From: Dion Bosschieter
To: devel@lists.libvirt.org
Subject: [PATCH v5 3/3] nwfilter: add unit tests and test data for nwfilter nftables driver
Date: Mon, 16 Feb 2026 11:42:39 +0100
Message-ID: <20260216104239.90941-4-dionbosschieter@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260216104239.90941-1-dionbosschieter@gmail.com>
References: <20260216104239.90941-1-dionbosschieter@gmail.com>
CC: jean-louis@dupond.be, Dion Bosschieter
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Add unit test files nwfilternftablestest.c and nwfilterxml2nftfirewalltest.c, including data files in the existing nwfilterxml2firewalldata directory. Tests follow the same style and structure as the ebiptables driver for nwfilter.
Signed-off-by: Dion Bosschieter
---
 tests/meson.build | 2 +
 tests/nwfilternftablestest.c | 426 ++
 .../ah-ipv6-linux.nftables.args | 310 ++
 .../ah-linux.nftables.args | 304 ++
 .../all-ipv6-linux.nftables.args | 292 ++
 .../all-linux.nftables.args | 286 ++
 .../arp-linux.nftables.args | 231 +
 .../nwfilterxml2firewalldata/arp.nftables.xml | 27 +
 .../comment-linux.nftables.args | 510 +++
 .../conntrack-linux.nftables.args | 198 +
 .../esp-ipv6-linux.nftables.args | 310 ++
 .../esp-linux.nftables.args | 304 ++
 .../example-1-linux.nftables.args | 268 ++
 .../example-2-linux.nftables.args | 352 ++
 .../hex-data-linux.nftables.args | 384 ++
 .../icmp-direction-linux.nftables.args | 238 ++
 .../icmp-direction2-linux.nftables.args | 238 ++
 .../icmp-direction3-linux.nftables.args | 184 +
 .../icmp-linux.nftables.args | 256 ++
 .../icmpv6-linux.nftables.args | 328 ++
 .../igmp-linux.nftables.args | 304 ++
 .../ip-linux.nftables.args | 205 +
 .../ipt-no-macspoof-linux.nftables.args | 172 +
 .../ipv6-linux.nftables.args | 511 +++
 .../iter1-linux.nftables.args | 304 ++
 .../iter2-linux.nftables.args | 3760 +++++++++++++++++
 .../iter3-linux.nftables.args | 430 ++
 .../mac-linux.nftables.args | 184 +
 .../rarp-linux.nftables.args | 215 +
 .../sctp-ipv6-linux.nftables.args | 328 ++
 .../sctp-linux.nftables.args | 328 ++
 .../target-linux.nftables.args | 466 ++
 .../target2-linux.nftables.args | 322 ++
 .../tcp-ipv6-linux.nftables.args | 328 ++
 .../tcp-linux.nftables.args | 476 +++
 .../udp-ipv6-linux.nftables.args | 328 ++
 .../udp-linux.nftables.args | 328 ++
 .../udplite-ipv6-linux.nftables.args | 310 ++
 .../udplite-linux.nftables.args | 304 ++
 .../vlan-linux.nftables.args | 271 ++
 .../ah-ipv6-linux.args | 304 ++
 .../nwfilterxml2nftfirewalldata/ah-linux.args | 298 ++
 .../all-ipv6-linux.args | 286 ++
 .../all-linux.args | 280 ++
 .../arp-linux.args | 215 +
 tests/nwfilterxml2nftfirewalldata/arp.xml | 27 +
 .../comment-linux.args | 483 +++
 .../conntrack-linux.args | 198 +
 .../esp-ipv6-linux.args | 304 ++
 .../esp-linux.args | 298 ++
 .../example-1-linux.args | 266 ++
 .../example-2-linux.args | 348 ++
 .../hex-data-linux.args | 357 ++
 .../icmp-direction-linux.args | 238 ++
 .../icmp-direction2-linux.args | 238 ++
 .../icmp-direction3-linux.args | 184 +
 .../icmp-linux.args | 252 ++
 .../icmpv6-linux.args | 322 ++
 .../igmp-linux.args | 298 ++
 .../nwfilterxml2nftfirewalldata/ip-linux.args | 198 +
 .../ipt-no-macspoof-linux.args | 169 +
 .../ipv6-linux.args | 474 +++
 .../iter1-linux.args | 298 ++
 .../iter2-linux.args | 3598 ++++++++++++++++
 .../iter3-linux.args | 418 ++
 .../mac-linux.args | 180 +
 .../rarp-linux.args | 215 +
 .../sctp-ipv6-linux.args | 314 ++
 .../sctp-linux.args | 314 ++
 .../target-linux.args | 452 ++
 .../target2-linux.args | 316 ++
 .../tcp-ipv6-linux.args | 314 ++
 .../tcp-linux.args | 468 ++
 .../udp-ipv6-linux.args | 314 ++
 .../udp-linux.args | 314 ++
 .../udplite-ipv6-linux.args | 304 ++
 .../udplite-linux.args | 298 ++
 .../vlan-linux.args | 264 ++
 tests/nwfilterxml2nftfirewalltest.c | 438 ++
 79 files changed, 30178 insertions(+)
 create mode 100644 tests/nwfilternftablestest.c
 create mode 100755 tests/nwfilterxml2firewalldata/ah-ipv6-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/ah-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/all-ipv6-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/all-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/arp-linux.nftables.args
 create mode 100644 tests/nwfilterxml2firewalldata/arp.nftables.xml
 create mode 100755 tests/nwfilterxml2firewalldata/comment-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/conntrack-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/esp-ipv6-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/esp-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/example-1-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/example-2-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/hex-data-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/icmp-direction-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/icmp-direction2-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/icmp-direction3-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/icmp-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/icmpv6-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/igmp-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/ip-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/ipv6-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/iter1-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/iter2-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/iter3-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/mac-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/rarp-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/sctp-ipv6-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/sctp-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/target-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/target2-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/tcp-ipv6-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/tcp-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/udp-ipv6-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/udp-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/udplite-ipv6-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/udplite-linux.nftables.args
 create mode 100755 tests/nwfilterxml2firewalldata/vlan-linux.nftables.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/ah-ipv6-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/ah-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/all-ipv6-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/all-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/arp-linux.args
 create mode 100644 tests/nwfilterxml2nftfirewalldata/arp.xml
 create mode 100755 tests/nwfilterxml2nftfirewalldata/comment-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/conntrack-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/esp-ipv6-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/esp-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/example-1-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/example-2-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/hex-data-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/icmp-direction-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/icmp-direction2-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/icmp-direction3-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/icmp-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/icmpv6-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/igmp-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/ip-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/ipt-no-macspoof-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/ipv6-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/iter1-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/iter2-linux.args
 create mode 100755 tests/nwfilterxml2nftfirewalldata/iter3-linux.args
 create mode 100755
tests/nwfilterxml2nftfirewalldata/mac-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/rarp-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/sctp-ipv6-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/sctp-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/target-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/target2-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/tcp-ipv6-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/tcp-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/udp-ipv6-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/udp-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/udplite-ipv6-linux.ar= gs create mode 100755 tests/nwfilterxml2nftfirewalldata/udplite-linux.args create mode 100755 tests/nwfilterxml2nftfirewalldata/vlan-linux.args create mode 100644 tests/nwfilterxml2nftfirewalltest.c diff --git a/tests/meson.build b/tests/meson.build index b28ad4a65b..91c8f24d77 100644 --- a/tests/meson.build +++ b/tests/meson.build @@ -442,7 +442,9 @@ endif if conf.has('WITH_NWFILTER') tests +=3D [ { 'name': 'nwfilterebiptablestest', 'link_with': [ nwfilter_driver_imp= l ] }, + { 'name': 'nwfilternftablestest', 'link_with': [ nwfilter_driver_impl = ] }, { 'name': 'nwfilterxml2ebipfirewalltest', 'link_with': [ nwfilter_driv= er_impl ] }, + { 'name': 'nwfilterxml2nftfirewalltest', 'link_with': [ nwfilter_drive= r_impl ] }, ] endif =20 diff --git a/tests/nwfilternftablestest.c b/tests/nwfilternftablestest.c new file mode 100644 index 0000000000..a2480ec971 --- /dev/null +++ b/tests/nwfilternftablestest.c 
@@ -0,0 +1,426 @@ +/* + * nwfilternftablestest.c: Test nftables rule generation + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + * + */ + +#include + +#include "testutils.h" +#include "nwfilter/nwfilter_nftables_driver.h" +#include "virbuffer.h" + +#define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW +#include "vircommandpriv.h" + +#define VIR_FROM_THIS VIR_FROM_NONE + +#define EXISTING_TABLE \ + "table bridge %s { # handle 562\n" \ + " comment \"this table is managed by libvirt\"\n" \ + " map vmap-oif { # handle 1\n" \ + " type iface_index : verdict\n" \ + " elements =3D { \"vnet0\" : jump vnet0-in }\n" \ + " }\n" \ + "\n" \ + " map vmap-iif { # handle 2\n" \ + " type iface_index : verdict\n" \ + " elements =3D { \"vnet0\" : jump vnet0-out }\n" \ + " }\n" \ + "\n" \ + " chain postrouting { # handle 3\n" \ + " type filter hook postrouting priority 1; policy accept;\n" \ + " meta nftrace set 1 # handle 4\n" \ + " oif vmap @vmap-oif # handle 7\n" \ + " }\n" \ + "\n" \ + " chain prerouting { # handle 5\n" \ + " type filter hook prerouting priority 1; policy accept;\n" \ + " meta nftrace set 1 # handle 6\n" \ + " iif vmap @vmap-iif # handle 8\n" \ + " }\n" \ + "\n" \ + " chain n-vnet0-in { # handle 880\n" \ + " ether type ip jump vnet0-ipv4-in # handle 893\n" \ + " ether type ip6 jump vnet0-ipv6-in # handle 897\n" \ + " }\n" \ + "\n" \ + " chain vnet0-in { # handle 880\n" \ + " ether 
type ip jump vnet0-ipv4-in # handle 893\n" \ + " ether type ip6 jump vnet0-ipv6-in # handle 897\n" \ + " }\n" \ + "\n" \ + " chain vnet0-out { # handle 881\n" \ + " ip6 saddr 2a01:7c8:e100:1::78e2 tcp dport 465-465 ct directio= n original drop comment \"priority=3D100\" # handle 882\n" \ + " ip6 saddr 2a01:7c8:e100:1::78e2 tcp dport 587-587 ct directio= n original drop comment \"priority=3D100\" # handle 883\n" \ + " ip saddr 192.168.1.2 tcp dport 25-25 ct direction original dr= op comment \"priority=3D100\" # handle 884\n" \ + " ip saddr 192.168.1.2 tcp dport 587-587 ct direction original = drop comment \"priority=3D100\" # handle 885\n" \ + " ether type ip tcp dport 25-25 ct direction original drop comm= ent \"priority=3D100\" # handle 886\n" \ + " ether type ip6 tcp dport 25-25 ct direction original drop com= ment \"priority=3D100\" # handle 887\n" \ + " ip6 daddr 2a01:7c8:e100:1::78e2 tcp dport 465-465 ct directio= n original accept comment \"priority=3D100\" # handle 888\n" \ + " ip6 saddr 2a01:7c8:e100:1::78e2 udp dport 587-587 ct directio= n original drop comment \"priority=3D100\" # handle 889\n" \ + " ip saddr 192.168.1.2 udp dport 25-25 ct direction original co= ntinue comment \"priority=3D100\" # handle 890\n" \ + " ether type ip ct direction original continue comment \"priori= ty=3D100\" # handle 891\n" \ + " ether type ip jump vnet0-ipv4-out # handle 895\n" \ + " ether type ip6 jump vnet0-ipv6-out # handle 899\n" \ + " }\n" \ + "\n" \ + " chain vnet0-ipv4-in { # handle 892\n" \ + " ip saddr 192.168.1.1 tcp dport 4444 ct direction reply ct sta= te established,new accept comment \"priority=3D302\" # handle 902\n" \ + " ether type ip meta l4proto tcp ct direction reply drop commen= t \"priority=3D601\" # handle 904\n" \ + " ether type ip meta l4proto udp ct direction reply drop commen= t \"priority=3D603\" # handle 905\n" \ + " }\n" \ + "\n" \ + " chain vnet0-ipv4-out { # handle 894\n" \ + " ip protocol icmp ct count over 42 drop comment \"priority=3D4= 
00\" # handle 903\n" \ + " }\n" \ + "\n" \ + " chain vnet0-ipv6-in { # handle 896\n" \ + " ip6 daddr fe80::5054:ff:fe60:baae udp sport 547 udp dport 546= ct direction reply accept comment \"priority=3D111\" # handle 901\n" \ + " }\n" \ + "\n" \ + " chain vnet0-ipv6-out { # handle 898\n" \ + " ip6 saddr fe80::5054:ff:fe60:baae ip6 daddr ff02::1:2 udp spo= rt 546 udp dport 547 ct direction original accept comment \"priority=3D110\= " # handle 900\n" \ + " }\n" \ + "}\n" + +#define OLD_REMOVES \ + "nft -a list table bridge libvirt_nwfilter_ethernet\n" \ + "nft -a list table bridge libvirt_nwfilter_inet\n" \ + "nft delete element bridge libvirt_nwfilter_ethernet vmap-oif '{' '\"v= net0\"' '}'\n" \ + "nft delete element bridge libvirt_nwfilter_ethernet vmap-iif '{' '\"v= net0\"' '}'\n" \ + "nft delete chain bridge libvirt_nwfilter_ethernet vnet0-in\n" \ + "nft delete chain bridge libvirt_nwfilter_ethernet vnet0-out\n" \ + "nft delete chain bridge libvirt_nwfilter_ethernet vnet0-ipv4-in\n" \ + "nft delete chain bridge libvirt_nwfilter_ethernet vnet0-ipv4-out\n" \ + "nft delete chain bridge libvirt_nwfilter_ethernet vnet0-ipv6-in\n" \ + "nft delete chain bridge libvirt_nwfilter_ethernet vnet0-ipv6-out\n" \ + "nft delete element bridge libvirt_nwfilter_inet vmap-oif '{' '\"vnet0= \"' '}'\n" \ + "nft delete element bridge libvirt_nwfilter_inet vmap-iif '{' '\"vnet0= \"' '}'\n" \ + "nft delete chain bridge libvirt_nwfilter_inet vnet0-in\n" \ + "nft delete chain bridge libvirt_nwfilter_inet vnet0-out\n" \ + "nft delete chain bridge libvirt_nwfilter_inet vnet0-ipv4-in\n" \ + "nft delete chain bridge libvirt_nwfilter_inet vnet0-ipv4-out\n" \ + "nft delete chain bridge libvirt_nwfilter_inet vnet0-ipv6-in\n" \ + "nft delete chain bridge libvirt_nwfilter_inet vnet0-ipv6-out\n" + +static void +testCommandDryRunCallback(const char *const*args, + const char *const*env G_GNUC_UNUSED, + const char *input G_GNUC_UNUSED, + char **output, + char **error G_GNUC_UNUSED, + int *status, + 
void *opaque G_GNUC_UNUSED) +{ + size_t argc =3D 0; + const char *table; + + while (args[argc] !=3D NULL) + argc++; + + if (STRNEQ(args[0], "nft")) { + *status =3D EXIT_FAILURE; + return; + } + + /* simulate an empty existing set rules */ + if (argc =3D=3D 6 && STREQ(args[1], "-a") && STREQ(args[2], "list")) { + table =3D args[argc-1]; + *output =3D g_strdup_printf(EXISTING_TABLE, table); + *status =3D EXIT_SUCCESS; + } +} + + +static int +testNWFilterNFTablesAllTeardown(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D OLD_REMOVES; + g_autofree char *actual =3D NULL; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.allTeardown("vnet0") < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + +static int +testNWFilterNFTablesTearOldRules(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D + "nft -a list table bridge libvirt_nwfilter_ethernet\n" + "nft -a list table bridge libvirt_nwfilter_inet\n" + OLD_REMOVES + "nft rename chain bridge libvirt_nwfilter_ethernet n-vnet0-in vnet= 0-in\n" + "nft rename chain bridge libvirt_nwfilter_inet n-vnet0-in vnet0-in= \n"; + g_autofree char *actual =3D NULL; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.tearOldRules("vnet0") < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + +static int +testNWFilterNFTablesRemoveBasicRules(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D 
VIR_BUFFER_INITIALIZER; + const char *expected =3D OLD_REMOVES; + g_autofree char *actual =3D NULL; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.removeBasicRules("vnet0") < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + +static int +testNWFilterNFTablesTearNewRules(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D + "nft -a list table bridge libvirt_nwfilter_ethernet\n" + "nft -a list table bridge libvirt_nwfilter_inet\n"\ + "nft delete chain bridge libvirt_nwfilter_ethernet n-vnet0-in\n" + "nft delete chain bridge libvirt_nwfilter_inet n-vnet0-in\n"; + g_autofree char *actual =3D NULL; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.tearNewRules("vnet0") < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + +static int +testNWFilterNFTablesApplyBasicRules(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D + "nft list tables\n" + OLD_REMOVES + "nft add chain bridge libvirt_nwfilter_ethernet vnet0-in '{ }'\n" + "nft add chain bridge libvirt_nwfilter_inet vnet0-in '{ }'\n" + "nft add chain bridge libvirt_nwfilter_ethernet vnet0-out '{ }'\n" + "nft add chain bridge libvirt_nwfilter_inet vnet0-out '{ }'\n" + "nft add rule bridge libvirt_nwfilter_ethernet vnet0-out ether sad= dr '!=3D' 10:20:30:40:50:60 drop\n" + "nft add rule bridge libvirt_nwfilter_ethernet vnet0-out ether typ= e ip accept\n" + "nft add rule bridge 
libvirt_nwfilter_ethernet vnet0-out ether typ= e arp accept\n" + "nft add rule bridge libvirt_nwfilter_ethernet vnet0-out accept\n" + "nft delete element bridge libvirt_nwfilter_inet vmap-oif '{' vnet= 0 '}'\n" + "nft add element bridge libvirt_nwfilter_inet vmap-oif '{' vnet0 := jump vnet0-in '}'\n" + "nft delete element bridge libvirt_nwfilter_ethernet vmap-oif '{' = vnet0 '}'\n" + "nft add element bridge libvirt_nwfilter_ethernet vmap-oif '{' vne= t0 : jump vnet0-in '}'\n" + "nft delete element bridge libvirt_nwfilter_inet vmap-iif '{' vnet= 0 '}'\n" + "nft add element bridge libvirt_nwfilter_inet vmap-iif '{' vnet0 := jump vnet0-out '}'\n" + "nft delete element bridge libvirt_nwfilter_ethernet vmap-iif '{' = vnet0 '}'\n" + "nft add element bridge libvirt_nwfilter_ethernet vmap-iif '{' vne= t0 : jump vnet0-out '}'\n"; + g_autofree char *actual =3D NULL; + virMacAddr mac =3D { .addr =3D { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } = }; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.applyBasicRules("vnet0", &mac) < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + +static int +testNWFilterNFTablesApplyDHCPOnlyRules(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D + "nft list tables\n" + OLD_REMOVES + "nft add chain bridge libvirt_nwfilter_ethernet vnet0-in '{ }'\n" + "nft add chain bridge libvirt_nwfilter_inet vnet0-in '{ }'\n" + "nft add chain bridge libvirt_nwfilter_ethernet vnet0-out '{ }'\n" + "nft add chain bridge libvirt_nwfilter_inet vnet0-out '{ }'\n" + "nft add rule bridge libvirt_nwfilter_ethernet vnet0-out ether sad= dr 10:20:30:40:50:60 ether type ip udp sport 68 udp dport 67 accept\n" + "nft add rule bridge libvirt_nwfilter_ethernet 
vnet0-out drop\n" + "nft add rule bridge libvirt_nwfilter_ethernet vnet0-in ether dadd= r 10:20:30:40:50:60 ether type ip ip saddr 192.168.122.1 udp sport 67 udp d= port 68 accept\n" + "nft add rule bridge libvirt_nwfilter_ethernet vnet0-in ether dadd= r ff:ff:ff:ff:ff:ff ether type ip ip saddr 192.168.122.1 udp sport 67 udp d= port 68 accept\n" + "nft add rule bridge libvirt_nwfilter_ethernet vnet0-in ether dadd= r 10:20:30:40:50:60 ether type ip ip saddr 10.0.0.1 udp sport 67 udp dport = 68 accept\n" + "nft add rule bridge libvirt_nwfilter_ethernet vnet0-in ether dadd= r ff:ff:ff:ff:ff:ff ether type ip ip saddr 10.0.0.1 udp sport 67 udp dport = 68 accept\n" + "nft add rule bridge libvirt_nwfilter_ethernet vnet0-in ether dadd= r 10:20:30:40:50:60 ether type ip ip saddr 10.0.0.2 udp sport 67 udp dport = 68 accept\n" + "nft add rule bridge libvirt_nwfilter_ethernet vnet0-in ether dadd= r ff:ff:ff:ff:ff:ff ether type ip ip saddr 10.0.0.2 udp sport 67 udp dport = 68 accept\n" + "nft add rule bridge libvirt_nwfilter_ethernet vnet0-in drop\n" + "nft delete element bridge libvirt_nwfilter_inet vmap-oif '{' vnet= 0 '}'\n" + "nft add element bridge libvirt_nwfilter_inet vmap-oif '{' vnet0 := jump vnet0-in '}'\n" + "nft delete element bridge libvirt_nwfilter_ethernet vmap-oif '{' = vnet0 '}'\n" + "nft add element bridge libvirt_nwfilter_ethernet vmap-oif '{' vne= t0 : jump vnet0-in '}'\n" + "nft delete element bridge libvirt_nwfilter_inet vmap-iif '{' vnet= 0 '}'\n" + "nft add element bridge libvirt_nwfilter_inet vmap-iif '{' vnet0 := jump vnet0-out '}'\n" + "nft delete element bridge libvirt_nwfilter_ethernet vmap-iif '{' = vnet0 '}'\n" + "nft add element bridge libvirt_nwfilter_ethernet vmap-iif '{' vne= t0 : jump vnet0-out '}'\n"; + g_autofree char *actual =3D NULL; + virMacAddr mac =3D { .addr =3D { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } = }; + const char *servers[] =3D { "192.168.122.1", "10.0.0.1", "10.0.0.2" }; + virNWFilterVarValue val =3D { + .valType =3D 
NWFILTER_VALUE_TYPE_ARRAY, + .u =3D { + .array =3D { + .values =3D (char **)servers, + .nValues =3D 3, + } + } + }; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.applyDHCPOnlyRules("vnet0", &mac, &val, false) < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + + +static int +testNWFilterNFTablesApplyDropAllRules(const void *opaque G_GNUC_UNUSED) +{ + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + const char *expected =3D + "nft list tables\n" + OLD_REMOVES + "nft add chain bridge libvirt_nwfilter_ethernet vnet0-in '{ }'\n" + "nft add chain bridge libvirt_nwfilter_inet vnet0-in '{ }'\n" + "nft add chain bridge libvirt_nwfilter_ethernet vnet0-out '{ }'\n" + "nft add chain bridge libvirt_nwfilter_inet vnet0-out '{ }'\n" + "nft add rule bridge libvirt_nwfilter_ethernet vnet0-out drop\n" + "nft add rule bridge libvirt_nwfilter_ethernet vnet0-in drop\n" + "nft add rule bridge libvirt_nwfilter_ethernet postrouting oifname= vnet0 jump vnet0-in\n" + "nft add rule bridge libvirt_nwfilter_ethernet prerouting iifname = vnet0 jump vnet0-out\n"; + g_autofree char *actual =3D NULL; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, false, true, testCommandDryRunC= allback, NULL); + + if (nftables_driver.applyDropAllRules("vnet0") < 0) + return -1; + + actual =3D virBufferContentAndReset(&buf); + + if (virTestCompareToString(expected, actual) < 0) { + return -1; + } + + return 0; +} + + +static int +mymain(void) +{ + int ret =3D 0; + + if (virTestRun("nftablesAllTeardown", + testNWFilterNFTablesAllTeardown, + NULL) < 0) + ret =3D -1; + + if (virTestRun("nftablesTearOldRules", + testNWFilterNFTablesTearOldRules, + NULL) < 0) + ret =3D -1; + + if 
(virTestRun("nftablesRemoveBasicRules", + testNWFilterNFTablesRemoveBasicRules, + NULL) < 0) + ret =3D -1; + + if (virTestRun("nftablesTearNewRules", + testNWFilterNFTablesTearNewRules, + NULL) < 0) + ret =3D -1; + + if (virTestRun("nftablesApplyBasicRules", + testNWFilterNFTablesApplyBasicRules, + NULL) < 0) + ret =3D -1; + + if (virTestRun("nftablesApplyDHCPOnlyRules", + testNWFilterNFTablesApplyDHCPOnlyRules, + NULL) < 0) + ret =3D -1; + + if (virTestRun("nftablesApplyDropAllRules", + testNWFilterNFTablesApplyDropAllRules, + NULL) < 0) + ret =3D -1; + + return ret =3D=3D 0 ? EXIT_SUCCESS : EXIT_FAILURE; +} + +VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virfirewall")) diff --git a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.nftables.args b/t= ests/nwfilterxml2firewalldata/ah-ipv6-linux.nftables.args new file mode 100755 index 0000000000..f480df70ad --- /dev/null +++ b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.nftables.args 
@@ -0,0 +1,310 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' 
+nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/ah-linux.nftables.args b/tests/= nwfilterxml2firewalldata/ah-linux.nftables.args new file mode 100755 index 0000000000..19d600b95a --- /dev/null +++ b/tests/nwfilterxml2firewalldata/ah-linux.nftables.args 
@@ -0,0 +1,304 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ 
+add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/all-ipv6-linux.nftables.args b/= tests/nwfilterxml2firewalldata/all-ipv6-linux.nftables.args new file mode 100755 index 0000000000..d06e8da89f --- /dev/null +++ b/tests/nwfilterxml2firewalldata/all-ipv6-linux.nftables.args 
@@ -0,0 +1,292 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ 
+libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/all-linux.nftables.args b/tests= /nwfilterxml2firewalldata/all-linux.nftables.args new file mode 100755 index 0000000000..474665edec --- /dev/null +++ b/tests/nwfilterxml2firewalldata/all-linux.nftables.args 
@@ -0,0 +1,286 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ 
+libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/arp-linux.nftables.args b/tests= /nwfilterxml2firewalldata/arp-linux.nftables.args new file mode 100755 index 0000000000..0a3c42472a --- /dev/null +++ b/tests/nwfilterxml2firewalldata/arp-linux.nftables.args 
@@ -0,0 +1,231 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x806 \ +arp \ +htype \ +12 \ +arp \ +ptype \ +0x22 \ +arp \ +operation \ +1 \ +arp \ +saddr \ +ether \ +01:02:03:04:05:06 \ +arp \ +daddr \ +ether \ +0a:0b:0c:0d:0e:0f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +arp \ +htype \ +255 \ +arp \ +ptype \ +0xff \ +arp \ +operation \ +1 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +arp \ +htype \ +256 \ +arp \ +ptype \ +0x100 \ +arp \ +operation \ +11 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +arp \ +htype \ +65535 \ +arp \ +ptype \ +0xffff \ +arp \ +operation \ +65535 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule 
\ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/arp.nftables.xml b/tests/nwfilt= erxml2firewalldata/arp.nftables.xml new file mode 100644 index 0000000000..ba68f6d7cc --- /dev/null +++ b/tests/nwfilterxml2firewalldata/arp.nftables.xml @@ -0,0 +1,27 @@ + + 5c6d49af-b071-6127-b4ec-6f8ed4b55335 + + + + + + + + + + + + + + + + diff --git a/tests/nwfilterxml2firewalldata/comment-linux.nftables.args b/t= ests/nwfilterxml2firewalldata/comment-linux.nftables.args new file mode 100755 index 0000000000..9734ed6227 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/comment-linux.nftables.args 
@@ -0,0 +1,510 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +0x1234 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +protocol \ +17 \ +th \ +sport \ +291-564 \ +th \ +dport \ +13398-17767 \ +ip \ +dscp \ +0x32 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:fe =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:80 =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/22 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/113 \ +ip6 \ +nexthdr \ +6 \ +th \ +sport \ +273-400 \ +th \ +dport \ +13107-65535 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x806 \ +arp \ +htype \ +18 \ +arp \ +ptype \ +0x56 \ +arp \ +operation \ +1 \ +arp \ +saddr \ +ether \ +01:02:03:04:05:06 \ +arp \ +daddr \ +ether \ +0a:0b:0c:0d:0e:0f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +34 \ +udp \ +dport \ +564-1092 \ +udp \ +sport \ +291-400 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dudp rule"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ 
+saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +34 \ +udp \ +sport \ +564-1092 \ +udp \ +dport \ +291-400 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dudp rule"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +tcp \ +dport \ +256-4369 \ +tcp \ +sport \ +32-33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dtcp/ipv6 rule"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +tcp \ +sport \ +256-4369 \ +tcp \ +dport \ +32-33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dtcp/ipv6 rule"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3D`ls`;${COLUMNS};$(ls);'\''test'\'';&'\''3 = spaces'\''"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3D`ls`;${COLUMNS};$(ls);'\''test'\'';&'\''3 = spaces'\''"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dcomment with lone '\'', `, '\'', `, \, $x, = and two spaces"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ 
+n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dcomment with lone '\'', `, '\'', `, \, $x, = and two spaces"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dtmp=3D`mktemp`; echo ${RANDOM} > ${tmp} ; c= at < ${tmp}; rm -f ${tmp}"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dtmp=3D`mktemp`; echo ${RANDOM} > ${tmp} ; c= at < ${tmp}; rm -f ${tmp}"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ 
+libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/conntrack-linux.nftables.args b= /tests/nwfilterxml2firewalldata/conntrack-linux.nftables.args new file mode 100755 index 0000000000..50077ddda7 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/conntrack-linux.nftables.args 
@@ -0,0 +1,198 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +count \ +over \ +1 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ct \ +count \ +over \ +2 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ 
+element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.nftables.args b/= tests/nwfilterxml2firewalldata/esp-ipv6-linux.nftables.args new file mode 100755 index 0000000000..4a9bf63f35 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.nftables.args 
@@ -0,0 +1,310 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ 
+'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/esp-linux.nftables.args b/tests= /nwfilterxml2firewalldata/esp-linux.nftables.args new file mode 100755 index 0000000000..2fb1cff4e5 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/esp-linux.nftables.args 
@@ -0,0 +1,304 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in 
+nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/example-1-linux.nftables.args b= /tests/nwfilterxml2firewalldata/example-1-linux.nftables.args new file mode 100755 index 0000000000..d0a00a3ac0 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/example-1-linux.nftables.args 
@@ -0,0 +1,268 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +dport \ +22 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D100"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +sport \ +22 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D100"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D200"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D200"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D300"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D300"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D1000"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D1000"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft 
\ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/example-2-linux.nftables.args b= /tests/nwfilterxml2firewalldata/example-2-linux.nftables.args new file mode 100755 index 0000000000..d4a2269990 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/example-2-linux.nftables.args 
@@ -0,0 +1,352 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +established,related \ +accept \ +comment \ +'"priority=3D100,usercomment=3Dout: existing and related (ftp) connections= "' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established,related \ +accept \ +comment \ +'"priority=3D100,usercomment=3Dout: existing and related (ftp) connections= "' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D100,usercomment=3Din: existing connections"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D100,usercomment=3Din: existing connections"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +dport \ +21-22 \ +ct \ +direction \ +original \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D200,usercomment=3Din: ftp and ssh"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +sport \ +21-22 \ +ct \ +direction \ +reply \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D200,usercomment=3Din: ftp and ssh"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D300,usercomment=3Din: icmp"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D300,usercomment=3Din: icmp"' +nft \ +add \ +rule \ +bridge \ 
+libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +udp \ +dport \ +53 \ +ct \ +direction \ +original \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D300,usercomment=3Dout: DNS lookups"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +udp \ +sport \ +53 \ +ct \ +direction \ +reply \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D300,usercomment=3Dout: DNS lookups"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D1000,usercomment=3Dinout: drop all non-accepted traffic"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D1000,usercomment=3Dinout: drop all non-accepted traffic"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ 
+bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/hex-data-linux.nftables.args b/= tests/nwfilterxml2firewalldata/hex-data-linux.nftables.args new file mode 100755 index 0000000000..fde908e968 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/hex-data-linux.nftables.args 
@@ -0,0 +1,384 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +0x1234 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +protocol \ +17 \ +th \ +sport \ +291-564 \ +th \ +dport \ +13398-17767 \ +ip \ +dscp \ +0x32 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:fe =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:80 =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/22 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/113 \ +ip6 \ +nexthdr \ +6 \ +th \ +sport \ +273-400 \ +th \ +dport \ +13107-65535 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x806 \ +arp \ +htype \ +18 \ +arp \ +ptype \ +0x56 \ +arp \ +operation \ +1 \ +arp \ +saddr \ +ether \ +01:02:03:04:05:06 \ +arp \ +daddr \ +ether \ +0a:0b:0c:0d:0e:0f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +34 \ +udp \ +dport \ +564-1092 \ +udp \ +sport \ +291-400 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ 
+01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +34 \ +udp \ +sport \ +564-1092 \ +udp \ +dport \ +291-400 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +tcp \ +dport \ +256-4369 \ +tcp \ +sport \ +32-33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +tcp \ +sport \ +256-4369 \ +tcp \ +dport \ +32-33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ 
+vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/icmp-direction-linux.nftables.a= rgs b/tests/nwfilterxml2firewalldata/icmp-direction-linux.nftables.args new file mode 100755 index 0000000000..1369a0d43a --- /dev/null +++ b/tests/nwfilterxml2firewalldata/icmp-direction-linux.nftables.args 
@@ -0,0 +1,238 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ 
+libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/icmp-direction2-linux.nftables.= args b/tests/nwfilterxml2firewalldata/icmp-direction2-linux.nftables.args new file mode 100755 index 0000000000..d471e9cb13 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/icmp-direction2-linux.nftables.args 
@@ -0,0 +1,238 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ 
+libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.nftables.= args b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.nftables.args new file mode 100755 index 0000000000..3b3ebabef5 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.nftables.args 
@@ -0,0 +1,184 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' 
diff --git a/tests/nwfilterxml2firewalldata/icmp-linux.nftables.args b/test= s/nwfilterxml2firewalldata/icmp-linux.nftables.args new file mode 100755 index 0000000000..4773764699 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/icmp-linux.nftables.args 
@@ -0,0 +1,256 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +icmp \ +type \ +12 \ +icmp \ +code \ +11 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +icmp \ +type \ +12 \ +icmp \ +code \ +11 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +icmp \ +type \ +255 \ +icmp \ +code \ +255 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +icmp \ +type \ +255 \ +icmp \ +code \ +255 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ 
+rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/icmpv6-linux.nftables.args b/te= sts/nwfilterxml2firewalldata/icmpv6-linux.nftables.args new file mode 100755 index 0000000000..623babc59a --- /dev/null +++ b/tests/nwfilterxml2firewalldata/icmpv6-linux.nftables.args 
@@ -0,0 +1,328 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +icmpv6 \ +type \ +12 \ +icmpv6 \ +code \ +11 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +icmpv6 \ +type \ +12 \ +icmpv6 \ +code \ +11 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ 
+dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/igmp-linux.nftables.args b/test= s/nwfilterxml2firewalldata/igmp-linux.nftables.args new file mode 100755 index 0000000000..8c9c788855 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/igmp-linux.nftables.args 
@@ -0,0 +1,304 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ 
+n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/ip-linux.nftables.args b/tests/= nwfilterxml2firewalldata/ip-linux.nftables.args new file mode 100755 index 0000000000..771c0654cb --- /dev/null +++ b/tests/nwfilterxml2firewalldata/ip-linux.nftables.args 
@@ -0,0 +1,205 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +protocol \ +17 \ +th \ +sport \ +20-22 \ +th \ +dport \ +100-101 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +saddr \ +10.1.2.3/17 \ +ip \ +daddr \ +10.1.2.3/24 \ +ip \ +protocol \ +17 \ +ip \ +dscp \ +0x3f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +saddr \ +10.1.2.3/31 \ +ip \ +daddr \ +10.1.2.3/25 \ +ip \ +protocol \ +255 \ +ip \ +dscp \ +0x3f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ 
+n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.nftables.= args b/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.nftables.args new file mode 100755 index 0000000000..f9fa9408a9 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.nftables.args 
@@ -0,0 +1,172 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ether \ +saddr \ +'!=3D' \ +12:34:56:78:9a:bc \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +'!=3D' \ +12:34:56:78:9a:bc \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ether \ +saddr \ +'!=3D' \ +aa:aa:aa:aa:aa:aa \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' 
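Review bot: in the ip-linux hunk, the first rule matches the MAC addresses through a bitwise expression with an all-ones mask (`ether saddr '& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06'`), which is equivalent to the plain `ether saddr 01:02:03:04:05:06`; when the mask is ff:ff:ff:ff:ff:ff the generator should emit the direct equality match, which is cheaper to evaluate and easier to read. The file is also added with `new file mode 100755`; expected-output data should be 100644 unless the existing .args files in this directory are executable too. Note for readers of the archived mail: the `=3D` sequences are the message's quoted-printable encoding of `=`, so the operator is `==` and the comment is `priority=500`; they are not part of the file contents.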
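Review bot: in the ipt-no-macspoof hunk all three drop rules are gated on `ether type ip`, so the anti-spoofing check they express only covers IPv4 frames; ARP or IPv6 frames from the guest carrying a forged source MAC are not touched by these rules. If that mirrors the test XML it is correct as expected data, but a companion case with a MAC-only rule (no `ether type ip` qualifier) would be worth adding so the nftables path for the protocol-independent no-mac-spoofing case is exercised as well. Separately, the trailing wiring block installs both an explicit `postrouting oif vnet0 jump n-vnet0-in` rule and a `vmap-oif { vnet0 : jump n-vnet0-in }` map element (and the same pair for `iif` / `n-vnet0-out`); if the base chain also carries the `oif vmap @vmap-oif` lookup, a frame that is neither accepted nor dropped in the per-interface chain traverses it twice, so one of the two dispatch mechanisms should go before merge. Finally, `delete element ... { vnet0 }` returns an error when the key is absent, which is exactly the state on the first hook-up of a fresh interface, so that command must be issued with failures ignored; the .args data cannot show that flag, so please confirm it in the generator.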
diff --git a/tests/nwfilterxml2firewalldata/ipv6-linux.nftables.args b/test= s/nwfilterxml2firewalldata/ipv6-linux.nftables.args new file mode 100755 index 0000000000..d479e6efb6 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/ipv6-linux.nftables.args 
@@ -0,0 +1,511 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:fe =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:80 =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/22 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/113 \ +ip6 \ +nexthdr \ +17 \ +th \ +sport \ +20-22 \ +th \ +dport \ +100-101 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +6 \ +th \ +sport \ +20-22 \ +th \ +dport \ +100-101 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +6 \ +th \ +dport \ +20-22 \ +th \ +sport \ +100-101 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +6 \ +th \ +sport \ +255-256 \ +th \ +dport \ +65535-65535 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +6 \ +th \ +dport \ +255-256 \ +th \ +sport \ +65535-65535 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +18 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +18 \ +accept \ +comment \ +'"priority=3D500"' +nft \ 
+add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +58 \ +icmpv6 \ +type \ +1 \ +icmpv6 \ +code \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +58 \ +icmpv6 \ +type \ +1 \ +icmpv6 \ +code \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +58 \ +icmpv6 \ +type \ +1 \ +icmpv6 \ +code \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +58 \ +icmpv6 \ +type \ +1 \ +icmpv6 \ +code \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +58 \ +icmpv6 \ +code \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +58 \ +icmpv6 \ +code \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +58 \ +icmpv6 \ +type \ +1 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +ip6 \ +nexthdr \ +58 \ +icmpv6 
\ +type \ +1 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/iter1-linux.nftables.args b/tes= ts/nwfilterxml2firewalldata/iter1-linux.nftables.args new file mode 100755 index 0000000000..ce66023df0 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/iter1-linux.nftables.args 
@@ -0,0 +1,304 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ 
+element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/iter2-linux.nftables.args b/tes= ts/nwfilterxml2firewalldata/iter2-linux.nftables.args new file mode 100755 index 0000000000..9eb373c6c1 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/iter2-linux.nftables.args 
@@ -0,0 +1,3760 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +1 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +1 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +1 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +1 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +udp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ 
+new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +udp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +udp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +udp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +udp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +udp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +udp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +udp \ +dport \ +90 \ +ct \ 
+direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +udp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +udp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +udp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +udp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1080 \ +sctp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1080 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto 
\ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1080 \ +sctp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1080 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1080 \ +sctp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1080 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1090 \ +sctp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1090 \ +sctp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1090 \ +sctp \ +sport \ 
+90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1090 \ +sctp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1090 \ +sctp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1090 \ +sctp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1100 \ +sctp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1100 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1100 \ +sctp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ 
+'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1100 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1100 \ +sctp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1100 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1110 \ +sctp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1110 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1110 \ +sctp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether 
\ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1110 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1110 \ +sctp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1110 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1080 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1080 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1080 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ 
+1080 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1080 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1080 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1080 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1080 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1080 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1080 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ 
+'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1080 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1080 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1090 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1090 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1090 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1090 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ 
+meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1090 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1090 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1090 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1090 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1090 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1090 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1090 \ +tcp \ +sport \ +90 
\ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1090 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1100 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1100 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1100 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1100 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1100 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ 
+add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1100 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1100 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1100 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1100 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1100 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1100 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ 
+ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1100 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1110 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1110 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1110 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1110 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1110 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1110 \ +tcp \ +dport \ +80 \ +ct \ +direction \ 
+reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1110 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1110 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1110 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1110 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +dport \ +1110 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +tcp \ +sport \ +1110 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ 
+libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ 
+comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ 
+direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ 
+2.2.2.2 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ 
+'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/iter3-linux.nftables.args b/tes= ts/nwfilterxml2firewalldata/iter3-linux.nftables.args new file mode 100755 index 0000000000..6407bf5875 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/iter3-linux.nftables.args 
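Review bot: the interface attachment at the tail of iter2-linux.nftables.args (the same tail is repeated in every .args file in this series) is not atomic and is installed twice over. The sequence is `add rule ... postrouting oif vnet0 jump n-vnet0-in`, then `delete element ... vmap-oif '{' vnet0 '}'`, then `add element ... vmap-oif '{' vnet0 : jump n-vnet0-in '}'`, each as a separate nft invocation: between the delete and the add the map carries no entry for vnet0, so frames for that interface can pass with no filter chain attached, and on a first attach the delete fails outright because the element does not exist yet, which only works if the driver deliberately ignores that error. In addition, an explicit `jump n-vnet0-in` rule in postrouting and a `vmap-oif` element pointing at the same chain are both installed for vnet0 (likewise prerouting / `vmap-iif` for n-vnet0-out); if the base chains dispatch through those maps, the per-interface rule is redundant and the chain is entered twice. Suggest emitting the attachment as one `nft -f` batch so the element swap is atomic, and keeping either the vmap element or the per-interface jump rule, not both.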
@@ -0,0 +1,430 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +tcp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +tcp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +tcp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +tcp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +udp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +udp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +udp \ +sport \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ 
+new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +udp \ +dport \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +dport \ +1100 \ +sctp \ +sport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +sctp \ +sport \ +1100 \ +sctp \ +dport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ 
+libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/mac-linux.nftables.args b/tests= /nwfilterxml2firewalldata/mac-linux.nftables.args new file mode 100755 index 0000000000..7b64d79068 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/mac-linux.nftables.args 
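Review bot: every accept rule in iter3-linux.nftables.args depends on `ct direction` and `ct state new,established` / `established` inside the `bridge` family, and conntrack is only available there when the nf_conntrack_bridge module is loaded (kernel 5.3 and later); without it the ct expressions see untracked packets, none of these rules match, and the verdict silently falls through to whatever the chain's default is instead of the stateful allow the rule asked for. Suggest having the driver check for (or load) nf_conntrack_bridge before installing ct-based rules and fail or warn loudly when it is missing, and stating the requirement in the nwfilter documentation for the nftables backend.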
@@ -0,0 +1,184 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x800 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x600 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0xffff \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ 
+libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/rarp-linux.nftables.args b/test= s/nwfilterxml2firewalldata/rarp-linux.nftables.args new file mode 100755 index 0000000000..633c5b7e6d --- /dev/null +++ b/tests/nwfilterxml2firewalldata/rarp-linux.nftables.args 
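Review bot: the MAC matches in mac-linux.nftables.args are emitted as `ether saddr '& ff:ff:ff:ff:ff:ff == 01:02:03:04:05:06'` and `ether daddr '& ff:ff:ff:ff:ff:ff == aa:bb:cc:dd:ee:ff'`, where a mask of all ones makes the bitwise AND a no-op, while the inet files in this same series emit the plain `ether saddr 01:02:03:04:05:06` for the same comparison. Suggest only generating the `& mask ==` form when the mask is not all ones, so the two code paths produce the same rule text for the same input and the rules stay readable in `nft list ruleset`.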
@@ -0,0 +1,215 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8035 \ +@nh,0,16 \ +0xc \ +@nh,40,16 \ +0x22 \ +@nh,48,16 \ +0x1 \ +@nh,64,48 \ +0x010203040506 \ +@nh,144,48 \ +0x0a0b0c0d0e0f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x8035 \ +@nh,0,16 \ +0xff \ +@nh,40,16 \ +0xff \ +@nh,48,16 \ +0x1 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x8035 \ +@nh,0,16 \ +0x100 \ +@nh,40,16 \ +0x100 \ +@nh,48,16 \ +0xb \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x8035 \ +@nh,0,16 \ +0xffff \ +@nh,40,16 \ +0xffff \ +@nh,48,16 \ +0xffff \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ 
+jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.nftables.args b= /tests/nwfilterxml2firewalldata/sctp-ipv6-linux.nftables.args new file mode 100755 index 0000000000..a60b5cecd4 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.nftables.args 
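Review bot: in rarp-linux.nftables.args the second raw-payload match of every rule is at the wrong offset. The three raw matches sit at `@nh,0,16` (hardware type), `@nh,40,16` and `@nh,48,16` (opcode, with values 0x1, 0x1, 0xb, 0xffff), so the middle one can only be the protocol type; in the ARP/RARP header the protocol type is the 16-bit field at bit offset 16, whereas offset 40 covers the PLEN byte and the high byte of the opcode, which means `@nh,40,16 0x22` (and the 0xff / 0x100 / 0xffff variants) can never match a real RARP frame, and the opcode is already matched separately at `@nh,48,16`. Unless I misread which field this encodes, it should be `@nh,16,16`. The MAC offsets `@nh,64,48` (sender hardware address) and `@nh,144,48` (target hardware address) are correct for hlen 6 / plen 4.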
@@ -0,0 +1,328 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +sctp \ +dport \ +100-1111 \ +sctp \ +sport \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +sctp \ +sport \ +100-1111 \ +sctp \ +dport \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +sctp \ +dport \ +65535-65535 \ +sctp \ +sport \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ 
+dscp \ +63 \ +sctp \ +sport \ +65535-65535 \ +sctp \ +dport \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/sctp-linux.nftables.args b/test= s/nwfilterxml2firewalldata/sctp-linux.nftables.args new file mode 100755 index 0000000000..9ef83ef25c --- /dev/null +++ b/tests/nwfilterxml2firewalldata/sctp-linux.nftables.args 
@@ -0,0 +1,328 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +sctp \ +dport \ +100-1111 \ +sctp \ +sport \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +sctp \ +sport \ +100-1111 \ +sctp \ +dport \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +sctp \ +dport \ +65535-65535 \ +sctp \ +sport \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +sctp \ +sport \ +65535-65535 \ 
+sctp \ +dport \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/target-linux.nftables.args b/te= sts/nwfilterxml2firewalldata/target-linux.nftables.args new file mode 100755 index 0000000000..0e3c480e36 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/target-linux.nftables.args 
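Review bot: in sctp-linux.nftables.args (and identically in sctp-ipv6-linux.nftables.args above) the reply-direction rule derived from the first rule swaps `ip daddr 10.1.2.3/32` to `ip saddr 10.1.2.3/32` but keeps `ether saddr 01:02:03:04:05:06` unchanged, so the n-vnet0-in rule with `ct direction reply` requires an inbound reply to carry the same source MAC as the outbound original; an inbound frame carries the peer's MAC as source, so unless both ends share that address the reply rule never matches and the established return path stays closed. The same applies to the third rule, a rule evaluated in n-vnet0-in with `ct direction original` and the same `ether saddr`. Suggest not emitting the srcmacaddr match for rules evaluated on frames headed toward the VM (n-vnet0-in), since a source-MAC check against the VM-side address is only meaningful on frames leaving it. Cosmetic: `sctp dport 65535-65535` could be emitted as a single value when the range bounds are equal.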
@@ -0,0 +1,466 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +drop \ +comment \ +'"priority=3D500,usercomment=3Ddrop rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +drop \ +comment \ +'"priority=3D500,usercomment=3Dreject rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir in"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir in"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ 
+33 \ +drop \ +comment \ +'"priority=3D500,usercomment=3Ddrop rule -- dir in"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +drop \ +comment \ +'"priority=3D500,usercomment=3Dreject rule -- dir in"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D500,usercomment=3Ddrop rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D500,usercomment=3Dreject rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x800 \ +accept \ +comment \ +'"priority=3D500"' 
+nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x800 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x800 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/target2-linux.nftables.args b/t= ests/nwfilterxml2firewalldata/target2-linux.nftables.args new file mode 100755 index 0000000000..a8dbb3585a --- /dev/null 
+++ b/tests/nwfilterxml2firewalldata/target2-linux.nftables.args 
@@ -0,0 +1,322 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +dport \ +22 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +sport \ +22 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +sport \ +22 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +dport \ +22 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +dport \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +sport \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ 
+n-vnet0-out \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.nftables.args b/= tests/nwfilterxml2firewalldata/tcp-ipv6-linux.nftables.args new file mode 100755 index 0000000000..8e172b4e21 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.nftables.args 
@@ -0,0 +1,328 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +tcp \ +dport \ +100-1111 \ +tcp \ +sport \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +tcp \ +sport \ +100-1111 \ +tcp \ +dport \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +tcp \ +dport \ +65535-65535 \ +tcp \ +sport \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ 
+tcp \ +sport \ +65535-65535 \ +tcp \ +dport \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/tcp-linux.nftables.args b/tests= /nwfilterxml2firewalldata/tcp-linux.nftables.args new file mode 100755 index 0000000000..895b464652 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/tcp-linux.nftables.args 
@@ -0,0 +1,476 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +tcp \ +dport \ +100-1111 \ +tcp \ +sport \ +20-21 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +tcp \ +dport \ +65535-65535 \ +tcp \ +sport \ +255-256 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +syn \ +=3D=3D \ +'{' \ +'*' \ +'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +syn \ +=3D=3D \ +'{' \ +'*' \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +syn \ +=3D=3D \ +'{' \ +syn,ack \ 
+'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +syn \ +=3D=3D \ +'{' \ +syn,ack \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +rst \ +=3D=3D \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +rst \ +=3D=3D \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +psh \ +=3D=3D \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +psh \ +=3D=3D \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ 
+libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.nftables.args b/= tests/nwfilterxml2firewalldata/udp-ipv6-linux.nftables.args new file mode 100755 index 0000000000..2b1773ab45 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.nftables.args 
@@ -0,0 +1,328 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::a:b:c/128 \ +ip6 \ +dscp \ +33 \ +udp \ +dport \ +100-1111 \ +udp \ +sport \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::a:b:c/128 \ +ip6 \ +dscp \ +33 \ +udp \ +sport \ +100-1111 \ +udp \ +dport \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +udp \ +dport \ +65535-65535 \ +udp \ +sport \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ 
+udp \ +sport \ +65535-65535 \ +udp \ +dport \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/udp-linux.nftables.args b/tests= /nwfilterxml2firewalldata/udp-linux.nftables.args new file mode 100755 index 0000000000..5538fb7a22 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/udp-linux.nftables.args 
@@ -0,0 +1,328 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +udp \ +dport \ +100-1111 \ +udp \ +sport \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +udp \ +sport \ +100-1111 \ +udp \ +dport \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +udp \ +dport \ +65535-65535 \ +udp \ +sport \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +udp \ +sport \ +65535-65535 \ +udp \ +dport \ 
+255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.nftables.arg= s b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.nftables.args new file mode 100755 index 0000000000..4dbad5f690 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.nftables.args 
@@ -0,0 +1,310 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ 
+comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/udplite-linux.nftables.args b/t= ests/nwfilterxml2firewalldata/udplite-linux.nftables.args new file mode 100755 index 0000000000..d7345a8bd6 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/udplite-linux.nftables.args 
@@ -0,0 +1,304 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +ether \ +saddr \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ 
+jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2firewalldata/vlan-linux.nftables.args b/test= s/nwfilterxml2firewalldata/vlan-linux.nftables.args new file mode 100755 index 0000000000..6770ca3708 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/vlan-linux.nftables.args 
@@ -0,0 +1,271 @@ +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +vlan \ +id \ +291 \ +continue \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +vlan \ +id \ +291 \ +continue \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +vlan \ +id \ +1234 \ +return \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +vlan \ +id \ +1234 \ +return \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-in \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +vlan \ +id \ +291 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +vlan \ +type \ +2054 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& 
ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +vlan \ +type \ +4660 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_inet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt_nwfilter_ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_inet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt_nwfilter_ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/ah-ipv6-linux.args b/tests/n= wfilterxml2nftfirewalldata/ah-ipv6-linux.args new file mode 100755 index 0000000000..4a59213758 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/ah-ipv6-linux.args 
@@ -0,0 +1,304 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' 
+nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/ah-linux.args b/tests/nwfilt= erxml2nftfirewalldata/ah-linux.args new file mode 100755 index 0000000000..2cd4ea4604 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/ah-linux.args 
@@ -0,0 +1,298 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +ah \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ 
+add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/all-ipv6-linux.args b/tests/= nwfilterxml2nftfirewalldata/all-ipv6-linux.args new file mode 100755 index 0000000000..426169a28d --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/all-ipv6-linux.args 
@@ -0,0 +1,286 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ 
+libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/all-linux.args b/tests/nwfil= terxml2nftfirewalldata/all-linux.args new file mode 100755 index 0000000000..ff8509e85e --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/all-linux.args 
@@ -0,0 +1,280 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ 
+libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/arp-linux.args b/tests/nwfil= terxml2nftfirewalldata/arp-linux.args new file mode 100755 index 0000000000..254e635294 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/arp-linux.args 
@@ -0,0 +1,215 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x806 \ +'arp htype' \ +12 \ +'arp operation' \ +1 \ +'arp ptype' \ +0x22 \ +'ether saddr' \ +01:02:03:04:05:06 \ +'ether daddr' \ +0a:0b:0c:0d:0e:0f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +'arp htype' \ +255 \ +'arp operation' \ +1 \ +'arp ptype' \ +0xff \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +'arp htype' \ +256 \ +'arp operation' \ +11 \ +'arp ptype' \ +0x100 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x806 \ +'arp htype' \ +65535 \ +'arp operation' \ +65535 \ +'arp ptype' \ +0xffff \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ 
+libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/arp.xml b/tests/nwfilterxml2= nftfirewalldata/arp.xml new file mode 100644 index 0000000000..ba68f6d7cc --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/arp.xml @@ -0,0 +1,27 @@ + + 5c6d49af-b071-6127-b4ec-6f8ed4b55335 + + + + + + + + + + + + + + + + diff --git a/tests/nwfilterxml2nftfirewalldata/comment-linux.args b/tests/n= wfilterxml2nftfirewalldata/comment-linux.args new file mode 100755 index 0000000000..ef6c4ed68b --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/comment-linux.args 
@@ -0,0 +1,483 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +'ether type' \ +0x1234 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +daddr \ +10.1.2.3/32 \ +'ip protocol' \ +17 \ +'th sport' \ +291-564 \ +'th dport' \ +13398-17767 \ +'ip dscp' \ +0x32 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:fe =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:80 =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/22 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/113 \ +'ip6 nexthdr' \ +6 \ +'th sport' \ +273-400 \ +'th dport' \ +13107-65535 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x806 \ +'arp htype' \ +18 \ +'arp operation' \ +1 \ +'arp ptype' \ +0x56 \ +'ether saddr' \ +01:02:03:04:05:06 \ +'ether daddr' \ +0a:0b:0c:0d:0e:0f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +34 \ +'udp dport' \ +564-1092 \ +'udp sport' \ +291-400 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dudp rule"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ 
+ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +34 \ +'udp sport' \ +564-1092 \ +'udp dport' \ +291-400 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dudp rule"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +'tcp dport' \ +256-4369 \ +'tcp sport' \ +32-33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dtcp/ipv6 rule"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +'tcp sport' \ +256-4369 \ +'tcp dport' \ +32-33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dtcp/ipv6 rule"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3D`ls`;${COLUMNS};$(ls);'\''test'\'';&'\''3 = spaces'\''"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3D`ls`;${COLUMNS};$(ls);'\''test'\'';&'\''3 = spaces'\''"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dcomment with lone '\'', `, '\'', `, \, $x, = and two spaces"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 
\ +meta \ +l4proto \ +sctp \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dcomment with lone '\'', `, '\'', `, \, $x, = and two spaces"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dtmp=3D`mktemp`; echo ${RANDOM} > ${tmp} ; c= at < ${tmp}; rm -f ${tmp}"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +ah \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Dtmp=3D`mktemp`; echo ${RANDOM} > ${tmp} ; c= at < ${tmp}; rm -f ${tmp}"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif 
\ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/conntrack-linux.args b/tests= /nwfilterxml2nftfirewalldata/conntrack-linux.args new file mode 100755 index 0000000000..e5e22a3460 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/conntrack-linux.args 
@@ -0,0 +1,198 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +count \ +over \ +1 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ct \ +count \ +over \ +2 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft 
\ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/esp-ipv6-linux.args b/tests/= nwfilterxml2nftfirewalldata/esp-ipv6-linux.args new file mode 100755 index 0000000000..ede39e4c4b --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/esp-ipv6-linux.args 
@@ -0,0 +1,304 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ 
+'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/esp-linux.args b/tests/nwfil= terxml2nftfirewalldata/esp-linux.args new file mode 100755 index 0000000000..500d069b80 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/esp-linux.args 
@@ -0,0 +1,298 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +esp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in 
+nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/example-1-linux.args b/tests= /nwfilterxml2nftfirewalldata/example-1-linux.args new file mode 100755 index 0000000000..963d77b7c9 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/example-1-linux.args 
@@ -0,0 +1,266 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp dport' \ +22 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D100"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp sport' \ +22 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D100"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D200"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D200"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D300"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D300"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D1000"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D1000"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ 
+'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/example-2-linux.args b/tests= /nwfilterxml2nftfirewalldata/example-2-linux.args new file mode 100755 index 0000000000..ffff3f1628 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/example-2-linux.args 
@@ -0,0 +1,348 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +established,related \ +accept \ +comment \ +'"priority=3D100,usercomment=3Dout: existing and related (ftp) connections= "' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established,related \ +accept \ +comment \ +'"priority=3D100,usercomment=3Dout: existing and related (ftp) connections= "' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D100,usercomment=3Din: existing connections"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D100,usercomment=3Din: existing connections"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp dport' \ +21-22 \ +ct \ +direction \ +original \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D200,usercomment=3Din: ftp and ssh"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp sport' \ +21-22 \ +ct \ +direction \ +reply \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D200,usercomment=3Din: ftp and ssh"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D300,usercomment=3Din: icmp"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D300,usercomment=3Din: icmp"' +nft \ +add \ +rule \ +bridge \ 
+libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'udp dport' \ +53 \ +ct \ +direction \ +original \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D300,usercomment=3Dout: DNS lookups"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'udp sport' \ +53 \ +ct \ +direction \ +reply \ +ct \ +state \ +new \ +accept \ +comment \ +'"priority=3D300,usercomment=3Dout: DNS lookups"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D1000,usercomment=3Dinout: drop all non-accepted traffic"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D1000,usercomment=3Dinout: drop all non-accepted traffic"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ 
+element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/hex-data-linux.args b/tests/= nwfilterxml2nftfirewalldata/hex-data-linux.args new file mode 100755 index 0000000000..c14b85460a --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/hex-data-linux.args 
@@ -0,0 +1,357 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +'ether type' \ +0x1234 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +daddr \ +10.1.2.3/32 \ +'ip protocol' \ +17 \ +'th sport' \ +291-564 \ +'th dport' \ +13398-17767 \ +'ip dscp' \ +0x32 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:fe =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:80 =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/22 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/113 \ +'ip6 nexthdr' \ +6 \ +'th sport' \ +273-400 \ +'th dport' \ +13107-65535 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x806 \ +'arp htype' \ +18 \ +'arp operation' \ +1 \ +'arp ptype' \ +0x56 \ +'ether saddr' \ +01:02:03:04:05:06 \ +'ether daddr' \ +0a:0b:0c:0d:0e:0f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +34 \ +'udp dport' \ +564-1092 \ +'udp sport' \ +291-400 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ 
+10.1.2.3/32 \ +ip \ +dscp \ +34 \ +'udp sport' \ +564-1092 \ +'udp dport' \ +291-400 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +'tcp dport' \ +256-4369 \ +'tcp sport' \ +32-33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +57 \ +'tcp sport' \ +256-4369 \ +'tcp dport' \ +32-33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump 
\ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/icmp-direction-linux.args b/= tests/nwfilterxml2nftfirewalldata/icmp-direction-linux.args new file mode 100755 index 0000000000..cfa1afd466 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/icmp-direction-linux.args 
@@ -0,0 +1,238 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ 
+bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/icmp-direction2-linux.args b= /tests/nwfilterxml2nftfirewalldata/icmp-direction2-linux.args new file mode 100755 index 0000000000..56c30766ac --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/icmp-direction2-linux.args 
@@ -0,0 +1,238 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +8 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +icmp \ +type \ +0 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ 
+bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/icmp-direction3-linux.args b= /tests/nwfilterxml2nftfirewalldata/icmp-direction3-linux.args new file mode 100755 index 0000000000..6de47f0994 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/icmp-direction3-linux.args 
@@ -0,0 +1,184 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D600"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ 
+'}' diff --git a/tests/nwfilterxml2nftfirewalldata/icmp-linux.args b/tests/nwfi= lterxml2nftfirewalldata/icmp-linux.args new file mode 100755 index 0000000000..a5aba05334 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/icmp-linux.args 
@@ -0,0 +1,252 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +icmp \ +type \ +12 \ +icmp \ +code \ +11 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +icmp \ +type \ +12 \ +icmp \ +code \ +11 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +icmp \ +type \ +255 \ +icmp \ +code \ +255 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +protocol \ +icmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +icmp \ +type \ +255 \ +icmp \ +code \ +255 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ 
+add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/icmpv6-linux.args b/tests/nw= filterxml2nftfirewalldata/icmpv6-linux.args new file mode 100755 index 0000000000..baaab3a720 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/icmpv6-linux.args 
@@ -0,0 +1,322 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +icmpv6 \ +type \ +12 \ +icmpv6 \ +code \ +11 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +icmpv6 \ +type \ +12 \ +icmpv6 \ +code \ +11 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +nexthdr \ +icmpv6 \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ 
+dscp \ +33 \ +icmpv6 \ +type \ +255 \ +icmpv6 \ +code \ +255 \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/igmp-linux.args b/tests/nwfi= lterxml2nftfirewalldata/igmp-linux.args new file mode 100755 index 0000000000..4f8de57a39 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/igmp-linux.args 
@@ -0,0 +1,298 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +igmp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ 
+n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/ip-linux.args b/tests/nwfilt= erxml2nftfirewalldata/ip-linux.args new file mode 100755 index 0000000000..c4951b0d45 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/ip-linux.args 
@@ -0,0 +1,198 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +daddr \ +10.1.2.3/32 \ +'ip protocol' \ +17 \ +'th sport' \ +20-22 \ +'th dport' \ +100-101 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip \ +ip \ +saddr \ +10.1.2.3/17 \ +ip \ +daddr \ +10.1.2.3/24 \ +'ip protocol' \ +17 \ +'ip dscp' \ +0x3f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip \ +ip \ +saddr \ +10.1.2.3/31 \ +ip \ +daddr \ +10.1.2.3/25 \ +'ip protocol' \ +255 \ +'ip dscp' \ +0x3f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ 
+n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/ipt-no-macspoof-linux.args b= /tests/nwfilterxml2nftfirewalldata/ipt-no-macspoof-linux.args new file mode 100755 index 0000000000..2646905c98 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/ipt-no-macspoof-linux.args 
@@ -0,0 +1,169 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +'!=3D' \ +12:34:56:78:9a:bc \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +'!=3D' \ +12:34:56:78:9a:bc \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +'!=3D' \ +aa:aa:aa:aa:aa:aa \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' 
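Review bot: in ipt-no-macspoof-linux.args two of the three `'ether saddr' != ... drop` rules go into `n-vnet0-in`, which the trailer enters from `postrouting oif vnet0`, i.e. frames on their way into the guest; there, `ether saddr != 12:34:56:78:9a:bc drop` does not stop the guest from spoofing, it blocks every IPv4 frame from any other station, so only the single `n-vnet0-out` rule (entered from `prerouting iif vnet0`) is an anti-spoofing check. If that mirrors the direction attributes of the source XML it is correct output, but a one-line comment in the test or the commit message would stop someone from later "fixing" the expected data. Also, each rule is gated on `ether type ip`, so ARP and IPv6 frames with a forged source MAC pass this filter; that is what a rule generated from an IP-level element should do, just do not read the test name as full MAC-spoof coverage.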
diff --git a/tests/nwfilterxml2nftfirewalldata/ipv6-linux.args b/tests/nwfi= lterxml2nftfirewalldata/ipv6-linux.args new file mode 100755 index 0000000000..5b1715f687 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/ipv6-linux.args 
@@ -0,0 +1,474 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:fe =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:80 =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/22 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/113 \ +'ip6 nexthdr' \ +17 \ +'th sport' \ +20-22 \ +'th dport' \ +100-101 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +6 \ +'th sport' \ +20-22 \ +'th dport' \ +100-101 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +6 \ +'th dport' \ +20-22 \ +'th sport' \ +100-101 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +6 \ +'th sport' \ +255-256 \ +'th dport' \ +65535-65535 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +6 \ +'th dport' \ +255-256 \ +'th sport' \ +65535-65535 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +18 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +18 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ 
+bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 type' \ +1 \ +'icmpv6 code' \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 type' \ +1 \ +'icmpv6 code' \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 type' \ +1 \ +'icmpv6 code' \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 type' \ +1 \ +'icmpv6 code' \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 code' \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 code' \ +10 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +ip6 \ +saddr \ +1::2/128 \ +ip6 \ +daddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 type' \ +1 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +ip6 \ +daddr \ +1::2/128 \ +ip6 \ +saddr \ +a:b:c::/65 \ +'ip6 nexthdr' \ +58 \ +'icmpv6 type' \ +1 \ +accept \ +comment \ 
+'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/iter1-linux.args b/tests/nwf= ilterxml2nftfirewalldata/iter1-linux.args new file mode 100755 index 0000000000..18a8c2e166 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/iter1-linux.args 
@@ -0,0 +1,298 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ 
+element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/iter2-linux.args b/tests/nwf= ilterxml2nftfirewalldata/iter2-linux.args new file mode 100755 index 0000000000..8391f933d5 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/iter2-linux.args 
@@ -0,0 +1,3598 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +1 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +1 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +1 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +1 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +'udp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ 
+new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +'udp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +'udp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +'udp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +'udp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +2 \ +'udp dport' \ +90 \ +ct \ 
+direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +'udp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +2 \ +'udp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1080 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1080 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ 
+sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1080 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1080 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1080 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1080 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1090 \ +'sctp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1090 \ +'sctp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1090 \ +'sctp sport' \ +90 \ +ct 
\ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1090 \ +'sctp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1090 \ +'sctp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1090 \ +'sctp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1100 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1100 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1100 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' 
+nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1100 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1100 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1100 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1110 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1110 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1110 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ 
+l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1110 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1110 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1110 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1080 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1080 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1080 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1080 \ +'tcp dport' \ +80 \ +ct \ 
+direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1080 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1080 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1080 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1080 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1080 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1080 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ 
+bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1080 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1080 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1090 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1090 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1090 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1090 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ 
+3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1090 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1090 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1090 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1090 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1090 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1090 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1090 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ 
+new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1090 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1100 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1100 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1100 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1100 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1100 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ 
+n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1100 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1100 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1100 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1100 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1100 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1100 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' 
\ +1100 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1110 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1110 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1110 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1110 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1110 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1110 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ 
+'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1110 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1110 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1110 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1110 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp dport' \ +1110 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +4 \ +'tcp sport' \ +1110 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta 
\ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ 
+libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ 
+comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +5 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +6 \ 
+ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +3.3.3.3 \ +ip \ +saddr \ +3.3.3.3 \ +ip \ +dscp \ +6 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ 
+bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/iter3-linux.args b/tests/nwf= ilterxml2nftfirewalldata/iter3-linux.args new file mode 100755 index 0000000000..d4446f13ed --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/iter3-linux.args 
@@ -0,0 +1,418 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +'tcp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +'tcp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +'tcp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +ip \ +daddr \ +1.1.1.1 \ +ip \ +dscp \ +1 \ +'tcp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp sport' \ +90 \ +ct \ +direction \ +original \ +ct \ +state \ 
+new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +2 \ +'udp dport' \ +90 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +saddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp dport' \ +1100 \ +'sctp sport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +ip \ +daddr \ +2.2.2.2 \ +ip \ +dscp \ +3 \ +'sctp sport' \ +1100 \ +'sctp dport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ 
+libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/mac-linux.args b/tests/nwfil= terxml2nftfirewalldata/mac-linux.args new file mode 100755 index 0000000000..d5a7083019 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/mac-linux.args 
@@ -0,0 +1,180 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +'ether type' \ +0x806 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +'ether type' \ +0x800 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +'ether type' \ +0x600 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +'ether type' \ +0xffff \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ 
+libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/rarp-linux.args b/tests/nwfi= lterxml2nftfirewalldata/rarp-linux.args new file mode 100755 index 0000000000..fbeae86d98 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/rarp-linux.args 
@@ -0,0 +1,215 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8035 \ +'arp htype' \ +12 \ +'arp operation' \ +1 \ +'arp ptype' \ +0x22 \ +'ether saddr' \ +01:02:03:04:05:06 \ +'ether daddr' \ +0a:0b:0c:0d:0e:0f \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x8035 \ +'arp htype' \ +255 \ +'arp operation' \ +1 \ +'arp ptype' \ +0xff \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x8035 \ +'arp htype' \ +256 \ +'arp operation' \ +11 \ +'arp ptype' \ +0x100 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +type \ +0x8035 \ +'arp htype' \ +65535 \ +'arp operation' \ +65535 \ +'arp ptype' \ +0xffff \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ 
+libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/sctp-ipv6-linux.args b/tests= /nwfilterxml2nftfirewalldata/sctp-ipv6-linux.args new file mode 100755 index 0000000000..0898cdcb82 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/sctp-ipv6-linux.args 
@@ -0,0 +1,314 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +'sctp dport' \ +100-1111 \ +'sctp sport' \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +'sctp sport' \ +100-1111 \ +'sctp dport' \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +'sctp dport' \ +65535-65535 \ +'sctp sport' \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ 
+63 \ +'sctp sport' \ +65535-65535 \ +'sctp dport' \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/sctp-linux.args b/tests/nwfi= lterxml2nftfirewalldata/sctp-linux.args new file mode 100755 index 0000000000..34bffb804a --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/sctp-linux.args 
@@ -0,0 +1,314 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +'sctp dport' \ +100-1111 \ +'sctp sport' \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +'sctp sport' \ +100-1111 \ +'sctp dport' \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +'sctp dport' \ +65535-65535 \ +'sctp sport' \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +sctp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +'sctp sport' \ +65535-65535 \ +'sctp 
dport' \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/target-linux.args b/tests/nw= filterxml2nftfirewalldata/target-linux.args new file mode 100755 index 0000000000..d4b0c0f70f --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/target-linux.args 
@@ -0,0 +1,452 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +drop \ +comment \ +'"priority=3D500,usercomment=3Ddrop rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +drop \ +comment \ +'"priority=3D500,usercomment=3Dreject rule -- dir out"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir in"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir in"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ 
+33 \ +drop \ +comment \ +'"priority=3D500,usercomment=3Ddrop rule -- dir in"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +drop \ +comment \ +'"priority=3D500,usercomment=3Dreject rule -- dir in"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500,usercomment=3Daccept rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D500,usercomment=3Ddrop rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D500,usercomment=3Dreject rule -- dir inout"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +'ether type' \ +0x806 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +'ether type' \ +0x806 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +'ether type' \ +0x806 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +'ether type' \ +0x800 \ +accept \ +comment \ +'"priority=3D500"' 
+nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +'ether type' \ +0x800 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +'ether type' \ +0x800 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/target2-linux.args b/tests/n= wfilterxml2nftfirewalldata/target2-linux.args new file mode 100755 index 0000000000..33fb4351ca --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/target2-linux.args 
@@ -0,0 +1,316 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp dport' \ +22 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp sport' \ +22 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp sport' \ +22 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp dport' \ +22 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp dport' \ +80 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'tcp sport' \ +80 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other 
\ +n-vnet0-out \ +ether \ +type \ +ip \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/tcp-ipv6-linux.args b/tests/= nwfilterxml2nftfirewalldata/tcp-ipv6-linux.args new file mode 100755 index 0000000000..47dbed5a14 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/tcp-ipv6-linux.args 
@@ -0,0 +1,314 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +'tcp dport' \ +100-1111 \ +'tcp sport' \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +'tcp sport' \ +100-1111 \ +'tcp dport' \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +'tcp dport' \ +65535-65535 \ +'tcp sport' \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +'tcp 
sport' \ +65535-65535 \ +'tcp dport' \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/tcp-linux.args b/tests/nwfil= terxml2nftfirewalldata/tcp-linux.args new file mode 100755 index 0000000000..6ccc0fd7dc --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/tcp-linux.args 
@@ -0,0 +1,468 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +'tcp dport' \ +100-1111 \ +'tcp sport' \ +20-21 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +'tcp dport' \ +65535-65535 \ +'tcp sport' \ +255-256 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +syn \ +=3D=3D \ +'{' \ +'*' \ +'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +syn \ +=3D=3D \ +'{' \ +'*' \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +syn \ +=3D=3D \ +'{' \ +syn,ack \ 
+'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +syn \ +=3D=3D \ +'{' \ +syn,ack \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +rst \ +=3D=3D \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +rst \ +=3D=3D \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +psh \ +=3D=3D \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +tcp \ +tcp \ +flags \ +'&' \ +psh \ +=3D=3D \ +'{' \ +0 \ +'}' \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ 
+bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/udp-ipv6-linux.args b/tests/= nwfilterxml2nftfirewalldata/udp-ipv6-linux.args new file mode 100755 index 0000000000..7bb8813ed8 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/udp-ipv6-linux.args 
@@ -0,0 +1,314 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::a:b:c/128 \ +ip6 \ +dscp \ +33 \ +'udp dport' \ +100-1111 \ +'udp sport' \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::a:b:c/128 \ +ip6 \ +dscp \ +33 \ +'udp sport' \ +100-1111 \ +'udp dport' \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +'udp dport' \ +65535-65535 \ +'udp sport' \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +63 \ +'udp 
sport' \ +65535-65535 \ +'udp dport' \ +255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/udp-linux.args b/tests/nwfil= terxml2nftfirewalldata/udp-linux.args new file mode 100755 index 0000000000..bff4d8ad97 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/udp-linux.args 
@@ -0,0 +1,314 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +'udp dport' \ +100-1111 \ +'udp sport' \ +20-21 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +33 \ +'udp sport' \ +100-1111 \ +'udp dport' \ +20-21 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +'udp dport' \ +65535-65535 \ +'udp sport' \ +255-256 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udp \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +63 \ +'udp sport' \ +65535-65535 \ +'udp dport' \ 
+255-256 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/udplite-ipv6-linux.args b/te= sts/nwfilterxml2nftfirewalldata/udplite-ipv6-linux.args new file mode 100755 index 0000000000..354cf9e251 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/udplite-ipv6-linux.args 
@@ -0,0 +1,304 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +f:e:d::c:b:a/127 \ +ip6 \ +daddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +f:e:d::c:b:a/127 \ +ip6 \ +saddr \ +a:b:c::d:e:f/128 \ +ip6 \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +a:b:c::/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +saddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip6 \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip6 \ +daddr \ +::ffff:10.1.2.3/128 \ +ip6 \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ 
+comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/udplite-linux.args b/tests/n= wfilterxml2nftfirewalldata/udplite-linux.args new file mode 100755 index 0000000000..97e06609aa --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/udplite-linux.args 
@@ -0,0 +1,298 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/32 \ +ip \ +dscp \ +2 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-in \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +saddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +original \ +ct \ +state \ +new,established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +n-vnet0-out \ +ether \ +type \ +ip \ +meta \ +l4proto \ +udplite \ +'ether saddr' \ +01:02:03:04:05:06 \ +ip \ +daddr \ +10.1.2.3/22 \ +ip \ +dscp \ +33 \ +ct \ +direction \ +reply \ +ct \ +state \ +established \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 
\ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalldata/vlan-linux.args b/tests/nwfi= lterxml2nftfirewalldata/vlan-linux.args new file mode 100755 index 0000000000..8075637e4c --- /dev/null +++ b/tests/nwfilterxml2nftfirewalldata/vlan-linux.args 
@@ -0,0 +1,264 @@ +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan id' \ +291 \ +continue \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan id' \ +291 \ +continue \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan id' \ +1234 \ +return \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan id' \ +1234 \ +return \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-in \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan id' \ +291 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan type' \ +2054 \ +drop \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +n-vnet0-out \ +ether \ +saddr \ +'& ff:ff:ff:ff:ff:ff =3D=3D 01:02:03:04:05:06' \ +ether \ +daddr \ +'& 
ff:ff:ff:ff:ff:ff =3D=3D aa:bb:cc:dd:ee:ff' \ +ether \ +type \ +0x8100 \ +'vlan type' \ +4660 \ +accept \ +comment \ +'"priority=3D500"' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +postrouting \ +oif \ +vnet0 \ +jump \ +n-vnet0-in +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-oif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-in \ +'}' +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-other \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +add \ +rule \ +bridge \ +libvirt-nwfilter-ethernet \ +prerouting \ +iif \ +vnet0 \ +jump \ +n-vnet0-out +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-other \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' +nft \ +delete \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +'}' +nft \ +add \ +element \ +bridge \ +libvirt-nwfilter-ethernet \ +vmap-iif \ +'{' \ +vnet0 \ +: \ +jump \ +n-vnet0-out \ +'}' diff --git a/tests/nwfilterxml2nftfirewalltest.c b/tests/nwfilterxml2nftfir= ewalltest.c new file mode 100644 index 0000000000..657c8306b9 --- /dev/null +++ b/tests/nwfilterxml2nftfirewalltest.c 
@@ -0,0 +1,438 @@ +/* + * nwfilterxml2nftfirewalltest.c: Test iptables rule generation + * + * Copyright (C) 2014 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library. If not, see + * . + * + */ + +#include + +#if defined (__linux__) + +# include "testutils.h" +# include "nwfilter/nwfilter_nftables_driver.h" +# include "virbuffer.h" + +# define LIBVIRT_VIRCOMMANDPRIV_H_ALLOW +# include "vircommandpriv.h" + +# define VIR_FROM_THIS VIR_FROM_NONE + +# ifdef __linux__ +# define RULESTYPE "linux" +# else +# error "test case not ported to this platform" +# endif + +typedef struct _virNWFilterInst virNWFilterInst; +struct _virNWFilterInst { + virNWFilterDef **filters; + size_t nfilters; + virNWFilterRuleInst **rules; + size_t nrules; +}; + +/* + * Some sets of rules that will be common to all test files, + * so we don't bother including them in the test data files + * as that would just bloat them + */ + +static const char *commonRules[] =3D { + "nft \\\nlist \\\ntables\n" + "nft \\\nlist \\\nchains\n" + "nft \\\nadd \\\ntable \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\n'{= comment \"Managed by libvirt for network filters: https://libvirt.org/fire= wall.html#the-network-filter-driver\"; }'\n" + "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\nvmap= -oif \\\n'{ type iface_index: verdict; }'\n" + "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\nvmap= 
-iif \\\n'{ type iface_index: verdict; }'\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\npo= strouting \\\n'{ type filter hook postrouting priority 0; policy accept; }= '\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\npr= erouting \\\n'{ type filter hook prerouting priority 0; policy accept; }'\= n" + "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\npos= trouting \\\noif \\\nvmap \\\n@vmap-oif\n" + "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\npre= routing \\\niif \\\nvmap \\\n@vmap-iif\n" + "nft \\\nadd \\\ntable \\\nbridge \\\nlibvirt_nwfilter_inet \\\n'{ com= ment \"Managed by libvirt for network filters: https://libvirt.org/firewall= .html#the-network-filter-driver\"; }'\n" + "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt_nwfilter_inet \\\nvmap-oif= \\\n'{ type iface_index: verdict; }'\n", + "nft \\\nadd \\\nmap \\\nbridge \\\nlibvirt_nwfilter_inet \\\nvmap-iif= \\\n'{ type iface_index: verdict; }'\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt_nwfilter_inet \\\npostro= uting \\\n'{ type filter hook postrouting priority 1; policy accept; }'\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt_nwfilter_inet \\\nprerou= ting \\\n'{ type filter hook prerouting priority 1; policy accept; }'\n" + "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt_nwfilter_inet \\\npostrou= ting \\\noif \\\nvmap \\\n@vmap-oif\n" + "nft \\\nadd \\\nrule \\\nbridge \\\nlibvirt_nwfilter_inet \\\nprerout= ing \\\niif \\\nvmap \\\n@vmap-iif\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\nn-= vnet0-in \\\n'{ }'\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt_nwfilter_inet \\\nn-vnet= 0-in \\\n'{ }'\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt_nwfilter_ethernet \\\nn-= vnet0-out \\\n'{ }'\n" + "nft \\\nadd \\\nchain \\\nbridge \\\nlibvirt_nwfilter_inet \\\nn-vnet= 0-out \\\n'{ }'\n", +}; + + +static GHashTable * +virNWFilterCreateVarsFrom(GHashTable *vars1, + GHashTable 
*vars2) +{ + g_autoptr(GHashTable) res =3D virHashNew(virNWFilterVarValueHashFree); + + if (virNWFilterHashTablePutAll(vars1, res) < 0) + return NULL; + + if (virNWFilterHashTablePutAll(vars2, res) < 0) + return NULL; + + return g_steal_pointer(&res); +} + + +static void +virNWFilterRuleInstFree(virNWFilterRuleInst *inst) +{ + if (!inst) + return; + + g_clear_pointer(&inst->vars, g_hash_table_unref); + g_free(inst); +} + + +static void +virNWFilterInstReset(virNWFilterInst *inst) +{ + size_t i; + + for (i =3D 0; i < inst->nfilters; i++) + virNWFilterDefFree(inst->filters[i]); + VIR_FREE(inst->filters); + inst->nfilters =3D 0; + + for (i =3D 0; i < inst->nrules; i++) + virNWFilterRuleInstFree(inst->rules[i]); + VIR_FREE(inst->rules); + inst->nrules =3D 0; +} + + +static int +virNWFilterDefToInst(const char *xml, + GHashTable *vars, + virNWFilterInst *inst); + +static int +virNWFilterRuleDefToRuleInst(virNWFilterDef *def, + virNWFilterRuleDef *rule, + GHashTable *vars, + virNWFilterInst *inst) +{ + virNWFilterRuleInst *ruleinst; + int ret =3D -1; + + ruleinst =3D g_new0(virNWFilterRuleInst, 1); + + ruleinst->chainSuffix =3D def->chainsuffix; + ruleinst->chainPriority =3D def->chainPriority; + ruleinst->def =3D rule; + ruleinst->priority =3D rule->priority; + ruleinst->vars =3D virHashNew(virNWFilterVarValueHashFree); + + if (virNWFilterHashTablePutAll(vars, ruleinst->vars) < 0) + goto cleanup; + + VIR_APPEND_ELEMENT(inst->rules, inst->nrules, ruleinst); + + ret =3D 0; + cleanup: + virNWFilterRuleInstFree(ruleinst); + return ret; +} + + +static int +virNWFilterIncludeDefToRuleInst(virNWFilterIncludeDef *inc, + GHashTable *vars, + virNWFilterInst *inst) +{ + g_autoptr(GHashTable) tmpvars =3D NULL; + int ret =3D -1; + g_autofree char *xml =3D NULL; + + xml =3D g_strdup_printf("%s/nwfilterxml2firewalldata/%s.xml", abs_srcd= ir, + inc->filterref); + + /* create a temporary hashmap for depth-first tree traversal */ + if (!(tmpvars =3D virNWFilterCreateVarsFrom(inc->params, 
+ vars))) + goto cleanup; + + if (virNWFilterDefToInst(xml, + tmpvars, + inst) < 0) + goto cleanup; + + ret =3D 0; + cleanup: + if (ret < 0) + virNWFilterInstReset(inst); + return ret; +} + +static int +virNWFilterDefToInst(const char *xml, + GHashTable *vars, + virNWFilterInst *inst) +{ + size_t i; + int ret =3D -1; + virNWFilterDef *def =3D virNWFilterDefParse(NULL, xml, 0); + + if (!def) + return -1; + + VIR_APPEND_ELEMENT_COPY(inst->filters, inst->nfilters, def); + + for (i =3D 0; i < def->nentries; i++) { + if (def->filterEntries[i]->rule) { + if (virNWFilterRuleDefToRuleInst(def, + def->filterEntries[i]->rule, + vars, + inst) < 0) + goto cleanup; + } else if (def->filterEntries[i]->include) { + if (virNWFilterIncludeDefToRuleInst(def->filterEntries[i]->inc= lude, + vars, + inst) < 0) + goto cleanup; + } + } + + ret =3D 0; + cleanup: + if (ret < 0) + virNWFilterInstReset(inst); + return ret; +} + + +static void testRemoveCommonRules(char *rules) +{ + size_t i; + char *offset =3D rules; + + for (i =3D 0; i < G_N_ELEMENTS(commonRules); i++) { + char *tmp =3D strstr(offset, commonRules[i]); + size_t len =3D strlen(commonRules[i]); + if (tmp) { + memmove(tmp, tmp + len, (strlen(tmp) + 1) - len); + offset =3D tmp; + } + } +} + + +static int testSetOneParameter(GHashTable *vars, + const char *name, + const char *value) +{ + virNWFilterVarValue *val; + + if ((val =3D virHashLookup(vars, name)) =3D=3D NULL) { + val =3D virNWFilterVarValueCreateSimpleCopyValue(value); + if (!val) + return -1; + if (virHashUpdateEntry(vars, name, val) < 0) { + virNWFilterVarValueFree(val); + return -1; + } + } else { + if (virNWFilterVarValueAddValueCopy(val, value) < 0) + return -1; + } + + return 0; +} + +static int testSetDefaultParameters(GHashTable *vars) +{ + if (testSetOneParameter(vars, "IPSETNAME", "tck_test") < 0 || + testSetOneParameter(vars, "A", "1.1.1.1") || + testSetOneParameter(vars, "A", "2.2.2.2") || + testSetOneParameter(vars, "A", "3.3.3.3") || + 
testSetOneParameter(vars, "A", "3.3.3.3") || + testSetOneParameter(vars, "B", "80") || + testSetOneParameter(vars, "B", "90") || + testSetOneParameter(vars, "B", "80") || + testSetOneParameter(vars, "B", "80") || + testSetOneParameter(vars, "C", "1080") || + testSetOneParameter(vars, "C", "1090") || + testSetOneParameter(vars, "C", "1100") || + testSetOneParameter(vars, "C", "1110")) + return -1; + return 0; +} + +static void +testCommandDryRunCallback(const char *const*args, + const char *const*env G_GNUC_UNUSED, + const char *input G_GNUC_UNUSED, + char **output, + char **error G_GNUC_UNUSED, + int *status, + void *opaque G_GNUC_UNUSED) +{ + if (STRNEQ(args[0], "nft")) { + return; + } + + /* simulate an empty existing set rules */ + if (STREQ(args[1], "list") && STREQ(args[2], "tables")) { + *output =3D g_strdup("table nothing\n"); + *status =3D EXIT_SUCCESS; + } else if (STREQ(args[1], "list") && STREQ(args[2], "chains")) { + *output =3D g_strdup("chain nothing\n"); + *status =3D EXIT_SUCCESS; + } +} + +static int testCompareXMLToArgvFiles(const char *xml, + const char *cmdline) +{ + g_autofree char *actualargv =3D NULL; + g_auto(virBuffer) buf =3D VIR_BUFFER_INITIALIZER; + g_autoptr(GHashTable) vars =3D virHashNew(virNWFilterVarValueHashFree); + virNWFilterInst inst =3D { 0 }; + int ret =3D -1; + g_autoptr(virCommandDryRunToken) dryRunToken =3D virCommandDryRunToken= New(); + + virCommandSetDryRun(dryRunToken, &buf, true, true, testCommandDryRunCa= llback, NULL); + + if (testSetDefaultParameters(vars) < 0) + goto cleanup; + + if (virNWFilterDefToInst(xml, + vars, + &inst) < 0) + goto cleanup; + + if (nftables_driver.applyNewRules("vnet0", inst.rules, inst.nrules) < = 0) + goto cleanup; + + actualargv =3D virBufferContentAndReset(&buf); + + testRemoveCommonRules(actualargv); + + if (virTestCompareToFileFull(actualargv, cmdline, false) < 0) + goto cleanup; + + ret =3D 0; + + cleanup: + virNWFilterInstReset(&inst); + return ret; +} + +struct testInfo { + const 
char *name; +}; + + +static int +testCompareXMLToIPTablesHelper(const void *data) +{ + int result =3D -1; + const struct testInfo *info =3D data; + g_autofree char *xml =3D NULL; + g_autofree char *override_xml =3D NULL; + g_autofree char *args =3D NULL; + + override_xml =3D g_strdup_printf("%s/nwfilterxml2firewalldata/%s.nftab= les.xml", + abs_srcdir, info->name); + + if (virFileExists(override_xml)) { + xml =3D g_strdup(override_xml); + } else { + xml =3D g_strdup_printf("%s/nwfilterxml2firewalldata/%s.xml", + abs_srcdir, info->name); + } + + args =3D g_strdup_printf("%s/nwfilterxml2firewalldata/%s-%s.nftables.a= rgs", + abs_srcdir, info->name, RULESTYPE); + + result =3D testCompareXMLToArgvFiles(xml, args); + + return result; +} + + +static int +mymain(void) +{ + int ret =3D 0; + +# define DO_TEST(name) \ + do { \ + static struct testInfo info =3D { \ + name, \ + }; \ + if (virTestRun("NWFilter XML-2-firewall " name, \ + testCompareXMLToIPTablesHelper, &info) < 0) \ + ret =3D -1; \ + } while (0) + + DO_TEST("ah"); + DO_TEST("ah-ipv6"); + DO_TEST("all"); + DO_TEST("all-ipv6"); + DO_TEST("arp"); + DO_TEST("comment"); + DO_TEST("conntrack"); + DO_TEST("esp"); + DO_TEST("esp-ipv6"); + DO_TEST("example-1"); + DO_TEST("example-2"); + DO_TEST("hex-data"); + DO_TEST("icmp-direction2"); + DO_TEST("icmp-direction3"); + DO_TEST("icmp-direction"); + DO_TEST("icmp"); + DO_TEST("icmpv6"); + DO_TEST("igmp"); + DO_TEST("ip"); + DO_TEST("ipt-no-macspoof"); + DO_TEST("ipv6"); + DO_TEST("iter1"); + DO_TEST("iter2"); + DO_TEST("iter3"); + DO_TEST("mac"); + DO_TEST("rarp"); + DO_TEST("sctp"); + DO_TEST("sctp-ipv6"); + DO_TEST("target2"); + DO_TEST("target"); + DO_TEST("tcp"); + DO_TEST("tcp-ipv6"); + DO_TEST("udp"); + DO_TEST("udp-ipv6"); + DO_TEST("udplite"); + DO_TEST("udplite-ipv6"); + DO_TEST("vlan"); + + return ret =3D=3D 0 ? EXIT_SUCCESS : EXIT_FAILURE; +} + +VIR_TEST_MAIN_PRELOAD(mymain, VIR_TEST_MOCK("virfirewall")) + +#else /* ! 
defined (__linux__) */ + +int main(void) +{ + return EXIT_AM_SKIP; +} + +#endif /* ! defined (__linux__) */ --=20 2.43.0
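Review bot: the expected-output file is added with the execute bit set ("new file mode 100755" in the header for tests/nwfilterxml2nftfirewalldata/vlan-linux.args); test data needs no execute permission, so this should be 100644 like the test source. One caveat on the rules themselves: every vlan rule keys on `ether type 0x8100`, so only 802.1Q-tagged frames are matched and 802.1ad (0x88a8) tagged frames do not hit these rules at all; if that is the intended scope it is worth stating in the filter documentation.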
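Review bot: the paths in testCompareXMLToIPTablesHelper do not match the data files this patch adds. The helper builds `"%s/nwfilterxml2firewalldata/%s-%s.nftables.args"` (i.e. tests/nwfilterxml2firewalldata/vlan-linux.nftables.args), while the expected-output files live at tests/nwfilterxml2nftfirewalldata/vlan-linux.args, so every DO_TEST case will fail to open its args file; either use `"%s/nwfilterxml2nftfirewalldata/%s-%s.args"` or rename the data files. Related: commonRules[] names the tables `libvirt_nwfilter_ethernet` and `libvirt_nwfilter_inet`, whereas the expected output in vlan-linux.args uses `libvirt-nwfilter-ethernet` and `libvirt-nwfilter-other`; if the driver emits the hyphenated names, strstr() in testRemoveCommonRules never matches, the setup rules stay in actualargv, and the comparison against an .args file that omits them cannot succeed. The array is also split into two elements by the comma after the inet vmap-oif entry, which is harmless but looks accidental. Minor: the header comment still reads "Test iptables rule generation" with a 2014 copyright and the helper name and test label keep the iptables wording, so update them for the nftables driver; and the inner `# ifdef __linux__ ... # error` block is unreachable inside `#if defined (__linux__)`.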