Add test for converting network XML to iptables rules

Using the virCommand dry run capability, capture iptables rules
created by various network XML documents.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

tests/Makefile.am

@@ -91,6 +91,7 @@ EXTRA_DIST =		\
 	networkxml2confdata \
 	networkxml2xmlupdatein \
 	networkxml2xmlupdateout \
+	networkxml2firewalldata \
 	nodedevschemadata \
 	nodedevschematest \
 	nodeinfodata     \
@@ -253,10 +254,16 @@ if WITH_YAJL
 test_programs += jsontest
 endif WITH_YAJL
 
-test_programs += networkxml2xmltest networkxml2xmlupdatetest
+test_programs += \
+		networkxml2xmltest \
+		networkxml2xmlupdatetest \
+		$(NULL)
 
 if WITH_NETWORK
-test_programs += networkxml2conftest
+test_programs += \
+		networkxml2conftest \
+		networkxml2firewalltest \
+		$(NULL)
 endif WITH_NETWORK
 
 if WITH_STORAGE_SHEEPDOG
@@ -664,6 +671,12 @@ networkxml2conftest_SOURCES = \
 	networkxml2conftest.c \
 	testutils.c testutils.h
 networkxml2conftest_LDADD = ../src/libvirt_driver_network_impl.la $(LDADDS)
+
+networkxml2firewalltest_SOURCES = \
+	networkxml2firewalltest.c \
+	testutils.c testutils.h
+networkxml2firewalltest_LDADD = ../src/libvirt_driver_network_impl.la $(LDADDS)
+
 else ! WITH_NETWORK
 EXTRA_DIST += networkxml2conftest.c
 endif !	WITH_NETWORK

tests/networkxml2firewalldata/nat-default-linux.args

@@ -0,0 +1,30 @@
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \
+--destination-port 68 --jump ACCEPT
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 --jump MASQUERADE
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill

tests/networkxml2firewalldata/nat-default.xml

@@ -0,0 +1,10 @@
+<network>
+  <name>default</name>
+  <bridge name="virbr0"/>
+  <forward/>
+  <ip address="192.168.122.1" netmask="255.255.255.0">
+    <dhcp>
+      <range start="192.168.122.2" end="192.168.122.254"/>
+    </dhcp>
+  </ip>
+</network>

tests/networkxml2firewalldata/nat-ipv6-linux.args

@@ -0,0 +1,44 @@
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \
+--destination-port 68 --jump ACCEPT
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+ip6tables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+ip6tables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+ip6tables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 547 --jump ACCEPT
+iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 --jump MASQUERADE
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+ip6tables --table filter --insert FORWARD --source 2001:db8:ca2:2::/64 \
+--in-interface virbr0 --jump ACCEPT
+ip6tables --table filter --insert FORWARD --destination 2001:db8:ca2:2::/64 \
+--out-interface virbr0 --jump ACCEPT
+iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill

tests/networkxml2firewalldata/nat-ipv6.xml

@@ -0,0 +1,15 @@
+<network>
+  <name>default</name>
+  <bridge name="virbr0"/>
+  <forward/>
+  <ip address="192.168.122.1" netmask="255.255.255.0">
+    <dhcp>
+      <range start="192.168.122.2" end="192.168.122.254"/>
+    </dhcp>
+  </ip>
+  <ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" >
+    <dhcp>
+      <range start="2001:db8:ca2:2:1::10" end="2001:db8:ca2:2:1::ff" />
+    </dhcp>
+  </ip>
+</network>

tests/networkxml2firewalldata/nat-many-ips-linux.args

@@ -0,0 +1,58 @@
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \
+--destination-port 68 --jump ACCEPT
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 --jump MASQUERADE
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+iptables --table filter --insert FORWARD --source 192.168.128.0/24 \
+--in-interface virbr0 --jump ACCEPT
+iptables --table filter --insert FORWARD --destination 192.168.128.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 '!' \
+--destination 192.168.128.0/24 --jump MASQUERADE
+iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \
+-p udp '!' --destination 192.168.128.0/24 --jump MASQUERADE --to-ports 1024-65535
+iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \
+-p tcp '!' --destination 192.168.128.0/24 --jump MASQUERADE --to-ports 1024-65535
+iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+iptables --table filter --insert FORWARD --source 192.168.150.0/24 \
+--in-interface virbr0 --jump ACCEPT
+iptables --table filter --insert FORWARD --destination 192.168.150.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 '!' \
+--destination 192.168.150.0/24 --jump MASQUERADE
+iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \
+-p udp '!' --destination 192.168.150.0/24 --jump MASQUERADE --to-ports 1024-65535
+iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \
+-p tcp '!' --destination 192.168.150.0/24 --jump MASQUERADE --to-ports 1024-65535
+iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill

tests/networkxml2firewalldata/nat-many-ips.xml

@@ -0,0 +1,12 @@
+<network>
+  <name>default</name>
+  <bridge name="virbr0"/>
+  <forward/>
+  <ip address="192.168.122.1" netmask="255.255.255.0">
+    <dhcp>
+      <range start="192.168.122.2" end="192.168.122.254"/>
+    </dhcp>
+  </ip>
+  <ip address="192.168.128.1" netmask="255.255.255.0"/>
+  <ip address="192.168.150.1" netmask="255.255.255.0"/>
+</network>

tests/networkxml2firewalldata/nat-no-dhcp-linux.args

@@ -0,0 +1,42 @@
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \
+--destination-port 68 --jump ACCEPT
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+ip6tables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+ip6tables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+ip6tables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 547 --jump ACCEPT
+iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 --jump MASQUERADE
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+ip6tables --table filter --insert FORWARD --source 2001:db8:ca2:2::/64 \
+--in-interface virbr0 --jump ACCEPT
+ip6tables --table filter --insert FORWARD --destination 2001:db8:ca2:2::/64 \
+--out-interface virbr0 --jump ACCEPT

tests/networkxml2firewalldata/nat-no-dhcp.xml

@@ -0,0 +1,7 @@
+<network>
+  <name>default</name>
+  <bridge name="virbr0"/>
+  <forward/>
+  <ip address="192.168.122.1" netmask="255.255.255.0"/>
+  <ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64"/>
+</network>

tests/networkxml2firewalldata/nat-tftp-linux.args

@@ -0,0 +1,32 @@
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \
+--destination-port 68 --jump ACCEPT
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 69 --jump ACCEPT
+iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \
+--destination 192.168.122.0/24 --jump MASQUERADE
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 255.255.255.255/32 --jump RETURN
+iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \
+--destination 224.0.0.0/24 --jump RETURN
+iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill

tests/networkxml2firewalldata/nat-tftp.xml

@@ -0,0 +1,11 @@
+<network>
+  <name>default</name>
+  <bridge name="virbr0"/>
+  <forward/>
+  <ip address="192.168.122.1" netmask="255.255.255.0">
+    <tftp root='/some/dir'/>
+    <dhcp>
+      <range start="192.168.122.2" end="192.168.122.254"/>
+    </dhcp>
+  </ip>
+</network>

tests/networkxml2firewalldata/route-default-linux.args

@@ -0,0 +1,20 @@
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 67 --jump ACCEPT
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 67 --jump ACCEPT
+iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \
+--destination-port 68 --jump ACCEPT
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \
+--destination-port 53 --jump ACCEPT
+iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \
+--destination-port 53 --jump ACCEPT
+iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+iptables --table filter --insert FORWARD --in-interface virbr0 \
+--out-interface virbr0 --jump ACCEPT
+iptables --table filter --insert FORWARD --source 192.168.122.0/24 \
+--in-interface virbr0 --jump ACCEPT
+iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \
+--out-interface virbr0 --jump ACCEPT
+iptables --table mangle --insert POSTROUTING --out-interface virbr0 \
+--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill

tests/networkxml2firewalldata/route-default.xml

@@ -0,0 +1,10 @@
+<network>
+  <name>default</name>
+  <bridge name="virbr0"/>
+  <forward mode='route'/>
+  <ip address="192.168.122.1" netmask="255.255.255.0">
+    <dhcp>
+      <range start="192.168.122.2" end="192.168.122.254"/>
+    </dhcp>
+  </ip>
+</network>

tests/networkxml2firewalltest.c

@@ -0,0 +1,163 @@
+/*
+ * networkxml2firewalltest.c: Test iptables rule generation
+ *
+ * Copyright (C) 2014 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <config.h>
+
+#if defined (__linux__)
+
+# include "testutils.h"
+# include "network/bridge_driver_platform.h"
+# include "virbuffer.h"
+
+# define __VIR_FIREWALL_PRIV_H_ALLOW__
+# include "virfirewallpriv.h"
+
+# define __VIR_COMMAND_PRIV_H_ALLOW__
+# include "vircommandpriv.h"
+
+# define VIR_FROM_THIS VIR_FROM_NONE
+
+static const char *abs_top_srcdir;
+
+# ifdef __linux__
+#  define RULESTYPE "linux"
+# else
+#  error "test case not ported to this platform"
+# endif
+
+static int testCompareXMLToArgvFiles(const char *xml,
+                                     const char *cmdline)
+{
+    char *expectargv = NULL;
+    int len;
+    char *actualargv = NULL;
+    virBuffer buf = VIR_BUFFER_INITIALIZER;
+    virNetworkDefPtr def = NULL;
+    int ret = -1;
+
+    virCommandSetDryRun(&buf, NULL, NULL);
+
+    if (!(def = virNetworkDefParseFile(xml)))
+        goto cleanup;
+
+    if (networkAddFirewallRules(def) < 0)
+        goto cleanup;
+
+    if (virBufferError(&buf))
+        goto cleanup;
+
+    actualargv = virBufferContentAndReset(&buf);
+    virtTestClearCommandPath(actualargv);
+    virCommandSetDryRun(NULL, NULL, NULL);
+
+    len = virtTestLoadFile(cmdline, &expectargv);
+    if (len < 0)
+        goto cleanup;
+
+    if (STRNEQ(expectargv, actualargv)) {
+        virtTestDifference(stderr, expectargv, actualargv);
+        goto cleanup;
+    }
+
+    ret = 0;
+
+ cleanup:
+    virBufferFreeAndReset(&buf);
+    VIR_FREE(expectargv);
+    VIR_FREE(actualargv);
+    virNetworkDefFree(def);
+    return ret;
+}
+
+struct testInfo {
+    const char *name;
+};
+
+
+static int
+testCompareXMLToIPTablesHelper(const void *data)
+{
+    int result = -1;
+    const struct testInfo *info = data;
+    char *xml = NULL;
+    char *args = NULL;
+
+    if (virAsprintf(&xml, "%s/networkxml2firewalldata/%s.xml",
+                    abs_srcdir, info->name) < 0 ||
+        virAsprintf(&args, "%s/networkxml2firewalldata/%s-%s.args",
+                    abs_srcdir, info->name, RULESTYPE) < 0)
+        goto cleanup;
+
+    result = testCompareXMLToArgvFiles(xml, args);
+
+ cleanup:
+    VIR_FREE(xml);
+    VIR_FREE(args);
+    return result;
+}
+
+
+static int
+mymain(void)
+{
+    int ret = 0;
+
+    abs_top_srcdir = getenv("abs_top_srcdir");
+    if (!abs_top_srcdir)
+        abs_top_srcdir = abs_srcdir "/..";
+
+# define DO_TEST(name)                                                  \
+    do {                                                                \
+        static struct testInfo info = {                                 \
+            name,                                                       \
+        };                                                              \
+        if (virtTestRun("Network XML-2-iptables " name,                 \
+                        testCompareXMLToIPTablesHelper, &info) < 0)     \
+            ret = -1;                                                   \
+    } while (0)
+
+    if (virFirewallSetBackend(VIR_FIREWALL_BACKEND_DIRECT) < 0) {
+        ret = -1;
+        goto cleanup;
+    }
+
+    DO_TEST("nat-default");
+    DO_TEST("nat-tftp");
+    DO_TEST("nat-many-ips");
+    DO_TEST("nat-no-dhcp");
+    DO_TEST("nat-ipv6");
+    DO_TEST("route-default");
+    DO_TEST("route-default");
+
+ cleanup:
+    return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
+}
+
+VIRT_TEST_MAIN(mymain)
+
+#else /* ! defined (__linux__) */
+
+int main(void)
+{
+    return EXIT_AM_SKIP;
+}
+
+#endif /* ! defined (__linux__) */

tests/testutils.c

@@ -855,6 +855,57 @@ int virtTestClearLineRegex(const char *pattern,
 }
 
 
+/*
+ * @cmdset contains a list of command line args, eg
+ *
+ * "/usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT
+ *  /usr/sbin/iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT
+ *  /usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+ *  /usr/sbin/iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+ *  /usr/sbin/iptables --table filter --insert FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT"
+ *
+ * And we're munging it in-place to strip the path component
+ * of the command line, to produce
+ *
+ * "iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT
+ *  iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT
+ *  iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT
+ *  iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT
+ *  iptables --table filter --insert FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT"
+ */
+void virtTestClearCommandPath(char *cmdset)
+{
+    size_t offset = 0;
+    char *lineStart = cmdset;
+    char *lineEnd = strchr(lineStart, '\n');
+
+    while (lineStart) {
+        char *dirsep;
+        char *movestart;
+        size_t movelen;
+        dirsep = strchr(lineStart, ' ');
+        if (dirsep) {
+            while (dirsep > lineStart && *dirsep != '/')
+                dirsep--;
+            if (*dirsep == '/')
+                dirsep++;
+            movestart = dirsep;
+        } else {
+            movestart = lineStart;
+        }
+        movelen = lineEnd ? lineEnd - movestart : strlen(movestart);
+
+        if (movelen) {
+            memmove(cmdset + offset, movestart, movelen + 1);
+            offset += movelen + 1;
+        }
+        lineStart = lineEnd ? lineEnd + 1 : NULL;
+        lineEnd = lineStart ? strchr(lineStart, '\n') : NULL;
+    }
+    cmdset[offset] = '\0';
+}
+
+
 virCapsPtr virTestGenericCapsInit(void)
 {
     virCapsPtr caps;

tests/testutils.h

@@ -59,6 +59,8 @@ int virtTestCaptureProgramOutput(const char *const argv[], char **buf, int maxle
 int virtTestClearLineRegex(const char *pattern,
                            char *string);
 
+void virtTestClearCommandPath(char *cmdset);
+
 int virtTestDifference(FILE *stream,
                        const char *expect,
                        const char *actual);