NuKVM/libvirt
3
0
Fork 0
mirror of https://github.com/libvirt/libvirt.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

tests: test cases for nftables backend

Browse Source 
Run all the networkxml2firewall tests twice - once with iptables
backend, and once with the nftables backend.

The results files for the existing iptables tests were previously
named *.args. That has been changed to *.iptables, and the results
files for the new nftables tests are named *.nftables.

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Laine Stump 2024-04-19 22:19:43 -04:00
parent b89c4991da
commit f341bdee8d
17 changed files with 2678 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
tests/networkxml2firewalldata/base.args → tests/networkxml2firewalldata/base.iptables
View File

256
tests/networkxml2firewalldata/base.nftables Normal file
View File

@ -0,0 +1,256 @@
nft \
list \
table \
ip \
libvirt
nft \
add \
table \
ip \
libvirt
nft \
add \
chain \
ip \
libvirt \
INPUT \
'{ type filter hook input priority 0; policy accept; }'
nft \
add \
chain \
ip \
libvirt \
FORWARD \
'{ type filter hook forward priority 0; policy accept; }'
nft \
add \
chain \
ip \
libvirt \
OUTPUT \
'{ type filter hook output priority 0; policy accept; }'
nft \
add \
chain \
ip \
libvirt \
LIBVIRT_INP
nft \
insert \
rule \
ip \
libvirt \
INPUT \
counter \
jump \
LIBVIRT_INP
nft \
add \
chain \
ip \
libvirt \
LIBVIRT_OUT
nft \
insert \
rule \
ip \
libvirt \
OUTPUT \
counter \
jump \
LIBVIRT_OUT
nft \
add \
chain \
ip \
libvirt \
LIBVIRT_FWO
nft \
insert \
rule \
ip \
libvirt \
FORWARD \
counter \
jump \
LIBVIRT_FWO
nft \
add \
chain \
ip \
libvirt \
LIBVIRT_FWI
nft \
insert \
rule \
ip \
libvirt \
FORWARD \
counter \
jump \
LIBVIRT_FWI
nft \
add \
chain \
ip \
libvirt \
LIBVIRT_FWX
nft \
insert \
rule \
ip \
libvirt \
FORWARD \
counter \
jump \
LIBVIRT_FWX
nft \
add \
chain \
ip \
libvirt \
POSTROUTING \
'{ type nat hook postrouting priority 100; policy accept; }'
nft \
add \
chain \
ip \
libvirt \
LIBVIRT_PRT
nft \
insert \
rule \
ip \
libvirt \
POSTROUTING \
counter \
jump \
LIBVIRT_PRT
nft \
list \
table \
ip6 \
libvirt
nft \
add \
table \
ip6 \
libvirt
nft \
add \
chain \
ip6 \
libvirt \
INPUT \
'{ type filter hook input priority 0; policy accept; }'
nft \
add \
chain \
ip6 \
libvirt \
FORWARD \
'{ type filter hook forward priority 0; policy accept; }'
nft \
add \
chain \
ip6 \
libvirt \
OUTPUT \
'{ type filter hook output priority 0; policy accept; }'
nft \
add \
chain \
ip6 \
libvirt \
LIBVIRT_INP
nft \
insert \
rule \
ip6 \
libvirt \
INPUT \
counter \
jump \
LIBVIRT_INP
nft \
add \
chain \
ip6 \
libvirt \
LIBVIRT_OUT
nft \
insert \
rule \
ip6 \
libvirt \
OUTPUT \
counter \
jump \
LIBVIRT_OUT
nft \
add \
chain \
ip6 \
libvirt \
LIBVIRT_FWO
nft \
insert \
rule \
ip6 \
libvirt \
FORWARD \
counter \
jump \
LIBVIRT_FWO
nft \
add \
chain \
ip6 \
libvirt \
LIBVIRT_FWI
nft \
insert \
rule \
ip6 \
libvirt \
FORWARD \
counter \
jump \
LIBVIRT_FWI
nft \
add \
chain \
ip6 \
libvirt \
LIBVIRT_FWX
nft \
insert \
rule \
ip6 \
libvirt \
FORWARD \
counter \
jump \
LIBVIRT_FWX
nft \
add \
chain \
ip6 \
libvirt \
POSTROUTING \
'{ type nat hook postrouting priority 100; policy accept; }'
nft \
add \
chain \
ip6 \
libvirt \
LIBVIRT_PRT
nft \
insert \
rule \
ip6 \
libvirt \
POSTROUTING \
counter \
jump \
LIBVIRT_PRT

0
tests/networkxml2firewalldata/nat-default-linux.args → tests/networkxml2firewalldata/nat-default-linux.iptables
View File

248
tests/networkxml2firewalldata/nat-default-linux.nftables Normal file
View File

@ -0,0 +1,248 @@
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
tcp \
dport \
67 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
67 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
tcp \
dport \
68 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
68 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWO \
iifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWI \
oifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWX \
iifname \
virbr0 \
oifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWO \
ip \
saddr \
192.168.122.0/24 \
iifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWI \
oifname \
virbr0 \
ip \
daddr \
192.168.122.0/24 \
ct \
state \
related,established \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
meta \
l4proto \
udp \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
meta \
l4proto \
tcp \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
255.255.255.255/32 \
counter \
return
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
224.0.0.0/24 \
counter \
return

0
tests/networkxml2firewalldata/nat-ipv6-linux.args → tests/networkxml2firewalldata/nat-ipv6-linux.iptables
View File

384
tests/networkxml2firewalldata/nat-ipv6-linux.nftables Normal file
View File

@ -0,0 +1,384 @@
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
tcp \
dport \
67 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
67 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
tcp \
dport \
68 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
68 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWO \
iifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWI \
oifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWX \
iifname \
virbr0 \
oifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_FWO \
iifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_FWI \
oifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_FWX \
iifname \
virbr0 \
oifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
547 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
546 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWO \
ip \
saddr \
192.168.122.0/24 \
iifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWI \
oifname \
virbr0 \
ip \
daddr \
192.168.122.0/24 \
ct \
state \
related,established \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
meta \
l4proto \
udp \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
meta \
l4proto \
tcp \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
255.255.255.255/32 \
counter \
return
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
224.0.0.0/24 \
counter \
return
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_FWO \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
iifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_FWI \
ip6 \
daddr \
2001:db8:ca2:2::/64 \
oifname \
virbr0 \
counter \
accept

0
tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args → tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.iptables
View File

456
tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables Normal file
View File

@ -0,0 +1,456 @@
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
tcp \
dport \
67 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
67 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
tcp \
dport \
68 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
68 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWO \
iifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWI \
oifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWX \
iifname \
virbr0 \
oifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_FWO \
iifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_FWI \
oifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_FWX \
iifname \
virbr0 \
oifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
547 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
546 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWO \
ip \
saddr \
192.168.122.0/24 \
iifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWI \
oifname \
virbr0 \
ip \
daddr \
192.168.122.0/24 \
ct \
state \
related,established \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
meta \
l4proto \
udp \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
meta \
l4proto \
tcp \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
255.255.255.255/32 \
counter \
return
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
224.0.0.0/24 \
counter \
return
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_FWO \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
iifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_FWI \
oifname \
virbr0 \
ip6 \
daddr \
2001:db8:ca2:2::/64 \
ct \
state \
related,established \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_PRT \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
ip6 \
daddr \
'!=' \
2001:db8:ca2:2::/64 \
counter \
masquerade
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_PRT \
meta \
l4proto \
udp \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
ip6 \
daddr \
'!=' \
2001:db8:ca2:2::/64 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_PRT \
meta \
l4proto \
tcp \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
ip6 \
daddr \
'!=' \
2001:db8:ca2:2::/64 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_PRT \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
ip6 \
daddr \
ff02::/16 \
counter \
return

0
tests/networkxml2firewalldata/nat-many-ips-linux.args → tests/networkxml2firewalldata/nat-many-ips-linux.iptables
View File

472
tests/networkxml2firewalldata/nat-many-ips-linux.nftables Normal file
View File

@ -0,0 +1,472 @@
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
tcp \
dport \
67 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
67 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
tcp \
dport \
68 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
68 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWO \
iifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWI \
oifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWX \
iifname \
virbr0 \
oifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWO \
ip \
saddr \
192.168.122.0/24 \
iifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWI \
oifname \
virbr0 \
ip \
daddr \
192.168.122.0/24 \
ct \
state \
related,established \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
meta \
l4proto \
udp \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
meta \
l4proto \
tcp \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
255.255.255.255/32 \
counter \
return
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
224.0.0.0/24 \
counter \
return
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWO \
ip \
saddr \
192.168.128.0/24 \
iifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWI \
oifname \
virbr0 \
ip \
daddr \
192.168.128.0/24 \
ct \
state \
related,established \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.128.0/24 \
ip \
daddr \
'!=' \
192.168.128.0/24 \
counter \
masquerade
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
meta \
l4proto \
udp \
ip \
saddr \
192.168.128.0/24 \
ip \
daddr \
'!=' \
192.168.128.0/24 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
meta \
l4proto \
tcp \
ip \
saddr \
192.168.128.0/24 \
ip \
daddr \
'!=' \
192.168.128.0/24 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.128.0/24 \
ip \
daddr \
255.255.255.255/32 \
counter \
return
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.128.0/24 \
ip \
daddr \
224.0.0.0/24 \
counter \
return
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWO \
ip \
saddr \
192.168.150.0/24 \
iifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWI \
oifname \
virbr0 \
ip \
daddr \
192.168.150.0/24 \
ct \
state \
related,established \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.150.0/24 \
ip \
daddr \
'!=' \
192.168.150.0/24 \
counter \
masquerade
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
meta \
l4proto \
udp \
ip \
saddr \
192.168.150.0/24 \
ip \
daddr \
'!=' \
192.168.150.0/24 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
meta \
l4proto \
tcp \
ip \
saddr \
192.168.150.0/24 \
ip \
daddr \
'!=' \
192.168.150.0/24 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.150.0/24 \
ip \
daddr \
255.255.255.255/32 \
counter \
return
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.150.0/24 \
ip \
daddr \
224.0.0.0/24 \
counter \
return

0
tests/networkxml2firewalldata/nat-no-dhcp-linux.args → tests/networkxml2firewalldata/nat-no-dhcp-linux.iptables
View File

384
tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables Normal file
View File

@ -0,0 +1,384 @@
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
tcp \
dport \
67 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
67 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
tcp \
dport \
68 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
68 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWO \
iifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWI \
oifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWX \
iifname \
virbr0 \
oifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_FWO \
iifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_FWI \
oifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_FWX \
iifname \
virbr0 \
oifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
547 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
546 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWO \
ip \
saddr \
192.168.122.0/24 \
iifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWI \
oifname \
virbr0 \
ip \
daddr \
192.168.122.0/24 \
ct \
state \
related,established \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
meta \
l4proto \
udp \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
meta \
l4proto \
tcp \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
255.255.255.255/32 \
counter \
return
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
224.0.0.0/24 \
counter \
return
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_FWO \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
iifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt \
LIBVIRT_FWI \
ip6 \
daddr \
2001:db8:ca2:2::/64 \
oifname \
virbr0 \
counter \
accept

0
tests/networkxml2firewalldata/nat-tftp-linux.args → tests/networkxml2firewalldata/nat-tftp-linux.iptables
View File

274
tests/networkxml2firewalldata/nat-tftp-linux.nftables Normal file
View File

@ -0,0 +1,274 @@
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
tcp \
dport \
67 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
67 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
tcp \
dport \
68 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
68 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
69 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
69 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWO \
iifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWI \
oifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWX \
iifname \
virbr0 \
oifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWO \
ip \
saddr \
192.168.122.0/24 \
iifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWI \
oifname \
virbr0 \
ip \
daddr \
192.168.122.0/24 \
ct \
state \
related,established \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
meta \
l4proto \
udp \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
meta \
l4proto \
tcp \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
255.255.255.255/32 \
counter \
return
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_PRT \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
224.0.0.0/24 \
counter \
return

0
tests/networkxml2firewalldata/route-default-linux.args → tests/networkxml2firewalldata/route-default-linux.iptables
View File

162
tests/networkxml2firewalldata/route-default-linux.nftables Normal file
View File

@ -0,0 +1,162 @@
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
tcp \
dport \
67 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
67 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
tcp \
dport \
68 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
68 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_INP \
iifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
tcp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_OUT \
oifname \
virbr0 \
udp \
dport \
53 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWO \
iifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWI \
oifname \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWX \
iifname \
virbr0 \
oifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWO \
ip \
saddr \
192.168.122.0/24 \
iifname \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt \
LIBVIRT_FWI \
ip \
daddr \
192.168.122.0/24 \
oifname \
virbr0 \
counter \
accept

56
tests/networkxml2firewalltest.c
View File

@ -79,13 +79,21 @@ testCommandDryRun(const char *const*args G_GNUC_UNUSED,
void *opaque G_GNUC_UNUSED) void *opaque G_GNUC_UNUSED)
{ {
*status = 0; *status = 0;
*output = g_strdup(""); /* if arg[1] is -ae then this is an nft command,
* and the caller requested to get the handle
* of the newly added object in stdout
*/
if (STREQ_NULLABLE(args[1], "-ae"))
*output = g_strdup("# handle 5309");
else
*output = g_strdup("");
*error = g_strdup(""); *error = g_strdup("");
} }
static int testCompareXMLToArgvFiles(const char *xml, static int testCompareXMLToArgvFiles(const char *xml,
const char *cmdline, const char *cmdline,
const char *baseargs) const char *baseargs,
virFirewallBackend backend)
{ {
g_autofree char *actualargv = NULL; g_autofree char *actualargv = NULL;
g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER; g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
@ -98,7 +106,7 @@ static int testCompareXMLToArgvFiles(const char *xml,
if (!(def = virNetworkDefParse(NULL, xml, NULL, false))) if (!(def = virNetworkDefParse(NULL, xml, NULL, false)))
return -1; return -1;
if (networkAddFirewallRules(def, VIR_FIREWALL_BACKEND_IPTABLES, NULL) < 0) if (networkAddFirewallRules(def, backend, NULL) < 0)
return -1; return -1;
actual = actualargv = virBufferContentAndReset(&buf); actual = actualargv = virBufferContentAndReset(&buf);
@ -119,6 +127,7 @@ static int testCompareXMLToArgvFiles(const char *xml,
struct testInfo { struct testInfo {
const char *name; const char *name;
const char *baseargs; const char *baseargs;
virFirewallBackend backend;
}; };
@ -132,10 +141,11 @@ testCompareXMLToIPTablesHelper(const void *data)
xml = g_strdup_printf("%s/networkxml2firewalldata/%s.xml", xml = g_strdup_printf("%s/networkxml2firewalldata/%s.xml",
abs_srcdir, info->name); abs_srcdir, info->name);
args = g_strdup_printf("%s/networkxml2firewalldata/%s-%s.args", args = g_strdup_printf("%s/networkxml2firewalldata/%s-%s.%s",
abs_srcdir, info->name, RULESTYPE); abs_srcdir, info->name, RULESTYPE,
virFirewallBackendTypeToString(info->backend));
result = testCompareXMLToArgvFiles(xml, args, info->baseargs); result = testCompareXMLToArgvFiles(xml, args, info->baseargs, info->backend);
return result; return result;
} }
@ -145,24 +155,42 @@ static int
mymain(void) mymain(void)
{ {
int ret = 0; int ret = 0;
g_autofree char *basefile = NULL; g_autofree char *basefileIptables = NULL;
g_autofree char *baseargs = NULL; g_autofree char *basefileNftables = NULL;
g_autofree char *baseargsIptables = NULL;
g_autofree char *baseargsNftables = NULL;
const char *baseargs[VIR_FIREWALL_BACKEND_LAST];
# define DO_TEST(name) \ # define DO_TEST_FOR_BACKEND(name, backend) \
do { \ do { \
struct testInfo info = { \ struct testInfo info = { \
name, baseargs, \ name, baseargs[backend], backend \
}; \ }; \
if (virTestRun("Network XML-2-iptables " name, \ g_autofree char *label = g_strdup_printf("Network XML-2-%s %s", \
testCompareXMLToIPTablesHelper, &info) < 0) \ virFirewallBackendTypeToString(backend), \
name); \
if (virTestRun(label, testCompareXMLToIPTablesHelper, &info) < 0) \
ret = -1; \ ret = -1; \
} while (0) } while (0)
basefile = g_strdup_printf("%s/networkxml2firewalldata/base.args", abs_srcdir); # define DO_TEST(name) \
DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_IPTABLES); \
DO_TEST_FOR_BACKEND(name, VIR_FIREWALL_BACKEND_NFTABLES);
if (virFileReadAll(basefile, INT_MAX, &baseargs) < 0)
basefileIptables = g_strdup_printf("%s/networkxml2firewalldata/base.iptables", abs_srcdir);
if (virFileReadAll(basefileIptables, INT_MAX, &baseargsIptables) < 0)
return EXIT_FAILURE; return EXIT_FAILURE;
baseargs[VIR_FIREWALL_BACKEND_IPTABLES] = baseargsIptables;
basefileNftables = g_strdup_printf("%s/networkxml2firewalldata/base.nftables", abs_srcdir);
if (virFileReadAll(basefileNftables, INT_MAX, &baseargsNftables) < 0)
return EXIT_FAILURE;
baseargs[VIR_FIREWALL_BACKEND_NFTABLES] = baseargsNftables;
DO_TEST("nat-default"); DO_TEST("nat-default");
DO_TEST("nat-tftp"); DO_TEST("nat-tftp");
DO_TEST("nat-many-ips"); DO_TEST("nat-many-ips");