[PATCH v2 05/27] util: change name of virFirewallRule to virFirewallCmd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



These objects aren't rules, they are commands that are executed that
may create a firewall rule, delete a firewall rule, or simply list the
existing firewall rules. It's confusing for the objects to be called
"Rule" (especially in the case of the function
virFirewallRemoveRule(), which doesn't remove a rule from the
firewall, it takes one of the objects out of the list of commands to
execute! In order to remove a rule from the host's firewall, you have
to Add a "rule" (now "cmd" aka command) to the list that will, when
applied/run, remove a rule from the host firewall.)

Changing the name to virFirewallCmd makes it all much less confusing.

Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
---
 src/libvirt_private.syms                  |  16 +-
 src/network/network_iptables.c            | 286 +++----
 src/nwfilter/nwfilter_ebiptables_driver.c | 988 +++++++++++-----------
 src/util/virebtables.c                    |  32 +-
 src/util/virfirewall.c                    | 223 +++--
 src/util/virfirewall.h                    |  54 +-
 tests/virfirewalltest.c                   | 404 ++++-----
 7 files changed, 1000 insertions(+), 1003 deletions(-)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index e4fbb905d4..a9462197e0 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2402,17 +2402,17 @@ virFileCacheSetPriv;
 
 
 # util/virfirewall.h
-virFirewallAddRuleFull;
+virFirewallAddCmdFull;
 virFirewallApply;
+virFirewallCmdAddArg;
+virFirewallCmdAddArgFormat;
+virFirewallCmdAddArgList;
+virFirewallCmdAddArgSet;
+virFirewallCmdGetArgCount;
+virFirewallCmdToString;
 virFirewallFree;
 virFirewallNew;
-virFirewallRemoveRule;
-virFirewallRuleAddArg;
-virFirewallRuleAddArgFormat;
-virFirewallRuleAddArgList;
-virFirewallRuleAddArgSet;
-virFirewallRuleGetArgCount;
-virFirewallRuleToString;
+virFirewallRemoveCmd;
 virFirewallStartRollback;
 virFirewallStartTransaction;
 
diff --git a/src/network/network_iptables.c b/src/network/network_iptables.c
index 45907dd2da..31af9e0db6 100644
--- a/src/network/network_iptables.c
+++ b/src/network/network_iptables.c
@@ -99,18 +99,18 @@ iptablesPrivateChainCreate(virFirewall *fw,
     for (i = 0; i < data->nchains; i++) {
         const char *from;
         if (!virHashLookup(chains, data->chains[i].child)) {
-            virFirewallAddRule(fw, layer,
-                               "--table", data->table,
-                               "--new-chain", data->chains[i].child, NULL);
+            virFirewallAddCmd(fw, layer,
+                              "--table", data->table,
+                              "--new-chain", data->chains[i].child, NULL);
             *data->changed = true;
         }
 
         from = virHashLookup(links, data->chains[i].child);
         if (!from || STRNEQ(from, data->chains[i].parent))
-            virFirewallAddRule(fw, layer,
-                               "--table", data->table,
-                               "--insert", data->chains[i].parent,
-                               "--jump", data->chains[i].child, NULL);
+            virFirewallAddCmd(fw, layer,
+                              "--table", data->table,
+                              "--insert", data->chains[i].parent,
+                              "--jump", data->chains[i].child, NULL);
     }
 
     return 0;
@@ -152,10 +152,10 @@ iptablesSetupPrivateChains(virFirewallLayer layer)
     virFirewallStartTransaction(fw, 0);
 
     for (i = 0; i < G_N_ELEMENTS(data); i++)
-        virFirewallAddRuleFull(fw, data[i].layer,
-                               false, iptablesPrivateChainCreate,
-                               &(data[i]), "--table", data[i].table,
-                               "--list-rules", NULL);
+        virFirewallAddCmdFull(fw, data[i].layer,
+                              false, iptablesPrivateChainCreate,
+                              &(data[i]), "--table", data[i].table,
+                              "--list-rules", NULL);
 
     if (virFirewallApply(fw) < 0)
         return -1;
@@ -174,15 +174,15 @@ iptablesInput(virFirewall *fw,
 {
     g_autofree char *portstr = g_strdup_printf("%d", port);
 
-    virFirewallAddRule(fw, layer,
-                       "--table", "filter",
-                       action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
-                       VIR_IPTABLES_INPUT_CHAIN,
-                       "--in-interface", iface,
-                       "--protocol", tcp ? "tcp" : "udp",
-                       "--destination-port", portstr,
-                       "--jump", "ACCEPT",
-                       NULL);
+    virFirewallAddCmd(fw, layer,
+                      "--table", "filter",
+                      action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                      VIR_IPTABLES_INPUT_CHAIN,
+                      "--in-interface", iface,
+                      "--protocol", tcp ? "tcp" : "udp",
+                      "--destination-port", portstr,
+                      "--jump", "ACCEPT",
+                      NULL);
 }
 
 static void
@@ -195,15 +195,15 @@ iptablesOutput(virFirewall *fw,
 {
     g_autofree char *portstr = g_strdup_printf("%d", port);
 
-    virFirewallAddRule(fw, layer,
-                       "--table", "filter",
-                       action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
-                       VIR_IPTABLES_OUTPUT_CHAIN,
-                       "--out-interface", iface,
-                       "--protocol", tcp ? "tcp" : "udp",
-                       "--destination-port", portstr,
-                       "--jump", "ACCEPT",
-                       NULL);
+    virFirewallAddCmd(fw, layer,
+                      "--table", "filter",
+                      action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                      VIR_IPTABLES_OUTPUT_CHAIN,
+                      "--out-interface", iface,
+                      "--protocol", tcp ? "tcp" : "udp",
+                      "--destination-port", portstr,
+                      "--jump", "ACCEPT",
+                      NULL);
 }
 
 /**
@@ -370,24 +370,24 @@ iptablesForwardAllowOut(virFirewall *fw,
         return -1;
 
     if (physdev && physdev[0])
-        virFirewallAddRule(fw, layer,
-                           "--table", "filter",
-                           action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
-                           VIR_IPTABLES_FWD_OUT_CHAIN,
-                           "--source", networkstr,
-                           "--in-interface", iface,
-                           "--out-interface", physdev,
-                           "--jump", "ACCEPT",
-                           NULL);
+        virFirewallAddCmd(fw, layer,
+                          "--table", "filter",
+                          action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                          VIR_IPTABLES_FWD_OUT_CHAIN,
+                          "--source", networkstr,
+                          "--in-interface", iface,
+                          "--out-interface", physdev,
+                          "--jump", "ACCEPT",
+                          NULL);
     else
-        virFirewallAddRule(fw, layer,
-                           "--table", "filter",
-                           action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
-                           VIR_IPTABLES_FWD_OUT_CHAIN,
-                           "--source", networkstr,
-                           "--in-interface", iface,
-                           "--jump", "ACCEPT",
-                           NULL);
+        virFirewallAddCmd(fw, layer,
+                          "--table", "filter",
+                          action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                          VIR_IPTABLES_FWD_OUT_CHAIN,
+                          "--source", networkstr,
+                          "--in-interface", iface,
+                          "--jump", "ACCEPT",
+                          NULL);
 
     return 0;
 }
@@ -460,28 +460,28 @@ iptablesForwardAllowRelatedIn(virFirewall *fw,
         return -1;
 
     if (physdev && physdev[0])
-        virFirewallAddRule(fw, layer,
-                           "--table", "filter",
-                           action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
-                           VIR_IPTABLES_FWD_IN_CHAIN,
-                           "--destination", networkstr,
-                           "--in-interface", physdev,
-                           "--out-interface", iface,
-                           "--match", "conntrack",
-                           "--ctstate", "ESTABLISHED,RELATED",
-                           "--jump", "ACCEPT",
-                           NULL);
+        virFirewallAddCmd(fw, layer,
+                          "--table", "filter",
+                          action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                          VIR_IPTABLES_FWD_IN_CHAIN,
+                          "--destination", networkstr,
+                          "--in-interface", physdev,
+                          "--out-interface", iface,
+                          "--match", "conntrack",
+                          "--ctstate", "ESTABLISHED,RELATED",
+                          "--jump", "ACCEPT",
+                          NULL);
     else
-        virFirewallAddRule(fw, layer,
-                           "--table", "filter",
-                           action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
-                           VIR_IPTABLES_FWD_IN_CHAIN,
-                           "--destination", networkstr,
-                           "--out-interface", iface,
-                           "--match", "conntrack",
-                           "--ctstate", "ESTABLISHED,RELATED",
-                           "--jump", "ACCEPT",
-                           NULL);
+        virFirewallAddCmd(fw, layer,
+                          "--table", "filter",
+                          action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                          VIR_IPTABLES_FWD_IN_CHAIN,
+                          "--destination", networkstr,
+                          "--out-interface", iface,
+                          "--match", "conntrack",
+                          "--ctstate", "ESTABLISHED,RELATED",
+                          "--jump", "ACCEPT",
+                          NULL);
 
     return 0;
 }
@@ -552,24 +552,24 @@ iptablesForwardAllowIn(virFirewall *fw,
         return -1;
 
     if (physdev && physdev[0])
-        virFirewallAddRule(fw, layer,
-                           "--table", "filter",
-                           action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
-                           VIR_IPTABLES_FWD_IN_CHAIN,
-                           "--destination", networkstr,
-                           "--in-interface", physdev,
-                           "--out-interface", iface,
-                           "--jump", "ACCEPT",
-                           NULL);
+        virFirewallAddCmd(fw, layer,
+                          "--table", "filter",
+                          action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                          VIR_IPTABLES_FWD_IN_CHAIN,
+                          "--destination", networkstr,
+                          "--in-interface", physdev,
+                          "--out-interface", iface,
+                          "--jump", "ACCEPT",
+                          NULL);
     else
-        virFirewallAddRule(fw, layer,
-                           "--table", "filter",
-                           action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
-                           VIR_IPTABLES_FWD_IN_CHAIN,
-                           "--destination", networkstr,
-                           "--out-interface", iface,
-                           "--jump", "ACCEPT",
-                           NULL);
+        virFirewallAddCmd(fw, layer,
+                          "--table", "filter",
+                          action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                          VIR_IPTABLES_FWD_IN_CHAIN,
+                          "--destination", networkstr,
+                          "--out-interface", iface,
+                          "--jump", "ACCEPT",
+                          NULL);
     return 0;
 }
 
@@ -627,14 +627,14 @@ iptablesForwardAllowCross(virFirewall *fw,
                           const char *iface,
                           int action)
 {
-    virFirewallAddRule(fw, layer,
-                       "--table", "filter",
-                       action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
-                       VIR_IPTABLES_FWD_X_CHAIN,
-                       "--in-interface", iface,
-                       "--out-interface", iface,
-                       "--jump", "ACCEPT",
-                       NULL);
+    virFirewallAddCmd(fw, layer,
+                      "--table", "filter",
+                      action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                      VIR_IPTABLES_FWD_X_CHAIN,
+                      "--in-interface", iface,
+                      "--out-interface", iface,
+                      "--jump", "ACCEPT",
+                      NULL);
 }
 
 /**
@@ -681,13 +681,13 @@ iptablesForwardRejectOut(virFirewall *fw,
                          const char *iface,
                          int action)
 {
-    virFirewallAddRule(fw, layer,
-                       "--table", "filter",
-                       action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
-                       VIR_IPTABLES_FWD_OUT_CHAIN,
-                       "--in-interface", iface,
-                       "--jump", "REJECT",
-                       NULL);
+    virFirewallAddCmd(fw, layer,
+                      "--table", "filter",
+                      action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                      VIR_IPTABLES_FWD_OUT_CHAIN,
+                      "--in-interface", iface,
+                      "--jump", "REJECT",
+                      NULL);
 }
 
 /**
@@ -733,13 +733,13 @@ iptablesForwardRejectIn(virFirewall *fw,
                         const char *iface,
                         int action)
 {
-    virFirewallAddRule(fw, layer,
-                       "--table", "filter",
-                       action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
-                       VIR_IPTABLES_FWD_IN_CHAIN,
-                       "--out-interface", iface,
-                       "--jump", "REJECT",
-                       NULL);
+    virFirewallAddCmd(fw, layer,
+                      "--table", "filter",
+                      action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                      VIR_IPTABLES_FWD_IN_CHAIN,
+                      "--out-interface", iface,
+                      "--jump", "REJECT",
+                      NULL);
 }
 
 /**
@@ -797,7 +797,7 @@ iptablesForwardMasquerade(virFirewall *fw,
     g_autofree char *addrEndStr = NULL;
     g_autofree char *portRangeStr = NULL;
     g_autofree char *natRangeStr = NULL;
-    virFirewallRule *rule;
+    virFirewallCmd *fwCmd;
     int af = VIR_SOCKET_ADDR_FAMILY(netaddr);
     virFirewallLayer layer = af == AF_INET ?
         VIR_FIREWALL_LAYER_IPV4 : VIR_FIREWALL_LAYER_IPV6;
@@ -815,7 +815,7 @@ iptablesForwardMasquerade(virFirewall *fw,
     }
 
     if (protocol && protocol[0]) {
-        rule = virFirewallAddRule(fw, layer,
+        fwCmd = virFirewallAddCmd(fw, layer,
                                   "--table", "nat",
                                   action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
                                   VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
@@ -824,7 +824,7 @@ iptablesForwardMasquerade(virFirewall *fw,
                                   "!", "--destination", networkstr,
                                   NULL);
     } else {
-        rule = virFirewallAddRule(fw, layer,
+        fwCmd = virFirewallAddCmd(fw, layer,
                                   "--table", "nat",
                                   action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
                                   VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
@@ -834,7 +834,7 @@ iptablesForwardMasquerade(virFirewall *fw,
     }
 
     if (physdev && physdev[0])
-        virFirewallRuleAddArgList(fw, rule, "--out-interface", physdev, NULL);
+        virFirewallCmdAddArgList(fw, fwCmd, "--out-interface", physdev, NULL);
 
     if (protocol && protocol[0]) {
         if (port->start == 0 && port->end == 0) {
@@ -862,16 +862,16 @@ iptablesForwardMasquerade(virFirewall *fw,
                                           portRangeStr ? portRangeStr : "");
         }
 
-        virFirewallRuleAddArgList(fw, rule,
-                                  "--jump", "SNAT",
-                                  "--to-source", natRangeStr, NULL);
+        virFirewallCmdAddArgList(fw, fwCmd,
+                                 "--jump", "SNAT",
+                                 "--to-source", natRangeStr, NULL);
     } else {
-        virFirewallRuleAddArgList(fw, rule,
-                                  "--jump", "MASQUERADE", NULL);
+        virFirewallCmdAddArgList(fw, fwCmd,
+                                 "--jump", "MASQUERADE", NULL);
 
         if (portRangeStr && portRangeStr[0])
-            virFirewallRuleAddArgList(fw, rule,
-                                      "--to-ports", &portRangeStr[1], NULL);
+            virFirewallCmdAddArgList(fw, fwCmd,
+                                     "--to-ports", &portRangeStr[1], NULL);
     }
 
     return 0;
@@ -951,24 +951,24 @@ iptablesForwardDontMasquerade(virFirewall *fw,
         return -1;
 
     if (physdev && physdev[0])
-        virFirewallAddRule(fw, layer,
-                           "--table", "nat",
-                           action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
-                           VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
-                           "--out-interface", physdev,
-                           "--source", networkstr,
-                           "--destination", destaddr,
-                           "--jump", "RETURN",
-                           NULL);
+        virFirewallAddCmd(fw, layer,
+                          "--table", "nat",
+                          action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                          VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
+                          "--out-interface", physdev,
+                          "--source", networkstr,
+                          "--destination", destaddr,
+                          "--jump", "RETURN",
+                          NULL);
     else
-        virFirewallAddRule(fw, layer,
-                           "--table", "nat",
-                           action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
-                           VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
-                           "--source", networkstr,
-                           "--destination", destaddr,
-                           "--jump", "RETURN",
-                           NULL);
+        virFirewallAddCmd(fw, layer,
+                          "--table", "nat",
+                          action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                          VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
+                          "--source", networkstr,
+                          "--destination", destaddr,
+                          "--jump", "RETURN",
+                          NULL);
 
     return 0;
 }
@@ -1033,15 +1033,15 @@ iptablesOutputFixUdpChecksum(virFirewall *fw,
 {
     g_autofree char *portstr = g_strdup_printf("%d", port);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "--table", "mangle",
-                       action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
-                       VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
-                       "--out-interface", iface,
-                       "--protocol", "udp",
-                       "--destination-port", portstr,
-                       "--jump", "CHECKSUM", "--checksum-fill",
-                       NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "--table", "mangle",
+                      action == VIR_NETFILTER_INSERT ? "--insert" : "--delete",
+                      VIR_IPTABLES_NAT_POSTROUTE_CHAIN,
+                      "--out-interface", iface,
+                      "--protocol", "udp",
+                      "--destination-port", portstr,
+                      "--jump", "CHECKSUM", "--checksum-fill",
+                      NULL);
 }
 
 /**
diff --git a/src/nwfilter/nwfilter_ebiptables_driver.c b/src/nwfilter/nwfilter_ebiptables_driver.c
index 56bddb9097..3ef1bb576e 100644
--- a/src/nwfilter/nwfilter_ebiptables_driver.c
+++ b/src/nwfilter/nwfilter_ebiptables_driver.c
@@ -334,7 +334,7 @@ printDataTypeAsHex(virNWFilterVarCombIter *vars,
 
 static int
 ebtablesHandleEthHdr(virFirewall *fw,
-                     virFirewallRule *fwrule,
+                     virFirewallCmd *fwrule,
                      virNWFilterVarCombIter *vars,
                      ethHdrDataDef *ethHdr,
                      bool reverse)
@@ -348,11 +348,11 @@ ebtablesHandleEthHdr(virFirewall *fw,
                           &ethHdr->dataSrcMACAddr) < 0)
             return -1;
 
-        virFirewallRuleAddArgList(fw, fwrule,
-                                  reverse ? "-d" : "-s",
-                                  NULL);
+        virFirewallCmdAddArgList(fw, fwrule,
+                                 reverse ? "-d" : "-s",
+                                 NULL);
         if (ENTRY_WANT_NEG_SIGN(&ethHdr->dataSrcMACAddr))
-            virFirewallRuleAddArg(fw, fwrule, "!");
+            virFirewallCmdAddArg(fw, fwrule, "!");
 
         if (HAS_ENTRY_ITEM(&ethHdr->dataSrcMACMask)) {
             if (printDataType(vars,
@@ -360,10 +360,10 @@ ebtablesHandleEthHdr(virFirewall *fw,
                               &ethHdr->dataSrcMACMask) < 0)
                 return -1;
 
-            virFirewallRuleAddArgFormat(fw, fwrule,
-                                        "%s/%s", macaddr, macmask);
+            virFirewallCmdAddArgFormat(fw, fwrule,
+                                       "%s/%s", macaddr, macmask);
         } else {
-            virFirewallRuleAddArg(fw, fwrule, macaddr);
+            virFirewallCmdAddArg(fw, fwrule, macaddr);
         }
     }
 
@@ -373,11 +373,11 @@ ebtablesHandleEthHdr(virFirewall *fw,
                           &ethHdr->dataDstMACAddr) < 0)
             return -1;
 
-        virFirewallRuleAddArgList(fw, fwrule,
-                                  reverse ? "-s" : "-d",
-                                  NULL);
+        virFirewallCmdAddArgList(fw, fwrule,
+                                 reverse ? "-s" : "-d",
+                                 NULL);
         if (ENTRY_WANT_NEG_SIGN(&ethHdr->dataDstMACAddr))
-            virFirewallRuleAddArg(fw, fwrule, "!");
+            virFirewallCmdAddArg(fw, fwrule, "!");
 
         if (HAS_ENTRY_ITEM(&ethHdr->dataDstMACMask)) {
             if (printDataType(vars,
@@ -385,10 +385,10 @@ ebtablesHandleEthHdr(virFirewall *fw,
                               &ethHdr->dataDstMACMask) < 0)
                 return -1;
 
-            virFirewallRuleAddArgFormat(fw, fwrule,
-                                        "%s/%s", macaddr, macmask);
+            virFirewallCmdAddArgFormat(fw, fwrule,
+                                       "%s/%s", macaddr, macmask);
         } else {
-            virFirewallRuleAddArg(fw, fwrule, macaddr);
+            virFirewallCmdAddArg(fw, fwrule, macaddr);
         }
     }
 
@@ -403,38 +403,38 @@ static void
 iptablesCreateBaseChainsFW(virFirewall *fw,
                            virFirewallLayer layer)
 {
-    virFirewallAddRuleFull(fw, layer,
-                           true, NULL, NULL,
-                           "-N", VIRT_IN_CHAIN, NULL);
-    virFirewallAddRuleFull(fw, layer,
-                           true, NULL, NULL,
-                           "-N", VIRT_OUT_CHAIN, NULL);
-    virFirewallAddRuleFull(fw, layer,
-                           true, NULL, NULL,
-                           "-N", VIRT_IN_POST_CHAIN, NULL);
-    virFirewallAddRuleFull(fw, layer,
-                           true, NULL, NULL,
-                           "-N", HOST_IN_CHAIN, NULL);
-    virFirewallAddRuleFull(fw, layer,
-                           true, NULL, NULL,
-                           "-D", "FORWARD", "-j", VIRT_IN_CHAIN, NULL);
-    virFirewallAddRuleFull(fw, layer,
-                           true, NULL, NULL,
-                           "-D", "FORWARD", "-j", VIRT_OUT_CHAIN, NULL);
-    virFirewallAddRuleFull(fw, layer,
-                           true, NULL, NULL,
-                           "-D", "FORWARD", "-j", VIRT_IN_POST_CHAIN, NULL);
-    virFirewallAddRuleFull(fw, layer,
-                           true, NULL, NULL,
-                           "-D", "INPUT", "-j", HOST_IN_CHAIN, NULL);
-    virFirewallAddRule(fw, layer,
-                       "-I", "FORWARD", "1", "-j", VIRT_IN_CHAIN, NULL);
-    virFirewallAddRule(fw, layer,
-                       "-I", "FORWARD", "2", "-j", VIRT_OUT_CHAIN, NULL);
-    virFirewallAddRule(fw, layer,
-                       "-I", "FORWARD", "3", "-j", VIRT_IN_POST_CHAIN, NULL);
-    virFirewallAddRule(fw, layer,
-                       "-I", "INPUT", "1", "-j", HOST_IN_CHAIN, NULL);
+    virFirewallAddCmdFull(fw, layer,
+                          true, NULL, NULL,
+                          "-N", VIRT_IN_CHAIN, NULL);
+    virFirewallAddCmdFull(fw, layer,
+                          true, NULL, NULL,
+                          "-N", VIRT_OUT_CHAIN, NULL);
+    virFirewallAddCmdFull(fw, layer,
+                          true, NULL, NULL,
+                          "-N", VIRT_IN_POST_CHAIN, NULL);
+    virFirewallAddCmdFull(fw, layer,
+                          true, NULL, NULL,
+                          "-N", HOST_IN_CHAIN, NULL);
+    virFirewallAddCmdFull(fw, layer,
+                          true, NULL, NULL,
+                          "-D", "FORWARD", "-j", VIRT_IN_CHAIN, NULL);
+    virFirewallAddCmdFull(fw, layer,
+                          true, NULL, NULL,
+                          "-D", "FORWARD", "-j", VIRT_OUT_CHAIN, NULL);
+    virFirewallAddCmdFull(fw, layer,
+                          true, NULL, NULL,
+                          "-D", "FORWARD", "-j", VIRT_IN_POST_CHAIN, NULL);
+    virFirewallAddCmdFull(fw, layer,
+                          true, NULL, NULL,
+                          "-D", "INPUT", "-j", HOST_IN_CHAIN, NULL);
+    virFirewallAddCmd(fw, layer,
+                      "-I", "FORWARD", "1", "-j", VIRT_IN_CHAIN, NULL);
+    virFirewallAddCmd(fw, layer,
+                      "-I", "FORWARD", "2", "-j", VIRT_OUT_CHAIN, NULL);
+    virFirewallAddCmd(fw, layer,
+                      "-I", "FORWARD", "3", "-j", VIRT_IN_POST_CHAIN, NULL);
+    virFirewallAddCmd(fw, layer,
+                      "-I", "INPUT", "1", "-j", HOST_IN_CHAIN, NULL);
 }
 
 
@@ -453,8 +453,8 @@ iptablesCreateTmpRootChainFW(virFirewall *fw,
 
     PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
 
-    virFirewallAddRule(fw, layer,
-                       "-N", chain, NULL);
+    virFirewallAddCmd(fw, layer,
+                      "-N", chain, NULL);
 }
 
 
@@ -490,12 +490,12 @@ _iptablesRemoveRootChainFW(virFirewall *fw,
 
     PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
 
-    virFirewallAddRuleFull(fw, layer,
-                           true, NULL, NULL,
-                           "-F", chain, NULL);
-    virFirewallAddRuleFull(fw, layer,
-                           true, NULL, NULL,
-                           "-X", chain, NULL);
+    virFirewallAddCmdFull(fw, layer,
+                          true, NULL, NULL,
+                          "-F", chain, NULL);
+    virFirewallAddCmdFull(fw, layer,
+                          true, NULL, NULL,
+                          "-X", chain, NULL);
 }
 
 
@@ -561,17 +561,17 @@ iptablesLinkTmpRootChainFW(virFirewall *fw,
     PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
 
     if (incoming)
-        virFirewallAddRule(fw, layer,
-                           "-A", basechain,
-                           MATCH_PHYSDEV_IN_FW,
-                           ifname,
-                           "-g", chain, NULL);
+        virFirewallAddCmd(fw, layer,
+                          "-A", basechain,
+                          MATCH_PHYSDEV_IN_FW,
+                          ifname,
+                          "-g", chain, NULL);
     else
-        virFirewallAddRule(fw, layer,
-                           "-A", basechain,
-                           MATCH_PHYSDEV_OUT_FW,
-                           ifname,
-                           "-g", chain, NULL);
+        virFirewallAddCmd(fw, layer,
+                          "-A", basechain,
+                          MATCH_PHYSDEV_OUT_FW,
+                          ifname,
+                          "-g", chain, NULL);
 }
 
 
@@ -591,15 +591,15 @@ iptablesSetupVirtInPostFW(virFirewall *fw G_GNUC_UNUSED,
                           virFirewallLayer layer G_GNUC_UNUSED,
                           const char *ifname G_GNUC_UNUSED)
 {
-    virFirewallAddRuleFull(fw, layer,
-                           true, NULL, NULL,
-                           "-D", VIRT_IN_POST_CHAIN,
-                           MATCH_PHYSDEV_IN_FW,
-                           ifname, "-j", "ACCEPT", NULL);
-    virFirewallAddRule(fw, layer,
-                       "-A", VIRT_IN_POST_CHAIN,
-                       MATCH_PHYSDEV_IN_FW,
-                       ifname, "-j", "ACCEPT", NULL);
+    virFirewallAddCmdFull(fw, layer,
+                          true, NULL, NULL,
+                          "-D", VIRT_IN_POST_CHAIN,
+                          MATCH_PHYSDEV_IN_FW,
+                          ifname, "-j", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, layer,
+                      "-A", VIRT_IN_POST_CHAIN,
+                      MATCH_PHYSDEV_IN_FW,
+                      ifname, "-j", "ACCEPT", NULL);
 }
 
 
@@ -608,11 +608,11 @@ iptablesClearVirtInPostFW(virFirewall *fw,
                           virFirewallLayer layer,
                           const char *ifname)
 {
-    virFirewallAddRuleFull(fw, layer,
-                           true, NULL, NULL,
-                           "-D", VIRT_IN_POST_CHAIN,
-                           MATCH_PHYSDEV_IN_FW,
-                           ifname, "-j", "ACCEPT", NULL);
+    virFirewallAddCmdFull(fw, layer,
+                          true, NULL, NULL,
+                          "-D", VIRT_IN_POST_CHAIN,
+                          MATCH_PHYSDEV_IN_FW,
+                          ifname, "-j", "ACCEPT", NULL);
 }
 
 
@@ -638,19 +638,19 @@ _iptablesUnlinkRootChainFW(virFirewall *fw,
     PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
 
     if (incoming)
-        virFirewallAddRuleFull(fw, layer,
-                               true, NULL, NULL,
-                               "-D", basechain,
-                               MATCH_PHYSDEV_IN_FW, ifname,
-                               "-g", chain,
-                               NULL);
+        virFirewallAddCmdFull(fw, layer,
+                              true, NULL, NULL,
+                              "-D", basechain,
+                              MATCH_PHYSDEV_IN_FW, ifname,
+                              "-g", chain,
+                              NULL);
     else
-        virFirewallAddRuleFull(fw, layer,
-                               true, NULL, NULL,
-                               "-D", basechain,
-                               MATCH_PHYSDEV_OUT_FW, ifname,
-                               "-g", chain,
-                               NULL);
+        virFirewallAddCmdFull(fw, layer,
+                              true, NULL, NULL,
+                              "-D", basechain,
+                              MATCH_PHYSDEV_OUT_FW, ifname,
+                              "-g", chain,
+                              NULL);
 
     /*
      * Previous versions of libvirt may have created a rule
@@ -658,12 +658,12 @@ _iptablesUnlinkRootChainFW(virFirewall *fw,
      * as well.
      */
     if (!incoming)
-        virFirewallAddRuleFull(fw, layer,
-                               true, NULL, NULL,
-                               "-D", basechain,
-                               MATCH_PHYSDEV_OUT_OLD_FW, ifname,
-                               "-g", chain,
-                               NULL);
+        virFirewallAddCmdFull(fw, layer,
+                              true, NULL, NULL,
+                              "-D", basechain,
+                              MATCH_PHYSDEV_OUT_OLD_FW, ifname,
+                              "-g", chain,
+                              NULL);
 }
 
 
@@ -735,8 +735,8 @@ iptablesRenameTmpRootChainFW(virFirewall *fw,
     PRINT_IPT_ROOT_CHAIN(tmpchain, tmpChainPrefix, ifname);
     PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
 
-    virFirewallAddRule(fw, layer,
-                       "-E", tmpchain, chain, NULL);
+    virFirewallAddCmd(fw, layer,
+                      "-E", tmpchain, chain, NULL);
 }
 
 
@@ -753,7 +753,7 @@ iptablesRenameTmpRootChainsFW(virFirewall *fw,
 
 static int
 iptablesHandleSrcMacAddr(virFirewall *fw,
-                         virFirewallRule *fwrule,
+                         virFirewallCmd *fwrule,
                          virNWFilterVarCombIter *vars,
                          nwItemDesc *srcMacAddr,
                          bool directionIn,
@@ -774,15 +774,15 @@ iptablesHandleSrcMacAddr(virFirewall *fw,
                           srcMacAddr) < 0)
             return -1;
 
-        virFirewallRuleAddArgList(fw, fwrule,
-                                  "-m", "mac",
-                                  NULL);
+        virFirewallCmdAddArgList(fw, fwrule,
+                                 "-m", "mac",
+                                 NULL);
         if (ENTRY_WANT_NEG_SIGN(srcMacAddr))
-            virFirewallRuleAddArg(fw, fwrule, "!");
-        virFirewallRuleAddArgList(fw, fwrule,
-                                  "--mac-source",
-                                  macaddr,
-                                  NULL);
+            virFirewallCmdAddArg(fw, fwrule, "!");
+        virFirewallCmdAddArgList(fw, fwrule,
+                                 "--mac-source",
+                                 macaddr,
+                                 NULL);
     }
 
     return 0;
@@ -791,7 +791,7 @@ iptablesHandleSrcMacAddr(virFirewall *fw,
 
 static int
 iptablesHandleIPHdr(virFirewall *fw,
-                    virFirewallRule *fwrule,
+                    virFirewallCmd *fwrule,
                     virNWFilterVarCombIter *vars,
                     ipHdrDataDef *ipHdr,
                     bool directionIn,
@@ -819,8 +819,8 @@ iptablesHandleIPHdr(virFirewall *fw,
             return -1;
 
         if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataSrcIPAddr))
-            virFirewallRuleAddArg(fw, fwrule, "!");
-        virFirewallRuleAddArg(fw, fwrule, src);
+            virFirewallCmdAddArg(fw, fwrule, "!");
+        virFirewallCmdAddArg(fw, fwrule, src);
 
         if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPMask)) {
 
@@ -829,10 +829,10 @@ iptablesHandleIPHdr(virFirewall *fw,
                               &ipHdr->dataSrcIPMask) < 0)
                 return -1;
 
-            virFirewallRuleAddArgFormat(fw, fwrule,
-                                        "%s/%s", ipaddr, number);
+            virFirewallCmdAddArgFormat(fw, fwrule,
+                                       "%s/%s", ipaddr, number);
         } else {
-            virFirewallRuleAddArg(fw, fwrule, ipaddr);
+            virFirewallCmdAddArg(fw, fwrule, ipaddr);
         }
     } else if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPFrom)) {
         if (printDataType(vars,
@@ -840,12 +840,12 @@ iptablesHandleIPHdr(virFirewall *fw,
                           &ipHdr->dataSrcIPFrom) < 0)
             return -1;
 
-        virFirewallRuleAddArgList(fw, fwrule,
-                                  "-m", "iprange",
-                                  NULL);
+        virFirewallCmdAddArgList(fw, fwrule,
+                                 "-m", "iprange",
+                                 NULL);
         if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataSrcIPFrom))
-            virFirewallRuleAddArg(fw, fwrule, "!");
-        virFirewallRuleAddArg(fw, fwrule, srcrange);
+            virFirewallCmdAddArg(fw, fwrule, "!");
+        virFirewallCmdAddArg(fw, fwrule, srcrange);
 
         if (HAS_ENTRY_ITEM(&ipHdr->dataSrcIPTo)) {
 
@@ -854,10 +854,10 @@ iptablesHandleIPHdr(virFirewall *fw,
                               &ipHdr->dataSrcIPTo) < 0)
                 return -1;
 
-            virFirewallRuleAddArgFormat(fw, fwrule,
-                                        "%s-%s", ipaddr, ipaddralt);
+            virFirewallCmdAddArgFormat(fw, fwrule,
+                                       "%s-%s", ipaddr, ipaddralt);
         } else {
-            virFirewallRuleAddArg(fw, fwrule, ipaddr);
+            virFirewallCmdAddArg(fw, fwrule, ipaddr);
         }
     }
 
@@ -868,8 +868,8 @@ iptablesHandleIPHdr(virFirewall *fw,
            return -1;
 
         if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDstIPAddr))
-            virFirewallRuleAddArg(fw, fwrule, "!");
-        virFirewallRuleAddArg(fw, fwrule, dst);
+            virFirewallCmdAddArg(fw, fwrule, "!");
+        virFirewallCmdAddArg(fw, fwrule, dst);
 
         if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPMask)) {
             if (printDataType(vars,
@@ -877,10 +877,10 @@ iptablesHandleIPHdr(virFirewall *fw,
                               &ipHdr->dataDstIPMask) < 0)
                 return -1;
 
-            virFirewallRuleAddArgFormat(fw, fwrule,
-                                        "%s/%s", ipaddr, number);
+            virFirewallCmdAddArgFormat(fw, fwrule,
+                                       "%s/%s", ipaddr, number);
         } else {
-            virFirewallRuleAddArg(fw, fwrule, ipaddr);
+            virFirewallCmdAddArg(fw, fwrule, ipaddr);
         }
     } else if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPFrom)) {
         if (printDataType(vars,
@@ -888,12 +888,12 @@ iptablesHandleIPHdr(virFirewall *fw,
                           &ipHdr->dataDstIPFrom) < 0)
             return -1;
 
-        virFirewallRuleAddArgList(fw, fwrule,
-                                  "-m", "iprange",
-                                  NULL);
+        virFirewallCmdAddArgList(fw, fwrule,
+                                 "-m", "iprange",
+                                 NULL);
         if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDstIPFrom))
-            virFirewallRuleAddArg(fw, fwrule, "!");
-        virFirewallRuleAddArg(fw, fwrule, dstrange);
+            virFirewallCmdAddArg(fw, fwrule, "!");
+        virFirewallCmdAddArg(fw, fwrule, dstrange);
 
         if (HAS_ENTRY_ITEM(&ipHdr->dataDstIPTo)) {
             if (printDataType(vars,
@@ -901,10 +901,10 @@ iptablesHandleIPHdr(virFirewall *fw,
                               &ipHdr->dataDstIPTo) < 0)
                 return -1;
 
-            virFirewallRuleAddArgFormat(fw, fwrule,
-                                        "%s-%s", ipaddr, ipaddralt);
+            virFirewallCmdAddArgFormat(fw, fwrule,
+                                       "%s-%s", ipaddr, ipaddralt);
         } else {
-            virFirewallRuleAddArg(fw, fwrule, ipaddr);
+            virFirewallCmdAddArg(fw, fwrule, ipaddr);
         }
     }
 
@@ -914,14 +914,14 @@ iptablesHandleIPHdr(virFirewall *fw,
                           &ipHdr->dataDSCP) < 0)
            return -1;
 
-        virFirewallRuleAddArgList(fw, fwrule,
-                                  "-m", "dscp",
-                                  NULL);
+        virFirewallCmdAddArgList(fw, fwrule,
+                                 "-m", "dscp",
+                                 NULL);
         if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataDSCP))
-            virFirewallRuleAddArg(fw, fwrule, "!");
-        virFirewallRuleAddArgList(fw, fwrule,
-                                  "--dscp", number,
-                                  NULL);
+            virFirewallCmdAddArg(fw, fwrule, "!");
+        virFirewallCmdAddArgList(fw, fwrule,
+                                 "--dscp", number,
+                                 NULL);
     }
 
     if (HAS_ENTRY_ITEM(&ipHdr->dataConnlimitAbove)) {
@@ -939,7 +939,7 @@ iptablesHandleIPHdr(virFirewall *fw,
 
 static int
 iptablesHandleIPHdrAfterStateMatch(virFirewall *fw,
-                                   virFirewallRule *fwrule,
+                                   virFirewallCmd *fwrule,
                                    virNWFilterVarCombIter *vars,
                                    ipHdrDataDef *ipHdr,
                                    bool directionIn)
@@ -955,17 +955,17 @@ iptablesHandleIPHdrAfterStateMatch(virFirewall *fw,
                           &ipHdr->dataIPSet) < 0)
             return -1;
 
-        virFirewallRuleAddArgList(fw, fwrule,
-                                  "-m", "set",
-                                  "--match-set", str,
-                                  NULL);
+        virFirewallCmdAddArgList(fw, fwrule,
+                                 "-m", "set",
+                                 "--match-set", str,
+                                 NULL);
 
         if (printDataTypeDirection(vars,
                                    str, sizeof(str),
                                    &ipHdr->dataIPSetFlags, directionIn) < 0)
             return -1;
 
-        virFirewallRuleAddArg(fw, fwrule, str);
+        virFirewallCmdAddArg(fw, fwrule, str);
     }
 
     if (HAS_ENTRY_ITEM(&ipHdr->dataConnlimitAbove)) {
@@ -977,24 +977,24 @@ iptablesHandleIPHdrAfterStateMatch(virFirewall *fw,
 
             /* place connlimit after potential -m state --state ...
                since this is the most useful order */
-            virFirewallRuleAddArgList(fw, fwrule,
-                                      "-m", "connlimit",
-                                      NULL);
+            virFirewallCmdAddArgList(fw, fwrule,
+                                     "-m", "connlimit",
+                                     NULL);
             if (ENTRY_WANT_NEG_SIGN(&ipHdr->dataConnlimitAbove))
-                virFirewallRuleAddArg(fw, fwrule, "!");
-            virFirewallRuleAddArgList(fw, fwrule,
-                                      "--connlimit-above", number,
-                                      NULL);
+                virFirewallCmdAddArg(fw, fwrule, "!");
+            virFirewallCmdAddArgList(fw, fwrule,
+                                     "--connlimit-above", number,
+                                     NULL);
         }
     }
 
     if (HAS_ENTRY_ITEM(&ipHdr->dataComment)) {
         /* keep comments behind everything else -- they are packet eval.
            no-ops */
-        virFirewallRuleAddArgList(fw, fwrule,
-                                  "-m", "comment",
-                                  "--comment", ipHdr->dataComment.u.string,
-                                  NULL);
+        virFirewallCmdAddArgList(fw, fwrule,
+                                 "-m", "comment",
+                                 "--comment", ipHdr->dataComment.u.string,
+                                 NULL);
     }
 
     return 0;
@@ -1003,7 +1003,7 @@ iptablesHandleIPHdrAfterStateMatch(virFirewall *fw,
 
 static int
 iptablesHandlePortData(virFirewall *fw,
-                       virFirewallRule *fwrule,
+                       virFirewallCmd *fwrule,
                        virNWFilterVarCombIter *vars,
                        portDataDef *portData,
                        bool directionIn)
@@ -1024,8 +1024,8 @@ iptablesHandlePortData(virFirewall *fw,
             return -1;
 
         if (ENTRY_WANT_NEG_SIGN(&portData->dataSrcPortStart))
-            virFirewallRuleAddArg(fw, fwrule, "!");
-        virFirewallRuleAddArg(fw, fwrule, sport);
+            virFirewallCmdAddArg(fw, fwrule, "!");
+        virFirewallCmdAddArg(fw, fwrule, sport);
 
         if (HAS_ENTRY_ITEM(&portData->dataSrcPortEnd)) {
             if (printDataType(vars,
@@ -1033,10 +1033,10 @@ iptablesHandlePortData(virFirewall *fw,
                               &portData->dataSrcPortEnd) < 0)
                 return -1;
 
-            virFirewallRuleAddArgFormat(fw, fwrule,
-                                        "%s:%s", portstr, portstralt);
+            virFirewallCmdAddArgFormat(fw, fwrule,
+                                       "%s:%s", portstr, portstralt);
         } else {
-            virFirewallRuleAddArg(fw, fwrule, portstr);
+            virFirewallCmdAddArg(fw, fwrule, portstr);
         }
     }
 
@@ -1047,8 +1047,8 @@ iptablesHandlePortData(virFirewall *fw,
             return -1;
 
         if (ENTRY_WANT_NEG_SIGN(&portData->dataDstPortStart))
-            virFirewallRuleAddArg(fw, fwrule, "!");
-        virFirewallRuleAddArg(fw, fwrule, dport);
+            virFirewallCmdAddArg(fw, fwrule, "!");
+        virFirewallCmdAddArg(fw, fwrule, dport);
 
         if (HAS_ENTRY_ITEM(&portData->dataDstPortEnd)) {
             if (printDataType(vars,
@@ -1056,10 +1056,10 @@ iptablesHandlePortData(virFirewall *fw,
                               &portData->dataDstPortEnd) < 0)
                 return -1;
 
-            virFirewallRuleAddArgFormat(fw, fwrule,
-                                        "%s:%s", portstr, portstralt);
+            virFirewallCmdAddArgFormat(fw, fwrule,
+                                       "%s:%s", portstr, portstralt);
         } else {
-            virFirewallRuleAddArg(fw, fwrule, portstr);
+            virFirewallCmdAddArg(fw, fwrule, portstr);
         }
     }
 
@@ -1069,18 +1069,18 @@ iptablesHandlePortData(virFirewall *fw,
 
 static void
 iptablesEnforceDirection(virFirewall *fw,
-                         virFirewallRule *fwrule,
+                         virFirewallCmd *fwrule,
                          bool directionIn,
                          virNWFilterRuleDef *rule)
 {
     if (rule->tt != VIR_NWFILTER_RULE_DIRECTION_INOUT)
-        virFirewallRuleAddArgList(fw, fwrule,
-                                  "-m", "conntrack",
-                                  "--ctdir",
-                                  (directionIn ?
-                                   "Reply" :
-                                   "Original"),
-                                  NULL);
+        virFirewallCmdAddArgList(fw, fwrule,
+                                 "-m", "conntrack",
+                                 "--ctdir",
+                                 (directionIn ?
+                                  "Reply" :
+                                  "Original"),
+                                 NULL);
 }
 
 
@@ -1123,7 +1123,7 @@ _iptablesCreateRuleInstance(virFirewall *fw,
     bool skipRule = false;
     bool skipMatch = false;
     bool hasICMPType = false;
-    virFirewallRule *fwrule;
+    virFirewallCmd *fwrule;
     size_t fwruleargs;
 
     PRINT_IPT_ROOT_CHAIN(chain, chainPrefix, ifname);
@@ -1131,12 +1131,12 @@ _iptablesCreateRuleInstance(virFirewall *fw,
     switch ((int)rule->prtclType) {
     case VIR_NWFILTER_RULE_PROTOCOL_TCP:
     case VIR_NWFILTER_RULE_PROTOCOL_TCPoIPV6:
-        fwrule = virFirewallAddRule(fw, layer,
-                                    "-A", chain,
-                                    "-p", "tcp",
-                                    NULL);
+        fwrule = virFirewallAddCmd(fw, layer,
+                                   "-A", chain,
+                                   "-p", "tcp",
+                                   NULL);
 
-        fwruleargs = virFirewallRuleGetArgCount(fwrule);
+        fwruleargs = virFirewallCmdGetArgCount(fwrule);
 
         if (iptablesHandleSrcMacAddr(fw, fwrule,
                                      vars,
@@ -1156,16 +1156,16 @@ _iptablesCreateRuleInstance(virFirewall *fw,
             g_autofree char *mask = NULL;
             g_autofree char *flags = NULL;
             if (ENTRY_WANT_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPFlags))
-                virFirewallRuleAddArg(fw, fwrule, "!");
-            virFirewallRuleAddArg(fw, fwrule, "--tcp-flags");
+                virFirewallCmdAddArg(fw, fwrule, "!");
+            virFirewallCmdAddArg(fw, fwrule, "--tcp-flags");
 
             if (!(mask = virNWFilterPrintTCPFlags(rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.mask)))
                 return -1;
-            virFirewallRuleAddArg(fw, fwrule, mask);
+            virFirewallCmdAddArg(fw, fwrule, mask);
 
             if (!(flags = virNWFilterPrintTCPFlags(rule->p.tcpHdrFilter.dataTCPFlags.u.tcpFlags.flags)))
                 return -1;
-            virFirewallRuleAddArg(fw, fwrule, flags);
+            virFirewallCmdAddArg(fw, fwrule, flags);
         }
 
         if (iptablesHandlePortData(fw, fwrule,
@@ -1181,21 +1181,21 @@ _iptablesCreateRuleInstance(virFirewall *fw,
                 return -1;
 
             if (ENTRY_WANT_NEG_SIGN(&rule->p.tcpHdrFilter.dataTCPOption))
-                virFirewallRuleAddArg(fw, fwrule, "!");
-            virFirewallRuleAddArgList(fw, fwrule,
-                                      "--tcp-option", number, NULL);
+                virFirewallCmdAddArg(fw, fwrule, "!");
+            virFirewallCmdAddArgList(fw, fwrule,
+                                     "--tcp-option", number, NULL);
         }
 
     break;
 
     case VIR_NWFILTER_RULE_PROTOCOL_UDP:
     case VIR_NWFILTER_RULE_PROTOCOL_UDPoIPV6:
-        fwrule = virFirewallAddRule(fw, layer,
-                                    "-A", chain,
-                                    "-p", "udp",
-                                    NULL);
+        fwrule = virFirewallAddCmd(fw, layer,
+                                   "-A", chain,
+                                   "-p", "udp",
+                                   NULL);
 
-        fwruleargs = virFirewallRuleGetArgCount(fwrule);
+        fwruleargs = virFirewallCmdGetArgCount(fwrule);
 
         if (iptablesHandleSrcMacAddr(fw, fwrule,
                                      vars,
@@ -1220,12 +1220,12 @@ _iptablesCreateRuleInstance(virFirewall *fw,
 
     case VIR_NWFILTER_RULE_PROTOCOL_UDPLITE:
     case VIR_NWFILTER_RULE_PROTOCOL_UDPLITEoIPV6:
-        fwrule = virFirewallAddRule(fw, layer,
-                                    "-A", chain,
-                                    "-p", "udplite",
-                                    NULL);
+        fwrule = virFirewallAddCmd(fw, layer,
+                                   "-A", chain,
+                                   "-p", "udplite",
+                                   NULL);
 
-        fwruleargs = virFirewallRuleGetArgCount(fwrule);
+        fwruleargs = virFirewallCmdGetArgCount(fwrule);
 
         if (iptablesHandleSrcMacAddr(fw, fwrule,
                                      vars,
@@ -1245,12 +1245,12 @@ _iptablesCreateRuleInstance(virFirewall *fw,
 
     case VIR_NWFILTER_RULE_PROTOCOL_ESP:
     case VIR_NWFILTER_RULE_PROTOCOL_ESPoIPV6:
-        fwrule = virFirewallAddRule(fw, layer,
-                                    "-A", chain,
-                                    "-p", "esp",
-                                    NULL);
+        fwrule = virFirewallAddCmd(fw, layer,
+                                   "-A", chain,
+                                   "-p", "esp",
+                                   NULL);
 
-        fwruleargs = virFirewallRuleGetArgCount(fwrule);
+        fwruleargs = virFirewallCmdGetArgCount(fwrule);
 
         if (iptablesHandleSrcMacAddr(fw, fwrule,
                                      vars,
@@ -1270,12 +1270,12 @@ _iptablesCreateRuleInstance(virFirewall *fw,
 
     case VIR_NWFILTER_RULE_PROTOCOL_AH:
     case VIR_NWFILTER_RULE_PROTOCOL_AHoIPV6:
-        fwrule = virFirewallAddRule(fw, layer,
-                                    "-A", chain,
-                                    "-p", "ah",
-                                    NULL);
+        fwrule = virFirewallAddCmd(fw, layer,
+                                   "-A", chain,
+                                   "-p", "ah",
+                                   NULL);
 
-        fwruleargs = virFirewallRuleGetArgCount(fwrule);
+        fwruleargs = virFirewallCmdGetArgCount(fwrule);
 
         if (iptablesHandleSrcMacAddr(fw, fwrule,
                                      vars,
@@ -1295,12 +1295,12 @@ _iptablesCreateRuleInstance(virFirewall *fw,
 
     case VIR_NWFILTER_RULE_PROTOCOL_SCTP:
     case VIR_NWFILTER_RULE_PROTOCOL_SCTPoIPV6:
-        fwrule = virFirewallAddRule(fw, layer,
-                                    "-A", chain,
-                                    "-p", "sctp",
-                                    NULL);
+        fwrule = virFirewallAddCmd(fw, layer,
+                                   "-A", chain,
+                                   "-p", "sctp",
+                                   NULL);
 
-        fwruleargs = virFirewallRuleGetArgCount(fwrule);
+        fwruleargs = virFirewallCmdGetArgCount(fwrule);
 
         if (iptablesHandleSrcMacAddr(fw, fwrule,
                                      vars,
@@ -1325,18 +1325,18 @@ _iptablesCreateRuleInstance(virFirewall *fw,
 
     case VIR_NWFILTER_RULE_PROTOCOL_ICMP:
     case VIR_NWFILTER_RULE_PROTOCOL_ICMPV6:
-        fwrule = virFirewallAddRule(fw, layer,
-                                    "-A", chain,
-                                    NULL);
+        fwrule = virFirewallAddCmd(fw, layer,
+                                   "-A", chain,
+                                   NULL);
 
         if (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ICMP)
-            virFirewallRuleAddArgList(fw, fwrule,
-                                      "-p", "icmp", NULL);
+            virFirewallCmdAddArgList(fw, fwrule,
+                                     "-p", "icmp", NULL);
         else
-            virFirewallRuleAddArgList(fw, fwrule,
-                                      "-p", "icmpv6", NULL);
+            virFirewallCmdAddArgList(fw, fwrule,
+                                     "-p", "icmpv6", NULL);
 
-        fwruleargs = virFirewallRuleGetArgCount(fwrule);
+        fwruleargs = virFirewallCmdGetArgCount(fwrule);
 
         if (iptablesHandleSrcMacAddr(fw, fwrule,
                                      vars,
@@ -1358,7 +1358,7 @@ _iptablesCreateRuleInstance(virFirewall *fw,
             hasICMPType = true;
 
             if (maySkipICMP) {
-                virFirewallRemoveRule(fw, fwrule);
+                virFirewallRemoveCmd(fw, fwrule);
                 return 0;
             }
 
@@ -1373,8 +1373,8 @@ _iptablesCreateRuleInstance(virFirewall *fw,
                 return -1;
 
             if (ENTRY_WANT_NEG_SIGN(&rule->p.icmpHdrFilter.dataICMPType))
-                virFirewallRuleAddArg(fw, fwrule, "!");
-            virFirewallRuleAddArg(fw, fwrule, parm);
+                virFirewallCmdAddArg(fw, fwrule, "!");
+            virFirewallCmdAddArg(fw, fwrule, parm);
 
             if (HAS_ENTRY_ITEM(&rule->p.icmpHdrFilter.dataICMPCode)) {
                 if (printDataType(vars,
@@ -1382,21 +1382,21 @@ _iptablesCreateRuleInstance(virFirewall *fw,
                                   &rule->p.icmpHdrFilter.dataICMPCode) < 0)
                     return -1;
 
-                virFirewallRuleAddArgFormat(fw, fwrule,
-                                            "%s/%s", number, numberalt);
+                virFirewallCmdAddArgFormat(fw, fwrule,
+                                           "%s/%s", number, numberalt);
             } else {
-                virFirewallRuleAddArg(fw, fwrule, number);
+                virFirewallCmdAddArg(fw, fwrule, number);
             }
         }
     break;
 
     case VIR_NWFILTER_RULE_PROTOCOL_IGMP:
-        fwrule = virFirewallAddRule(fw, layer,
-                                    "-A", chain,
-                                    "-p", "igmp",
-                                    NULL);
+        fwrule = virFirewallAddCmd(fw, layer,
+                                   "-A", chain,
+                                   "-p", "igmp",
+                                   NULL);
 
-        fwruleargs = virFirewallRuleGetArgCount(fwrule);
+        fwruleargs = virFirewallCmdGetArgCount(fwrule);
 
         if (iptablesHandleSrcMacAddr(fw, fwrule,
                                      vars,
@@ -1416,12 +1416,12 @@ _iptablesCreateRuleInstance(virFirewall *fw,
 
     case VIR_NWFILTER_RULE_PROTOCOL_ALL:
     case VIR_NWFILTER_RULE_PROTOCOL_ALLoIPV6:
-        fwrule = virFirewallAddRule(fw, layer,
-                                    "-A", chain,
-                                    "-p", "all",
-                                    NULL);
+        fwrule = virFirewallAddCmd(fw, layer,
+                                   "-A", chain,
+                                   "-p", "all",
+                                   NULL);
 
-        fwruleargs = virFirewallRuleGetArgCount(fwrule);
+        fwruleargs = virFirewallCmdGetArgCount(fwrule);
 
         if (iptablesHandleSrcMacAddr(fw, fwrule,
                                      vars,
@@ -1447,9 +1447,9 @@ _iptablesCreateRuleInstance(virFirewall *fw,
     }
 
     if ((srcMacSkipped &&
-         fwruleargs == virFirewallRuleGetArgCount(fwrule)) ||
+         fwruleargs == virFirewallCmdGetArgCount(fwrule)) ||
         skipRule) {
-        virFirewallRemoveRule(fw, fwrule);
+        virFirewallRemoveCmd(fw, fwrule);
         return 0;
     }
 
@@ -1461,10 +1461,10 @@ _iptablesCreateRuleInstance(virFirewall *fw,
     }
 
     if (match && !skipMatch) {
-        virFirewallRuleAddArgList(fw, fwrule,
-                                  "-m", "conntrack",
-                                  "--ctstate", match,
-                                  NULL);
+        virFirewallCmdAddArgList(fw, fwrule,
+                                 "-m", "conntrack",
+                                 "--ctstate", match,
+                                 NULL);
     }
 
     if (defMatch && match != NULL && !skipMatch && !hasICMPType)
@@ -1478,8 +1478,8 @@ _iptablesCreateRuleInstance(virFirewall *fw,
                                            directionIn) < 0)
         return -1;
 
-    virFirewallRuleAddArgList(fw, fwrule,
-                              "-j", target, NULL);
+    virFirewallCmdAddArgList(fw, fwrule,
+                             "-j", target, NULL);
 
     return 0;
 }
@@ -1752,7 +1752,7 @@ ebtablesCreateRuleInstance(virFirewall *fw,
     char chain[MAX_CHAINNAME_LENGTH];
     const char *target;
     bool hasMask = false;
-    virFirewallRule *fwrule;
+    virFirewallCmd *fwrule;
 
     if (STREQ(chainSuffix,
               virNWFilterChainSuffixTypeToString(
@@ -1768,10 +1768,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                               field, sizeof(field), \
                               &rule->p.STRUCT.ITEM) < 0) \
                 return -1; \
-            virFirewallRuleAddArg(fw, fwrule, CLI); \
+            virFirewallCmdAddArg(fw, fwrule, CLI); \
             if (ENTRY_WANT_NEG_SIGN(&rule->p.STRUCT.ITEM)) \
-                virFirewallRuleAddArg(fw, fwrule, "!"); \
-            virFirewallRuleAddArg(fw, fwrule, field); \
+                virFirewallCmdAddArg(fw, fwrule, "!"); \
+            virFirewallCmdAddArg(fw, fwrule, field); \
         }
 
 #define INST_ITEM_2PARMS(STRUCT, ITEM, ITEM_HI, CLI, SEP) \
@@ -1780,18 +1780,18 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                               field, sizeof(field), \
                               &rule->p.STRUCT.ITEM) < 0) \
                 return -1; \
-            virFirewallRuleAddArg(fw, fwrule, CLI); \
+            virFirewallCmdAddArg(fw, fwrule, CLI); \
             if (ENTRY_WANT_NEG_SIGN(&rule->p.STRUCT.ITEM)) \
-                virFirewallRuleAddArg(fw, fwrule, "!"); \
+                virFirewallCmdAddArg(fw, fwrule, "!"); \
             if (HAS_ENTRY_ITEM(&rule->p.STRUCT.ITEM_HI)) { \
                 if (printDataType(vars, \
                                   fieldalt, sizeof(fieldalt), \
                                   &rule->p.STRUCT.ITEM_HI) < 0) \
                     return -1; \
-                virFirewallRuleAddArgFormat(fw, fwrule, \
-                                            "%s%s%s", field, SEP, fieldalt); \
+                virFirewallCmdAddArgFormat(fw, fwrule, \
+                                           "%s%s%s", field, SEP, fieldalt); \
             } else  { \
-                virFirewallRuleAddArg(fw, fwrule, field); \
+                virFirewallCmdAddArg(fw, fwrule, field); \
             } \
         }
 #define INST_ITEM_RANGE(S, I, I_HI, C) \
@@ -1801,9 +1801,9 @@ ebtablesCreateRuleInstance(virFirewall *fw,
 
     switch ((int)rule->prtclType) {
     case VIR_NWFILTER_RULE_PROTOCOL_MAC:
-        fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                                    "-t", "nat",
-                                    "-A", chain, NULL);
+        fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                                   "-t", "nat",
+                                   "-A", chain, NULL);
 
         if (ebtablesHandleEthHdr(fw, fwrule,
                                  vars,
@@ -1816,16 +1816,16 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                                    number, sizeof(number),
                                    &rule->p.ethHdrFilter.dataProtocolID) < 0)
                 return -1;
-            virFirewallRuleAddArg(fw, fwrule, "-p");
+            virFirewallCmdAddArg(fw, fwrule, "-p");
             if (ENTRY_WANT_NEG_SIGN(&rule->p.ethHdrFilter.dataProtocolID))
-                virFirewallRuleAddArg(fw, fwrule, "!");
-            virFirewallRuleAddArg(fw, fwrule, number);
+                virFirewallCmdAddArg(fw, fwrule, "!");
+            virFirewallCmdAddArg(fw, fwrule, number);
         }
         break;
 
     case VIR_NWFILTER_RULE_PROTOCOL_VLAN:
-        fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                                    "-t", "nat", "-A", chain, NULL);
+        fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                                   "-t", "nat", "-A", chain, NULL);
 
         if (ebtablesHandleEthHdr(fw, fwrule,
                                  vars,
@@ -1833,8 +1833,8 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                                  reverse) < 0)
             return -1;
 
-        virFirewallRuleAddArgList(fw, fwrule,
-                                  "-p", "0x8100", NULL);
+        virFirewallCmdAddArgList(fw, fwrule,
+                                 "-p", "0x8100", NULL);
 
         INST_ITEM(vlanHdrFilter, dataVlanID, "--vlan-id")
         INST_ITEM(vlanHdrFilter, dataVlanEncap, "--vlan-encap")
@@ -1852,8 +1852,8 @@ ebtablesCreateRuleInstance(virFirewall *fw,
             return -1;
         }
 
-        fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                                    "-t", "nat", "-A", chain, NULL);
+        fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                                   "-t", "nat", "-A", chain, NULL);
 
         if (ebtablesHandleEthHdr(fw, fwrule,
                                  vars,
@@ -1861,8 +1861,8 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                                  reverse) < 0)
             return -1;
 
-        virFirewallRuleAddArgList(fw, fwrule,
-                                  "-d",  NWFILTER_MAC_BGA, NULL);
+        virFirewallCmdAddArgList(fw, fwrule,
+                                 "-d",  NWFILTER_MAC_BGA, NULL);
 
         INST_ITEM(stpHdrFilter, dataType, "--stp-type")
         INST_ITEM(stpHdrFilter, dataFlags, "--stp-flags")
@@ -1888,8 +1888,8 @@ ebtablesCreateRuleInstance(virFirewall *fw,
 
     case VIR_NWFILTER_RULE_PROTOCOL_ARP:
     case VIR_NWFILTER_RULE_PROTOCOL_RARP:
-        fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                                    "-t", "nat", "-A", chain, NULL);
+        fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                                   "-t", "nat", "-A", chain, NULL);
 
         if (ebtablesHandleEthHdr(fw, fwrule,
                                  vars,
@@ -1897,21 +1897,21 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                                  reverse) < 0)
             return -1;
 
-        virFirewallRuleAddArg(fw, fwrule, "-p");
-        virFirewallRuleAddArgFormat(fw, fwrule, "0x%x",
-                                    (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ARP)
-                                    ? l3_protocols[L3_PROTO_ARP_IDX].attr
-                                    : l3_protocols[L3_PROTO_RARP_IDX].attr);
+        virFirewallCmdAddArg(fw, fwrule, "-p");
+        virFirewallCmdAddArgFormat(fw, fwrule, "0x%x",
+                                   (rule->prtclType == VIR_NWFILTER_RULE_PROTOCOL_ARP)
+                                   ? l3_protocols[L3_PROTO_ARP_IDX].attr
+                                   : l3_protocols[L3_PROTO_RARP_IDX].attr);
 
         if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataHWType)) {
             if (printDataType(vars,
                               number, sizeof(number),
                               &rule->p.arpHdrFilter.dataHWType) < 0)
                 return -1;
-            virFirewallRuleAddArg(fw, fwrule, "--arp-htype");
+            virFirewallCmdAddArg(fw, fwrule, "--arp-htype");
             if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataHWType))
-                virFirewallRuleAddArg(fw, fwrule, "!");
-            virFirewallRuleAddArg(fw, fwrule, number);
+                virFirewallCmdAddArg(fw, fwrule, "!");
+            virFirewallCmdAddArg(fw, fwrule, number);
         }
 
         if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataOpcode)) {
@@ -1919,10 +1919,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                               number, sizeof(number),
                               &rule->p.arpHdrFilter.dataOpcode) < 0)
                 return -1;
-            virFirewallRuleAddArg(fw, fwrule, "--arp-opcode");
+            virFirewallCmdAddArg(fw, fwrule, "--arp-opcode");
             if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataOpcode))
-                virFirewallRuleAddArg(fw, fwrule, "!");
-            virFirewallRuleAddArg(fw, fwrule, number);
+                virFirewallCmdAddArg(fw, fwrule, "!");
+            virFirewallCmdAddArg(fw, fwrule, number);
         }
 
         if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataProtocolType)) {
@@ -1930,10 +1930,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                                    number, sizeof(number),
                                    &rule->p.arpHdrFilter.dataProtocolType) < 0)
                 return -1;
-            virFirewallRuleAddArg(fw, fwrule, "--arp-ptype");
+            virFirewallCmdAddArg(fw, fwrule, "--arp-ptype");
             if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataProtocolType))
-                virFirewallRuleAddArg(fw, fwrule, "!");
-            virFirewallRuleAddArg(fw, fwrule, number);
+                virFirewallCmdAddArg(fw, fwrule, "!");
+            virFirewallCmdAddArg(fw, fwrule, number);
         }
 
         if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcIPAddr)) {
@@ -1950,12 +1950,12 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                 hasMask = true;
             }
 
-            virFirewallRuleAddArg(fw, fwrule,
+            virFirewallCmdAddArg(fw, fwrule,
                                   reverse ? "--arp-ip-dst" : "--arp-ip-src");
             if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcIPAddr))
-                virFirewallRuleAddArg(fw, fwrule, "!");
-            virFirewallRuleAddArgFormat(fw, fwrule,
-                                        "%s/%s", ipaddr, hasMask ? ipmask : "32");
+                virFirewallCmdAddArg(fw, fwrule, "!");
+            virFirewallCmdAddArgFormat(fw, fwrule,
+                                       "%s/%s", ipaddr, hasMask ? ipmask : "32");
         }
 
         if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstIPAddr)) {
@@ -1972,12 +1972,12 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                 hasMask = true;
             }
 
-            virFirewallRuleAddArg(fw, fwrule,
+            virFirewallCmdAddArg(fw, fwrule,
                                   reverse ? "--arp-ip-src" : "--arp-ip-dst");
             if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstIPAddr))
-                virFirewallRuleAddArg(fw, fwrule, "!");
-            virFirewallRuleAddArgFormat(fw, fwrule,
-                                        "%s/%s", ipaddr, hasMask ? ipmask : "32");
+                virFirewallCmdAddArg(fw, fwrule, "!");
+            virFirewallCmdAddArgFormat(fw, fwrule,
+                                       "%s/%s", ipaddr, hasMask ? ipmask : "32");
         }
 
         if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPSrcMACAddr)) {
@@ -1986,11 +1986,11 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                               &rule->p.arpHdrFilter.dataARPSrcMACAddr) < 0)
                 return -1;
 
-            virFirewallRuleAddArg(fw, fwrule,
-                                  reverse ? "--arp-mac-dst" : "--arp-mac-src");
+            virFirewallCmdAddArg(fw, fwrule,
+                                 reverse ? "--arp-mac-dst" : "--arp-mac-src");
             if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPSrcMACAddr))
-                virFirewallRuleAddArg(fw, fwrule, "!");
-            virFirewallRuleAddArg(fw, fwrule, macaddr);
+                virFirewallCmdAddArg(fw, fwrule, "!");
+            virFirewallCmdAddArg(fw, fwrule, macaddr);
         }
 
         if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataARPDstMACAddr)) {
@@ -1999,24 +1999,24 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                               &rule->p.arpHdrFilter.dataARPDstMACAddr) < 0)
                 return -1;
 
-            virFirewallRuleAddArg(fw, fwrule,
-                                  reverse ? "--arp-mac-src" : "--arp-mac-dst");
+            virFirewallCmdAddArg(fw, fwrule,
+                                 reverse ? "--arp-mac-src" : "--arp-mac-dst");
             if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataARPDstMACAddr))
-                virFirewallRuleAddArg(fw, fwrule, "!");
-            virFirewallRuleAddArg(fw, fwrule, macaddr);
+                virFirewallCmdAddArg(fw, fwrule, "!");
+            virFirewallCmdAddArg(fw, fwrule, macaddr);
         }
 
         if (HAS_ENTRY_ITEM(&rule->p.arpHdrFilter.dataGratuitousARP) &&
             rule->p.arpHdrFilter.dataGratuitousARP.u.boolean) {
             if (ENTRY_WANT_NEG_SIGN(&rule->p.arpHdrFilter.dataGratuitousARP))
-                virFirewallRuleAddArg(fw, fwrule, "!");
-            virFirewallRuleAddArg(fw, fwrule, "--arp-gratuitous");
+                virFirewallCmdAddArg(fw, fwrule, "!");
+            virFirewallCmdAddArg(fw, fwrule, "--arp-gratuitous");
         }
         break;
 
     case VIR_NWFILTER_RULE_PROTOCOL_IP:
-        fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                                    "-t", "nat", "-A", chain, NULL);
+        fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                                   "-t", "nat", "-A", chain, NULL);
 
         if (ebtablesHandleEthHdr(fw, fwrule,
                                  vars,
@@ -2024,8 +2024,8 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                                  reverse) < 0)
             return -1;
 
-        virFirewallRuleAddArgList(fw, fwrule,
-                                  "-p", "ipv4", NULL);
+        virFirewallCmdAddArgList(fw, fwrule,
+                                 "-p", "ipv4", NULL);
 
         if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr)) {
             if (printDataType(vars,
@@ -2033,20 +2033,20 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                               &rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr) < 0)
                 return -1;
 
-            virFirewallRuleAddArg(fw, fwrule,
-                                  reverse ? "--ip-destination" : "--ip-source");
+            virFirewallCmdAddArg(fw, fwrule,
+                                 reverse ? "--ip-destination" : "--ip-source");
             if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataSrcIPAddr))
-                virFirewallRuleAddArg(fw, fwrule, "!");
+                virFirewallCmdAddArg(fw, fwrule, "!");
 
             if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataSrcIPMask)) {
                 if (printDataType(vars,
                                   number, sizeof(number),
                                   &rule->p.ipHdrFilter.ipHdr.dataSrcIPMask) < 0)
                     return -1;
-                virFirewallRuleAddArgFormat(fw, fwrule,
-                                            "%s/%s", ipaddr, number);
+                virFirewallCmdAddArgFormat(fw, fwrule,
+                                           "%s/%s", ipaddr, number);
             } else {
-                virFirewallRuleAddArg(fw, fwrule, ipaddr);
+                virFirewallCmdAddArg(fw, fwrule, ipaddr);
             }
         }
 
@@ -2057,20 +2057,20 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                               &rule->p.ipHdrFilter.ipHdr.dataDstIPAddr) < 0)
                 return -1;
 
-            virFirewallRuleAddArg(fw, fwrule,
-                                  reverse ? "--ip-source" : "--ip-destination");
+            virFirewallCmdAddArg(fw, fwrule,
+                                 reverse ? "--ip-source" : "--ip-destination");
             if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataDstIPAddr))
-                virFirewallRuleAddArg(fw, fwrule, "!");
+                virFirewallCmdAddArg(fw, fwrule, "!");
 
             if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.ipHdr.dataDstIPMask)) {
                 if (printDataType(vars,
                                   number, sizeof(number),
                                   &rule->p.ipHdrFilter.ipHdr.dataDstIPMask) < 0)
                     return -1;
-                virFirewallRuleAddArgFormat(fw, fwrule,
-                                            "%s/%s", ipaddr, number);
+                virFirewallCmdAddArgFormat(fw, fwrule,
+                                           "%s/%s", ipaddr, number);
             } else {
-                virFirewallRuleAddArg(fw, fwrule, ipaddr);
+                virFirewallCmdAddArg(fw, fwrule, ipaddr);
             }
         }
 
@@ -2080,10 +2080,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                               &rule->p.ipHdrFilter.ipHdr.dataProtocolID) < 0)
                 return -1;
 
-            virFirewallRuleAddArg(fw, fwrule, "--ip-protocol");
+            virFirewallCmdAddArg(fw, fwrule, "--ip-protocol");
             if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataProtocolID))
-                virFirewallRuleAddArg(fw, fwrule, "!");
-            virFirewallRuleAddArg(fw, fwrule, number);
+                virFirewallCmdAddArg(fw, fwrule, "!");
+            virFirewallCmdAddArg(fw, fwrule, number);
         }
 
         if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataSrcPortStart)) {
@@ -2092,10 +2092,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                               &rule->p.ipHdrFilter.portData.dataSrcPortStart) < 0)
                 return -1;
 
-            virFirewallRuleAddArg(fw, fwrule,
-                                  reverse ? "--ip-destination-port" : "--ip-source-port");
+            virFirewallCmdAddArg(fw, fwrule,
+                                 reverse ? "--ip-destination-port" : "--ip-source-port");
             if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.portData.dataSrcPortStart))
-                virFirewallRuleAddArg(fw, fwrule, "!");
+                virFirewallCmdAddArg(fw, fwrule, "!");
 
             if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataSrcPortEnd)) {
                 if (printDataType(vars,
@@ -2103,10 +2103,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                                   &rule->p.ipHdrFilter.portData.dataSrcPortEnd) < 0)
                     return -1;
 
-                virFirewallRuleAddArgFormat(fw, fwrule,
-                                            "%s:%s", number, numberalt);
+                virFirewallCmdAddArgFormat(fw, fwrule,
+                                           "%s:%s", number, numberalt);
             } else {
-                virFirewallRuleAddArg(fw, fwrule, number);
+                virFirewallCmdAddArg(fw, fwrule, number);
             }
         }
 
@@ -2116,10 +2116,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                               &rule->p.ipHdrFilter.portData.dataDstPortStart) < 0)
                 return -1;
 
-            virFirewallRuleAddArg(fw, fwrule,
-                                  reverse ? "--ip-source-port" : "--ip-destination-port");
+            virFirewallCmdAddArg(fw, fwrule,
+                                 reverse ? "--ip-source-port" : "--ip-destination-port");
             if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.portData.dataDstPortStart))
-                virFirewallRuleAddArg(fw, fwrule, "!");
+                virFirewallCmdAddArg(fw, fwrule, "!");
 
             if (HAS_ENTRY_ITEM(&rule->p.ipHdrFilter.portData.dataDstPortEnd)) {
                 if (printDataType(vars,
@@ -2127,10 +2127,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                                   &rule->p.ipHdrFilter.portData.dataDstPortEnd) < 0)
                     return -1;
 
-                virFirewallRuleAddArgFormat(fw, fwrule,
-                                            "%s:%s", number, numberalt);
+                virFirewallCmdAddArgFormat(fw, fwrule,
+                                           "%s:%s", number, numberalt);
             } else {
-                virFirewallRuleAddArg(fw, fwrule, number);
+                virFirewallCmdAddArg(fw, fwrule, number);
             }
         }
 
@@ -2140,16 +2140,16 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                                    &rule->p.ipHdrFilter.ipHdr.dataDSCP) < 0)
                 return -1;
 
-            virFirewallRuleAddArg(fw, fwrule, "--ip-tos");
+            virFirewallCmdAddArg(fw, fwrule, "--ip-tos");
             if (ENTRY_WANT_NEG_SIGN(&rule->p.ipHdrFilter.ipHdr.dataDSCP))
-                virFirewallRuleAddArg(fw, fwrule, "!");
-            virFirewallRuleAddArg(fw, fwrule, number);
+                virFirewallCmdAddArg(fw, fwrule, "!");
+            virFirewallCmdAddArg(fw, fwrule, number);
         }
         break;
 
     case VIR_NWFILTER_RULE_PROTOCOL_IPV6:
-        fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                                    "-t", "nat", "-A", chain, NULL);
+        fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                                   "-t", "nat", "-A", chain, NULL);
 
         if (ebtablesHandleEthHdr(fw, fwrule,
                                  vars,
@@ -2157,8 +2157,8 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                                  reverse) < 0)
             return -1;
 
-        virFirewallRuleAddArgList(fw, fwrule,
-                                  "-p", "ipv6", NULL);
+        virFirewallCmdAddArgList(fw, fwrule,
+                                 "-p", "ipv6", NULL);
 
         if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr)) {
             if (printDataType(vars,
@@ -2166,20 +2166,20 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                               &rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr) < 0)
                 return -1;
 
-            virFirewallRuleAddArg(fw, fwrule,
-                                  reverse ? "--ip6-destination" : "--ip6-source");
+            virFirewallCmdAddArg(fw, fwrule,
+                                 reverse ? "--ip6-destination" : "--ip6-source");
             if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPAddr))
-                virFirewallRuleAddArg(fw, fwrule, "!");
+                virFirewallCmdAddArg(fw, fwrule, "!");
 
             if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMask)) {
                 if (printDataType(vars,
                                   number, sizeof(number),
                                   &rule->p.ipv6HdrFilter.ipHdr.dataSrcIPMask) < 0)
                     return -1;
-                virFirewallRuleAddArgFormat(fw, fwrule,
-                                            "%s/%s", ipv6addr, number);
+                virFirewallCmdAddArgFormat(fw, fwrule,
+                                           "%s/%s", ipv6addr, number);
             } else {
-                virFirewallRuleAddArg(fw, fwrule, ipv6addr);
+                virFirewallCmdAddArg(fw, fwrule, ipv6addr);
             }
         }
 
@@ -2190,20 +2190,20 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                               &rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr) < 0)
                 return -1;
 
-            virFirewallRuleAddArg(fw, fwrule,
-                                  reverse ? "--ip6-source" : "--ip6-destination");
+            virFirewallCmdAddArg(fw, fwrule,
+                                 reverse ? "--ip6-source" : "--ip6-destination");
             if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataDstIPAddr))
-                virFirewallRuleAddArg(fw, fwrule, "!");
+                virFirewallCmdAddArg(fw, fwrule, "!");
 
             if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask)) {
                 if (printDataType(vars,
                                   number, sizeof(number),
                                   &rule->p.ipv6HdrFilter.ipHdr.dataDstIPMask) < 0)
                     return -1;
-                virFirewallRuleAddArgFormat(fw, fwrule,
-                                            "%s/%s", ipv6addr, number);
+                virFirewallCmdAddArgFormat(fw, fwrule,
+                                           "%s/%s", ipv6addr, number);
             } else {
-                virFirewallRuleAddArg(fw, fwrule, ipv6addr);
+                virFirewallCmdAddArg(fw, fwrule, ipv6addr);
             }
         }
 
@@ -2213,10 +2213,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                               &rule->p.ipv6HdrFilter.ipHdr.dataProtocolID) < 0)
                 return -1;
 
-            virFirewallRuleAddArg(fw, fwrule, "--ip6-protocol");
+            virFirewallCmdAddArg(fw, fwrule, "--ip6-protocol");
             if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.ipHdr.dataProtocolID))
-                virFirewallRuleAddArg(fw, fwrule, "!");
-            virFirewallRuleAddArg(fw, fwrule, number);
+                virFirewallCmdAddArg(fw, fwrule, "!");
+            virFirewallCmdAddArg(fw, fwrule, number);
         }
 
         if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataSrcPortStart)) {
@@ -2226,10 +2226,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                               &rule->p.ipv6HdrFilter.portData.dataSrcPortStart) < 0)
                 return -1;
 
-            virFirewallRuleAddArg(fw, fwrule,
-                                  reverse ? "--ip6-destination-port" : "--ip6-source-port");
+            virFirewallCmdAddArg(fw, fwrule,
+                                 reverse ? "--ip6-destination-port" : "--ip6-source-port");
             if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.portData.dataSrcPortStart))
-                virFirewallRuleAddArg(fw, fwrule, "!");
+                virFirewallCmdAddArg(fw, fwrule, "!");
 
             if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataSrcPortEnd)) {
                 if (printDataType(vars,
@@ -2237,10 +2237,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                                   &rule->p.ipv6HdrFilter.portData.dataSrcPortEnd) < 0)
                     return -1;
 
-                virFirewallRuleAddArgFormat(fw, fwrule,
-                                            "%s:%s", number, numberalt);
+                virFirewallCmdAddArgFormat(fw, fwrule,
+                                           "%s:%s", number, numberalt);
             } else {
-                virFirewallRuleAddArg(fw, fwrule, number);
+                virFirewallCmdAddArg(fw, fwrule, number);
             }
         }
 
@@ -2251,10 +2251,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                               &rule->p.ipv6HdrFilter.portData.dataDstPortStart) < 0)
                 return -1;
 
-            virFirewallRuleAddArg(fw, fwrule,
-                                  reverse ? "--ip6-source-port" : "--ip6-destination-port");
+            virFirewallCmdAddArg(fw, fwrule,
+                                 reverse ? "--ip6-source-port" : "--ip6-destination-port");
             if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.portData.dataDstPortStart))
-                virFirewallRuleAddArg(fw, fwrule, "!");
+                virFirewallCmdAddArg(fw, fwrule, "!");
 
             if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.portData.dataDstPortEnd)) {
                 if (printDataType(vars,
@@ -2262,10 +2262,10 @@ ebtablesCreateRuleInstance(virFirewall *fw,
                                   &rule->p.ipv6HdrFilter.portData.dataDstPortEnd) < 0)
                     return -1;
 
-                virFirewallRuleAddArgFormat(fw, fwrule,
-                                            "%s:%s", number, numberalt);
+                virFirewallCmdAddArgFormat(fw, fwrule,
+                                           "%s:%s", number, numberalt);
             } else {
-                virFirewallRuleAddArg(fw, fwrule, number);
+                virFirewallCmdAddArg(fw, fwrule, number);
             }
         }
 
@@ -2277,8 +2277,8 @@ ebtablesCreateRuleInstance(virFirewall *fw,
             g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
             g_autofree char *r = NULL;
 
-            virFirewallRuleAddArg(fw, fwrule,
-                                  "--ip6-icmp-type");
+            virFirewallCmdAddArg(fw, fwrule,
+                                 "--ip6-icmp-type");
 
             if (HAS_ENTRY_ITEM(&rule->p.ipv6HdrFilter.dataICMPTypeStart)) {
                 if (printDataType(vars,
@@ -2335,17 +2335,17 @@ ebtablesCreateRuleInstance(virFirewall *fw,
             virBufferStrcat(&buf, numberalt, NULL);
 
             if (ENTRY_WANT_NEG_SIGN(&rule->p.ipv6HdrFilter.dataICMPTypeStart))
-                virFirewallRuleAddArg(fw, fwrule, "!");
+                virFirewallCmdAddArg(fw, fwrule, "!");
 
             r = virBufferContentAndReset(&buf);
 
-            virFirewallRuleAddArg(fw, fwrule, r);
+            virFirewallCmdAddArg(fw, fwrule, r);
         }
         break;
 
     case VIR_NWFILTER_RULE_PROTOCOL_NONE:
-        fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                                    "-t", "nat", "-A", chain, NULL);
+        fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                                   "-t", "nat", "-A", chain, NULL);
         break;
 
     default:
@@ -2370,8 +2370,8 @@ ebtablesCreateRuleInstance(virFirewall *fw,
         target = virNWFilterJumpTargetTypeToString(rule->action);
     }
 
-    virFirewallRuleAddArgList(fw, fwrule,
-                              "-j", target, NULL);
+    virFirewallCmdAddArgList(fw, fwrule,
+                             "-j", target, NULL);
 
 #undef INST_ITEM_RANGE
 #undef INST_ITEM_MASK
@@ -2461,8 +2461,8 @@ ebtablesCreateTmpRootChainFW(virFirewall *fw,
 
     PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                       "-t", "nat", "-N", chain, NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                      "-t", "nat", "-N", chain, NULL);
 }
 
 
@@ -2476,11 +2476,11 @@ ebtablesLinkTmpRootChainFW(virFirewall *fw,
 
     PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                       "-t", "nat", "-A",
-                       incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING,
-                       incoming ? "-i" : "-o",
-                       ifname, "-j", chain, NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                      "-t", "nat", "-A",
+                      incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING,
+                      incoming ? "-i" : "-o",
+                      ifname, "-j", chain, NULL);
 }
 
 
@@ -2500,12 +2500,12 @@ _ebtablesRemoveRootChainFW(virFirewall *fw,
 
     PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
 
-    virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                           true, NULL, NULL,
-                           "-t", "nat", "-F", chain, NULL);
-    virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                           true, NULL, NULL,
-                           "-t", "nat", "-X", chain, NULL);
+    virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                          true, NULL, NULL,
+                          "-t", "nat", "-F", chain, NULL);
+    virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                          true, NULL, NULL,
+                          "-t", "nat", "-X", chain, NULL);
 }
 
 
@@ -2543,12 +2543,12 @@ _ebtablesUnlinkRootChainFW(virFirewall *fw,
 
     PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
 
-    virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                           true, NULL, NULL,
-                           "-t", "nat", "-D",
-                           incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING,
-                           incoming ? "-i" : "-o",
-                           ifname, "-j", chain, NULL);
+    virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                          true, NULL, NULL,
+                          "-t", "nat", "-D",
+                          incoming ? EBTABLES_CHAIN_INCOMING : EBTABLES_CHAIN_OUTGOING,
+                          incoming ? "-i" : "-o",
+                          ifname, "-j", chain, NULL);
 }
 
 
@@ -2577,41 +2577,41 @@ ebtablesCreateTmpSubChainFW(virFirewall *fw,
     char rootchain[MAX_CHAINNAME_LENGTH], chain[MAX_CHAINNAME_LENGTH];
     char chainPrefix = incoming ? CHAINPREFIX_HOST_IN_TEMP
                                 : CHAINPREFIX_HOST_OUT_TEMP;
-    virFirewallRule *fwrule;
+    virFirewallCmd *fwrule;
 
     PRINT_ROOT_CHAIN(rootchain, chainPrefix, ifname);
     PRINT_CHAIN(chain, chainPrefix, ifname,
                 (filtername) ? filtername : l3_protocols[protoidx].val);
 
-    virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                           true, NULL, NULL,
-                           "-t", "nat", "-F", chain, NULL);
-    virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                           true, NULL, NULL,
-                           "-t", "nat", "-X", chain, NULL);
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                       "-t", "nat", "-N", chain, NULL);
+    virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                          true, NULL, NULL,
+                          "-t", "nat", "-F", chain, NULL);
+    virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                          true, NULL, NULL,
+                          "-t", "nat", "-X", chain, NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                      "-t", "nat", "-N", chain, NULL);
 
-    fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                                "-t", "nat", "-A", rootchain, NULL);
+    fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                               "-t", "nat", "-A", rootchain, NULL);
 
     switch ((int)protoidx) {
     case L2_PROTO_MAC_IDX:
         break;
     case L2_PROTO_STP_IDX:
-        virFirewallRuleAddArgList(fw, fwrule,
-                                  "-d", NWFILTER_MAC_BGA, NULL);
+        virFirewallCmdAddArgList(fw, fwrule,
+                                 "-d", NWFILTER_MAC_BGA, NULL);
         break;
     default:
-        virFirewallRuleAddArg(fw, fwrule, "-p");
-        virFirewallRuleAddArgFormat(fw, fwrule,
-                                    "0x%04x",
-                                    l3_protocols[protoidx].attr);
+        virFirewallCmdAddArg(fw, fwrule, "-p");
+        virFirewallCmdAddArgFormat(fw, fwrule,
+                                   "0x%04x",
+                                   l3_protocols[protoidx].attr);
         break;
     }
 
-    virFirewallRuleAddArgList(fw, fwrule,
-                              "-j", chain, NULL);
+    virFirewallCmdAddArgList(fw, fwrule,
+                             "-j", chain, NULL);
 }
 
 
@@ -2636,16 +2636,16 @@ ebtablesRemoveSubChainsQuery(virFirewall *fw,
             if (tmp[0] == chainprefixes[j] &&
                 tmp[1] == '-') {
                 VIR_DEBUG("Processing chain '%s'", tmp);
-                virFirewallAddRuleFull(fw, layer,
-                                       false, ebtablesRemoveSubChainsQuery,
-                                       (void *)chainprefixes,
-                                        "-t", "nat", "-L", tmp, NULL);
-                virFirewallAddRuleFull(fw, layer,
-                                       true, NULL, NULL,
-                                       "-t", "nat", "-F", tmp, NULL);
-                virFirewallAddRuleFull(fw, layer,
-                                       true, NULL, NULL,
-                                       "-t", "nat", "-X", tmp, NULL);
+                virFirewallAddCmdFull(fw, layer,
+                                      false, ebtablesRemoveSubChainsQuery,
+                                      (void *)chainprefixes,
+                                      "-t", "nat", "-L", tmp, NULL);
+                virFirewallAddCmdFull(fw, layer,
+                                      true, NULL, NULL,
+                                      "-t", "nat", "-F", tmp, NULL);
+                virFirewallAddCmdFull(fw, layer,
+                                      true, NULL, NULL,
+                                      "-t", "nat", "-X", tmp, NULL);
             }
         }
     }
@@ -2664,10 +2664,10 @@ _ebtablesRemoveSubChainsFW(virFirewall *fw,
 
     for (i = 0; chainprefixes[i] != 0; i++) {
         PRINT_ROOT_CHAIN(rootchain, chainprefixes[i], ifname);
-        virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                               false, ebtablesRemoveSubChainsQuery,
-                               (void *)chainprefixes,
-                               "-t", "nat", "-L", rootchain, NULL);
+        virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                              false, ebtablesRemoveSubChainsQuery,
+                              (void *)chainprefixes,
+                              "-t", "nat", "-L", rootchain, NULL);
     }
 }
 
@@ -2706,8 +2706,8 @@ ebtablesRenameTmpSubChainFW(virFirewall *fw,
         PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
     }
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                       "-t", "nat", "-E", tmpchain, chain, NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                      "-t", "nat", "-E", tmpchain, chain, NULL);
 }
 
 static void
@@ -2748,18 +2748,18 @@ ebtablesRenameTmpSubAndRootChainsQuery(virFirewall *fw,
         else
             newchain[0] = CHAINPREFIX_HOST_OUT;
         VIR_DEBUG("Renaming chain '%s' to '%s'", tmp, newchain);
-        virFirewallAddRuleFull(fw, layer,
-                               false, ebtablesRenameTmpSubAndRootChainsQuery,
-                               NULL,
-                               "-t", "nat", "-L", tmp, NULL);
-        virFirewallAddRuleFull(fw, layer,
-                               true, NULL, NULL,
-                               "-t", "nat", "-F", newchain, NULL);
-        virFirewallAddRuleFull(fw, layer,
-                               true, NULL, NULL,
-                               "-t", "nat", "-X", newchain, NULL);
-        virFirewallAddRule(fw, layer,
-                           "-t", "nat", "-E", tmp, newchain, NULL);
+        virFirewallAddCmdFull(fw, layer,
+                              false, ebtablesRenameTmpSubAndRootChainsQuery,
+                              NULL,
+                              "-t", "nat", "-L", tmp, NULL);
+        virFirewallAddCmdFull(fw, layer,
+                              true, NULL, NULL,
+                              "-t", "nat", "-F", newchain, NULL);
+        virFirewallAddCmdFull(fw, layer,
+                              true, NULL, NULL,
+                              "-t", "nat", "-X", newchain, NULL);
+        virFirewallAddCmd(fw, layer,
+                          "-t", "nat", "-E", tmp, newchain, NULL);
     }
 
     return 0;
@@ -2779,10 +2779,10 @@ ebtablesRenameTmpSubAndRootChainsFW(virFirewall *fw,
     };
     for (i = 0; chains[i] != 0; i++) {
         PRINT_ROOT_CHAIN(rootchain, chains[i], ifname);
-        virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                               false, ebtablesRenameTmpSubAndRootChainsQuery,
-                               NULL,
-                               "-t", "nat", "-L", rootchain, NULL);
+        virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                              false, ebtablesRenameTmpSubAndRootChainsQuery,
+                              NULL,
+                              "-t", "nat", "-L", rootchain, NULL);
     }
 
     ebtablesRenameTmpRootChainFW(fw, true, ifname);
@@ -2835,21 +2835,21 @@ ebtablesApplyBasicRules(const char *ifname,
     ebtablesCreateTmpRootChainFW(fw, true, ifname);
 
     PRINT_ROOT_CHAIN(chain, chainPrefix, ifname);
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                       "-t", "nat", "-A", chain,
-                       "-s", "!", macaddr_str,
-                       "-j", "DROP", NULL);
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                       "-t", "nat", "-A", chain,
-                       "-p", "IPv4",
-                       "-j", "ACCEPT", NULL);
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                       "-t", "nat", "-A", chain,
-                       "-p", "ARP",
-                       "-j", "ACCEPT", NULL);
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                       "-t", "nat", "-A", chain,
-                       "-j", "DROP", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                      "-t", "nat", "-A", chain,
+                      "-s", "!", macaddr_str,
+                      "-j", "DROP", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                      "-t", "nat", "-A", chain,
+                      "-p", "IPv4",
+                      "-j", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                      "-t", "nat", "-A", chain,
+                      "-p", "ARP",
+                      "-j", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                      "-t", "nat", "-A", chain,
+                      "-j", "DROP", NULL);
 
     ebtablesLinkTmpRootChainFW(fw, true, ifname);
     ebtablesRenameTmpRootChainFW(fw, true, ifname);
@@ -2908,16 +2908,16 @@ ebtablesApplyDHCPOnlyRules(const char *ifname,
     PRINT_ROOT_CHAIN(chain_in, CHAINPREFIX_HOST_IN_TEMP, ifname);
     PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                       "-t", "nat", "-A", chain_in,
-                       "-s", macaddr_str,
-                       "-p", "ipv4", "--ip-protocol", "udp",
-                       "--ip-sport", "68", "--ip-dport", "67",
-                       "-j", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                      "-t", "nat", "-A", chain_in,
+                      "-s", macaddr_str,
+                      "-p", "ipv4", "--ip-protocol", "udp",
+                      "--ip-sport", "68", "--ip-dport", "67",
+                      "-j", "ACCEPT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                       "-t", "nat", "-A", chain_in,
-                       "-j", "DROP", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                      "-t", "nat", "-A", chain_in,
+                      "-j", "DROP", NULL);
 
     num_dhcpsrvrs = (dhcpsrvrs != NULL)
                     ? virNWFilterVarValueGetCardinality(dhcpsrvrs)
@@ -2936,20 +2936,20 @@ ebtablesApplyDHCPOnlyRules(const char *ifname,
          */
         for (ctr = 0; ctr < 2; ctr++) {
             if (dhcpserver)
-                virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                                   "-t", "nat", "-A", chain_out,
-                                   "-d", (ctr == 0) ? macaddr_str : "ff:ff:ff:ff:ff:ff",
-                                   "-p", "ipv4", "--ip-protocol", "udp",
-                                   "--ip-src", dhcpserver,
-                                   "--ip-sport", "67", "--ip-dport", "68",
-                                   "-j", "ACCEPT", NULL);
+                virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                                  "-t", "nat", "-A", chain_out,
+                                  "-d", (ctr == 0) ? macaddr_str : "ff:ff:ff:ff:ff:ff",
+                                  "-p", "ipv4", "--ip-protocol", "udp",
+                                  "--ip-src", dhcpserver,
+                                  "--ip-sport", "67", "--ip-dport", "68",
+                                  "-j", "ACCEPT", NULL);
             else
-                virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                                   "-t", "nat", "-A", chain_out,
-                                   "-d", (ctr == 0) ? macaddr_str : "ff:ff:ff:ff:ff:ff",
-                                   "-p", "ipv4", "--ip-protocol", "udp",
-                                   "--ip-sport", "67", "--ip-dport", "68",
-                                   "-j", "ACCEPT", NULL);
+                virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                                  "-t", "nat", "-A", chain_out,
+                                  "-d", (ctr == 0) ? macaddr_str : "ff:ff:ff:ff:ff:ff",
+                                  "-p", "ipv4", "--ip-protocol", "udp",
+                                  "--ip-sport", "67", "--ip-dport", "68",
+                                  "-j", "ACCEPT", NULL);
         }
 
         idx++;
@@ -2958,9 +2958,9 @@ ebtablesApplyDHCPOnlyRules(const char *ifname,
             break;
     }
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                       "-t", "nat", "-A", chain_out,
-                       "-j", "DROP", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                      "-t", "nat", "-A", chain_out,
+                      "-j", "DROP", NULL);
 
     ebtablesLinkTmpRootChainFW(fw, true, ifname);
     ebtablesLinkTmpRootChainFW(fw, false, ifname);
@@ -3008,13 +3008,13 @@ ebtablesApplyDropAllRules(const char *ifname)
     PRINT_ROOT_CHAIN(chain_in, CHAINPREFIX_HOST_IN_TEMP, ifname);
     PRINT_ROOT_CHAIN(chain_out, CHAINPREFIX_HOST_OUT_TEMP, ifname);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                       "-t", "nat", "-A", chain_in,
-                       "-j", "DROP", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                      "-t", "nat", "-A", chain_in,
+                      "-j", "DROP", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                       "-t", "nat", "-A", chain_out,
-                       "-j", "DROP", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                      "-t", "nat", "-A", chain_out,
+                      "-j", "DROP", NULL);
 
     ebtablesLinkTmpRootChainFW(fw, true, ifname);
     ebtablesLinkTmpRootChainFW(fw, false, ifname);
diff --git a/src/util/virebtables.c b/src/util/virebtables.c
index a1f5f7cf1e..cabcbb3e81 100644
--- a/src/util/virebtables.c
+++ b/src/util/virebtables.c
@@ -81,17 +81,17 @@ ebtablesAddForwardPolicyReject(ebtablesContext *ctx)
     g_autoptr(virFirewall) fw = virFirewallNew();
 
     virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                       "--new-chain", ctx->chain,
-                       NULL);
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                       "--insert", "FORWARD",
-                       "--jump", ctx->chain, NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                      "--new-chain", ctx->chain,
+                      NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                      "--insert", "FORWARD",
+                      "--jump", ctx->chain, NULL);
 
     virFirewallStartTransaction(fw, 0);
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                       "-P", ctx->chain, "DROP",
-                       NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                      "-P", ctx->chain, "DROP",
+                      NULL);
 
     return virFirewallApply(fw);
 }
@@ -109,13 +109,13 @@ ebtablesForwardAllowIn(ebtablesContext *ctx,
     g_autoptr(virFirewall) fw = virFirewallNew();
 
     virFirewallStartTransaction(fw, 0);
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_ETHERNET,
-                       action == ADD ? "--insert" : "--delete",
-                       ctx->chain,
-                       "--in-interface", iface,
-                       "--source", macaddr,
-                       "--jump", "ACCEPT",
-                       NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_ETHERNET,
+                      action == ADD ? "--insert" : "--delete",
+                      ctx->chain,
+                      "--in-interface", iface,
+                      "--source", macaddr,
+                      "--jump", "ACCEPT",
+                      NULL);
 
     return virFirewallApply(fw);
 }
diff --git a/src/util/virfirewall.c b/src/util/virfirewall.c
index 30e73f603e..902cb8e445 100644
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@@ -45,7 +45,7 @@ VIR_ENUM_IMPL(virFirewallLayerCommand,
               IP6TABLES,
 );
 
-struct _virFirewallRule {
+struct _virFirewallCmd {
     virFirewallLayer layer;
 
     virFirewallQueryCallback queryCB;
@@ -62,10 +62,10 @@ struct _virFirewallGroup {
     unsigned int rollbackFlags;
 
     size_t naction;
-    virFirewallRule **action;
+    virFirewallCmd **action;
 
     size_t nrollback;
-    virFirewallRule **rollback;
+    virFirewallCmd **rollback;
 
     bool addingRollback;
 };
@@ -79,7 +79,7 @@ struct _virFirewall {
     size_t currentGroup;
 };
 
-static virMutex ruleLock = VIR_MUTEX_INITIALIZER;
+static virMutex fwCmdLock = VIR_MUTEX_INITIALIZER;
 
 static virFirewallGroup *
 virFirewallGroupNew(void)
@@ -107,17 +107,17 @@ virFirewall *virFirewallNew(void)
 
 
 static void
-virFirewallRuleFree(virFirewallRule *rule)
+virFirewallCmdFree(virFirewallCmd *fwCmd)
 {
     size_t i;
 
-    if (!rule)
+    if (!fwCmd)
         return;
 
-    for (i = 0; i < rule->argsLen; i++)
-        g_free(rule->args[i]);
-    g_free(rule->args);
-    g_free(rule);
+    for (i = 0; i < fwCmd->argsLen; i++)
+        g_free(fwCmd->args[i]);
+    g_free(fwCmd->args);
+    g_free(fwCmd);
 }
 
 
@@ -130,11 +130,11 @@ virFirewallGroupFree(virFirewallGroup *group)
         return;
 
     for (i = 0; i < group->naction; i++)
-        virFirewallRuleFree(group->action[i]);
+        virFirewallCmdFree(group->action[i]);
     g_free(group->action);
 
     for (i = 0; i < group->nrollback; i++)
-        virFirewallRuleFree(group->rollback[i]);
+        virFirewallCmdFree(group->rollback[i]);
     g_free(group->rollback);
 
     g_free(group);
@@ -167,9 +167,9 @@ void virFirewallFree(virFirewall *firewall)
             return; \
     } while (0)
 
-#define VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule)\
+#define VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd)\
     do { \
-        if (!firewall || firewall->err || !rule) \
+        if (!firewall || firewall->err || !fwCmd) \
             return; \
     } while (0)
 
@@ -179,22 +179,22 @@ void virFirewallFree(virFirewall *firewall)
             return NULL; \
     } while (0)
 
-#define ADD_ARG(rule, str) \
+#define ADD_ARG(fwCmd, str) \
     do { \
-        VIR_RESIZE_N(rule->args, rule->argsAlloc, rule->argsLen, 1); \
-        rule->args[rule->argsLen++] = g_strdup(str); \
+        VIR_RESIZE_N(fwCmd->args, fwCmd->argsAlloc, fwCmd->argsLen, 1); \
+        fwCmd->args[fwCmd->argsLen++] = g_strdup(str); \
     } while (0)
 
-static virFirewallRule *
-virFirewallAddRuleFullV(virFirewall *firewall,
-                        virFirewallLayer layer,
-                        bool ignoreErrors,
-                        virFirewallQueryCallback cb,
-                        void *opaque,
-                        va_list args)
+static virFirewallCmd *
+virFirewallAddCmdFullV(virFirewall *firewall,
+                       virFirewallLayer layer,
+                       bool ignoreErrors,
+                       virFirewallQueryCallback cb,
+                       void *opaque,
+                       va_list args)
 {
     virFirewallGroup *group;
-    virFirewallRule *rule;
+    virFirewallCmd *fwCmd;
     char *str;
 
     VIR_FIREWALL_RETURN_NULL_IF_ERROR(firewall);
@@ -206,43 +206,43 @@ virFirewallAddRuleFullV(virFirewall *firewall,
     group = firewall->groups[firewall->currentGroup];
 
 
-    rule = g_new0(virFirewallRule, 1);
+    fwCmd = g_new0(virFirewallCmd, 1);
 
-    rule->layer = layer;
-    rule->queryCB = cb;
-    rule->queryOpaque = opaque;
-    rule->ignoreErrors = ignoreErrors;
+    fwCmd->layer = layer;
+    fwCmd->queryCB = cb;
+    fwCmd->queryOpaque = opaque;
+    fwCmd->ignoreErrors = ignoreErrors;
 
-    switch (rule->layer) {
+    switch (fwCmd->layer) {
     case VIR_FIREWALL_LAYER_ETHERNET:
-        ADD_ARG(rule, "--concurrent");
+        ADD_ARG(fwCmd, "--concurrent");
         break;
     case VIR_FIREWALL_LAYER_IPV4:
-        ADD_ARG(rule, "-w");
+        ADD_ARG(fwCmd, "-w");
         break;
     case VIR_FIREWALL_LAYER_IPV6:
-        ADD_ARG(rule, "-w");
+        ADD_ARG(fwCmd, "-w");
         break;
     case VIR_FIREWALL_LAYER_LAST:
         break;
     }
 
     while ((str = va_arg(args, char *)) != NULL)
-        ADD_ARG(rule, str);
+        ADD_ARG(fwCmd, str);
 
     if (group->addingRollback) {
-        VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, rule);
+        VIR_APPEND_ELEMENT_COPY(group->rollback, group->nrollback, fwCmd);
     } else {
-        VIR_APPEND_ELEMENT_COPY(group->action, group->naction, rule);
+        VIR_APPEND_ELEMENT_COPY(group->action, group->naction, fwCmd);
     }
 
 
-    return rule;
+    return fwCmd;
 }
 
 
 /**
- * virFirewallAddRuleFull:
+ * virFirewallAddCmdFull:
  * @firewall: firewall ruleset to add to
  * @layer: the firewall layer to change
  * @ignoreErrors: true to ignore failure of the command
@@ -253,7 +253,7 @@ virFirewallAddRuleFullV(virFirewall *firewall,
  * Add any type of rule to the firewall ruleset. Any output
  * generated by the addition will be fed into the query
  * callback @cb. This callback is permitted to create new
- * rules by invoking the virFirewallAddRule method, but
+ * rules by invoking the virFirewallAddCmd method, but
  * is not permitted to start new transactions.
  *
  * If @ignoreErrors is set to TRUE, then any failure of
@@ -263,31 +263,31 @@ virFirewallAddRuleFullV(virFirewall *firewall,
  *
  * Returns the new rule
  */
-virFirewallRule *virFirewallAddRuleFull(virFirewall *firewall,
-                                          virFirewallLayer layer,
-                                          bool ignoreErrors,
-                                          virFirewallQueryCallback cb,
-                                          void *opaque,
-                                          ...)
+virFirewallCmd *virFirewallAddCmdFull(virFirewall *firewall,
+                                      virFirewallLayer layer,
+                                      bool ignoreErrors,
+                                      virFirewallQueryCallback cb,
+                                      void *opaque,
+                                      ...)
 {
-    virFirewallRule *rule;
+    virFirewallCmd *fwCmd;
     va_list args;
     va_start(args, opaque);
-    rule = virFirewallAddRuleFullV(firewall, layer, ignoreErrors, cb, opaque, args);
+    fwCmd = virFirewallAddCmdFullV(firewall, layer, ignoreErrors, cb, opaque, args);
     va_end(args);
-    return rule;
+    return fwCmd;
 }
 
 
 /**
- * virFirewallRemoveRule:
+ * virFirewallRemoveCmd:
  * @firewall: firewall ruleset to remove from
  * @rule: the rule to remove
  *
  * Remove a rule from the current transaction
  */
-void virFirewallRemoveRule(virFirewall *firewall,
-                           virFirewallRule *rule)
+void virFirewallRemoveCmd(virFirewall *firewall,
+                          virFirewallCmd *fwCmd)
 {
     size_t i;
     virFirewallGroup *group;
@@ -306,21 +306,21 @@ void virFirewallRemoveRule(virFirewall *firewall,
 
     if (group->addingRollback) {
         for (i = 0; i < group->nrollback; i++) {
-            if (group->rollback[i] == rule) {
+            if (group->rollback[i] == fwCmd) {
                 VIR_DELETE_ELEMENT(group->rollback,
                                    i,
                                    group->nrollback);
-                virFirewallRuleFree(rule);
+                virFirewallCmdFree(fwCmd);
                 break;
             }
         }
     } else {
         for (i = 0; i < group->naction; i++) {
-            if (group->action[i] == rule) {
+            if (group->action[i] == fwCmd) {
                 VIR_DELETE_ELEMENT(group->action,
                                    i,
                                    group->naction);
-                virFirewallRuleFree(rule);
+                virFirewallCmdFree(fwCmd);
                 return;
             }
         }
@@ -328,45 +328,45 @@ void virFirewallRemoveRule(virFirewall *firewall,
 }
 
 
-void virFirewallRuleAddArg(virFirewall *firewall,
-                           virFirewallRule *rule,
-                           const char *arg)
+void virFirewallCmdAddArg(virFirewall *firewall,
+                          virFirewallCmd *fwCmd,
+                          const char *arg)
 {
-    VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
+    VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd);
 
-    ADD_ARG(rule, arg);
+    ADD_ARG(fwCmd, arg);
 
     return;
 }
 
 
-void virFirewallRuleAddArgFormat(virFirewall *firewall,
-                                 virFirewallRule *rule,
-                                 const char *fmt, ...)
+void virFirewallCmdAddArgFormat(virFirewall *firewall,
+                                virFirewallCmd *fwCmd,
+                                const char *fmt, ...)
 {
     g_autofree char *arg = NULL;
     va_list list;
 
-    VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
+    VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd);
 
     va_start(list, fmt);
     arg = g_strdup_vprintf(fmt, list);
     va_end(list);
 
-    ADD_ARG(rule, arg);
+    ADD_ARG(fwCmd, arg);
 
     return;
 }
 
 
-void virFirewallRuleAddArgSet(virFirewall *firewall,
-                              virFirewallRule *rule,
-                              const char *const *args)
+void virFirewallCmdAddArgSet(virFirewall *firewall,
+                             virFirewallCmd *fwCmd,
+                             const char *const *args)
 {
-    VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
+    VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd);
 
     while (*args) {
-        ADD_ARG(rule, *args);
+        ADD_ARG(fwCmd, *args);
         args++;
     }
 
@@ -374,19 +374,19 @@ void virFirewallRuleAddArgSet(virFirewall *firewall,
 }
 
 
-void virFirewallRuleAddArgList(virFirewall *firewall,
-                               virFirewallRule *rule,
-                               ...)
+void virFirewallCmdAddArgList(virFirewall *firewall,
+                              virFirewallCmd *fwCmd,
+                              ...)
 {
     va_list list;
     const char *str;
 
-    VIR_FIREWALL_RULE_RETURN_IF_ERROR(firewall, rule);
+    VIR_FIREWALL_CMD_RETURN_IF_ERROR(firewall, fwCmd);
 
-    va_start(list, rule);
+    va_start(list, fwCmd);
 
     while ((str = va_arg(list, char *)) != NULL)
-        ADD_ARG(rule, str);
+        ADD_ARG(fwCmd, str);
 
     va_end(list);
 
@@ -394,11 +394,11 @@ void virFirewallRuleAddArgList(virFirewall *firewall,
 }
 
 
-size_t virFirewallRuleGetArgCount(virFirewallRule *rule)
+size_t virFirewallCmdGetArgCount(virFirewallCmd *fwCmd)
 {
-    if (!rule)
+    if (!fwCmd)
         return 0;
-    return rule->argsLen;
+    return fwCmd->argsLen;
 }
 
 
@@ -462,16 +462,16 @@ void virFirewallStartRollback(virFirewall *firewall,
 
 
 char *
-virFirewallRuleToString(const char *cmd,
-                        virFirewallRule *rule)
+virFirewallCmdToString(const char *cmd,
+                       virFirewallCmd *fwCmd)
 {
     g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
     size_t i;
 
     virBufferAdd(&buf, cmd, -1);
-    for (i = 0; i < rule->argsLen; i++) {
+    for (i = 0; i < fwCmd->argsLen; i++) {
         virBufferAddLit(&buf, " ");
-        virBufferAdd(&buf, rule->args[i], -1);
+        virBufferAdd(&buf, fwCmd->args[i], -1);
     }
 
     return virBufferContentAndReset(&buf);
@@ -479,12 +479,12 @@ virFirewallRuleToString(const char *cmd,
 
 
 static int
-virFirewallApplyRuleDirect(virFirewallRule *rule,
-                           bool ignoreErrors,
-                           char **output)
+virFirewallApplyCmdDirect(virFirewallCmd *fwCmd,
+                          bool ignoreErrors,
+                          char **output)
 {
     size_t i;
-    const char *bin = virFirewallLayerCommandTypeToString(rule->layer);
+    const char *bin = virFirewallLayerCommandTypeToString(fwCmd->layer);
     g_autoptr(virCommand) cmd = NULL;
     g_autofree char *cmdStr = NULL;
     int status;
@@ -493,17 +493,17 @@ virFirewallApplyRuleDirect(virFirewallRule *rule,
     if (!bin) {
         virReportError(VIR_ERR_INTERNAL_ERROR,
                        _("Unknown firewall layer %1$d"),
-                       rule->layer);
+                       fwCmd->layer);
         return -1;
     }
 
     cmd = virCommandNewArgList(bin, NULL);
 
-    for (i = 0; i < rule->argsLen; i++)
-        virCommandAddArg(cmd, rule->args[i]);
+    for (i = 0; i < fwCmd->argsLen; i++)
+        virCommandAddArg(cmd, fwCmd->args[i]);
 
     cmdStr = virCommandToString(cmd, false);
-    VIR_INFO("Applying rule '%s'", NULLSTR(cmdStr));
+    VIR_INFO("Running firewall command '%s'", NULLSTR(cmdStr));
 
     virCommandSetOutputBuffer(cmd, output);
     virCommandSetErrorBuffer(cmd, &error);
@@ -516,7 +516,7 @@ virFirewallApplyRuleDirect(virFirewallRule *rule,
             VIR_DEBUG("Ignoring error running command");
         } else {
             virReportError(VIR_ERR_INTERNAL_ERROR,
-                           _("Failed to apply firewall rules %1$s: %2$s"),
+                           _("Failed to run firewall command %1$s: %2$s"),
                            NULLSTR(cmdStr), NULLSTR(error));
             VIR_FREE(*output);
             return -1;
@@ -528,30 +528,30 @@ virFirewallApplyRuleDirect(virFirewallRule *rule,
 
 
 static int
-virFirewallApplyRule(virFirewall *firewall,
-                     virFirewallRule *rule,
-                     bool ignoreErrors)
+virFirewallApplyCmd(virFirewall *firewall,
+                    virFirewallCmd *fwCmd,
+                    bool ignoreErrors)
 {
     g_autofree char *output = NULL;
     g_auto(GStrv) lines = NULL;
 
-    if (rule->ignoreErrors)
-        ignoreErrors = rule->ignoreErrors;
+    if (fwCmd->ignoreErrors)
+        ignoreErrors = fwCmd->ignoreErrors;
 
-    if (virFirewallApplyRuleDirect(rule, ignoreErrors, &output) < 0)
+    if (virFirewallApplyCmdDirect(fwCmd, ignoreErrors, &output) < 0)
         return -1;
 
-    if (rule->queryCB && output) {
+    if (fwCmd->queryCB && output) {
         if (!(lines = g_strsplit(output, "\n", -1)))
             return -1;
 
-        VIR_DEBUG("Invoking query %p with '%s'", rule->queryCB, output);
-        if (rule->queryCB(firewall, rule->layer, (const char *const *)lines, rule->queryOpaque) < 0)
+        VIR_DEBUG("Invoking query %p with '%s'", fwCmd->queryCB, output);
+        if (fwCmd->queryCB(firewall, fwCmd->layer, (const char *const *)lines, fwCmd->queryOpaque) < 0)
             return -1;
 
         if (firewall->err) {
             virReportSystemError(firewall->err, "%s",
-                                 _("Unable to create rule"));
+                                 _("Unable to create firewall command"));
             return -1;
         }
 
@@ -573,9 +573,9 @@ virFirewallApplyGroup(virFirewall *firewall,
     firewall->currentGroup = idx;
     group->addingRollback = false;
     for (i = 0; i < group->naction; i++) {
-        if (virFirewallApplyRule(firewall,
-                                 group->action[i],
-                                 ignoreErrors) < 0)
+        if (virFirewallApplyCmd(firewall,
+                                group->action[i],
+                                ignoreErrors) < 0)
             return -1;
     }
     return 0;
@@ -592,11 +592,8 @@ virFirewallRollbackGroup(virFirewall *firewall,
     VIR_INFO("Starting rollback for group %p", group);
     firewall->currentGroup = idx;
     group->addingRollback = true;
-    for (i = 0; i < group->nrollback; i++) {
-        ignore_value(virFirewallApplyRule(firewall,
-                                          group->rollback[i],
-                                          true));
-    }
+    for (i = 0; i < group->nrollback; i++)
+        ignore_value(virFirewallApplyCmd(firewall, group->rollback[i], true));
 }
 
 
@@ -604,7 +601,7 @@ int
 virFirewallApply(virFirewall *firewall)
 {
     size_t i, j;
-    VIR_LOCK_GUARD lock = virLockGuardLock(&ruleLock);
+    VIR_LOCK_GUARD lock = virLockGuardLock(&fwCmdLock);
 
     if (!firewall || firewall->err) {
         int err = EINVAL;
@@ -612,7 +609,7 @@ virFirewallApply(virFirewall *firewall)
         if (firewall)
             err = firewall->err;
 
-        virReportSystemError(err, "%s", _("Unable to create rule"));
+        virReportSystemError(err, "%s", _("Unable to create firewall command"));
         return -1;
     }
 
diff --git a/src/util/virfirewall.h b/src/util/virfirewall.h
index 187748b2bf..956bf0e2bf 100644
--- a/src/util/virfirewall.h
+++ b/src/util/virfirewall.h
@@ -24,7 +24,7 @@
 
 typedef struct _virFirewall virFirewall;
 
-typedef struct _virFirewallRule virFirewallRule;
+typedef struct _virFirewallCmd virFirewallCmd;
 
 typedef enum {
     VIR_FIREWALL_LAYER_ETHERNET,
@@ -39,7 +39,7 @@ virFirewall *virFirewallNew(void);
 void virFirewallFree(virFirewall *firewall);
 
 /**
- * virFirewallAddRule:
+ * virFirewallAddCmd:
  * @firewall: firewall ruleset to add to
  * @layer: the firewall layer to change
  * @...: NULL terminated list of strings for the rule
@@ -48,49 +48,49 @@ void virFirewallFree(virFirewall *firewall);
  *
  * Returns the new rule
  */
-#define virFirewallAddRule(firewall, layer, ...) \
-         virFirewallAddRuleFull(firewall, layer, false, NULL, NULL, __VA_ARGS__)
+#define virFirewallAddCmd(firewall, layer, ...) \
+         virFirewallAddCmdFull(firewall, layer, false, NULL, NULL, __VA_ARGS__)
 
 typedef int (*virFirewallQueryCallback)(virFirewall *firewall,
                                         virFirewallLayer layer,
                                         const char *const *lines,
                                         void *opaque);
 
-virFirewallRule *virFirewallAddRuleFull(virFirewall *firewall,
-                                          virFirewallLayer layer,
-                                          bool ignoreErrors,
-                                          virFirewallQueryCallback cb,
-                                          void *opaque,
-                                          ...)
+virFirewallCmd *virFirewallAddCmdFull(virFirewall *firewall,
+                                      virFirewallLayer layer,
+                                      bool ignoreErrors,
+                                      virFirewallQueryCallback cb,
+                                      void *opaque,
+                                      ...)
     G_GNUC_NULL_TERMINATED;
 
-void virFirewallRemoveRule(virFirewall *firewall,
-                           virFirewallRule *rule);
+void virFirewallRemoveCmd(virFirewall *firewall,
+                          virFirewallCmd *rule);
 
-void virFirewallRuleAddArg(virFirewall *firewall,
-                           virFirewallRule *rule,
-                           const char *arg)
+void virFirewallCmdAddArg(virFirewall *firewall,
+                          virFirewallCmd *rule,
+                          const char *arg)
     ATTRIBUTE_NONNULL(3);
 
-void virFirewallRuleAddArgFormat(virFirewall *firewall,
-                                 virFirewallRule *rule,
-                                 const char *fmt, ...)
+void virFirewallCmdAddArgFormat(virFirewall *firewall,
+                                virFirewallCmd *rule,
+                                const char *fmt, ...)
     ATTRIBUTE_NONNULL(3) G_GNUC_PRINTF(3, 4);
 
-void virFirewallRuleAddArgSet(virFirewall *firewall,
-                              virFirewallRule *rule,
-                              const char *const *args)
+void virFirewallCmdAddArgSet(virFirewall *firewall,
+                             virFirewallCmd *rule,
+                             const char *const *args)
     ATTRIBUTE_NONNULL(3);
 
-void virFirewallRuleAddArgList(virFirewall *firewall,
-                               virFirewallRule *rule,
-                               ...)
+void virFirewallCmdAddArgList(virFirewall *firewall,
+                              virFirewallCmd *rule,
+                              ...)
     G_GNUC_NULL_TERMINATED;
 
-size_t virFirewallRuleGetArgCount(virFirewallRule *rule);
+size_t virFirewallCmdGetArgCount(virFirewallCmd *rule);
 
-char *virFirewallRuleToString(const char *cmd,
-                              virFirewallRule *rule);
+char *virFirewallCmdToString(const char *cmd,
+                             virFirewallCmd *rule);
 
 typedef enum {
     /* Ignore all errors when applying rules, so no
diff --git a/tests/virfirewalltest.c b/tests/virfirewalltest.c
index e676a434c8..45bb67cb21 100644
--- a/tests/virfirewalltest.c
+++ b/tests/virfirewalltest.c
@@ -74,15 +74,15 @@ testFirewallSingleGroup(const void *opaque G_GNUC_UNUSED)
 
     virFirewallStartTransaction(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "192.168.122.1",
-                       "--jump", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "192.168.122.1",
+                      "--jump", "ACCEPT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "!192.168.122.1",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "!192.168.122.1",
+                      "--jump", "REJECT", NULL);
 
     if (virFirewallApply(fw) < 0)
         return -1;
@@ -107,28 +107,28 @@ testFirewallRemoveRule(const void *opaque G_GNUC_UNUSED)
     const char *expected =
         IPTABLES " -w -A INPUT --source 192.168.122.1 --jump ACCEPT\n"
         IPTABLES " -w -A INPUT --source '!192.168.122.1' --jump REJECT\n";
-    virFirewallRule *fwrule;
+    virFirewallCmd *fwrule;
     g_autoptr(virCommandDryRunToken) dryRunToken = virCommandDryRunTokenNew();
 
     virCommandSetDryRun(dryRunToken, &cmdbuf, false, false, NULL, NULL);
 
     virFirewallStartTransaction(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "192.168.122.1",
-                       "--jump", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "192.168.122.1",
+                      "--jump", "ACCEPT", NULL);
 
-    fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                                "-A", "INPUT", NULL);
-    virFirewallRuleAddArg(fw, fwrule, "--source");
-    virFirewallRemoveRule(fw, fwrule);
+    fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                               "-A", "INPUT", NULL);
+    virFirewallCmdAddArg(fw, fwrule, "--source");
+    virFirewallRemoveCmd(fw, fwrule);
 
-    fwrule = virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                                "-A", "INPUT", NULL);
-    virFirewallRuleAddArg(fw, fwrule, "--source");
-    virFirewallRuleAddArgFormat(fw, fwrule, "%s", "!192.168.122.1");
-    virFirewallRuleAddArgList(fw, fwrule, "--jump", "REJECT", NULL);
+    fwrule = virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                               "-A", "INPUT", NULL);
+    virFirewallCmdAddArg(fw, fwrule, "--source");
+    virFirewallCmdAddArgFormat(fw, fwrule, "%s", "!192.168.122.1");
+    virFirewallCmdAddArgList(fw, fwrule, "--jump", "REJECT", NULL);
 
     if (virFirewallApply(fw) < 0)
         return -1;
@@ -161,26 +161,26 @@ testFirewallManyGroups(const void *opaque G_GNUC_UNUSED)
 
     virFirewallStartTransaction(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "192.168.122.1",
-                       "--jump", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "192.168.122.1",
+                      "--jump", "ACCEPT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "!192.168.122.1",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "!192.168.122.1",
+                      "--jump", "REJECT", NULL);
 
     virFirewallStartTransaction(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "OUTPUT",
-                       "--source", "192.168.122.1",
-                       "--jump", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "OUTPUT",
+                      "--source", "192.168.122.1",
+                      "--jump", "ACCEPT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "OUTPUT",
-                       "--jump", "DROP", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "OUTPUT",
+                      "--jump", "DROP", NULL);
 
 
     if (virFirewallApply(fw) < 0)
@@ -235,26 +235,26 @@ testFirewallIgnoreFailGroup(const void *opaque G_GNUC_UNUSED)
 
     virFirewallStartTransaction(fw, VIR_FIREWALL_TRANSACTION_IGNORE_ERRORS);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "192.168.122.1",
-                       "--jump", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "192.168.122.1",
+                      "--jump", "ACCEPT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "192.168.122.255",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "192.168.122.255",
+                      "--jump", "REJECT", NULL);
 
     virFirewallStartTransaction(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "OUTPUT",
-                       "--source", "192.168.122.1",
-                       "--jump", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "OUTPUT",
+                      "--source", "192.168.122.1",
+                      "--jump", "ACCEPT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "OUTPUT",
-                       "--jump", "DROP", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "OUTPUT",
+                      "--jump", "DROP", NULL);
 
 
     if (virFirewallApply(fw) < 0)
@@ -288,25 +288,25 @@ testFirewallIgnoreFailRule(const void *opaque G_GNUC_UNUSED)
 
     virFirewallStartTransaction(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "192.168.122.1",
-                       "--jump", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "192.168.122.1",
+                      "--jump", "ACCEPT", NULL);
 
-    virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
-                           true, NULL, NULL,
-                           "-A", "INPUT",
-                           "--source", "192.168.122.255",
-                           "--jump", "REJECT", NULL);
+    virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4,
+                          true, NULL, NULL,
+                          "-A", "INPUT",
+                          "--source", "192.168.122.255",
+                          "--jump", "REJECT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "OUTPUT",
-                       "--source", "192.168.122.1",
-                       "--jump", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "OUTPUT",
+                      "--source", "192.168.122.1",
+                      "--jump", "ACCEPT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "OUTPUT",
-                       "--jump", "DROP", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "OUTPUT",
+                      "--jump", "DROP", NULL);
 
 
     if (virFirewallApply(fw) < 0)
@@ -338,20 +338,20 @@ testFirewallNoRollback(const void *opaque G_GNUC_UNUSED)
 
     virFirewallStartTransaction(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "192.168.122.1",
-                       "--jump", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "192.168.122.1",
+                      "--jump", "ACCEPT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "192.168.122.255",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "192.168.122.255",
+                      "--jump", "REJECT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "!192.168.122.1",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "!192.168.122.1",
+                      "--jump", "REJECT", NULL);
 
     if (virFirewallApply(fw) == 0) {
         fprintf(stderr, "Firewall apply unexpectedly worked\n");
@@ -386,37 +386,37 @@ testFirewallSingleRollback(const void *opaque G_GNUC_UNUSED)
 
     virFirewallStartTransaction(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "192.168.122.1",
-                       "--jump", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "192.168.122.1",
+                      "--jump", "ACCEPT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "192.168.122.255",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "192.168.122.255",
+                      "--jump", "REJECT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "!192.168.122.1",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "!192.168.122.1",
+                      "--jump", "REJECT", NULL);
 
     virFirewallStartRollback(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-D", "INPUT",
-                       "--source", "192.168.122.1",
-                       "--jump", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-D", "INPUT",
+                      "--source", "192.168.122.1",
+                      "--jump", "ACCEPT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-D", "INPUT",
-                       "--source", "192.168.122.255",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-D", "INPUT",
+                      "--source", "192.168.122.255",
+                      "--jump", "REJECT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-D", "INPUT",
-                       "--source", "!192.168.122.1",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-D", "INPUT",
+                      "--source", "!192.168.122.1",
+                      "--jump", "REJECT", NULL);
 
     if (virFirewallApply(fw) == 0) {
         fprintf(stderr, "Firewall apply unexpectedly worked\n");
@@ -450,41 +450,41 @@ testFirewallManyRollback(const void *opaque G_GNUC_UNUSED)
 
     virFirewallStartTransaction(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "192.168.122.1",
-                       "--jump", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "192.168.122.1",
+                      "--jump", "ACCEPT", NULL);
 
     virFirewallStartRollback(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-D", "INPUT",
-                       "--source", "192.168.122.1",
-                       "--jump", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-D", "INPUT",
+                      "--source", "192.168.122.1",
+                      "--jump", "ACCEPT", NULL);
 
     virFirewallStartTransaction(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "192.168.122.255",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "192.168.122.255",
+                      "--jump", "REJECT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "!192.168.122.1",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "!192.168.122.1",
+                      "--jump", "REJECT", NULL);
 
     virFirewallStartRollback(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-D", "INPUT",
-                       "--source", "192.168.122.255",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-D", "INPUT",
+                      "--source", "192.168.122.255",
+                      "--jump", "REJECT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-D", "INPUT",
-                       "--source", "!192.168.122.1",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-D", "INPUT",
+                      "--source", "!192.168.122.1",
+                      "--jump", "REJECT", NULL);
 
     if (virFirewallApply(fw) == 0) {
         fprintf(stderr, "Firewall apply unexpectedly worked\n");
@@ -522,67 +522,67 @@ testFirewallChainedRollback(const void *opaque G_GNUC_UNUSED)
 
     virFirewallStartTransaction(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "192.168.122.1",
-                       "--jump", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "192.168.122.1",
+                      "--jump", "ACCEPT", NULL);
 
     virFirewallStartRollback(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-D", "INPUT",
-                       "--source", "192.168.122.1",
-                       "--jump", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-D", "INPUT",
+                      "--source", "192.168.122.1",
+                      "--jump", "ACCEPT", NULL);
 
 
     virFirewallStartTransaction(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "192.168.122.127",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "192.168.122.127",
+                      "--jump", "REJECT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "!192.168.122.1",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "!192.168.122.1",
+                      "--jump", "REJECT", NULL);
 
     virFirewallStartRollback(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-D", "INPUT",
-                       "--source", "192.168.122.127",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-D", "INPUT",
+                      "--source", "192.168.122.127",
+                      "--jump", "REJECT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-D", "INPUT",
-                       "--source", "!192.168.122.1",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-D", "INPUT",
+                      "--source", "!192.168.122.1",
+                      "--jump", "REJECT", NULL);
 
 
     virFirewallStartTransaction(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "192.168.122.255",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "192.168.122.255",
+                      "--jump", "REJECT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "!192.168.122.1",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "!192.168.122.1",
+                      "--jump", "REJECT", NULL);
 
     virFirewallStartRollback(fw, VIR_FIREWALL_ROLLBACK_INHERIT_PREVIOUS);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-D", "INPUT",
-                       "--source", "192.168.122.255",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-D", "INPUT",
+                      "--source", "192.168.122.255",
+                      "--jump", "REJECT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-D", "INPUT",
-                       "--source", "!192.168.122.1",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-D", "INPUT",
+                      "--source", "!192.168.122.1",
+                      "--jump", "REJECT", NULL);
 
     if (virFirewallApply(fw) == 0) {
         fprintf(stderr, "Firewall apply unexpectedly worked\n");
@@ -656,10 +656,10 @@ testFirewallQueryCallback(virFirewall *fw,
                           void *opaque G_GNUC_UNUSED)
 {
     size_t i;
-    virFirewallAddRule(fw, layer,
-                       "-A", "INPUT",
-                       "--source", "!192.168.122.129",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, layer,
+                      "-A", "INPUT",
+                      "--source", "!192.168.122.129",
+                      "--jump", "REJECT", NULL);
 
     for (i = 0; lines[i] != NULL; i++) {
         if (expectedLineNum >= G_N_ELEMENTS(expectedLines)) {
@@ -703,46 +703,46 @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED)
 
     virFirewallStartTransaction(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "192.168.122.1",
-                       "--jump", "ACCEPT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "192.168.122.1",
+                      "--jump", "ACCEPT", NULL);
 
     virFirewallStartTransaction(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "192.168.122.127",
-                       "--jump", "REJECT", NULL);
-
-    virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
-                           false,
-                           testFirewallQueryCallback,
-                           NULL,
-                           "-L", NULL);
-    virFirewallAddRuleFull(fw, VIR_FIREWALL_LAYER_IPV4,
-                           false,
-                           testFirewallQueryCallback,
-                           NULL,
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "192.168.122.127",
+                      "--jump", "REJECT", NULL);
+
+    virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4,
+                          false,
+                          testFirewallQueryCallback,
+                          NULL,
+                          "-L", NULL);
+    virFirewallAddCmdFull(fw, VIR_FIREWALL_LAYER_IPV4,
+                          false,
+                          testFirewallQueryCallback,
+                          NULL,
                            "-t", "nat", "-L", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "192.168.122.130",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "192.168.122.130",
+                      "--jump", "REJECT", NULL);
 
 
     virFirewallStartTransaction(fw, 0);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "192.168.122.128",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "192.168.122.128",
+                      "--jump", "REJECT", NULL);
 
-    virFirewallAddRule(fw, VIR_FIREWALL_LAYER_IPV4,
-                       "-A", "INPUT",
-                       "--source", "!192.168.122.1",
-                       "--jump", "REJECT", NULL);
+    virFirewallAddCmd(fw, VIR_FIREWALL_LAYER_IPV4,
+                      "-A", "INPUT",
+                      "--source", "!192.168.122.1",
+                      "--jump", "REJECT", NULL);
 
     if (virFirewallApply(fw) < 0)
         return -1;
-- 
2.44.0
_______________________________________________
Devel mailing list -- devel@xxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxx




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux