This patch adds test cases for the reject, drop and accept targets.

Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxxxxxxx>

---
 scripts/nwfilter/nwfilterxml2fwallout/target-test.fwall | 61 ++++++++++++++
 scripts/nwfilter/nwfilterxml2xmlin/target-test.xml | 66 ++++++++++++++++
 scripts/nwfilter/nwfilterxml2xmlin/target-test2.xml | 18 ++++
 3 files changed, 145 insertions(+)

Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/target-test.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/target-test.xml
@@ -0,0 +1,66 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+    <all srcmacaddr='1:2:3:4:5:6'
+         dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+         dscp='2' comment='accept rule -- dir out'/>
+  </rule>
+  <rule action='drop' direction='out'>
+    <all srcmacaddr='1:2:3:4:5:6'
+         dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+         dscp='2' comment='drop rule -- dir out'/>
+  </rule>
+  <rule action='reject' direction='out'>
+    <all srcmacaddr='1:2:3:4:5:6'
+         dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+         dscp='2' comment='reject rule -- dir out'/>
+  </rule>
+  <rule action='accept' direction='in'>
+    <all srcmacaddr='1:2:3:4:5:6'
+         srcipaddr='10.1.2.3' srcipmask='22'
+         dscp='33' comment='accept rule -- dir in'/>
+  </rule>
+  <rule action='drop' direction='in'>
+    <all srcmacaddr='1:2:3:4:5:6'
+         srcipaddr='10.1.2.3' srcipmask='22'
+         dscp='33' comment='drop rule -- dir in'/>
+  </rule>
+  <rule action='reject' direction='in'>
+    <all srcmacaddr='1:2:3:4:5:6'
+         srcipaddr='10.1.2.3' srcipmask='22'
+         dscp='33' comment='reject rule -- dir in'/>
+  </rule>
+  <rule action='accept' direction='inout'>
+    <all comment='accept rule -- dir inout'/>
+  </rule>
+  <rule action='drop' direction='in'>
+    <all comment='drop rule -- dir inout'/>
+  </rule>
+  <rule action='reject' direction='in'>
+    <all comment='reject rule -- dir inout'/>
+  </rule>
+  <rule action='accept' direction='out'>
+    <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+         protocolid='arp'/>
+  </rule>
+  <rule action='drop' direction='out'>
+    <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+         protocolid='arp'/>
+  </rule>
+  <rule action='reject' direction='out'>
+    <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+         protocolid='arp'/>
+  </rule>
+  <rule action='accept' direction='in'>
+    <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+         protocolid='ipv4'/>
+  </rule>
+  <rule action='drop' direction='in'>
+    <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+         protocolid='ipv4'/>
+  </rule>
+  <rule action='reject' direction='in'>
+    <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+         protocolid='ipv4'/>
+  </rule>
+</filter>
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/target-test.fwall
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2fwallout/target-test.fwall
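Review bot: The drop and reject rules commented as "dir inout" (new-file lines 36–41) are declared with `direction='in'`, so only the accept variant actually exercises the inout direction and the drop/reject inout targets this patch sets out to cover are never generated from an inout rule. Because these three rules carry no addresses, the expected listing in target-test.fwall (`/* drop rule -- dir inout */`, `/* reject rule -- dir inout */` in both FI-vnet0 and FO-vnet0) is presumably the same for 'in' and 'inout', so the fixture would not detect the mismatch. Change the two rule headers to `<rule action='drop' direction='inout'>` and `<rule action='reject' direction='inout'>` so the comment, the input and the expected output agree, and re-capture target-test.fwall if the generated chains differ.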
@@ -0,0 +1,61 @@
+#iptables -L FI-vnet0 -n
+Chain FI-vnet0 (1 references)
+target prot opt source destination
+RETURN all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY/* accept rule -- dir out */
+DROP all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02/* drop rule -- dir out */
+REJECT all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02/* reject rule -- dir out */ reject-with icmp-port-unreachable
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL/* accept rule -- dir in */
+DROP all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21/* drop rule -- dir in */
+REJECT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21/* reject rule -- dir in */ reject-with icmp-port-unreachable
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* accept rule -- dir inout */
+DROP all -- 0.0.0.0/0 0.0.0.0/0 /* drop rule -- dir inout */
+REJECT all -- 0.0.0.0/0 0.0.0.0/0 /* reject rule -- dir inout */ reject-with icmp-port-unreachable
+#iptables -L FO-vnet0 -n
+Chain FO-vnet0 (1 references)
+target prot opt source destination
+ACCEPT all -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02state ESTABLISHED ctdir ORIGINAL/* accept rule -- dir out */
+DROP all -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02/* drop rule -- dir out */
+REJECT all -- 10.1.2.3 0.0.0.0/0 DSCP match 0x02/* reject rule -- dir out */ reject-with icmp-port-unreachable
+ACCEPT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21state NEW,ESTABLISHED ctdir REPLY/* accept rule -- dir in */
+DROP all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21/* drop rule -- dir in */
+REJECT all -- 10.1.0.0/22 0.0.0.0/0 MAC 01:02:03:04:05:06 DSCP match 0x21/* reject rule -- dir in */ reject-with icmp-port-unreachable
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 /* accept rule -- dir inout */
+DROP all -- 0.0.0.0/0 0.0.0.0/0 /* drop rule -- dir inout */
+REJECT all -- 0.0.0.0/0 0.0.0.0/0 /* reject rule -- dir inout */ reject-with icmp-port-unreachable
+#iptables -L HI-vnet0 -n
+Chain HI-vnet0 (1 references)
+target prot opt source destination
+RETURN all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02state NEW,ESTABLISHED ctdir REPLY/* accept rule -- dir out */
+DROP all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02/* drop rule -- dir out */
+REJECT all -- 0.0.0.0/0 10.1.2.3 MAC 01:02:03:04:05:06 DSCP match 0x02/* reject rule -- dir out */ reject-with icmp-port-unreachable
+RETURN all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21state ESTABLISHED ctdir ORIGINAL/* accept rule -- dir in */
+DROP all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21/* drop rule -- dir in */
+REJECT all -- 0.0.0.0/0 10.1.0.0/22 DSCP match 0x21/* reject rule -- dir in */ reject-with icmp-port-unreachable
+RETURN all -- 0.0.0.0/0 0.0.0.0/0 /* accept rule -- dir inout */
+DROP all -- 0.0.0.0/0 0.0.0.0/0 /* drop rule -- dir inout */
+REJECT all -- 0.0.0.0/0 0.0.0.0/0 /* reject rule -- dir inout */ reject-with icmp-port-unreachable
+#iptables -L libvirt-host-in -n | grep vnet0 | tr -s " "
+HI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in -n | grep vnet0 | tr -s " "
+FI-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-in-post -n | grep vnet0
+ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vnet0
+#iptables -L libvirt-out -n | grep vnet0 | tr -s " "
+FO-vnet0 all -- 0.0.0.0/0 0.0.0.0/0 [goto] PHYSDEV match --physdev-out vnet0
+#iptables -L FORWARD --line-number | grep libvirt
+1 libvirt-in all -- anywhere anywhere
+2 libvirt-out all -- anywhere anywhere
+3 libvirt-in-post all -- anywhere anywhere
+#ebtables -t nat -L PREROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
+-i vnet0 -j libvirt-I-vnet0
+#ebtables -t nat -L POSTROUTING | grep vnet0 | grep -v "^Bridge" | grep -v "^$"
+-o vnet0 -j libvirt-O-vnet0
+#ebtables -t nat -L libvirt-I-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p ARP -s 1:2:3:4:5:6 -j ACCEPT
+-p ARP -s 1:2:3:4:5:6 -j DROP
+-p ARP -s 1:2:3:4:5:6 -j DROP
+#ebtables -t nat -L libvirt-O-vnet0 | grep -v "^Bridge" | grep -v "^$"
+-p IPv4 -d aa:bb:cc:dd:ee:ff -j ACCEPT
+-p IPv4 -d aa:bb:cc:dd:ee:ff -j DROP
+-p IPv4 -d aa:bb:cc:dd:ee:ff -j DROP
+
Index: libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/target-test2.xml
===================================================================
--- /dev/null
+++ libvirt-tck/scripts/nwfilter/nwfilterxml2xmlin/target-test2.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='in'>
+    <tcp dstportstart='22' state='NONE'/>
+  </rule>
+  <rule action='accept' direction='out'>
+    <tcp srcportstart='22' state='NONE'/>
+  </rule>
+  <rule action='accept' direction='in'>
+    <tcp dstportstart='80'/>
+  </rule>
+  <rule action='reject' direction='inout'>
+    <tcp/>
+  </rule>
+  <rule action='drop' direction='inout'>
+    <all/>
+  </rule>
+</filter>
-- 
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
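Review bot: target-test2.xml is added without a matching expected-output file — the diffstat lists only target-test.fwall under nwfilterxml2fwallout — so if the harness pairs each nwfilterxml2xmlin input with a same-named .fwall file, this case is either skipped silently or fails on the missing file rather than checking the reject/drop inout rules it was written for. Either add `nwfilterxml2fwallout/target-test2.fwall` with the captured iptables and ebtables listing for this input, or state in the commit message why this input intentionally has no expected output. The file also reuses the uuid `5c6d49af-b071-6127-b4ec-6f8ed4b55335` from target-test.xml; that is presumably fine if each case is defined and undefined in turn, but worth confirming if both filters can ever be defined at the same time.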