From: Laine Stump Date: Sat, 20 Apr 2024 02:19:43 +0000 (-0400) Subject: tests: test cases for nftables backend X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=f341bdee8d26980371405988ff2681b719c3a513;p=libvirt.git tests: test cases for nftables backend Run all the networkxml2firewall tests twice - once with iptables backend, and once with the nftables backend. The results files for the existing iptables tests were previously named *.args. That has been changed to *.iptables, and the results files for the new nftables tests are named *.nftables. Signed-off-by: Laine Stump Reviewed-by: Daniel P. Berrangé --- diff --git a/tests/networkxml2firewalldata/base.args b/tests/networkxml2firewalldata/base.args deleted file mode 100644 index 056ee12758..0000000000 --- a/tests/networkxml2firewalldata/base.args +++ /dev/null 
@@ -1,150 +0,0 @@ -iptables \ --w \ ---table filter \ ---list-rules -iptables \ --w \ ---table nat \ ---list-rules -iptables \ --w \ ---table mangle \ ---list-rules -iptables \ --w \ ---table filter \ ---new-chain LIBVIRT_INP -iptables \ --w \ ---table filter \ ---insert INPUT \ ---jump LIBVIRT_INP -iptables \ --w \ ---table filter \ ---new-chain LIBVIRT_OUT -iptables \ --w \ ---table filter \ ---insert OUTPUT \ ---jump LIBVIRT_OUT -iptables \ --w \ ---table filter \ ---new-chain LIBVIRT_FWO -iptables \ --w \ ---table filter \ ---insert FORWARD \ ---jump LIBVIRT_FWO -iptables \ --w \ ---table filter \ ---new-chain LIBVIRT_FWI -iptables \ --w \ ---table filter \ ---insert FORWARD \ ---jump LIBVIRT_FWI -iptables \ --w \ ---table filter \ ---new-chain LIBVIRT_FWX -iptables \ --w \ ---table filter \ ---insert FORWARD \ ---jump LIBVIRT_FWX -iptables \ --w \ ---table nat \ ---new-chain LIBVIRT_PRT -iptables \ --w \ ---table nat \ ---insert POSTROUTING \ ---jump LIBVIRT_PRT -iptables \ --w \ ---table mangle \ ---new-chain LIBVIRT_PRT -iptables \ --w \ ---table mangle \ ---insert POSTROUTING \ ---jump LIBVIRT_PRT -ip6tables \ --w \ ---table filter \ ---list-rules -ip6tables \ --w \ ---table nat \ ---list-rules -ip6tables \ --w \ ---table mangle \ ---list-rules -ip6tables \ --w \ ---table filter \ ---new-chain LIBVIRT_INP -ip6tables \ --w \ ---table filter \ ---insert INPUT \ ---jump LIBVIRT_INP -ip6tables \ --w \ ---table filter \ ---new-chain LIBVIRT_OUT -ip6tables \ --w \ ---table filter \ ---insert OUTPUT \ ---jump LIBVIRT_OUT -ip6tables \ --w \ ---table filter \ ---new-chain LIBVIRT_FWO -ip6tables \ --w \ ---table filter \ ---insert FORWARD \ ---jump LIBVIRT_FWO -ip6tables \ --w \ ---table filter \ ---new-chain LIBVIRT_FWI -ip6tables \ --w \ ---table filter \ ---insert FORWARD \ ---jump LIBVIRT_FWI -ip6tables \ --w \ ---table filter \ ---new-chain LIBVIRT_FWX -ip6tables \ --w \ ---table filter \ ---insert FORWARD \ ---jump LIBVIRT_FWX -ip6tables \ --w \ ---table nat \ 
---new-chain LIBVIRT_PRT -ip6tables \ --w \ ---table nat \ ---insert POSTROUTING \ ---jump LIBVIRT_PRT -ip6tables \ --w \ ---table mangle \ ---new-chain LIBVIRT_PRT -ip6tables \ --w \ ---table mangle \ ---insert POSTROUTING \ ---jump LIBVIRT_PRT diff --git a/tests/networkxml2firewalldata/base.iptables b/tests/networkxml2firewalldata/base.iptables new file mode 100644 index 0000000000..056ee12758 --- /dev/null +++ b/tests/networkxml2firewalldata/base.iptables 
@@ -0,0 +1,150 @@ +iptables \ +-w \ +--table filter \ +--list-rules +iptables \ +-w \ +--table nat \ +--list-rules +iptables \ +-w \ +--table mangle \ +--list-rules +iptables \ +-w \ +--table filter \ +--new-chain LIBVIRT_INP +iptables \ +-w \ +--table filter \ +--insert INPUT \ +--jump LIBVIRT_INP +iptables \ +-w \ +--table filter \ +--new-chain LIBVIRT_OUT +iptables \ +-w \ +--table filter \ +--insert OUTPUT \ +--jump LIBVIRT_OUT +iptables \ +-w \ +--table filter \ +--new-chain LIBVIRT_FWO +iptables \ +-w \ +--table filter \ +--insert FORWARD \ +--jump LIBVIRT_FWO +iptables \ +-w \ +--table filter \ +--new-chain LIBVIRT_FWI +iptables \ +-w \ +--table filter \ +--insert FORWARD \ +--jump LIBVIRT_FWI +iptables \ +-w \ +--table filter \ +--new-chain LIBVIRT_FWX +iptables \ +-w \ +--table filter \ +--insert FORWARD \ +--jump LIBVIRT_FWX +iptables \ +-w \ +--table nat \ +--new-chain LIBVIRT_PRT +iptables \ +-w \ +--table nat \ +--insert POSTROUTING \ +--jump LIBVIRT_PRT +iptables \ +-w \ +--table mangle \ +--new-chain LIBVIRT_PRT +iptables \ +-w \ +--table mangle \ +--insert POSTROUTING \ +--jump LIBVIRT_PRT +ip6tables \ +-w \ +--table filter \ +--list-rules +ip6tables \ +-w \ +--table nat \ +--list-rules +ip6tables \ +-w \ +--table mangle \ +--list-rules +ip6tables \ +-w \ +--table filter \ +--new-chain LIBVIRT_INP +ip6tables \ +-w \ +--table filter \ +--insert INPUT \ +--jump LIBVIRT_INP +ip6tables \ +-w \ +--table filter \ +--new-chain LIBVIRT_OUT +ip6tables \ +-w \ +--table filter \ +--insert OUTPUT \ +--jump LIBVIRT_OUT +ip6tables \ +-w \ +--table filter \ +--new-chain LIBVIRT_FWO +ip6tables \ +-w \ +--table filter \ +--insert FORWARD \ +--jump LIBVIRT_FWO +ip6tables \ +-w \ +--table filter \ +--new-chain LIBVIRT_FWI +ip6tables \ +-w \ +--table filter \ +--insert FORWARD \ +--jump LIBVIRT_FWI +ip6tables \ +-w \ +--table filter \ +--new-chain LIBVIRT_FWX +ip6tables \ +-w \ +--table filter \ +--insert FORWARD \ +--jump LIBVIRT_FWX +ip6tables \ +-w \ +--table nat \ 
+--new-chain LIBVIRT_PRT +ip6tables \ +-w \ +--table nat \ +--insert POSTROUTING \ +--jump LIBVIRT_PRT +ip6tables \ +-w \ +--table mangle \ +--new-chain LIBVIRT_PRT +ip6tables \ +-w \ +--table mangle \ +--insert POSTROUTING \ +--jump LIBVIRT_PRT diff --git a/tests/networkxml2firewalldata/base.nftables b/tests/networkxml2firewalldata/base.nftables new file mode 100644 index 0000000000..4f1f475a85 --- /dev/null +++ b/tests/networkxml2firewalldata/base.nftables 
@@ -0,0 +1,256 @@ +nft \ +list \ +table \ +ip \ +libvirt +nft \ +add \ +table \ +ip \ +libvirt +nft \ +add \ +chain \ +ip \ +libvirt \ +INPUT \ +'{ type filter hook input priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +FORWARD \ +'{ type filter hook forward priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +OUTPUT \ +'{ type filter hook output priority 0; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_INP +nft \ +insert \ +rule \ +ip \ +libvirt \ +INPUT \ +counter \ +jump \ +LIBVIRT_INP +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_OUT +nft \ +insert \ +rule \ +ip \ +libvirt \ +OUTPUT \ +counter \ +jump \ +LIBVIRT_OUT +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWO +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWO +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWI +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWI +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_FWX +nft \ +insert \ +rule \ +ip \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWX +nft \ +add \ +chain \ +ip \ +libvirt \ +POSTROUTING \ +'{ type nat hook postrouting priority 100; policy accept; }' +nft \ +add \ +chain \ +ip \ +libvirt \ +LIBVIRT_PRT +nft \ +insert \ +rule \ +ip \ +libvirt \ +POSTROUTING \ +counter \ +jump \ +LIBVIRT_PRT +nft \ +list \ +table \ +ip6 \ +libvirt +nft \ +add \ +table \ +ip6 \ +libvirt +nft \ +add \ +chain \ +ip6 \ +libvirt \ +INPUT \ +'{ type filter hook input priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +FORWARD \ +'{ type filter hook forward priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +OUTPUT \ +'{ type filter hook output priority 0; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_INP +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +INPUT \ +counter \ +jump \ +LIBVIRT_INP +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_OUT +nft \ +insert \ +rule \ +ip6 \ 
+libvirt \ +OUTPUT \ +counter \ +jump \ +LIBVIRT_OUT +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWO +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWO +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWI +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWI +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_FWX +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +FORWARD \ +counter \ +jump \ +LIBVIRT_FWX +nft \ +add \ +chain \ +ip6 \ +libvirt \ +POSTROUTING \ +'{ type nat hook postrouting priority 100; policy accept; }' +nft \ +add \ +chain \ +ip6 \ +libvirt \ +LIBVIRT_PRT +nft \ +insert \ +rule \ +ip6 \ +libvirt \ +POSTROUTING \ +counter \ +jump \ +LIBVIRT_PRT diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.args deleted file mode 100644 index 3cfa61333c..0000000000 --- a/tests/networkxml2firewalldata/nat-default-linux.args +++ /dev/null 
@@ -1,147 +0,0 @@ -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol tcp \ ---destination-port 67 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol udp \ ---destination-port 67 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol tcp \ ---destination-port 68 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol udp \ ---destination-port 68 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol tcp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol udp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol tcp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol udp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWO \ ---in-interface virbr0 \ ---jump REJECT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWI \ ---out-interface virbr0 \ ---jump REJECT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWX \ ---in-interface virbr0 \ ---out-interface virbr0 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWO \ ---source 192.168.122.0/24 \ ---in-interface virbr0 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWI \ ---destination 192.168.122.0/24 \ ---out-interface virbr0 \ ---match conntrack \ ---ctstate ESTABLISHED,RELATED \ ---jump ACCEPT -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 '!' 
\ ---destination 192.168.122.0/24 \ ---jump MASQUERADE -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 \ --p udp '!' \ ---destination 192.168.122.0/24 \ ---jump MASQUERADE \ ---to-ports 1024-65535 -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 \ --p tcp '!' \ ---destination 192.168.122.0/24 \ ---jump MASQUERADE \ ---to-ports 1024-65535 -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 \ ---destination 255.255.255.255/32 \ ---jump RETURN -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 \ ---destination 224.0.0.0/24 \ ---jump RETURN -iptables \ --w \ ---table mangle \ ---insert LIBVIRT_PRT \ ---out-interface virbr0 \ ---protocol udp \ ---destination-port 68 \ ---jump CHECKSUM \ ---checksum-fill diff --git a/tests/networkxml2firewalldata/nat-default-linux.iptables b/tests/networkxml2firewalldata/nat-default-linux.iptables new file mode 100644 index 0000000000..3cfa61333c --- /dev/null +++ b/tests/networkxml2firewalldata/nat-default-linux.iptables 
@@ -0,0 +1,147 @@ +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 192.168.122.0/24 \ +--in-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 192.168.122.0/24 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 '!' 
\ +--destination 192.168.122.0/24 \ +--jump MASQUERADE +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p udp '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p tcp '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 255.255.255.255/32 \ +--jump RETURN +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 224.0.0.0/24 \ +--jump RETURN +iptables \ +-w \ +--table mangle \ +--insert LIBVIRT_PRT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump CHECKSUM \ +--checksum-fill diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tests/networkxml2firewalldata/nat-default-linux.nftables new file mode 100644 index 0000000000..2dafe078a1 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-default-linux.nftables 
@@ -0,0 +1,248 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ 
+:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.args deleted file mode 100644 index ce295cbc6d..0000000000 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.args +++ /dev/null 
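Review bot: The nftables expectation for this test stops at the `224.0.0.0/24` return rule and has no counterpart for the mangle-table `--jump CHECKSUM --checksum-fill` rule that closes nat-default-linux.iptables, so the two backends are not rule-for-rule equivalent for the DHCP-reply (udp dport 68) path. If the omission is deliberate, because nft offers no checksum-fill action and the rule is no longer needed, that reasoning deserves a sentence in the commit message or a comment next to the test data so a later reader does not file it as a missing expectation; if it is not deliberate, the nftables backend is silently dropping a rule the iptables backend still emits. The same gap appears in the nat-ipv6-linux.nftables hunk, whose iptables twin also ends with the CHECKSUM rule.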
@@ -1,228 +0,0 @@ -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol tcp \ ---destination-port 67 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol udp \ ---destination-port 67 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol tcp \ ---destination-port 68 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol udp \ ---destination-port 68 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol tcp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol udp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol tcp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol udp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWO \ ---in-interface virbr0 \ ---jump REJECT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWI \ ---out-interface virbr0 \ ---jump REJECT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWX \ ---in-interface virbr0 \ ---out-interface virbr0 \ ---jump ACCEPT -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_FWO \ ---in-interface virbr0 \ ---jump REJECT -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_FWI \ ---out-interface virbr0 \ ---jump REJECT -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_FWX \ ---in-interface virbr0 \ ---out-interface virbr0 \ ---jump ACCEPT -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol tcp \ ---destination-port 53 \ ---jump ACCEPT -ip6tables \ --w \ ---table 
filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol udp \ ---destination-port 53 \ ---jump ACCEPT -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol tcp \ ---destination-port 53 \ ---jump ACCEPT -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol udp \ ---destination-port 53 \ ---jump ACCEPT -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol udp \ ---destination-port 547 \ ---jump ACCEPT -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol udp \ ---destination-port 546 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWO \ ---source 192.168.122.0/24 \ ---in-interface virbr0 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWI \ ---destination 192.168.122.0/24 \ ---out-interface virbr0 \ ---match conntrack \ ---ctstate ESTABLISHED,RELATED \ ---jump ACCEPT -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 '!' \ ---destination 192.168.122.0/24 \ ---jump MASQUERADE -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 \ --p udp '!' \ ---destination 192.168.122.0/24 \ ---jump MASQUERADE \ ---to-ports 1024-65535 -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 \ --p tcp '!' 
\ ---destination 192.168.122.0/24 \ ---jump MASQUERADE \ ---to-ports 1024-65535 -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 \ ---destination 255.255.255.255/32 \ ---jump RETURN -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 \ ---destination 224.0.0.0/24 \ ---jump RETURN -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_FWO \ ---source 2001:db8:ca2:2::/64 \ ---in-interface virbr0 \ ---jump ACCEPT -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_FWI \ ---destination 2001:db8:ca2:2::/64 \ ---out-interface virbr0 \ ---jump ACCEPT -iptables \ --w \ ---table mangle \ ---insert LIBVIRT_PRT \ ---out-interface virbr0 \ ---protocol udp \ ---destination-port 68 \ ---jump CHECKSUM \ ---checksum-fill diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.iptables b/tests/networkxml2firewalldata/nat-ipv6-linux.iptables new file mode 100644 index 0000000000..ce295cbc6d --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.iptables 
@@ -0,0 +1,228 @@ +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table 
filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 547 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 546 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 192.168.122.0/24 \ +--in-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 192.168.122.0/24 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p udp '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p tcp '!' 
\ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 255.255.255.255/32 \ +--jump RETURN +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 224.0.0.0/24 \ +--jump RETURN +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 2001:db8:ca2:2::/64 \ +--in-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 2001:db8:ca2:2::/64 \ +--out-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table mangle \ +--insert LIBVIRT_PRT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump CHECKSUM \ +--checksum-fill diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables new file mode 100644 index 0000000000..63d4d8e2a5 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables 
@@ -0,0 +1,384 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ 
+53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +oifname \ +virbr0 \ +counter \ +accept 
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args deleted file mode 100644 index d78537dc5c..0000000000 --- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args +++ /dev/null 
@@ -1,262 +0,0 @@
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 67 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 67 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 68 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 68 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---in-interface virbr0 \
---jump REJECT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---out-interface virbr0 \
---jump REJECT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWX \
---in-interface virbr0 \
---out-interface virbr0 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---in-interface virbr0 \
---jump REJECT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---out-interface virbr0 \
---jump REJECT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWX \
---in-interface virbr0 \
---out-interface virbr0 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 547 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 546 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---source 192.168.122.0/24 \
---in-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---destination 192.168.122.0/24 \
---out-interface virbr0 \
---match conntrack \
---ctstate ESTABLISHED,RELATED \
---jump ACCEPT
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
--p udp '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
--p tcp '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
---destination 255.255.255.255/32 \
---jump RETURN
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
---destination 224.0.0.0/24 \
---jump RETURN
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---source 2001:db8:ca2:2::/64 \
---in-interface virbr0 \
---jump ACCEPT
-ip6tables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---destination 2001:db8:ca2:2::/64 \
---out-interface virbr0 \
---match conntrack \
---ctstate ESTABLISHED,RELATED \
---jump ACCEPT
-ip6tables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 2001:db8:ca2:2::/64 '!' \
---destination 2001:db8:ca2:2::/64 \
---jump MASQUERADE
-ip6tables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 2001:db8:ca2:2::/64 \
--p udp '!' \
---destination 2001:db8:ca2:2::/64 \
---jump MASQUERADE \
---to-ports 1024-65535
-ip6tables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 2001:db8:ca2:2::/64 \
--p tcp '!' \
---destination 2001:db8:ca2:2::/64 \
---jump MASQUERADE \
---to-ports 1024-65535
-ip6tables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 2001:db8:ca2:2::/64 \
---destination ff02::/16 \
---jump RETURN
-iptables \
--w \
---table mangle \
---insert LIBVIRT_PRT \
---out-interface virbr0 \
---protocol udp \
---destination-port 68 \
---jump CHECKSUM \
---checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables
new file mode 100644
index 0000000000..d78537dc5c
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables
@@ -0,0 +1,262 @@
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 547 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 546 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.122.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.122.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p udp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p tcp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 2001:db8:ca2:2::/64 \
+--in-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 2001:db8:ca2:2::/64 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+ip6tables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 2001:db8:ca2:2::/64 '!' \
+--destination 2001:db8:ca2:2::/64 \
+--jump MASQUERADE
+ip6tables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 2001:db8:ca2:2::/64 \
+-p udp '!' \
+--destination 2001:db8:ca2:2::/64 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+ip6tables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 2001:db8:ca2:2::/64 \
+-p tcp '!' \
+--destination 2001:db8:ca2:2::/64 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+ip6tables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 2001:db8:ca2:2::/64 \
+--destination ff02::/16 \
+--jump RETURN
+iptables \
+-w \
+--table mangle \
+--insert LIBVIRT_PRT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump CHECKSUM \
+--checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
new file mode 100644
index 0000000000..e6d5dea661
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables
@@ -0,0 +1,456 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+547 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+546 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWO \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip6 \
+daddr \
+2001:db8:ca2:2::/64 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_PRT \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+'!=' \
+2001:db8:ca2:2::/64 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+'!=' \
+2001:db8:ca2:2::/64 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+'!=' \
+2001:db8:ca2:2::/64 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt \
+LIBVIRT_PRT \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+ff02::/16 \
+counter \
+return
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.args
deleted file mode 100644
index ba7f234b82..0000000000
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.args
+++ /dev/null
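Review bot: The nftables expectation for nat-ipv6-masquerade-linux has no counterpart to the final rule of the .iptables file in the previous section, the mangle-table `--jump CHECKSUM --checksum-fill` rule for udp dport 68 leaving virbr0; this nft output ends at the `ff02::/16` return rule, and the nat-many-ips-linux.nftables hunk further down shows the same gap. If leaving out the DHCP checksum fix-up is deliberate for the nftables backend, a short statement of why (in the commit message or next to the rule emitter in the backend source) would stop a reader comparing the two expected outputs from reading it as a lost rule. If it is not deliberate, guest DHCP on hosts that still rely on checksum fill-in would be the thing to verify before this file becomes the reference output.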
@@ -1,257 +0,0 @@
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 67 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 67 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 68 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 68 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_INP \
---in-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol tcp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_OUT \
---out-interface virbr0 \
---protocol udp \
---destination-port 53 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---in-interface virbr0 \
---jump REJECT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---out-interface virbr0 \
---jump REJECT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWX \
---in-interface virbr0 \
---out-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---source 192.168.122.0/24 \
---in-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---destination 192.168.122.0/24 \
---out-interface virbr0 \
---match conntrack \
---ctstate ESTABLISHED,RELATED \
---jump ACCEPT
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
--p udp '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
--p tcp '!' \
---destination 192.168.122.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
---destination 255.255.255.255/32 \
---jump RETURN
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.122.0/24 \
---destination 224.0.0.0/24 \
---jump RETURN
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---source 192.168.128.0/24 \
---in-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---destination 192.168.128.0/24 \
---out-interface virbr0 \
---match conntrack \
---ctstate ESTABLISHED,RELATED \
---jump ACCEPT
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.128.0/24 '!' \
---destination 192.168.128.0/24 \
---jump MASQUERADE
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.128.0/24 \
--p udp '!' \
---destination 192.168.128.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.128.0/24 \
--p tcp '!' \
---destination 192.168.128.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.128.0/24 \
---destination 255.255.255.255/32 \
---jump RETURN
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.128.0/24 \
---destination 224.0.0.0/24 \
---jump RETURN
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWO \
---source 192.168.150.0/24 \
---in-interface virbr0 \
---jump ACCEPT
-iptables \
--w \
---table filter \
---insert LIBVIRT_FWI \
---destination 192.168.150.0/24 \
---out-interface virbr0 \
---match conntrack \
---ctstate ESTABLISHED,RELATED \
---jump ACCEPT
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.150.0/24 '!' \
---destination 192.168.150.0/24 \
---jump MASQUERADE
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.150.0/24 \
--p udp '!' \
---destination 192.168.150.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.150.0/24 \
--p tcp '!' \
---destination 192.168.150.0/24 \
---jump MASQUERADE \
---to-ports 1024-65535
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.150.0/24 \
---destination 255.255.255.255/32 \
---jump RETURN
-iptables \
--w \
---table nat \
---insert LIBVIRT_PRT \
---source 192.168.150.0/24 \
---destination 224.0.0.0/24 \
---jump RETURN
-iptables \
--w \
---table mangle \
---insert LIBVIRT_PRT \
---out-interface virbr0 \
---protocol udp \
---destination-port 68 \
---jump CHECKSUM \
---checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.iptables b/tests/networkxml2firewalldata/nat-many-ips-linux.iptables
new file mode 100644
index 0000000000..ba7f234b82
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.iptables
@@ -0,0 +1,257 @@
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.122.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.122.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p udp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p tcp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.128.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.128.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 '!' \
+--destination 192.168.128.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+-p udp '!' \
+--destination 192.168.128.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+-p tcp '!' \
+--destination 192.168.128.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.150.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.150.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.150.0/24 '!' \
+--destination 192.168.150.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.150.0/24 \
+-p udp '!' \
+--destination 192.168.150.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.150.0/24 \
+-p tcp '!' \
+--destination 192.168.150.0/24 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.150.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.150.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+iptables \
+-w \
+--table mangle \
+--insert LIBVIRT_PRT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump CHECKSUM \
+--checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
new file mode 100644
index 0000000000..e636916c7e
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables
@@ -0,0 +1,472 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+67 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+68 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_INP \
+iifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+tcp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_OUT \
+oifname \
+virbr0 \
+udp \
+dport \
+53 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+iifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWX \
+iifname \
+virbr0 \
+oifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.122.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.128.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.128.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWO \
+ip \
+saddr \
+192.168.150.0/24 \
+iifname \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_FWI \
+oifname \
+virbr0 \
+ip \
+daddr \
+192.168.150.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.150.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.150.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.150.0/24 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt \
+LIBVIRT_PRT \
+ip \
+saddr \
+192.168.150.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
deleted file mode 100644
index 1e5aa05231..0000000000
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
+++ /dev/null
@@ -1,219 +0,0 @@ -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol tcp \ ---destination-port 67 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol udp \ ---destination-port 67 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol tcp \ ---destination-port 68 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol udp \ ---destination-port 68 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol tcp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol udp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol tcp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol udp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWO \ ---in-interface virbr0 \ ---jump REJECT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWI \ ---out-interface virbr0 \ ---jump REJECT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWX \ ---in-interface virbr0 \ ---out-interface virbr0 \ ---jump ACCEPT -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_FWO \ ---in-interface virbr0 \ ---jump REJECT -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_FWI \ ---out-interface virbr0 \ ---jump REJECT -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_FWX \ ---in-interface virbr0 \ ---out-interface virbr0 \ ---jump ACCEPT -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol tcp \ ---destination-port 53 \ ---jump ACCEPT -ip6tables \ --w \ ---table 
filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol udp \ ---destination-port 53 \ ---jump ACCEPT -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol tcp \ ---destination-port 53 \ ---jump ACCEPT -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol udp \ ---destination-port 53 \ ---jump ACCEPT -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol udp \ ---destination-port 547 \ ---jump ACCEPT -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol udp \ ---destination-port 546 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWO \ ---source 192.168.122.0/24 \ ---in-interface virbr0 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWI \ ---destination 192.168.122.0/24 \ ---out-interface virbr0 \ ---match conntrack \ ---ctstate ESTABLISHED,RELATED \ ---jump ACCEPT -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 '!' \ ---destination 192.168.122.0/24 \ ---jump MASQUERADE -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 \ --p udp '!' \ ---destination 192.168.122.0/24 \ ---jump MASQUERADE \ ---to-ports 1024-65535 -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 \ --p tcp '!' 
\ ---destination 192.168.122.0/24 \ ---jump MASQUERADE \ ---to-ports 1024-65535 -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 \ ---destination 255.255.255.255/32 \ ---jump RETURN -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 \ ---destination 224.0.0.0/24 \ ---jump RETURN -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_FWO \ ---source 2001:db8:ca2:2::/64 \ ---in-interface virbr0 \ ---jump ACCEPT -ip6tables \ --w \ ---table filter \ ---insert LIBVIRT_FWI \ ---destination 2001:db8:ca2:2::/64 \ ---out-interface virbr0 \ ---jump ACCEPT diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables new file mode 100644 index 0000000000..1e5aa05231 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables 
@@ -0,0 +1,219 @@ +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table 
filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 547 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 546 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 192.168.122.0/24 \ +--in-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 192.168.122.0/24 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p udp '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p tcp '!' 
\ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 255.255.255.255/32 \ +--jump RETURN +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 224.0.0.0/24 \ +--jump RETURN +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 2001:db8:ca2:2::/64 \ +--in-interface virbr0 \ +--jump ACCEPT +ip6tables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 2001:db8:ca2:2::/64 \ +--out-interface virbr0 \ +--jump ACCEPT diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables new file mode 100644 index 0000000000..63d4d8e2a5 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables 
@@ -0,0 +1,384 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ 
+53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +547 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +546 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWO \ +ip6 \ +saddr \ +2001:db8:ca2:2::/64 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip6 \ +libvirt \ +LIBVIRT_FWI \ +ip6 \ +daddr \ +2001:db8:ca2:2::/64 \ +oifname \ +virbr0 \ +counter \ +accept 
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.args
deleted file mode 100644
index 565fff737c..0000000000
--- a/tests/networkxml2firewalldata/nat-tftp-linux.args
+++ /dev/null
@@ -1,163 +0,0 @@ -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol tcp \ ---destination-port 67 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol udp \ ---destination-port 67 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol tcp \ ---destination-port 68 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol udp \ ---destination-port 68 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol tcp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol udp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol tcp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol udp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol udp \ ---destination-port 69 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol udp \ ---destination-port 69 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWO \ ---in-interface virbr0 \ ---jump REJECT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWI \ ---out-interface virbr0 \ ---jump REJECT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWX \ ---in-interface virbr0 \ ---out-interface virbr0 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWO \ ---source 192.168.122.0/24 \ ---in-interface virbr0 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWI \ ---destination 
192.168.122.0/24 \ ---out-interface virbr0 \ ---match conntrack \ ---ctstate ESTABLISHED,RELATED \ ---jump ACCEPT -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 '!' \ ---destination 192.168.122.0/24 \ ---jump MASQUERADE -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 \ --p udp '!' \ ---destination 192.168.122.0/24 \ ---jump MASQUERADE \ ---to-ports 1024-65535 -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 \ --p tcp '!' \ ---destination 192.168.122.0/24 \ ---jump MASQUERADE \ ---to-ports 1024-65535 -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 \ ---destination 255.255.255.255/32 \ ---jump RETURN -iptables \ --w \ ---table nat \ ---insert LIBVIRT_PRT \ ---source 192.168.122.0/24 \ ---destination 224.0.0.0/24 \ ---jump RETURN -iptables \ --w \ ---table mangle \ ---insert LIBVIRT_PRT \ ---out-interface virbr0 \ ---protocol udp \ ---destination-port 68 \ ---jump CHECKSUM \ ---checksum-fill diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.iptables b/tests/networkxml2firewalldata/nat-tftp-linux.iptables new file mode 100644 index 0000000000..565fff737c --- /dev/null +++ b/tests/networkxml2firewalldata/nat-tftp-linux.iptables 
@@ -0,0 +1,163 @@ +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 69 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 69 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 192.168.122.0/24 \ +--in-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 
192.168.122.0/24 \ +--out-interface virbr0 \ +--match conntrack \ +--ctstate ESTABLISHED,RELATED \ +--jump ACCEPT +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p udp '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +-p tcp '!' \ +--destination 192.168.122.0/24 \ +--jump MASQUERADE \ +--to-ports 1024-65535 +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 255.255.255.255/32 \ +--jump RETURN +iptables \ +-w \ +--table nat \ +--insert LIBVIRT_PRT \ +--source 192.168.122.0/24 \ +--destination 224.0.0.0/24 \ +--jump RETURN +iptables \ +-w \ +--table mangle \ +--insert LIBVIRT_PRT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump CHECKSUM \ +--checksum-fill diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/networkxml2firewalldata/nat-tftp-linux.nftables new file mode 100644 index 0000000000..bb0598d011 --- /dev/null +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables 
@@ -0,0 +1,274 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +69 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +69 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +ip \ +daddr \ +192.168.122.0/24 \ +ct \ +state \ +related,established \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' 
\ +192.168.122.0/24 \ +counter \ +masquerade +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +udp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +meta \ +l4proto \ +tcp \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +'!=' \ +192.168.122.0/24 \ +counter \ +masquerade \ +to \ +:1024-65535 +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +255.255.255.255/32 \ +counter \ +return +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_PRT \ +ip \ +saddr \ +192.168.122.0/24 \ +ip \ +daddr \ +224.0.0.0/24 \ +counter \ +return diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.args deleted file mode 100644 index a7b969c077..0000000000 --- a/tests/networkxml2firewalldata/route-default-linux.args +++ /dev/null 
@@ -1,106 +0,0 @@ -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol tcp \ ---destination-port 67 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol udp \ ---destination-port 67 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol tcp \ ---destination-port 68 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol udp \ ---destination-port 68 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol tcp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_INP \ ---in-interface virbr0 \ ---protocol udp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol tcp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_OUT \ ---out-interface virbr0 \ ---protocol udp \ ---destination-port 53 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWO \ ---in-interface virbr0 \ ---jump REJECT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWI \ ---out-interface virbr0 \ ---jump REJECT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWX \ ---in-interface virbr0 \ ---out-interface virbr0 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWO \ ---source 192.168.122.0/24 \ ---in-interface virbr0 \ ---jump ACCEPT -iptables \ --w \ ---table filter \ ---insert LIBVIRT_FWI \ ---destination 192.168.122.0/24 \ ---out-interface virbr0 \ ---jump ACCEPT -iptables \ --w \ ---table mangle \ ---insert LIBVIRT_PRT \ ---out-interface virbr0 \ ---protocol udp \ ---destination-port 68 \ ---jump CHECKSUM \ ---checksum-fill 
diff --git a/tests/networkxml2firewalldata/route-default-linux.iptables b/tests/networkxml2firewalldata/route-default-linux.iptables
new file mode 100644
index 0000000000..a7b969c077
--- /dev/null
+++ b/tests/networkxml2firewalldata/route-default-linux.iptables
@@ -0,0 +1,106 @@ +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 67 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_INP \ +--in-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol tcp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_OUT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 53 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--in-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--out-interface virbr0 \ +--jump REJECT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWX \ +--in-interface virbr0 \ +--out-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWO \ +--source 192.168.122.0/24 \ +--in-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table filter \ +--insert LIBVIRT_FWI \ +--destination 192.168.122.0/24 \ +--out-interface virbr0 \ +--jump ACCEPT +iptables \ +-w \ +--table mangle \ +--insert LIBVIRT_PRT \ +--out-interface virbr0 \ +--protocol udp \ +--destination-port 68 \ +--jump CHECKSUM \ +--checksum-fill 
diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/tests/networkxml2firewalldata/route-default-linux.nftables new file mode 100644 index 0000000000..834f6366ae --- /dev/null +++ b/tests/networkxml2firewalldata/route-default-linux.nftables @@ -0,0 +1,162 @@ +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +67 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +68 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_INP \ +iifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +tcp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_OUT \ +oifname \ +virbr0 \ +udp \ +dport \ +53 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +iifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +oifname \ +virbr0 \ +counter \ +reject +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWX \ +iifname \ +virbr0 \ +oifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWO \ +ip \ +saddr \ +192.168.122.0/24 \ +iifname \ +virbr0 \ +counter \ +accept +nft \ +-ae insert \ +rule \ +ip \ +libvirt \ +LIBVIRT_FWI \ +ip \ +daddr \ +192.168.122.0/24 \ +oifname \ +virbr0 \ +counter \ +accept diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c index 082979e5dc..4cabe39d1d 100644 
--- a/tests/networkxml2firewalltest.c
+++ b/tests/networkxml2firewalltest.c
@@ -79,13 +79,21 @@ testCommandDryRun(const char *const*args G_GNUC_UNUSED,
 void *opaque G_GNUC_UNUSED)
 {
 *status = 0;
- *output = g_strdup("");
+ /* if arg[1] is -ae then this is an nft command,
+ * and the caller requested to get the handle
+ * of the newly added object in stdout
+ */
+ if (STREQ_NULLABLE(args[1], "-ae"))
+ *output = g_strdup("# handle 5309");
+ else
+ *output = g_strdup("");
 *error = g_strdup("");
 }
 
 static int testCompareXMLToArgvFiles(const char *xml,
 const char *cmdline,
- const char *baseargs)
+ const char *baseargs,
+ virFirewallBackend backend)
 {
 g_autofree char *actualargv = NULL;
 g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
@@ -98,7 +106,7 @@ static int testCompareXMLToArgvFiles(const char *xml,
 if (!(def = virNetworkDefParse(NULL, xml, NULL, false)))
 return -1;
 
- if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES, NULL) < 0)
+ if (networkAddFirewallRules(def, backend, NULL) < 0)
 return -1;
 
 actual = actualargv = virBufferContentAndReset(&buf);
@@ -119,6 +127,7 @@ static int testCompareXMLToArgvFiles(const char *xml,
 struct testInfo {
 const char *name;
 const char *baseargs;
+ virFirewallBackend backend;
 };
 
 
@@ -132,10 +141,11 @@ testCompareXMLToIPTablesHelper(const void *data)
 
 xml = g_strdup_printf("%s/networkxml2firewalldata/%s.xml",
 abs_srcdir, info->name);
- args = g_strdup_printf("%s/networkxml2firewalldata/%s-%s.args",
- abs_srcdir, info->name, RULESTYPE);
+ args = g_strdup_printf("%s/networkxml2firewalldata/%s-%s.%s",
+ abs_srcdir, info->name, RULESTYPE,
+ virFirewallBackendTypeToString(info->backend));
 
- result = testCompareXMLToArgvFiles(xml, args, info->baseargs);
+ result = testCompareXMLToArgvFiles(xml, args, info->baseargs, info->backend);
 
 return result;
 }
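Review bot: The new stub reads `args[1]` without first confirming that `args[0]` exists, so if args is a NULL-terminated argv (as the `const char *const*` type suggests) an empty argv would read one past the terminator before STREQ_NULLABLE gets to do its NULL check; `if (args[0] && STREQ_NULLABLE(args[1], "-ae"))` closes that gap for the cost of one test. The comment above the check also says `arg[1]` while the code inspects `args[1]`. Matching on the option's position additionally ties the stub to the exact argument layout the backend emits; if that order ever changes the stub silently returns empty output and the handle parsing under test would presumably fail in a less obvious place, so a comment such as `/* relies on the backend always emitting "nft -ae ..." with -ae as argv[1] */` would make that coupling visible. testCommandDryRun's signature and remaining parameters start before the hunk.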
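Review bot: testCompareXMLToIPTablesHelper is now run for both backends but keeps its iptables-specific name, and the data-file path it builds depends on `virFirewallBackendTypeToString(info->backend)` returning a string; for a backend value outside the enum that would presumably yield a "(null)" suffix and a confusing file-not-found failure rather than a clear one. A rename along the lines of testCompareXMLToFirewallHelper, plus `if (!virFirewallBackendTypeToString(info->backend)) return -1;` before building `args`, would make both the intent and the failure mode explicit. The function's declaration and locals are outside the hunk.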
@@ -145,24 +155,42 @@ static int
 mymain(void)
 {
 int ret = 0;
- g_autofree char *basefile = NULL;
- g_autofree char *baseargs = NULL;
+ g_autofree char *basefileIptables = NULL;
+ g_autofree char *basefileNftables = NULL;
+ g_autofree char *baseargsIptables = NULL;
+ g_autofree char *baseargsNftables = NULL;
+ const char *baseargs[VIR_FIREWALL_BACKEND_LAST];
 
-# define DO_TEST(name) \
+# define DO_TEST_FOR_BACKEND(name, backend) \
 do { \
 struct testInfo info = { \
- name, baseargs, \
+ name, baseargs[backend], backend \
 }; \
- if (virTestRun("Network XML-2-iptables " name, \
- testCompareXMLToIPTablesHelper, &info) < 0) \
+ g_autofree char *label = g_strdup_printf("Network XML-2-%s %s", \
+ virFirewallBackendTypeToString(backend), \
+ name); \
+ if (virTestRun(label, testCompareXMLToIPTablesHelper, &info) < 0) \
 ret = -1; \
 } while (0)
 
- basefile = g_strdup_printf("%s/networkxml2firewalldata/base.args", abs_srcdir);
+# define DO_TEST(name) \
+ DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_IPTABLES); \
+ DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_NFTABLES);
 
- if (virFileReadAll(basefile, INT_MAX, &baseargs) < 0)
+
+ basefileIptables = g_strdup_printf("%s/networkxml2firewalldata/base.iptables", abs_srcdir);
+ if (virFileReadAll(basefileIptables, INT_MAX, &baseargsIptables) < 0)
 return EXIT_FAILURE;
 
+ baseargs[VIR_FIREWALL_BACKEND_IPTABLES] = baseargsIptables;
+
+ basefileNftables = g_strdup_printf("%s/networkxml2firewalldata/base.nftables", abs_srcdir);
+ if (virFileReadAll(basefileNftables, INT_MAX, &baseargsNftables) < 0)
+ return EXIT_FAILURE;
+
+ baseargs[VIR_FIREWALL_BACKEND_NFTABLES] = baseargsNftables;
+
+
 DO_TEST("nat-default");
 DO_TEST("nat-tftp");
 DO_TEST("nat-many-ips");
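Review bot: `const char *baseargs[VIR_FIREWALL_BACKEND_LAST]` is declared without an initializer and only the two iptables/nftables slots are filled in below, so any other backend value reaching DO_TEST_FOR_BACKEND would hand an indeterminate pointer to testInfo.baseargs; `const char *baseargs[VIR_FIREWALL_BACKEND_LAST] = { NULL };` turns that into a deterministic NULL. The new DO_TEST macro also expands to two statements that are not wrapped in `do { ... } while (0)`, so `if (cond) DO_TEST("x");` would guard only the iptables run while the nftables run always executes; the existing DO_TEST_FOR_BACKEND already shows the idiom to follow, and the trailing `;` in the expansion then becomes unnecessary. mymain continues past the end of the hunk.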