So far this will only affect what happens if there is some failure while applying the firewall rules; the rollback rules aren't yet persistent beyond that time. More work is needed to remember the rollback rules while the network is active, and use those rules to remove the firewall for the network when it is destroyed. Note that the test case data changed because enabling auto-rollback will cause the nftables backend to add "-ae" to each commandline in order to retrieve the handle for the newly created table/chain/rule. (in our simplistic unit-test world, the handle is always "5309").

Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
---
 src/network/bridge_driver_linux.c | 15 +----
 .../nat-default-linux.nftables | 36 +++++-----
 .../nat-ipv6-linux.nftables | 58 ++++++++--------
 .../nat-ipv6-masquerade-linux.nftables | 66 +++++++++----------
 .../nat-many-ips-linux.nftables | 64 +++++++++---------
 .../nat-no-dhcp-linux.nftables | 58 ++++++++--------
 .../nat-tftp-linux.nftables | 40 +++++------
 .../route-default-linux.nftables | 26 ++++----
 tests/networkxml2firewalltest.c | 9 ++-
 9 files changed, 185 insertions(+), 187 deletions(-)

diff --git a/src/network/bridge_driver_linux.c b/src/network/bridge_driver_linux.c
index 058cfa1d80..f6bae334aa 100644
--- a/src/network/bridge_driver_linux.c
+++ b/src/network/bridge_driver_linux.c
@@ -915,7 +915,7 @@ networkAddFirewallRules(virNetworkDef *def,
         }
     }
 
-    virFirewallStartTransaction(fw, 0);
+    virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK);
 
     networkAddGeneralFirewallRules(fw, def);
 
@@ -926,17 +926,8 @@ networkAddFirewallRules(virNetworkDef *def,
             return -1;
     }
 
-    virFirewallStartRollback(fw, 0);
-
-    for (i = 0;
-         (ipdef = virNetworkDefGetIPByIndex(def, AF_UNSPEC, i));
-         i++) {
-        if (networkRemoveIPSpecificFirewallRules(fw, def, ipdef) < 0)
-            return -1;
-    }
-    networkRemoveGeneralFirewallRules(fw, def);
-
-    virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
+    virFirewallStartTransaction(fw, (VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS
+                                     | VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK));
     networkAddChecksumFirewallRules(fw, def);
 
     return virFirewallApply(fw);
diff --git a/tests/networkxml2firewalldata/nat-default-linux.nftables b/tests/networkxml2firewalldata/nat-default-linux.nftables
index 7e01ceba97..7d3c767cc4 100644
--- a/tests/networkxml2firewalldata/nat-default-linux.nftables
+++ b/tests/networkxml2firewalldata/nat-default-linux.nftables
@@ -1,5 +1,5 @@
 nft \
-insert \
+-ae insert \
 rule \
 ip \
 libvirt \
@@ -12,7 +12,7 @@ dport \
 counter \
 accept
 nft \
-insert \
+-ae insert \
 rule \
 ip \
 libvirt \
@@ -25,7 +25,7 @@ dport \
 counter \
 accept
 nft \
-insert \
+-ae insert \
 rule \
 ip \
 libvirt \
@@ -38,7 +38,7 @@ dport \
 counter \
 accept
 nft \
-insert \
+-ae insert \
 rule \
 ip \
 libvirt \
@@ -51,7 +51,7 @@ dport \
 counter \
 accept
 nft \
-insert \
+-ae insert \
 rule \
 ip \
 libvirt \
@@ -64,7 +64,7 @@ dport \
 counter \
 accept
 nft \
-insert \
+-ae insert \
 rule \
 ip \
 libvirt \
@@ -77,7 +77,7 @@ dport \
 counter \
 accept
 nft \
-insert \
+-ae insert \
 rule \
 ip \
 libvirt \
@@ -90,7 +90,7 @@ dport \
 counter \
 accept
 nft \
-insert \
+-ae insert \
 rule \
 ip \
 libvirt \
@@ -103,7 +103,7 @@ dport \
 counter \
 accept
 nft \
-insert \
+-ae insert \
 rule \
 ip \
 libvirt \
@@ -113,7 +113,7 @@ virbr0 \
 counter \
 reject
 nft \
-insert \
+-ae insert \
 rule \
 ip \
 libvirt \
@@ -123,7 +123,7 @@ virbr0 \
 counter \
 reject
 nft \
-insert \
+-ae insert \
 rule \
 ip \
 libvirt \
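Review bot: The reason VIR_FIREWALL_TRANSACTION_AUTO_ROLLBACK is now also set on the IGNORE_ERRORS checksum group is not visible in the code: errors in that group are ignored and it is the last group applied, so presumably nothing in this function can trigger a rollback of it, and the flag only matters for the follow-up work the commit message describes (keeping rollback rules for teardown). A one-line comment above the call would stop the next reader from "simplifying" the flag away, e.g. `/* AUTO_ROLLBACK records removal rules for later use; failures of the checksum rules themselves are still ignored */`. The same flag at the -915 hunk replaces the explicit virFirewallStartRollback() group that removed the IP-specific rules and then the general rules; whether the backend-generated rollback reverses the rules in an equivalent order, and whether the iptables backend implements the flag at all (only the nftables fixtures change in this series), is not shown here and is worth confirming before the explicit removal code is gone for good. networkAddFirewallRules starts before the first hunk.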
@@ -135,7 +135,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -148,7 +148,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -164,7 +164,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -179,7 +179,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -199,7 +199,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -219,7 +219,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -233,7 +233,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ diff --git a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables index 3a75dfced7..1fcfd8f709 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-linux.nftables @@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -113,7 +113,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ 
@@ -123,7 +123,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -135,7 +135,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -145,7 +145,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -155,7 +155,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -167,7 +167,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -180,7 +180,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -193,7 +193,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -206,7 +206,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -219,7 +219,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -232,7 +232,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -245,7 +245,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -258,7 +258,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -274,7 +274,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -289,7 +289,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -309,7 +309,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -329,7 +329,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -343,7 +343,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -357,7 +357,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -370,7 +370,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ 
diff --git a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables index 5959a920ff..c0594e8817 100644 --- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables +++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.nftables @@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -113,7 +113,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -123,7 +123,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -135,7 +135,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -145,7 +145,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -155,7 +155,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -167,7 +167,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -180,7 +180,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -193,7 +193,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ 
@@ -206,7 +206,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -219,7 +219,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -232,7 +232,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -245,7 +245,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -258,7 +258,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -274,7 +274,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -289,7 +289,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -309,7 +309,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -329,7 +329,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -343,7 +343,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -357,7 +357,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -370,7 +370,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -386,7 +386,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -401,7 +401,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -421,7 +421,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -441,7 +441,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ diff --git a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables index 7cf989e040..ac9b3fcfbb 100644 --- a/tests/networkxml2firewalldata/nat-many-ips-linux.nftables +++ b/tests/networkxml2firewalldata/nat-many-ips-linux.nftables @@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ 
@@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -113,7 +113,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -123,7 +123,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -135,7 +135,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -148,7 +148,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -164,7 +164,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -179,7 +179,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -199,7 +199,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -219,7 +219,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -233,7 +233,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -247,7 +247,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -260,7 +260,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -276,7 +276,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ 
@@ -291,7 +291,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -311,7 +311,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -331,7 +331,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -345,7 +345,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -359,7 +359,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -372,7 +372,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -388,7 +388,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -403,7 +403,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -423,7 +423,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -443,7 +443,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -457,7 +457,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ diff --git a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables index 3a75dfced7..1fcfd8f709 100644 --- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.nftables @@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ 
@@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -113,7 +113,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -123,7 +123,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -135,7 +135,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -145,7 +145,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -155,7 +155,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -167,7 +167,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -180,7 +180,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -193,7 +193,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -206,7 +206,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -219,7 +219,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -232,7 +232,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -245,7 +245,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -258,7 +258,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -274,7 +274,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -289,7 +289,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -309,7 +309,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -329,7 +329,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ 
@@ -343,7 +343,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -357,7 +357,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ @@ -370,7 +370,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip6 \ libvirt \ diff --git a/tests/networkxml2firewalldata/nat-tftp-linux.nftables b/tests/networkxml2firewalldata/nat-tftp-linux.nftables index 15ac92c46a..2102aa97bc 100644 --- a/tests/networkxml2firewalldata/nat-tftp-linux.nftables +++ b/tests/networkxml2firewalldata/nat-tftp-linux.nftables @@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -116,7 +116,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -129,7 +129,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -139,7 +139,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -149,7 +149,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -161,7 +161,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -174,7 +174,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ 
@@ -190,7 +190,7 @@ related,established \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -205,7 +205,7 @@ daddr \ counter \ masquerade nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -225,7 +225,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -245,7 +245,7 @@ masquerade \ to \ :1024-65535 nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -259,7 +259,7 @@ daddr \ counter \ return nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ diff --git a/tests/networkxml2firewalldata/route-default-linux.nftables b/tests/networkxml2firewalldata/route-default-linux.nftables index f56cc2d0bc..834f6366ae 100644 --- a/tests/networkxml2firewalldata/route-default-linux.nftables +++ b/tests/networkxml2firewalldata/route-default-linux.nftables @@ -1,5 +1,5 @@ nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -12,7 +12,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -25,7 +25,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -38,7 +38,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -51,7 +51,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -64,7 +64,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -77,7 +77,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -90,7 +90,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -103,7 +103,7 @@ dport \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -113,7 +113,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -123,7 +123,7 @@ virbr0 \ counter \ reject nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ @@ -135,7 +135,7 @@ virbr0 \ counter \ accept nft \ -insert \ +-ae insert \ rule \ ip \ libvirt \ 
@@ -148,7 +148,7 @@ virbr0 \
 counter \
 accept
 nft \
-insert \
+-ae insert \
 rule \
 ip \
 libvirt \
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
index ab1c7b217d..6e9eca0832 100644
--- a/tests/networkxml2firewalltest.c
+++ b/tests/networkxml2firewalltest.c
@@ -79,7 +79,14 @@ testCommandDryRun(const char *const*args G_GNUC_UNUSED,
                   void *opaque G_GNUC_UNUSED)
 {
     *status = 0;
-    *output = g_strdup("");
+    /* if arg[1] is -ae then this is an nft command,
+     * and the caller requested to get the handle
+     * of the newly added object in stdout
+     */
+    if (STREQ_NULLABLE(args[1], "-ae"))
+        *output = g_strdup("# handle 5309");
+    else
+        *output = g_strdup("");
     *error = g_strdup("");
 }
 
-- 
2.39.2
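Review bot: The new comment says `arg[1]` while the code tests `args[1]`; make them agree, e.g. `/* if args[1] is "-ae" this is an nft command and the caller asked for the handle of the newly added object on stdout */`. The stub only recognises the option in the second argv slot, so if the nftables backend ever emits it elsewhere (or as separate `-a -e`) the test would silently fall back to empty output and the handle parser would stop being exercised; either a comment stating that the position is deliberate or a scan of args for the option would make that visible. As far as I recall, real `nft -ae` echoes the command text before the `# handle N` trailer, so the canned `# handle 5309` only covers the trailer — fine if the parser keys on `# handle` alone, but worth confirming against the backend. testCommandDryRun's parameter list starts before the hunk.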