump 
\ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/icmp-direction-linux.args b/= tests/nwfilterxml2nftfirewalldata/icmp-direction-linux.args new file mode 100755 index 0000000000..cfa1afd466 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/icmp-direction-linux.args 
@@ -0,0 +1,238 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ 
+bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/icmp-direction2-linux.args b= /tests/nwfilterxml2nftfirewalldata/icmp-direction2-linux.args new file mode 100755 index 0000000000..56c30766ac --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/icmp-direction2-linux.args 
@@ -0,0 +1,238 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ 
+bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/icmp-direction3-linux.args b= /tests/nwfilterxml2nftfirewalldata/icmp-direction3-linux.args new file mode 100755 index 0000000000..6de47f0994 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/icmp-direction3-linux.args 
@@ -0,0 +1,184 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ 
+'}' diff --git a/tests/nwfilterxml2nftfirewalldata/icmp-linux.args b/tests/nwfi= lterxml2nftfirewalldata/icmp-linux.args new file mode 100755 index 0000000000..a5aba05334 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/icmp-linux.args 
@@ -0,0 +1,252 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +icmp \ +type \ +12 \ +icmp \ +code \ +11 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +icmp \ +type \ +12 \ +icmp \ +code \ +11 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +icmp \ +type \ +255 \ +icmp \ +code \ +255 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +icmp \ +type \ +255 \ +icmp \ +code \ +255 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ 
+add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/icmpv6-linux.args b/tests/nw= filterxml2nftfirewalldata/icmpv6-linux.args new file mode 100755 index 0000000000..baaab3a720 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/icmpv6-linux.args 
@@ -0,0 +1,322 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +icmpv6 \ +type \ +12 \ +icmpv6 \ +code \ +11 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +icmpv6 \ +type \ +12 \ +icmpv6 \ +code \ +11 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ 
+dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/igmp-linux.args b/tests/nwfi= lterxml2nftfirewalldata/igmp-linux.args new file mode 100755 index 0000000000..4f8de57a39 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/igmp-linux.args 
@@ -0,0 +1,298 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ 
+n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/ip-linux.args b/tests/nwfilt= erxml2nftfirewalldata/ip-linux.args new file mode 100755 index 0000000000..c4951b0d45 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/ip-linux.args 
@@ -0,0 +1,198 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +daddr \ +10.1.2.3/32 \ +'ip protocol' \ +17 \ +'th sport' \ +20-22 \ +'th dport' \ +100-101 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +saddr \ +10.1.2.3/17 \ +ip \ +daddr \ +10.1.2.3/24 \ +'ip protocol' \ +17 \ +'ip dscp' \ +0x3f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +saddr \ +10.1.2.3/31 \ +ip \ +daddr \ +10.1.2.3/25 \ +'ip protocol' \ +255 \ +'ip dscp' \ +0x3f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ 
+n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/ipt-no-macspoof-linux.args b= /tests/nwfilterxml2nftfirewalldata/ipt-no-macspoof-linux.args new file mode 100755 index 0000000000..2646905c98 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/ipt-no-macspoof-linux.args 
@@ -0,0 +1,169 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +'!=3D' \ +12:34:56:78:9a:bc \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +'!=3D' \ +12:34:56:78:9a:bc \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +'!=3D' \ +aa:aa:aa:aa:aa:aa \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' 
diff --git a/tests/nwfilterxml2nftfirewalldata/ipv6-linux.args b/tests/nwfi= lterxml2nftfirewalldata/ipv6-linux.args new file mode 100755 index 0000000000..5b1715f687 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/ipv6-linux.args 
@@ -0,0 +1,474 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:fe =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:80 =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/22 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/113 \ +'ip6 nexthdr' \ +17 \ +'th sport' \ +20-22 \ +'th dport' \ +100-101 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +6 \ +'th sport' \ +20-22 \ +'th dport' \ +100-101 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +6 \ +'th dport' \ +20-22 \ +'th sport' \ +100-101 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +6 \ +'th sport' \ +255-256 \ +'th dport' \ +65535-65535 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +6 \ +'th dport' \ +255-256 \ +'th sport' \ +65535-65535 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +18 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +18 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ 
+bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 type' \ +1 \ +'icmpv6 code' \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 type' \ +1 \ +'icmpv6 code' \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 type' \ +1 \ +'icmpv6 code' \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 type' \ +1 \ +'icmpv6 code' \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 code' \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 code' \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 type' \ +1 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 type' \ +1 \ +accept \ +comment \ 
+'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/iter1-linux.args b/tests/nwf= ilterxml2nftfirewalldata/iter1-linux.args new file mode 100755 index 0000000000..18a8c2e166 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/iter1-linux.args 
@@ -0,0 +1,298 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ 
+element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/iter2-linux.args b/tests/nwf= ilterxml2nftfirewalldata/iter2-linux.args new file mode 100755 index 0000000000..8391f933d5 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/iter2-linux.args 
@@ -0,0 +1,3598 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +1 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +1 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +1 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +1 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +'udp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ 
+new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +'udp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +'udp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +'udp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +'udp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +'udp dport' \ +90 \ +ct \ 
+direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +'udp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +'udp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1080 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1080 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ 
+sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1080 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1080 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1080 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1080 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1090 \ +'sctp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1090 \ +'sctp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1090 \ +'sctp sport' \ +90 \ +ct 
\ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1090 \ +'sctp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1090 \ +'sctp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1090 \ +'sctp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1100 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1100 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1100 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' 
+nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1100 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1100 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1100 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1110 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1110 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1110 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ 
+l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1110 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1110 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1110 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1080 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1080 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1080 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1080 \ +'tcp dport' \ +80 \ +ct \ 
+direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1080 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1080 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1080 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1080 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1080 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1080 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ 
+bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1080 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1080 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1090 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1090 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1090 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1090 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ 
+3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1090 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1090 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1090 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1090 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1090 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1090 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1090 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ 
+new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1090 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1100 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1100 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1100 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1100 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1100 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ 
+n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1100 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1100 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1100 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1100 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1100 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1100 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' 
\ +1100 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1110 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1110 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1110 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1110 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1110 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1110 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ 
+'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1110 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1110 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1110 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1110 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1110 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1110 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta 
\ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ 
+libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ 
+comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +6 \ 
+ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ 
+bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/iter3-linux.args b/tests/nwf= ilterxml2nftfirewalldata/iter3-linux.args new file mode 100755 index 0000000000..d4446f13ed --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/iter3-linux.args 
@@ -0,0 +1,418 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ 
+new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1100 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1100 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ 
+libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/mac-linux.args b/tests/nwfil= terxml2nftfirewalldata/mac-linux.args new file mode 100755 index 0000000000..d5a7083019 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/mac-linux.args 
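Review bot: the trailing block of iter3-linux.args (and the same block at the end of every other fixture in this patch) expects both an explicit `postrouting oif vnet0 jump n-vnet0-in` rule and a `vmap-oif { vnet0 : jump n-vnet0-in }` element in each of libvirt-nwfilter-other and libvirt-nwfilter-ethernet, plus the mirror pair for prerouting/vmap-iif; if the vmap is consulted from those same base chains, every frame traverses the per-interface chain twice, so the expected output should settle on one dispatch mechanism or the fixture should state why both are needed. The `delete element ... vmap-oif { vnet0 }` that precedes each `add element` also errors out when the element does not exist yet (first attach on a fresh table), so it is worth confirming that the harness treats that failure the same way the runtime does.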
@@ -0,0 +1,180 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +'ether type' \ +0x806 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +'ether type' \ +0x800 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +'ether type' \ +0x600 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +'ether type' \ +0xffff \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ 
+libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/rarp-linux.args b/tests/nwfi= lterxml2nftfirewalldata/rarp-linux.args new file mode 100755 index 0000000000..fbeae86d98 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/rarp-linux.args 
@@ -0,0 +1,215 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8035 \ +'arp htype' \ +12 \ +'arp operation' \ +1 \ +'arp ptype' \ +0x22 \ +'ether saddr' \ +01:02:03:04:05:06 \ +'ether daddr' \ +0a:0b:0c:0d:0e:0f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x8035 \ +'arp htype' \ +255 \ +'arp operation' \ +1 \ +'arp ptype' \ +0xff \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x8035 \ +'arp htype' \ +256 \ +'arp operation' \ +11 \ +'arp ptype' \ +0x100 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x8035 \ +'arp htype' \ +65535 \ +'arp operation' \ +65535 \ +'arp ptype' \ +0xffff \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ 
+libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/sctp-ipv6-linux.args b/tests= /nwfilterxml2nftfirewalldata/sctp-ipv6-linux.args new file mode 100755 index 0000000000..0898cdcb82 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/sctp-ipv6-linux.args 
@@ -0,0 +1,314 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +'sctp dport' \ +100-1111 \ +'sctp sport' \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +'sctp sport' \ +100-1111 \ +'sctp dport' \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +'sctp dport' \ +65535-65535 \ +'sctp sport' \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ 
+63 \ +'sctp sport' \ +65535-65535 \ +'sctp dport' \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/sctp-linux.args b/tests/nwfi= lterxml2nftfirewalldata/sctp-linux.args new file mode 100755 index 0000000000..34bffb804a --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/sctp-linux.args 
@@ -0,0 +1,314 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +'sctp dport' \ +100-1111 \ +'sctp sport' \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +'sctp sport' \ +100-1111 \ +'sctp dport' \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +'sctp dport' \ +65535-65535 \ +'sctp sport' \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +'sctp sport' \ +65535-65535 \ +'sctp 
dport' \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/target-linux.args b/tests/nw= filterxml2nftfirewalldata/target-linux.args new file mode 100755 index 0000000000..d4b0c0f70f --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/target-linux.args 
@@ -0,0 +1,452 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +drop \ +comment \ +'"priority=3D500,usercomment=3Ddrop rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +drop \ +comment \ +'"priority=3D500,usercomment=3Dreject rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir in"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir in"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ 
+33 \ +drop \ +comment \ +'"priority=3D500,usercomment=3Ddrop rule -- dir in"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +drop \ +comment \ +'"priority=3D500,usercomment=3Dreject rule -- dir in"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D500,usercomment=3Ddrop rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D500,usercomment=3Dreject rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +'ether type' \ +0x806 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +'ether type' \ +0x806 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +'ether type' \ +0x806 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +'ether type' \ +0x800 \ +accept \ +comment \ +'"priority=3D500"' 
+nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +'ether type' \ +0x800 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +'ether type' \ +0x800 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/target2-linux.args b/tests/n= wfilterxml2nftfirewalldata/target2-linux.args new file mode 100755 index 0000000000..33fb4351ca --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/target2-linux.args 
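Review bot: in target-linux.args the expectations commented `drop rule -- dir inout` and `reject rule -- dir inout` add a rule only to n-vnet0-in, while the matching `accept rule -- dir inout` adds one to both n-vnet0-in and n-vnet0-out; an inout drop that is installed in one direction only leaves the other direction unfiltered, so either the fixture is missing the n-vnet0-out copies or the generator is. Separately, every rule commented `reject rule` (dir out, dir in and dir inout, and the ethernet 0x806 variant) is emitted as `drop` rather than `reject`; if mapping reject to drop is deliberate for the bridge family, the commit message or a comment in the fixture should say so, because the action applied then differs from what the filter XML requests.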
@@ -0,0 +1,316 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp dport' \ +22 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp sport' \ +22 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp sport' \ +22 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp dport' \ +22 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp dport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp sport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other 
\ +n-vnet0-out \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/tcp-ipv6-linux.args b/tests/= nwfilterxml2nftfirewalldata/tcp-ipv6-linux.args new file mode 100755 index 0000000000..47dbed5a14 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/tcp-ipv6-linux.args 
@@ -0,0 +1,314 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +'tcp dport' \ +100-1111 \ +'tcp sport' \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +'tcp sport' \ +100-1111 \ +'tcp dport' \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +'tcp dport' \ +65535-65535 \ +'tcp sport' \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +'tcp 
sport' \ +65535-65535 \ +'tcp dport' \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/tcp-linux.args b/tests/nwfil= terxml2nftfirewalldata/tcp-linux.args new file mode 100755 index 0000000000..6ccc0fd7dc --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/tcp-linux.args 
@@ -0,0 +1,468 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +'tcp dport' \ +100-1111 \ +'tcp sport' \ +20-21 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +'tcp dport' \ +65535-65535 \ +'tcp sport' \ +255-256 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +syn \ +=3D=3D \ +'{' \ +'*' \ +'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +syn \ +=3D=3D \ +'{' \ +'*' \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +syn \ +=3D=3D \ +'{' \ +syn,ack \ 
+'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +syn \ +=3D=3D \ +'{' \ +syn,ack \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +rst \ +=3D=3D \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +rst \ +=3D=3D \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +psh \ +=3D=3D \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +psh \ +=3D=3D \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ 
+bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/udp-ipv6-linux.args b/tests/= nwfilterxml2nftfirewalldata/udp-ipv6-linux.args new file mode 100755 index 0000000000..7bb8813ed8 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/udp-ipv6-linux.args 
@@ -0,0 +1,314 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::a:b:c/128 \ +ip6 \ +dscp \ +33 \ +'udp dport' \ +100-1111 \ +'udp sport' \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::a:b:c/128 \ +ip6 \ +dscp \ +33 \ +'udp sport' \ +100-1111 \ +'udp dport' \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +'udp dport' \ +65535-65535 \ +'udp sport' \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +'udp 
sport' \ +65535-65535 \ +'udp dport' \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/udp-linux.args b/tests/nwfil= terxml2nftfirewalldata/udp-linux.args new file mode 100755 index 0000000000..bff4d8ad97 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/udp-linux.args 
@@ -0,0 +1,314 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +'udp dport' \ +100-1111 \ +'udp sport' \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +'udp sport' \ +100-1111 \ +'udp dport' \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +'udp dport' \ +65535-65535 \ +'udp sport' \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +'udp sport' \ +65535-65535 \ +'udp dport' \ 
+255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/udplite-ipv6-linux.args b/te= sts/nwfilterxml2nftfirewalldata/udplite-ipv6-linux.args new file mode 100755 index 0000000000..354cf9e251 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/udplite-ipv6-linux.args 
@@ -0,0 +1,304 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ 
+comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/udplite-linux.args b/tests/n= wfilterxml2nftfirewalldata/udplite-linux.args new file mode 100755 index 0000000000..97e06609aa --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/udplite-linux.args 
@@ -0,0 +1,298 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 
\ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/vlan-linux.args b/tests/nwfi= lterxml2nftfirewalldata/vlan-linux.args new file mode 100755 index 0000000000..8075637e4c --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/vlan-linux.args 
@@ -0,0 +1,264 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan id' \ +291 \ +continue \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan id' \ +291 \ +continue \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan id' \ +1234 \ +return \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan id' \ +1234 \ +return \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan id' \ +291 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan type' \ +2054 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& 
ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan type' \ +4660 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalltest.c b/tests/nwfilterxml2nftfir= ewalltest.c new file mode 100644 index 0000000000..b65a346646 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalltest.c 
@@ -0,0 +1,438 @@ +/* + * nwfilterxml2nftfirewalltest.c: Test iptables rule generation + * + * Copyright (C) 2014 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + * + */ + +#include + +#if defined (__linux__) + +# include "testutils.h" +# include "nwfilter/nwfilter_nftables_driver.h" +# include "virbuffer.h" + +# define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW +# include "vircommandpriv.h" + +# define VIR_FROM_THIS VIR_FROM_NONE + +# ifdef __linux__ +# define RULESTYPE "linux" +# else +# error "test case not ported to this platform" +# endif + +typedef struct _virNWFilterInst virNWFilterInst; +struct _virNWFilterInst { + virNWFilterDef **filters; + size_t nfilters; + virNWFilterRuleInst **rules; + size_t nrules; +}; + +/* + * Some sets of rules that will be common to all test files, + * so we don't bother including them in the test data files + * as that would just bloat them + */ + +static const char *commonRules[] =3D { + "nft \\\nlist \\\ntables\n" + "nft \\\nlist \\\nchains\n" + "nft \\\nadd \\\ntable \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\n'{= comment \"this table is managed by libvirt\"; }'\n" + "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\nvmap= -oif \\\n'{ type iface_index: verdict; }'\n" + "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\nvmap= -iif \\\n'{ type iface_index: verdict; }'\n" + "nft \\\nadd \\\nchain 
\\\nbridge \\\nlibvirt-nwfilter-ethernet \\\npo= strouting \\\n'{ type filter hook postrouting priority 0; policy accept; }= '\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\npr= erouting \\\n'{ type filter hook prerouting priority 0; policy accept; }'\= n" + "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\npos= trouting \\\noif \\\nvmap \\\n@vmap-oif\n" + "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\npre= routing \\\niif \\\nvmap \\\n@vmap-iif\n" + "nft \\\nadd \\\ntable \\\nbridge \\\nlibvirt-nwfilter-other \\\n'{ co= mment \"this table is managed by libvirt\"; }'\n" + "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt-nwfilter-other \\\nvmap-oi= f \\\n'{ type iface_index: verdict; }'\n", + "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt-nwfilter-other \\\nvmap-ii= f \\\n'{ type iface_index: verdict; }'\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-other \\\npostr= outing \\\n'{ type filter hook postrouting priority 1; policy accept; }'\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-other \\\nprero= uting \\\n'{ type filter hook prerouting priority 1; policy accept; }'\n" + "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt-nwfilter-other \\\npostro= uting \\\noif \\\nvmap \\\n@vmap-oif\n" + "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt-nwfilter-other \\\nprerou= ting \\\niif \\\nvmap \\\n@vmap-iif\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\nn-= vnet0-in \\\n'{ }'\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-other \\\nn-vne= t0-in \\\n'{ }'\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-ethernet \\\nn-= vnet0-out \\\n'{ }'\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt-nwfilter-other \\\nn-vne= t0-out \\\n'{ }'\n", +}; + + +static GHashTable * +virNWFilterCreateVarsFrom(GHashTable *vars1, + GHashTable *vars2) +{ + g_autoptr(GHashTable) res =3D virHashNew(virNWFilterVarValueHashFree); + + if (virNWFilterHashTablePutAll(vars1, res) < 
0) + return NULL; + + if (virNWFilterHashTablePutAll(vars2, res) < 0) + return NULL; + + return g_steal_pointer(&res); +} + + +static void +virNWFilterRuleInstFree(virNWFilterRuleInst *inst) +{ + if (!inst) + return; + + g_clear_pointer(&inst->vars, g_hash_table_unref); + g_free(inst); +} + + +static void +virNWFilterInstReset(virNWFilterInst *inst) +{ + size_t i; + + for (i =3D 0; i < inst->nfilters; i++) + virNWFilterDefFree(inst->filters[i]); + VIR_FREE(inst->filters); + inst->nfilters =3D 0; + + for (i =3D 0; i < inst->nrules; i++) + virNWFilterRuleInstFree(inst->rules[i]); + VIR_FREE(inst->rules); + inst->nrules =3D 0; +} + + +static int +virNWFilterDefToInst(const char *xml, + GHashTable *vars, + virNWFilterInst *inst); + +static int +virNWFilterRuleDefToRuleInst(virNWFilterDef *def, + virNWFilterRuleDef *rule, + GHashTable *vars, + virNWFilterInst *inst) +{ + virNWFilterRuleInst *ruleinst; + int ret =3D -1; + + ruleinst =3D g_new0(virNWFilterRuleInst, 1); + + ruleinst->chainSuffix =3D def->chainsuffix; + ruleinst->chainPriority =3D def->chainPriority; + ruleinst->def =3D rule; + ruleinst->priority =3D rule->priority; + ruleinst->vars =3D virHashNew(virNWFilterVarValueHashFree); + + if (virNWFilterHashTablePutAll(vars, ruleinst->vars) < 0) + goto cleanup; + + VIR_APPEND_ELEMENT(inst->rules, inst->nrules, ruleinst); + + ret =3D 0; + cleanup: + virNWFilterRuleInstFree(ruleinst); + return ret; +} + + +static int +virNWFilterIncludeDefToRuleInst(virNWFilterIncludeDef *inc, + GHashTable *vars, + virNWFilterInst *inst) +{ + g_autoptr(GHashTable) tmpvars =3D NULL; + int ret =3D -1; + g_autofree char *xml =3D NULL; + + xml =3D g_strdup_printf("%s/nwfilterxml2firewalldata/%s.xml", abs_srcd= ir, + inc->filterref); + + /* create a temporary hashmap for depth-first tree traversal */ + if (!(tmpvars =3D virNWFilterCreateVarsFrom(inc->params, + vars))) + goto cleanup; + + if (virNWFilterDefToInst(xml, + tmpvars, + inst) < 0) + goto cleanup; + + ret =3D 0; + cleanup: + if 
(ret < 0) + virNWFilterInstReset(inst); + return ret; +} + +static int +virNWFilterDefToInst(const char *xml, + GHashTable *vars, + virNWFilterInst *inst) +{ + size_t i; + int ret =3D -1; + virNWFilterDef *def =3D virNWFilterDefParse(NULL, xml, 0); + + if (!def) + return -1; + + VIR_APPEND_ELEMENT_COPY(inst->filters, inst->nfilters, def); + + for (i =3D 0; i < def->nentries; i++) { + if (def->filterEntries[i]->rule) { + if (virNWFilterRuleDefToRuleInst(def, + def->filterEntries[i]->rule, + vars, + inst) < 0) + goto cleanup; + } else if (def->filterEntries[i]->include) { + if (virNWFilterIncludeDefToRuleInst(def->filterEntries[i]->inc= lude, + vars, + inst) < 0) + goto cleanup; + } + } + + ret =3D 0; + cleanup: + if (ret < 0) + virNWFilterInstReset(inst); + return ret; +} + + +static void testRemoveCommonRules(char *rules) +{ + size_t i; + char *offset =3D rules; + + for (i =3D 0; i < G_N_ELEMENTS(commonRules); i++) { + char *tmp =3D strstr(offset, commonRules[i]); + size_t len =3D strlen(commonRules[i]); + if (tmp) { + memmove(tmp, tmp + len, (strlen(tmp) + 1) - len); + offset =3D tmp; + } + } +} + + +static int testSetOneParameter(GHashTable *vars, + const char *name, + const char *value) +{ + virNWFilterVarValue *val; + + if ((val =3D virHashLookup(vars, name)) =3D=3D NULL) { + val =3D virNWFilterVarValueCreateSimpleCopyValue(value); + if (!val) + return -1; + if (virHashUpdateEntry(vars, name, val) < 0) { + virNWFilterVarValueFree(val); + return -1; + } + } else { + if (virNWFilterVarValueAddValueCopy(val, value) < 0) + return -1; + } + + return 0; +} + +static int testSetDefaultParameters(GHashTable *vars) +{ + if (testSetOneParameter(vars, "IPSETNAME", "tck_test") < 0 || + testSetOneParameter(vars, "A", "1.1.1.1") || + testSetOneParameter(vars, "A", "2.2.2.2") || + testSetOneParameter(vars, "A", "3.3.3.3") || + testSetOneParameter(vars, "A", "3.3.3.3") || + testSetOneParameter(vars, "B", "80") || + testSetOneParameter(vars, "B", "90") || + 
testSetOneParameter(vars, "B", "80") || + testSetOneParameter(vars, "B", "80") || + testSetOneParameter(vars, "C", "1080") || + testSetOneParameter(vars, "C", "1090") || + testSetOneParameter(vars, "C", "1100") || + testSetOneParameter(vars, "C", "1110")) + return -1; + return 0; +} + +static void +testCommandDryRunCallback(const char *const*args, + const char *const*env G_GNUC_UNUSED, + const char *input G_GNUC_UNUSED, + char **output, + char **error G_GNUC_UNUSED, + int *status, + void *opaque G_GNUC_UNUSED) +{ + if (STRNEQ(args[0], "nft")) { + return; + } + + /* simulate an empty existing set rules */ + if (STREQ(args[1], "list") && STREQ(args[2], "tables")) { + *output =3D g_strdup("table nothing\n"); + *status =3D EXIT_SUCCESS; + } else if (STREQ(args[1], "list") && STREQ(args[2], "chains")) { + *output =3D g_strdup("chain nothing\n"); + *status =3D EXIT_SUCCESS; + } +} + +static int testCompareXMLToArgvFiles(const char *xml, + const char *cmdline) +{ + g_autofree char *actualargv =3D NULL; + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + g_autoptr(GHashTable) vars =3D virHashNew(virNWFilterVarValueHashFree); + virNWFilterInst inst =3D { 0 }; + int ret =3D -1; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, true, true, testCommandDryRunCa= llback, NULL); + + if (testSetDefaultParameters(vars) < 0) + goto cleanup; + + if (virNWFilterDefToInst(xml, + vars, + &inst) < 0) + goto cleanup; + + if (nftables_driver.applyNewRules("vnet0", inst.rules, inst.nrules) < = 0) + goto cleanup; + + actualargv =3D virBufferContentAndReset(&buf); + + testRemoveCommonRules(actualargv); + + if (virTestCompareToFileFull(actualargv, cmdline, false) < 0) + goto cleanup; + + ret =3D 0; + + cleanup: + virNWFilterInstReset(&inst); + return ret; +} + +struct testInfo { + const char *name; +}; + + +static int +testCompareXMLToIPTablesHelper(const void *data) +{ + int result =3D -1; + const struct testInfo 
*info =3D data; + g_autofree char *xml =3D NULL; + g_autofree char *override_xml =3D NULL; + g_autofree char *args =3D NULL; + + override_xml =3D g_strdup_printf("%s/nwfilterxml2nftfirewalldata/%s.xm= l", + abs_srcdir, info->name); + + if (virFileExists(override_xml)) { + xml =3D g_strdup(override_xml); + } else { + xml =3D g_strdup_printf("%s/nwfilterxml2firewalldata/%s.xml", + abs_srcdir, info->name); + } + + args =3D g_strdup_printf("%s/nwfilterxml2nftfirewalldata/%s-%s.args", + abs_srcdir, info->name, RULESTYPE); + + result =3D testCompareXMLToArgvFiles(xml, args); + + return result; +} + + +static int +mymain(void) +{ + int ret =3D 0; + +# define DO_TEST(name) \ + do { \ + static struct testInfo info =3D { \ + name, \ + }; \ + if (virTestRun("NWFilter XML-2-firewall " name, \ + testCompareXMLToIPTablesHelper, &info) < 0) \ + ret =3D -1; \ + } while (0) + + DO_TEST("ah"); + DO_TEST("ah-ipv6"); + DO_TEST("all"); + DO_TEST("all-ipv6"); + DO_TEST("arp"); + DO_TEST("comment"); + DO_TEST("conntrack"); + DO_TEST("esp"); + DO_TEST("esp-ipv6"); + DO_TEST("example-1"); + DO_TEST("example-2"); + DO_TEST("hex-data"); + DO_TEST("icmp-direction2"); + DO_TEST("icmp-direction3"); + DO_TEST("icmp-direction"); + DO_TEST("icmp"); + DO_TEST("icmpv6"); + DO_TEST("igmp"); + DO_TEST("ip"); + DO_TEST("ipt-no-macspoof"); + DO_TEST("ipv6"); + DO_TEST("iter1"); + DO_TEST("iter2"); + DO_TEST("iter3"); + DO_TEST("mac"); + DO_TEST("rarp"); + DO_TEST("sctp"); + DO_TEST("sctp-ipv6"); + DO_TEST("target2"); + DO_TEST("target"); + DO_TEST("tcp"); + DO_TEST("tcp-ipv6"); + DO_TEST("udp"); + DO_TEST("udp-ipv6"); + DO_TEST("udplite"); + DO_TEST("udplite-ipv6"); + DO_TEST("vlan"); + + return ret =3D=3D 0 ? EXIT_SUCCESS : EXIT_FAILURE; +} + +VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virfirewall")) + +#else /* ! defined (__linux__) */ + +int main(void) +{ + return EXIT_AM_SKIP; +} + +#endif /* ! defined (__linux__) */ --=20 2.43.0
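Review bot: virNWFilterIncludeDefToRuleInst builds the path of an included filter only from nwfilterxml2firewalldata/, while testCompareXMLToIPTablesHelper first looks for an override in nwfilterxml2nftfirewalldata/ and falls back to the shared directory; an nft-specific override for a filter that is reached only through a filterref include is therefore silently ignored, so the include lookup should use the same override-then-fallback logic (factor the virFileExists check into a helper and call it from both places). Two smaller points in the same hunk: the header comment still says "Test iptables rule generation" and the helper keeps the name testCompareXMLToIPTablesHelper although the file exercises nftables_driver, and testCommandDryRunCallback evaluates STREQ(args[1], "list") and STREQ(args[2], "tables") without checking that those argv entries exist, which dereferences NULL if a shorter nft command is ever passed through the dry-run path; a guard such as `if (!args[1] || !args[2]) return;` before the comparisons would close that.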