Create a nwfilterxml2firewalltest to exercise the ebiptables_driver.applyNewRules method with a variety of different XML input files. The XML input files are taken from the libvirt-tck nwfilter tests. While the nwfilter tests verify the final state of the iptables chains, this test verifies the set of commands invoked to create the chains. 
Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 src/conf/nwfilter_params.c | 15 +
 src/conf/nwfilter_params.h | 1 +
 src/libvirt_private.syms | 2 +
 tests/Makefile.am | 7 +
 tests/nwfilterxml2firewalldata/ah-ipv6-linux.args | 20 +
 tests/nwfilterxml2firewalldata/ah-ipv6.xml | 19 +
 tests/nwfilterxml2firewalldata/ah-linux.args | 18 +
 tests/nwfilterxml2firewalldata/ah.xml | 18 +
 tests/nwfilterxml2firewalldata/all-ipv6-linux.args | 20 +
 tests/nwfilterxml2firewalldata/all-ipv6.xml | 19 +
 tests/nwfilterxml2firewalldata/all-linux.args | 18 +
 tests/nwfilterxml2firewalldata/all.xml | 18 +
 tests/nwfilterxml2firewalldata/arp-linux.args | 11 +
 tests/nwfilterxml2firewalldata/arp.xml | 32 ++
 tests/nwfilterxml2firewalldata/comment-linux.args | 49 ++
 tests/nwfilterxml2firewalldata/comment.xml | 71 +++
 .../nwfilterxml2firewalldata/conntrack-linux.args | 7 +
 tests/nwfilterxml2firewalldata/conntrack.xml | 12 +
 tests/nwfilterxml2firewalldata/esp-ipv6-linux.args | 20 +
 tests/nwfilterxml2firewalldata/esp-ipv6.xml | 19 +
 tests/nwfilterxml2firewalldata/esp-linux.args | 18 +
 tests/nwfilterxml2firewalldata/esp.xml | 18 +
 .../nwfilterxml2firewalldata/example-1-linux.args | 13 +
 tests/nwfilterxml2firewalldata/example-1.xml | 24 +
 .../nwfilterxml2firewalldata/example-2-linux.args | 20 +
 tests/nwfilterxml2firewalldata/example-2.xml | 37 ++
 tests/nwfilterxml2firewalldata/hex-data-linux.args | 28 ++
 tests/nwfilterxml2firewalldata/hex-data.xml | 56 +++
 .../icmp-direction-linux.args | 9 +
 tests/nwfilterxml2firewalldata/icmp-direction.xml | 15 +
 .../icmp-direction2-linux.args | 9 +
 tests/nwfilterxml2firewalldata/icmp-direction2.xml | 15 +
 .../icmp-direction3-linux.args | 6 +
 tests/nwfilterxml2firewalldata/icmp-direction3.xml | 10 +
 tests/nwfilterxml2firewalldata/icmp-linux.args | 9 +
 tests/nwfilterxml2firewalldata/icmp.xml | 13 +
 tests/nwfilterxml2firewalldata/icmpv6-linux.args | 12 +
 tests/nwfilterxml2firewalldata/icmpv6.xml | 19 +
 tests/nwfilterxml2firewalldata/igmp-linux.args | 18 +
 tests/nwfilterxml2firewalldata/igmp.xml | 18 +
 tests/nwfilterxml2firewalldata/ip-linux.args | 8 +
 tests/nwfilterxml2firewalldata/ip.xml | 28 ++
 tests/nwfilterxml2firewalldata/ipset-linux.args | 36 ++
 tests/nwfilterxml2firewalldata/ipset.xml | 25 +
 .../ipt-no-macspoof-linux.args | 2 +
 tests/nwfilterxml2firewalldata/ipt-no-macspoof.xml | 14 +
 tests/nwfilterxml2firewalldata/ipv6-linux.args | 20 +
 tests/nwfilterxml2firewalldata/ipv6.xml | 43 ++
 tests/nwfilterxml2firewalldata/iter1-linux.args | 18 +
 tests/nwfilterxml2firewalldata/iter1.xml | 6 +
 tests/nwfilterxml2firewalldata/iter2-linux.args | 342 +++++++++++++
 tests/nwfilterxml2firewalldata/iter2.xml | 23 +
 tests/nwfilterxml2firewalldata/iter3-linux.args | 30 ++
 tests/nwfilterxml2firewalldata/iter3.xml | 13 +
 tests/nwfilterxml2firewalldata/mac-linux.args | 8 +
 tests/nwfilterxml2firewalldata/mac.xml | 19 +
 tests/nwfilterxml2firewalldata/rarp-linux.args | 12 +
 tests/nwfilterxml2firewalldata/rarp.xml | 28 ++
 tests/nwfilterxml2firewalldata/ref-rule.xml | 18 +
 tests/nwfilterxml2firewalldata/ref.xml | 4 +
 .../nwfilterxml2firewalldata/sctp-ipv6-linux.args | 22 +
 tests/nwfilterxml2firewalldata/sctp-ipv6.xml | 22 +
 tests/nwfilterxml2firewalldata/sctp-linux.args | 20 +
 tests/nwfilterxml2firewalldata/sctp.xml | 22 +
 tests/nwfilterxml2firewalldata/stp-linux.args | 18 +
 tests/nwfilterxml2firewalldata/stp.xml | 26 +
 tests/nwfilterxml2firewalldata/target-linux.args | 75 +++
 tests/nwfilterxml2firewalldata/target.xml | 66 +++
 tests/nwfilterxml2firewalldata/target2-linux.args | 13 +
 tests/nwfilterxml2firewalldata/target2.xml | 18 +
 tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args | 22 +
 tests/nwfilterxml2firewalldata/tcp-ipv6.xml | 22 +
 tests/nwfilterxml2firewalldata/tcp-linux.args | 22 +
 tests/nwfilterxml2firewalldata/tcp.xml | 34 ++
 tests/nwfilterxml2firewalldata/udp-ipv6-linux.args | 22 +
 tests/nwfilterxml2firewalldata/udp-ipv6.xml | 22 +
 tests/nwfilterxml2firewalldata/udp-linux.args | 20 +
 tests/nwfilterxml2firewalldata/udp.xml | 22 +
 .../udplite-ipv6-linux.args | 20 +
 tests/nwfilterxml2firewalldata/udplite-ipv6.xml | 19 +
 tests/nwfilterxml2firewalldata/udplite-linux.args | 18 +
 tests/nwfilterxml2firewalldata/udplite.xml | 18 +
 tests/nwfilterxml2firewalldata/vlan-linux.args | 14 +
 tests/nwfilterxml2firewalldata/vlan.xml | 38 ++
 tests/nwfilterxml2firewalltest.c | 534 +++++++++++++++++++++
 85 files changed, 2609 insertions(+)
 create mode 100644 tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/ah-ipv6.xml
 create mode 100644 tests/nwfilterxml2firewalldata/ah-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/ah.xml
 create mode 100644 tests/nwfilterxml2firewalldata/all-ipv6-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/all-ipv6.xml
 create mode 100644 tests/nwfilterxml2firewalldata/all-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/all.xml
 create mode 100644 tests/nwfilterxml2firewalldata/arp-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/arp.xml
 create mode 100644 tests/nwfilterxml2firewalldata/comment-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/comment.xml
 create mode 100644 tests/nwfilterxml2firewalldata/conntrack-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/conntrack.xml
 create mode 100644 tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/esp-ipv6.xml
 create mode 100644 tests/nwfilterxml2firewalldata/esp-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/esp.xml
 create mode 100644 tests/nwfilterxml2firewalldata/example-1-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/example-1.xml
 create mode 100644 tests/nwfilterxml2firewalldata/example-2-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/example-2.xml
 create mode 100644 tests/nwfilterxml2firewalldata/hex-data-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/hex-data.xml
 create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction.xml
 create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction2.xml
 create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/icmp-direction3.xml
 create mode 100644 tests/nwfilterxml2firewalldata/icmp-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/icmp.xml
 create mode 100644 tests/nwfilterxml2firewalldata/icmpv6-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/icmpv6.xml
 create mode 100644 tests/nwfilterxml2firewalldata/igmp-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/igmp.xml
 create mode 100644 tests/nwfilterxml2firewalldata/ip-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/ip.xml
 create mode 100644 tests/nwfilterxml2firewalldata/ipset-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/ipset.xml
 create mode 100644 tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/ipt-no-macspoof.xml
 create mode 100644 tests/nwfilterxml2firewalldata/ipv6-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/ipv6.xml
 create mode 100644 tests/nwfilterxml2firewalldata/iter1-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/iter1.xml
 create mode 100644 tests/nwfilterxml2firewalldata/iter2-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/iter2.xml
 create mode 100644 tests/nwfilterxml2firewalldata/iter3-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/iter3.xml
 create mode 100644 tests/nwfilterxml2firewalldata/mac-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/mac.xml
 create mode 100644 tests/nwfilterxml2firewalldata/rarp-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/rarp.xml
 create mode 100644 tests/nwfilterxml2firewalldata/ref-rule.xml
 create mode 100644 tests/nwfilterxml2firewalldata/ref.xml
 create mode 100644 tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/sctp-ipv6.xml
 create mode 100644 tests/nwfilterxml2firewalldata/sctp-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/sctp.xml
 create mode 100644 tests/nwfilterxml2firewalldata/stp-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/stp.xml
 create mode 100644 tests/nwfilterxml2firewalldata/target-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/target.xml
 create mode 100644 tests/nwfilterxml2firewalldata/target2-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/target2.xml
 create mode 100644 tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/tcp-ipv6.xml
 create mode 100644 tests/nwfilterxml2firewalldata/tcp-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/tcp.xml
 create mode 100644 tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/udp-ipv6.xml
 create mode 100644 tests/nwfilterxml2firewalldata/udp-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/udp.xml
 create mode 100644 tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/udplite-ipv6.xml
 create mode 100644 tests/nwfilterxml2firewalldata/udplite-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/udplite.xml
 create mode 100644 tests/nwfilterxml2firewalldata/vlan-linux.args
 create mode 100644 tests/nwfilterxml2firewalldata/vlan.xml
 create mode 100644 tests/nwfilterxml2firewalltest.c
diff --git a/src/conf/nwfilter_params.c b/src/conf/nwfilter_params.c
index 7655033..ac4d4a8 100644
--- a/src/conf/nwfilter_params.c
+++ b/src/conf/nwfilter_params.c
@@ -252,6 +252,21 @@ virNWFilterVarValueAddValue(virNWFilterVarValuePtr val, char *value)
     return rc;
 }
 
+
+int
+virNWFilterVarValueAddValueCopy(virNWFilterVarValuePtr val, const char *value)
+{
+    char *valdup;
+    if (VIR_STRDUP(valdup, value) < 0)
+        return -1;
+    if (virNWFilterVarValueAddValue(val, valdup) < 0) {
+        VIR_FREE(valdup);
+        return -1;
+    }
+    return 0;
+}
+
+
 static int
 virNWFilterVarValueDelNthValue(virNWFilterVarValuePtr val, unsigned int pos)
 {
diff --git a/src/conf/nwfilter_params.h b/src/conf/nwfilter_params.h
index f9efc42..08e448f 100644
--- a/src/conf/nwfilter_params.h
+++ b/src/conf/nwfilter_params.h
@@ -60,6 +60,7 @@ unsigned int virNWFilterVarValueGetCardinality(const virNWFilterVarValue *);
 bool virNWFilterVarValueEqual(const virNWFilterVarValue *a,
                               const virNWFilterVarValue *b);
 int virNWFilterVarValueAddValue(virNWFilterVarValuePtr val, char *value);
+int virNWFilterVarValueAddValueCopy(virNWFilterVarValuePtr val, const char *value);
 int virNWFilterVarValueDelValue(virNWFilterVarValuePtr val, const char *value);
 
 typedef struct _virNWFilterHashTable virNWFilterHashTable;
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 18be0e1..67edd20 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -578,6 +578,7 @@ virNWFilterConfLayerInit;
 virNWFilterConfLayerShutdown;
 virNWFilterDefFormat;
 virNWFilterDefFree;
+virNWFilterDefParseFile;
 virNWFilterDefParseString;
 virNWFilterInstFiltersOnAllVMs;
 virNWFilterJumpTargetTypeToString;
@@ -630,6 +631,7 @@ virNWFilterVarCombIterFree;
 virNWFilterVarCombIterGetVarValue;
 virNWFilterVarCombIterNext;
 virNWFilterVarValueAddValue;
+virNWFilterVarValueAddValueCopy;
 virNWFilterVarValueCopy;
 virNWFilterVarValueCreateSimple;
 virNWFilterVarValueCreateSimpleCopyValue;
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 9547c02..4a71f37 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
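Review bot: virNWFilterVarValueAddValueCopy frees `valdup` when virNWFilterVarValueAddValue fails, which is only correct if the callee leaves ownership of `value` with the caller on its error path; only the `return rc;` tail of virNWFilterVarValueAddValue is visible in this hunk, so please confirm it does not free `value` itself on failure, otherwise the new function double-frees. The function also lacks a header comment stating the ownership contract that distinguishes it from the non-copy variant, which is exactly the detail a caller needs to pick the right one. I would add above the definition: `/* Like virNWFilterVarValueAddValue(), but duplicates @value so the caller keeps ownership of the string it passed in. Returns 0 on success, -1 if the copy could not be allocated or the value could not be added. */`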
@@ -270,6 +270,7 @@ test_programs += nwfilterxml2xmltest
 
 if WITH_NWFILTER
 test_programs += nwfilterebiptablestest
+test_programs += nwfilterxml2firewalltest
 endif WITH_NWFILTER
 
 if WITH_STORAGE
@@ -696,6 +697,12 @@ nwfilterebiptablestest_SOURCES = \
 	nwfilterebiptablestest.c \
 	testutils.c testutils.h
 nwfilterebiptablestest_LDADD = ../src/libvirt_driver_nwfilter_impl.la $(LDADDS)
+
+nwfilterxml2firewalltest_SOURCES = \
+	nwfilterxml2firewalltest.c \
+	testutils.c testutils.h
+nwfilterxml2firewalltest_LDADD = \
+	../src/libvirt_driver_nwfilter_impl.la $(LDADDS)
 endif WITH_NWFILTER
 
 secretxml2xmltest_SOURCES = \
diff --git a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
new file mode 100644
index 0000000..aa7a70d
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
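Review bot: The new test program reads its fixtures from tests/nwfilterxml2firewalldata, but neither Makefile.am hunk adds that directory to the distribution list, so a `make dist` tarball would ship a test that cannot find its inputs unless the directory is listed elsewhere in this patch or picked up by an existing wildcard. If the file follows the pattern used for the other *data directories, the fix is one line in the `EXTRA_DIST` block: `nwfilterxml2firewalldata \`. The `_SOURCES`/`_LDADD` definitions themselves mirror nwfilterebiptablestest and look right.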
@@ -0,0 +1,20 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p ah --destination f:e:d::c:b:a/127 \
+--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p ah --destination a:b:c::/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p ah --destination a:b:c::/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p ah --destination ::10.1.2.3/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p ah --destination ::10.1.2.3/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/ah-ipv6.xml b/tests/nwfilterxml2firewalldata/ah-ipv6.xml
new file mode 100644
index 0000000..95ebbc9
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ah-ipv6.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+    <ah-ipv6 srcmacaddr='1:2:3:4:5:6'
+             dstipaddr='a:b:c::d:e:f' dstipmask='128'
+             srcipaddr='f:e:d::c:b:a' srcipmask='127'
+             dscp='2'/>
+  </rule>
+  <rule action='accept' direction='in'>
+    <ah-ipv6 srcmacaddr='1:2:3:4:5:6'
+             srcipaddr='a:b:c::' srcipmask='128'
+             dscp='33'/>
+  </rule>
+  <rule action='accept' direction='in'>
+    <ah-ipv6 srcmacaddr='1:2:3:4:5:6'
+             srcipaddr='::10.1.2.3' srcipmask='128'
+             dscp='33'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/ah-linux.args b/tests/nwfilterxml2firewalldata/ah-linux.args
new file mode 100644
index 0000000..a0f5fb6
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ah-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/iptables -A FJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p ah --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/ah.xml b/tests/nwfilterxml2firewalldata/ah.xml
new file mode 100644
index 0000000..287c10b
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ah.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+    <ah srcmacaddr='1:2:3:4:5:6'
+        dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+        dscp='2'/>
+  </rule>
+  <rule action='accept' direction='in'>
+    <ah srcmacaddr='1:2:3:4:5:6'
+        srcipaddr='10.1.2.3' srcipmask='22'
+        dscp='33'/>
+  </rule>
+  <rule action='accept' direction='in'>
+    <ah srcmacaddr='1:2:3:4:5:6'
+        srcipaddr='10.1.2.3' srcipmask='22'
+        dscp='33'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args b/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
new file mode 100644
index 0000000..6559434
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
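Review bot: The second and third rules in ah.xml are identical (`srcipaddr='10.1.2.3' srcipmask='22' dscp='33'` with the same MAC), so the third rule re-checks only what the second already proves, and ah-linux.args accordingly lists the same three commands twice. The IPv6 sibling ah-ipv6.xml varies its third rule (`srcipaddr='::10.1.2.3'`), so presumably the IPv4 fixture was meant to vary the address or use a dotted-quad mask, which would additionally cover mask-to-prefix conversion. If the duplication is deliberate because the fixture is a verbatim import from libvirt-tck, a one-line XML comment such as `<!-- duplicate of the rule above: checks that repeated rules are emitted twice -->` would spare the next reader the same question; the same applies to all.xml.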
@@ -0,0 +1,20 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p all --destination f:e:d::c:b:a/127 \
+--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p all --destination a:b:c::/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p all --destination a:b:c::/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p all --destination ::10.1.2.3/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p all --destination ::10.1.2.3/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/all-ipv6.xml b/tests/nwfilterxml2firewalldata/all-ipv6.xml
new file mode 100644
index 0000000..5cf3519
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/all-ipv6.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+    <all-ipv6 srcmacaddr='1:2:3:4:5:6'
+              dstipaddr='a:b:c::d:e:f' dstipmask='128'
+              srcipaddr='f:e:d::c:b:a' srcipmask='127'
+              dscp='2'/>
+  </rule>
+  <rule action='accept' direction='in'>
+    <all-ipv6 srcmacaddr='1:2:3:4:5:6'
+              srcipaddr='a:b:c::' srcipmask='128'
+              dscp='33'/>
+  </rule>
+  <rule action='accept' direction='in'>
+    <all-ipv6 srcmacaddr='1:2:3:4:5:6'
+              srcipaddr='::10.1.2.3' srcipmask='128'
+              dscp='33'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/all-linux.args b/tests/nwfilterxml2firewalldata/all-linux.args
new file mode 100644
index 0000000..c8116f5
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/all-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/all.xml b/tests/nwfilterxml2firewalldata/all.xml
new file mode 100644
index 0000000..a66923c
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/all.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+    <all srcmacaddr='1:2:3:4:5:6'
+         dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+         dscp='2'/>
+  </rule>
+  <rule action='accept' direction='in'>
+    <all srcmacaddr='1:2:3:4:5:6'
+         srcipaddr='10.1.2.3' srcipmask='22'
+         dscp='33'/>
+  </rule>
+  <rule action='accept' direction='in'>
+    <all srcmacaddr='1:2:3:4:5:6'
+         srcipaddr='10.1.2.3' srcipmask='22'
+         dscp='33'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/arp-linux.args b/tests/nwfilterxml2firewalldata/arp-linux.args
new file mode 100644
index 0000000..469b75a
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/arp-linux.args
@@ -0,0 +1,11 @@
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x806 --arp-htype 12 --arp-opcode 1 \
+--arp-ptype 0x22 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
+-j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 --arp-htype 255 --arp-opcode 1 --arp-ptype 0xff -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 --arp-htype 256 --arp-opcode 11 --arp-ptype 0x100 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 --arp-htype 65535 --arp-opcode 65535 --arp-ptype 0xffff -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p 0x806 --arp-gratuitous -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/arp.xml b/tests/nwfilterxml2firewalldata/arp.xml
new file mode 100644
index 0000000..d0abf94
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/arp.xml
@@ -0,0 +1,32 @@
+<filter name='tck-testcase'>
+  <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+  <rule action='accept' direction='out'>
+    <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+         protocolid='arp'
+         dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+         hwtype='12'
+         protocoltype='34'
+         opcode='Request'
+         arpsrcmacaddr='1:2:3:4:5:6'
+         arpdstmacaddr='a:b:c:d:e:f'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+    <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+         opcode='1' hwtype='255' protocoltype='255'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+    <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+         opcode='11' hwtype='256' protocoltype='256'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+    <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+         opcode='65535' hwtype='65535' protocoltype='65535' />
+  </rule>
+
+  <rule action='accept' direction='in'>
+    <arp gratuitous='true'/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/comment-linux.args b/tests/nwfilterxml2firewalldata/comment-linux.args
new file mode 100644
index 0000000..e776d22
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/comment-linux.args
@@ -0,0 +1,49 @@
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p 0x1234 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p ipv4 --ip-source 10.1.2.3/32 \
+--ip-destination 10.1.2.3/32 --ip-protocol 17 --ip-source-port 291:564 \
+--ip-destination-port 13398:17767 --ip-tos 0x32 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:80 -p ipv6 --ip6-source ::10.1.2.3/22 \
+--ip6-destination ::10.1.2.3/113 --ip6-protocol 6 --ip6-source-port 273:400 \
+--ip6-destination-port 13107:65535 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x806 --arp-htype 18 --arp-opcode 1 \
+--arp-ptype 0x56 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
+-j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \
+--state NEW,ESTABLISHED -m comment --comment 'udp rule' -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --source 10.1.2.3/32 -m dscp --dscp 34 \
+--dport 291:400 --sport 564:1092 -m state --state ESTABLISHED -m comment \
+--comment 'udp rule' -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \
+--state NEW,ESTABLISHED -m comment --comment 'udp rule' -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \
+--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -m comment \
+--comment 'tcp/ipv6 rule' -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 57 --sport 32:33 --dport 256:4369 -m state \
+--state NEW,ESTABLISHED -m comment --comment 'tcp/ipv6 rule' -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \
+--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -m comment \
+--comment 'tcp/ipv6 rule' -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p udp -m state --state ESTABLISHED -m comment \
+--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udp -m state --state NEW,ESTABLISHED -m comment \
+--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udp -m state --state ESTABLISHED -m comment \
+--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p sctp -m state --state ESTABLISHED -m comment \
+--comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p sctp -m state --state NEW,ESTABLISHED -m comment \
+--comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p sctp -m state --state ESTABLISHED -m comment \
+--comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p ah -m state --state ESTABLISHED -m comment \
+--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p ah -m state --state NEW,ESTABLISHED -m comment \
+--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p ah -m state --state ESTABLISHED -m comment \
+--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/comment.xml b/tests/nwfilterxml2firewalldata/comment.xml
new file mode 100644
index 0000000..a154a17
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/comment.xml
@@ -0,0 +1,71 @@
+<filter name='tck-testcase'>
+  <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+
+  <rule action='accept' direction='in'>
+    <mac protocolid='0x1234' comment='mac rule'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+    <ip srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+        dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+        srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
+        dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+        protocol='udp'
+        srcportstart='0x123' srcportend='0x234'
+        dstportstart='0x3456' dstportend='0x4567'
+        dscp='0x32' comment='ip rule'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+    <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
+          dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
+          srcipaddr='::10.1.2.3' srcipmask='22'
+          dstipaddr='::10.1.2.3'
+          dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
+          protocol='tcp'
+          srcportstart='0x111' srcportend='400'
+          dstportstart='0x3333' dstportend='65535' comment='ipv6 rule'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+    <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+         dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+         hwtype='0x12'
+         protocoltype='0x56'
+         opcode='Request'
+         arpsrcmacaddr='1:2:3:4:5:6'
+         arpdstmacaddr='a:b:c:d:e:f'
+         comment='arp rule'/>
+  </rule>
+
+  <rule action='accept' direction='out'>
+    <udp srcmacaddr='1:2:3:4:5:6'
+         dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+         dscp='0x22'
+         srcportstart='0x123' srcportend='400'
+         dstportstart='0x234' dstportend='0x444'
+         comment='udp rule'/>
+  </rule>
+
+  <rule action='accept' direction='in'>
+    <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+              srcipaddr='a:b:c::' srcipmask='128'
+              dscp='0x39'
+              srcportstart='0x20' srcportend='0x21'
+              dstportstart='0x100' dstportend='0x1111'
+              comment='tcp/ipv6 rule'/>
+  </rule>
+
+  <rule action='accept' direction='in'>
+    <udp-ipv6 comment='`ls`;${COLUMNS};$(ls);"test";&'3 spaces''/>
+  </rule>
+
+  <rule action='accept' direction='in'>
+    <sctp-ipv6 comment='comment with lone ', `, ", `, \, $x, and two spaces'/>
+  </rule>
+
+  <rule action='accept' direction='in'>
+    <ah-ipv6 comment='tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}'/>
+  </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/conntrack-linux.args b/tests/nwfilterxml2firewalldata/conntrack-linux.args
new file mode 100644
index 0000000..96b29ac
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/conntrack-linux.args
@@ -0,0 +1,7 @@
+/usr/sbin/iptables -A FJ-vnet0 -p icmp -m connlimit --connlimit-above 1 -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p icmp -m connlimit --connlimit-above 1 -j DROP
+/usr/sbin/iptables -A FJ-vnet0 -p tcp -m connlimit --connlimit-above 2 -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p tcp -m connlimit --connlimit-above 2 -j DROP
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state NEW,ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/conntrack.xml b/tests/nwfilterxml2firewalldata/conntrack.xml
new file mode 100644
index 0000000..0682b25
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/conntrack.xml
@@ -0,0 +1,12 @@
+<filter name='tck-testcase' chain='root'>
+  <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+  <rule action='drop' direction='out' priority='500'>
+    <icmp connlimit-above='1'/>
+  </rule>
+  <rule action='drop' direction='out' priority='500'>
+    <tcp connlimit-above='2'/>
+  </rule>
+  <rule action='accept' direction='out' priority='500'>
+    <all/>
+  </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
new file mode 100644
index 0000000..d8c3a3c
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
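Review bot: As shown here, the three injection-style comment attributes on the udp-ipv6, sctp-ipv6 and ah-ipv6 rules carry bare `'`, `"` and `&` inside single-quoted attribute values (e.g. `comment='`ls`;${COLUMNS};$(ls);"test";&'3 spaces''`), which is not well-formed XML and would be rejected by the parser before the driver is reached, so the quoting pinned in comment-linux.args would never be exercised. Presumably the committed file uses `&apos;`, `&quot;` and `&amp;` and the entities were decoded in transit, but that is worth confirming with an XML parser on the checked-in fixture, since this is the regression test for shell-metacharacter handling in user-supplied comments. A fixture whose comment contains a newline would also be valuable: the expected .args format is line-oriented, so unless the driver strips or escapes newlines an embedded one would split a single rule into two lines of output.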
@@ -0,0 +1,20 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p esp --destination f:e:d::c:b:a/127 \
+--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p esp --destination a:b:c::/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p esp --destination a:b:c::/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p esp --destination ::10.1.2.3/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p esp --destination ::10.1.2.3/128 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/esp-ipv6.xml b/tests/nwfilterxml2firewalldata/esp-ipv6.xml
new file mode 100644
index 0000000..295d0f9
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/esp-ipv6.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <esp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='128'
+ dscp='33'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/esp-linux.args b/tests/nwfilterxml2firewalldata/esp-linux.args
new file mode 100644
index 0000000..aeee6eb
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/esp-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/iptables -A FJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p esp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/esp.xml b/tests/nwfilterxml2firewalldata/esp.xml
new file mode 100644
index 0000000..1f75df1
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/esp.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <esp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <esp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/example-1-linux.args b/tests/nwfilterxml2firewalldata/example-1-linux.args
new file mode 100644
index 0000000..647980b
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/example-1-linux.args
@@ -0,0 +1,13 @@
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --sport 22 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED \
+-j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --sport 22 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p icmp -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p icmp -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all -j DROP
diff --git a/tests/nwfilterxml2firewalldata/example-1.xml b/tests/nwfilterxml2firewalldata/example-1.xml
new file mode 100644
index 0000000..ad15a98
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/example-1.xml
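Review bot: In esp.xml the second and third rules are byte-for-byte identical (`direction='in'`, `srcipaddr='10.1.2.3' srcipmask='22' dscp='33'`), and esp-linux.args accordingly expects the same three iptables lines emitted twice; igmp.xml and igmp-linux.args repeat the same pattern. If the duplication is intentional, i.e. checking that identical rules are emitted twice rather than de-duplicated, a comment should say so, e.g. `<!-- deliberate duplicate of the previous rule: both must be emitted -->`. Otherwise the third rule looks like a copy-paste that meant to use a different address or mask, as in esp-ipv6.xml where the third rule switches to `::10.1.2.3`.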
@@ -0,0 +1,24 @@
+<filter name='tck-testcase'>
+ <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+
+ <!-- allow incoming ssh connections -->
+ <rule action='accept' direction='in' priority='100'>
+ <tcp dstportstart='22'/>
+ </rule>
+
+ <!-- allow incoming ICMP (ping) packets -->
+ <rule action='accept' direction='in' priority='200'>
+ <icmp/>
+ </rule>
+
+ <!-- allow all outgoing traffic -->
+ <rule action='accept' direction='in' priority='300'>
+ <all/>
+ </rule>
+
+ <!-- drop all other traffic -->
+ <rule action='drop' direction='inout' priority='1000'>
+ <all/>
+ </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/example-2-linux.args b/tests/nwfilterxml2firewalldata/example-2-linux.args
new file mode 100644
index 0000000..445aa73
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/example-2-linux.args
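Review bot: The comment `<!-- allow all outgoing traffic -->` in example-1.xml does not match the rule beneath it, which is `direction='in'`; example-1-linux.args encodes the `in` behaviour (`FP-vnet0 -p all -m state --state NEW,ESTABLISHED -j ACCEPT`), so the comment is the part that is wrong. Either change it to `<!-- allow all incoming traffic -->` or, if the wording is kept verbatim from the libvirt-tck source, add a note that the fixture intentionally preserves the TCK text so the next reader does not "fix" the direction and break the expected output.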
@@ -0,0 +1,20 @@
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED,RELATED -m comment \
+--comment 'out: existing and related (ftp) connections' -j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED,RELATED -m comment \
+--comment 'out: existing and related (ftp) connections' -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state ESTABLISHED -m comment \
+--comment 'in: existing connections' -j ACCEPT
+/usr/sbin/iptables -A FP-vnet0 -p tcp --dport 21:22 -m state --state NEW -m comment \
+--comment 'in: ftp and ssh' -j ACCEPT
+/usr/sbin/iptables -A FP-vnet0 -p icmp -m state --state NEW -m comment \
+--comment 'in: icmp' -j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p udp --dport 53 -m state --state NEW -m comment \
+--comment 'out: DNS lookups' -j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p udp --dport 53 -m state --state NEW -m comment \
+--comment 'out: DNS lookups' -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m comment \
+--comment 'inout: drop all non-accepted traffic' -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -m comment \
+--comment 'inout: drop all non-accepted traffic' -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all -m comment \
+--comment 'inout: drop all non-accepted traffic' -j DROP
diff --git a/tests/nwfilterxml2firewalldata/example-2.xml b/tests/nwfilterxml2firewalldata/example-2.xml
new file mode 100644
index 0000000..7bda4e6
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/example-2.xml
@@ -0,0 +1,37 @@
+<filter name='tck-testcase'>
+ <uuid>0a5288ea-612c-834a-6bbf-82a03a1a3244</uuid>
+
+ <!-- VM outgoing: allow all established and related connections -->
+ <rule action='accept' direction='out' priority='100'>
+ <all state='ESTABLISHED,RELATED'
+ comment='out: existing and related (ftp) connections'/>
+ </rule>
+
+ <!-- VM incoming: allow all established connections -->
+ <rule action='accept' direction='in' priority='100'>
+ <all state='ESTABLISHED'
+ comment='in: existing connections'/>
+ </rule>
+
+ <!-- allow incoming ssh and ftp traffic -->
+ <rule action='accept' direction='in' priority='200'>
+ <tcp dstportstart='21' dstportend='22' state='NEW'
+ comment='in: ftp and ssh'/>
+ </rule>
+
+ <!-- allow incoming ICMP (ping) packets -->
+ <rule action='accept' direction='in' priority='300'>
+ <icmp state='NEW' comment='in: icmp'/>
+ </rule>
+
+ <!-- allow outgong DNS lookups -->
+ <rule action='accept' direction='out' priority='300'>
+ <udp dstportstart='53' state='NEW' comment='out: DNS lookups'/>
+ </rule>
+
+ <!-- drop all other traffic -->
+ <rule action='drop' direction='inout' priority='1000'>
+ <all comment='inout: drop all non-accepted traffic'/>
+ </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/hex-data-linux.args b/tests/nwfilterxml2firewalldata/hex-data-linux.args
new file mode 100644
index 0000000..209c863
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/hex-data-linux.args
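Review bot: Typo in the XML comment of example-2.xml: `<!-- allow outgong DNS lookups -->` should read `<!-- allow outgoing DNS lookups -->`. It is only a comment, so the generated rules are unaffected, but these fixtures double as worked examples and tend to get copied verbatim.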
@@ -0,0 +1,28 @@
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p 0x1234 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p ipv4 --ip-source 10.1.2.3/32 \
+--ip-destination 10.1.2.3/32 --ip-protocol 17 --ip-source-port 291:564 \
+--ip-destination-port 13398:17767 --ip-tos 0x32 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:80 -p ipv6 --ip6-source ::10.1.2.3/22 \
+--ip6-destination ::10.1.2.3/113 --ip6-protocol 6 --ip6-source-port 273:400 \
+--ip6-destination-port 13107:65535 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x806 --arp-htype 18 --arp-opcode 1 \
+--arp-ptype 0x56 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
+-j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --source 10.1.2.3/32 -m dscp --dscp 34 \
+--dport 291:400 --sport 564:1092 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \
+--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 57 --sport 32:33 --dport 256:4369 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \
+--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/hex-data.xml b/tests/nwfilterxml2firewalldata/hex-data.xml
new file mode 100644
index 0000000..45df451
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/hex-data.xml
@@ -0,0 +1,56 @@
+<filter name='tck-testcase'>
+ <uuid>01a992d2-f8c8-7c27-f69b-ab0a9d377379</uuid>
+
+ <rule action='accept' direction='in'>
+ <mac protocolid='0x1234'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ip srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ protocol='udp'
+ srcportstart='0x123' srcportend='0x234'
+ dstportstart='0x3456' dstportend='0x4567'
+ dscp='0x32'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
+ srcipaddr='::10.1.2.3' srcipmask='22'
+ dstipaddr='::10.1.2.3'
+ dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
+ protocol='tcp'
+ srcportstart='0x111' srcportend='400'
+ dstportstart='0x3333' dstportend='65535'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <arp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ hwtype='0x12'
+ protocoltype='0x56'
+ opcode='Request'
+ arpsrcmacaddr='1:2:3:4:5:6'
+ arpdstmacaddr='a:b:c:d:e:f'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='0x22'
+ srcportstart='0x123' srcportend='400'
+ dstportstart='0x234' dstportend='0x444'/>
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='0x39'
+ srcportstart='0x20' srcportend='0x21'
+ dstportstart='0x100' dstportend='0x1111'/>
+ </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction-linux.args b/tests/nwfilterxml2firewalldata/icmp-direction-linux.args
new file mode 100644
index 0000000..b4df953
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-direction-linux.args
@@ -0,0 +1,9 @@
+/usr/sbin/iptables -A FP-vnet0 -p icmp --icmp-type 0 -m state --state NEW,ESTABLISHED \
+-j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p icmp -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p icmp -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p icmp -j DROP
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction.xml b/tests/nwfilterxml2firewalldata/icmp-direction.xml
new file mode 100644
index 0000000..e2184e8
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-direction.xml
@@ -0,0 +1,15 @@
+<filter name='tck-testcase'>
+ <uuid>f4b3f745-d23d-2ee6-218a-d5671611229b</uuid>
+ <!-- allow incoming ICMP Echo Reply -->
+ <rule action='accept' direction='in' priority='500'>
+ <icmp type='0'/>
+ </rule>
+ <!-- allow outgoing ICMP Echo Request -->
+ <rule action='accept' direction='out' priority='500'>
+ <icmp type='8'/>
+ </rule>
+ <!-- drop all other ICMP traffic -->
+ <rule action='drop' direction='inout' priority='600'>
+ <icmp/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args b/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
new file mode 100644
index 0000000..fe1e316
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
@@ -0,0 +1,9 @@
+/usr/sbin/iptables -A FP-vnet0 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED \
+-j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p icmp --icmp-type 0 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p icmp --icmp-type 0 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p icmp -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p icmp -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p icmp -j DROP
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction2.xml b/tests/nwfilterxml2firewalldata/icmp-direction2.xml
new file mode 100644
index 0000000..a552985
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-direction2.xml
@@ -0,0 +1,15 @@
+<filter name='tck-testcase'>
+ <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+ <!-- allow incoming ICMP Echo Request -->
+ <rule action='accept' direction='in' priority='500'>
+ <icmp type='8'/>
+ </rule>
+ <!-- allow outgoing ICMP Echo Reply -->
+ <rule action='accept' direction='out' priority='500'>
+ <icmp type='0'/>
+ </rule>
+ <!-- drop all other ICMP traffic -->
+ <rule action='drop' direction='inout' priority='600'>
+ <icmp/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
new file mode 100644
index 0000000..31fa70e
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
@@ -0,0 +1,6 @@
+/usr/sbin/iptables -A FJ-vnet0 -p icmp -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p icmp -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p icmp -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all -j DROP
diff --git a/tests/nwfilterxml2firewalldata/icmp-direction3.xml b/tests/nwfilterxml2firewalldata/icmp-direction3.xml
new file mode 100644
index 0000000..c592903
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-direction3.xml
@@ -0,0 +1,10 @@
+<filter name='tck-testcase'>
+ <uuid>d6b1a2af-def6-2898-9f8d-4a74e3c39558</uuid>
+ <rule action='accept' direction='out' priority='500'>
+ <icmp/>
+ </rule>
+ <!-- drop all other traffic -->
+ <rule action='drop' direction='inout' priority='600'>
+ <all/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/icmp-linux.args b/tests/nwfilterxml2firewalldata/icmp-linux.args
new file mode 100644
index 0000000..b09941d
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp-linux.args
@@ -0,0 +1,9 @@
+/usr/sbin/iptables -A FJ-vnet0 -p icmp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 --icmp-type 12/11 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p icmp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 --icmp-type 12/11 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p icmp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 --icmp-type 255/255 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/icmp.xml b/tests/nwfilterxml2firewalldata/icmp.xml
new file mode 100644
index 0000000..fff5d42
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmp.xml
@@ -0,0 +1,13 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <icmp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2' type='12' code='11'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <icmp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' type='255' code='255'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/icmpv6-linux.args b/tests/nwfilterxml2firewalldata/icmpv6-linux.args
new file mode 100644
index 0000000..f4dd2af
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmpv6-linux.args
@@ -0,0 +1,12 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 \
+--icmpv6-type 12/11 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A HJ-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 \
+--icmpv6-type 12/11 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 --icmpv6-type 255/255 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A FP-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 33 --icmpv6-type 255/255 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/icmpv6.xml b/tests/nwfilterxml2firewalldata/icmpv6.xml
new file mode 100644
index 0000000..9d24826
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/icmpv6.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <icmpv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2' type='12' code='11'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <icmpv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33' type='255' code='255'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <icmpv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='128'
+ dscp='33' type='255' code='255'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/igmp-linux.args b/tests/nwfilterxml2firewalldata/igmp-linux.args
new file mode 100644
index 0000000..b3b3ba3
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/igmp-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/iptables -A FJ-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p igmp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/igmp.xml b/tests/nwfilterxml2firewalldata/igmp.xml
new file mode 100644
index 0000000..0f4dcd4
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/igmp.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <igmp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <igmp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <igmp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/ip-linux.args b/tests/nwfilterxml2firewalldata/ip-linux.args
new file mode 100644
index 0000000..a577a60
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ip-linux.args
@@ -0,0 +1,8 @@
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p ipv4 --ip-source 10.1.2.3/32 \
+--ip-destination 10.1.2.3/32 --ip-protocol 17 --ip-source-port 20:22 \
+--ip-destination-port 100:101 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -p ipv4 --ip-source 10.1.2.3/17 \
+--ip-destination 10.1.2.3/24 --ip-protocol 17 --ip-tos 0x3f -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p ipv4 --ip-source 10.1.2.3/31 \
+--ip-destination 10.1.2.3/25 --ip-protocol 255 --ip-tos 0x3f -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/ip.xml b/tests/nwfilterxml2firewalldata/ip.xml
new file mode 100644
index 0000000..da362a1
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ip.xml
@@ -0,0 +1,28 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ip srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ srcipaddr='10.1.2.3' srcipmask='255.255.255.255'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ protocol='udp'
+ srcportstart='20' srcportend='22'
+ dstportstart='100' dstportend='101'
+ />
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <ip srcipaddr='10.1.2.3' srcipmask='255.255.128.0'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.0'
+ protocol='17' dscp='63'
+ />
+ </rule>
+
+ <rule action='accept' direction='in'>
+ <ip srcipaddr='10.1.2.3' srcipmask='255.255.255.254'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.128'
+ protocol='255' dscp='63'
+ />
+ </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/ipset-linux.args b/tests/nwfilterxml2firewalldata/ipset-linux.args
new file mode 100644
index 0000000..4eeb208
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ipset-linux.args
@@ -0,0 +1,36 @@
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
+--match-set tck_test src,dst -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
+--match-set tck_test src,dst -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m set --match-set tck_test src,dst -m comment \
+--comment in+NONE -j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p all -m set --match-set tck_test src,dst -m comment \
+--comment out+NONE -j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p all -m set --match-set tck_test src,dst -m comment \
+--comment out+NONE -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src,dst -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
+--match-set tck_test src,dst,src -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src,dst -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src,dst -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
+--match-set tck_test src,dst,src -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src,dst -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \
+--match-set tck_test src,dst -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -m set \
+--match-set tck_test dst,src -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m set --match-set tck_test dst,src -m comment \
+--comment inout -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m set --match-set tck_test
src,dst -m comment \
+--comment inout -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m set --match-set tck_test dst,src -m comment \
+--comment inout -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/ipset.xml b/tests/nwfilterxml2firewalldata/ipset.xml
new file mode 100644
index 0000000..cc8ccc4
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ipset.xml
@@ -0,0 +1,25 @@
+<!-- #ipset help && iptables -t match-set -h && ipset list tck_test || ipset create tck_test hash:ip# -->
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <all ipset='tck_test' ipsetflags='src,dst' />
+ </rule>
+ <rule action='accept' direction='in'>
+ <all state='NONE' ipset='tck_test' ipsetflags='src,dst' comment='in+NONE'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <all state='NONE' ipset='tck_test' ipsetflags='src,dst' comment='out+NONE'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all ipset='tck_test' ipsetflags='SRC,DST,SRC' />
+ </rule>
+ <rule action='accept' direction='in'>
+ <all ipset='tck_test' ipsetflags='SRC,dSt,SRC' />
+ </rule>
+ <rule action='accept' direction='in'>
+ <all ipset='$IPSETNAME' ipsetflags='src,dst' />
+ </rule>
+ <rule action='accept' direction='inout'>
+ <all ipset='$IPSETNAME' ipsetflags='src,dst' comment='inout'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args b/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args
new file mode 100644
index 0000000..f74f449
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args
@@ -0,0 +1,2 @@
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac '!' --mac-source 12:34:56:78:9a:bc -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac '!' --mac-source aa:aa:aa:aa:aa:aa -j DROP
diff --git a/tests/nwfilterxml2firewalldata/ipt-no-macspoof.xml b/tests/nwfilterxml2firewalldata/ipt-no-macspoof.xml
new file mode 100644
index 0000000..2e8f2ce
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ipt-no-macspoof.xml
@@ -0,0 +1,14 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='drop' direction='inout'>
+ <!-- should use $MAC for MAC address, but tests would depend on VM's
+ MAC address -->
+ <all match='no' srcmacaddr='12:34:56:78:9a:bc'/>
+ </rule>
+
+ <rule action='drop' direction='in'>
+ <!-- not accepting incoming traffic from a certain MAC address -->
+ <all match='no' srcmacaddr='aa:aa:aa:aa:aa:aa'/>
+ </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/ipv6-linux.args b/tests/nwfilterxml2firewalldata/ipv6-linux.args
new file mode 100644
index 0000000..e6674f6
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ipv6-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:80 -p ipv6 --ip6-source ::10.1.2.3/22 \
+--ip6-destination ::10.1.2.3/113 --ip6-protocol 17 --ip6-source-port 20:22 \
+--ip6-destination-port 100:101 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \
+--ip6-source a:b:c::/65 --ip6-protocol 6 --ip6-destination-port 20:22 \
+--ip6-source-port 100:101 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \
+--ip6-destination a:b:c::/65 --ip6-protocol 6 --ip6-source-port 20:22 \
+--ip6-destination-port 100:101 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \
+--ip6-source a:b:c::/65 --ip6-protocol 6 --ip6-destination-port 255:256 \
+--ip6-source-port 65535:65535 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \
+--ip6-destination a:b:c::/65 --ip6-protocol 6 --ip6-source-port 255:256 \
+--ip6-destination-port 65535:65535 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \
+--ip6-source a:b:c::/65 --ip6-protocol 18 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \
+--ip6-destination a:b:c::/65 --ip6-protocol 18 -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/ipv6.xml b/tests/nwfilterxml2firewalldata/ipv6.xml
new file mode 100644
index 0000000..9f67bea
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ipv6.xml
@@ -0,0 +1,43 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <ipv6 srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:fe'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:80'
+ srcipaddr='::10.1.2.3' srcipmask='22'
+ dstipaddr='::10.1.2.3'
+ dstipmask='ffff:ffff:ffff:ffff:ffff:ffff:ffff:8000'
+ protocol='udp'
+ srcportstart='20' srcportend='22'
+ dstportstart='100' dstportend='101'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='6'
+ srcportstart='20' srcportend='22'
+ dstportstart='100' dstportend='101'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='6'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65535'
+ />
+ </rule>
+
+ <rule action='accept' direction='inout'>
+ <ipv6 srcipaddr='1::2' srcipmask='128'
+ dstipaddr='a:b:c::'
+ dstipmask='ffff:ffff:ffff:ffff:8000::'
+ protocol='18'
+ />
+ </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/iter1-linux.args b/tests/nwfilterxml2firewalldata/iter1-linux.args
new file mode 100644
index 0000000..5d8d213
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/iter1-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 2 --dport 80 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 2 --dport 90 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 2 --dport 80 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/iter1.xml b/tests/nwfilterxml2firewalldata/iter1.xml
new file mode 100644
index 0000000..c2090e6
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/iter1.xml
@@ -0,0 +1,6 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <tcp srcipaddr='$A' srcportstart='$B' dscp='2'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/iter2-linux.args b/tests/nwfilterxml2firewalldata/iter2-linux.args
new file mode 100644
index 0000000..42d9e92
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/iter2-linux.args
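Review bot: `$A` and `$B` are referenced with no definition anywhere in the fixture, so the eighteen expected rules in iter1-linux.args (1.1.1.1 with port 80, 2.2.2.2 with 90, 3.3.3.3 with 80) can only be understood with the test driver open, which is outside this hunk. A one-line XML comment naming the source of the values would make the fixture self-describing, e.g. `<!-- $A (three IPv4 addresses) and $B (ports) are supplied by the test driver; the expected output pairs them in lock-step -->`. The same gap exists in iter2.xml and iter3.xml, which additionally depend on `$C`.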
@@ -0,0 +1,342 @@ +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 80 \ +-m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 1 --dport 80 \ +-m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 80 \ +-m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 1 --sport 90 \ +-m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 1 --dport 90 \ +-m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 1 --sport 90 \ +-m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 1 --sport 80 \ +-m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 1 --dport 80 \ +-m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 1 --sport 80 \ +-m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p udp --source 1.1.1.1 -m dscp --dscp 2 --sport 80 \ +-m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p udp --destination 1.1.1.1 -m dscp --dscp 2 --dport 80 \ +-m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p udp --source 1.1.1.1 -m dscp --dscp 2 --sport 80 \ +-m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 80 \ +-m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 -m dscp --dscp 2 --dport 80 \ +-m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 80 \ +-m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A 
FJ-vnet0 -p udp --source 3.3.3.3 -m dscp --dscp 2 --sport 80 \ +-m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p udp --destination 3.3.3.3 -m dscp --dscp 2 --dport 80 \ +-m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p udp --source 3.3.3.3 -m dscp --dscp 2 --sport 80 \ +-m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p udp --source 1.1.1.1 -m dscp --dscp 2 --sport 90 \ +-m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p udp --destination 1.1.1.1 -m dscp --dscp 2 --dport 90 \ +-m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p udp --source 1.1.1.1 -m dscp --dscp 2 --sport 90 \ +-m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \ +-m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 -m dscp --dscp 2 --dport 90 \ +-m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \ +-m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p udp --source 3.3.3.3 -m dscp --dscp 2 --sport 90 \ +-m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p udp --destination 3.3.3.3 -m dscp --dscp 2 --dport 90 \ +-m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p udp --source 3.3.3.3 -m dscp --dscp 2 --sport 90 \ +-m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \ +--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 -m dscp --dscp 3 \ +--dport 80 --sport 1080 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \ +--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A 
FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \ +--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \ +--dport 80 --sport 1080 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \ +--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \ +--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 -m dscp --dscp 3 \ +--dport 80 --sport 1080 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \ +--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 90 \ +--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 -m dscp --dscp 3 \ +--dport 90 --sport 1090 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 90 \ +--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 90 \ +--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \ +--dport 90 --sport 1090 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 90 \ +--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 90 \ +--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 -m dscp --dscp 3 \ +--dport 90 --sport 1090 -m state --state ESTABLISHED -j ACCEPT 
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 90 \ +--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \ +--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 -m dscp --dscp 3 \ +--dport 80 --sport 1100 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \ +--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \ +--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \ +--dport 80 --sport 1100 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \ +--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \ +--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 -m dscp --dscp 3 \ +--dport 80 --sport 1100 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \ +--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \ +--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 -m dscp --dscp 3 \ +--dport 80 --sport 1110 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 -m dscp --dscp 3 --sport 80 \ +--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \ +--dport 1110 -m state --state 
NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \ +--dport 80 --sport 1110 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \ +--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \ +--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 -m dscp --dscp 3 \ +--dport 80 --sport 1110 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 -m dscp --dscp 3 --sport 80 \ +--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \ +--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 80 \ +--sport 1080 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \ +--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \ +--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 80 \ +--sport 1080 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \ +--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \ +--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 80 \ +--sport 1080 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \ +--dport 1080 -m 
state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \ +--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 90 \ +--sport 1080 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \ +--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \ +--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 90 \ +--sport 1080 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \ +--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \ +--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 90 \ +--sport 1080 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \ +--dport 1080 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \ +--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 80 \ +--sport 1090 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \ +--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \ +--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 80 \ 
+--sport 1090 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \ +--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \ +--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 80 \ +--sport 1090 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \ +--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \ +--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 90 \ +--sport 1090 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \ +--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \ +--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 90 \ +--sport 1090 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \ +--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \ +--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 90 \ +--sport 1090 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \ +--dport 1090 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 
\ +--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 80 \ +--sport 1100 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \ +--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \ +--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 80 \ +--sport 1100 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \ +--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \ +--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 80 \ +--sport 1100 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \ +--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \ +--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 90 \ +--sport 1100 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \ +--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \ +--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 90 \ +--sport 1100 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 
--sport 90 \ +--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \ +--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 90 \ +--sport 1100 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \ +--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \ +--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 4 --dport 80 \ +--sport 1110 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 80 \ +--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \ +--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 80 \ +--sport 1110 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 80 \ +--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \ +--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 80 \ +--sport 1110 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 80 \ +--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \ +--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m 
dscp --dscp 4 --dport 90 \ +--sport 1110 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 4 --sport 90 \ +--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \ +--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 4 --dport 90 \ +--sport 1110 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 4 --sport 90 \ +--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \ +--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 4 --dport 90 \ +--sport 1110 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 4 --sport 90 \ +--dport 1110 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p udp --source 1.1.1.1 --destination 1.1.1.1 -m dscp \ +--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p udp --destination 1.1.1.1 --source 1.1.1.1 -m dscp \ +--dscp 5 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p udp --source 1.1.1.1 --destination 1.1.1.1 -m dscp \ +--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 --destination 1.1.1.1 -m dscp \ +--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 --source 1.1.1.1 -m dscp \ +--dscp 5 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 --destination 1.1.1.1 -m dscp \ +--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p udp --source 3.3.3.3 --destination 1.1.1.1 
-m dscp \ +--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p udp --destination 3.3.3.3 --source 1.1.1.1 -m dscp \ +--dscp 5 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p udp --source 3.3.3.3 --destination 1.1.1.1 -m dscp \ +--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p udp --source 1.1.1.1 --destination 2.2.2.2 -m dscp \ +--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p udp --destination 1.1.1.1 --source 2.2.2.2 -m dscp \ +--dscp 5 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p udp --source 1.1.1.1 --destination 2.2.2.2 -m dscp \ +--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 --destination 2.2.2.2 -m dscp \ +--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 --source 2.2.2.2 -m dscp \ +--dscp 5 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 --destination 2.2.2.2 -m dscp \ +--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p udp --source 3.3.3.3 --destination 2.2.2.2 -m dscp \ +--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p udp --destination 3.3.3.3 --source 2.2.2.2 -m dscp \ +--dscp 5 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p udp --source 3.3.3.3 --destination 2.2.2.2 -m dscp \ +--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p udp --source 1.1.1.1 --destination 3.3.3.3 -m dscp \ +--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p udp --destination 1.1.1.1 --source 3.3.3.3 -m dscp \ +--dscp 5 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p udp --source 1.1.1.1 --destination 3.3.3.3 -m dscp \ +--dscp 5 -m state --state 
NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 --destination 3.3.3.3 -m dscp \ +--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 --source 3.3.3.3 -m dscp \ +--dscp 5 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 --destination 3.3.3.3 -m dscp \ +--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p udp --source 3.3.3.3 --destination 3.3.3.3 -m dscp \ +--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p udp --destination 3.3.3.3 --source 3.3.3.3 -m dscp \ +--dscp 5 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p udp --source 3.3.3.3 --destination 3.3.3.3 -m dscp \ +--dscp 5 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 1.1.1.1 --destination 1.1.1.1 -m dscp \ +--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 1.1.1.1 --source 1.1.1.1 -m dscp \ +--dscp 6 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 1.1.1.1 --destination 1.1.1.1 -m dscp \ +--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 --destination 2.2.2.2 -m dscp \ +--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 --source 2.2.2.2 -m dscp \ +--dscp 6 -m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 --destination 2.2.2.2 -m dscp \ +--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 3.3.3.3 --destination 3.3.3.3 -m dscp \ +--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 3.3.3.3 --source 3.3.3.3 -m dscp \ +--dscp 6 -m state --state ESTABLISHED -j ACCEPT 
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 3.3.3.3 --destination 3.3.3.3 -m dscp \
+--dscp 6 -m state --state NEW,ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/iter2.xml b/tests/nwfilterxml2firewalldata/iter2.xml
new file mode 100644
index 0000000..3a3174a
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/iter2.xml
@@ -0,0 +1,23 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <tcp srcipaddr='$A' srcportstart='$B[@0]' dscp='1'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <udp srcipaddr='$A[@1]' srcportstart='$B[@2]' dscp='2'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <sctp srcipaddr='$A[@1]' srcportstart='$B[@2]' dstportstart='$C[@2]'
+ dscp='3'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <tcp srcipaddr='$A[@1]' srcportstart='$B[@2]' dstportstart='$C[@3]'
+ dscp='4'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <udp srcipaddr='$A[@1]' dstipaddr='$A[@2]' dscp='5'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <sctp srcipaddr='$A' dstipaddr='$A' dscp='6'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/iter3-linux.args b/tests/nwfilterxml2firewalldata/iter3-linux.args
new file mode 100644
index 0000000..c74338c
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/iter3-linux.args
@@ -0,0 +1,30 @@
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 1 --dport 80 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 1 --dport 90 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 -m dscp --dscp 2 --dport 80 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 80 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --destination 2.2.2.2 -m dscp --dscp 2 --dport 90 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \
+-m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \
+--dport 80 --sport 1100 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \
+--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/iter3.xml b/tests/nwfilterxml2firewalldata/iter3.xml
new file mode 100644
index 0000000..47f5096
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/iter3.xml
@@ -0,0 +1,13 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <tcp srcipaddr='$A[ 0]' srcportstart='$B[ @0 ] ' dscp='1'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <udp srcipaddr='$A[1 ]' srcportstart='$B[ @2 ]' dscp='2'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <sctp srcipaddr='$A[ 1 ] ' srcportstart='$B[2 ] ' dstportstart='$C[ 2 ]'
+ dscp='3'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/mac-linux.args b/tests/nwfilterxml2firewalldata/mac-linux.args
new file mode 100644
index 0000000..d03b706
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/mac-linux.args
@@ -0,0 +1,8 @@
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
+-p 0x800 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
+-p 0x600 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
+-p 0xffff -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/mac.xml b/tests/nwfilterxml2firewalldata/mac.xml
new file mode 100644
index 0000000..2aec935
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/mac.xml
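Review bot: The stray spaces inside and after the accessor brackets — `'$A[ 0]'`, `'$B[ @0 ] '`, `'$A[ 1 ] '`, `'$B[2 ] '` — appear to be the whole point of this fixture (iter3-linux.args expects ordinary rules from them, so the variable-reference parser is presumably being checked for whitespace tolerance), but nothing in the file says so, and a trailing space inside a quoted attribute is exactly what an editor or a reformatting pass will silently remove. A comment at the top would protect the intent: `<!-- whitespace inside and after the [...] accessors is deliberate: this fixture checks that the parser tolerates it; do not tidy -->`. It would also be worth pairing one rule with a reference that has no whitespace at all, so a regression in tolerance shows up as a diff against a clean baseline rather than as a parse failure.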
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='ipv4'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='1536'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='65535'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/rarp-linux.args b/tests/nwfilterxml2firewalldata/rarp-linux.args
new file mode 100644
index 0000000..c100470
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/rarp-linux.args
@@ -0,0 +1,12 @@
+/usr/sbin/ebtables -t nat -N libvirt-J-vnet0
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8035 --arp-htype 12 --arp-opcode 1 \
+--arp-ptype 0x22 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
+-j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x8035 --arp-htype 255 --arp-opcode 1 --arp-ptype 0xff -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x8035 --arp-htype 256 --arp-opcode 11 --arp-ptype 0x100 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x8035 --arp-htype 65535 --arp-opcode 65535 --arp-ptype 0xffff -j ACCEPT
+/usr/sbin/ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0
diff --git a/tests/nwfilterxml2firewalldata/rarp.xml b/tests/nwfilterxml2firewalldata/rarp.xml
new file mode 100644
index 0000000..77c1127
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/rarp.xml
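Review bot: This is the only ebtables expectation in view that still contains the chain set-up and hook commands, `-t nat -N libvirt-J-vnet0` at the top and `-A PREROUTING -i vnet0 -j libvirt-J-vnet0` at the bottom, while mac-linux.args and ipv6-linux.args from the same driver show only the `-A libvirt-…` rule lines. The likely explanation is that the test strips the common set-up only when it appears as the full J+P pair, and rarp.xml has direction='out' rules exclusively so only the J chain is created; if that is right, the stripping is fragile and this asymmetry will confuse whoever next regenerates the fixtures. Either make the common-rule removal handle a lone chain, or record the reason next to the stripping patterns in the test driver so the extra lines here are recognisably intentional.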
@@ -0,0 +1,28 @@
+<filter name='tck-testcase'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='rarp'
+ dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ hwtype='12'
+ protocoltype='34'
+ opcode='Request'
+ arpsrcmacaddr='1:2:3:4:5:6'
+ arpdstmacaddr='a:b:c:d:e:f'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='1' hwtype='255' protocoltype='255'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='11' hwtype='256' protocoltype='256'/>
+ </rule>
+
+ <rule action='accept' direction='out'>
+ <rarp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ opcode='65535' hwtype='65535' protocoltype='65535' />
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/ref-rule.xml b/tests/nwfilterxml2firewalldata/ref-rule.xml
new file mode 100644
index 0000000..5cb2fad
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ref-rule.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase'>
+ <uuid>83011800-f663-96d6-8841-fd836b4318c6</uuid>
+ <filterref filter='clean-traffic'/>
+ <rule action='accept' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/ref.xml b/tests/nwfilterxml2firewalldata/ref.xml
new file mode 100644
index 0000000..beb46d2
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/ref.xml
@@ -0,0 +1,4 @@
+<filter name='tck-testcase'>
+ <uuid>83011800-f663-96d6-8841-fd836b4318c6</uuid>
+ <filterref filter='clean-traffic'/>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
new file mode 100644
index 0000000..956ab82
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
@@ -0,0 +1,22 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p sctp --source a:b:c::d:e:f/128 -m dscp --dscp 2 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p sctp --destination a:b:c::/128 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p sctp --destination a:b:c::/128 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p sctp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p sctp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/sctp-ipv6.xml b/tests/nwfilterxml2firewalldata/sctp-ipv6.xml
new file mode 100644
index 0000000..d1a57b8
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/sctp-ipv6.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='128'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65535'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/sctp-linux.args b/tests/nwfilterxml2firewalldata/sctp-linux.args
new file mode 100644
index 0000000..643db68
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/sctp-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/iptables -A FJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/32 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/32 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/sctp.xml b/tests/nwfilterxml2firewalldata/sctp.xml
new file mode 100644
index 0000000..c3c1000
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/sctp.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <sctp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <sctp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65535'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/stp-linux.args b/tests/nwfilterxml2firewalldata/stp-linux.args
new file mode 100644
index 0000000..4f66836
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/stp-linux.args
@@ -0,0 +1,18 @@
+/usr/sbin/ebtables -t nat -F J-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -X J-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -N J-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -d 01:80:c2:00:00:00 -j J-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -F P-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -X P-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -N P-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d 01:80:c2:00:00:00 -j P-vnet0-stp-xyz
+/usr/sbin/ebtables -t nat -A P-vnet0-stp-xyz -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d 01:80:c2:00:00:00 --stp-type 18 --stp-flags 68 -j CONTINUE
+/usr/sbin/ebtables -t nat -A J-vnet0-stp-xyz -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d 01:80:c2:00:00:00 --stp-root-pri 4660:9029 \
+--stp-root-addr 06:05:04:03:02:01/ff:ff:ff:ff:ff:ff \
+--stp-root-cost 287454020:573785173 -j RETURN
+/usr/sbin/ebtables -t nat -A P-vnet0-stp-xyz -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-d 01:80:c2:00:00:00 --stp-sender-prio 4660 --stp-sender-addr 06:05:04:03:02:01 \
+--stp-port 123:234 --stp-msg-age 5544:5555 --stp-max-age 7777:8888 \
+--stp-hello-time 12345:12346 --stp-forward-delay 54321:65432 -j DROP
diff --git a/tests/nwfilterxml2firewalldata/stp.xml b/tests/nwfilterxml2firewalldata/stp.xml
new file mode 100644
index 0000000..6b5a625
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/stp.xml
@@ -0,0 +1,26 @@
+<filter name='tck-testcase' chain='stp-xyz'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='continue' direction='in'>
+ <stp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ type='0x12' flags='0x44'/>
+ </rule>
+
+ <rule action='return' direction='out'>
+ <stp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ root-priority='0x1234' root-priority-hi='0x2345'
+ root-address="6:5:4:3:2:1" root-address-mask='ff:ff:ff:ff:ff:ff'
+ root-cost='0x11223344' root-cost-hi='0x22334455' />
+ </rule>
+
+ <rule action='reject' direction='in'>
+ <stp srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ sender-priority='0x1234'
+ sender-address="6:5:4:3:2:1"
+ port='123' port-hi='234'
+ age='5544' age-hi='5555'
+ max-age='7777' max-age-hi='8888'
+ hello-time='12345' hello-time-hi='12346'
+ forward-delay='54321' forward-delay-hi='65432'/>
+ </rule>
+
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/target-linux.args b/tests/nwfilterxml2firewalldata/target-linux.args
new file mode 100644
index 0000000..bf3b2dc
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/target-linux.args
@@ -0,0 +1,75 @@
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 -j DROP
+/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
+-p 0x806 -j DROP
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
+-p 0x800 -j ACCEPT
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
+-p 0x800 -j DROP
+/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
+-p 0x800 -j DROP
+/usr/sbin/iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -m comment \
+--comment 'accept rule -- dir out' -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -m comment --comment 'accept rule -- dir out' -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -m comment \
+--comment 'accept rule -- dir out' -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
+--comment 'drop rule -- dir out' -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 -m comment \
+--comment 'drop rule -- dir out' -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
+--comment 'drop rule -- dir out' -j DROP
+/usr/sbin/iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
+--comment 'reject rule -- dir out' -j REJECT
+/usr/sbin/iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 \
+-m comment --comment 'reject rule -- dir out' -j REJECT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
+--comment 'reject rule -- dir out' -j REJECT
+/usr/sbin/iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -m comment --comment 'accept rule -- dir in' -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -m comment \
+--comment 'accept rule -- dir in' -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m state --state ESTABLISHED -m comment --comment 'accept rule -- dir in' -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m comment --comment 'drop rule -- dir in' -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m comment --comment 'drop rule -- dir in' \
+-j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m comment --comment 'drop rule -- dir in' -j DROP
+/usr/sbin/iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m comment --comment 'reject rule -- dir in' -j REJECT
+/usr/sbin/iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/22 -m dscp --dscp 33 -m comment --comment 'reject rule -- dir in' \
+-j REJECT
+/usr/sbin/iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
+-m comment --comment 'reject rule -- dir in' -j REJECT
+/usr/sbin/iptables -A FJ-vnet0 -p all -m comment --comment 'accept rule -- dir inout' \
+-j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p all -m comment --comment 'accept rule -- dir inout' \
+-j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m comment --comment 'accept rule -- dir inout' \
+-j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p all -m comment --comment 'drop rule -- dir inout' \
+-j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -m comment --comment 'drop rule -- dir inout' \
+-j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all -m comment --comment 'drop rule -- dir inout' \
+-j DROP
+/usr/sbin/iptables -A FJ-vnet0 -p all -m comment --comment 'reject rule -- dir inout' \
+-j REJECT
+/usr/sbin/iptables -A FP-vnet0 -p all -m comment --comment 'reject rule -- dir inout' \
+-j REJECT
+/usr/sbin/iptables -A HJ-vnet0 -p all -m comment --comment 'reject rule -- dir inout' \
+-j REJECT
diff --git a/tests/nwfilterxml2firewalldata/target.xml b/tests/nwfilterxml2firewalldata/target.xml
new file mode 100644
index 0000000..aa7465b
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/target.xml
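Review bot: The second and third ebtables commands for libvirt-J-vnet0, and likewise for libvirt-P-vnet0, both pin `-j DROP`, although they correspond to the `action='drop'` and `action='reject'` mac rules of target.xml respectively, while the iptables commands for the same two actions pin `-j DROP` and `-j REJECT` separately; this fixture therefore freezes a silent downgrade of reject to drop on the ebtables path. That is most likely deliberate, since ebtables offers no REJECT target, but nothing in the test data or the commit message says so, and a reader diffing the two halves of this file will read it as a driver bug. A comment next to the target case in the test source along the lines of `/* ebtables has no REJECT target: nwfilter emits DROP for action='reject' on L2 rules, hence DROP appears twice per chain in target-linux.args */` would settle it; if the downgrade is not intended, the expectation is locking in a bug rather than catching one and should be revisited before merge. The same DROP-for-reject appears in stp-linux.args for the `action='reject'` stp rule.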
@@ -0,0 +1,66 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2' comment='accept rule -- dir out'/>
+ </rule>
+ <rule action='drop' direction='out'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2' comment='drop rule -- dir out'/>
+ </rule>
+ <rule action='reject' direction='out'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2' comment='reject rule -- dir out'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' comment='accept rule -- dir in'/>
+ </rule>
+ <rule action='drop' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' comment='drop rule -- dir in'/>
+ </rule>
+ <rule action='reject' direction='in'>
+ <all srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='22'
+ dscp='33' comment='reject rule -- dir in'/>
+ </rule>
+ <rule action='accept' direction='inout'>
+ <all comment='accept rule -- dir inout'/>
+ </rule>
+ <rule action='drop' direction='in'>
+ <all comment='drop rule -- dir inout'/>
+ </rule>
+ <rule action='reject' direction='in'>
+ <all comment='reject rule -- dir inout'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='drop' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='reject' direction='out'>
+ <mac srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='arp'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='ipv4'/>
+ </rule>
+ <rule action='drop' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='ipv4'/>
+ </rule>
+ <rule action='reject' direction='in'>
+ <mac dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff'
+ protocolid='ipv4'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/target2-linux.args b/tests/nwfilterxml2firewalldata/target2-linux.args
new file mode 100644
index 0000000..a1e4c86
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/target2-linux.args
@@ -0,0 +1,13 @@
+/usr/sbin/iptables -A FP-vnet0 -p tcp --dport 22 -j ACCEPT
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --sport 22 -j RETURN
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --sport 22 -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --sport 80 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED \
+-j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --sport 80 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp -j REJECT
+/usr/sbin/iptables -A FP-vnet0 -p tcp -j REJECT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp -j REJECT
+/usr/sbin/iptables -A FJ-vnet0 -p all -j DROP
+/usr/sbin/iptables -A FP-vnet0 -p all -j DROP
+/usr/sbin/iptables -A HJ-vnet0 -p all -j DROP
diff --git a/tests/nwfilterxml2firewalldata/target2.xml b/tests/nwfilterxml2firewalldata/target2.xml
new file mode 100644
index 0000000..c913bf5
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/target2.xml
@@ -0,0 +1,18 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='in'>
+ <tcp dstportstart='22' state='NONE'/>
+ </rule>
+ <rule action='accept' direction='out'>
+ <tcp srcportstart='22' state='NONE'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp dstportstart='80'/>
+ </rule>
+ <rule action='reject' direction='inout'>
+ <tcp/>
+ </rule>
+ <rule action='drop' direction='inout'>
+ <all/>
+ </rule>
+</filter>
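Review bot: The rules whose comments read `'drop rule -- dir inout'` and `'reject rule -- dir inout'` carry `direction='in'`, not `direction='inout'`, so the label contradicts the attribute and only the accept variant actually exercises the inout path for drop and reject. Changing them to `<rule action='drop' direction='inout'>` and `<rule action='reject' direction='inout'>` would make the fixture test what its labels claim; target-linux.args would then need regenerating if the driver emits different commands for inout, which I cannot tell from the visible output since the in-direction `<all>` rules without addresses produce the same FJ/FP/HJ triple as the accept inout rule. If `in` was intended, rename the comment strings instead so the expected-output file does not mislead anyone reading the `--comment` text.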
diff --git a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
new file mode 100644
index 0000000..836937f
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
@@ -0,0 +1,22 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p tcp --source a:b:c::d:e:f/128 -m dscp --dscp 2 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p tcp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p tcp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/tcp-ipv6.xml b/tests/nwfilterxml2firewalldata/tcp-ipv6.xml
new file mode 100644
index 0000000..d4f24f4
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/tcp-ipv6.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='128'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65535'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/tcp-linux.args b/tests/nwfilterxml2firewalldata/tcp-linux.args
new file mode 100644
index 0000000..c8e351b
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/tcp-linux.args
@@ -0,0 +1,22 @@
+/usr/sbin/iptables -A FJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/32 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/32 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p tcp --tcp-flags SYN ALL -j ACCEPT
+/usr/sbin/iptables -A FP-vnet0 -p tcp --tcp-flags SYN SYN,ACK -j ACCEPT
+/usr/sbin/iptables -A FP-vnet0 -p tcp --tcp-flags RST NONE -j ACCEPT
+/usr/sbin/iptables -A FP-vnet0 -p tcp --tcp-flags PSH NONE -j ACCEPT
diff --git a/tests/nwfilterxml2firewalldata/tcp.xml b/tests/nwfilterxml2firewalldata/tcp.xml
new file mode 100644
index 0000000..14ebd35
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/tcp.xml
@@ -0,0 +1,34 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in' statematch='false'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in' statematch='0'>
+ <tcp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65535'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp state='NONE' flags='SYN/ALL'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp state='NONE' flags='SYN/SYN,ACK'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp state='NONE' flags='RST/NONE'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <tcp state='NONE' flags='PSH/'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
new file mode 100644
index 0000000..d9e2060
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
@@ -0,0 +1,22 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udp --source a:b:c::d:e:f/128 -m dscp --dscp 2 \
+-m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \
+-j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p udp --destination ::a:b:c/128 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--source ::a:b:c/128 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udp --destination ::a:b:c/128 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p udp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 \
+-m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/udp-ipv6.xml b/tests/nwfilterxml2firewalldata/udp-ipv6.xml
new file mode 100644
index 0000000..fd4f135
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udp-ipv6.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::a:b:c' srcipmask='128'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='128'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65535'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/udp-linux.args b/tests/nwfilterxml2firewalldata/udp-linux.args
new file mode 100644
index 0000000..8638d8d
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udp-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/iptables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
+--state ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/32 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 33 \
+--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/iptables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
+--source 10.1.2.3/32 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \
+--state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/iptables -A HJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 63 \
+--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/udp.xml b/tests/nwfilterxml2firewalldata/udp.xml
new file mode 100644
index 0000000..359dfa2
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udp.xml
@@ -0,0 +1,22 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='10.1.2.3' dstipmask='255.255.255.255'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='33'
+ srcportstart='20' srcportend='21'
+ dstportstart='100' dstportend='1111'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udp srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='10.1.2.3' srcipmask='32'
+ dscp='63'
+ srcportstart='255' srcportend='256'
+ dstportstart='65535' dstportend='65535'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
new file mode 100644
index 0000000..22d37e5
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
@@ -0,0 +1,20 @@
+/usr/sbin/ip6tables -A FJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udplite --destination f:e:d::c:b:a/127 \
+--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \
+--state NEW,ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p udplite --destination a:b:c::/128 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udplite --destination a:b:c::/128 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FJ-vnet0 -p udplite --destination ::10.1.2.3/128 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
+/usr/sbin/ip6tables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \
+--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT
+/usr/sbin/ip6tables -A HJ-vnet0 -p udplite --destination ::10.1.2.3/128 -m dscp \
+--dscp 33 -m state --state ESTABLISHED -j RETURN
diff --git a/tests/nwfilterxml2firewalldata/udplite-ipv6.xml b/tests/nwfilterxml2firewalldata/udplite-ipv6.xml
new file mode 100644
index 0000000..5b941a2
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udplite-ipv6.xml
@@ -0,0 +1,19 @@
+<filter name='tck-testcase' chain='root'>
+ <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid>
+ <rule action='accept' direction='out'>
+ <udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
+ dstipaddr='a:b:c::d:e:f' dstipmask='128'
+ srcipaddr='f:e:d::c:b:a' srcipmask='127'
+ dscp='2'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='a:b:c::' srcipmask='128'
+ dscp='33'/>
+ </rule>
+ <rule action='accept' direction='in'>
+ <udplite-ipv6 srcmacaddr='1:2:3:4:5:6'
+ srcipaddr='::10.1.2.3' srcipmask='128'
+ dscp='33'/>
+ </rule>
+</filter>
diff --git a/tests/nwfilterxml2firewalldata/udplite-linux.args b/tests/nwfilterxml2firewalldata/udplite-linux.args
new file mode 100644
index 0000000..52ca3df
--- /dev/null
+++ b/tests/nwfilterxml2firewalldata/udplite-linux.args
@@ -0,0 +1,18 @@ +/usr/sbin/iptables -A FJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \ +--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p udplite --source 10.1.2.3/32 -m dscp --dscp 2 \ +-m state --state ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \ +--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \ +--dscp 33 -m state --state ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \ +--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \ +--dscp 33 -m state --state ESTABLISHED -j RETURN +/usr/sbin/iptables -A FJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \ +--dscp 33 -m state --state ESTABLISHED -j RETURN +/usr/sbin/iptables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \ +--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT +/usr/sbin/iptables -A HJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \ +--dscp 33 -m state --state ESTABLISHED -j RETURN diff --git a/tests/nwfilterxml2firewalldata/udplite.xml b/tests/nwfilterxml2firewalldata/udplite.xml new file mode 100644 index 0000000..91262fd --- /dev/null +++ b/tests/nwfilterxml2firewalldata/udplite.xml 
@@ -0,0 +1,18 @@ +<filter name='tck-testcase' chain='root'> + <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid> + <rule action='accept' direction='out'> + <udplite srcmacaddr='1:2:3:4:5:6' + dstipaddr='10.1.2.3' dstipmask='255.255.255.255' + dscp='2'/> + </rule> + <rule action='accept' direction='in'> + <udplite srcmacaddr='1:2:3:4:5:6' + srcipaddr='10.1.2.3' srcipmask='22' + dscp='33'/> + </rule> + <rule action='accept' direction='in'> + <udplite srcmacaddr='1:2:3:4:5:6' + srcipaddr='10.1.2.3' srcipmask='22' + dscp='33'/> + </rule> +</filter> diff --git a/tests/nwfilterxml2firewalldata/vlan-linux.args b/tests/nwfilterxml2firewalldata/vlan-linux.args new file mode 100644 index 0000000..6f858f1 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/vlan-linux.args @@ -0,0 +1,14 @@ +/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ +-s aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 291 -j CONTINUE +/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ +-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 291 -j CONTINUE +/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ +-s aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 1234 -j RETURN +/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ +-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 1234 -j RETURN +/usr/sbin/ebtables -t nat -A libvirt-P-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ +-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 291 -j DROP +/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ +-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-encap 2054 -j DROP +/usr/sbin/ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ +-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-encap 4660 -j ACCEPT 
diff --git a/tests/nwfilterxml2firewalldata/vlan.xml b/tests/nwfilterxml2firewalldata/vlan.xml new file mode 100644 index 0000000..a5e7b38 --- /dev/null +++ b/tests/nwfilterxml2firewalldata/vlan.xml @@ -0,0 +1,38 @@ +<filter name='tck-testcase' chain='root'> + <uuid>5c6d49af-b071-6127-b4ec-6f8ed4b55335</uuid> + <rule action='continue' direction='inout'> + <vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff' + dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff' + vlanid='0x123' + /> + </rule> + + <rule action='return' direction='inout'> + <vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff' + dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff' + vlanid='1234' + /> + </rule> + + <rule action='reject' direction='in'> + <vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff' + dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff' + vlanid='0x123' + /> + </rule> + + <rule action='drop' direction='out'> + <vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff' + dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff' + encap-protocol='arp' + /> + </rule> + + <rule action='accept' direction='out'> + <vlan srcmacaddr='1:2:3:4:5:6' srcmacmask='ff:ff:ff:ff:ff:ff' + dstmacaddr='aa:bb:cc:dd:ee:ff' dstmacmask='ff:ff:ff:ff:ff:ff' + encap-protocol='0x1234' + /> + </rule> + +</filter> diff --git a/tests/nwfilterxml2firewalltest.c b/tests/nwfilterxml2firewalltest.c new file mode 100644 index 0000000..653ac82 --- /dev/null +++ b/tests/nwfilterxml2firewalltest.c 
@@ -0,0 +1,534 @@
+/*
+ * nwfilterxml2firewalltest.c: Test iptables rule generation
+ *
+ * Copyright (C) 2014 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <config.h>
+
+#if defined (__linux__)
+
+# include "testutils.h"
+# include "nwfilter/nwfilter_ebiptables_driver.h"
+# include "virbuffer.h"
+
+# define __VIR_FIREWALL_PRIV_H_ALLOW__
+# include "virfirewallpriv.h"
+
+# define __VIR_COMMAND_PRIV_H_ALLOW__
+# include "vircommandpriv.h"
+
+# define VIR_FROM_THIS VIR_FROM_NONE
+
+static const char *abs_top_srcdir;
+
+# ifdef __linux__
+# define RULESTYPE "linux"
+# else
+# error "test case not ported to this platform"
+# endif
+
+typedef struct _virNWFilterInst virNWFilterInst;
+typedef virNWFilterInst *virNWFilterInstPtr;
+struct _virNWFilterInst {
+ virNWFilterDefPtr *filters;
+ size_t nfilters;
+ virNWFilterRuleInstPtr *rules;
+ size_t nrules;
+};
+
+/*
+ * Some sets of rules that will be common to all test files,
+ * so we don't bother including them in the test data files
+ * as that would just bloat them
+ */
+
+static const char *commonRules[] = {
+ /* Dropping ebtables rules */
+ "/usr/sbin/ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -L libvirt-P-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -F libvirt-P-vnet0\n"
+ "/usr/sbin/ebtables -t nat -X libvirt-P-vnet0\n",
+
+ /* Creating ebtables chains */
+ "/usr/sbin/ebtables -t nat -N libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -N libvirt-P-vnet0\n",
+
+ /* Dropping iptables rules */
+ "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
+ "/usr/sbin/iptables -F FP-vnet0\n"
+ "/usr/sbin/iptables -X FP-vnet0\n"
+ "/usr/sbin/iptables -F FJ-vnet0\n"
+ "/usr/sbin/iptables -X FJ-vnet0\n"
+ "/usr/sbin/iptables -F HJ-vnet0\n"
+ "/usr/sbin/iptables -X HJ-vnet0\n",
+
+ /* Creating iptables chains */
+ "/usr/sbin/iptables -N libvirt-in\n"
+ "/usr/sbin/iptables -N libvirt-out\n"
+ "/usr/sbin/iptables -N libvirt-in-post\n"
+ "/usr/sbin/iptables -N libvirt-host-in\n"
+ "/usr/sbin/iptables -D FORWARD -j libvirt-in\n"
+ "/usr/sbin/iptables -D FORWARD -j libvirt-out\n"
+ "/usr/sbin/iptables -D FORWARD -j libvirt-in-post\n"
+ "/usr/sbin/iptables -D INPUT -j libvirt-host-in\n"
+ "/usr/sbin/iptables -I FORWARD 1 -j libvirt-in\n"
+ "/usr/sbin/iptables -I FORWARD 2 -j libvirt-out\n"
+ "/usr/sbin/iptables -I FORWARD 3 -j libvirt-in-post\n"
+ "/usr/sbin/iptables -I INPUT 1 -j libvirt-host-in\n"
+ "/usr/sbin/iptables -N FP-vnet0\n"
+ "/usr/sbin/iptables -N FJ-vnet0\n"
+ "/usr/sbin/iptables -N HJ-vnet0\n"
+ "/usr/sbin/iptables -A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
+ "/usr/sbin/iptables -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
+ "/usr/sbin/iptables -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
+ "/usr/sbin/iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+ "/usr/sbin/iptables -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n",
+
+ /* Dropping ip6tables rules */
+ "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
+ "/usr/sbin/ip6tables -F FP-vnet0\n"
+ "/usr/sbin/ip6tables -X FP-vnet0\n"
+ "/usr/sbin/ip6tables -F FJ-vnet0\n"
+ "/usr/sbin/ip6tables -X FJ-vnet0\n"
+ "/usr/sbin/ip6tables -F HJ-vnet0\n"
+ "/usr/sbin/ip6tables -X HJ-vnet0\n",
+
+ /* Creating ip6tables chains */
+ "/usr/sbin/ip6tables -N libvirt-in\n"
+ "/usr/sbin/ip6tables -N libvirt-out\n"
+ "/usr/sbin/ip6tables -N libvirt-in-post\n"
+ "/usr/sbin/ip6tables -N libvirt-host-in\n"
+ "/usr/sbin/ip6tables -D FORWARD -j libvirt-in\n"
+ "/usr/sbin/ip6tables -D FORWARD -j libvirt-out\n"
+ "/usr/sbin/ip6tables -D FORWARD -j libvirt-in-post\n"
+ "/usr/sbin/ip6tables -D INPUT -j libvirt-host-in\n"
+ "/usr/sbin/ip6tables -I FORWARD 1 -j libvirt-in\n"
+ "/usr/sbin/ip6tables -I FORWARD 2 -j libvirt-out\n"
+ "/usr/sbin/ip6tables -I FORWARD 3 -j libvirt-in-post\n"
+ "/usr/sbin/ip6tables -I INPUT 1 -j libvirt-host-in\n"
+ "/usr/sbin/ip6tables -N FP-vnet0\n"
+ "/usr/sbin/ip6tables -N FJ-vnet0\n"
+ "/usr/sbin/ip6tables -N HJ-vnet0\n"
+ "/usr/sbin/ip6tables -A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
+ "/usr/sbin/ip6tables -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
+ "/usr/sbin/ip6tables -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
+ "/usr/sbin/ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+ "/usr/sbin/ip6tables -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n",
+
+ /* Inserting ebtables rules */
+ "/usr/sbin/ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
+ "/usr/sbin/ebtables -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n",
+};
+
+
+static virNWFilterHashTablePtr
+virNWFilterCreateVarsFrom(virNWFilterHashTablePtr vars1,
+ virNWFilterHashTablePtr vars2)
+{
+ virNWFilterHashTablePtr res = virNWFilterHashTableCreate(0);
+ if (!res)
+ return NULL;
+
+ if (virNWFilterHashTablePutAll(vars1, res) < 0)
+ goto err_exit;
+
+ if (virNWFilterHashTablePutAll(vars2, res) < 0)
+ goto err_exit;
+
+ return res;
+
+ err_exit:
+ virNWFilterHashTableFree(res);
+ return NULL;
+}
+
+
+static void
+virNWFilterRuleInstFree(virNWFilterRuleInstPtr inst)
+{
+ if (!inst)
+ return;
+
+ virNWFilterHashTableFree(inst->vars);
+ VIR_FREE(inst);
+}
+
+
+static void
+virNWFilterInstReset(virNWFilterInstPtr inst)
+{
+ size_t i;
+
+ for (i = 0; i < inst->nfilters; i++)
+ virNWFilterDefFree(inst->filters[i]);
+ VIR_FREE(inst->filters);
+ inst->nfilters = 0;
+
+ for (i = 0; i < inst->nrules; i++)
+ virNWFilterRuleInstFree(inst->rules[i]);
+ inst->nrules = 0;
+ VIR_FREE(inst->rules);
+}
+
+
+static int
+virNWFilterDefToInst(const char *xml,
+ virNWFilterHashTablePtr vars,
+ virNWFilterInstPtr inst);
+
+static int
+virNWFilterRuleDefToRuleInst(virNWFilterDefPtr def,
+ virNWFilterRuleDefPtr rule,
+ virNWFilterHashTablePtr vars,
+ virNWFilterInstPtr inst)
+{
+ virNWFilterRuleInstPtr ruleinst;
+ int ret = -1;
+
+ if (VIR_ALLOC(ruleinst) < 0)
+ goto cleanup;
+
+ ruleinst->chainSuffix = def->chainsuffix;
+ ruleinst->chainPriority = def->chainPriority;
+ ruleinst->def = rule;
+ ruleinst->priority = rule->priority;
+ if (!(ruleinst->vars = virNWFilterHashTableCreate(0)))
+ goto cleanup;
+ if (virNWFilterHashTablePutAll(vars, ruleinst->vars) < 0)
+ goto cleanup;
+
+ if (VIR_APPEND_ELEMENT(inst->rules,
+ inst->nrules,
+ ruleinst) < 0)
+ goto cleanup;
+ ruleinst = NULL;
+
+ ret = 0;
+ cleanup:
+ virNWFilterRuleInstFree(ruleinst);
+ return ret;
+}
+
+
+static int
+virNWFilterIncludeDefToRuleInst(virNWFilterIncludeDefPtr inc,
+ virNWFilterHashTablePtr vars,
+ virNWFilterInstPtr inst)
+{
+ virNWFilterHashTablePtr tmpvars = NULL;
+ int ret = -1;
+ char *xml;
+
+ if (virAsprintf(&xml, "%s/nwfilterxml2firewalldata/%s.xml",
+ abs_srcdir, inc->filterref) < 0)
+ return -1;
+
+ /* create a temporary hashmap for depth-first tree traversal */
+ if (!(tmpvars = virNWFilterCreateVarsFrom(inc->params,
+ vars)))
+ goto cleanup;
+
+ if (virNWFilterDefToInst(xml,
+ tmpvars,
+ inst) < 0)
+ goto cleanup;
+
+ ret = 0;
+ cleanup:
+ if (ret < 0)
+ virNWFilterInstReset(inst);
+ virNWFilterHashTableFree(tmpvars);
+ VIR_FREE(xml);
+ return ret;
+}
+
+static int
+virNWFilterDefToInst(const char *xml,
+ virNWFilterHashTablePtr vars,
+ virNWFilterInstPtr inst)
+{
+ size_t i;
+ int ret = -1;
+ virNWFilterDefPtr def = virNWFilterDefParseFile(xml);
+
+ if (!def)
+ return -1;
+
+ if (VIR_APPEND_ELEMENT_COPY(inst->filters,
+ inst->nfilters,
+ def) < 0) {
+ virNWFilterDefFree(def);
+ goto cleanup;
+ }
+
+ for (i = 0; i < def->nentries; i++) {
+ if (def->filterEntries[i]->rule) {
+ if (virNWFilterRuleDefToRuleInst(def,
+ def->filterEntries[i]->rule,
+ vars,
+ inst) < 0)
+ goto cleanup;
+ } else if (def->filterEntries[i]->include) {
+ if (virNWFilterIncludeDefToRuleInst(def->filterEntries[i]->include,
+ vars,
+ inst) < 0)
+ goto cleanup;
+ }
+ }
+
+ ret = 0;
+ cleanup:
+ if (ret < 0)
+ virNWFilterInstReset(inst);
+ return ret;
+}
+
+
+static void testRemoveCommonRules(char *rules)
+{
+ size_t i;
+ char *offset = rules;
+
+ for (i = 0; i < ARRAY_CARDINALITY(commonRules); i++) {
+ char *tmp = strstr(offset, commonRules[i]);
+ size_t len = strlen(commonRules[i]);
+ if (tmp) {
+ memmove(tmp, tmp + len, (strlen(tmp) + 1) - len);
+ offset = tmp;
+ }
+ }
+}
+
+
+static int testSetOneParameter(virNWFilterHashTablePtr vars,
+ const char *name,
+ const char *value)
+{
+ int ret = -1;
+ virNWFilterVarValuePtr val;
+
+ if ((val = virHashLookup(vars->hashTable, name)) == NULL) {
+ val = virNWFilterVarValueCreateSimpleCopyValue(value);
+ if (!val)
+ goto cleanup;
+ if (virNWFilterHashTablePut(vars, name, val) < 0) {
+ virNWFilterVarValueFree(val);
+ goto cleanup;
+ }
+ } else {
+ if (virNWFilterVarValueAddValueCopy(val, value) < 0)
+ goto cleanup;
+ }
+ ret = 0;
+ cleanup:
+ return ret;
+}
+
+static int testSetDefaultParameters(virNWFilterHashTablePtr vars)
+{
+ if (testSetOneParameter(vars, "IPSETNAME", "tck_test") < 0 ||
+ testSetOneParameter(vars, "A", "1.1.1.1") ||
+ testSetOneParameter(vars, "A", "2.2.2.2") ||
+ testSetOneParameter(vars, "A", "3.3.3.3") ||
+ testSetOneParameter(vars, "A", "3.3.3.3") ||
+ testSetOneParameter(vars, "B", "80") ||
+ testSetOneParameter(vars, "B", "90") ||
+ testSetOneParameter(vars, "B", "80") ||
+ testSetOneParameter(vars, "B", "80") ||
+ testSetOneParameter(vars, "C", "1080") ||
+ testSetOneParameter(vars, "C", "1090") ||
+ testSetOneParameter(vars, "C", "1100") ||
+ testSetOneParameter(vars, "C", "1110"))
+ return -1;
+ return 0;
+}
+
+static int testCompareXMLToArgvFiles(const char *xml,
+ const char *cmdline)
+{
+ char *expectargv = NULL;
+ int len;
+ char *actualargv = NULL;
+ virBuffer buf = VIR_BUFFER_INITIALIZER;
+ virNWFilterHashTablePtr vars = virNWFilterHashTableCreate(0);
+ virNWFilterInst inst;
+ int ret = -1;
+
+ memset(&inst, 0, sizeof(inst));
+
+ virCommandSetDryRun(&buf, NULL, NULL);
+
+ if (!vars)
+ goto cleanup;
+
+ if (testSetDefaultParameters(vars) < 0)
+ goto cleanup;
+
+ if (virNWFilterDefToInst(xml,
+ vars,
+ &inst) < 0)
+ goto cleanup;
+
+ if (ebiptables_driver.applyNewRules("vnet0", inst.rules, inst.nrules) < 0)
+ goto cleanup;
+
+ if (virBufferError(&buf))
+ goto cleanup;
+
+ actualargv = virBufferContentAndReset(&buf);
+ virCommandSetDryRun(NULL, NULL, NULL);
+
+ testRemoveCommonRules(actualargv);
+
+ len = virtTestLoadFile(cmdline, &expectargv);
+ if (len < 0)
+ goto cleanup;
+
+ if (STRNEQ(expectargv, actualargv)) {
+ virtTestDifference(stderr, expectargv, actualargv);
+ goto cleanup;
+ }
+
+ ret = 0;
+
+ cleanup:
+ virBufferFreeAndReset(&buf);
+ VIR_FREE(expectargv);
+ VIR_FREE(actualargv);
+ virNWFilterInstReset(&inst);
+ virNWFilterHashTableFree(vars);
+ return ret;
+}
+
+struct testInfo {
+ const char *name;
+};
+
+
+static int
+testCompareXMLToIPTablesHelper(const void *data)
+{
+ int result = -1;
+ const struct testInfo *info = data;
+ char *xml = NULL;
+ char *args = NULL;
+
+ if (virAsprintf(&xml, "%s/nwfilterxml2firewalldata/%s.xml",
+ abs_srcdir, info->name) < 0 ||
+ virAsprintf(&args, "%s/nwfilterxml2firewalldata/%s-%s.args",
+ abs_srcdir, info->name, RULESTYPE) < 0)
+ goto cleanup;
+
+ result = testCompareXMLToArgvFiles(xml, args);
+
+ cleanup:
+ VIR_FREE(xml);
+ VIR_FREE(args);
+ return result;
+}
+
+
+static int
+mymain(void)
+{
+ int ret = 0;
+
+ abs_top_srcdir = getenv("abs_top_srcdir");
+ if (!abs_top_srcdir)
+ abs_top_srcdir = abs_srcdir "/..";
+
+# define DO_TEST(name) \
+ do { \
+ static struct testInfo info = { \
+ name, \
+ }; \
+ if (virtTestRun("NWFilter XML-2-firewall " name, \
+ testCompareXMLToIPTablesHelper, &info) < 0) \
+ ret = -1; \
+ } while (0)
+
+ if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
+ ret = -1;
+ goto cleanup;
+ }
+
+ DO_TEST("ah");
+ DO_TEST("ah-ipv6");
+ DO_TEST("all");
+ DO_TEST("all-ipv6");
+ DO_TEST("arp");
+ DO_TEST("comment");
+ DO_TEST("conntrack");
+ DO_TEST("esp");
+ DO_TEST("esp-ipv6");
+ DO_TEST("example-1");
+ DO_TEST("example-2");
+ DO_TEST("hex-data");
+ DO_TEST("icmp-direction2");
+ DO_TEST("icmp-direction3");
+ DO_TEST("icmp-direction");
+ DO_TEST("icmp");
+ DO_TEST("icmpv6");
+ DO_TEST("igmp");
+ DO_TEST("ip");
+ DO_TEST("ipset");
+ DO_TEST("ipt-no-macspoof");
+ DO_TEST("ipv6");
+ DO_TEST("iter1");
+ DO_TEST("iter2");
+ DO_TEST("iter3");
+ DO_TEST("mac");
+ DO_TEST("rarp");
+ DO_TEST("sctp");
+ DO_TEST("sctp-ipv6");
+ DO_TEST("stp");
+ DO_TEST("target2");
+ DO_TEST("target");
+ DO_TEST("tcp");
+ DO_TEST("tcp-ipv6");
+ DO_TEST("udp");
+ DO_TEST("udp-ipv6");
+ DO_TEST("udplite");
+ DO_TEST("udplite-ipv6");
+ DO_TEST("vlan");
+
+ cleanup:
+ return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+}
+
+VIRT_TEST_MAIN(mymain)
+
+#else /* ! defined (__linux__) */
+
+int main(void)
+{
+ return EXIT_AM_SKIP;
+}
+
+#endif /* ! defined (__linux__) */
-- 1.9.0 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
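Review bot: In testCompareXMLToArgvFiles the dry-run hook is only disarmed on the success path — `virCommandSetDryRun(NULL, NULL, NULL);` sits after virBufferContentAndReset, so every earlier `goto cleanup` (NULL vars, testSetDefaultParameters, virNWFilterDefToInst, applyNewRules, virBufferError) returns with the global dry-run state still pointing at the stack-local `buf` that cleanup has just freed; move the reset into the cleanup block, `cleanup: virCommandSetDryRun(NULL, NULL, NULL);` ahead of `virBufferFreeAndReset(&buf);`. testSetDefaultParameters checks the first call with `< 0` and the remaining twelve by bare truthiness; both work because testSetOneParameter returns -1 or 0, but `< 0` throughout would read consistently. abs_top_srcdir is assigned in mymain yet nothing in this file reads it — every path is built from abs_srcdir — so it looks like a leftover that could be dropped. virNWFilterIncludeDefToRuleInst recurses through includes with no depth or cycle guard, which is fine for in-tree data but worth a comment such as `/* no cycle detection: test data is assumed to be include-acyclic */`.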