forked from rpms/libvirt
6498 lines
153 KiB
Diff
6498 lines
153 KiB
Diff
From 4dcb98488fe7049c914a9e2bd82d2fcae834bba5 Mon Sep 17 00:00:00 2001
|
|
Message-Id: <4dcb98488fe7049c914a9e2bd82d2fcae834bba5@dist-git>
|
|
From: Laine Stump <laine@redhat.com>
|
|
Date: Fri, 15 Jan 2021 22:51:45 -0500
|
|
Subject: [PATCH] util/tests: enable locking on iptables/ebtables commandlines
|
|
in unit tests
|
|
|
|
All the unit tests that use iptables/ip6tables/ebtables have been
|
|
written to omit the locking/exclusive use primitive on the generated
|
|
commandlines. Even though none of the tests actually execute those
|
|
commands (and so it doesn't matter for purposes of the test whether or
|
|
not the commands support these options), it still made sense when some
|
|
systems had these locking options and some didn't.
|
|
|
|
We are now at a point where every supported Linux distro has supported
|
|
the locking options on these commands for quite a long time, and are
|
|
going to make their use non-optional. As a first step, this patch uses
|
|
the virFirewallSetLockOverride() function, which is called at the
|
|
beginning of all firewall-related tests, to set all the bools
|
|
controlling whether or not the locking options are used to true. This
|
|
means that all the test cases must be updated to include the proper
|
|
locking option in their commandlines.
|
|
|
|
The change to make actual execs of the commands unconditionally use
|
|
the locking option will be in an upcoming patch - this one affects
|
|
only the unit tests.
|
|
|
|
https://bugzilla.redhat.com/1607929
|
|
|
|
Signed-off-by: Laine Stump <laine@redhat.com>
|
|
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
|
|
(cherry picked from commit e66451f685e29ffe4be5a060ef64b19961ad4bb5)
|
|
|
|
Conflicts:
|
|
tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args:
|
|
exists only upstream
|
|
|
|
tests/virfirewalltest.c:
|
|
minor merge conflict due to glib conversion upstream.
|
|
|
|
Signed-off-by: Laine Stump <laine@redhat.com>
|
|
Message-Id: <20210116035151.1066734-3-laine@redhat.com>
|
|
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
|
|
---
|
|
src/util/virfirewall.c | 6 +
|
|
tests/networkxml2firewalldata/base.args | 34 ++
|
|
.../nat-default-linux.args | 19 +
|
|
.../nat-ipv6-linux.args | 30 ++
|
|
.../nat-many-ips-linux.args | 33 ++
|
|
.../nat-no-dhcp-linux.args | 29 ++
|
|
.../nat-tftp-linux.args | 21 +
|
|
.../route-default-linux.args | 14 +
|
|
tests/nwfilterebiptablestest.c | 464 +++++++++---------
|
|
.../ah-ipv6-linux.args | 9 +
|
|
tests/nwfilterxml2firewalldata/ah-linux.args | 9 +
|
|
.../all-ipv6-linux.args | 9 +
|
|
tests/nwfilterxml2firewalldata/all-linux.args | 9 +
|
|
tests/nwfilterxml2firewalldata/arp-linux.args | 5 +
|
|
.../comment-linux.args | 19 +
|
|
.../conntrack-linux.args | 7 +
|
|
.../esp-ipv6-linux.args | 9 +
|
|
tests/nwfilterxml2firewalldata/esp-linux.args | 9 +
|
|
.../example-1-linux.args | 12 +
|
|
.../example-2-linux.args | 10 +
|
|
.../hex-data-linux.args | 10 +
|
|
.../icmp-direction-linux.args | 6 +
|
|
.../icmp-direction2-linux.args | 6 +
|
|
.../icmp-direction3-linux.args | 6 +
|
|
.../nwfilterxml2firewalldata/icmp-linux.args | 3 +
|
|
.../icmpv6-linux.args | 4 +
|
|
.../nwfilterxml2firewalldata/igmp-linux.args | 9 +
|
|
tests/nwfilterxml2firewalldata/ip-linux.args | 3 +
|
|
.../nwfilterxml2firewalldata/ipset-linux.args | 18 +
|
|
.../ipt-no-macspoof-linux.args | 2 +
|
|
.../nwfilterxml2firewalldata/ipv6-linux.args | 15 +
|
|
.../nwfilterxml2firewalldata/iter1-linux.args | 9 +
|
|
.../nwfilterxml2firewalldata/iter2-linux.args | 171 +++++++
|
|
.../nwfilterxml2firewalldata/iter3-linux.args | 15 +
|
|
tests/nwfilterxml2firewalldata/mac-linux.args | 4 +
|
|
.../nwfilterxml2firewalldata/rarp-linux.args | 6 +
|
|
.../sctp-ipv6-linux.args | 9 +
|
|
.../nwfilterxml2firewalldata/sctp-linux.args | 9 +
|
|
tests/nwfilterxml2firewalldata/stp-linux.args | 11 +
|
|
.../target-linux.args | 33 ++
|
|
.../target2-linux.args | 12 +
|
|
.../tcp-ipv6-linux.args | 9 +
|
|
tests/nwfilterxml2firewalldata/tcp-linux.args | 13 +
|
|
.../udp-ipv6-linux.args | 9 +
|
|
tests/nwfilterxml2firewalldata/udp-linux.args | 9 +
|
|
.../udplite-ipv6-linux.args | 9 +
|
|
.../udplite-linux.args | 9 +
|
|
.../nwfilterxml2firewalldata/vlan-linux.args | 7 +
|
|
tests/nwfilterxml2firewalltest.c | 144 +++---
|
|
tests/virfirewalltest.c | 112 +++--
|
|
50 files changed, 1081 insertions(+), 358 deletions(-)
|
|
|
|
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
|
|
index ee72b579e4..c2de2bccae 100644
|
|
--- a/src/util/virfirewall.c
|
|
+++ b/src/util/virfirewall.c
|
|
@@ -106,6 +106,12 @@ void
|
|
virFirewallSetLockOverride(bool avoid)
|
|
{
|
|
lockOverride = avoid;
|
|
+ if (avoid) {
|
|
+ /* add the lock option to all commands */
|
|
+ iptablesUseLock = true;
|
|
+ ip6tablesUseLock = true;
|
|
+ ebtablesUseLock = true;
|
|
+ }
|
|
}
|
|
|
|
static void
|
|
diff --git a/tests/networkxml2firewalldata/base.args b/tests/networkxml2firewalldata/base.args
|
|
index 0e71bf3a64..056ee12758 100644
|
|
--- a/tests/networkxml2firewalldata/base.args
|
|
+++ b/tests/networkxml2firewalldata/base.args
|
|
@@ -1,116 +1,150 @@
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--list-rules
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--list-rules
|
|
iptables \
|
|
+-w \
|
|
--table mangle \
|
|
--list-rules
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--new-chain LIBVIRT_INP
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert INPUT \
|
|
--jump LIBVIRT_INP
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--new-chain LIBVIRT_OUT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert OUTPUT \
|
|
--jump LIBVIRT_OUT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--new-chain LIBVIRT_FWO
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert FORWARD \
|
|
--jump LIBVIRT_FWO
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--new-chain LIBVIRT_FWI
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert FORWARD \
|
|
--jump LIBVIRT_FWI
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--new-chain LIBVIRT_FWX
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert FORWARD \
|
|
--jump LIBVIRT_FWX
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--new-chain LIBVIRT_PRT
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert POSTROUTING \
|
|
--jump LIBVIRT_PRT
|
|
iptables \
|
|
+-w \
|
|
--table mangle \
|
|
--new-chain LIBVIRT_PRT
|
|
iptables \
|
|
+-w \
|
|
--table mangle \
|
|
--insert POSTROUTING \
|
|
--jump LIBVIRT_PRT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--list-rules
|
|
ip6tables \
|
|
+-w \
|
|
--table nat \
|
|
--list-rules
|
|
ip6tables \
|
|
+-w \
|
|
--table mangle \
|
|
--list-rules
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--new-chain LIBVIRT_INP
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert INPUT \
|
|
--jump LIBVIRT_INP
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--new-chain LIBVIRT_OUT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert OUTPUT \
|
|
--jump LIBVIRT_OUT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--new-chain LIBVIRT_FWO
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert FORWARD \
|
|
--jump LIBVIRT_FWO
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--new-chain LIBVIRT_FWI
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert FORWARD \
|
|
--jump LIBVIRT_FWI
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--new-chain LIBVIRT_FWX
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert FORWARD \
|
|
--jump LIBVIRT_FWX
|
|
ip6tables \
|
|
+-w \
|
|
--table nat \
|
|
--new-chain LIBVIRT_PRT
|
|
ip6tables \
|
|
+-w \
|
|
--table nat \
|
|
--insert POSTROUTING \
|
|
--jump LIBVIRT_PRT
|
|
ip6tables \
|
|
+-w \
|
|
--table mangle \
|
|
--new-chain LIBVIRT_PRT
|
|
ip6tables \
|
|
+-w \
|
|
--table mangle \
|
|
--insert POSTROUTING \
|
|
--jump LIBVIRT_PRT
|
|
diff --git a/tests/networkxml2firewalldata/nat-default-linux.args b/tests/networkxml2firewalldata/nat-default-linux.args
|
|
index ab18f30bd0..3cfa61333c 100644
|
|
--- a/tests/networkxml2firewalldata/nat-default-linux.args
|
|
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -6,6 +7,7 @@ iptables \
|
|
--destination-port 67 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -13,6 +15,7 @@ iptables \
|
|
--destination-port 67 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -20,6 +23,7 @@ iptables \
|
|
--destination-port 68 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -27,6 +31,7 @@ iptables \
|
|
--destination-port 68 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -34,6 +39,7 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -41,6 +47,7 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -48,6 +55,7 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -55,28 +63,33 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWO \
|
|
--in-interface virbr0 \
|
|
--jump REJECT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWI \
|
|
--out-interface virbr0 \
|
|
--jump REJECT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWX \
|
|
--in-interface virbr0 \
|
|
--out-interface virbr0 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWO \
|
|
--source 192.168.122.0/24 \
|
|
--in-interface virbr0 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWI \
|
|
--destination 192.168.122.0/24 \
|
|
@@ -85,12 +98,14 @@ iptables \
|
|
--ctstate ESTABLISHED,RELATED \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 '!' \
|
|
--destination 192.168.122.0/24 \
|
|
--jump MASQUERADE
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
@@ -99,6 +114,7 @@ iptables \
|
|
--jump MASQUERADE \
|
|
--to-ports 1024-65535
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
@@ -107,18 +123,21 @@ iptables \
|
|
--jump MASQUERADE \
|
|
--to-ports 1024-65535
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
--destination 255.255.255.255/32 \
|
|
--jump RETURN
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
--destination 224.0.0.0/24 \
|
|
--jump RETURN
|
|
iptables \
|
|
+-w \
|
|
--table mangle \
|
|
--insert LIBVIRT_PRT \
|
|
--out-interface virbr0 \
|
|
diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.args b/tests/networkxml2firewalldata/nat-ipv6-linux.args
|
|
index 05d9ee33ca..ce295cbc6d 100644
|
|
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.args
|
|
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -6,6 +7,7 @@ iptables \
|
|
--destination-port 67 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -13,6 +15,7 @@ iptables \
|
|
--destination-port 67 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -20,6 +23,7 @@ iptables \
|
|
--destination-port 68 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -27,6 +31,7 @@ iptables \
|
|
--destination-port 68 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -34,6 +39,7 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -41,6 +47,7 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -48,6 +55,7 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -55,38 +63,45 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWO \
|
|
--in-interface virbr0 \
|
|
--jump REJECT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWI \
|
|
--out-interface virbr0 \
|
|
--jump REJECT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWX \
|
|
--in-interface virbr0 \
|
|
--out-interface virbr0 \
|
|
--jump ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWO \
|
|
--in-interface virbr0 \
|
|
--jump REJECT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWI \
|
|
--out-interface virbr0 \
|
|
--jump REJECT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWX \
|
|
--in-interface virbr0 \
|
|
--out-interface virbr0 \
|
|
--jump ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -94,6 +109,7 @@ ip6tables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -101,6 +117,7 @@ ip6tables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -108,6 +125,7 @@ ip6tables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -115,6 +133,7 @@ ip6tables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -122,6 +141,7 @@ ip6tables \
|
|
--destination-port 547 \
|
|
--jump ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -129,12 +149,14 @@ ip6tables \
|
|
--destination-port 546 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWO \
|
|
--source 192.168.122.0/24 \
|
|
--in-interface virbr0 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWI \
|
|
--destination 192.168.122.0/24 \
|
|
@@ -143,12 +165,14 @@ iptables \
|
|
--ctstate ESTABLISHED,RELATED \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 '!' \
|
|
--destination 192.168.122.0/24 \
|
|
--jump MASQUERADE
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
@@ -157,6 +181,7 @@ iptables \
|
|
--jump MASQUERADE \
|
|
--to-ports 1024-65535
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
@@ -165,30 +190,35 @@ iptables \
|
|
--jump MASQUERADE \
|
|
--to-ports 1024-65535
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
--destination 255.255.255.255/32 \
|
|
--jump RETURN
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
--destination 224.0.0.0/24 \
|
|
--jump RETURN
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWO \
|
|
--source 2001:db8:ca2:2::/64 \
|
|
--in-interface virbr0 \
|
|
--jump ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWI \
|
|
--destination 2001:db8:ca2:2::/64 \
|
|
--out-interface virbr0 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table mangle \
|
|
--insert LIBVIRT_PRT \
|
|
--out-interface virbr0 \
|
|
diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.args b/tests/networkxml2firewalldata/nat-many-ips-linux.args
|
|
index 82e1380f51..ba7f234b82 100644
|
|
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.args
|
|
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -6,6 +7,7 @@ iptables \
|
|
--destination-port 67 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -13,6 +15,7 @@ iptables \
|
|
--destination-port 67 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -20,6 +23,7 @@ iptables \
|
|
--destination-port 68 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -27,6 +31,7 @@ iptables \
|
|
--destination-port 68 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -34,6 +39,7 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -41,6 +47,7 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -48,6 +55,7 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -55,28 +63,33 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWO \
|
|
--in-interface virbr0 \
|
|
--jump REJECT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWI \
|
|
--out-interface virbr0 \
|
|
--jump REJECT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWX \
|
|
--in-interface virbr0 \
|
|
--out-interface virbr0 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWO \
|
|
--source 192.168.122.0/24 \
|
|
--in-interface virbr0 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWI \
|
|
--destination 192.168.122.0/24 \
|
|
@@ -85,12 +98,14 @@ iptables \
|
|
--ctstate ESTABLISHED,RELATED \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 '!' \
|
|
--destination 192.168.122.0/24 \
|
|
--jump MASQUERADE
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
@@ -99,6 +114,7 @@ iptables \
|
|
--jump MASQUERADE \
|
|
--to-ports 1024-65535
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
@@ -107,24 +123,28 @@ iptables \
|
|
--jump MASQUERADE \
|
|
--to-ports 1024-65535
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
--destination 255.255.255.255/32 \
|
|
--jump RETURN
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
--destination 224.0.0.0/24 \
|
|
--jump RETURN
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWO \
|
|
--source 192.168.128.0/24 \
|
|
--in-interface virbr0 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWI \
|
|
--destination 192.168.128.0/24 \
|
|
@@ -133,12 +153,14 @@ iptables \
|
|
--ctstate ESTABLISHED,RELATED \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.128.0/24 '!' \
|
|
--destination 192.168.128.0/24 \
|
|
--jump MASQUERADE
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.128.0/24 \
|
|
@@ -147,6 +169,7 @@ iptables \
|
|
--jump MASQUERADE \
|
|
--to-ports 1024-65535
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.128.0/24 \
|
|
@@ -155,24 +178,28 @@ iptables \
|
|
--jump MASQUERADE \
|
|
--to-ports 1024-65535
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.128.0/24 \
|
|
--destination 255.255.255.255/32 \
|
|
--jump RETURN
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.128.0/24 \
|
|
--destination 224.0.0.0/24 \
|
|
--jump RETURN
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWO \
|
|
--source 192.168.150.0/24 \
|
|
--in-interface virbr0 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWI \
|
|
--destination 192.168.150.0/24 \
|
|
@@ -181,12 +208,14 @@ iptables \
|
|
--ctstate ESTABLISHED,RELATED \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.150.0/24 '!' \
|
|
--destination 192.168.150.0/24 \
|
|
--jump MASQUERADE
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.150.0/24 \
|
|
@@ -195,6 +224,7 @@ iptables \
|
|
--jump MASQUERADE \
|
|
--to-ports 1024-65535
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.150.0/24 \
|
|
@@ -203,18 +233,21 @@ iptables \
|
|
--jump MASQUERADE \
|
|
--to-ports 1024-65535
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.150.0/24 \
|
|
--destination 255.255.255.255/32 \
|
|
--jump RETURN
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.150.0/24 \
|
|
--destination 224.0.0.0/24 \
|
|
--jump RETURN
|
|
iptables \
|
|
+-w \
|
|
--table mangle \
|
|
--insert LIBVIRT_PRT \
|
|
--out-interface virbr0 \
|
|
diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
|
|
index 8954cc5473..1e5aa05231 100644
|
|
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
|
|
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -6,6 +7,7 @@ iptables \
|
|
--destination-port 67 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -13,6 +15,7 @@ iptables \
|
|
--destination-port 67 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -20,6 +23,7 @@ iptables \
|
|
--destination-port 68 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -27,6 +31,7 @@ iptables \
|
|
--destination-port 68 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -34,6 +39,7 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -41,6 +47,7 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -48,6 +55,7 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -55,38 +63,45 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWO \
|
|
--in-interface virbr0 \
|
|
--jump REJECT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWI \
|
|
--out-interface virbr0 \
|
|
--jump REJECT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWX \
|
|
--in-interface virbr0 \
|
|
--out-interface virbr0 \
|
|
--jump ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWO \
|
|
--in-interface virbr0 \
|
|
--jump REJECT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWI \
|
|
--out-interface virbr0 \
|
|
--jump REJECT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWX \
|
|
--in-interface virbr0 \
|
|
--out-interface virbr0 \
|
|
--jump ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -94,6 +109,7 @@ ip6tables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -101,6 +117,7 @@ ip6tables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -108,6 +125,7 @@ ip6tables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -115,6 +133,7 @@ ip6tables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -122,6 +141,7 @@ ip6tables \
|
|
--destination-port 547 \
|
|
--jump ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -129,12 +149,14 @@ ip6tables \
|
|
--destination-port 546 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWO \
|
|
--source 192.168.122.0/24 \
|
|
--in-interface virbr0 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWI \
|
|
--destination 192.168.122.0/24 \
|
|
@@ -143,12 +165,14 @@ iptables \
|
|
--ctstate ESTABLISHED,RELATED \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 '!' \
|
|
--destination 192.168.122.0/24 \
|
|
--jump MASQUERADE
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
@@ -157,6 +181,7 @@ iptables \
|
|
--jump MASQUERADE \
|
|
--to-ports 1024-65535
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
@@ -165,24 +190,28 @@ iptables \
|
|
--jump MASQUERADE \
|
|
--to-ports 1024-65535
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
--destination 255.255.255.255/32 \
|
|
--jump RETURN
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
--destination 224.0.0.0/24 \
|
|
--jump RETURN
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWO \
|
|
--source 2001:db8:ca2:2::/64 \
|
|
--in-interface virbr0 \
|
|
--jump ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWI \
|
|
--destination 2001:db8:ca2:2::/64 \
|
|
diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.args b/tests/networkxml2firewalldata/nat-tftp-linux.args
|
|
index 88e9929b62..565fff737c 100644
|
|
--- a/tests/networkxml2firewalldata/nat-tftp-linux.args
|
|
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -6,6 +7,7 @@ iptables \
|
|
--destination-port 67 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -13,6 +15,7 @@ iptables \
|
|
--destination-port 67 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -20,6 +23,7 @@ iptables \
|
|
--destination-port 68 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -27,6 +31,7 @@ iptables \
|
|
--destination-port 68 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -34,6 +39,7 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -41,6 +47,7 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -48,6 +55,7 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -55,6 +63,7 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -62,6 +71,7 @@ iptables \
|
|
--destination-port 69 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -69,28 +79,33 @@ iptables \
|
|
--destination-port 69 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWO \
|
|
--in-interface virbr0 \
|
|
--jump REJECT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWI \
|
|
--out-interface virbr0 \
|
|
--jump REJECT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWX \
|
|
--in-interface virbr0 \
|
|
--out-interface virbr0 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWO \
|
|
--source 192.168.122.0/24 \
|
|
--in-interface virbr0 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWI \
|
|
--destination 192.168.122.0/24 \
|
|
@@ -99,12 +114,14 @@ iptables \
|
|
--ctstate ESTABLISHED,RELATED \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 '!' \
|
|
--destination 192.168.122.0/24 \
|
|
--jump MASQUERADE
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
@@ -113,6 +130,7 @@ iptables \
|
|
--jump MASQUERADE \
|
|
--to-ports 1024-65535
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
@@ -121,18 +139,21 @@ iptables \
|
|
--jump MASQUERADE \
|
|
--to-ports 1024-65535
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
--destination 255.255.255.255/32 \
|
|
--jump RETURN
|
|
iptables \
|
|
+-w \
|
|
--table nat \
|
|
--insert LIBVIRT_PRT \
|
|
--source 192.168.122.0/24 \
|
|
--destination 224.0.0.0/24 \
|
|
--jump RETURN
|
|
iptables \
|
|
+-w \
|
|
--table mangle \
|
|
--insert LIBVIRT_PRT \
|
|
--out-interface virbr0 \
|
|
diff --git a/tests/networkxml2firewalldata/route-default-linux.args b/tests/networkxml2firewalldata/route-default-linux.args
|
|
index c427d9602d..a7b969c077 100644
|
|
--- a/tests/networkxml2firewalldata/route-default-linux.args
|
|
+++ b/tests/networkxml2firewalldata/route-default-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -6,6 +7,7 @@ iptables \
|
|
--destination-port 67 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -13,6 +15,7 @@ iptables \
|
|
--destination-port 67 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -20,6 +23,7 @@ iptables \
|
|
--destination-port 68 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -27,6 +31,7 @@ iptables \
|
|
--destination-port 68 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -34,6 +39,7 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_INP \
|
|
--in-interface virbr0 \
|
|
@@ -41,6 +47,7 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -48,6 +55,7 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_OUT \
|
|
--out-interface virbr0 \
|
|
@@ -55,34 +63,40 @@ iptables \
|
|
--destination-port 53 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWO \
|
|
--in-interface virbr0 \
|
|
--jump REJECT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWI \
|
|
--out-interface virbr0 \
|
|
--jump REJECT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWX \
|
|
--in-interface virbr0 \
|
|
--out-interface virbr0 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWO \
|
|
--source 192.168.122.0/24 \
|
|
--in-interface virbr0 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table filter \
|
|
--insert LIBVIRT_FWI \
|
|
--destination 192.168.122.0/24 \
|
|
--out-interface virbr0 \
|
|
--jump ACCEPT
|
|
iptables \
|
|
+-w \
|
|
--table mangle \
|
|
--insert LIBVIRT_PRT \
|
|
--out-interface virbr0 \
|
|
diff --git a/tests/nwfilterebiptablestest.c b/tests/nwfilterebiptablestest.c
|
|
index 3e6c335d4e..e70f0e2400 100644
|
|
--- a/tests/nwfilterebiptablestest.c
|
|
+++ b/tests/nwfilterebiptablestest.c
|
|
@@ -36,34 +36,34 @@
|
|
|
|
|
|
#define VIR_NWFILTER_NEW_RULES_TEARDOWN \
|
|
- "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n" \
|
|
- "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" \
|
|
- "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \
|
|
- "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n" \
|
|
- "iptables -F FP-vnet0\n" \
|
|
- "iptables -X FP-vnet0\n" \
|
|
- "iptables -F FJ-vnet0\n" \
|
|
- "iptables -X FJ-vnet0\n" \
|
|
- "iptables -F HJ-vnet0\n" \
|
|
- "iptables -X HJ-vnet0\n" \
|
|
- "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n" \
|
|
- "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" \
|
|
- "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \
|
|
- "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n" \
|
|
- "ip6tables -F FP-vnet0\n" \
|
|
- "ip6tables -X FP-vnet0\n" \
|
|
- "ip6tables -F FJ-vnet0\n" \
|
|
- "ip6tables -X FJ-vnet0\n" \
|
|
- "ip6tables -F HJ-vnet0\n" \
|
|
- "ip6tables -X HJ-vnet0\n" \
|
|
- "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n" \
|
|
- "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n" \
|
|
- "ebtables -t nat -L libvirt-J-vnet0\n" \
|
|
- "ebtables -t nat -L libvirt-P-vnet0\n" \
|
|
- "ebtables -t nat -F libvirt-J-vnet0\n" \
|
|
- "ebtables -t nat -X libvirt-J-vnet0\n" \
|
|
- "ebtables -t nat -F libvirt-P-vnet0\n" \
|
|
- "ebtables -t nat -X libvirt-P-vnet0\n"
|
|
+ "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n" \
|
|
+ "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" \
|
|
+ "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \
|
|
+ "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n" \
|
|
+ "iptables -w -F FP-vnet0\n" \
|
|
+ "iptables -w -X FP-vnet0\n" \
|
|
+ "iptables -w -F FJ-vnet0\n" \
|
|
+ "iptables -w -X FJ-vnet0\n" \
|
|
+ "iptables -w -F HJ-vnet0\n" \
|
|
+ "iptables -w -X HJ-vnet0\n" \
|
|
+ "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n" \
|
|
+ "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" \
|
|
+ "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \
|
|
+ "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n" \
|
|
+ "ip6tables -w -F FP-vnet0\n" \
|
|
+ "ip6tables -w -X FP-vnet0\n" \
|
|
+ "ip6tables -w -F FJ-vnet0\n" \
|
|
+ "ip6tables -w -X FJ-vnet0\n" \
|
|
+ "ip6tables -w -F HJ-vnet0\n" \
|
|
+ "ip6tables -w -X HJ-vnet0\n" \
|
|
+ "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n" \
|
|
+ "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n" \
|
|
+ "ebtables --concurrent -t nat -L libvirt-J-vnet0\n" \
|
|
+ "ebtables --concurrent -t nat -L libvirt-P-vnet0\n" \
|
|
+ "ebtables --concurrent -t nat -F libvirt-J-vnet0\n" \
|
|
+ "ebtables --concurrent -t nat -X libvirt-J-vnet0\n" \
|
|
+ "ebtables --concurrent -t nat -F libvirt-P-vnet0\n" \
|
|
+ "ebtables --concurrent -t nat -X libvirt-P-vnet0\n"
|
|
|
|
static int
|
|
testNWFilterEBIPTablesAllTeardown(const void *opaque G_GNUC_UNUSED)
|
|
@@ -71,36 +71,36 @@ testNWFilterEBIPTablesAllTeardown(const void *opaque G_GNUC_UNUSED)
|
|
virBuffer buf = VIR_BUFFER_INITIALIZER;
|
|
const char *expected =
|
|
VIR_NWFILTER_NEW_RULES_TEARDOWN
|
|
- "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
- "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
- "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
- "iptables -F FO-vnet0\n"
|
|
- "iptables -X FO-vnet0\n"
|
|
- "iptables -F FI-vnet0\n"
|
|
- "iptables -X FI-vnet0\n"
|
|
- "iptables -F HI-vnet0\n"
|
|
- "iptables -X HI-vnet0\n"
|
|
- "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
- "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
- "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
- "ip6tables -F FO-vnet0\n"
|
|
- "ip6tables -X FO-vnet0\n"
|
|
- "ip6tables -F FI-vnet0\n"
|
|
- "ip6tables -X FI-vnet0\n"
|
|
- "ip6tables -F HI-vnet0\n"
|
|
- "ip6tables -X HI-vnet0\n"
|
|
- "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -L libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -L libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -F libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -X libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -F libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -X libvirt-O-vnet0\n";
|
|
+ "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
+ "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
+ "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
+ "iptables -w -F FO-vnet0\n"
|
|
+ "iptables -w -X FO-vnet0\n"
|
|
+ "iptables -w -F FI-vnet0\n"
|
|
+ "iptables -w -X FI-vnet0\n"
|
|
+ "iptables -w -F HI-vnet0\n"
|
|
+ "iptables -w -X HI-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
+ "ip6tables -w -F FO-vnet0\n"
|
|
+ "ip6tables -w -X FO-vnet0\n"
|
|
+ "ip6tables -w -F FI-vnet0\n"
|
|
+ "ip6tables -w -X FI-vnet0\n"
|
|
+ "ip6tables -w -F HI-vnet0\n"
|
|
+ "ip6tables -w -X HI-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -X libvirt-O-vnet0\n";
|
|
char *actual = NULL;
|
|
int ret = -1;
|
|
|
|
@@ -131,44 +131,44 @@ testNWFilterEBIPTablesTearOldRules(const void *opaque G_GNUC_UNUSED)
|
|
{
|
|
virBuffer buf = VIR_BUFFER_INITIALIZER;
|
|
const char *expected =
|
|
- "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
- "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
- "iptables -F FO-vnet0\n"
|
|
- "iptables -X FO-vnet0\n"
|
|
- "iptables -F FI-vnet0\n"
|
|
- "iptables -X FI-vnet0\n"
|
|
- "iptables -F HI-vnet0\n"
|
|
- "iptables -X HI-vnet0\n"
|
|
- "iptables -E FP-vnet0 FO-vnet0\n"
|
|
- "iptables -E FJ-vnet0 FI-vnet0\n"
|
|
- "iptables -E HJ-vnet0 HI-vnet0\n"
|
|
- "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
- "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
- "ip6tables -F FO-vnet0\n"
|
|
- "ip6tables -X FO-vnet0\n"
|
|
- "ip6tables -F FI-vnet0\n"
|
|
- "ip6tables -X FI-vnet0\n"
|
|
- "ip6tables -F HI-vnet0\n"
|
|
- "ip6tables -X HI-vnet0\n"
|
|
- "ip6tables -E FP-vnet0 FO-vnet0\n"
|
|
- "ip6tables -E FJ-vnet0 FI-vnet0\n"
|
|
- "ip6tables -E HJ-vnet0 HI-vnet0\n"
|
|
- "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -L libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -L libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -F libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -X libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -F libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -X libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -L libvirt-J-vnet0\n"
|
|
- "ebtables -t nat -L libvirt-P-vnet0\n"
|
|
- "ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
|
|
+ "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
+ "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
+ "iptables -w -F FO-vnet0\n"
|
|
+ "iptables -w -X FO-vnet0\n"
|
|
+ "iptables -w -F FI-vnet0\n"
|
|
+ "iptables -w -X FI-vnet0\n"
|
|
+ "iptables -w -F HI-vnet0\n"
|
|
+ "iptables -w -X HI-vnet0\n"
|
|
+ "iptables -w -E FP-vnet0 FO-vnet0\n"
|
|
+ "iptables -w -E FJ-vnet0 FI-vnet0\n"
|
|
+ "iptables -w -E HJ-vnet0 HI-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
+ "ip6tables -w -F FO-vnet0\n"
|
|
+ "ip6tables -w -X FO-vnet0\n"
|
|
+ "ip6tables -w -F FI-vnet0\n"
|
|
+ "ip6tables -w -X FI-vnet0\n"
|
|
+ "ip6tables -w -F HI-vnet0\n"
|
|
+ "ip6tables -w -X HI-vnet0\n"
|
|
+ "ip6tables -w -E FP-vnet0 FO-vnet0\n"
|
|
+ "ip6tables -w -E FJ-vnet0 FI-vnet0\n"
|
|
+ "ip6tables -w -E HJ-vnet0 HI-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -L libvirt-J-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -L libvirt-P-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
|
|
char *actual = NULL;
|
|
int ret = -1;
|
|
|
|
@@ -199,22 +199,22 @@ testNWFilterEBIPTablesRemoveBasicRules(const void *opaque G_GNUC_UNUSED)
|
|
{
|
|
virBuffer buf = VIR_BUFFER_INITIALIZER;
|
|
const char *expected =
|
|
- "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -L libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -L libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -F libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -X libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -F libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -X libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
|
|
- "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
|
|
- "ebtables -t nat -L libvirt-J-vnet0\n"
|
|
- "ebtables -t nat -L libvirt-P-vnet0\n"
|
|
- "ebtables -t nat -F libvirt-J-vnet0\n"
|
|
- "ebtables -t nat -X libvirt-J-vnet0\n"
|
|
- "ebtables -t nat -F libvirt-P-vnet0\n"
|
|
- "ebtables -t nat -X libvirt-P-vnet0\n";
|
|
+ "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -L libvirt-J-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -L libvirt-P-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -F libvirt-J-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -X libvirt-J-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -F libvirt-P-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -X libvirt-P-vnet0\n";
|
|
char *actual = NULL;
|
|
int ret = -1;
|
|
|
|
@@ -277,43 +277,43 @@ testNWFilterEBIPTablesApplyBasicRules(const void *opaque G_GNUC_UNUSED)
|
|
virBuffer buf = VIR_BUFFER_INITIALIZER;
|
|
const char *expected =
|
|
VIR_NWFILTER_NEW_RULES_TEARDOWN
|
|
- "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
- "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
- "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
- "iptables -F FO-vnet0\n"
|
|
- "iptables -X FO-vnet0\n"
|
|
- "iptables -F FI-vnet0\n"
|
|
- "iptables -X FI-vnet0\n"
|
|
- "iptables -F HI-vnet0\n"
|
|
- "iptables -X HI-vnet0\n"
|
|
- "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
- "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
- "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
- "ip6tables -F FO-vnet0\n"
|
|
- "ip6tables -X FO-vnet0\n"
|
|
- "ip6tables -F FI-vnet0\n"
|
|
- "ip6tables -X FI-vnet0\n"
|
|
- "ip6tables -F HI-vnet0\n"
|
|
- "ip6tables -X HI-vnet0\n"
|
|
- "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -L libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -L libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -F libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -X libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -F libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -X libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -N libvirt-J-vnet0\n"
|
|
- "ebtables -t nat -A libvirt-J-vnet0 -s '!' 10:20:30:40:50:60 -j DROP\n"
|
|
- "ebtables -t nat -A libvirt-J-vnet0 -p IPv4 -j ACCEPT\n"
|
|
- "ebtables -t nat -A libvirt-J-vnet0 -p ARP -j ACCEPT\n"
|
|
- "ebtables -t nat -A libvirt-J-vnet0 -j DROP\n"
|
|
- "ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
|
|
- "ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n";
|
|
+ "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
+ "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
+ "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
+ "iptables -w -F FO-vnet0\n"
|
|
+ "iptables -w -X FO-vnet0\n"
|
|
+ "iptables -w -F FI-vnet0\n"
|
|
+ "iptables -w -X FI-vnet0\n"
|
|
+ "iptables -w -F HI-vnet0\n"
|
|
+ "iptables -w -X HI-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
+ "ip6tables -w -F FO-vnet0\n"
|
|
+ "ip6tables -w -X FO-vnet0\n"
|
|
+ "ip6tables -w -F FI-vnet0\n"
|
|
+ "ip6tables -w -X FI-vnet0\n"
|
|
+ "ip6tables -w -F HI-vnet0\n"
|
|
+ "ip6tables -w -X HI-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -A libvirt-J-vnet0 -s '!' 10:20:30:40:50:60 -j DROP\n"
|
|
+ "ebtables --concurrent -t nat -A libvirt-J-vnet0 -p IPv4 -j ACCEPT\n"
|
|
+ "ebtables --concurrent -t nat -A libvirt-J-vnet0 -p ARP -j ACCEPT\n"
|
|
+ "ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n"
|
|
+ "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n";
|
|
char *actual = NULL;
|
|
int ret = -1;
|
|
virMacAddr mac = { .addr = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } };
|
|
@@ -346,51 +346,51 @@ testNWFilterEBIPTablesApplyDHCPOnlyRules(const void *opaque G_GNUC_UNUSED)
|
|
virBuffer buf = VIR_BUFFER_INITIALIZER;
|
|
const char *expected =
|
|
VIR_NWFILTER_NEW_RULES_TEARDOWN
|
|
- "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
- "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
- "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
- "iptables -F FO-vnet0\n"
|
|
- "iptables -X FO-vnet0\n"
|
|
- "iptables -F FI-vnet0\n"
|
|
- "iptables -X FI-vnet0\n"
|
|
- "iptables -F HI-vnet0\n"
|
|
- "iptables -X HI-vnet0\n"
|
|
- "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
- "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
- "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
- "ip6tables -F FO-vnet0\n"
|
|
- "ip6tables -X FO-vnet0\n"
|
|
- "ip6tables -F FI-vnet0\n"
|
|
- "ip6tables -X FI-vnet0\n"
|
|
- "ip6tables -F HI-vnet0\n"
|
|
- "ip6tables -X HI-vnet0\n"
|
|
- "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -L libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -L libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -F libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -X libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -F libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -X libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -N libvirt-J-vnet0\n"
|
|
- "ebtables -t nat -N libvirt-P-vnet0\n"
|
|
- "ebtables -t nat -A libvirt-J-vnet0 -s 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-sport 68 --ip-dport 67 -j ACCEPT\n"
|
|
- "ebtables -t nat -A libvirt-J-vnet0 -j DROP\n"
|
|
- "ebtables -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
|
|
- "ebtables -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
|
|
- "ebtables -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
|
|
- "ebtables -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
|
|
- "ebtables -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
|
|
- "ebtables -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
|
|
- "ebtables -t nat -A libvirt-P-vnet0 -j DROP\n"
|
|
- "ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
|
|
- "ebtables -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
|
|
- "ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
|
|
+ "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
+ "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
+ "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
+ "iptables -w -F FO-vnet0\n"
|
|
+ "iptables -w -X FO-vnet0\n"
|
|
+ "iptables -w -F FI-vnet0\n"
|
|
+ "iptables -w -X FI-vnet0\n"
|
|
+ "iptables -w -F HI-vnet0\n"
|
|
+ "iptables -w -X HI-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
+ "ip6tables -w -F FO-vnet0\n"
|
|
+ "ip6tables -w -X FO-vnet0\n"
|
|
+ "ip6tables -w -F FI-vnet0\n"
|
|
+ "ip6tables -w -X FI-vnet0\n"
|
|
+ "ip6tables -w -F HI-vnet0\n"
|
|
+ "ip6tables -w -X HI-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -N libvirt-P-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -A libvirt-J-vnet0 -s 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-sport 68 --ip-dport 67 -j ACCEPT\n"
|
|
+ "ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n"
|
|
+ "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
|
|
+ "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
|
|
+ "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
|
|
+ "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
|
|
+ "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
|
|
+ "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
|
|
+ "ebtables --concurrent -t nat -A libvirt-P-vnet0 -j DROP\n"
|
|
+ "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
|
|
char *actual = NULL;
|
|
int ret = -1;
|
|
virMacAddr mac = { .addr = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } };
|
|
@@ -434,44 +434,44 @@ testNWFilterEBIPTablesApplyDropAllRules(const void *opaque G_GNUC_UNUSED)
|
|
virBuffer buf = VIR_BUFFER_INITIALIZER;
|
|
const char *expected =
|
|
VIR_NWFILTER_NEW_RULES_TEARDOWN
|
|
- "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
- "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
- "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
- "iptables -F FO-vnet0\n"
|
|
- "iptables -X FO-vnet0\n"
|
|
- "iptables -F FI-vnet0\n"
|
|
- "iptables -X FI-vnet0\n"
|
|
- "iptables -F HI-vnet0\n"
|
|
- "iptables -X HI-vnet0\n"
|
|
- "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
- "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
- "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
- "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
- "ip6tables -F FO-vnet0\n"
|
|
- "ip6tables -X FO-vnet0\n"
|
|
- "ip6tables -F FI-vnet0\n"
|
|
- "ip6tables -X FI-vnet0\n"
|
|
- "ip6tables -F HI-vnet0\n"
|
|
- "ip6tables -X HI-vnet0\n"
|
|
- "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -L libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -L libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -F libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -X libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -F libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -X libvirt-O-vnet0\n"
|
|
- "ebtables -t nat -N libvirt-J-vnet0\n"
|
|
- "ebtables -t nat -N libvirt-P-vnet0\n"
|
|
- "ebtables -t nat -A libvirt-J-vnet0 -j DROP\n"
|
|
- "ebtables -t nat -A libvirt-P-vnet0 -j DROP\n"
|
|
- "ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
|
|
- "ebtables -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
|
|
- "ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
|
|
- "ebtables -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
|
|
+ "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
+ "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
+ "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
+ "iptables -w -F FO-vnet0\n"
|
|
+ "iptables -w -X FO-vnet0\n"
|
|
+ "iptables -w -F FI-vnet0\n"
|
|
+ "iptables -w -X FI-vnet0\n"
|
|
+ "iptables -w -F HI-vnet0\n"
|
|
+ "iptables -w -X HI-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
+ "ip6tables -w -F FO-vnet0\n"
|
|
+ "ip6tables -w -X FO-vnet0\n"
|
|
+ "ip6tables -w -F FI-vnet0\n"
|
|
+ "ip6tables -w -X FI-vnet0\n"
|
|
+ "ip6tables -w -F HI-vnet0\n"
|
|
+ "ip6tables -w -X HI-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -N libvirt-P-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n"
|
|
+ "ebtables --concurrent -t nat -A libvirt-P-vnet0 -j DROP\n"
|
|
+ "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
|
|
char *actual = NULL;
|
|
int ret = -1;
|
|
|
|
diff --git a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
|
|
index 35c9de38b8..77f0532fd2 100644
|
|
--- a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p ah \
|
|
-m mac \
|
|
@@ -11,6 +12,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p ah \
|
|
--destination f:e:d::c:b:a/127 \
|
|
@@ -21,6 +23,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p ah \
|
|
-m mac \
|
|
@@ -33,6 +36,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p ah \
|
|
--destination a:b:c::/128 \
|
|
@@ -42,6 +46,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p ah \
|
|
-m mac \
|
|
@@ -53,6 +58,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p ah \
|
|
--destination a:b:c::/128 \
|
|
@@ -62,6 +68,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p ah \
|
|
--destination ::10.1.2.3/128 \
|
|
@@ -71,6 +78,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p ah \
|
|
-m mac \
|
|
@@ -82,6 +90,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p ah \
|
|
--destination ::10.1.2.3/128 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/ah-linux.args b/tests/nwfilterxml2firewalldata/ah-linux.args
|
|
index 269636754e..c7e5c1eb17 100644
|
|
--- a/tests/nwfilterxml2firewalldata/ah-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/ah-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p ah \
|
|
-m mac \
|
|
@@ -10,6 +11,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p ah \
|
|
--source 10.1.2.3/32 \
|
|
@@ -19,6 +21,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p ah \
|
|
-m mac \
|
|
@@ -30,6 +33,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p ah \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -39,6 +43,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p ah \
|
|
-m mac \
|
|
@@ -50,6 +55,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p ah \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -59,6 +65,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p ah \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -68,6 +75,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p ah \
|
|
-m mac \
|
|
@@ -79,6 +87,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p ah \
|
|
--destination 10.1.2.3/22 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args b/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
|
|
index 2f84c1bfea..d86908663c 100644
|
|
--- a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-m mac \
|
|
@@ -11,6 +12,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
--destination f:e:d::c:b:a/127 \
|
|
@@ -21,6 +23,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-m mac \
|
|
@@ -33,6 +36,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
--destination a:b:c::/128 \
|
|
@@ -42,6 +46,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m mac \
|
|
@@ -53,6 +58,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
--destination a:b:c::/128 \
|
|
@@ -62,6 +68,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
--destination ::10.1.2.3/128 \
|
|
@@ -71,6 +78,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m mac \
|
|
@@ -82,6 +90,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
--destination ::10.1.2.3/128 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/all-linux.args b/tests/nwfilterxml2firewalldata/all-linux.args
|
|
index 7ea769f74f..187d9ed9ca 100644
|
|
--- a/tests/nwfilterxml2firewalldata/all-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/all-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-m mac \
|
|
@@ -10,6 +11,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
--source 10.1.2.3/32 \
|
|
@@ -19,6 +21,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-m mac \
|
|
@@ -30,6 +33,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -39,6 +43,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m mac \
|
|
@@ -50,6 +55,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -59,6 +65,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -68,6 +75,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m mac \
|
|
@@ -79,6 +87,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
--destination 10.1.2.3/22 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/arp-linux.args b/tests/nwfilterxml2firewalldata/arp-linux.args
|
|
index b1360175c4..ef9f44d7bb 100644
|
|
--- a/tests/nwfilterxml2firewalldata/arp-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/arp-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -11,6 +12,7 @@ ebtables \
|
|
--arp-mac-dst 0a:0b:0c:0d:0e:0f \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -20,6 +22,7 @@ ebtables \
|
|
--arp-ptype 0xff \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -29,6 +32,7 @@ ebtables \
|
|
--arp-ptype 0x100 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -38,6 +42,7 @@ ebtables \
|
|
--arp-ptype 0xffff \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-p 0x806 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/comment-linux.args b/tests/nwfilterxml2firewalldata/comment-linux.args
|
|
index 462b2e2177..6233ccf9f5 100644
|
|
--- a/tests/nwfilterxml2firewalldata/comment-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/comment-linux.args
|
|
@@ -1,9 +1,11 @@
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-p 0x1234 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -17,6 +19,7 @@ ebtables \
|
|
--ip-tos 0x32 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
|
|
@@ -29,6 +32,7 @@ ebtables \
|
|
--ip6-destination-port 13107:65535 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -41,6 +45,7 @@ ebtables \
|
|
--arp-mac-dst 0a:0b:0c:0d:0e:0f \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
-m mac \
|
|
@@ -56,6 +61,7 @@ iptables \
|
|
--comment 'udp rule' \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--source 10.1.2.3/32 \
|
|
@@ -69,6 +75,7 @@ iptables \
|
|
--comment 'udp rule' \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
-m mac \
|
|
@@ -84,6 +91,7 @@ iptables \
|
|
--comment 'udp rule' \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--destination a:b:c::/128 \
|
|
@@ -97,6 +105,7 @@ ip6tables \
|
|
--comment 'tcp/ipv6 rule' \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
-m mac \
|
|
@@ -112,6 +121,7 @@ ip6tables \
|
|
--comment 'tcp/ipv6 rule' \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--destination a:b:c::/128 \
|
|
@@ -125,6 +135,7 @@ ip6tables \
|
|
--comment 'tcp/ipv6 rule' \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
-m state \
|
|
@@ -133,6 +144,7 @@ ip6tables \
|
|
--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
-m state \
|
|
@@ -141,6 +153,7 @@ ip6tables \
|
|
--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
-m state \
|
|
@@ -149,6 +162,7 @@ ip6tables \
|
|
--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
-m state \
|
|
@@ -157,6 +171,7 @@ ip6tables \
|
|
--comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
-m state \
|
|
@@ -165,6 +180,7 @@ ip6tables \
|
|
--comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
-m state \
|
|
@@ -173,6 +189,7 @@ ip6tables \
|
|
--comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p ah \
|
|
-m state \
|
|
@@ -182,6 +199,7 @@ ip6tables \
|
|
-f ${tmp}' \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p ah \
|
|
-m state \
|
|
@@ -191,6 +209,7 @@ ip6tables \
|
|
-f ${tmp}' \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p ah \
|
|
-m state \
|
|
diff --git a/tests/nwfilterxml2firewalldata/conntrack-linux.args b/tests/nwfilterxml2firewalldata/conntrack-linux.args
|
|
index c653049e8e..78495598a1 100644
|
|
--- a/tests/nwfilterxml2firewalldata/conntrack-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/conntrack-linux.args
|
|
@@ -1,40 +1,47 @@
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p icmp \
|
|
-m connlimit \
|
|
--connlimit-above 1 \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p icmp \
|
|
-m connlimit \
|
|
--connlimit-above 1 \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
-m connlimit \
|
|
--connlimit-above 2 \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
-m connlimit \
|
|
--connlimit-above 2 \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
diff --git a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
|
|
index 51cf74815b..22dad0b412 100644
|
|
--- a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p esp \
|
|
-m mac \
|
|
@@ -11,6 +12,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p esp \
|
|
--destination f:e:d::c:b:a/127 \
|
|
@@ -21,6 +23,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p esp \
|
|
-m mac \
|
|
@@ -33,6 +36,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p esp \
|
|
--destination a:b:c::/128 \
|
|
@@ -42,6 +46,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p esp \
|
|
-m mac \
|
|
@@ -53,6 +58,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p esp \
|
|
--destination a:b:c::/128 \
|
|
@@ -62,6 +68,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p esp \
|
|
--destination ::10.1.2.3/128 \
|
|
@@ -71,6 +78,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p esp \
|
|
-m mac \
|
|
@@ -82,6 +90,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p esp \
|
|
--destination ::10.1.2.3/128 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/esp-linux.args b/tests/nwfilterxml2firewalldata/esp-linux.args
|
|
index 17acb8133c..7cd70afaa1 100644
|
|
--- a/tests/nwfilterxml2firewalldata/esp-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/esp-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p esp \
|
|
-m mac \
|
|
@@ -10,6 +11,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p esp \
|
|
--source 10.1.2.3/32 \
|
|
@@ -19,6 +21,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p esp \
|
|
-m mac \
|
|
@@ -30,6 +33,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p esp \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -39,6 +43,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p esp \
|
|
-m mac \
|
|
@@ -50,6 +55,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p esp \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -59,6 +65,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p esp \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -68,6 +75,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p esp \
|
|
-m mac \
|
|
@@ -79,6 +87,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p esp \
|
|
--destination 10.1.2.3/22 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/example-1-linux.args b/tests/nwfilterxml2firewalldata/example-1-linux.args
|
|
index c5549f8dd6..1cc3746d40 100644
|
|
--- a/tests/nwfilterxml2firewalldata/example-1-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/example-1-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--sport 22 \
|
|
@@ -6,6 +7,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--dport 22 \
|
|
@@ -13,6 +15,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--sport 22 \
|
|
@@ -20,50 +23,59 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p icmp \
|
|
-m state \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p icmp \
|
|
-m state \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p icmp \
|
|
-m state \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-j DROP
|
|
diff --git a/tests/nwfilterxml2firewalldata/example-2-linux.args b/tests/nwfilterxml2firewalldata/example-2-linux.args
|
|
index 2db58f1e0f..87462ad954 100644
|
|
--- a/tests/nwfilterxml2firewalldata/example-2-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/example-2-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
@@ -7,6 +8,7 @@ iptables \
|
|
--comment 'out: existing and related (ftp) connections' \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
@@ -15,6 +17,7 @@ iptables \
|
|
--comment 'out: existing and related (ftp) connections' \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
@@ -23,6 +26,7 @@ iptables \
|
|
--comment 'in: existing connections' \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--dport 21:22 \
|
|
@@ -32,6 +36,7 @@ iptables \
|
|
--comment 'in: ftp and ssh' \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p icmp \
|
|
-m state \
|
|
@@ -40,6 +45,7 @@ iptables \
|
|
--comment 'in: icmp' \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--dport 53 \
|
|
@@ -49,6 +55,7 @@ iptables \
|
|
--comment 'out: DNS lookups' \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--dport 53 \
|
|
@@ -58,18 +65,21 @@ iptables \
|
|
--comment 'out: DNS lookups' \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-m comment \
|
|
--comment 'inout: drop all non-accepted traffic' \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m comment \
|
|
--comment 'inout: drop all non-accepted traffic' \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-m comment \
|
|
diff --git a/tests/nwfilterxml2firewalldata/hex-data-linux.args b/tests/nwfilterxml2firewalldata/hex-data-linux.args
|
|
index f1a1f588f2..3c04e1c23d 100644
|
|
--- a/tests/nwfilterxml2firewalldata/hex-data-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/hex-data-linux.args
|
|
@@ -1,9 +1,11 @@
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-p 0x1234 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -17,6 +19,7 @@ ebtables \
|
|
--ip-tos 0x32 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
|
|
@@ -29,6 +32,7 @@ ebtables \
|
|
--ip6-destination-port 13107:65535 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -41,6 +45,7 @@ ebtables \
|
|
--arp-mac-dst 0a:0b:0c:0d:0e:0f \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
-m mac \
|
|
@@ -54,6 +59,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--source 10.1.2.3/32 \
|
|
@@ -65,6 +71,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
-m mac \
|
|
@@ -78,6 +85,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--destination a:b:c::/128 \
|
|
@@ -89,6 +97,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
-m mac \
|
|
@@ -102,6 +111,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--destination a:b:c::/128 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction-linux.args b/tests/nwfilterxml2firewalldata/icmp-direction-linux.args
|
|
index 9f481fa831..7548aaeba5 100644
|
|
--- a/tests/nwfilterxml2firewalldata/icmp-direction-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/icmp-direction-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p icmp \
|
|
--icmp-type 0 \
|
|
@@ -6,6 +7,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p icmp \
|
|
--icmp-type 8 \
|
|
@@ -13,6 +15,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p icmp \
|
|
--icmp-type 8 \
|
|
@@ -20,14 +23,17 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p icmp \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p icmp \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p icmp \
|
|
-j DROP
|
|
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args b/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
|
|
index 1faa3d880a..026702caee 100644
|
|
--- a/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p icmp \
|
|
--icmp-type 8 \
|
|
@@ -6,6 +7,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p icmp \
|
|
--icmp-type 0 \
|
|
@@ -13,6 +15,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p icmp \
|
|
--icmp-type 0 \
|
|
@@ -20,14 +23,17 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p icmp \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p icmp \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p icmp \
|
|
-j DROP
|
|
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
|
|
index 6cc8e132d9..6ee6a4f84a 100644
|
|
--- a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
|
|
@@ -1,30 +1,36 @@
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p icmp \
|
|
-m state \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p icmp \
|
|
-m state \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p icmp \
|
|
-m state \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-j DROP
|
|
diff --git a/tests/nwfilterxml2firewalldata/icmp-linux.args b/tests/nwfilterxml2firewalldata/icmp-linux.args
|
|
index d808f0ea60..d688e29213 100644
|
|
--- a/tests/nwfilterxml2firewalldata/icmp-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/icmp-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p icmp \
|
|
-m mac \
|
|
@@ -11,6 +12,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p icmp \
|
|
-m mac \
|
|
@@ -23,6 +25,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p icmp \
|
|
-m mac \
|
|
diff --git a/tests/nwfilterxml2firewalldata/icmpv6-linux.args b/tests/nwfilterxml2firewalldata/icmpv6-linux.args
|
|
index 92190eb311..6e2110fb81 100644
|
|
--- a/tests/nwfilterxml2firewalldata/icmpv6-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/icmpv6-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p icmpv6 \
|
|
-m mac \
|
|
@@ -12,6 +13,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p icmpv6 \
|
|
-m mac \
|
|
@@ -25,6 +27,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p icmpv6 \
|
|
-m mac \
|
|
@@ -37,6 +40,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p icmpv6 \
|
|
-m mac \
|
|
diff --git a/tests/nwfilterxml2firewalldata/igmp-linux.args b/tests/nwfilterxml2firewalldata/igmp-linux.args
|
|
index 727463a62d..b954b0ae99 100644
|
|
--- a/tests/nwfilterxml2firewalldata/igmp-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/igmp-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p igmp \
|
|
-m mac \
|
|
@@ -10,6 +11,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p igmp \
|
|
--source 10.1.2.3/32 \
|
|
@@ -19,6 +21,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p igmp \
|
|
-m mac \
|
|
@@ -30,6 +33,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p igmp \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -39,6 +43,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p igmp \
|
|
-m mac \
|
|
@@ -50,6 +55,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p igmp \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -59,6 +65,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p igmp \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -68,6 +75,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p igmp \
|
|
-m mac \
|
|
@@ -79,6 +87,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p igmp \
|
|
--destination 10.1.2.3/22 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/ip-linux.args b/tests/nwfilterxml2firewalldata/ip-linux.args
|
|
index 399a47491e..8e64839678 100644
|
|
--- a/tests/nwfilterxml2firewalldata/ip-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/ip-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -11,6 +12,7 @@ ebtables \
|
|
--ip-destination-port 100:101 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-p ipv4 \
|
|
@@ -20,6 +22,7 @@ ebtables \
|
|
--ip-tos 0x3f \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-p ipv4 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/ipset-linux.args b/tests/nwfilterxml2firewalldata/ipset-linux.args
|
|
index 0fe0739962..5cdb151354 100644
|
|
--- a/tests/nwfilterxml2firewalldata/ipset-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/ipset-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
@@ -7,6 +8,7 @@ iptables \
|
|
--match-set tck_test src,dst \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
@@ -15,6 +17,7 @@ iptables \
|
|
--match-set tck_test dst,src \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
@@ -23,6 +26,7 @@ iptables \
|
|
--match-set tck_test src,dst \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m set \
|
|
@@ -31,6 +35,7 @@ iptables \
|
|
--comment in+NONE \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-m set \
|
|
@@ -39,6 +44,7 @@ iptables \
|
|
--comment out+NONE \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-m set \
|
|
@@ -47,6 +53,7 @@ iptables \
|
|
--comment out+NONE \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
@@ -55,6 +62,7 @@ iptables \
|
|
--match-set tck_test dst,src,dst \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
@@ -63,6 +71,7 @@ iptables \
|
|
--match-set tck_test src,dst,src \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
@@ -71,6 +80,7 @@ iptables \
|
|
--match-set tck_test dst,src,dst \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
@@ -79,6 +89,7 @@ iptables \
|
|
--match-set tck_test dst,src,dst \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
@@ -87,6 +98,7 @@ iptables \
|
|
--match-set tck_test src,dst,src \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
@@ -95,6 +107,7 @@ iptables \
|
|
--match-set tck_test dst,src,dst \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
@@ -103,6 +116,7 @@ iptables \
|
|
--match-set tck_test dst,src \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
@@ -111,6 +125,7 @@ iptables \
|
|
--match-set tck_test src,dst \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-m state \
|
|
@@ -119,6 +134,7 @@ iptables \
|
|
--match-set tck_test dst,src \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-m set \
|
|
@@ -127,6 +143,7 @@ iptables \
|
|
--comment inout \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m set \
|
|
@@ -135,6 +152,7 @@ iptables \
|
|
--comment inout \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-m set \
|
|
diff --git a/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args b/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args
|
|
index 86ab228fb8..c35fa1e488 100644
|
|
--- a/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args
|
|
@@ -1,10 +1,12 @@
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m mac '!' \
|
|
--mac-source 12:34:56:78:9a:bc \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m mac '!' \
|
|
diff --git a/tests/nwfilterxml2firewalldata/ipv6-linux.args b/tests/nwfilterxml2firewalldata/ipv6-linux.args
|
|
index 6fba19f2eb..87db9c2979 100644
|
|
--- a/tests/nwfilterxml2firewalldata/ipv6-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/ipv6-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
|
|
@@ -11,6 +12,7 @@ ebtables \
|
|
--ip6-destination-port 100:101 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-p ipv6 \
|
|
@@ -21,6 +23,7 @@ ebtables \
|
|
--ip6-source-port 100:101 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-p ipv6 \
|
|
@@ -31,6 +34,7 @@ ebtables \
|
|
--ip6-destination-port 100:101 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-p ipv6 \
|
|
@@ -41,6 +45,7 @@ ebtables \
|
|
--ip6-source-port 65535:65535 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-p ipv6 \
|
|
@@ -51,6 +56,7 @@ ebtables \
|
|
--ip6-destination-port 65535:65535 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-p ipv6 \
|
|
@@ -59,6 +65,7 @@ ebtables \
|
|
--ip6-protocol 18 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-p ipv6 \
|
|
@@ -67,6 +74,7 @@ ebtables \
|
|
--ip6-protocol 18 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-p ipv6 \
|
|
@@ -76,6 +84,7 @@ ebtables \
|
|
--ip6-icmp-type 1:11/10:11 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-p ipv6 \
|
|
@@ -85,6 +94,7 @@ ebtables \
|
|
--ip6-icmp-type 1:11/10:11 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-p ipv6 \
|
|
@@ -94,6 +104,7 @@ ebtables \
|
|
--ip6-icmp-type 1:1/10:10 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-p ipv6 \
|
|
@@ -103,6 +114,7 @@ ebtables \
|
|
--ip6-icmp-type 1:1/10:10 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-p ipv6 \
|
|
@@ -112,6 +124,7 @@ ebtables \
|
|
--ip6-icmp-type 0:255/10:10 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-p ipv6 \
|
|
@@ -121,6 +134,7 @@ ebtables \
|
|
--ip6-icmp-type 0:255/10:10 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-p ipv6 \
|
|
@@ -130,6 +144,7 @@ ebtables \
|
|
--ip6-icmp-type 1:1/0:255 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-p ipv6 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/iter1-linux.args b/tests/nwfilterxml2firewalldata/iter1-linux.args
|
|
index 31f37cf537..9bdad18748 100644
|
|
--- a/tests/nwfilterxml2firewalldata/iter1-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/iter1-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -9,6 +10,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 1.1.1.1 \
|
|
@@ -19,6 +21,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -29,6 +32,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -39,6 +43,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 2.2.2.2 \
|
|
@@ -49,6 +54,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -59,6 +65,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
@@ -69,6 +76,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 3.3.3.3 \
|
|
@@ -79,6 +87,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/iter2-linux.args b/tests/nwfilterxml2firewalldata/iter2-linux.args
|
|
index 4230a9d524..b088350ee5 100644
|
|
--- a/tests/nwfilterxml2firewalldata/iter2-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/iter2-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -9,6 +10,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 1.1.1.1 \
|
|
@@ -19,6 +21,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -29,6 +32,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -39,6 +43,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 2.2.2.2 \
|
|
@@ -49,6 +54,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -59,6 +65,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
@@ -69,6 +76,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 3.3.3.3 \
|
|
@@ -79,6 +87,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
@@ -89,6 +98,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--source 1.1.1.1 \
|
|
@@ -99,6 +109,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--destination 1.1.1.1 \
|
|
@@ -109,6 +120,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--source 1.1.1.1 \
|
|
@@ -119,6 +131,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--source 2.2.2.2 \
|
|
@@ -129,6 +142,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--destination 2.2.2.2 \
|
|
@@ -139,6 +153,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--source 2.2.2.2 \
|
|
@@ -149,6 +164,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--source 3.3.3.3 \
|
|
@@ -159,6 +175,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--destination 3.3.3.3 \
|
|
@@ -169,6 +186,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--source 3.3.3.3 \
|
|
@@ -179,6 +197,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--source 1.1.1.1 \
|
|
@@ -189,6 +208,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--destination 1.1.1.1 \
|
|
@@ -199,6 +219,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--source 1.1.1.1 \
|
|
@@ -209,6 +230,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--source 2.2.2.2 \
|
|
@@ -219,6 +241,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--destination 2.2.2.2 \
|
|
@@ -229,6 +252,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--source 2.2.2.2 \
|
|
@@ -239,6 +263,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--source 3.3.3.3 \
|
|
@@ -249,6 +274,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--destination 3.3.3.3 \
|
|
@@ -259,6 +285,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--source 3.3.3.3 \
|
|
@@ -269,6 +296,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--source 1.1.1.1 \
|
|
@@ -280,6 +308,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
--destination 1.1.1.1 \
|
|
@@ -291,6 +320,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--source 1.1.1.1 \
|
|
@@ -302,6 +332,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--source 2.2.2.2 \
|
|
@@ -313,6 +344,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
--destination 2.2.2.2 \
|
|
@@ -324,6 +356,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--source 2.2.2.2 \
|
|
@@ -335,6 +368,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--source 3.3.3.3 \
|
|
@@ -346,6 +380,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
--destination 3.3.3.3 \
|
|
@@ -357,6 +392,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--source 3.3.3.3 \
|
|
@@ -368,6 +404,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--source 1.1.1.1 \
|
|
@@ -379,6 +416,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
--destination 1.1.1.1 \
|
|
@@ -390,6 +428,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--source 1.1.1.1 \
|
|
@@ -401,6 +440,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--source 2.2.2.2 \
|
|
@@ -412,6 +452,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
--destination 2.2.2.2 \
|
|
@@ -423,6 +464,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--source 2.2.2.2 \
|
|
@@ -434,6 +476,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--source 3.3.3.3 \
|
|
@@ -445,6 +488,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
--destination 3.3.3.3 \
|
|
@@ -456,6 +500,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--source 3.3.3.3 \
|
|
@@ -467,6 +512,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--source 1.1.1.1 \
|
|
@@ -478,6 +524,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
--destination 1.1.1.1 \
|
|
@@ -489,6 +536,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--source 1.1.1.1 \
|
|
@@ -500,6 +548,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--source 2.2.2.2 \
|
|
@@ -511,6 +560,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
--destination 2.2.2.2 \
|
|
@@ -522,6 +572,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--source 2.2.2.2 \
|
|
@@ -533,6 +584,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--source 3.3.3.3 \
|
|
@@ -544,6 +596,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
--destination 3.3.3.3 \
|
|
@@ -555,6 +608,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--source 3.3.3.3 \
|
|
@@ -566,6 +620,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--source 1.1.1.1 \
|
|
@@ -577,6 +632,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
--destination 1.1.1.1 \
|
|
@@ -588,6 +644,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--source 1.1.1.1 \
|
|
@@ -599,6 +656,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--source 2.2.2.2 \
|
|
@@ -610,6 +668,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
--destination 2.2.2.2 \
|
|
@@ -621,6 +680,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--source 2.2.2.2 \
|
|
@@ -632,6 +692,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--source 3.3.3.3 \
|
|
@@ -643,6 +704,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
--destination 3.3.3.3 \
|
|
@@ -654,6 +716,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--source 3.3.3.3 \
|
|
@@ -665,6 +728,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -676,6 +740,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 1.1.1.1 \
|
|
@@ -687,6 +752,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -698,6 +764,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -709,6 +776,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 2.2.2.2 \
|
|
@@ -720,6 +788,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -731,6 +800,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
@@ -742,6 +812,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 3.3.3.3 \
|
|
@@ -753,6 +824,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
@@ -764,6 +836,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -775,6 +848,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 1.1.1.1 \
|
|
@@ -786,6 +860,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -797,6 +872,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -808,6 +884,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 2.2.2.2 \
|
|
@@ -819,6 +896,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -830,6 +908,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
@@ -841,6 +920,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 3.3.3.3 \
|
|
@@ -852,6 +932,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
@@ -863,6 +944,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -874,6 +956,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 1.1.1.1 \
|
|
@@ -885,6 +968,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -896,6 +980,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -907,6 +992,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 2.2.2.2 \
|
|
@@ -918,6 +1004,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -929,6 +1016,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
@@ -940,6 +1028,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 3.3.3.3 \
|
|
@@ -951,6 +1040,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
@@ -962,6 +1052,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -973,6 +1064,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 1.1.1.1 \
|
|
@@ -984,6 +1076,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -995,6 +1088,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -1006,6 +1100,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 2.2.2.2 \
|
|
@@ -1017,6 +1112,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -1028,6 +1124,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
@@ -1039,6 +1136,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 3.3.3.3 \
|
|
@@ -1050,6 +1148,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
@@ -1061,6 +1160,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -1072,6 +1172,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 1.1.1.1 \
|
|
@@ -1083,6 +1184,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -1094,6 +1196,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -1105,6 +1208,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 2.2.2.2 \
|
|
@@ -1116,6 +1220,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -1127,6 +1232,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
@@ -1138,6 +1244,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 3.3.3.3 \
|
|
@@ -1149,6 +1256,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
@@ -1160,6 +1268,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -1171,6 +1280,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 1.1.1.1 \
|
|
@@ -1182,6 +1292,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -1193,6 +1304,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -1204,6 +1316,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 2.2.2.2 \
|
|
@@ -1215,6 +1328,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -1226,6 +1340,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
@@ -1237,6 +1352,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 3.3.3.3 \
|
|
@@ -1248,6 +1364,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
@@ -1259,6 +1376,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -1270,6 +1388,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 1.1.1.1 \
|
|
@@ -1281,6 +1400,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -1292,6 +1412,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -1303,6 +1424,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 2.2.2.2 \
|
|
@@ -1314,6 +1436,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -1325,6 +1448,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
@@ -1336,6 +1460,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 3.3.3.3 \
|
|
@@ -1347,6 +1472,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
@@ -1358,6 +1484,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -1369,6 +1496,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 1.1.1.1 \
|
|
@@ -1380,6 +1508,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -1391,6 +1520,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -1402,6 +1532,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 2.2.2.2 \
|
|
@@ -1413,6 +1544,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 2.2.2.2 \
|
|
@@ -1424,6 +1556,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
@@ -1435,6 +1568,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 3.3.3.3 \
|
|
@@ -1446,6 +1580,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 3.3.3.3 \
|
|
@@ -1457,6 +1592,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--source 1.1.1.1 \
|
|
@@ -1467,6 +1603,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--destination 1.1.1.1 \
|
|
@@ -1477,6 +1614,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--source 1.1.1.1 \
|
|
@@ -1487,6 +1625,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--source 2.2.2.2 \
|
|
@@ -1497,6 +1636,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--destination 2.2.2.2 \
|
|
@@ -1507,6 +1647,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--source 2.2.2.2 \
|
|
@@ -1517,6 +1658,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--source 3.3.3.3 \
|
|
@@ -1527,6 +1669,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--destination 3.3.3.3 \
|
|
@@ -1537,6 +1680,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--source 3.3.3.3 \
|
|
@@ -1547,6 +1691,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--source 1.1.1.1 \
|
|
@@ -1557,6 +1702,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--destination 1.1.1.1 \
|
|
@@ -1567,6 +1713,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--source 1.1.1.1 \
|
|
@@ -1577,6 +1724,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--source 2.2.2.2 \
|
|
@@ -1587,6 +1735,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--destination 2.2.2.2 \
|
|
@@ -1597,6 +1746,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--source 2.2.2.2 \
|
|
@@ -1607,6 +1757,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--source 3.3.3.3 \
|
|
@@ -1617,6 +1768,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--destination 3.3.3.3 \
|
|
@@ -1627,6 +1779,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--source 3.3.3.3 \
|
|
@@ -1637,6 +1790,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--source 1.1.1.1 \
|
|
@@ -1647,6 +1801,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--destination 1.1.1.1 \
|
|
@@ -1657,6 +1812,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--source 1.1.1.1 \
|
|
@@ -1667,6 +1823,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--source 2.2.2.2 \
|
|
@@ -1677,6 +1834,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--destination 2.2.2.2 \
|
|
@@ -1687,6 +1845,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--source 2.2.2.2 \
|
|
@@ -1697,6 +1856,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--source 3.3.3.3 \
|
|
@@ -1707,6 +1867,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--destination 3.3.3.3 \
|
|
@@ -1717,6 +1878,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--source 3.3.3.3 \
|
|
@@ -1727,6 +1889,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--source 1.1.1.1 \
|
|
@@ -1737,6 +1900,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
--destination 1.1.1.1 \
|
|
@@ -1747,6 +1911,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--source 1.1.1.1 \
|
|
@@ -1757,6 +1922,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--source 2.2.2.2 \
|
|
@@ -1767,6 +1933,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
--destination 2.2.2.2 \
|
|
@@ -1777,6 +1944,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--source 2.2.2.2 \
|
|
@@ -1787,6 +1955,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--source 3.3.3.3 \
|
|
@@ -1797,6 +1966,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
--destination 3.3.3.3 \
|
|
@@ -1807,6 +1977,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--source 3.3.3.3 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/iter3-linux.args b/tests/nwfilterxml2firewalldata/iter3-linux.args
|
|
index 0b16577992..cc6d442c75 100644
|
|
--- a/tests/nwfilterxml2firewalldata/iter3-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/iter3-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -9,6 +10,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 1.1.1.1 \
|
|
@@ -19,6 +21,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -29,6 +32,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -39,6 +43,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--destination 1.1.1.1 \
|
|
@@ -49,6 +54,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--source 1.1.1.1 \
|
|
@@ -59,6 +65,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--source 2.2.2.2 \
|
|
@@ -69,6 +76,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--destination 2.2.2.2 \
|
|
@@ -79,6 +87,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--source 2.2.2.2 \
|
|
@@ -89,6 +98,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--source 2.2.2.2 \
|
|
@@ -99,6 +109,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--destination 2.2.2.2 \
|
|
@@ -109,6 +120,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--source 2.2.2.2 \
|
|
@@ -119,6 +131,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--source 2.2.2.2 \
|
|
@@ -130,6 +143,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
--destination 2.2.2.2 \
|
|
@@ -141,6 +155,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--source 2.2.2.2 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/mac-linux.args b/tests/nwfilterxml2firewalldata/mac-linux.args
|
|
index 0fd9dbccc0..cc3aab2b92 100644
|
|
--- a/tests/nwfilterxml2firewalldata/mac-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/mac-linux.args
|
|
@@ -1,22 +1,26 @@
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
-p 0x806 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
|
|
-p 0x800 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
|
|
-p 0x600 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
|
|
diff --git a/tests/nwfilterxml2firewalldata/rarp-linux.args b/tests/nwfilterxml2firewalldata/rarp-linux.args
|
|
index f5fd6433bd..3e2441818c 100644
|
|
--- a/tests/nwfilterxml2firewalldata/rarp-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/rarp-linux.args
|
|
@@ -1,7 +1,9 @@
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-N libvirt-J-vnet0
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -14,6 +16,7 @@ ebtables \
|
|
--arp-mac-dst 0a:0b:0c:0d:0e:0f \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -23,6 +26,7 @@ ebtables \
|
|
--arp-ptype 0xff \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -32,6 +36,7 @@ ebtables \
|
|
--arp-ptype 0x100 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -41,6 +46,7 @@ ebtables \
|
|
--arp-ptype 0xffff \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A PREROUTING \
|
|
-i vnet0 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
|
|
index 959c4e8e0f..fbe6f39198 100644
|
|
--- a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
-m mac \
|
|
@@ -10,6 +11,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
--source a:b:c::d:e:f/128 \
|
|
@@ -19,6 +21,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
-m mac \
|
|
@@ -30,6 +33,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--destination a:b:c::/128 \
|
|
@@ -41,6 +45,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
-m mac \
|
|
@@ -54,6 +59,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--destination a:b:c::/128 \
|
|
@@ -65,6 +71,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--destination ::10.1.2.3/128 \
|
|
@@ -76,6 +83,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
-m mac \
|
|
@@ -89,6 +97,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--destination ::10.1.2.3/128 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/sctp-linux.args b/tests/nwfilterxml2firewalldata/sctp-linux.args
|
|
index 671fc0480f..a3c5a7a72d 100644
|
|
--- a/tests/nwfilterxml2firewalldata/sctp-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/sctp-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
-m mac \
|
|
@@ -10,6 +11,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
--source 10.1.2.3/32 \
|
|
@@ -19,6 +21,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
-m mac \
|
|
@@ -30,6 +33,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--destination 10.1.2.3/32 \
|
|
@@ -41,6 +45,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
-m mac \
|
|
@@ -54,6 +59,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--destination 10.1.2.3/32 \
|
|
@@ -65,6 +71,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p sctp \
|
|
--destination 10.1.2.3/32 \
|
|
@@ -76,6 +83,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p sctp \
|
|
-m mac \
|
|
@@ -89,6 +97,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p sctp \
|
|
--destination 10.1.2.3/32 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/stp-linux.args b/tests/nwfilterxml2firewalldata/stp-linux.args
|
|
index e3114ac622..76f5321856 100644
|
|
--- a/tests/nwfilterxml2firewalldata/stp-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/stp-linux.args
|
|
@@ -1,32 +1,41 @@
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-F J-vnet0-stp-xyz
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-X J-vnet0-stp-xyz
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-N J-vnet0-stp-xyz
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-d 01:80:c2:00:00:00 \
|
|
-j J-vnet0-stp-xyz
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-F P-vnet0-stp-xyz
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-X P-vnet0-stp-xyz
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-N P-vnet0-stp-xyz
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-d 01:80:c2:00:00:00 \
|
|
-j P-vnet0-stp-xyz
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A P-vnet0-stp-xyz \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -35,6 +44,7 @@ ebtables \
|
|
--stp-flags 68 \
|
|
-j CONTINUE
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A J-vnet0-stp-xyz \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -44,6 +54,7 @@ ebtables \
|
|
--stp-root-cost 287454020:573785173 \
|
|
-j RETURN
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A P-vnet0-stp-xyz \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
diff --git a/tests/nwfilterxml2firewalldata/target-linux.args b/tests/nwfilterxml2firewalldata/target-linux.args
|
|
index d219877716..5216c709dd 100644
|
|
--- a/tests/nwfilterxml2firewalldata/target-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/target-linux.args
|
|
@@ -1,40 +1,47 @@
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
-p 0x806 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
-p 0x806 \
|
|
-j DROP
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
-p 0x806 \
|
|
-j DROP
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
|
|
-p 0x800 \
|
|
-j ACCEPT
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
|
|
-p 0x800 \
|
|
-j DROP
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
|
|
-p 0x800 \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-m mac \
|
|
@@ -49,6 +56,7 @@ iptables \
|
|
-- dir out' \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
--source 10.1.2.3/32 \
|
|
@@ -61,6 +69,7 @@ iptables \
|
|
-- dir out' \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-m mac \
|
|
@@ -75,6 +84,7 @@ iptables \
|
|
-- dir out' \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-m mac \
|
|
@@ -87,6 +97,7 @@ iptables \
|
|
-- dir out' \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
--source 10.1.2.3/32 \
|
|
@@ -97,6 +108,7 @@ iptables \
|
|
-- dir out' \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-m mac \
|
|
@@ -109,6 +121,7 @@ iptables \
|
|
-- dir out' \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-m mac \
|
|
@@ -121,6 +134,7 @@ iptables \
|
|
-- dir out' \
|
|
-j REJECT
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
--source 10.1.2.3/32 \
|
|
@@ -131,6 +145,7 @@ iptables \
|
|
-- dir out' \
|
|
-j REJECT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-m mac \
|
|
@@ -143,6 +158,7 @@ iptables \
|
|
-- dir out' \
|
|
-j REJECT
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -155,6 +171,7 @@ iptables \
|
|
-- dir in' \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m mac \
|
|
@@ -169,6 +186,7 @@ iptables \
|
|
-- dir in' \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -181,6 +199,7 @@ iptables \
|
|
-- dir in' \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -191,6 +210,7 @@ iptables \
|
|
-- dir in' \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m mac \
|
|
@@ -203,6 +223,7 @@ iptables \
|
|
-- dir in' \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -213,6 +234,7 @@ iptables \
|
|
-- dir in' \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -223,6 +245,7 @@ iptables \
|
|
-- dir in' \
|
|
-j REJECT
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m mac \
|
|
@@ -235,6 +258,7 @@ iptables \
|
|
-- dir in' \
|
|
-j REJECT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -245,6 +269,7 @@ iptables \
|
|
-- dir in' \
|
|
-j REJECT
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-m comment \
|
|
@@ -252,6 +277,7 @@ iptables \
|
|
-- dir inout' \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m comment \
|
|
@@ -259,6 +285,7 @@ iptables \
|
|
-- dir inout' \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-m comment \
|
|
@@ -266,6 +293,7 @@ iptables \
|
|
-- dir inout' \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-m comment \
|
|
@@ -273,6 +301,7 @@ iptables \
|
|
-- dir inout' \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m comment \
|
|
@@ -280,6 +309,7 @@ iptables \
|
|
-- dir inout' \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-m comment \
|
|
@@ -287,6 +317,7 @@ iptables \
|
|
-- dir inout' \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-m comment \
|
|
@@ -294,6 +325,7 @@ iptables \
|
|
-- dir inout' \
|
|
-j REJECT
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-m comment \
|
|
@@ -301,6 +333,7 @@ iptables \
|
|
-- dir inout' \
|
|
-j REJECT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-m comment \
|
|
diff --git a/tests/nwfilterxml2firewalldata/target2-linux.args b/tests/nwfilterxml2firewalldata/target2-linux.args
|
|
index cfa4f589d6..c774f6f24a 100644
|
|
--- a/tests/nwfilterxml2firewalldata/target2-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/target2-linux.args
|
|
@@ -1,19 +1,23 @@
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--dport 22 \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--sport 22 \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--sport 22 \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--sport 80 \
|
|
@@ -21,6 +25,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--dport 80 \
|
|
@@ -28,6 +33,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--sport 80 \
|
|
@@ -35,26 +41,32 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
-j REJECT
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
-j REJECT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
-j REJECT
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p all \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p all \
|
|
-j DROP
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p all \
|
|
-j DROP
|
|
diff --git a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
|
|
index e6f8de3fca..8fa5e24eff 100644
|
|
--- a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
-m mac \
|
|
@@ -10,6 +11,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--source a:b:c::d:e:f/128 \
|
|
@@ -19,6 +21,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
-m mac \
|
|
@@ -30,6 +33,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--destination a:b:c::/128 \
|
|
@@ -41,6 +45,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
-m mac \
|
|
@@ -54,6 +59,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--destination a:b:c::/128 \
|
|
@@ -65,6 +71,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--destination ::10.1.2.3/128 \
|
|
@@ -76,6 +83,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
-m mac \
|
|
@@ -89,6 +97,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--destination ::10.1.2.3/128 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/tcp-linux.args b/tests/nwfilterxml2firewalldata/tcp-linux.args
|
|
index 195bfc01e6..74ac4a6733 100644
|
|
--- a/tests/nwfilterxml2firewalldata/tcp-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/tcp-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
-m mac \
|
|
@@ -10,6 +11,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--source 10.1.2.3/32 \
|
|
@@ -19,6 +21,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
-m mac \
|
|
@@ -30,6 +33,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--destination 10.1.2.3/32 \
|
|
@@ -39,6 +43,7 @@ iptables \
|
|
--sport 100:1111 \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
-m mac \
|
|
@@ -50,6 +55,7 @@ iptables \
|
|
--dport 100:1111 \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--destination 10.1.2.3/32 \
|
|
@@ -59,6 +65,7 @@ iptables \
|
|
--sport 100:1111 \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p tcp \
|
|
--destination 10.1.2.3/32 \
|
|
@@ -68,6 +75,7 @@ iptables \
|
|
--sport 65535:65535 \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
-m mac \
|
|
@@ -79,6 +87,7 @@ iptables \
|
|
--dport 65535:65535 \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p tcp \
|
|
--destination 10.1.2.3/32 \
|
|
@@ -88,21 +97,25 @@ iptables \
|
|
--sport 65535:65535 \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--tcp-flags SYN ALL \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--tcp-flags SYN SYN,ACK \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--tcp-flags RST NONE \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p tcp \
|
|
--tcp-flags PSH NONE \
|
|
diff --git a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
|
|
index 9183c08753..59367ed3d3 100644
|
|
--- a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
-m mac \
|
|
@@ -10,6 +11,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--source a:b:c::d:e:f/128 \
|
|
@@ -19,6 +21,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
-m mac \
|
|
@@ -30,6 +33,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--destination ::a:b:c/128 \
|
|
@@ -41,6 +45,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
-m mac \
|
|
@@ -54,6 +59,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--destination ::a:b:c/128 \
|
|
@@ -65,6 +71,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--destination ::10.1.2.3/128 \
|
|
@@ -76,6 +83,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
-m mac \
|
|
@@ -89,6 +97,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--destination ::10.1.2.3/128 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/udp-linux.args b/tests/nwfilterxml2firewalldata/udp-linux.args
|
|
index 910d648a8a..32a8f56dfc 100644
|
|
--- a/tests/nwfilterxml2firewalldata/udp-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/udp-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
-m mac \
|
|
@@ -10,6 +11,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
--source 10.1.2.3/32 \
|
|
@@ -19,6 +21,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
-m mac \
|
|
@@ -30,6 +33,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--destination 10.1.2.3/32 \
|
|
@@ -41,6 +45,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
-m mac \
|
|
@@ -54,6 +59,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--destination 10.1.2.3/32 \
|
|
@@ -65,6 +71,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udp \
|
|
--destination 10.1.2.3/32 \
|
|
@@ -76,6 +83,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udp \
|
|
-m mac \
|
|
@@ -89,6 +97,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udp \
|
|
--destination 10.1.2.3/32 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
|
|
index 9eb38d7e6d..de564aee36 100644
|
|
--- a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udplite \
|
|
-m mac \
|
|
@@ -11,6 +12,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udplite \
|
|
--destination f:e:d::c:b:a/127 \
|
|
@@ -21,6 +23,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udplite \
|
|
-m mac \
|
|
@@ -33,6 +36,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udplite \
|
|
--destination a:b:c::/128 \
|
|
@@ -42,6 +46,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udplite \
|
|
-m mac \
|
|
@@ -53,6 +58,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udplite \
|
|
--destination a:b:c::/128 \
|
|
@@ -62,6 +68,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udplite \
|
|
--destination ::10.1.2.3/128 \
|
|
@@ -71,6 +78,7 @@ ip6tables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
ip6tables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udplite \
|
|
-m mac \
|
|
@@ -82,6 +90,7 @@ ip6tables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
ip6tables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udplite \
|
|
--destination ::10.1.2.3/128 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/udplite-linux.args b/tests/nwfilterxml2firewalldata/udplite-linux.args
|
|
index 53bc667459..8f3a9e8f24 100644
|
|
--- a/tests/nwfilterxml2firewalldata/udplite-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/udplite-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udplite \
|
|
-m mac \
|
|
@@ -10,6 +11,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udplite \
|
|
--source 10.1.2.3/32 \
|
|
@@ -19,6 +21,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udplite \
|
|
-m mac \
|
|
@@ -30,6 +33,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udplite \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -39,6 +43,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udplite \
|
|
-m mac \
|
|
@@ -50,6 +55,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udplite \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -59,6 +65,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FJ-vnet0 \
|
|
-p udplite \
|
|
--destination 10.1.2.3/22 \
|
|
@@ -68,6 +75,7 @@ iptables \
|
|
--state ESTABLISHED \
|
|
-j RETURN
|
|
iptables \
|
|
+-w \
|
|
-A FP-vnet0 \
|
|
-p udplite \
|
|
-m mac \
|
|
@@ -79,6 +87,7 @@ iptables \
|
|
--state NEW,ESTABLISHED \
|
|
-j ACCEPT
|
|
iptables \
|
|
+-w \
|
|
-A HJ-vnet0 \
|
|
-p udplite \
|
|
--destination 10.1.2.3/22 \
|
|
diff --git a/tests/nwfilterxml2firewalldata/vlan-linux.args b/tests/nwfilterxml2firewalldata/vlan-linux.args
|
|
index 0a8204c4dc..a93c09cfbd 100644
|
|
--- a/tests/nwfilterxml2firewalldata/vlan-linux.args
|
|
+++ b/tests/nwfilterxml2firewalldata/vlan-linux.args
|
|
@@ -1,4 +1,5 @@
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -7,6 +8,7 @@ ebtables \
|
|
--vlan-id 291 \
|
|
-j CONTINUE
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -15,6 +17,7 @@ ebtables \
|
|
--vlan-id 291 \
|
|
-j CONTINUE
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -23,6 +26,7 @@ ebtables \
|
|
--vlan-id 1234 \
|
|
-j RETURN
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -31,6 +35,7 @@ ebtables \
|
|
--vlan-id 1234 \
|
|
-j RETURN
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-P-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -39,6 +44,7 @@ ebtables \
|
|
--vlan-id 291 \
|
|
-j DROP
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
@@ -47,6 +53,7 @@ ebtables \
|
|
--vlan-encap 2054 \
|
|
-j DROP
|
|
ebtables \
|
|
+--concurrent \
|
|
-t nat \
|
|
-A libvirt-J-vnet0 \
|
|
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
|
|
diff --git a/tests/nwfilterxml2firewalltest.c b/tests/nwfilterxml2firewalltest.c
|
|
index da86ec9463..c97f83b24a 100644
|
|
--- a/tests/nwfilterxml2firewalltest.c
|
|
+++ b/tests/nwfilterxml2firewalltest.c
|
|
@@ -58,90 +58,90 @@ struct _virNWFilterInst {
|
|
|
|
static const char *commonRules[] = {
|
|
/* Dropping ebtables rules */
|
|
- "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
|
|
- "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
|
|
- "ebtables -t nat -L libvirt-J-vnet0\n"
|
|
- "ebtables -t nat -L libvirt-P-vnet0\n"
|
|
- "ebtables -t nat -F libvirt-J-vnet0\n"
|
|
- "ebtables -t nat -X libvirt-J-vnet0\n"
|
|
- "ebtables -t nat -F libvirt-P-vnet0\n"
|
|
- "ebtables -t nat -X libvirt-P-vnet0\n",
|
|
+ "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -L libvirt-J-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -L libvirt-P-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -F libvirt-J-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -X libvirt-J-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -F libvirt-P-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -X libvirt-P-vnet0\n",
|
|
|
|
/* Creating ebtables chains */
|
|
- "ebtables -t nat -N libvirt-J-vnet0\n"
|
|
- "ebtables -t nat -N libvirt-P-vnet0\n",
|
|
+ "ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -N libvirt-P-vnet0\n",
|
|
|
|
/* Dropping iptables rules */
|
|
- "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
|
|
- "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n"
|
|
- "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
|
|
- "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
|
|
- "iptables -F FP-vnet0\n"
|
|
- "iptables -X FP-vnet0\n"
|
|
- "iptables -F FJ-vnet0\n"
|
|
- "iptables -X FJ-vnet0\n"
|
|
- "iptables -F HJ-vnet0\n"
|
|
- "iptables -X HJ-vnet0\n",
|
|
+ "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
|
|
+ "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n"
|
|
+ "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
|
|
+ "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
|
|
+ "iptables -w -F FP-vnet0\n"
|
|
+ "iptables -w -X FP-vnet0\n"
|
|
+ "iptables -w -F FJ-vnet0\n"
|
|
+ "iptables -w -X FJ-vnet0\n"
|
|
+ "iptables -w -F HJ-vnet0\n"
|
|
+ "iptables -w -X HJ-vnet0\n",
|
|
|
|
/* Creating iptables chains */
|
|
- "iptables -N libvirt-in\n"
|
|
- "iptables -N libvirt-out\n"
|
|
- "iptables -N libvirt-in-post\n"
|
|
- "iptables -N libvirt-host-in\n"
|
|
- "iptables -D FORWARD -j libvirt-in\n"
|
|
- "iptables -D FORWARD -j libvirt-out\n"
|
|
- "iptables -D FORWARD -j libvirt-in-post\n"
|
|
- "iptables -D INPUT -j libvirt-host-in\n"
|
|
- "iptables -I FORWARD 1 -j libvirt-in\n"
|
|
- "iptables -I FORWARD 2 -j libvirt-out\n"
|
|
- "iptables -I FORWARD 3 -j libvirt-in-post\n"
|
|
- "iptables -I INPUT 1 -j libvirt-host-in\n"
|
|
- "iptables -N FP-vnet0\n"
|
|
- "iptables -N FJ-vnet0\n"
|
|
- "iptables -N HJ-vnet0\n"
|
|
- "iptables -A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
|
|
- "iptables -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
|
|
- "iptables -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
|
|
- "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
- "iptables -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n",
|
|
+ "iptables -w -N libvirt-in\n"
|
|
+ "iptables -w -N libvirt-out\n"
|
|
+ "iptables -w -N libvirt-in-post\n"
|
|
+ "iptables -w -N libvirt-host-in\n"
|
|
+ "iptables -w -D FORWARD -j libvirt-in\n"
|
|
+ "iptables -w -D FORWARD -j libvirt-out\n"
|
|
+ "iptables -w -D FORWARD -j libvirt-in-post\n"
|
|
+ "iptables -w -D INPUT -j libvirt-host-in\n"
|
|
+ "iptables -w -I FORWARD 1 -j libvirt-in\n"
|
|
+ "iptables -w -I FORWARD 2 -j libvirt-out\n"
|
|
+ "iptables -w -I FORWARD 3 -j libvirt-in-post\n"
|
|
+ "iptables -w -I INPUT 1 -j libvirt-host-in\n"
|
|
+ "iptables -w -N FP-vnet0\n"
|
|
+ "iptables -w -N FJ-vnet0\n"
|
|
+ "iptables -w -N HJ-vnet0\n"
|
|
+ "iptables -w -A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
|
|
+ "iptables -w -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
|
|
+ "iptables -w -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
|
|
+ "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
+ "iptables -w -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n",
|
|
|
|
/* Dropping ip6tables rules */
|
|
- "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
|
|
- "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n"
|
|
- "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
|
|
- "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
|
|
- "ip6tables -F FP-vnet0\n"
|
|
- "ip6tables -X FP-vnet0\n"
|
|
- "ip6tables -F FJ-vnet0\n"
|
|
- "ip6tables -X FJ-vnet0\n"
|
|
- "ip6tables -F HJ-vnet0\n"
|
|
- "ip6tables -X HJ-vnet0\n",
|
|
+ "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
|
|
+ "ip6tables -w -F FP-vnet0\n"
|
|
+ "ip6tables -w -X FP-vnet0\n"
|
|
+ "ip6tables -w -F FJ-vnet0\n"
|
|
+ "ip6tables -w -X FJ-vnet0\n"
|
|
+ "ip6tables -w -F HJ-vnet0\n"
|
|
+ "ip6tables -w -X HJ-vnet0\n",
|
|
|
|
/* Creating ip6tables chains */
|
|
- "ip6tables -N libvirt-in\n"
|
|
- "ip6tables -N libvirt-out\n"
|
|
- "ip6tables -N libvirt-in-post\n"
|
|
- "ip6tables -N libvirt-host-in\n"
|
|
- "ip6tables -D FORWARD -j libvirt-in\n"
|
|
- "ip6tables -D FORWARD -j libvirt-out\n"
|
|
- "ip6tables -D FORWARD -j libvirt-in-post\n"
|
|
- "ip6tables -D INPUT -j libvirt-host-in\n"
|
|
- "ip6tables -I FORWARD 1 -j libvirt-in\n"
|
|
- "ip6tables -I FORWARD 2 -j libvirt-out\n"
|
|
- "ip6tables -I FORWARD 3 -j libvirt-in-post\n"
|
|
- "ip6tables -I INPUT 1 -j libvirt-host-in\n"
|
|
- "ip6tables -N FP-vnet0\n"
|
|
- "ip6tables -N FJ-vnet0\n"
|
|
- "ip6tables -N HJ-vnet0\n"
|
|
- "ip6tables -A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
|
|
- "ip6tables -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
|
|
- "ip6tables -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
|
|
- "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
- "ip6tables -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n",
|
|
+ "ip6tables -w -N libvirt-in\n"
|
|
+ "ip6tables -w -N libvirt-out\n"
|
|
+ "ip6tables -w -N libvirt-in-post\n"
|
|
+ "ip6tables -w -N libvirt-host-in\n"
|
|
+ "ip6tables -w -D FORWARD -j libvirt-in\n"
|
|
+ "ip6tables -w -D FORWARD -j libvirt-out\n"
|
|
+ "ip6tables -w -D FORWARD -j libvirt-in-post\n"
|
|
+ "ip6tables -w -D INPUT -j libvirt-host-in\n"
|
|
+ "ip6tables -w -I FORWARD 1 -j libvirt-in\n"
|
|
+ "ip6tables -w -I FORWARD 2 -j libvirt-out\n"
|
|
+ "ip6tables -w -I FORWARD 3 -j libvirt-in-post\n"
|
|
+ "ip6tables -w -I INPUT 1 -j libvirt-host-in\n"
|
|
+ "ip6tables -w -N FP-vnet0\n"
|
|
+ "ip6tables -w -N FJ-vnet0\n"
|
|
+ "ip6tables -w -N HJ-vnet0\n"
|
|
+ "ip6tables -w -A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
|
|
+ "ip6tables -w -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
|
|
+ "ip6tables -w -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
|
|
+ "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
|
|
+ "ip6tables -w -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n",
|
|
|
|
/* Inserting ebtables rules */
|
|
- "ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
|
|
- "ebtables -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n",
|
|
+ "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
|
|
+ "ebtables --concurrent -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n",
|
|
};
|
|
|
|
|
|
diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c
|
|
index 8aba127610..195163a985 100644
|
|
--- a/tests/virfirewalltest.c
|
|
+++ b/tests/virfirewalltest.c
|
|
@@ -147,17 +147,19 @@ VIR_MOCK_WRAP_RET_ARGS(dbus_connection_send_with_reply_and_block,
|
|
"org.firewalld.error",
|
|
"something bad happened");
|
|
} else {
|
|
- if (nargs == 1 &&
|
|
+ if (nargs == 2 &&
|
|
STREQ(type, "ipv4") &&
|
|
- STREQ(args[0], "-L")) {
|
|
+ STREQ(args[0], "-w") &&
|
|
+ STREQ(args[1], "-L")) {
|
|
if (virDBusCreateReply(&reply,
|
|
"s", TEST_FILTER_TABLE_LIST) < 0)
|
|
goto error;
|
|
- } else if (nargs == 3 &&
|
|
+ } else if (nargs == 4 &&
|
|
STREQ(type, "ipv4") &&
|
|
- STREQ(args[0], "-t") &&
|
|
- STREQ(args[1], "nat") &&
|
|
- STREQ(args[2], "-L")) {
|
|
+ STREQ(args[0], "-w") &&
|
|
+ STREQ(args[1], "-t") &&
|
|
+ STREQ(args[2], "nat") &&
|
|
+ STREQ(args[3], "-L")) {
|
|
if (virDBusCreateReply(&reply,
|
|
"s", TEST_NAT_TABLE_LIST) < 0)
|
|
goto error;
|
|
@@ -204,8 +206,8 @@ testFirewallSingleGroup(const void *opaque)
|
|
int ret = -1;
|
|
const char *actual = NULL;
|
|
const char *expected =
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
- IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
|
|
const struct testFirewallData *data = opaque;
|
|
|
|
fwDisabled = data->fwDisabled;
|
|
@@ -260,8 +262,8 @@ testFirewallRemoveRule(const void *opaque)
|
|
int ret = -1;
|
|
const char *actual = NULL;
|
|
const char *expected =
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
- IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
|
|
const struct testFirewallData *data = opaque;
|
|
virFirewallRulePtr fwrule;
|
|
|
|
@@ -323,10 +325,10 @@ testFirewallManyGroups(const void *opaque G_GNUC_UNUSED)
|
|
int ret = -1;
|
|
const char *actual = NULL;
|
|
const char *expected =
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
- IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n"
|
|
- IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
- IPTABLES_PATH " -A OUTPUT --jump DROP\n";
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump REJECT\n"
|
|
+ IPTABLES_PATH " -w -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
+ IPTABLES_PATH " -w -A OUTPUT --jump DROP\n";
|
|
const struct testFirewallData *data = opaque;
|
|
|
|
fwDisabled = data->fwDisabled;
|
|
@@ -414,10 +416,10 @@ testFirewallIgnoreFailGroup(const void *opaque G_GNUC_UNUSED)
|
|
int ret = -1;
|
|
const char *actual = NULL;
|
|
const char *expected =
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
|
|
- IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
- IPTABLES_PATH " -A OUTPUT --jump DROP\n";
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
|
|
+ IPTABLES_PATH " -w -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
+ IPTABLES_PATH " -w -A OUTPUT --jump DROP\n";
|
|
const struct testFirewallData *data = opaque;
|
|
|
|
fwDisabled = data->fwDisabled;
|
|
@@ -486,10 +488,10 @@ testFirewallIgnoreFailRule(const void *opaque G_GNUC_UNUSED)
|
|
int ret = -1;
|
|
const char *actual = NULL;
|
|
const char *expected =
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
|
|
- IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
- IPTABLES_PATH " -A OUTPUT --jump DROP\n";
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
|
|
+ IPTABLES_PATH " -w -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
+ IPTABLES_PATH " -w -A OUTPUT --jump DROP\n";
|
|
const struct testFirewallData *data = opaque;
|
|
|
|
fwDisabled = data->fwDisabled;
|
|
@@ -557,8 +559,8 @@ testFirewallNoRollback(const void *opaque G_GNUC_UNUSED)
|
|
int ret = -1;
|
|
const char *actual = NULL;
|
|
const char *expected =
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n";
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump REJECT\n";
|
|
const struct testFirewallData *data = opaque;
|
|
|
|
fwDisabled = data->fwDisabled;
|
|
@@ -621,11 +623,11 @@ testFirewallSingleRollback(const void *opaque G_GNUC_UNUSED)
|
|
int ret = -1;
|
|
const char *actual = NULL;
|
|
const char *expected =
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
|
|
- IPTABLES_PATH " -D INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
- IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
|
|
- IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
|
|
+ IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
+ IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
|
|
+ IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
|
|
const struct testFirewallData *data = opaque;
|
|
|
|
fwDisabled = data->fwDisabled;
|
|
@@ -705,10 +707,10 @@ testFirewallManyRollback(const void *opaque G_GNUC_UNUSED)
|
|
int ret = -1;
|
|
const char *actual = NULL;
|
|
const char *expected =
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
|
|
- IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
|
|
- IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
|
|
+ IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
|
|
+ IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
|
|
const struct testFirewallData *data = opaque;
|
|
|
|
fwDisabled = data->fwDisabled;
|
|
@@ -792,14 +794,14 @@ testFirewallChainedRollback(const void *opaque G_GNUC_UNUSED)
|
|
int ret = -1;
|
|
const char *actual = NULL;
|
|
const char *expected =
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.127 --jump REJECT\n"
|
|
- IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n"
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
|
|
- IPTABLES_PATH " -D INPUT --source-host 192.168.122.127 --jump REJECT\n"
|
|
- IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n"
|
|
- IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
|
|
- IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.127 --jump REJECT\n"
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump REJECT\n"
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
|
|
+ IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.127 --jump REJECT\n"
|
|
+ IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump REJECT\n"
|
|
+ IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
|
|
+ IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
|
|
const struct testFirewallData *data = opaque;
|
|
|
|
fwDisabled = data->fwDisabled;
|
|
@@ -938,12 +940,14 @@ testFirewallQueryHook(const char *const*args,
|
|
void *opaque G_GNUC_UNUSED)
|
|
{
|
|
if (STREQ(args[0], IPTABLES_PATH) &&
|
|
- STREQ(args[1], "-L")) {
|
|
+ STREQ(args[1], "-w") &&
|
|
+ STREQ(args[2], "-L")) {
|
|
*output = g_strdup(TEST_FILTER_TABLE_LIST);
|
|
} else if (STREQ(args[0], IPTABLES_PATH) &&
|
|
- STREQ(args[1], "-t") &&
|
|
- STREQ(args[2], "nat") &&
|
|
- STREQ(args[3], "-L")) {
|
|
+ STREQ(args[1], "-w") &&
|
|
+ STREQ(args[2], "-t") &&
|
|
+ STREQ(args[3], "nat") &&
|
|
+ STREQ(args[4], "-L")) {
|
|
*output = g_strdup(TEST_NAT_TABLE_LIST);
|
|
}
|
|
}
|
|
@@ -986,15 +990,15 @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED)
|
|
int ret = -1;
|
|
const char *actual = NULL;
|
|
const char *expected =
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.127 --jump REJECT\n"
|
|
- IPTABLES_PATH " -L\n"
|
|
- IPTABLES_PATH " -t nat -L\n"
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.130 --jump REJECT\n"
|
|
- IPTABLES_PATH " -A INPUT --source-host '!192.168.122.129' --jump REJECT\n"
|
|
- IPTABLES_PATH " -A INPUT --source-host '!192.168.122.129' --jump REJECT\n"
|
|
- IPTABLES_PATH " -A INPUT --source-host 192.168.122.128 --jump REJECT\n"
|
|
- IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.127 --jump REJECT\n"
|
|
+ IPTABLES_PATH " -w -L\n"
|
|
+ IPTABLES_PATH " -w -t nat -L\n"
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.130 --jump REJECT\n"
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.129' --jump REJECT\n"
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.129' --jump REJECT\n"
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.128 --jump REJECT\n"
|
|
+ IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
|
|
const struct testFirewallData *data = opaque;
|
|
|
|
expectedLineNum = 0;
|
|
--
|
|
2.30.0
|
|
|