[PATCH] network: add more firewall test cases

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This patch adds some previously missing test cases that test for
proper firewall rule creation when the following are included in the
network definition:

* <forward dev='blah'>
* no forward element (an "isolated" network)
* nat port range when only ipv4 is nat-ed
* nat port range when both ipv4 & ipv6 are nated

Signed-off-by: Laine Stump <laine@xxxxxxxxxx>
---

If you ack this, please also push it, as I'm on vacation and only
sporadically connected.

 .../forward-dev-linux.iptables                | 154 +++++++
 .../forward-dev-linux.nftables                | 158 +++++++
 tests/networkxml2firewalldata/forward-dev.xml |  10 +
 .../isolated-linux.iptables                   | 159 ++++++++
 .../isolated-linux.nftables                   |  64 +++
 tests/networkxml2firewalldata/isolated.xml    |  15 +
 .../nat-port-range-ipv6-linux.iptables        | 317 ++++++++++++++
 .../nat-port-range-ipv6-linux.nftables        | 386 ++++++++++++++++++
 .../nat-port-range-ipv6.xml                   |  20 +
 .../nat-port-range-linux.iptables             | 283 +++++++++++++
 .../nat-port-range-linux.nftables             | 314 ++++++++++++++
 .../nat-port-range.xml                        |  20 +
 tests/networkxml2firewalltest.c               |   5 +
 13 files changed, 1905 insertions(+)
 create mode 100644 tests/networkxml2firewalldata/forward-dev-linux.iptables
 create mode 100644 tests/networkxml2firewalldata/forward-dev-linux.nftables
 create mode 100644 tests/networkxml2firewalldata/forward-dev.xml
 create mode 100644 tests/networkxml2firewalldata/isolated-linux.iptables
 create mode 100644 tests/networkxml2firewalldata/isolated-linux.nftables
 create mode 100644 tests/networkxml2firewalldata/isolated.xml
 create mode 100644 tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptables
 create mode 100644 tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables
 create mode 100644 tests/networkxml2firewalldata/nat-port-range-ipv6.xml
 create mode 100644 tests/networkxml2firewalldata/nat-port-range-linux.iptables
 create mode 100644 tests/networkxml2firewalldata/nat-port-range-linux.nftables
 create mode 100644 tests/networkxml2firewalldata/nat-port-range.xml

diff --git a/tests/networkxml2firewalldata/forward-dev-linux.iptables b/tests/networkxml2firewalldata/forward-dev-linux.iptables
new file mode 100644
index 0000000000..bc483c4512
--- /dev/null
+++ b/tests/networkxml2firewalldata/forward-dev-linux.iptables
@@ -0,0 +1,154 @@
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.122.0/24 \
+--in-interface virbr0 \
+--out-interface enp0s7 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.122.0/24 \
+--in-interface enp0s7 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 \
+--out-interface enp0s7 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p udp '!' \
+--destination 192.168.122.0/24 \
+--out-interface enp0s7 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p tcp '!' \
+--destination 192.168.122.0/24 \
+--out-interface enp0s7 \
+--jump MASQUERADE \
+--to-ports 1024-65535
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--out-interface enp0s7 \
+--source 192.168.122.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--out-interface enp0s7 \
+--source 192.168.122.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+iptables \
+-w \
+--table mangle \
+--insert LIBVIRT_PRT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump CHECKSUM \
+--checksum-fill
diff --git a/tests/networkxml2firewalldata/forward-dev-linux.nftables b/tests/networkxml2firewalldata/forward-dev-linux.nftables
new file mode 100644
index 0000000000..8badb74beb
--- /dev/null
+++ b/tests/networkxml2firewalldata/forward-dev-linux.nftables
@@ -0,0 +1,158 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_output \
+iif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_cross \
+iif \
+virbr0 \
+oif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_output \
+ip \
+saddr \
+192.168.122.0/24 \
+iif \
+virbr0 \
+oifname \
+enp0s7 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_input \
+iifname \
+enp0s7 \
+oif \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+oifname \
+enp0s7 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+oifname \
+enp0s7 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+oifname \
+enp0s7 \
+counter \
+masquerade \
+to \
+:1024-65535
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+oifname \
+enp0s7 \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+oifname \
+enp0s7 \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
diff --git a/tests/networkxml2firewalldata/forward-dev.xml b/tests/networkxml2firewalldata/forward-dev.xml
new file mode 100644
index 0000000000..8e49d3984d
--- /dev/null
+++ b/tests/networkxml2firewalldata/forward-dev.xml
@@ -0,0 +1,10 @@
+<network>
+  <name>default</name>
+  <bridge name="virbr0"/>
+  <forward mode='nat' dev='enp0s7'/>
+  <ip address="192.168.122.1" netmask="255.255.255.0">
+    <dhcp>
+      <range start="192.168.122.2" end="192.168.122.254"/>
+    </dhcp>
+  </ip>
+</network>
diff --git a/tests/networkxml2firewalldata/isolated-linux.iptables b/tests/networkxml2firewalldata/isolated-linux.iptables
new file mode 100644
index 0000000000..135189ce41
--- /dev/null
+++ b/tests/networkxml2firewalldata/isolated-linux.iptables
@@ -0,0 +1,159 @@
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 547 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 546 \
+--jump ACCEPT
+iptables \
+-w \
+--table mangle \
+--insert LIBVIRT_PRT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump CHECKSUM \
+--checksum-fill
diff --git a/tests/networkxml2firewalldata/isolated-linux.nftables b/tests/networkxml2firewalldata/isolated-linux.nftables
new file mode 100644
index 0000000000..d1b4dac178
--- /dev/null
+++ b/tests/networkxml2firewalldata/isolated-linux.nftables
@@ -0,0 +1,64 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_output \
+iif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_cross \
+iif \
+virbr0 \
+oif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_output \
+iif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_cross \
+iif \
+virbr0 \
+oif \
+virbr0 \
+counter \
+accept
diff --git a/tests/networkxml2firewalldata/isolated.xml b/tests/networkxml2firewalldata/isolated.xml
new file mode 100644
index 0000000000..0e3bed10d1
--- /dev/null
+++ b/tests/networkxml2firewalldata/isolated.xml
@@ -0,0 +1,15 @@
+<network>
+  <name>default</name>
+  <bridge name="virbr0"/>
+  <ip address="192.168.122.1" netmask="255.255.255.0">
+    <dhcp>
+      <range start="192.168.122.2" end="192.168.122.254"/>
+    </dhcp>
+  </ip>
+  <ip address="192.168.128.1" netmask="255.255.255.0"/>
+  <ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" >
+    <dhcp>
+      <range start="2001:db8:ca2:2:1::10" end="2001:db8:ca2:2:1::ff" />
+    </dhcp>
+  </ip>
+</network>
diff --git a/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptables b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptables
new file mode 100644
index 0000000000..c2e845cc4f
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.iptables
@@ -0,0 +1,317 @@
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 547 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 546 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.122.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.122.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p udp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 500-1000
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p tcp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 500-1000
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.128.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.128.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 '!' \
+--destination 192.168.128.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+-p udp '!' \
+--destination 192.168.128.0/24 \
+--jump MASQUERADE \
+--to-ports 500-1000
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+-p tcp '!' \
+--destination 192.168.128.0/24 \
+--jump MASQUERADE \
+--to-ports 500-1000
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 2001:db8:ca2:2::/64 \
+--in-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 2001:db8:ca2:2::/64 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+ip6tables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 2001:db8:ca2:2::/64 '!' \
+--destination 2001:db8:ca2:2::/64 \
+--jump MASQUERADE
+ip6tables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 2001:db8:ca2:2::/64 \
+-p udp '!' \
+--destination 2001:db8:ca2:2::/64 \
+--jump MASQUERADE \
+--to-ports 500-1000
+ip6tables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 2001:db8:ca2:2::/64 \
+-p tcp '!' \
+--destination 2001:db8:ca2:2::/64 \
+--jump MASQUERADE \
+--to-ports 500-1000
+ip6tables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 2001:db8:ca2:2::/64 \
+--destination ff02::/16 \
+--jump RETURN
+iptables \
+-w \
+--table mangle \
+--insert LIBVIRT_PRT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump CHECKSUM \
+--checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables
new file mode 100644
index 0000000000..ceaed6fa40
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-port-range-ipv6-linux.nftables
@@ -0,0 +1,386 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_output \
+iif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_cross \
+iif \
+virbr0 \
+oif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_output \
+iif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_cross \
+iif \
+virbr0 \
+oif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_output \
+ip \
+saddr \
+192.168.122.0/24 \
+iif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_output \
+ip \
+saddr \
+192.168.128.0/24 \
+iif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+ip \
+daddr \
+192.168.128.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_output \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+iif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+ip6 \
+daddr \
+2001:db8:ca2:2::/64 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_nat \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+'!=' \
+2001:db8:ca2:2::/64 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+udp \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+'!=' \
+2001:db8:ca2:2::/64 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+tcp \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+'!=' \
+2001:db8:ca2:2::/64 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_nat \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+ip6 \
+daddr \
+ff02::/16 \
+counter \
+return
diff --git a/tests/networkxml2firewalldata/nat-port-range-ipv6.xml b/tests/networkxml2firewalldata/nat-port-range-ipv6.xml
new file mode 100644
index 0000000000..9a70764fa0
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-port-range-ipv6.xml
@@ -0,0 +1,20 @@
+<network>
+  <name>default</name>
+  <bridge name="virbr0"/>
+  <forward mode='nat'>
+    <nat ipv6='yes'>
+      <port start='500' end='1000'/>
+    </nat>
+  </forward>
+  <ip address="192.168.122.1" netmask="255.255.255.0">
+    <dhcp>
+      <range start="192.168.122.2" end="192.168.122.254"/>
+    </dhcp>
+  </ip>
+  <ip address="192.168.128.1" netmask="255.255.255.0"/>
+  <ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" >
+    <dhcp>
+      <range start="2001:db8:ca2:2:1::10" end="2001:db8:ca2:2:1::ff" />
+    </dhcp>
+  </ip>
+</network>
diff --git a/tests/networkxml2firewalldata/nat-port-range-linux.iptables b/tests/networkxml2firewalldata/nat-port-range-linux.iptables
new file mode 100644
index 0000000000..8e5c2c8193
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-port-range-linux.iptables
@@ -0,0 +1,283 @@
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 67 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--in-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--out-interface virbr0 \
+--jump REJECT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWX \
+--in-interface virbr0 \
+--out-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol tcp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 53 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_INP \
+--in-interface virbr0 \
+--protocol udp \
+--destination-port 547 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_OUT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 546 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.122.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.122.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p udp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 500-1000
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+-p tcp '!' \
+--destination 192.168.122.0/24 \
+--jump MASQUERADE \
+--to-ports 500-1000
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.122.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 192.168.128.0/24 \
+--in-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 192.168.128.0/24 \
+--out-interface virbr0 \
+--match conntrack \
+--ctstate ESTABLISHED,RELATED \
+--jump ACCEPT
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 '!' \
+--destination 192.168.128.0/24 \
+--jump MASQUERADE
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+-p udp '!' \
+--destination 192.168.128.0/24 \
+--jump MASQUERADE \
+--to-ports 500-1000
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+-p tcp '!' \
+--destination 192.168.128.0/24 \
+--jump MASQUERADE \
+--to-ports 500-1000
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+--destination 255.255.255.255/32 \
+--jump RETURN
+iptables \
+-w \
+--table nat \
+--insert LIBVIRT_PRT \
+--source 192.168.128.0/24 \
+--destination 224.0.0.0/24 \
+--jump RETURN
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWO \
+--source 2001:db8:ca2:2::/64 \
+--in-interface virbr0 \
+--jump ACCEPT
+ip6tables \
+-w \
+--table filter \
+--insert LIBVIRT_FWI \
+--destination 2001:db8:ca2:2::/64 \
+--out-interface virbr0 \
+--jump ACCEPT
+iptables \
+-w \
+--table mangle \
+--insert LIBVIRT_PRT \
+--out-interface virbr0 \
+--protocol udp \
+--destination-port 68 \
+--jump CHECKSUM \
+--checksum-fill
diff --git a/tests/networkxml2firewalldata/nat-port-range-linux.nftables b/tests/networkxml2firewalldata/nat-port-range-linux.nftables
new file mode 100644
index 0000000000..1dc37a26ec
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-port-range-linux.nftables
@@ -0,0 +1,314 @@
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_output \
+iif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_cross \
+iif \
+virbr0 \
+oif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_output \
+iif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+counter \
+reject
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_cross \
+iif \
+virbr0 \
+oif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_output \
+ip \
+saddr \
+192.168.122.0/24 \
+iif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+ip \
+daddr \
+192.168.122.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.122.0/24 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.122.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_output \
+ip \
+saddr \
+192.168.128.0/24 \
+iif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_input \
+oif \
+virbr0 \
+ip \
+daddr \
+192.168.128.0/24 \
+ct \
+state \
+related,established \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+udp \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+meta \
+l4proto \
+tcp \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+'!=' \
+192.168.128.0/24 \
+counter \
+masquerade \
+to \
+:500-1000
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+255.255.255.255/32 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip \
+libvirt_network \
+guest_nat \
+ip \
+saddr \
+192.168.128.0/24 \
+ip \
+daddr \
+224.0.0.0/24 \
+counter \
+return
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_output \
+ip6 \
+saddr \
+2001:db8:ca2:2::/64 \
+iif \
+virbr0 \
+counter \
+accept
+nft \
+-ae insert \
+rule \
+ip6 \
+libvirt_network \
+guest_input \
+ip6 \
+daddr \
+2001:db8:ca2:2::/64 \
+oif \
+virbr0 \
+counter \
+accept
diff --git a/tests/networkxml2firewalldata/nat-port-range.xml b/tests/networkxml2firewalldata/nat-port-range.xml
new file mode 100644
index 0000000000..81b29d3b72
--- /dev/null
+++ b/tests/networkxml2firewalldata/nat-port-range.xml
@@ -0,0 +1,20 @@
+<network>
+  <name>default</name>
+  <bridge name="virbr0"/>
+  <forward mode='nat'>
+    <nat>
+      <port start='500' end='1000'/>
+    </nat>
+  </forward>
+  <ip address="192.168.122.1" netmask="255.255.255.0">
+    <dhcp>
+      <range start="192.168.122.2" end="192.168.122.254"/>
+    </dhcp>
+  </ip>
+  <ip address="192.168.128.1" netmask="255.255.255.0"/>
+  <ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" >
+    <dhcp>
+      <range start="2001:db8:ca2:2:1::10" end="2001:db8:ca2:2:1::ff" />
+    </dhcp>
+  </ip>
+</network>
diff --git a/tests/networkxml2firewalltest.c b/tests/networkxml2firewalltest.c
index 4cabe39d1d..f7b87ff798 100644
--- a/tests/networkxml2firewalltest.c
+++ b/tests/networkxml2firewalltest.c
@@ -198,6 +198,11 @@ mymain(void)
     DO_TEST("nat-ipv6");
     DO_TEST("nat-ipv6-masquerade");
     DO_TEST("route-default");
+    DO_TEST("forward-dev");
+    DO_TEST("isolated");
+    DO_TEST("forward-dev");
+    DO_TEST("nat-port-range");
+    DO_TEST("nat-port-range-ipv6");
 
     return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
 }
-- 
2.45.2
[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux