util: move virtual network firwall rules into private chains

The previous commit created new chains to hold the firewall rules. This
commit changes the code that creates rules to place them in the new
private chains instead of the builtin top level chains.

With two networks running, the rules in the filter table now look like

  -N LIBVIRT_FWI
  -N LIBVIRT_FWO
  -N LIBVIRT_FWX
  -N LIBVIRT_INP
  -N LIBVIRT_OUT
  -A INPUT -j LIBVIRT_INP
  -A FORWARD -j LIBVIRT_FWX
  -A FORWARD -j LIBVIRT_FWI
  -A FORWARD -j LIBVIRT_FWO
  -A OUTPUT -j LIBVIRT_OUT
  -A LIBVIRT_FWI -d 192.168.0.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
  -A LIBVIRT_FWI -d 192.168.1.0/24 -o virbr1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
  -A LIBVIRT_FWO -s 192.168.0.0/24 -i virbr0 -j ACCEPT
  -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
  -A LIBVIRT_FWO -s 192.168.1.0/24 -i virbr1 -j ACCEPT
  -A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
  -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
  -A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
  -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
  -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
  -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
  -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
  -A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
  -A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
  -A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
  -A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
  -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
  -A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT

While in the nat table:

  -N LIBVIRT_PRT
  -A POSTROUTING -j LIBVIRT_PRT
  -A LIBVIRT_PRT -s 192.168.0.0/24 -d 224.0.0.0/24 -j RETURN
  -A LIBVIRT_PRT -s 192.168.0.0/24 -d 255.255.255.255/32 -j RETURN
  -A LIBVIRT_PRT -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
  -A LIBVIRT_PRT -s 192.168.0.0/24 ! -d 192.168.0.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
  -A LIBVIRT_PRT -s 192.168.0.0/24 ! -d 192.168.0.0/24 -j MASQUERADE
  -A LIBVIRT_PRT -s 192.168.1.0/24 -d 224.0.0.0/24 -j RETURN
  -A LIBVIRT_PRT -s 192.168.1.0/24 -d 255.255.255.255/32 -j RETURN
  -A LIBVIRT_PRT -s 192.168.1.0/24 ! -d 192.168.1.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
  -A LIBVIRT_PRT -s 192.168.1.0/24 ! -d 192.168.1.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
  -A LIBVIRT_PRT -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE

And finally the mangle table:

  -N LIBVIRT_PRT
  -A POSTROUTING -j LIBVIRT_PRT
  -A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
  -A LIBVIRT_PRT -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

src/libvirt_private.syms

@@ -2077,6 +2077,7 @@ iptablesRemoveOutputFixUdpChecksum;
 iptablesRemoveTcpInput;
 iptablesRemoveUdpInput;
 iptablesRemoveUdpOutput;
+iptablesSetDeletePrivate;
 iptablesSetupPrivateChains;
 
 

src/network/bridge_driver_linux.c

@@ -34,17 +34,35 @@ VIR_LOG_INIT("network.bridge_driver_linux");
 
 #define PROC_NET_ROUTE "/proc/net/route"
 
-int networkPreReloadFirewallRules(bool startup ATTRIBUTE_UNUSED)
+int networkPreReloadFirewallRules(bool startup)
 {
     int ret = iptablesSetupPrivateChains();
     if (ret < 0)
         return -1;
+
+    /*
+     * If this is initial startup, and we just created the
+     * top level private chains we either
+     *
+     *   - upgraded from old libvirt
+     *   - freshly booted from clean state
+     *
+     * In the first case we must delete the old rules from
+     * the built-in chains, instead of our new private chains.
+     * In the second case it doesn't matter, since no existing
+     * rules will be present. Thus we can safely just tell it
+     * to always delete from the builin chain
+     */
+    if (startup && ret == 1)
+        iptablesSetDeletePrivate(false);
+
     return 0;
 }
 
 
 void networkPostReloadFirewallRules(bool startup ATTRIBUTE_UNUSED)
 {
+    iptablesSetDeletePrivate(true);
 }
 
 

src/util/viriptables.c

@@ -48,6 +48,7 @@ enum {
     REMOVE
 };
 
+static bool deletePrivate = true;
 
 typedef struct {
     const char *parent;
@@ -179,9 +180,17 @@ iptablesSetupPrivateChains(void)
 }
 
 
+void
+iptablesSetDeletePrivate(bool pvt)
+{
+    deletePrivate = pvt;
+}
+
+
 static void
 iptablesInput(virFirewallPtr fw,
               virFirewallLayer layer,
+              bool pvt,
               const char *iface,
               int port,
               int action,
@@ -194,7 +203,8 @@ iptablesInput(virFirewallPtr fw,
 
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
-                       action == ADD ? "--insert" : "--delete", "INPUT",
+                       action == ADD ? "--insert" : "--delete",
+                       pvt ? "LIBVIRT_INP" : "INPUT",
                        "--in-interface", iface,
                        "--protocol", tcp ? "tcp" : "udp",
                        "--destination-port", portstr,
@@ -205,6 +215,7 @@ iptablesInput(virFirewallPtr fw,
 static void
 iptablesOutput(virFirewallPtr fw,
                virFirewallLayer layer,
+               bool pvt,
                const char *iface,
                int port,
                int action,
@@ -217,7 +228,8 @@ iptablesOutput(virFirewallPtr fw,
 
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
-                       action == ADD ? "--insert" : "--delete", "OUTPUT",
+                       action == ADD ? "--insert" : "--delete",
+                       pvt ? "LIBVIRT_OUT" : "OUTPUT",
                        "--out-interface", iface,
                        "--protocol", tcp ? "tcp" : "udp",
                        "--destination-port", portstr,
@@ -240,7 +252,7 @@ iptablesAddTcpInput(virFirewallPtr fw,
                     const char *iface,
                     int port)
 {
-    iptablesInput(fw, layer, iface, port, ADD, 1);
+    iptablesInput(fw, layer, true, iface, port, ADD, 1);
 }
 
 /**
@@ -258,7 +270,7 @@ iptablesRemoveTcpInput(virFirewallPtr fw,
                        const char *iface,
                        int port)
 {
-    iptablesInput(fw, layer, iface, port, REMOVE, 1);
+    iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 1);
 }
 
 /**
@@ -276,7 +288,7 @@ iptablesAddUdpInput(virFirewallPtr fw,
                     const char *iface,
                     int port)
 {
-    iptablesInput(fw, layer, iface, port, ADD, 0);
+    iptablesInput(fw, layer, true, iface, port, ADD, 0);
 }
 
 /**
@@ -294,7 +306,7 @@ iptablesRemoveUdpInput(virFirewallPtr fw,
                        const char *iface,
                        int port)
 {
-    return iptablesInput(fw, layer, iface, port, REMOVE, 0);
+    iptablesInput(fw, layer, deletePrivate, iface, port, REMOVE, 0);
 }
 
 /**
@@ -312,7 +324,7 @@ iptablesAddUdpOutput(virFirewallPtr fw,
                      const char *iface,
                      int port)
 {
-    iptablesOutput(fw, layer, iface, port, ADD, 0);
+    iptablesOutput(fw, layer, true, iface, port, ADD, 0);
 }
 
 /**
@@ -330,7 +342,7 @@ iptablesRemoveUdpOutput(virFirewallPtr fw,
                         const char *iface,
                         int port)
 {
-    iptablesOutput(fw, layer, iface, port, REMOVE, 0);
+    iptablesOutput(fw, layer, deletePrivate, iface, port, REMOVE, 0);
 }
 
 
@@ -370,6 +382,7 @@ static char *iptablesFormatNetwork(virSocketAddr *netaddr,
  */
 static int
 iptablesForwardAllowOut(virFirewallPtr fw,
+                        bool pvt,
                         virSocketAddr *netaddr,
                         unsigned int prefix,
                         const char *iface,
@@ -386,7 +399,8 @@ iptablesForwardAllowOut(virFirewallPtr fw,
     if (physdev && physdev[0])
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
-                           action == ADD ? "--insert" : "--delete", "FORWARD",
+                           action == ADD ? "--insert" : "--delete",
+                           pvt ? "LIBVIRT_FWO" : "FORWARD",
                            "--source", networkstr,
                            "--in-interface", iface,
                            "--out-interface", physdev,
@@ -395,7 +409,8 @@ iptablesForwardAllowOut(virFirewallPtr fw,
     else
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
-                           action == ADD ? "--insert" : "--delete", "FORWARD",
+                           action == ADD ? "--insert" : "--delete",
+                           pvt ? "LIBVIRT_FWO" : "FORWARD",
                            "--source", networkstr,
                            "--in-interface", iface,
                            "--jump", "ACCEPT",
@@ -424,7 +439,7 @@ iptablesAddForwardAllowOut(virFirewallPtr fw,
                            const char *iface,
                            const char *physdev)
 {
-    return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, ADD);
+    return iptablesForwardAllowOut(fw, true, netaddr, prefix, iface, physdev, ADD);
 }
 
 /**
@@ -447,7 +462,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
                               const char *iface,
                               const char *physdev)
 {
-    return iptablesForwardAllowOut(fw, netaddr, prefix, iface, physdev, REMOVE);
+    return iptablesForwardAllowOut(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
 }
 
 
@@ -456,6 +471,7 @@ iptablesRemoveForwardAllowOut(virFirewallPtr fw,
  */
 static int
 iptablesForwardAllowRelatedIn(virFirewallPtr fw,
+                              bool pvt,
                               virSocketAddr *netaddr,
                               unsigned int prefix,
                               const char *iface,
@@ -472,7 +488,8 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
     if (physdev && physdev[0])
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
-                           action == ADD ? "--insert" : "--delete", "FORWARD",
+                           action == ADD ? "--insert" : "--delete",
+                           pvt ? "LIBVIRT_FWI" : "FORWARD",
                            "--destination", networkstr,
                            "--in-interface", physdev,
                            "--out-interface", iface,
@@ -483,7 +500,8 @@ iptablesForwardAllowRelatedIn(virFirewallPtr fw,
     else
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
-                           action == ADD ? "--insert" : "--delete", "FORWARD",
+                           action == ADD ? "--insert" : "--delete",
+                           pvt ? "LIBVIRT_FWI" : "FORWARD",
                            "--destination", networkstr,
                            "--out-interface", iface,
                            "--match", "conntrack",
@@ -514,7 +532,7 @@ iptablesAddForwardAllowRelatedIn(virFirewallPtr fw,
                                  const char *iface,
                                  const char *physdev)
 {
-    return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, ADD);
+    return iptablesForwardAllowRelatedIn(fw, true, netaddr, prefix, iface, physdev, ADD);
 }
 
 /**
@@ -537,13 +555,14 @@ iptablesRemoveForwardAllowRelatedIn(virFirewallPtr fw,
                                     const char *iface,
                                     const char *physdev)
 {
-    return iptablesForwardAllowRelatedIn(fw, netaddr, prefix, iface, physdev, REMOVE);
+    return iptablesForwardAllowRelatedIn(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
 }
 
 /* Allow all traffic destined to the bridge, with a valid network address
  */
 static int
 iptablesForwardAllowIn(virFirewallPtr fw,
+                       bool pvt,
                        virSocketAddr *netaddr,
                        unsigned int prefix,
                        const char *iface,
@@ -560,7 +579,8 @@ iptablesForwardAllowIn(virFirewallPtr fw,
     if (physdev && physdev[0])
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
-                           action == ADD ? "--insert" : "--delete", "FORWARD",
+                           action == ADD ? "--insert" : "--delete",
+                           pvt ? "LIBVIRT_FWI" : "FORWARD",
                            "--destination", networkstr,
                            "--in-interface", physdev,
                            "--out-interface", iface,
@@ -569,7 +589,8 @@ iptablesForwardAllowIn(virFirewallPtr fw,
     else
         virFirewallAddRule(fw, layer,
                            "--table", "filter",
-                           action == ADD ? "--insert" : "--delete", "FORWARD",
+                           action == ADD ? "--insert" : "--delete",
+                           pvt ? "LIBVIRT_FWI" : "FORWARD",
                            "--destination", networkstr,
                            "--out-interface", iface,
                            "--jump", "ACCEPT",
@@ -597,7 +618,7 @@ iptablesAddForwardAllowIn(virFirewallPtr fw,
                           const char *iface,
                           const char *physdev)
 {
-    return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, ADD);
+    return iptablesForwardAllowIn(fw, true, netaddr, prefix, iface, physdev, ADD);
 }
 
 /**
@@ -620,18 +641,20 @@ iptablesRemoveForwardAllowIn(virFirewallPtr fw,
                              const char *iface,
                              const char *physdev)
 {
-    return iptablesForwardAllowIn(fw, netaddr, prefix, iface, physdev, REMOVE);
+    return iptablesForwardAllowIn(fw, deletePrivate, netaddr, prefix, iface, physdev, REMOVE);
 }
 
 static void
 iptablesForwardAllowCross(virFirewallPtr fw,
                           virFirewallLayer layer,
+                          bool pvt,
                           const char *iface,
                           int action)
 {
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
-                       action == ADD ? "--insert" : "--delete", "FORWARD",
+                       action == ADD ? "--insert" : "--delete",
+                       pvt ? "LIBVIRT_FWX" : "FORWARD",
                        "--in-interface", iface,
                        "--out-interface", iface,
                        "--jump", "ACCEPT",
@@ -654,7 +677,7 @@ iptablesAddForwardAllowCross(virFirewallPtr fw,
                              virFirewallLayer layer,
                              const char *iface)
 {
-    iptablesForwardAllowCross(fw, layer, iface, ADD);
+    iptablesForwardAllowCross(fw, layer, true, iface, ADD);
 }
 
 /**
@@ -673,18 +696,20 @@ iptablesRemoveForwardAllowCross(virFirewallPtr fw,
                                 virFirewallLayer layer,
                                 const char *iface)
 {
-    iptablesForwardAllowCross(fw, layer, iface, REMOVE);
+    iptablesForwardAllowCross(fw, layer, deletePrivate, iface, REMOVE);
 }
 
 static void
 iptablesForwardRejectOut(virFirewallPtr fw,
                          virFirewallLayer layer,
+                         bool pvt,
                          const char *iface,
                          int action)
 {
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
-                       action == ADD ? "--insert" : "delete", "FORWARD",
+                       action == ADD ? "--insert" : "--delete",
+                       pvt ? "LIBVIRT_FWO" : "FORWARD",
                        "--in-interface", iface,
                        "--jump", "REJECT",
                        NULL);
@@ -705,7 +730,7 @@ iptablesAddForwardRejectOut(virFirewallPtr fw,
                             virFirewallLayer layer,
                             const char *iface)
 {
-    iptablesForwardRejectOut(fw, layer, iface, ADD);
+    iptablesForwardRejectOut(fw, layer, true, iface, ADD);
 }
 
 /**
@@ -723,19 +748,21 @@ iptablesRemoveForwardRejectOut(virFirewallPtr fw,
                                virFirewallLayer layer,
                                const char *iface)
 {
-    iptablesForwardRejectOut(fw, layer, iface, REMOVE);
+    iptablesForwardRejectOut(fw, layer, deletePrivate, iface, REMOVE);
 }
 
 
 static void
 iptablesForwardRejectIn(virFirewallPtr fw,
                         virFirewallLayer layer,
+                        bool pvt,
                         const char *iface,
                         int action)
 {
     virFirewallAddRule(fw, layer,
                        "--table", "filter",
-                       action == ADD ? "--insert" : "--delete", "FORWARD",
+                       action == ADD ? "--insert" : "--delete",
+                       pvt ? "LIBVIRT_FWI" : "FORWARD",
                        "--out-interface", iface,
                        "--jump", "REJECT",
                        NULL);
@@ -756,7 +783,7 @@ iptablesAddForwardRejectIn(virFirewallPtr fw,
                            virFirewallLayer layer,
                            const char *iface)
 {
-    iptablesForwardRejectIn(fw, layer, iface, ADD);
+    iptablesForwardRejectIn(fw, layer, true, iface, ADD);
 }
 
 /**
@@ -774,7 +801,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
                               virFirewallLayer layer,
                               const char *iface)
 {
-    iptablesForwardRejectIn(fw, layer, iface, REMOVE);
+    iptablesForwardRejectIn(fw, layer, deletePrivate, iface, REMOVE);
 }
 
 
@@ -783,6 +810,7 @@ iptablesRemoveForwardRejectIn(virFirewallPtr fw,
  */
 static int
 iptablesForwardMasquerade(virFirewallPtr fw,
+                          bool pvt,
                           virSocketAddr *netaddr,
                           unsigned int prefix,
                           const char *physdev,
@@ -821,7 +849,8 @@ iptablesForwardMasquerade(virFirewallPtr fw,
     if (protocol && protocol[0]) {
         rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                                   "--table", "nat",
-                                  action == ADD ? "--insert" : "--delete", "POSTROUTING",
+                                  action == ADD ? "--insert" : "--delete",
+                                  pvt ? "LIBVIRT_PRT" : "POSTROUTING",
                                   "--source", networkstr,
                                   "-p", protocol,
                                   "!", "--destination", networkstr,
@@ -829,7 +858,8 @@ iptablesForwardMasquerade(virFirewallPtr fw,
     } else {
         rule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                                   "--table", "nat",
-                                  action == ADD ? "--insert" : "--delete", "POSTROUTING",
+                                  action == ADD ? "--insert" : "--delete",
+                                  pvt ? "LIBVIRT_PRT" : "POSTROUTING",
                                   "--source", networkstr,
                                   "!", "--destination", networkstr,
                                   NULL);
@@ -907,8 +937,8 @@ iptablesAddForwardMasquerade(virFirewallPtr fw,
                              virPortRangePtr port,
                              const char *protocol)
 {
-    return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
+    return iptablesForwardMasquerade(fw, true, netaddr, prefix,
-                                     protocol, ADD);
+                                     physdev, addr, port, protocol, ADD);
 }
 
 /**
@@ -933,8 +963,8 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
                                 virPortRangePtr port,
                                 const char *protocol)
 {
-    return iptablesForwardMasquerade(fw, netaddr, prefix, physdev, addr, port,
+    return iptablesForwardMasquerade(fw, deletePrivate, netaddr, prefix,
-                                     protocol, REMOVE);
+                                     physdev, addr, port, protocol, REMOVE);
 }
 
 
@@ -943,6 +973,7 @@ iptablesRemoveForwardMasquerade(virFirewallPtr fw,
  */
 static int
 iptablesForwardDontMasquerade(virFirewallPtr fw,
+                              bool pvt,
                               virSocketAddr *netaddr,
                               unsigned int prefix,
                               const char *physdev,
@@ -965,7 +996,8 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
     if (physdev && physdev[0])
         virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                            "--table", "nat",
-                           action == ADD ? "--insert" : "--delete", "POSTROUTING",
+                           action == ADD ? "--insert" : "--delete",
+                           pvt ? "LIBVIRT_PRT" : "POSTROUTING",
                            "--out-interface", physdev,
                            "--source", networkstr,
                            "--destination", destaddr,
@@ -974,7 +1006,8 @@ iptablesForwardDontMasquerade(virFirewallPtr fw,
     else
         virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                            "--table", "nat",
-                           action == ADD ? "--insert" : "--delete", "POSTROUTING",
+                           action == ADD ? "--insert" : "--delete",
+                           pvt ? "LIBVIRT_PRT" : "POSTROUTING",
                            "--source", networkstr,
                            "--destination", destaddr,
                            "--jump", "RETURN",
@@ -1004,8 +1037,8 @@ iptablesAddDontMasquerade(virFirewallPtr fw,
                           const char *physdev,
                           const char *destaddr)
 {
-    return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
+    return iptablesForwardDontMasquerade(fw, true, netaddr, prefix,
-                                         ADD);
+                                         physdev, destaddr, ADD);
 }
 
 /**
@@ -1029,13 +1062,14 @@ iptablesRemoveDontMasquerade(virFirewallPtr fw,
                              const char *physdev,
                              const char *destaddr)
 {
-    return iptablesForwardDontMasquerade(fw, netaddr, prefix, physdev, destaddr,
+    return iptablesForwardDontMasquerade(fw, deletePrivate, netaddr, prefix,
-                                         REMOVE);
+                                         physdev, destaddr, REMOVE);
 }
 
 
 static void
 iptablesOutputFixUdpChecksum(virFirewallPtr fw,
+                             bool pvt,
                              const char *iface,
                              int port,
                              int action)
@@ -1047,7 +1081,8 @@ iptablesOutputFixUdpChecksum(virFirewallPtr fw,
 
     virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
                        "--table", "mangle",
-                       action == ADD ? "--insert" : "--delete", "POSTROUTING",
+                       action == ADD ? "--insert" : "--delete",
+                       pvt ? "LIBVIRT_PRT" : "POSTROUTING",
                        "--out-interface", iface,
                        "--protocol", "udp",
                        "--destination-port", portstr,
@@ -1071,7 +1106,7 @@ iptablesAddOutputFixUdpChecksum(virFirewallPtr fw,
                                 const char *iface,
                                 int port)
 {
-    iptablesOutputFixUdpChecksum(fw, iface, port, ADD);
+    iptablesOutputFixUdpChecksum(fw, true, iface, port, ADD);
 }
 
 /**
@@ -1088,5 +1123,5 @@ iptablesRemoveOutputFixUdpChecksum(virFirewallPtr fw,
                                    const char *iface,
                                    int port)
 {
-    iptablesOutputFixUdpChecksum(fw, iface, port, REMOVE);
+    iptablesOutputFixUdpChecksum(fw, deletePrivate, iface, port, REMOVE);
 }

src/util/viriptables.h

@@ -26,6 +26,8 @@
 
 int              iptablesSetupPrivateChains      (void);
 
+void             iptablesSetDeletePrivate        (bool pvt);
+
 void             iptablesAddTcpInput             (virFirewallPtr fw,
                                                   virFirewallLayer layer,
                                                   const char *iface,

tests/networkxml2firewalldata/nat-default-linux.args

@@ -1,63 +1,63 @@
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert OUTPUT \
+--insert LIBVIRT_OUT \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWX \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -65,13 +65,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 -p udp '!' \
 --destination 192.168.122.0/24 \
@@ -79,7 +79,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 -p tcp '!' \
 --destination 192.168.122.0/24 \
@@ -87,19 +87,19 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
 --table mangle \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \

tests/networkxml2firewalldata/nat-ipv6-linux.args

@@ -1,100 +1,100 @@
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert OUTPUT \
+--insert LIBVIRT_OUT \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWX \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
 --in-interface virbr0 \
 --jump REJECT
 ip6tables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
 --out-interface virbr0 \
 --jump REJECT
 ip6tables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWX \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 547 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -102,13 +102,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 -p udp '!' \
 --destination 192.168.122.0/24 \
@@ -116,7 +116,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 -p tcp '!' \
 --destination 192.168.122.0/24 \
@@ -124,31 +124,31 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 ip6tables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
 --source 2001:db8:ca2:2::/64 \
 --in-interface virbr0 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
 --destination 2001:db8:ca2:2::/64 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table mangle \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \

tests/networkxml2firewalldata/nat-many-ips-linux.args

@@ -1,63 +1,63 @@
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert OUTPUT \
+--insert LIBVIRT_OUT \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWX \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -65,13 +65,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 -p udp '!' \
 --destination 192.168.122.0/24 \
@@ -79,7 +79,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 -p tcp '!' \
 --destination 192.168.122.0/24 \
@@ -87,25 +87,25 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
 --source 192.168.128.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
 --destination 192.168.128.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -113,13 +113,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.128.0/24 '!' \
 --destination 192.168.128.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.128.0/24 \
 -p udp '!' \
 --destination 192.168.128.0/24 \
@@ -127,7 +127,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.128.0/24 \
 -p tcp '!' \
 --destination 192.168.128.0/24 \
@@ -135,25 +135,25 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.128.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.128.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
 --source 192.168.150.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
 --destination 192.168.150.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -161,13 +161,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.150.0/24 '!' \
 --destination 192.168.150.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.150.0/24 \
 -p udp '!' \
 --destination 192.168.150.0/24 \
@@ -175,7 +175,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.150.0/24 \
 -p tcp '!' \
 --destination 192.168.150.0/24 \
@@ -183,19 +183,19 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.150.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.150.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
 --table mangle \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \

tests/networkxml2firewalldata/nat-no-dhcp-linux.args

@@ -1,100 +1,100 @@
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert OUTPUT \
+--insert LIBVIRT_OUT \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWX \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
 --in-interface virbr0 \
 --jump REJECT
 ip6tables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
 --out-interface virbr0 \
 --jump REJECT
 ip6tables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWX \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 547 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -102,13 +102,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 -p udp '!' \
 --destination 192.168.122.0/24 \
@@ -116,7 +116,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 -p tcp '!' \
 --destination 192.168.122.0/24 \
@@ -124,25 +124,25 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 ip6tables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
 --source 2001:db8:ca2:2::/64 \
 --in-interface virbr0 \
 --jump ACCEPT
 ip6tables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
 --destination 2001:db8:ca2:2::/64 \
 --out-interface virbr0 \
 --jump ACCEPT

tests/networkxml2firewalldata/nat-tftp-linux.args

@@ -1,70 +1,70 @@
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert OUTPUT \
+--insert LIBVIRT_OUT \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 69 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWX \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --match conntrack \
@@ -72,13 +72,13 @@ iptables \
 --jump ACCEPT
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 -p udp '!' \
 --destination 192.168.122.0/24 \
@@ -86,7 +86,7 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 -p tcp '!' \
 --destination 192.168.122.0/24 \
@@ -94,19 +94,19 @@ iptables \
 --to-ports 1024-65535
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
 --table nat \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
 --table mangle \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \

tests/networkxml2firewalldata/route-default-linux.args

@@ -1,69 +1,69 @@
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert OUTPUT \
+--insert LIBVIRT_OUT \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol tcp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert INPUT \
+--insert LIBVIRT_INP \
 --in-interface virbr0 \
 --protocol udp \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWX \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWO \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table filter \
---insert FORWARD \
+--insert LIBVIRT_FWI \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
 --table mangle \
---insert POSTROUTING \
+--insert LIBVIRT_PRT \
 --out-interface virbr0 \
 --protocol udp \
 --destination-port 68 \