network: add more firewall test cases

This patch adds some previously missing test cases that test for
proper firewall rule creation when the following are included in the
network definition:

* <forward dev='blah'>
* no forward element (an "isolated" network)
* nat port range when only ipv4 is NATed
* nat port range when both ipv4 & ipv6 are NATed

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Laine Stump <laine@redhat.com>
Laine Stump 2024-06-21 08:17:58 -04:00 committed by Daniel P. Berrangé
parent aabf279ca0
commit 397c0f4b01
13 changed files with 1905 additions and 0 deletions


@ -0,0 +1,154 @@
iptables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol tcp \
--destination-port 68 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWO \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--out-interface enp0s7 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWI \
--destination 192.168.122.0/24 \
--in-interface enp0s7 \
--out-interface virbr0 \
--match conntrack \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--out-interface enp0s7 \
--jump MASQUERADE
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
--out-interface enp0s7 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
--out-interface enp0s7 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--out-interface enp0s7 \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--out-interface enp0s7 \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
-w \
--table mangle \
--insert LIBVIRT_PRT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump CHECKSUM \
--checksum-fill


@ -0,0 +1,158 @@
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_output \
iif \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_input \
oif \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_cross \
iif \
virbr0 \
oif \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_output \
ip \
saddr \
192.168.122.0/24 \
iif \
virbr0 \
oifname \
enp0s7 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_input \
iifname \
enp0s7 \
oif \
virbr0 \
ip \
daddr \
192.168.122.0/24 \
ct \
state \
related,established \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
oifname \
enp0s7 \
counter \
masquerade
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
meta \
l4proto \
udp \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
oifname \
enp0s7 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
meta \
l4proto \
tcp \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
oifname \
enp0s7 \
counter \
masquerade \
to \
:1024-65535
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
oifname \
enp0s7 \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
255.255.255.255/32 \
counter \
return
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
oifname \
enp0s7 \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
224.0.0.0/24 \
counter \
return


@ -0,0 +1,10 @@
<network>
<name>default</name>
<bridge name="virbr0"/>
<forward mode='nat' dev='enp0s7'/>
<ip address="192.168.122.1" netmask="255.255.255.0">
<dhcp>
<range start="192.168.122.2" end="192.168.122.254"/>
</dhcp>
</ip>
</network>


@ -0,0 +1,159 @@
iptables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol tcp \
--destination-port 68 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 547 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 546 \
--jump ACCEPT
iptables \
-w \
--table mangle \
--insert LIBVIRT_PRT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump CHECKSUM \
--checksum-fill


@ -0,0 +1,64 @@
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_output \
iif \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_input \
oif \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_cross \
iif \
virbr0 \
oif \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt_network \
guest_output \
iif \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip6 \
libvirt_network \
guest_input \
oif \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip6 \
libvirt_network \
guest_cross \
iif \
virbr0 \
oif \
virbr0 \
counter \
accept


@ -0,0 +1,15 @@
<network>
<name>default</name>
<bridge name="virbr0"/>
<ip address="192.168.122.1" netmask="255.255.255.0">
<dhcp>
<range start="192.168.122.2" end="192.168.122.254"/>
</dhcp>
</ip>
<ip address="192.168.128.1" netmask="255.255.255.0"/>
<ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" >
<dhcp>
<range start="2001:db8:ca2:2:1::10" end="2001:db8:ca2:2:1::ff" />
</dhcp>
</ip>
</network>


@ -0,0 +1,317 @@
iptables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol tcp \
--destination-port 68 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 547 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 546 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWO \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWI \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 500-1000
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 500-1000
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
-w \
--table filter \
--insert LIBVIRT_FWO \
--source 192.168.128.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWI \
--destination 192.168.128.0/24 \
--out-interface virbr0 \
--match conntrack \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.128.0/24 '!' \
--destination 192.168.128.0/24 \
--jump MASQUERADE
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.128.0/24 \
-p udp '!' \
--destination 192.168.128.0/24 \
--jump MASQUERADE \
--to-ports 500-1000
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.128.0/24 \
-p tcp '!' \
--destination 192.168.128.0/24 \
--jump MASQUERADE \
--to-ports 500-1000
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.128.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.128.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
ip6tables \
-w \
--table filter \
--insert LIBVIRT_FWO \
--source 2001:db8:ca2:2::/64 \
--in-interface virbr0 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_FWI \
--destination 2001:db8:ca2:2::/64 \
--out-interface virbr0 \
--match conntrack \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
ip6tables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 2001:db8:ca2:2::/64 '!' \
--destination 2001:db8:ca2:2::/64 \
--jump MASQUERADE
ip6tables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 2001:db8:ca2:2::/64 \
-p udp '!' \
--destination 2001:db8:ca2:2::/64 \
--jump MASQUERADE \
--to-ports 500-1000
ip6tables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 2001:db8:ca2:2::/64 \
-p tcp '!' \
--destination 2001:db8:ca2:2::/64 \
--jump MASQUERADE \
--to-ports 500-1000
ip6tables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 2001:db8:ca2:2::/64 \
--destination ff02::/16 \
--jump RETURN
iptables \
-w \
--table mangle \
--insert LIBVIRT_PRT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump CHECKSUM \
--checksum-fill


@ -0,0 +1,386 @@
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_output \
iif \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_input \
oif \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_cross \
iif \
virbr0 \
oif \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt_network \
guest_output \
iif \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip6 \
libvirt_network \
guest_input \
oif \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip6 \
libvirt_network \
guest_cross \
iif \
virbr0 \
oif \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_output \
ip \
saddr \
192.168.122.0/24 \
iif \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_input \
oif \
virbr0 \
ip \
daddr \
192.168.122.0/24 \
ct \
state \
related,established \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
meta \
l4proto \
udp \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade \
to \
:500-1000
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
meta \
l4proto \
tcp \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade \
to \
:500-1000
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
255.255.255.255/32 \
counter \
return
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
224.0.0.0/24 \
counter \
return
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_output \
ip \
saddr \
192.168.128.0/24 \
iif \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_input \
oif \
virbr0 \
ip \
daddr \
192.168.128.0/24 \
ct \
state \
related,established \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
ip \
saddr \
192.168.128.0/24 \
ip \
daddr \
'!=' \
192.168.128.0/24 \
counter \
masquerade
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
meta \
l4proto \
udp \
ip \
saddr \
192.168.128.0/24 \
ip \
daddr \
'!=' \
192.168.128.0/24 \
counter \
masquerade \
to \
:500-1000
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
meta \
l4proto \
tcp \
ip \
saddr \
192.168.128.0/24 \
ip \
daddr \
'!=' \
192.168.128.0/24 \
counter \
masquerade \
to \
:500-1000
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
ip \
saddr \
192.168.128.0/24 \
ip \
daddr \
255.255.255.255/32 \
counter \
return
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
ip \
saddr \
192.168.128.0/24 \
ip \
daddr \
224.0.0.0/24 \
counter \
return
nft \
-ae insert \
rule \
ip6 \
libvirt_network \
guest_output \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
iif \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt_network \
guest_input \
oif \
virbr0 \
ip6 \
daddr \
2001:db8:ca2:2::/64 \
ct \
state \
related,established \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt_network \
guest_nat \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
ip6 \
daddr \
'!=' \
2001:db8:ca2:2::/64 \
counter \
masquerade
nft \
-ae insert \
rule \
ip6 \
libvirt_network \
guest_nat \
meta \
l4proto \
udp \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
ip6 \
daddr \
'!=' \
2001:db8:ca2:2::/64 \
counter \
masquerade \
to \
:500-1000
nft \
-ae insert \
rule \
ip6 \
libvirt_network \
guest_nat \
meta \
l4proto \
tcp \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
ip6 \
daddr \
'!=' \
2001:db8:ca2:2::/64 \
counter \
masquerade \
to \
:500-1000
nft \
-ae insert \
rule \
ip6 \
libvirt_network \
guest_nat \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
ip6 \
daddr \
ff02::/16 \
counter \
return


@ -0,0 +1,20 @@
<network>
<name>default</name>
<bridge name="virbr0"/>
<forward mode='nat'>
<nat ipv6='yes'>
<port start='500' end='1000'/>
</nat>
</forward>
<ip address="192.168.122.1" netmask="255.255.255.0">
<dhcp>
<range start="192.168.122.2" end="192.168.122.254"/>
</dhcp>
</ip>
<ip address="192.168.128.1" netmask="255.255.255.0"/>
<ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" >
<dhcp>
<range start="2001:db8:ca2:2:1::10" end="2001:db8:ca2:2:1::ff" />
</dhcp>
</ip>
</network>


@ -0,0 +1,283 @@
iptables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 67 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 67 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol tcp \
--destination-port 68 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_FWO \
--in-interface virbr0 \
--jump REJECT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_FWI \
--out-interface virbr0 \
--jump REJECT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_FWX \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_INP \
--in-interface virbr0 \
--protocol udp \
--destination-port 547 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_OUT \
--out-interface virbr0 \
--protocol udp \
--destination-port 546 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWO \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWI \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 500-1000
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 500-1000
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
-w \
--table filter \
--insert LIBVIRT_FWO \
--source 192.168.128.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
-w \
--table filter \
--insert LIBVIRT_FWI \
--destination 192.168.128.0/24 \
--out-interface virbr0 \
--match conntrack \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.128.0/24 '!' \
--destination 192.168.128.0/24 \
--jump MASQUERADE
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.128.0/24 \
-p udp '!' \
--destination 192.168.128.0/24 \
--jump MASQUERADE \
--to-ports 500-1000
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.128.0/24 \
-p tcp '!' \
--destination 192.168.128.0/24 \
--jump MASQUERADE \
--to-ports 500-1000
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.128.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
-w \
--table nat \
--insert LIBVIRT_PRT \
--source 192.168.128.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
ip6tables \
-w \
--table filter \
--insert LIBVIRT_FWO \
--source 2001:db8:ca2:2::/64 \
--in-interface virbr0 \
--jump ACCEPT
ip6tables \
-w \
--table filter \
--insert LIBVIRT_FWI \
--destination 2001:db8:ca2:2::/64 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
-w \
--table mangle \
--insert LIBVIRT_PRT \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump CHECKSUM \
--checksum-fill
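Review bot: The ip6tables LIBVIRT_FWI rule for 2001:db8:ca2:2::/64 near the end of this fixture accepts inbound traffic without the `--match conntrack --ctstate ESTABLISHED,RELATED` qualifier that the IPv4 LIBVIRT_FWI rules for 192.168.122.0/24 and 192.168.128.0/24 carry, and that the ipv6='yes' fixture earlier in this commit applies to the same prefix. This appears to encode that IPv6 is routed rather than NATed when `<nat>` has no `ipv6='yes'`, so the guests' IPv6 addresses stay reachable from outside; the nftables fixture for the same case shows the same in its final `guest_input` ip6 rule. If that is the intended contract, a one-line remark next to the `DO_TEST("nat-port-range")` entry in the test list, such as `/* ipv6 is routed, not NATed, when <nat> lacks ipv6='yes' */`, would stop a reader from taking the missing conntrack match for a regression when comparing the two port-range fixtures.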


@ -0,0 +1,314 @@
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_output \
iif \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_input \
oif \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_cross \
iif \
virbr0 \
oif \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt_network \
guest_output \
iif \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip6 \
libvirt_network \
guest_input \
oif \
virbr0 \
counter \
reject
nft \
-ae insert \
rule \
ip6 \
libvirt_network \
guest_cross \
iif \
virbr0 \
oif \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_output \
ip \
saddr \
192.168.122.0/24 \
iif \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_input \
oif \
virbr0 \
ip \
daddr \
192.168.122.0/24 \
ct \
state \
related,established \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
meta \
l4proto \
udp \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade \
to \
:500-1000
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
meta \
l4proto \
tcp \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
'!=' \
192.168.122.0/24 \
counter \
masquerade \
to \
:500-1000
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
255.255.255.255/32 \
counter \
return
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
ip \
saddr \
192.168.122.0/24 \
ip \
daddr \
224.0.0.0/24 \
counter \
return
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_output \
ip \
saddr \
192.168.128.0/24 \
iif \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_input \
oif \
virbr0 \
ip \
daddr \
192.168.128.0/24 \
ct \
state \
related,established \
counter \
accept
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
ip \
saddr \
192.168.128.0/24 \
ip \
daddr \
'!=' \
192.168.128.0/24 \
counter \
masquerade
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
meta \
l4proto \
udp \
ip \
saddr \
192.168.128.0/24 \
ip \
daddr \
'!=' \
192.168.128.0/24 \
counter \
masquerade \
to \
:500-1000
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
meta \
l4proto \
tcp \
ip \
saddr \
192.168.128.0/24 \
ip \
daddr \
'!=' \
192.168.128.0/24 \
counter \
masquerade \
to \
:500-1000
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
ip \
saddr \
192.168.128.0/24 \
ip \
daddr \
255.255.255.255/32 \
counter \
return
nft \
-ae insert \
rule \
ip \
libvirt_network \
guest_nat \
ip \
saddr \
192.168.128.0/24 \
ip \
daddr \
224.0.0.0/24 \
counter \
return
nft \
-ae insert \
rule \
ip6 \
libvirt_network \
guest_output \
ip6 \
saddr \
2001:db8:ca2:2::/64 \
iif \
virbr0 \
counter \
accept
nft \
-ae insert \
rule \
ip6 \
libvirt_network \
guest_input \
ip6 \
daddr \
2001:db8:ca2:2::/64 \
oif \
virbr0 \
counter \
accept


@ -0,0 +1,20 @@
<network>
<name>default</name>
<bridge name="virbr0"/>
<forward mode='nat'>
<nat>
<port start='500' end='1000'/>
</nat>
</forward>
<ip address="192.168.122.1" netmask="255.255.255.0">
<dhcp>
<range start="192.168.122.2" end="192.168.122.254"/>
</dhcp>
</ip>
<ip address="192.168.128.1" netmask="255.255.255.0"/>
<ip family="ipv6" address="2001:db8:ca2:2::1" prefix="64" >
<dhcp>
<range start="2001:db8:ca2:2:1::10" end="2001:db8:ca2:2:1::ff" />
</dhcp>
</ip>
</network>


@ -198,6 +198,11 @@ mymain(void)
DO_TEST("nat-ipv6"); DO_TEST("nat-ipv6");
DO_TEST("nat-ipv6-masquerade"); DO_TEST("nat-ipv6-masquerade");
DO_TEST("route-default"); DO_TEST("route-default");
DO_TEST("forward-dev");
DO_TEST("isolated");
DO_TEST("forward-dev");
DO_TEST("nat-port-range");
DO_TEST("nat-port-range-ipv6");
return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE; return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
} }
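Review bot: `DO_TEST("forward-dev");` is added twice in this hunk (the first and third of the five new lines), so the same fixture is run twice and the list no longer reads as one entry per test case. Drop one of them, leaving `DO_TEST("isolated");`, `DO_TEST("forward-dev");`, `DO_TEST("nat-port-range");`, `DO_TEST("nat-port-range-ipv6");` as the four new entries, which also matches the four cases the commit message lists. The enclosing mymain() starts outside the hunk.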