tests: test cases for nftables backend
authorLaine Stump <laine@redhat.com>
Sat, 20 Apr 2024 02:19:43 +0000 (22:19 -0400)
committerLaine Stump <laine@redhat.com>
Thu, 23 May 2024 03:20:37 +0000 (23:20 -0400)
Run all the networkxml2firewall tests twice - once with the iptables
backend, and once with the nftables backend.

The results files for the existing iptables tests were previously
named *.args. That has been changed to *.iptables, and the results
files for the new nftables tests are named *.nftables.

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
25 files changed:
tests/networkxml2firewalldata/base.args [deleted file]
tests/networkxml2firewalldata/base.iptables [new file with mode: 0644]
tests/networkxml2firewalldata/base.nftables [new file with mode: 0644]
tests/networkxml2firewalldata/nat-default-linux.args [deleted file]
tests/networkxml2firewalldata/nat-default-linux.iptables [new file with mode: 0644]
tests/networkxml2firewalldata/nat-default-linux.nftables [new file with mode: 0644]
tests/networkxml2firewalldata/nat-ipv6-linux.args [deleted file]
tests/networkxml2firewalldata/nat-ipv6-linux.iptables [new file with mode: 0644]
tests/networkxml2firewalldata/nat-ipv6-linux.nftables [new file with mode: 0644]
tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args [deleted file]
tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables [new file with mode: 0644]
tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables [new file with mode: 0644]
tests/networkxml2firewalldata/nat-many-ips-linux.args [deleted file]
tests/networkxml2firewalldata/nat-many-ips-linux.iptables [new file with mode: 0644]
tests/networkxml2firewalldata/nat-many-ips-linux.nftables [new file with mode: 0644]
tests/networkxml2firewalldata/nat-no-dhcp-linux.args [deleted file]
tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables [new file with mode: 0644]
tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables [new file with mode: 0644]
tests/networkxml2firewalldata/nat-tftp-linux.args [deleted file]
tests/networkxml2firewalldata/nat-tftp-linux.iptables [new file with mode: 0644]
tests/networkxml2firewalldata/nat-tftp-linux.nftables [new file with mode: 0644]
tests/networkxml2firewalldata/route-default-linux.args [deleted file]
tests/networkxml2firewalldata/route-default-linux.iptables [new file with mode: 0644]
tests/networkxml2firewalldata/route-default-linux.nftables [new file with mode: 0644]
tests/networkxml2firewalltest.c

diff --git a/tests/networkxml2firewalldata/base.args b/tests/networkxml2firewalldata/base.args
deleted file mode 100644 (file)
index 056ee12..0000000
+++ /dev/null
@@ -1,150 +0,0 @@
-iptables \
--w \
---table filter \
---list-rules
-iptables \
--w \
---table nat \
---list-rules
-iptables \
--w \
---table mangle \
---list-rules
-iptables \
--w \
---table filter \
---new-chain LIBVIRT_INP
-iptables \
--w \
---table filter \
---insert INPUT \
---jump LIBVIRT_INP
-iptables \
--w \
---table filter \
---new-chain LIBVIRT_OUT
-iptables \
--w \
---table filter \
---insert OUTPUT \
---jump LIBVIRT_OUT
-iptables \
--w \
---table filter \
---new-chain LIBVIRT_FWO
-iptables \
--w \
---table filter \
---insert FORWARD \
---jump LIBVIRT_FWO
-iptables \
--w \
---table filter \
---new-chain LIBVIRT_FWI
-iptables \
--w \
---table filter \
---insert FORWARD \
---jump LIBVIRT_FWI
-iptables \
--w \
---table filter \
---new-chain LIBVIRT_FWX
-iptables \
--w \
---table filter \
---insert FORWARD \
---jump LIBVIRT_FWX
-iptables \
--w \
---table nat \
---new-chain LIBVIRT_PRT
-iptables \
--w \
---table nat \
---insert POSTROUTING \
---jump LIBVIRT_PRT
-iptables \
--w \
---table mangle \
---new-chain LIBVIRT_PRT
-iptables \
--w \
---table mangle \
---insert POSTROUTING \
---jump LIBVIRT_PRT
-ip6tables \
--w \
---table filter \
---list-rules
-ip6tables \
--w \
---table nat \
---list-rules
-ip6tables \
--w \
---table mangle \
---list-rules
-ip6tables \
--w \
---table filter \
---new-chain LIBVIRT_INP
-ip6tables \
--w \
---table filter \
---insert INPUT \
---jump LIBVIRT_INP
-ip6tables \
--w \
---table filter \
---new-chain LIBVIRT_OUT
-ip6tables \
--w \
---table filter \
---insert OUTPUT \
---jump LIBVIRT_OUT
-ip6tables \
--w \
---table filter \
---new-chain LIBVIRT_FWO
-ip6tables \
--w \
---table filter \
---insert FORWARD \
---jump LIBVIRT_FWO
-ip6tables \
--w \
---table filter \
---new-chain LIBVIRT_FWI
-ip6tables \
--w \
---table filter \
---insert FORWARD \
---jump LIBVIRT_FWI
-ip6tables \
--w \
---table filter \
---new-chain LIBVIRT_FWX
-ip6tables \
--w \
---table filter \
---insert FORWARD \
---jump LIBVIRT_FWX
-ip6tables \
--w \
---table nat \
---new-chain LIBVIRT_PRT
-ip6tables \
--w \
---table nat \
---insert POSTROUTING \
---jump LIBVIRT_PRT
-ip6tables \
--w \
---table mangle \
---new-chain LIBVIRT_PRT
-ip6tables \
--w \
---table mangle \
---insert POSTROUTING \
---jump LIBVIRT_PRT
diff --git a/tests/networkxml2firewalldata/base.iptables b/tests/networkxml2firewalldata/base.iptables
new file mode 100644 (file)
index 0000000..056ee12
--- /dev/null
@@ -0,0 +1,150 @@
+iptables \
+-w \
+--table filter \
+--list-rules
+iptables \
+-w \
+--table nat \
+--list-rules
+iptables \
+-w \
+--table mangle \
+--list-rules
+iptables \
+-w \
+--table filter \
+--new-chain LIBVIRT_INP
+iptables \
+-w \
+--table filter \
+--insert INPUT \
+--jump LIBVIRT_INP
+iptables \
+-w \
+--table filter \
+--new-chain LIBVIRT_OUT
+iptables \
+-w \
+--table filter \
+--insert OUTPUT \
+--jump LIBVIRT_OUT
+iptables \
+-w \
+--table filter \
+--new-chain LIBVIRT_FWO
+iptables \
+-w \
+--table filter \
+--insert FORWARD \
+--jump LIBVIRT_FWO
+iptables \
+-w \
+--table filter \
+--new-chain LIBVIRT_FWI
+iptables \
+-w \
+--table filter \
+--insert FORWARD \
+--jump LIBVIRT_FWI
+iptables \
+-w \
+--table filter \
+--new-chain LIBVIRT_FWX
+iptables \
+-w \
+--table filter \
+--insert FORWARD \
+--jump LIBVIRT_FWX
+iptables \
+-w \
+--table nat \
+--new-chain LIBVIRT_PRT
+iptables \
+-w \
+--table nat \
+--insert POSTROUTING \
+--jump LIBVIRT_PRT
+iptables \
+-w \
+--table mangle \
+--new-chain LIBVIRT_PRT
+iptables \
+-w \
+--table mangle \
+--insert POSTROUTING \
+--jump LIBVIRT_PRT
+ip6tables \
+-w \
+--table filter \
+--list-rules
+ip6tables \
+-w \
+--table nat \
+--list-rules
+ip6tables \
+-w \
+--table mangle \
+--list-rules
+ip6tables \
+-w \
+--table filter \
+--new-chain LIBVIRT_INP
+ip6tables \
+-w \
+--table filter \
+--insert INPUT \
+--jump LIBVIRT_INP
+ip6tables \
+-w \
+--table filter \
+--new-chain LIBVIRT_OUT
+ip6tables \
+-w \
+--table filter \
+--insert OUTPUT \
+--jump LIBVIRT_OUT
+ip6tables \
+-w \
+--table filter \
+--new-chain LIBVIRT_FWO
+ip6tables \
+-w \
+--table filter \
+--insert FORWARD \
+--jump LIBVIRT_FWO
+ip6tables \
+-w \
+--table filter \
+--new-chain LIBVIRT_FWI
+ip6tables \
+-w \
+--table filter \
+--insert FORWARD \
+--jump LIBVIRT_FWI
+ip6tables \
+-w \
+--table filter \
+--new-chain LIBVIRT_FWX
+ip6tables \
+-w \
+--table filter \
+--insert FORWARD \
+--jump LIBVIRT_FWX
+ip6tables \
+-w \
+--table nat \
+--new-chain LIBVIRT_PRT
+ip6tables \
+-w \
+--table nat \
+--insert POSTROUTING \
+--jump LIBVIRT_PRT
+ip6tables \
+-w \
+--table mangle \
+--new-chain LIBVIRT_PRT
+ip6tables \
+-w \
+--table mangle \
+--insert POSTROUTING \
+--jump LIBVIRT_PRT
diff --git a/tests/networkxml2firewalldata/base.nftables b/tests/networkxml2firewalldata/base.nftables
new file mode 100644 (file)
index 0000000..4f1f475
--- /dev/null
@@ -0,0 +1,256 @@
+nft \
+list \
+table \
+ip \
+libvirt
+nft \
+add \
+table \
+ip \
+libvirt
+nft \
+add \
+chain \
+ip \
+libvirt \
+INPUT \
+'{ type filter hook input priority 0; policy accept; }'
+nft \
+add \
+chain \
+ip \
+libvirt \
+FORWARD \
+'{ type filter hook forward priority 0; policy accept; }'
+nft \
+add \
+chain \
+ip \
+libvirt \
+OUTPUT \
+'{ type filter hook output priority 0; policy accept; }'
+nft \
+add \
+chain \
+ip \
+libvirt \
+LIBVIRT_INP
+nft \
+insert \
+rule \
+ip \
+libvirt \
+INPUT \
+counter \
+jump \
+LIBVIRT_INP
+nft \
+add \
+chain \
+ip \
+libvirt \
+LIBVIRT_OUT
+nft \
+insert \
+rule \
+ip \
+libvirt \
+OUTPUT \
+counter \
+jump \
+LIBVIRT_OUT
+nft \
+add \
+chain \
+ip \
+libvirt \
+LIBVIRT_FWO
+nft \
+insert \
+rule \
+ip \
+libvirt \
+FORWARD \
+counter \
+jump \
+LIBVIRT_FWO
+nft \
+add \
+chain \
+ip \
+libvirt \
+LIBVIRT_FWI
+nft \
+insert \
+rule \
+ip \
+libvirt \
+FORWARD \
+counter \
+jump \
+LIBVIRT_FWI
+nft \
+add \
+chain \
+ip \
+libvirt \
+LIBVIRT_FWX
+nft \
+insert \
+rule \
+ip \
+libvirt \
+FORWARD \
+counter \
+jump \
+LIBVIRT_FWX
+nft \
+add \
+chain \
+ip \
+libvirt \
+POSTROUTING \
+'{ type nat hook postrouting priority 100; policy accept; }'
+nft \
+add \
+chain \
+ip \
+libvirt \
+LIBVIRT_PRT
+nft \
+insert \
+rule \
+ip \
+libvirt \
+POSTROUTING \
+counter \
+jump \
+LIBVIRT_PRT
+nft \
+list \
+table \
+ip6 \
+libvirt
+nft \
+add \
+table \
+ip6 \
+libvirt
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+INPUT \
+'{ type filter hook input priority 0; policy accept; }'
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+FORWARD \
+'{ type filter hook forward priority 0; policy accept; }'
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+OUTPUT \
+'{ type filter hook output priority 0; policy accept; }'
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+LIBVIRT_INP
+nft \
+insert \
+rule \
+ip6 \
+libvirt \
+INPUT \
+counter \
+jump \
+LIBVIRT_INP
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+LIBVIRT_OUT
+nft \
+insert \
+rule \
+ip6 \
+libvirt \
+OUTPUT \
+counter \
+jump \
+LIBVIRT_OUT
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+LIBVIRT_FWO
+nft \
+insert \
+rule \
+ip6 \
+libvirt \
+FORWARD \
+counter \
+jump \
+LIBVIRT_FWO
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+LIBVIRT_FWI
+nft \
+insert \
+rule \
+ip6 \
+libvirt \
+FORWARD \
+counter \
+jump \
+LIBVIRT_FWI
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+LIBVIRT_FWX
+nft \
+insert \
+rule \
+ip6 \
+libvirt \
+FORWARD \
+counter \
+jump \
+LIBVIRT_FWX
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+POSTROUTING \
+'{ type nat hook postrouting priority 100; policy accept; }'
+nft \
+add \
+chain \
+ip6 \
+libvirt \
+LIBVIRT_PRT
+nft \
+insert \
+rule \
+ip6 \
+libvirt \
+POSTROUTING \
+counter \
+jump \
+LIBVIRT_PRT
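Review bot: Nothing in this fixture or the commit description records that an `accept` verdict in the dedicated `libvirt` table is not final for the packet. The base chains expected here (`INPUT`, `FORWARD`, `OUTPUT` with `priority 0; policy accept`, `POSTROUTING` with `priority 100`) only end evaluation within that table, and base chains that other tables register on the same hook are still evaluated and can drop the packet. In base.iptables the equivalent jumps are inserted into the built-in chains of the shared `filter` table, so the two expected outputs may not behave the same on a host that runs its own firewall table. The test compares command text only, so I would record this next to the nftables case in the test, e.g. `/* nftables: accept in table "libvirt" only ends this table's chains; other tables on the same hook still filter the packet */`. The same applies to the `ip6` half of this file.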
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.args
deleted file mode 100644 (file)
index 3cfa613..0000000
+++ /dev/null
@@ -1,147 +0,0 @@
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 67 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 67 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 68 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 68 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---in-interface virbr0 \
---jump REJECT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---out-interface virbr0 \
---jump REJECT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWX \
---in-interface virbr0 \
---out-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---source 192.168.122.0/24 \
---in-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---destination 192.168.122.0/24 \
---out-interface virbr0 \
---match conntrack \
---ctstate ESTABLISHED,RELATED \
---jump ACCEPT
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
--p udp '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
--p tcp '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
---destination 255.255.255.255/32 \
---jump RETURN
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
---destination 224.0.0.0/24 \
---jump RETURN
-iptables \
--w \
---table mangle \
---insert LIBVIRT_PRT \
---out-interface virbr0 \
---protocol udp \
---destination-port 68 \
---jump CHECKSUM \
---checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-default-linux.iptables b/tests/networkxml2firewalldata/nat-default-linux.iptables
new file mode 100644 (file)
index 0000000..3cfa613
--- /dev/null
@@ -0,0 +1,147 @@
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.122.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.122.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p udp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p tcp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+iptables \
+-w \
+--table mangle \
+--insert LIBVIRT_PRT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump CHECKSUM \
+--checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tests/networkxml2firewalldata/nat-default-linux.nftables
new file mode 100644 (file)
index 0000000..2dafe07
--- /dev/null
@@ -0,0 +1,248 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
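Review bot: The nftables expected output stops at the `224.0.0.0/24 ... return` rule and has no counterpart to the last command of nat-default-linux.iptables, the `--table mangle` `LIBVIRT_PRT` rule with `--jump CHECKSUM --checksum-fill` for udp port 68 on virbr0. base.nftables creates no mangle-type chain either, so the omission looks deliberate, but neither the commit description nor the fixtures say so. A sentence in the description or a comment in the test would keep a later reader from treating the missing rule as a regression, e.g. `/* nftables backend: no equivalent of the iptables CHECKSUM --checksum-fill rule is emitted */`. nat-ipv6-linux.nftables drops the same rule.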
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.args
deleted file mode 100644 (file)
index ce295cb..0000000
+++ /dev/null
@@ -1,228 +0,0 @@
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 67 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 67 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 68 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 68 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---in-interface virbr0 \
---jump REJECT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---out-interface virbr0 \
---jump REJECT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWX \
---in-interface virbr0 \
---out-interface virbr0 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---in-interface virbr0 \
---jump REJECT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---out-interface virbr0 \
---jump REJECT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWX \
---in-interface virbr0 \
---out-interface virbr0 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 547 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 546 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---source 192.168.122.0/24 \
---in-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---destination 192.168.122.0/24 \
---out-interface virbr0 \
---match conntrack \
---ctstate ESTABLISHED,RELATED \
---jump ACCEPT
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
--p udp '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
--p tcp '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
---destination 255.255.255.255/32 \
---jump RETURN
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
---destination 224.0.0.0/24 \
---jump RETURN
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---source 2001:db8:ca2:2::/64 \
---in-interface virbr0 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---destination 2001:db8:ca2:2::/64 \
---out-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table mangle \
---insert LIBVIRT_PRT \
---out-interface virbr0 \
---protocol udp \
---destination-port 68 \
---jump CHECKSUM \
---checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.iptables b/tests/networkxml2firewalldata/nat-ipv6-linux.iptables
new file mode 100644 (file)
index 0000000..ce295cb
--- /dev/null
@@ -0,0 +1,228 @@
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 547 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 546 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.122.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.122.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p udp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p tcp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 2001:db8:ca2:2::/64 \
+--in-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 2001:db8:ca2:2::/64 \
+--out-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table mangle \
+--insert LIBVIRT_PRT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump CHECKSUM \
+--checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables
new file mode 100644 (file)
index 0000000..63d4d8e
--- /dev/null
@@ -0,0 +1,384 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+547 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+546 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+ip6 \
+daddr \
+2001:db8:ca2:2::/64 \
+oifname \
+virbr0 \
+counter \
+accept
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args
deleted file mode 100644 (file)
index d78537d..0000000
+++ /dev/null
@@ -1,262 +0,0 @@
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 67 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 67 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 68 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 68 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---in-interface virbr0 \
---jump REJECT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---out-interface virbr0 \
---jump REJECT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWX \
---in-interface virbr0 \
---out-interface virbr0 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---in-interface virbr0 \
---jump REJECT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---out-interface virbr0 \
---jump REJECT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWX \
---in-interface virbr0 \
---out-interface virbr0 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 547 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 546 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---source 192.168.122.0/24 \
---in-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---destination 192.168.122.0/24 \
---out-interface virbr0 \
---match conntrack \
---ctstate ESTABLISHED,RELATED \
---jump ACCEPT
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
--p udp '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
--p tcp '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
---destination 255.255.255.255/32 \
---jump RETURN
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
---destination 224.0.0.0/24 \
---jump RETURN
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---source 2001:db8:ca2:2::/64 \
---in-interface virbr0 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---destination 2001:db8:ca2:2::/64 \
---out-interface virbr0 \
---match conntrack \
---ctstate ESTABLISHED,RELATED \
---jump ACCEPT
-ip6tables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 2001:db8:ca2:2::/64 '!' \
---destination 2001:db8:ca2:2::/64 \
---jump MASQUERADE
-ip6tables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 2001:db8:ca2:2::/64 \
--p udp '!' \
---destination 2001:db8:ca2:2::/64 \
---jump MASQUERADE \
---to-ports 1024-65535
-ip6tables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 2001:db8:ca2:2::/64 \
--p tcp '!' \
---destination 2001:db8:ca2:2::/64 \
---jump MASQUERADE \
---to-ports 1024-65535
-ip6tables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 2001:db8:ca2:2::/64 \
---destination ff02::/16 \
---jump RETURN
-iptables \
--w \
---table mangle \
---insert LIBVIRT_PRT \
---out-interface virbr0 \
---protocol udp \
---destination-port 68 \
---jump CHECKSUM \
---checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables
new file mode 100644 (file)
index 0000000..d78537d
--- /dev/null
@@ -0,0 +1,262 @@
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 547 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 546 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.122.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.122.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p udp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p tcp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 2001:db8:ca2:2::/64 \
+--in-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 2001:db8:ca2:2::/64 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+ip6tables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 2001:db8:ca2:2::/64 '!' \
+--destination 2001:db8:ca2:2::/64 \
+--jump MASQUERADE
+ip6tables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 2001:db8:ca2:2::/64 \
+-p udp '!' \
+--destination 2001:db8:ca2:2::/64 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+ip6tables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 2001:db8:ca2:2::/64 \
+-p tcp '!' \
+--destination 2001:db8:ca2:2::/64 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+ip6tables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 2001:db8:ca2:2::/64 \
+--destination ff02::/16 \
+--jump RETURN
+iptables \
+-w \
+--table mangle \
+--insert LIBVIRT_PRT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump CHECKSUM \
+--checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
new file mode 100644 (file)
index 0000000..e6d5dea
--- /dev/null
@@ -0,0 +1,456 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+547 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+546 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip6 \
+daddr \
+2001:db8:ca2:2::/64 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_PRT \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+'!=' \
+2001:db8:ca2:2::/64 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+'!=' \
+2001:db8:ca2:2::/64 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+'!=' \
+2001:db8:ca2:2::/64 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_PRT \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+ff02::/16 \
+counter \
+return
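Review bot: This nftables fixture stops at the `ff02::/16 ... counter return` rule and has no counterpart to the last command of the matching .iptables fixture (`--table mangle --insert LIBVIRT_PRT --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill`), so the two backends are pinned to different rule sets for the same network XML. nat-many-ips-linux.nftables has the same gap. If the omission is deliberate (presumably because nft offers no direct checksum-fill equivalent), it is worth stating where the nftables results are compared, for example `/* nftables backend emits no equivalent of the iptables CHECKSUM --checksum-fill rule: <reason> */`, so the expected output is not later read as proof of full parity. Every other rule in this file appears to map one-to-one onto the iptables fixture (same chains, subnets, ports 53/67/68/546/547, conntrack state and masquerade port range).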
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.args
deleted file mode 100644 (file)
index ba7f234..0000000
+++ /dev/null
@@ -1,257 +0,0 @@
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 67 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 67 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 68 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 68 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---in-interface virbr0 \
---jump REJECT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---out-interface virbr0 \
---jump REJECT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWX \
---in-interface virbr0 \
---out-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---source 192.168.122.0/24 \
---in-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---destination 192.168.122.0/24 \
---out-interface virbr0 \
---match conntrack \
---ctstate ESTABLISHED,RELATED \
---jump ACCEPT
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
--p udp '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
--p tcp '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
---destination 255.255.255.255/32 \
---jump RETURN
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
---destination 224.0.0.0/24 \
---jump RETURN
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---source 192.168.128.0/24 \
---in-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---destination 192.168.128.0/24 \
---out-interface virbr0 \
---match conntrack \
---ctstate ESTABLISHED,RELATED \
---jump ACCEPT
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.128.0/24 '!' \
---destination 192.168.128.0/24 \
---jump MASQUERADE
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.128.0/24 \
--p udp '!' \
---destination 192.168.128.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.128.0/24 \
--p tcp '!' \
---destination 192.168.128.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.128.0/24 \
---destination 255.255.255.255/32 \
---jump RETURN
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.128.0/24 \
---destination 224.0.0.0/24 \
---jump RETURN
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---source 192.168.150.0/24 \
---in-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---destination 192.168.150.0/24 \
---out-interface virbr0 \
---match conntrack \
---ctstate ESTABLISHED,RELATED \
---jump ACCEPT
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.150.0/24 '!' \
---destination 192.168.150.0/24 \
---jump MASQUERADE
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.150.0/24 \
--p udp '!' \
---destination 192.168.150.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.150.0/24 \
--p tcp '!' \
---destination 192.168.150.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.150.0/24 \
---destination 255.255.255.255/32 \
---jump RETURN
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.150.0/24 \
---destination 224.0.0.0/24 \
---jump RETURN
-iptables \
--w \
---table mangle \
---insert LIBVIRT_PRT \
---out-interface virbr0 \
---protocol udp \
---destination-port 68 \
---jump CHECKSUM \
---checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.iptables b/tests/networkxml2firewalldata/nat-many-ips-linux.iptables
new file mode 100644 (file)
index 0000000..ba7f234
--- /dev/null
@@ -0,0 +1,257 @@
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.122.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.122.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p udp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p tcp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.128.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.128.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 '!' \
+--destination 192.168.128.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+-p udp '!' \
+--destination 192.168.128.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+-p tcp '!' \
+--destination 192.168.128.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.150.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.150.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.150.0/24 '!' \
+--destination 192.168.150.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.150.0/24 \
+-p udp '!' \
+--destination 192.168.150.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.150.0/24 \
+-p tcp '!' \
+--destination 192.168.150.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.150.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.150.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+iptables \
+-w \
+--table mangle \
+--insert LIBVIRT_PRT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump CHECKSUM \
+--checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
new file mode 100644 (file)
index 0000000..e636916
--- /dev/null
@@ -0,0 +1,472 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.128.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.128.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.150.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.150.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.150.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.150.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.150.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
deleted file mode 100644 (file)
index 1e5aa05..0000000
+++ /dev/null
@@ -1,219 +0,0 @@
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 67 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 67 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 68 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 68 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---in-interface virbr0 \
---jump REJECT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---out-interface virbr0 \
---jump REJECT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWX \
---in-interface virbr0 \
---out-interface virbr0 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---in-interface virbr0 \
---jump REJECT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---out-interface virbr0 \
---jump REJECT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWX \
---in-interface virbr0 \
---out-interface virbr0 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 547 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 546 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---source 192.168.122.0/24 \
---in-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---destination 192.168.122.0/24 \
---out-interface virbr0 \
---match conntrack \
---ctstate ESTABLISHED,RELATED \
---jump ACCEPT
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
--p udp '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
--p tcp '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
---destination 255.255.255.255/32 \
---jump RETURN
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
---destination 224.0.0.0/24 \
---jump RETURN
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---source 2001:db8:ca2:2::/64 \
---in-interface virbr0 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---destination 2001:db8:ca2:2::/64 \
---out-interface virbr0 \
---jump ACCEPT
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables
new file mode 100644 (file)
index 0000000..1e5aa05
--- /dev/null
@@ -0,0 +1,219 @@
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 547 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 546 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.122.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.122.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p udp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p tcp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 2001:db8:ca2:2::/64 \
+--in-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 2001:db8:ca2:2::/64 \
+--out-interface virbr0 \
+--jump ACCEPT
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables
new file mode 100644 (file)
index 0000000..63d4d8e
--- /dev/null
@@ -0,0 +1,384 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+547 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+546 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+ip6 \
+daddr \
+2001:db8:ca2:2::/64 \
+oifname \
+virbr0 \
+counter \
+accept
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.args
deleted file mode 100644 (file)
index 565fff7..0000000
+++ /dev/null
@@ -1,163 +0,0 @@
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 67 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 67 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 68 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 68 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 69 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 69 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---in-interface virbr0 \
---jump REJECT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---out-interface virbr0 \
---jump REJECT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWX \
---in-interface virbr0 \
---out-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---source 192.168.122.0/24 \
---in-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---destination 192.168.122.0/24 \
---out-interface virbr0 \
---match conntrack \
---ctstate ESTABLISHED,RELATED \
---jump ACCEPT
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
--p udp '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
--p tcp '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
---destination 255.255.255.255/32 \
---jump RETURN
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
---destination 224.0.0.0/24 \
---jump RETURN
-iptables \
--w \
---table mangle \
---insert LIBVIRT_PRT \
---out-interface virbr0 \
---protocol udp \
---destination-port 68 \
---jump CHECKSUM \
---checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.iptables b/tests/networkxml2firewalldata/nat-tftp-linux.iptables
new file mode 100644 (file)
index 0000000..565fff7
--- /dev/null
@@ -0,0 +1,163 @@
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 69 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 69 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.122.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.122.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p udp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p tcp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+iptables \
+-w \
+--table mangle \
+--insert LIBVIRT_PRT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump CHECKSUM \
+--checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/networkxml2firewalldata/nat-tftp-linux.nftables
new file mode 100644 (file)
index 0000000..bb0598d
--- /dev/null
@@ -0,0 +1,274 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+69 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+69 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
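Review bot: The nftables fixture has no counterpart for the last command of `nat-tftp-linux.iptables`, the mangle-table `--jump CHECKSUM --checksum-fill` rule for UDP port 68, so the two backends are recorded as producing different rule sets for the same network XML. If the omission is intentional, it deserves a sentence in the commit message or next to `DO_TEST` in the test source, since the fixture format has no room for comments. If it is not intentional, the expected output pins a gap in the nftables backend. `route-default-linux.nftables` differs from its iptables twin in the same way.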
diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.args
deleted file mode 100644 (file)
index a7b969c..0000000
+++ /dev/null
@@ -1,106 +0,0 @@
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 67 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 67 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 68 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 68 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---in-interface virbr0 \
---jump REJECT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---out-interface virbr0 \
---jump REJECT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWX \
---in-interface virbr0 \
---out-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---source 192.168.122.0/24 \
---in-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---destination 192.168.122.0/24 \
---out-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table mangle \
---insert LIBVIRT_PRT \
---out-interface virbr0 \
---protocol udp \
---destination-port 68 \
---jump CHECKSUM \
---checksum-fill
diff --git a/tests/networkxml2firewalldata/route-default-linux.iptables b/tests/networkxml2firewalldata/route-default-linux.iptables
new file mode 100644 (file)
index 0000000..a7b969c
--- /dev/null
@@ -0,0 +1,106 @@
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.122.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.122.0/24 \
+--out-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table mangle \
+--insert LIBVIRT_PRT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump CHECKSUM \
+--checksum-fill
diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/tests/networkxml2firewalldata/route-default-linux.nftables
new file mode 100644 (file)
index 0000000..834f636
--- /dev/null
@@ -0,0 +1,162 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+ip \
+daddr \
+192.168.122.0/24 \
+oifname \
+virbr0 \
+counter \
+accept
index 082979e5dcefb6352bdc30d556a8702a5b8f35bd..4cabe39d1d2d981962e3bfd57b264678107f809e 100644 (file)
@@ -79,13 +79,21 @@ testCommandDryRun(const char *const*args G_GNUC_UNUSED,
                   void *opaque G_GNUC_UNUSED)
 {
     *status = 0;
-    *output = g_strdup("");
+    /* if arg[1] is -ae then this is an nft command,
+     * and the caller requested to get the handle
+     * of the newly added object in stdout
+     */
+    if (STREQ_NULLABLE(args[1], "-ae"))
+        *output = g_strdup("# handle 5309");
+    else
+        *output = g_strdup("");
     *error = g_strdup("");
 }
 
 static int testCompareXMLToArgvFiles(const char *xml,
                                      const char *cmdline,
-                                     const char *baseargs)
+                                     const char *baseargs,
+                                     virFirewallBackend backend)
 {
     g_autofree char *actualargv = NULL;
     g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
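Review bot: `testCommandDryRun` now reads `args[1]`, but its signature (visible only in the hunk header) still marks `args` as `G_GNUC_UNUSED`, and the index assumes the vector holds at least a program name before its terminator. Dropping the annotation, `testCommandDryRun(const char *const*args,`, keeps the declaration honest. Guarding the lookup as `if (args && args[0] && STREQ_NULLABLE(args[1], "-ae"))` avoids reading past an empty vector, should the dry-run hook ever be called that way. The new comment says `arg[1]` where the code uses `args[1]`, and it could state that the handle value `5309` is arbitrary test data. The function starts above the hunk.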
@@ -98,7 +106,7 @@ static int testCompareXMLToArgvFiles(const char *xml,
     if (!(def = virNetworkDefParse(NULL, xml, NULL, false)))
         return -1;
 
-    if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES, NULL) < 0)
+    if (networkAddFirewallRules(def, backend, NULL) < 0)
         return -1;
 
     actual = actualargv = virBufferContentAndReset(&buf);
@@ -119,6 +127,7 @@ static int testCompareXMLToArgvFiles(const char *xml,
 struct testInfo {
     const char *name;
     const char *baseargs;
+    virFirewallBackend backend;
 };
 
 
@@ -132,10 +141,11 @@ testCompareXMLToIPTablesHelper(const void *data)
 
     xml = g_strdup_printf("%s/networkxml2firewalldata/%s.xml",
                           abs_srcdir, info->name);
-    args = g_strdup_printf("%s/networkxml2firewalldata/%s-%s.args",
-                           abs_srcdir, info->name, RULESTYPE);
+    args = g_strdup_printf("%s/networkxml2firewalldata/%s-%s.%s",
+                           abs_srcdir, info->name, RULESTYPE,
+                           virFirewallBackendTypeToString(info->backend));
 
-    result = testCompareXMLToArgvFiles(xml, args, info->baseargs);
+    result = testCompareXMLToArgvFiles(xml, args, info->baseargs, info->backend);
 
     return result;
 }
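Review bot: The fixture suffix now comes from `virFirewallBackendTypeToString(info->backend)` with no check on the result, so a backend value without a string mapping would hand NULL to `%s` and build a bogus path instead of failing clearly; presumably the converter returns NULL for unknown values, which is not visible here. A guard before the `g_strdup_printf` call, e.g. `if (!virFirewallBackendTypeToString(info->backend)) return -1;`, makes that failure explicit. The helper is still named `testCompareXMLToIPTablesHelper` although it now runs for both backends, so a backend-neutral name would read better. The function begins above the hunk.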
@@ -145,24 +155,42 @@ static int
 mymain(void)
 {
     int ret = 0;
-    g_autofree char *basefile = NULL;
-    g_autofree char *baseargs = NULL;
+    g_autofree char *basefileIptables = NULL;
+    g_autofree char *basefileNftables = NULL;
+    g_autofree char *baseargsIptables = NULL;
+    g_autofree char *baseargsNftables = NULL;
+    const char *baseargs[VIR_FIREWALL_BACKEND_LAST];
 
-# define DO_TEST(name) \
+# define DO_TEST_FOR_BACKEND(name, backend) \
     do { \
         struct testInfo info = { \
-            name, baseargs, \
+            name, baseargs[backend], backend \
         }; \
-        if (virTestRun("Network XML-2-iptables " name, \
-                       testCompareXMLToIPTablesHelper, &info) < 0) \
+        g_autofree char *label = g_strdup_printf("Network XML-2-%s %s", \
+                                                 virFirewallBackendTypeToString(backend), \
+                                                 name); \
+        if (virTestRun(label, testCompareXMLToIPTablesHelper, &info) < 0) \
             ret = -1; \
     } while (0)
 
-    basefile = g_strdup_printf("%s/networkxml2firewalldata/base.args", abs_srcdir);
+# define DO_TEST(name) \
+    DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_IPTABLES); \
+    DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_NFTABLES);
 
-    if (virFileReadAll(basefile, INT_MAX, &baseargs) < 0)
+
+    basefileIptables = g_strdup_printf("%s/networkxml2firewalldata/base.iptables", abs_srcdir);
+    if (virFileReadAll(basefileIptables, INT_MAX, &baseargsIptables) < 0)
         return EXIT_FAILURE;
 
+    baseargs[VIR_FIREWALL_BACKEND_IPTABLES] = baseargsIptables;
+
+    basefileNftables = g_strdup_printf("%s/networkxml2firewalldata/base.nftables", abs_srcdir);
+    if (virFileReadAll(basefileNftables, INT_MAX, &baseargsNftables) < 0)
+        return EXIT_FAILURE;
+
+    baseargs[VIR_FIREWALL_BACKEND_NFTABLES] = baseargsNftables;
+
+
     DO_TEST("nat-default");
     DO_TEST("nat-tftp");
     DO_TEST("nat-many-ips");
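Review bot: The new `DO_TEST(name)` expands to two statements followed by its own trailing `;`, so unlike `DO_TEST_FOR_BACKEND` it is not a single statement. If it were ever used under an unbraced `if`/`else`, only the iptables run would be conditional. Wrapping the two `DO_TEST_FOR_BACKEND` lines in `do { \` … `} while (0)` and dropping the final `;` keeps both macros consistent. Separately, `baseargs` is declared without an initializer and only the iptables and nftables slots are assigned; `const char *baseargs[VIR_FIREWALL_BACKEND_LAST] = { NULL };` would make any other enum slot a defined NULL rather than an indeterminate pointer if another backend value is ever passed to the macro. The body of `mymain` continues past this hunk.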