tests: redo test argv file line wrapping

Back in

  commit bd6c46fa0cfe275c24debc1152cfc5206c04b59b
  Author: Juerg Haefliger <juerg.haefliger@hp.com>
  Date:   Mon Jan 31 06:42:57 2011 -0500

    tests: handle backspace-newline pairs in test input files

all the test argv files were line wrapped so that the args
were less than 80 characters.

The way the line wrapping was done turns out to be quite
undesirable, because it often leaves multiple parameters
on the same line. If we later need to add or remove
individual parameters, then it leaves us having to redo
line wrapping.

This commit changes the line wrapping so that every
single "-param value" is on its own new line. If the
"value" is still too long, then we break on ',' or ':'
or ' ' as needed.

This means that when we come to add / remove parameters
from the test files line, the patch diffs will only
ever show a single line added/removed which will greatly
simplify review work.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Daniel P. Berrange 2015-11-06 13:20:06 +00:00
parent edc88e2084
commit 8afd34f2d8
531 changed files with 15361 additions and 3944 deletions

16
cfg.mk

@ -1068,7 +1068,7 @@ _autogen:
# regenerate HACKING as part of the syntax-check # regenerate HACKING as part of the syntax-check
ifneq ($(_gl-Makefile),) ifneq ($(_gl-Makefile),)
syntax-check: $(top_srcdir)/HACKING bracket-spacing-check syntax-check: $(top_srcdir)/HACKING bracket-spacing-check test-wrap-argv
endif endif
bracket-spacing-check: bracket-spacing-check:
@ -1077,6 +1077,20 @@ bracket-spacing-check:
{ echo '$(ME): incorrect formatting, see HACKING for rules' 1>&2; \ { echo '$(ME): incorrect formatting, see HACKING for rules' 1>&2; \
exit 1; } exit 1; }
test-wrap-argv:
$(AM_V_GEN)files=`$(VC_LIST) | grep -E '\.(ldargs|args)'`; \
for file in $$files ; \
do \
$(PERL) $(top_srcdir)/tests/test-wrap-argv.pl $$file > $${file}-t ; \
diff $$file $${file}-t; \
res=$$? ; \
rm $${file}-t ; \
test $$res == 0 || { \
echo "$(ME): Incorrect line wrapping in $$file." 1>&2; \
echo "$(ME): Use test-wrap-argv.pl to wrap test data files" 1>&2; \
exit 1; } \
done
# sc_po_check can fail if generated files are not built first # sc_po_check can fail if generated files are not built first
sc_po_check: \ sc_po_check: \
$(srcdir)/daemon/remote_dispatch.h \ $(srcdir)/daemon/remote_dispatch.h \
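Review bot: In the new `test-wrap-argv` recipe, `test $$res == 0` relies on `==`, which POSIX `test` does not define; where the recipe runs under a `/bin/sh` that is dash (make's default shell unless `SHELL` is overridden, which is not visible here), the comparison errors out and every file is reported as wrongly wrapped. `test $$res = 0 || { \` is the portable form. The file filter `grep -E '\.(ldargs|args)'` is also unanchored, so any tracked path that merely contains `.args` is rewrapped and diffed; `grep -E '\.(ldargs|args)$$'` limits it to the two suffixes. The exit status of the `$(PERL)` run is not checked and `$$file` is unquoted, so a failed script run shows up only as a diff, and a tracked path containing whitespace would be split by the `for` loop.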


@ -1,3 +1,11 @@
/usr/sbin/bhyve -c 1 -m 214 -A -I -u -H -P -s 0:0,hostbridge \ /usr/sbin/bhyve \
-c 1 \
-m 214 \
-A \
-I \
-u \
-H \
-P \
-s 0:0,hostbridge \
-s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \ -s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \
-s 2:0,ahci-hd,/tmp/freebsd.img bhyve -s 2:0,ahci-hd,/tmp/freebsd.img bhyve


@ -1 +1,3 @@
/usr/sbin/bhyveload -m 214 -d /tmp/freebsd.img bhyve /usr/sbin/bhyveload \
-m 214 \
-d /tmp/freebsd.img bhyve


@ -1,3 +1,9 @@
/usr/sbin/bhyve -c 1 -m 214 -u -H -P -s 0:0,hostbridge \ /usr/sbin/bhyve \
-c 1 \
-m 214 \
-u \
-H \
-P \
-s 0:0,hostbridge \
-s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \ -s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \
-s 2:0,ahci-hd,/tmp/freebsd.img bhyve -s 2:0,ahci-hd,/tmp/freebsd.img bhyve


@ -1 +1,3 @@
/usr/sbin/bhyveload -m 214 -d /tmp/freebsd.img bhyve /usr/sbin/bhyveload \
-m 214 \
-d /tmp/freebsd.img bhyve


@ -1,3 +1,9 @@
/usr/sbin/bhyve -c 1 -m 214 -u -H -P -s 0:0,hostbridge \ /usr/sbin/bhyve \
-c 1 \
-m 214 \
-u \
-H \
-P \
-s 0:0,hostbridge \
-s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \ -s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \
-s 2:0,ahci-hd,/tmp/freebsd.img bhyve -s 2:0,ahci-hd,/tmp/freebsd.img bhyve


@ -1 +1,4 @@
/usr/sbin/bhyveload -X -Y -Z /usr/sbin/bhyveload \
-X \
-Y \
-Z


@ -1,4 +1,11 @@
/usr/sbin/bhyve -c 1 -m 214 -u -H -P -s 0:0,hostbridge \ /usr/sbin/bhyve \
-c 1 \
-m 214 \
-u \
-H \
-P \
-s 0:0,hostbridge \
-s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \ -s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \
-s 2:0,ahci-hd,/tmp/freebsd.img \ -s 2:0,ahci-hd,/tmp/freebsd.img \
-s 1,lpc -l com1,/dev/nmdm0A bhyve -s 1,lpc \
-l com1,/dev/nmdm0A bhyve


@ -1 +1,3 @@
/usr/sbin/bhyveload -m 214 -d /tmp/freebsd.img bhyve /usr/sbin/bhyveload \
-m 214 \
-d /tmp/freebsd.img bhyve


@ -1,3 +1,9 @@
/usr/sbin/bhyve -c 1 -m 214 -u -H -P -s 0:0,hostbridge \ /usr/sbin/bhyve \
-c 1 \
-m 214 \
-u \
-H \
-P \
-s 0:0,hostbridge \
-s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \ -s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \
-s 2:0,ahci-hd,/tmp/freebsd.img bhyve -s 2:0,ahci-hd,/tmp/freebsd.img bhyve


@ -1 +1,4 @@
/fizz_buzz_bazz -X -Y -Z /fizz_buzz_bazz \
-X \
-Y \
-Z


@ -1,3 +1,9 @@
/usr/sbin/bhyve -c 1 -m 214 -u -H -P -s 0:0,hostbridge \ /usr/sbin/bhyve \
-c 1 \
-m 214 \
-u \
-H \
-P \
-s 0:0,hostbridge \
-s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \ -s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \
-s 2:0,ahci-cd,/tmp/cdrom.iso bhyve -s 2:0,ahci-cd,/tmp/cdrom.iso bhyve


@ -1,2 +1,4 @@
/usr/local/sbin/grub-bhyve --root cd --device-map '<device.map>' --memory 214 \ /usr/local/sbin/grub-bhyve \
bhyve --root cd \
--device-map '<device.map>' \
--memory 214 bhyve


@ -1,3 +1,9 @@
/usr/sbin/bhyve -c 1 -m 214 -u -H -P -s 0:0,hostbridge \ /usr/sbin/bhyve \
-c 1 \
-m 214 \
-u \
-H \
-P \
-s 0:0,hostbridge \
-s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \ -s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \
-s 2:0,ahci-cd,/tmp/cdrom.iso bhyve -s 2:0,ahci-cd,/tmp/cdrom.iso bhyve


@ -1 +1,3 @@
/usr/sbin/bhyveload -m 214 -d /tmp/cdrom.iso bhyve /usr/sbin/bhyveload \
-m 214 \
-d /tmp/cdrom.iso bhyve


@ -1,3 +1,9 @@
/usr/sbin/bhyve -c 1 -m 214 -u -H -P -s 0:0,hostbridge \ /usr/sbin/bhyve \
-c 1 \
-m 214 \
-u \
-H \
-P \
-s 0:0,hostbridge \
-s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \ -s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \
-s 2:0,virtio-blk,/tmp/freebsd.img bhyve -s 2:0,virtio-blk,/tmp/freebsd.img bhyve


@ -1 +1,3 @@
/usr/sbin/bhyveload -m 214 -d /tmp/freebsd.img bhyve /usr/sbin/bhyveload \
-m 214 \
-d /tmp/freebsd.img bhyve


@ -1,6 +1,11 @@
/usr/sbin/bhyve -c 1 -m 214 -u -H -P -s 0:0,hostbridge \ /usr/sbin/bhyve \
-c 1 \
-m 214 \
-u \
-H \
-P \
-s 0:0,hostbridge \
-s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \ -s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \
-s 2:0,ahci-hd,/tmp/freebsd1.img \ -s 2:0,ahci-hd,/tmp/freebsd1.img \
-s 2:0,ahci-hd,/tmp/freebsd2.img \ -s 2:0,ahci-hd,/tmp/freebsd2.img \
-s 2:0,ahci-hd,/tmp/freebsd3.img \ -s 2:0,ahci-hd,/tmp/freebsd3.img bhyve
bhyve


@ -1,2 +1,4 @@
/usr/local/sbin/grub-bhyve --root hd0,msdos1 --device-map '<device.map>' \ /usr/local/sbin/grub-bhyve \
--root hd0,msdos1 \
--device-map '<device.map>' \
--memory 214 bhyve --memory 214 bhyve


@ -1,6 +1,11 @@
/usr/sbin/bhyve -c 1 -m 214 -u -H -P -s 0:0,hostbridge \ /usr/sbin/bhyve \
-c 1 \
-m 214 \
-u \
-H \
-P \
-s 0:0,hostbridge \
-s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \ -s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \
-s 2:0,ahci-hd,/tmp/freebsd1.img \ -s 2:0,ahci-hd,/tmp/freebsd1.img \
-s 2:0,ahci-hd,/tmp/freebsd2.img \ -s 2:0,ahci-hd,/tmp/freebsd2.img \
-s 2:0,ahci-hd,/tmp/freebsd3.img \ -s 2:0,ahci-hd,/tmp/freebsd3.img bhyve
bhyve


@ -1,2 +1,4 @@
/usr/local/sbin/grub-bhyve --root hd0,msdos1 --device-map '<device.map>' \ /usr/local/sbin/grub-bhyve \
--root hd0,msdos1 \
--device-map '<device.map>' \
--memory 214 bhyve --memory 214 bhyve


@ -1,3 +1,9 @@
/usr/sbin/bhyve -c 1 -m 214 -u -H -P -s 0:0,hostbridge \ /usr/sbin/bhyve \
-c 1 \
-m 214 \
-u \
-H \
-P \
-s 0:0,hostbridge \
-s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \ -s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \
-s 2:0,ahci-hd,/tmp/freebsd.img bhyve -s 2:0,ahci-hd,/tmp/freebsd.img bhyve


@ -1,2 +1,4 @@
/usr/local/sbin/grub-bhyve --root hd0,msdos1 --device-map '<device.map>' \ /usr/local/sbin/grub-bhyve \
--root hd0,msdos1 \
--device-map '<device.map>' \
--memory 214 bhyve --memory 214 bhyve


@ -1,3 +1,8 @@
/usr/sbin/bhyve -c 1 -m 214 -H -P -s 0:0,hostbridge \ /usr/sbin/bhyve \
-c 1 \
-m 214 \
-H \
-P \
-s 0:0,hostbridge \
-s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \ -s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \
-s 2:0,ahci-hd,/tmp/freebsd.img bhyve -s 2:0,ahci-hd,/tmp/freebsd.img bhyve


@ -1 +1,3 @@
/usr/sbin/bhyveload -m 214 -d /tmp/freebsd.img bhyve /usr/sbin/bhyveload \
-m 214 \
-d /tmp/freebsd.img bhyve


@ -1,3 +1,9 @@
/usr/sbin/bhyve -c 1 -m 214 -u -H -P -s 0:0,hostbridge \ /usr/sbin/bhyve \
-c 1 \
-m 214 \
-u \
-H \
-P \
-s 0:0,hostbridge \
-s 3:0,virtio-net,faketapdev,mac=52:54:00:22:ee:11 \ -s 3:0,virtio-net,faketapdev,mac=52:54:00:22:ee:11 \
-s 2:0,ahci-hd,/tmp/freebsd.img bhyve -s 2:0,ahci-hd,/tmp/freebsd.img bhyve


@ -1 +1,3 @@
/usr/sbin/bhyveload -m 214 -d /tmp/freebsd.img bhyve /usr/sbin/bhyveload \
-m 214 \
-d /tmp/freebsd.img bhyve


@ -1,4 +1,11 @@
/usr/sbin/bhyve -c 1 -m 214 -u -H -P -s 0:0,hostbridge \ /usr/sbin/bhyve \
-c 1 \
-m 214 \
-u \
-H \
-P \
-s 0:0,hostbridge \
-s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \ -s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \
-s 2:0,ahci-hd,/tmp/freebsd.img \ -s 2:0,ahci-hd,/tmp/freebsd.img \
-s 1,lpc -l com1,/dev/nmdm0A bhyve -s 1,lpc \
-l com1,/dev/nmdm0A bhyve


@ -1,2 +1,4 @@
/usr/local/sbin/grub-bhyve --root hd0,msdos1 --device-map '<device.map>' \ /usr/local/sbin/grub-bhyve \
--root hd0,msdos1 \
--device-map '<device.map>' \
--memory 214 bhyve --memory 214 bhyve


@ -1,4 +1,11 @@
/usr/sbin/bhyve -c 1 -m 214 -u -H -P -s 0:0,hostbridge \ /usr/sbin/bhyve \
-c 1 \
-m 214 \
-u \
-H \
-P \
-s 0:0,hostbridge \
-s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \ -s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \
-s 2:0,ahci-hd,/tmp/freebsd.img \ -s 2:0,ahci-hd,/tmp/freebsd.img \
-s 1,lpc -l com1,/dev/nmdm0A bhyve -s 1,lpc \
-l com1,/dev/nmdm0A bhyve


@ -1,2 +1,5 @@
/usr/local/sbin/grub-bhyve --root hd0,msdos1 --device-map '<device.map>' \ /usr/local/sbin/grub-bhyve \
--memory 214 --cons-dev /dev/nmdm0A bhyve --root hd0,msdos1 \
--device-map '<device.map>' \
--memory 214 \
--cons-dev /dev/nmdm0A bhyve


@ -1,4 +1,11 @@
/usr/sbin/bhyve -c 1 -m 214 -u -H -P -s 0:0,hostbridge \ /usr/sbin/bhyve \
-c 1 \
-m 214 \
-u \
-H \
-P \
-s 0:0,hostbridge \
-s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \ -s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \
-s 2:0,ahci-hd,/tmp/freebsd.img \ -s 2:0,ahci-hd,/tmp/freebsd.img \
-s 1,lpc -l com1,/dev/nmdm0A bhyve -s 1,lpc \
-l com1,/dev/nmdm0A bhyve


@ -1 +1,3 @@
/usr/sbin/bhyveload -m 214 -d /tmp/freebsd.img bhyve /usr/sbin/bhyveload \
-m 214 \
-d /tmp/freebsd.img bhyve


@ -1,30 +1,107 @@
iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ iptables \
--destination-port 67 --jump ACCEPT --table filter \
iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ --insert INPUT \
--destination-port 67 --jump ACCEPT --in-interface virbr0 \
iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \ --protocol tcp \
--destination-port 68 --jump ACCEPT --destination-port 67 \
iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ --jump ACCEPT
--destination-port 53 --jump ACCEPT iptables \
iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ --table filter \
--destination-port 53 --jump ACCEPT --insert INPUT \
iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT --in-interface virbr0 \
iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT --protocol udp \
iptables --table filter --insert FORWARD --in-interface virbr0 \ --destination-port 67 \
--out-interface virbr0 --jump ACCEPT --jump ACCEPT
iptables --table filter --insert FORWARD --source 192.168.122.0/24 \ iptables \
--in-interface virbr0 --jump ACCEPT --table filter \
iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \ --insert OUTPUT \
--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT --out-interface virbr0 \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \ --protocol udp \
--destination 192.168.122.0/24 --jump MASQUERADE --destination-port 68 \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ --jump ACCEPT
-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 iptables \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ --table filter \
-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 --insert INPUT \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ --in-interface virbr0 \
--destination 255.255.255.255/32 --jump RETURN --protocol tcp \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ --destination-port 53 \
--destination 224.0.0.0/24 --jump RETURN --jump ACCEPT
iptables --table mangle --insert POSTROUTING --out-interface virbr0 \ iptables \
--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill --table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
--insert FORWARD \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
--insert FORWARD \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
--insert FORWARD \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
--insert FORWARD \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
--insert FORWARD \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table mangle \
--insert POSTROUTING \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump CHECKSUM \
--checksum-fill
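Review bot: The new wrapping leaves the negation `'!'` at the end of the line before the option it negates, e.g. `--source 192.168.122.0/24 '!' \` and `-p udp '!' \` followed by `--destination 192.168.122.0/24 \`, so a reader scanning one option per line can take the rule to negate the source or the protocol. Keeping the operator with its operand, `'!' --destination 192.168.122.0/24 \`, would keep each line self-contained; this presumably needs a rule in test-wrap-argv.pl, which is not shown here. The same layout appears in the nat POSTROUTING rules of the following iptables sections.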


@ -1,44 +1,156 @@
iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ iptables \
--destination-port 67 --jump ACCEPT --table filter \
iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ --insert INPUT \
--destination-port 67 --jump ACCEPT --in-interface virbr0 \
iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \ --protocol tcp \
--destination-port 68 --jump ACCEPT --destination-port 67 \
iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ --jump ACCEPT
--destination-port 53 --jump ACCEPT iptables \
iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ --table filter \
--destination-port 53 --jump ACCEPT --insert INPUT \
iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT --in-interface virbr0 \
iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT --protocol udp \
iptables --table filter --insert FORWARD --in-interface virbr0 \ --destination-port 67 \
--out-interface virbr0 --jump ACCEPT --jump ACCEPT
ip6tables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT iptables \
ip6tables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT --table filter \
ip6tables --table filter --insert FORWARD --in-interface virbr0 \ --insert OUTPUT \
--out-interface virbr0 --jump ACCEPT --out-interface virbr0 \
ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ --protocol udp \
--destination-port 53 --jump ACCEPT --destination-port 68 \
ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ --jump ACCEPT
--destination-port 53 --jump ACCEPT iptables \
ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ --table filter \
--destination-port 547 --jump ACCEPT --insert INPUT \
iptables --table filter --insert FORWARD --source 192.168.122.0/24 \ --in-interface virbr0 \
--in-interface virbr0 --jump ACCEPT --protocol tcp \
iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \ --destination-port 53 \
--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT --jump ACCEPT
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \ iptables \
--destination 192.168.122.0/24 --jump MASQUERADE --table filter \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ --insert INPUT \
-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 --in-interface virbr0 \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ --protocol udp \
-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 --destination-port 53 \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ --jump ACCEPT
--destination 255.255.255.255/32 --jump RETURN iptables \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ --table filter \
--destination 224.0.0.0/24 --jump RETURN --insert FORWARD \
ip6tables --table filter --insert FORWARD --source 2001:db8:ca2:2::/64 \ --in-interface virbr0 \
--in-interface virbr0 --jump ACCEPT --jump REJECT
ip6tables --table filter --insert FORWARD --destination 2001:db8:ca2:2::/64 \ iptables \
--out-interface virbr0 --jump ACCEPT --table filter \
iptables --table mangle --insert POSTROUTING --out-interface virbr0 \ --insert FORWARD \
--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill --out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
--insert FORWARD \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
--insert FORWARD \
--in-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
--insert FORWARD \
--out-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
--insert FORWARD \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 547 \
--jump ACCEPT
iptables \
--table filter \
--insert FORWARD \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
--insert FORWARD \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
ip6tables \
--table filter \
--insert FORWARD \
--source 2001:db8:ca2:2::/64 \
--in-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
--insert FORWARD \
--destination 2001:db8:ca2:2::/64 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table mangle \
--insert POSTROUTING \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump CHECKSUM \
--checksum-fill


@ -1,58 +1,203 @@
iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ iptables \
--destination-port 67 --jump ACCEPT --table filter \
iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ --insert INPUT \
--destination-port 67 --jump ACCEPT --in-interface virbr0 \
iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \ --protocol tcp \
--destination-port 68 --jump ACCEPT --destination-port 67 \
iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ --jump ACCEPT
--destination-port 53 --jump ACCEPT iptables \
iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ --table filter \
--destination-port 53 --jump ACCEPT --insert INPUT \
iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT --in-interface virbr0 \
iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT --protocol udp \
iptables --table filter --insert FORWARD --in-interface virbr0 \ --destination-port 67 \
--out-interface virbr0 --jump ACCEPT --jump ACCEPT
iptables --table filter --insert FORWARD --source 192.168.122.0/24 \ iptables \
--in-interface virbr0 --jump ACCEPT --table filter \
iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \ --insert OUTPUT \
--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT --out-interface virbr0 \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \ --protocol udp \
--destination 192.168.122.0/24 --jump MASQUERADE --destination-port 68 \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ --jump ACCEPT
-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 iptables \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ --table filter \
-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 --insert INPUT \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ --in-interface virbr0 \
--destination 255.255.255.255/32 --jump RETURN --protocol tcp \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ --destination-port 53 \
--destination 224.0.0.0/24 --jump RETURN --jump ACCEPT
iptables --table filter --insert FORWARD --source 192.168.128.0/24 \ iptables \
--in-interface virbr0 --jump ACCEPT --table filter \
iptables --table filter --insert FORWARD --destination 192.168.128.0/24 \ --insert INPUT \
--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT --in-interface virbr0 \
iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 '!' \ --protocol udp \
--destination 192.168.128.0/24 --jump MASQUERADE --destination-port 53 \
iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \ --jump ACCEPT
-p udp '!' --destination 192.168.128.0/24 --jump MASQUERADE --to-ports 1024-65535 iptables \
iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \ --table filter \
-p tcp '!' --destination 192.168.128.0/24 --jump MASQUERADE --to-ports 1024-65535 --insert FORWARD \
iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \ --in-interface virbr0 \
--destination 255.255.255.255/32 --jump RETURN --jump REJECT
iptables --table nat --insert POSTROUTING --source 192.168.128.0/24 \ iptables \
--destination 224.0.0.0/24 --jump RETURN --table filter \
iptables --table filter --insert FORWARD --source 192.168.150.0/24 \ --insert FORWARD \
--in-interface virbr0 --jump ACCEPT --out-interface virbr0 \
iptables --table filter --insert FORWARD --destination 192.168.150.0/24 \ --jump REJECT
--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT iptables \
iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 '!' \ --table filter \
--destination 192.168.150.0/24 --jump MASQUERADE --insert FORWARD \
iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \ --in-interface virbr0 \
-p udp '!' --destination 192.168.150.0/24 --jump MASQUERADE --to-ports 1024-65535 --out-interface virbr0 \
iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \ --jump ACCEPT
-p tcp '!' --destination 192.168.150.0/24 --jump MASQUERADE --to-ports 1024-65535 iptables \
iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \ --table filter \
--destination 255.255.255.255/32 --jump RETURN --insert FORWARD \
iptables --table nat --insert POSTROUTING --source 192.168.150.0/24 \ --source 192.168.122.0/24 \
--destination 224.0.0.0/24 --jump RETURN --in-interface virbr0 \
iptables --table mangle --insert POSTROUTING --out-interface virbr0 \ --jump ACCEPT
--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill iptables \
--table filter \
--insert FORWARD \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table filter \
--insert FORWARD \
--source 192.168.128.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
--insert FORWARD \
--destination 192.168.128.0/24 \
--out-interface virbr0 \
--match conntrack \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.128.0/24 '!' \
--destination 192.168.128.0/24 \
--jump MASQUERADE
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.128.0/24 \
-p udp '!' \
--destination 192.168.128.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.128.0/24 \
-p tcp '!' \
--destination 192.168.128.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.128.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.128.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table filter \
--insert FORWARD \
--source 192.168.150.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
--insert FORWARD \
--destination 192.168.150.0/24 \
--out-interface virbr0 \
--match conntrack \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.150.0/24 '!' \
--destination 192.168.150.0/24 \
--jump MASQUERADE
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.150.0/24 \
-p udp '!' \
--destination 192.168.150.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.150.0/24 \
-p tcp '!' \
--destination 192.168.150.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.150.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.150.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table mangle \
--insert POSTROUTING \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump CHECKSUM \
--checksum-fill


@ -1,42 +1,148 @@
iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ iptables \
--destination-port 67 --jump ACCEPT --table filter \
iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ --insert INPUT \
--destination-port 67 --jump ACCEPT --in-interface virbr0 \
iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \ --protocol tcp \
--destination-port 68 --jump ACCEPT --destination-port 67 \
iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ --jump ACCEPT
--destination-port 53 --jump ACCEPT iptables \
iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ --table filter \
--destination-port 53 --jump ACCEPT --insert INPUT \
iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT --in-interface virbr0 \
iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT --protocol udp \
iptables --table filter --insert FORWARD --in-interface virbr0 \ --destination-port 67 \
--out-interface virbr0 --jump ACCEPT --jump ACCEPT
ip6tables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT iptables \
ip6tables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT --table filter \
ip6tables --table filter --insert FORWARD --in-interface virbr0 \ --insert OUTPUT \
--out-interface virbr0 --jump ACCEPT --out-interface virbr0 \
ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ --protocol udp \
--destination-port 53 --jump ACCEPT --destination-port 68 \
ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ --jump ACCEPT
--destination-port 53 --jump ACCEPT iptables \
ip6tables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ --table filter \
--destination-port 547 --jump ACCEPT --insert INPUT \
iptables --table filter --insert FORWARD --source 192.168.122.0/24 \ --in-interface virbr0 \
--in-interface virbr0 --jump ACCEPT --protocol tcp \
iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \ --destination-port 53 \
--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT --jump ACCEPT
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \ iptables \
--destination 192.168.122.0/24 --jump MASQUERADE --table filter \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ --insert INPUT \
-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 --in-interface virbr0 \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ --protocol udp \
-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 --destination-port 53 \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ --jump ACCEPT
--destination 255.255.255.255/32 --jump RETURN iptables \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ --table filter \
--destination 224.0.0.0/24 --jump RETURN --insert FORWARD \
ip6tables --table filter --insert FORWARD --source 2001:db8:ca2:2::/64 \ --in-interface virbr0 \
--in-interface virbr0 --jump ACCEPT --jump REJECT
ip6tables --table filter --insert FORWARD --destination 2001:db8:ca2:2::/64 \ iptables \
--out-interface virbr0 --jump ACCEPT --table filter \
--insert FORWARD \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
--insert FORWARD \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
--insert FORWARD \
--in-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
--insert FORWARD \
--out-interface virbr0 \
--jump REJECT
ip6tables \
--table filter \
--insert FORWARD \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
ip6tables \
--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 547 \
--jump ACCEPT
iptables \
--table filter \
--insert FORWARD \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
--insert FORWARD \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
ip6tables \
--table filter \
--insert FORWARD \
--source 2001:db8:ca2:2::/64 \
--in-interface virbr0 \
--jump ACCEPT
ip6tables \
--table filter \
--insert FORWARD \
--destination 2001:db8:ca2:2::/64 \
--out-interface virbr0 \
--jump ACCEPT
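Review bot: The negation token `'!'` is left at the end of the preceding parameter's line in the three MASQUERADE rules (`--source 192.168.122.0/24 '!' \`, `-p udp '!' \`, `-p tcp '!' \`), although as the rules read it negates the `--destination` match on the following line. That makes the NAT exemption easy to misread as applying to the source or protocol. Editing or dropping the negated destination also touches two lines, which is what this re-wrap set out to avoid. The wrapper script is not shown here, but it would presumably need to treat `'!'` as a prefix of the next option so that the line reads `'!' --destination 192.168.122.0/24 \`. The same layout appears in the MASQUERADE rules of the next file section and in the 192.168.128.0/24 and 192.168.150.0/24 rules earlier on the page.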


@ -1,32 +1,114 @@
iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ iptables \
--destination-port 67 --jump ACCEPT --table filter \
iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ --insert INPUT \
--destination-port 67 --jump ACCEPT --in-interface virbr0 \
iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \ --protocol tcp \
--destination-port 68 --jump ACCEPT --destination-port 67 \
iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ --jump ACCEPT
--destination-port 53 --jump ACCEPT iptables \
iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ --table filter \
--destination-port 53 --jump ACCEPT --insert INPUT \
iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ --in-interface virbr0 \
--destination-port 69 --jump ACCEPT --protocol udp \
iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT --destination-port 67 \
iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT --jump ACCEPT
iptables --table filter --insert FORWARD --in-interface virbr0 \ iptables \
--out-interface virbr0 --jump ACCEPT --table filter \
iptables --table filter --insert FORWARD --source 192.168.122.0/24 \ --insert OUTPUT \
--in-interface virbr0 --jump ACCEPT --out-interface virbr0 \
iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \ --protocol udp \
--out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT --destination-port 68 \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' \ --jump ACCEPT
--destination 192.168.122.0/24 --jump MASQUERADE iptables \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ --table filter \
-p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 --insert INPUT \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ --in-interface virbr0 \
-p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535 --protocol tcp \
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ --destination-port 53 \
--destination 255.255.255.255/32 --jump RETURN --jump ACCEPT
iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 \ iptables \
--destination 224.0.0.0/24 --jump RETURN --table filter \
iptables --table mangle --insert POSTROUTING --out-interface virbr0 \ --insert INPUT \
--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill --in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 69 \
--jump ACCEPT
iptables \
--table filter \
--insert FORWARD \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
--insert FORWARD \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
--insert FORWARD \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
--insert FORWARD \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
--insert FORWARD \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--match conntrack \
--ctstate ESTABLISHED,RELATED \
--jump ACCEPT
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
-p udp '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
-p tcp '!' \
--destination 192.168.122.0/24 \
--jump MASQUERADE \
--to-ports 1024-65535
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 255.255.255.255/32 \
--jump RETURN
iptables \
--table nat \
--insert POSTROUTING \
--source 192.168.122.0/24 \
--destination 224.0.0.0/24 \
--jump RETURN
iptables \
--table mangle \
--insert POSTROUTING \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump CHECKSUM \
--checksum-fill


@ -1,20 +1,71 @@
iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ iptables \
--destination-port 67 --jump ACCEPT --table filter \
iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ --insert INPUT \
--destination-port 67 --jump ACCEPT --in-interface virbr0 \
iptables --table filter --insert OUTPUT --out-interface virbr0 --protocol udp \ --protocol tcp \
--destination-port 68 --jump ACCEPT --destination-port 67 \
iptables --table filter --insert INPUT --in-interface virbr0 --protocol tcp \ --jump ACCEPT
--destination-port 53 --jump ACCEPT iptables \
iptables --table filter --insert INPUT --in-interface virbr0 --protocol udp \ --table filter \
--destination-port 53 --jump ACCEPT --insert INPUT \
iptables --table filter --insert FORWARD --in-interface virbr0 --jump REJECT --in-interface virbr0 \
iptables --table filter --insert FORWARD --out-interface virbr0 --jump REJECT --protocol udp \
iptables --table filter --insert FORWARD --in-interface virbr0 \ --destination-port 67 \
--out-interface virbr0 --jump ACCEPT --jump ACCEPT
iptables --table filter --insert FORWARD --source 192.168.122.0/24 \ iptables \
--in-interface virbr0 --jump ACCEPT --table filter \
iptables --table filter --insert FORWARD --destination 192.168.122.0/24 \ --insert OUTPUT \
--out-interface virbr0 --jump ACCEPT --out-interface virbr0 \
iptables --table mangle --insert POSTROUTING --out-interface virbr0 \ --protocol udp \
--protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill --destination-port 68 \
--jump ACCEPT
iptables \
--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol tcp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
--insert INPUT \
--in-interface virbr0 \
--protocol udp \
--destination-port 53 \
--jump ACCEPT
iptables \
--table filter \
--insert FORWARD \
--in-interface virbr0 \
--jump REJECT
iptables \
--table filter \
--insert FORWARD \
--out-interface virbr0 \
--jump REJECT
iptables \
--table filter \
--insert FORWARD \
--in-interface virbr0 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
--insert FORWARD \
--source 192.168.122.0/24 \
--in-interface virbr0 \
--jump ACCEPT
iptables \
--table filter \
--insert FORWARD \
--destination 192.168.122.0/24 \
--out-interface virbr0 \
--jump ACCEPT
iptables \
--table mangle \
--insert POSTROUTING \
--out-interface virbr0 \
--protocol udp \
--destination-port 68 \
--jump CHECKSUM \
--checksum-fill


@ -1,20 +1,92 @@
ip6tables -A FJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \ ip6tables \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \ -A FJ-vnet0 \
--state NEW,ESTABLISHED -j RETURN -p ah \
ip6tables -A FP-vnet0 -p ah --destination f:e:d::c:b:a/127 \ -m mac \
--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT --mac-source 01:02:03:04:05:06 \
ip6tables -A HJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \ --source f:e:d::c:b:a/127 \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \ --destination a:b:c::d:e:f/128 \
--state NEW,ESTABLISHED -j RETURN -m dscp \
ip6tables -A FJ-vnet0 -p ah --destination a:b:c::/128 -m dscp --dscp 33 \ --dscp 2 \
-m state --state ESTABLISHED -j RETURN -m state \
ip6tables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \ --state NEW,ESTABLISHED \
--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT -j RETURN
ip6tables -A HJ-vnet0 -p ah --destination a:b:c::/128 -m dscp --dscp 33 \ ip6tables \
-m state --state ESTABLISHED -j RETURN -A FP-vnet0 \
ip6tables -A FJ-vnet0 -p ah --destination ::10.1.2.3/128 -m dscp --dscp 33 \ -p ah \
-m state --state ESTABLISHED -j RETURN --destination f:e:d::c:b:a/127 \
ip6tables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \ --source a:b:c::d:e:f/128 \
--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT -m dscp \
ip6tables -A HJ-vnet0 -p ah --destination ::10.1.2.3/128 -m dscp --dscp 33 \ --dscp 2 \
-m state --state ESTABLISHED -j RETURN -m state \
--state ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p ah \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source f:e:d::c:b:a/127 \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
-A FJ-vnet0 \
-p ah \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p ah \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p ah \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FJ-vnet0 \
-p ah \
--destination ::10.1.2.3/128 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p ah \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source ::10.1.2.3/128 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p ah \
--destination ::10.1.2.3/128 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN


@ -1,18 +1,89 @@
iptables -A FJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \ iptables \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN -A FJ-vnet0 \
iptables -A FP-vnet0 -p ah --source 10.1.2.3/32 -m dscp --dscp 2 -m state \ -p ah \
--state ESTABLISHED -j ACCEPT -m mac \
iptables -A HJ-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \ --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN --destination 10.1.2.3/32 \
iptables -A FJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \ -m dscp \
-m state --state ESTABLISHED -j RETURN --dscp 2 \
iptables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \ -m state \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT --state NEW,ESTABLISHED \
iptables -A HJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \ -j RETURN
-m state --state ESTABLISHED -j RETURN iptables \
iptables -A FJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \ -A FP-vnet0 \
-m state --state ESTABLISHED -j RETURN -p ah \
iptables -A FP-vnet0 -p ah -m mac --mac-source 01:02:03:04:05:06 \ --source 10.1.2.3/32 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT -m dscp \
iptables -A HJ-vnet0 -p ah --destination 10.1.2.3/22 -m dscp --dscp 33 \ --dscp 2 \
-m state --state ESTABLISHED -j RETURN -m state \
--state ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p ah \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p ah \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p ah \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p ah \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p ah \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p ah \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p ah \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN


@ -1,20 +1,92 @@
ip6tables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \ ip6tables \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \ -A FJ-vnet0 \
--state NEW,ESTABLISHED -j RETURN -p all \
ip6tables -A FP-vnet0 -p all --destination f:e:d::c:b:a/127 \ -m mac \
--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT --mac-source 01:02:03:04:05:06 \
ip6tables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \ --source f:e:d::c:b:a/127 \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \ --destination a:b:c::d:e:f/128 \
--state NEW,ESTABLISHED -j RETURN -m dscp \
ip6tables -A FJ-vnet0 -p all --destination a:b:c::/128 -m dscp --dscp 33 \ --dscp 2 \
-m state --state ESTABLISHED -j RETURN -m state \
ip6tables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \ --state NEW,ESTABLISHED \
--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT -j RETURN
ip6tables -A HJ-vnet0 -p all --destination a:b:c::/128 -m dscp --dscp 33 \ ip6tables \
-m state --state ESTABLISHED -j RETURN -A FP-vnet0 \
ip6tables -A FJ-vnet0 -p all --destination ::10.1.2.3/128 -m dscp --dscp 33 \ -p all \
-m state --state ESTABLISHED -j RETURN --destination f:e:d::c:b:a/127 \
ip6tables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \ --source a:b:c::d:e:f/128 \
--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT -m dscp \
ip6tables -A HJ-vnet0 -p all --destination ::10.1.2.3/128 -m dscp --dscp 33 \ --dscp 2 \
-m state --state ESTABLISHED -j RETURN -m state \
--state ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source f:e:d::c:b:a/127 \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
-A FJ-vnet0 \
-p all \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p all \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FJ-vnet0 \
-p all \
--destination ::10.1.2.3/128 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source ::10.1.2.3/128 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p all \
--destination ::10.1.2.3/128 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN


@ -1,18 +1,89 @@
iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \ iptables \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN -A FJ-vnet0 \
iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 -m state \ -p all \
--state ESTABLISHED -j ACCEPT -m mac \
iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \ --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN --destination 10.1.2.3/32 \
iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \ -m dscp \
-m state --state ESTABLISHED -j RETURN --dscp 2 \
iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \ -m state \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT --state NEW,ESTABLISHED \
iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \ -j RETURN
-m state --state ESTABLISHED -j RETURN iptables \
iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \ -A FP-vnet0 \
-m state --state ESTABLISHED -j RETURN -p all \
iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \ --source 10.1.2.3/32 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT -m dscp \
iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \ --dscp 2 \
-m state --state ESTABLISHED -j RETURN -m state \
--state ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN


@ -1,11 +1,45 @@
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ ebtables \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x806 --arp-htype 12 --arp-opcode 1 \ -t nat \
--arp-ptype 0x22 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \ -A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x806 \
--arp-htype 12 \
--arp-opcode 1 \
--arp-ptype 0x22 \
--arp-mac-src 01:02:03:04:05:06 \
--arp-mac-dst 0a:0b:0c:0d:0e:0f \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 \
--arp-htype 255 \
--arp-opcode 1 \
--arp-ptype 0xff \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 \
--arp-htype 256 \
--arp-opcode 11 \
--arp-ptype 0x100 \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 \
--arp-htype 65535 \
--arp-opcode 65535 \
--arp-ptype 0xffff \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-P-vnet0 \
-p 0x806 \
--arp-gratuitous \
-j ACCEPT -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 --arp-htype 255 --arp-opcode 1 --arp-ptype 0xff -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 --arp-htype 256 --arp-opcode 11 --arp-ptype 0x100 -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 --arp-htype 65535 --arp-opcode 65535 --arp-ptype 0xffff -j ACCEPT
ebtables -t nat -A libvirt-P-vnet0 -p 0x806 --arp-gratuitous -j ACCEPT


@ -1,49 +1,201 @@
ebtables -t nat -A libvirt-P-vnet0 -p 0x1234 -j ACCEPT ebtables \
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ -t nat \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p ipv4 --ip-source 10.1.2.3/32 \ -A libvirt-P-vnet0 \
--ip-destination 10.1.2.3/32 --ip-protocol 17 --ip-source-port 291:564 \ -p 0x1234 \
--ip-destination-port 13398:17767 --ip-tos 0x32 -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:80 -p ipv6 --ip6-source ::10.1.2.3/22 \
--ip6-destination ::10.1.2.3/113 --ip6-protocol 6 --ip6-source-port 273:400 \
--ip6-destination-port 13107:65535 -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x806 --arp-htype 18 --arp-opcode 1 \
--arp-ptype 0x56 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
-j ACCEPT -j ACCEPT
iptables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \ ebtables \
--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \ -t nat \
--state NEW,ESTABLISHED -m comment --comment 'udp rule' -j RETURN -A libvirt-J-vnet0 \
iptables -A FP-vnet0 -p udp --source 10.1.2.3/32 -m dscp --dscp 34 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--dport 291:400 --sport 564:1092 -m state --state ESTABLISHED -m comment \ -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
--comment 'udp rule' -j ACCEPT -p ipv4 \
iptables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \ --ip-source 10.1.2.3/32 \
--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \ --ip-destination 10.1.2.3/32 \
--state NEW,ESTABLISHED -m comment --comment 'udp rule' -j RETURN --ip-protocol 17 \
ip6tables -A FJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \ --ip-source-port 291:564 \
--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -m comment \ --ip-destination-port 13398:17767 \
--comment 'tcp/ipv6 rule' -j RETURN --ip-tos 0x32 \
ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \ -j ACCEPT
--source a:b:c::/128 -m dscp --dscp 57 --sport 32:33 --dport 256:4369 -m state \ ebtables \
--state NEW,ESTABLISHED -m comment --comment 'tcp/ipv6 rule' -j ACCEPT -t nat \
ip6tables -A HJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \ -A libvirt-J-vnet0 \
--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -m comment \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
--comment 'tcp/ipv6 rule' -j RETURN -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:80 \
ip6tables -A FJ-vnet0 -p udp -m state --state ESTABLISHED -m comment \ -p ipv6 \
--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' -j RETURN --ip6-source ::10.1.2.3/22 \
ip6tables -A FP-vnet0 -p udp -m state --state NEW,ESTABLISHED -m comment \ --ip6-destination ::10.1.2.3/113 \
--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' -j ACCEPT --ip6-protocol 6 \
ip6tables -A HJ-vnet0 -p udp -m state --state ESTABLISHED -m comment \ --ip6-source-port 273:400 \
--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' -j RETURN --ip6-destination-port 13107:65535 \
ip6tables -A FJ-vnet0 -p sctp -m state --state ESTABLISHED -m comment \ -j ACCEPT
--comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' -j RETURN ebtables \
ip6tables -A FP-vnet0 -p sctp -m state --state NEW,ESTABLISHED -m comment \ -t nat \
--comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' -j ACCEPT -A libvirt-J-vnet0 \
ip6tables -A HJ-vnet0 -p sctp -m state --state ESTABLISHED -m comment \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' -j RETURN -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
ip6tables -A FJ-vnet0 -p ah -m state --state ESTABLISHED -m comment \ -p 0x806 \
--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' -j RETURN --arp-htype 18 \
ip6tables -A FP-vnet0 -p ah -m state --state NEW,ESTABLISHED -m comment \ --arp-opcode 1 \
--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' -j ACCEPT --arp-ptype 0x56 \
ip6tables -A HJ-vnet0 -p ah -m state --state ESTABLISHED -m comment \ --arp-mac-src 01:02:03:04:05:06 \
--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm -f ${tmp}' -j RETURN --arp-mac-dst 0a:0b:0c:0d:0e:0f \
-j ACCEPT
iptables \
-A FJ-vnet0 \
-p udp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 34 \
--sport 291:400 \
--dport 564:1092 \
-m state \
--state NEW,ESTABLISHED \
-m comment \
--comment 'udp rule' \
-j RETURN
iptables \
-A FP-vnet0 \
-p udp \
--source 10.1.2.3/32 \
-m dscp \
--dscp 34 \
--dport 291:400 \
--sport 564:1092 \
-m state \
--state ESTABLISHED \
-m comment \
--comment 'udp rule' \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p udp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 34 \
--sport 291:400 \
--dport 564:1092 \
-m state \
--state NEW,ESTABLISHED \
-m comment \
--comment 'udp rule' \
-j RETURN
ip6tables \
-A FJ-vnet0 \
-p tcp \
--destination a:b:c::/128 \
-m dscp \
--dscp 57 \
--dport 32:33 \
--sport 256:4369 \
-m state \
--state ESTABLISHED \
-m comment \
--comment 'tcp/ipv6 rule' \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p tcp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 \
-m dscp \
--dscp 57 \
--sport 32:33 \
--dport 256:4369 \
-m state \
--state NEW,ESTABLISHED \
-m comment \
--comment 'tcp/ipv6 rule' \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p tcp \
--destination a:b:c::/128 \
-m dscp \
--dscp 57 \
--dport 32:33 \
--sport 256:4369 \
-m state \
--state ESTABLISHED \
-m comment \
--comment 'tcp/ipv6 rule' \
-j RETURN
ip6tables \
-A FJ-vnet0 \
-p udp \
-m state \
--state ESTABLISHED \
-m comment \
--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p udp \
-m state \
--state NEW,ESTABLISHED \
-m comment \
--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p udp \
-m state \
--state ESTABLISHED \
-m comment \
--comment '`ls`;${COLUMNS};$(ls);"test";&'\''3 spaces'\''' \
-j RETURN
ip6tables \
-A FJ-vnet0 \
-p sctp \
-m state \
--state ESTABLISHED \
-m comment \
--comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p sctp \
-m state \
--state NEW,ESTABLISHED \
-m comment \
--comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p sctp \
-m state \
--state ESTABLISHED \
-m comment \
--comment 'comment with lone '\'', `, ", `, \, $x, and two spaces' \
-j RETURN
ip6tables \
-A FJ-vnet0 \
-p ah \
-m state \
--state ESTABLISHED \
-m comment \
--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm \
-f ${tmp}' \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p ah \
-m state \
--state NEW,ESTABLISHED \
-m comment \
--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm \
-f ${tmp}' \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p ah \
-m state \
--state ESTABLISHED \
-m comment \
--comment 'tmp=`mktemp`; echo ${RANDOM} > ${tmp} ; cat < ${tmp}; rm \
-f ${tmp}' \
-j RETURN
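Review bot: In the three `-p ah` rules at the end of this section the wrap falls inside the single-quoted `--comment` value: the line ends in `rm \` and the value continues on the next line as `-f ${tmp}' \`. Inside single quotes a shell keeps a backslash-newline literally, so the expected text only matches if the test loader strips every backslash-newline pair before comparing. The earlier commit cited in the description suggests that it does, but the loader is not visible here. These comments are the fixtures that exercise quoting of shell metacharacters, so the wrapper should never break inside a quoted value. It should leave such a line over-long, keeping everything from `--comment '` to the closing `' \` on one line.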


@ -1,7 +1,42 @@
iptables -A FJ-vnet0 -p icmp -m connlimit --connlimit-above 1 -j DROP iptables \
iptables -A HJ-vnet0 -p icmp -m connlimit --connlimit-above 1 -j DROP -A FJ-vnet0 \
iptables -A FJ-vnet0 -p tcp -m connlimit --connlimit-above 2 -j DROP -p icmp \
iptables -A HJ-vnet0 -p tcp -m connlimit --connlimit-above 2 -j DROP -m connlimit \
iptables -A FJ-vnet0 -p all -m state --state NEW,ESTABLISHED -j RETURN --connlimit-above 1 \
iptables -A FP-vnet0 -p all -m state --state ESTABLISHED -j ACCEPT -j DROP
iptables -A HJ-vnet0 -p all -m state --state NEW,ESTABLISHED -j RETURN iptables \
-A HJ-vnet0 \
-p icmp \
-m connlimit \
--connlimit-above 1 \
-j DROP
iptables \
-A FJ-vnet0 \
-p tcp \
-m connlimit \
--connlimit-above 2 \
-j DROP
iptables \
-A HJ-vnet0 \
-p tcp \
-m connlimit \
--connlimit-above 2 \
-j DROP
iptables \
-A FJ-vnet0 \
-p all \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p all \
-m state \
--state ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p all \
-m state \
--state NEW,ESTABLISHED \
-j RETURN


@ -1,20 +1,92 @@
ip6tables -A FJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \ ip6tables \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \ -A FJ-vnet0 \
--state NEW,ESTABLISHED -j RETURN -p esp \
ip6tables -A FP-vnet0 -p esp --destination f:e:d::c:b:a/127 \ -m mac \
--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT --mac-source 01:02:03:04:05:06 \
ip6tables -A HJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \ --source f:e:d::c:b:a/127 \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \ --destination a:b:c::d:e:f/128 \
--state NEW,ESTABLISHED -j RETURN -m dscp \
ip6tables -A FJ-vnet0 -p esp --destination a:b:c::/128 -m dscp --dscp 33 \ --dscp 2 \
-m state --state ESTABLISHED -j RETURN -m state \
ip6tables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \ --state NEW,ESTABLISHED \
--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT -j RETURN
ip6tables -A HJ-vnet0 -p esp --destination a:b:c::/128 -m dscp --dscp 33 \ ip6tables \
-m state --state ESTABLISHED -j RETURN -A FP-vnet0 \
ip6tables -A FJ-vnet0 -p esp --destination ::10.1.2.3/128 -m dscp --dscp 33 \ -p esp \
-m state --state ESTABLISHED -j RETURN --destination f:e:d::c:b:a/127 \
ip6tables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \ --source a:b:c::d:e:f/128 \
--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT -m dscp \
ip6tables -A HJ-vnet0 -p esp --destination ::10.1.2.3/128 -m dscp --dscp 33 \ --dscp 2 \
-m state --state ESTABLISHED -j RETURN -m state \
--state ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p esp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source f:e:d::c:b:a/127 \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
-A FJ-vnet0 \
-p esp \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p esp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p esp \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FJ-vnet0 \
-p esp \
--destination ::10.1.2.3/128 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p esp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source ::10.1.2.3/128 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p esp \
--destination ::10.1.2.3/128 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN


@ -1,18 +1,89 @@
iptables -A FJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \ iptables \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN -A FJ-vnet0 \
iptables -A FP-vnet0 -p esp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \ -p esp \
--state ESTABLISHED -j ACCEPT -m mac \
iptables -A HJ-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \ --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN --destination 10.1.2.3/32 \
iptables -A FJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \ -m dscp \
-m state --state ESTABLISHED -j RETURN --dscp 2 \
iptables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \ -m state \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT --state NEW,ESTABLISHED \
iptables -A HJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \ -j RETURN
-m state --state ESTABLISHED -j RETURN iptables \
iptables -A FJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \ -A FP-vnet0 \
-m state --state ESTABLISHED -j RETURN -p esp \
iptables -A FP-vnet0 -p esp -m mac --mac-source 01:02:03:04:05:06 \ --source 10.1.2.3/32 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT -m dscp \
iptables -A HJ-vnet0 -p esp --destination 10.1.2.3/22 -m dscp --dscp 33 \ --dscp 2 \
-m state --state ESTABLISHED -j RETURN -m state \
--state ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p esp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p esp \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p esp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p esp \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p esp \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p esp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p esp \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN


@ -1,13 +1,69 @@
iptables -A FJ-vnet0 -p tcp --sport 22 -m state --state ESTABLISHED -j RETURN iptables \
iptables -A FP-vnet0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED \ -A FJ-vnet0 \
-p tcp \
--sport 22 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p tcp \
--dport 22 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT -j ACCEPT
iptables -A HJ-vnet0 -p tcp --sport 22 -m state --state ESTABLISHED -j RETURN iptables \
iptables -A FJ-vnet0 -p icmp -m state --state ESTABLISHED -j RETURN -A HJ-vnet0 \
iptables -A FP-vnet0 -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT -p tcp \
iptables -A HJ-vnet0 -p icmp -m state --state ESTABLISHED -j RETURN --sport 22 \
iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -j RETURN -m state \
iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -j ACCEPT --state ESTABLISHED \
iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -j RETURN -j RETURN
iptables -A FJ-vnet0 -p all -j DROP iptables \
iptables -A FP-vnet0 -p all -j DROP -A FJ-vnet0 \
iptables -A HJ-vnet0 -p all -j DROP -p icmp \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p icmp \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p icmp \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p all \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p all \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p all \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p all \
-j DROP
iptables \
-A FP-vnet0 \
-p all \
-j DROP
iptables \
-A HJ-vnet0 \
-p all \
-j DROP


@ -1,20 +1,77 @@
iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED,RELATED -m comment \ iptables \
--comment 'out: existing and related (ftp) connections' -j RETURN -A FJ-vnet0 \
iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED,RELATED -m comment \ -p all \
--comment 'out: existing and related (ftp) connections' -j RETURN -m state \
iptables -A FP-vnet0 -p all -m state --state ESTABLISHED -m comment \ --state ESTABLISHED,RELATED \
--comment 'in: existing connections' -j ACCEPT -m comment \
iptables -A FP-vnet0 -p tcp --dport 21:22 -m state --state NEW -m comment \ --comment 'out: existing and related (ftp) connections' \
--comment 'in: ftp and ssh' -j ACCEPT -j RETURN
iptables -A FP-vnet0 -p icmp -m state --state NEW -m comment \ iptables \
--comment 'in: icmp' -j ACCEPT -A HJ-vnet0 \
iptables -A FJ-vnet0 -p udp --dport 53 -m state --state NEW -m comment \ -p all \
--comment 'out: DNS lookups' -j RETURN -m state \
iptables -A HJ-vnet0 -p udp --dport 53 -m state --state NEW -m comment \ --state ESTABLISHED,RELATED \
--comment 'out: DNS lookups' -j RETURN -m comment \
iptables -A FJ-vnet0 -p all -m comment \ --comment 'out: existing and related (ftp) connections' \
--comment 'inout: drop all non-accepted traffic' -j DROP -j RETURN
iptables -A FP-vnet0 -p all -m comment \ iptables \
--comment 'inout: drop all non-accepted traffic' -j DROP -A FP-vnet0 \
iptables -A HJ-vnet0 -p all -m comment \ -p all \
--comment 'inout: drop all non-accepted traffic' -j DROP -m state \
--state ESTABLISHED \
-m comment \
--comment 'in: existing connections' \
-j ACCEPT
iptables \
-A FP-vnet0 \
-p tcp \
--dport 21:22 \
-m state \
--state NEW \
-m comment \
--comment 'in: ftp and ssh' \
-j ACCEPT
iptables \
-A FP-vnet0 \
-p icmp \
-m state \
--state NEW \
-m comment \
--comment 'in: icmp' \
-j ACCEPT
iptables \
-A FJ-vnet0 \
-p udp \
--dport 53 \
-m state \
--state NEW \
-m comment \
--comment 'out: DNS lookups' \
-j RETURN
iptables \
-A HJ-vnet0 \
-p udp \
--dport 53 \
-m state \
--state NEW \
-m comment \
--comment 'out: DNS lookups' \
-j RETURN
iptables \
-A FJ-vnet0 \
-p all \
-m comment \
--comment 'inout: drop all non-accepted traffic' \
-j DROP
iptables \
-A FP-vnet0 \
-p all \
-m comment \
--comment 'inout: drop all non-accepted traffic' \
-j DROP
iptables \
-A HJ-vnet0 \
-p all \
-m comment \
--comment 'inout: drop all non-accepted traffic' \
-j DROP


@ -1,28 +1,114 @@
ebtables -t nat -A libvirt-P-vnet0 -p 0x1234 -j ACCEPT ebtables \
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ -t nat \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p ipv4 --ip-source 10.1.2.3/32 \ -A libvirt-P-vnet0 \
--ip-destination 10.1.2.3/32 --ip-protocol 17 --ip-source-port 291:564 \ -p 0x1234 \
--ip-destination-port 13398:17767 --ip-tos 0x32 -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:80 -p ipv6 --ip6-source ::10.1.2.3/22 \
--ip6-destination ::10.1.2.3/113 --ip6-protocol 6 --ip6-source-port 273:400 \
--ip6-destination-port 13107:65535 -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x806 --arp-htype 18 --arp-opcode 1 \
--arp-ptype 0x56 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
-j ACCEPT -j ACCEPT
iptables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \ ebtables \
--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \ -t nat \
--state NEW,ESTABLISHED -j RETURN -A libvirt-J-vnet0 \
iptables -A FP-vnet0 -p udp --source 10.1.2.3/32 -m dscp --dscp 34 \ -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--dport 291:400 --sport 564:1092 -m state --state ESTABLISHED -j ACCEPT -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
iptables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \ -p ipv4 \
--destination 10.1.2.3/32 -m dscp --dscp 34 --sport 291:400 --dport 564:1092 -m state \ --ip-source 10.1.2.3/32 \
--state NEW,ESTABLISHED -j RETURN --ip-destination 10.1.2.3/32 \
ip6tables -A FJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \ --ip-protocol 17 \
--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -j RETURN --ip-source-port 291:564 \
ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \ --ip-destination-port 13398:17767 \
--source a:b:c::/128 -m dscp --dscp 57 --sport 32:33 --dport 256:4369 -m state \ --ip-tos 0x32 \
--state NEW,ESTABLISHED -j ACCEPT -j ACCEPT
ip6tables -A HJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 57 \ ebtables \
--dport 32:33 --sport 256:4369 -m state --state ESTABLISHED -j RETURN -t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:80 \
-p ipv6 \
--ip6-source ::10.1.2.3/22 \
--ip6-destination ::10.1.2.3/113 \
--ip6-protocol 6 \
--ip6-source-port 273:400 \
--ip6-destination-port 13107:65535 \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x806 \
--arp-htype 18 \
--arp-opcode 1 \
--arp-ptype 0x56 \
--arp-mac-src 01:02:03:04:05:06 \
--arp-mac-dst 0a:0b:0c:0d:0e:0f \
-j ACCEPT
iptables \
-A FJ-vnet0 \
-p udp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 34 \
--sport 291:400 \
--dport 564:1092 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p udp \
--source 10.1.2.3/32 \
-m dscp \
--dscp 34 \
--dport 291:400 \
--sport 564:1092 \
-m state \
--state ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p udp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 34 \
--sport 291:400 \
--dport 564:1092 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
-A FJ-vnet0 \
-p tcp \
--destination a:b:c::/128 \
-m dscp \
--dscp 57 \
--dport 32:33 \
--sport 256:4369 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p tcp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 \
-m dscp \
--dscp 57 \
--sport 32:33 \
--dport 256:4369 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p tcp \
--destination a:b:c::/128 \
-m dscp \
--dscp 57 \
--dport 32:33 \
--sport 256:4369 \
-m state \
--state ESTABLISHED \
-j RETURN


@ -1,9 +1,33 @@
iptables -A FP-vnet0 -p icmp --icmp-type 0 -m state --state NEW,ESTABLISHED \ iptables \
-A FP-vnet0 \
-p icmp \
--icmp-type 0 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT -j ACCEPT
iptables -A FJ-vnet0 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED \ iptables \
-A FJ-vnet0 \
-p icmp \
--icmp-type 8 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN -j RETURN
iptables -A HJ-vnet0 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED \ iptables \
-A HJ-vnet0 \
-p icmp \
--icmp-type 8 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN -j RETURN
iptables -A FJ-vnet0 -p icmp -j DROP iptables \
iptables -A FP-vnet0 -p icmp -j DROP -A FJ-vnet0 \
iptables -A HJ-vnet0 -p icmp -j DROP -p icmp \
-j DROP
iptables \
-A FP-vnet0 \
-p icmp \
-j DROP
iptables \
-A HJ-vnet0 \
-p icmp \
-j DROP


@ -1,9 +1,33 @@
iptables -A FP-vnet0 -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED \ iptables \
-A FP-vnet0 \
-p icmp \
--icmp-type 8 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT -j ACCEPT
iptables -A FJ-vnet0 -p icmp --icmp-type 0 -m state --state NEW,ESTABLISHED \ iptables \
-A FJ-vnet0 \
-p icmp \
--icmp-type 0 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN -j RETURN
iptables -A HJ-vnet0 -p icmp --icmp-type 0 -m state --state NEW,ESTABLISHED \ iptables \
-A HJ-vnet0 \
-p icmp \
--icmp-type 0 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN -j RETURN
iptables -A FJ-vnet0 -p icmp -j DROP iptables \
iptables -A FP-vnet0 -p icmp -j DROP -A FJ-vnet0 \
iptables -A HJ-vnet0 -p icmp -j DROP -p icmp \
-j DROP
iptables \
-A FP-vnet0 \
-p icmp \
-j DROP
iptables \
-A HJ-vnet0 \
-p icmp \
-j DROP


@ -1,6 +1,30 @@
iptables -A FJ-vnet0 -p icmp -m state --state NEW,ESTABLISHED -j RETURN iptables \
iptables -A FP-vnet0 -p icmp -m state --state ESTABLISHED -j ACCEPT -A FJ-vnet0 \
iptables -A HJ-vnet0 -p icmp -m state --state NEW,ESTABLISHED -j RETURN -p icmp \
iptables -A FJ-vnet0 -p all -j DROP -m state \
iptables -A FP-vnet0 -p all -j DROP --state NEW,ESTABLISHED \
iptables -A HJ-vnet0 -p all -j DROP -j RETURN
iptables \
-A FP-vnet0 \
-p icmp \
-m state \
--state ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p icmp \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p all \
-j DROP
iptables \
-A FP-vnet0 \
-p all \
-j DROP
iptables \
-A HJ-vnet0 \
-p all \
-j DROP


@ -1,9 +1,36 @@
iptables -A FJ-vnet0 -p icmp -m mac --mac-source 01:02:03:04:05:06 \ iptables \
--destination 10.1.2.3/32 -m dscp --dscp 2 --icmp-type 12/11 -m state \ -A FJ-vnet0 \
--state NEW,ESTABLISHED -j RETURN -p icmp \
iptables -A HJ-vnet0 -p icmp -m mac --mac-source 01:02:03:04:05:06 \ -m mac \
--destination 10.1.2.3/32 -m dscp --dscp 2 --icmp-type 12/11 -m state \ --mac-source 01:02:03:04:05:06 \
--state NEW,ESTABLISHED -j RETURN --destination 10.1.2.3/32 \
iptables -A FP-vnet0 -p icmp -m mac --mac-source 01:02:03:04:05:06 \ -m dscp \
--source 10.1.2.3/22 -m dscp --dscp 33 --icmp-type 255/255 -m state \ --dscp 2 \
--state NEW,ESTABLISHED -j ACCEPT --icmp-type 12/11 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A HJ-vnet0 \
-p icmp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
--icmp-type 12/11 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p icmp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
--icmp-type 255/255 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT


@ -1,12 +1,50 @@
ip6tables -A FJ-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \ ip6tables \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 \ -A FJ-vnet0 \
--icmpv6-type 12/11 -m state --state NEW,ESTABLISHED -j RETURN -p icmpv6 \
ip6tables -A HJ-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \ -m mac \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 \ --mac-source 01:02:03:04:05:06 \
--icmpv6-type 12/11 -m state --state NEW,ESTABLISHED -j RETURN --source f:e:d::c:b:a/127 \
ip6tables -A FP-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \ --destination a:b:c::d:e:f/128 \
--source a:b:c::/128 -m dscp --dscp 33 --icmpv6-type 255/255 -m state \ -m dscp \
--state NEW,ESTABLISHED -j ACCEPT --dscp 2 \
ip6tables -A FP-vnet0 -p icmpv6 -m mac --mac-source 01:02:03:04:05:06 \ --icmpv6-type 12/11 \
--source ::10.1.2.3/128 -m dscp --dscp 33 --icmpv6-type 255/255 -m state \ -m state \
--state NEW,ESTABLISHED -j ACCEPT --state NEW,ESTABLISHED \
-j RETURN
ip6tables \
-A HJ-vnet0 \
-p icmpv6 \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source f:e:d::c:b:a/127 \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
--icmpv6-type 12/11 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p icmpv6 \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 \
-m dscp \
--dscp 33 \
--icmpv6-type 255/255 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-A FP-vnet0 \
-p icmpv6 \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source ::10.1.2.3/128 \
-m dscp \
--dscp 33 \
--icmpv6-type 255/255 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT


@ -1,18 +1,89 @@
iptables -A FJ-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \ iptables \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN -A FJ-vnet0 \
iptables -A FP-vnet0 -p igmp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \ -p igmp \
--state ESTABLISHED -j ACCEPT -m mac \
iptables -A HJ-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \ --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN --destination 10.1.2.3/32 \
iptables -A FJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \ -m dscp \
-m state --state ESTABLISHED -j RETURN --dscp 2 \
iptables -A FP-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \ -m state \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT --state NEW,ESTABLISHED \
iptables -A HJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \ -j RETURN
-m state --state ESTABLISHED -j RETURN iptables \
iptables -A FJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \ -A FP-vnet0 \
-m state --state ESTABLISHED -j RETURN -p igmp \
iptables -A FP-vnet0 -p igmp -m mac --mac-source 01:02:03:04:05:06 \ --source 10.1.2.3/32 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT -m dscp \
iptables -A HJ-vnet0 -p igmp --destination 10.1.2.3/22 -m dscp --dscp 33 \ --dscp 2 \
-m state --state ESTABLISHED -j RETURN -m state \
--state ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p igmp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p igmp \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p igmp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p igmp \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p igmp \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p igmp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p igmp \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN


@ -1,8 +1,30 @@
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ ebtables \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p ipv4 --ip-source 10.1.2.3/32 \ -t nat \
--ip-destination 10.1.2.3/32 --ip-protocol 17 --ip-source-port 20:22 \ -A libvirt-J-vnet0 \
--ip-destination-port 100:101 -j ACCEPT -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
ebtables -t nat -A libvirt-J-vnet0 -p ipv4 --ip-source 10.1.2.3/17 \ -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
--ip-destination 10.1.2.3/24 --ip-protocol 17 --ip-tos 0x3f -j ACCEPT -p ipv4 \
ebtables -t nat -A libvirt-P-vnet0 -p ipv4 --ip-source 10.1.2.3/31 \ --ip-source 10.1.2.3/32 \
--ip-destination 10.1.2.3/25 --ip-protocol 255 --ip-tos 0x3f -j ACCEPT --ip-destination 10.1.2.3/32 \
--ip-protocol 17 \
--ip-source-port 20:22 \
--ip-destination-port 100:101 \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-J-vnet0 \
-p ipv4 \
--ip-source 10.1.2.3/17 \
--ip-destination 10.1.2.3/24 \
--ip-protocol 17 \
--ip-tos 0x3f \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-P-vnet0 \
-p ipv4 \
--ip-source 10.1.2.3/31 \
--ip-destination 10.1.2.3/25 \
--ip-protocol 255 \
--ip-tos 0x3f \
-j ACCEPT


@ -1,36 +1,144 @@
iptables -A FJ-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \ iptables \
--match-set tck_test src,dst -j RETURN -A FJ-vnet0 \
iptables -A FP-vnet0 -p all -m state --state ESTABLISHED -m set \ -p all \
--match-set tck_test dst,src -j ACCEPT -m state \
iptables -A HJ-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \ --state NEW,ESTABLISHED \
--match-set tck_test src,dst -j RETURN -m set \
iptables -A FP-vnet0 -p all -m set --match-set tck_test src,dst -m comment \ --match-set tck_test src,dst \
--comment in+NONE -j ACCEPT -j RETURN
iptables -A FJ-vnet0 -p all -m set --match-set tck_test src,dst -m comment \ iptables \
--comment out+NONE -j RETURN -A FP-vnet0 \
iptables -A HJ-vnet0 -p all -m set --match-set tck_test src,dst -m comment \ -p all \
--comment out+NONE -j RETURN -m state \
iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -m set \ --state ESTABLISHED \
--match-set tck_test dst,src,dst -j RETURN -m set \
iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \ --match-set tck_test dst,src \
--match-set tck_test src,dst,src -j ACCEPT -j ACCEPT
iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -m set \ iptables \
--match-set tck_test dst,src,dst -j RETURN -A HJ-vnet0 \
iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -m set \ -p all \
--match-set tck_test dst,src,dst -j RETURN -m state \
iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \ --state NEW,ESTABLISHED \
--match-set tck_test src,dst,src -j ACCEPT -m set \
iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -m set \ --match-set tck_test src,dst \
--match-set tck_test dst,src,dst -j RETURN -j RETURN
iptables -A FJ-vnet0 -p all -m state --state ESTABLISHED -m set \ iptables \
--match-set tck_test dst,src -j RETURN -A FP-vnet0 \
iptables -A FP-vnet0 -p all -m state --state NEW,ESTABLISHED -m set \ -p all \
--match-set tck_test src,dst -j ACCEPT -m set \
iptables -A HJ-vnet0 -p all -m state --state ESTABLISHED -m set \ --match-set tck_test src,dst \
--match-set tck_test dst,src -j RETURN -m comment \
iptables -A FJ-vnet0 -p all -m set --match-set tck_test dst,src -m comment \ --comment in+NONE \
--comment inout -j RETURN -j ACCEPT
iptables -A FP-vnet0 -p all -m set --match-set tck_test src,dst -m comment \ iptables \
--comment inout -j ACCEPT -A FJ-vnet0 \
iptables -A HJ-vnet0 -p all -m set --match-set tck_test dst,src -m comment \ -p all \
--comment inout -j RETURN -m set \
--match-set tck_test src,dst \
-m comment \
--comment out+NONE \
-j RETURN
iptables \
-A HJ-vnet0 \
-p all \
-m set \
--match-set tck_test src,dst \
-m comment \
--comment out+NONE \
-j RETURN
iptables \
-A FJ-vnet0 \
-p all \
-m state \
--state ESTABLISHED \
-m set \
--match-set tck_test dst,src,dst \
-j RETURN
iptables \
-A FP-vnet0 \
-p all \
-m state \
--state NEW,ESTABLISHED \
-m set \
--match-set tck_test src,dst,src \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p all \
-m state \
--state ESTABLISHED \
-m set \
--match-set tck_test dst,src,dst \
-j RETURN
iptables \
-A FJ-vnet0 \
-p all \
-m state \
--state ESTABLISHED \
-m set \
--match-set tck_test dst,src,dst \
-j RETURN
iptables \
-A FP-vnet0 \
-p all \
-m state \
--state NEW,ESTABLISHED \
-m set \
--match-set tck_test src,dst,src \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p all \
-m state \
--state ESTABLISHED \
-m set \
--match-set tck_test dst,src,dst \
-j RETURN
iptables \
-A FJ-vnet0 \
-p all \
-m state \
--state ESTABLISHED \
-m set \
--match-set tck_test dst,src \
-j RETURN
iptables \
-A FP-vnet0 \
-p all \
-m state \
--state NEW,ESTABLISHED \
-m set \
--match-set tck_test src,dst \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p all \
-m state \
--state ESTABLISHED \
-m set \
--match-set tck_test dst,src \
-j RETURN
iptables \
-A FJ-vnet0 \
-p all \
-m set \
--match-set tck_test dst,src \
-m comment \
--comment inout \
-j RETURN
iptables \
-A FP-vnet0 \
-p all \
-m set \
--match-set tck_test src,dst \
-m comment \
--comment inout \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p all \
-m set \
--match-set tck_test dst,src \
-m comment \
--comment inout \
-j RETURN


@ -1,2 +1,12 @@
iptables -A FP-vnet0 -p all -m mac '!' --mac-source 12:34:56:78:9a:bc -j DROP iptables \
iptables -A FP-vnet0 -p all -m mac '!' --mac-source aa:aa:aa:aa:aa:aa -j DROP -A FP-vnet0 \
-p all \
-m mac '!' \
--mac-source 12:34:56:78:9a:bc \
-j DROP
iptables \
-A FP-vnet0 \
-p all \
-m mac '!' \
--mac-source aa:aa:aa:aa:aa:aa \
-j DROP
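Review bot: The rewrapped lines `-m mac '!' \` keep the negation marker on the module line, although in this argument order the `'!'` applies to the `--mac-source` match that follows it. A later patch that adds or drops the negation would then show up as a change to `-m mac` rather than to the address match, which is easy to misread when reviewing a DROP rule whose meaning inverts with that one token. If the wrapping script can treat a bare `'!'` as a prefix of the next option, a line such as `'!' --mac-source 12:34:56:78:9a:bc \` would keep the one-parameter-per-line property the commit message describes. The script is not shown in this section, so this is a suggestion for the script rather than for the data file.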


@ -1,36 +1,140 @@
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \ ebtables \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:80 -p ipv6 --ip6-source ::10.1.2.3/22 \ -t nat \
--ip6-destination ::10.1.2.3/113 --ip6-protocol 17 --ip6-source-port 20:22 \ -A libvirt-J-vnet0 \
--ip6-destination-port 100:101 -j ACCEPT -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \ -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:80 \
--ip6-source a:b:c::/65 --ip6-protocol 6 --ip6-destination-port 20:22 \ -p ipv6 \
--ip6-source-port 100:101 -j ACCEPT --ip6-source ::10.1.2.3/22 \
ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \ --ip6-destination ::10.1.2.3/113 \
--ip6-destination a:b:c::/65 --ip6-protocol 6 --ip6-source-port 20:22 \ --ip6-protocol 17 \
--ip6-destination-port 100:101 -j ACCEPT --ip6-source-port 20:22 \
ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \ --ip6-destination-port 100:101 \
--ip6-source a:b:c::/65 --ip6-protocol 6 --ip6-destination-port 255:256 \ -j ACCEPT
--ip6-source-port 65535:65535 -j ACCEPT ebtables \
ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \ -t nat \
--ip6-destination a:b:c::/65 --ip6-protocol 6 --ip6-source-port 255:256 \ -A libvirt-J-vnet0 \
--ip6-destination-port 65535:65535 -j ACCEPT -p ipv6 \
ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \ --ip6-destination 1::2/128 \
--ip6-source a:b:c::/65 --ip6-protocol 18 -j ACCEPT --ip6-source a:b:c::/65 \
ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \ --ip6-protocol 6 \
--ip6-destination a:b:c::/65 --ip6-protocol 18 -j ACCEPT --ip6-destination-port 20:22 \
ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \ --ip6-source-port 100:101 \
--ip6-source a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 1:11/10:11 -j ACCEPT -j ACCEPT
ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \ ebtables \
--ip6-destination a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 1:11/10:11 -j ACCEPT -t nat \
ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \ -A libvirt-P-vnet0 \
--ip6-source a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 1:1/10:10 -j ACCEPT -p ipv6 \
ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \ --ip6-source 1::2/128 \
--ip6-destination a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 1:1/10:10 -j ACCEPT --ip6-destination a:b:c::/65 \
ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \ --ip6-protocol 6 \
--ip6-source a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 0:255/10:10 -j ACCEPT --ip6-source-port 20:22 \
ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \ --ip6-destination-port 100:101 \
--ip6-destination a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 0:255/10:10 -j ACCEPT -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -p ipv6 --ip6-destination 1::2/128 \ ebtables \
--ip6-source a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 1:1/0:255 -j ACCEPT -t nat \
ebtables -t nat -A libvirt-P-vnet0 -p ipv6 --ip6-source 1::2/128 \ -A libvirt-J-vnet0 \
--ip6-destination a:b:c::/65 --ip6-protocol 58 --ip6-icmp-type 1:1/0:255 -j ACCEPT -p ipv6 \
--ip6-destination 1::2/128 \
--ip6-source a:b:c::/65 \
--ip6-protocol 6 \
--ip6-destination-port 255:256 \
--ip6-source-port 65535:65535 \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-P-vnet0 \
-p ipv6 \
--ip6-source 1::2/128 \
--ip6-destination a:b:c::/65 \
--ip6-protocol 6 \
--ip6-source-port 255:256 \
--ip6-destination-port 65535:65535 \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-J-vnet0 \
-p ipv6 \
--ip6-destination 1::2/128 \
--ip6-source a:b:c::/65 \
--ip6-protocol 18 \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-P-vnet0 \
-p ipv6 \
--ip6-source 1::2/128 \
--ip6-destination a:b:c::/65 \
--ip6-protocol 18 \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-J-vnet0 \
-p ipv6 \
--ip6-destination 1::2/128 \
--ip6-source a:b:c::/65 \
--ip6-protocol 58 \
--ip6-icmp-type 1:11/10:11 \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-P-vnet0 \
-p ipv6 \
--ip6-source 1::2/128 \
--ip6-destination a:b:c::/65 \
--ip6-protocol 58 \
--ip6-icmp-type 1:11/10:11 \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-J-vnet0 \
-p ipv6 \
--ip6-destination 1::2/128 \
--ip6-source a:b:c::/65 \
--ip6-protocol 58 \
--ip6-icmp-type 1:1/10:10 \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-P-vnet0 \
-p ipv6 \
--ip6-source 1::2/128 \
--ip6-destination a:b:c::/65 \
--ip6-protocol 58 \
--ip6-icmp-type 1:1/10:10 \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-J-vnet0 \
-p ipv6 \
--ip6-destination 1::2/128 \
--ip6-source a:b:c::/65 \
--ip6-protocol 58 \
--ip6-icmp-type 0:255/10:10 \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-P-vnet0 \
-p ipv6 \
--ip6-source 1::2/128 \
--ip6-destination a:b:c::/65 \
--ip6-protocol 58 \
--ip6-icmp-type 0:255/10:10 \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-J-vnet0 \
-p ipv6 \
--ip6-destination 1::2/128 \
--ip6-source a:b:c::/65 \
--ip6-protocol 58 \
--ip6-icmp-type 1:1/0:255 \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-P-vnet0 \
-p ipv6 \
--ip6-source 1::2/128 \
--ip6-destination a:b:c::/65 \
--ip6-protocol 58 \
--ip6-icmp-type 1:1/0:255 \
-j ACCEPT


@ -1,18 +1,90 @@
iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 2 --sport 80 \ iptables \
-m state --state NEW,ESTABLISHED -j RETURN -A FJ-vnet0 \
iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 2 --dport 80 \ -p tcp \
-m state --state ESTABLISHED -j ACCEPT --source 1.1.1.1 \
iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 2 --sport 80 \ -m dscp \
-m state --state NEW,ESTABLISHED -j RETURN --dscp 2 \
iptables -A FJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \ --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN -m state \
iptables -A FP-vnet0 -p tcp --destination 2.2.2.2 -m dscp --dscp 2 --dport 90 \ --state NEW,ESTABLISHED \
-m state --state ESTABLISHED -j ACCEPT -j RETURN
iptables -A HJ-vnet0 -p tcp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \ iptables \
-m state --state NEW,ESTABLISHED -j RETURN -A FP-vnet0 \
iptables -A FJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 2 --sport 80 \ -p tcp \
-m state --state NEW,ESTABLISHED -j RETURN --destination 1.1.1.1 \
iptables -A FP-vnet0 -p tcp --destination 3.3.3.3 -m dscp --dscp 2 --dport 80 \ -m dscp \
-m state --state ESTABLISHED -j ACCEPT --dscp 2 \
iptables -A HJ-vnet0 -p tcp --source 3.3.3.3 -m dscp --dscp 2 --sport 80 \ --dport 80 \
-m state --state NEW,ESTABLISHED -j RETURN -m state \
--state ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
-m dscp \
--dscp 2 \
--sport 80 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
-m dscp \
--dscp 2 \
--sport 90 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p tcp \
--destination 2.2.2.2 \
-m dscp \
--dscp 2 \
--dport 90 \
-m state \
--state ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p tcp \
--source 2.2.2.2 \
-m dscp \
--dscp 2 \
--sport 90 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
-m dscp \
--dscp 2 \
--sport 80 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p tcp \
--destination 3.3.3.3 \
-m dscp \
--dscp 2 \
--dport 80 \
-m state \
--state ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p tcp \
--source 3.3.3.3 \
-m dscp \
--dscp 2 \
--sport 80 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN


@ -1,30 +1,153 @@
iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 80 \ iptables \
-m state --state NEW,ESTABLISHED -j RETURN -A FJ-vnet0 \
iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 1 --dport 80 \ -p tcp \
-m state --state ESTABLISHED -j ACCEPT --source 1.1.1.1 \
iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 80 \ -m dscp \
-m state --state NEW,ESTABLISHED -j RETURN --dscp 1 \
iptables -A FJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 90 \ --sport 80 \
-m state --state NEW,ESTABLISHED -j RETURN -m state \
iptables -A FP-vnet0 -p tcp --destination 1.1.1.1 -m dscp --dscp 1 --dport 90 \ --state NEW,ESTABLISHED \
-m state --state ESTABLISHED -j ACCEPT -j RETURN
iptables -A HJ-vnet0 -p tcp --source 1.1.1.1 -m dscp --dscp 1 --sport 90 \ iptables \
-m state --state NEW,ESTABLISHED -j RETURN -A FP-vnet0 \
iptables -A FJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 80 \ -p tcp \
-m state --state NEW,ESTABLISHED -j RETURN --destination 1.1.1.1 \
iptables -A FP-vnet0 -p udp --destination 2.2.2.2 -m dscp --dscp 2 --dport 80 \ -m dscp \
-m state --state ESTABLISHED -j ACCEPT --dscp 1 \
iptables -A HJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 80 \ --dport 80 \
-m state --state NEW,ESTABLISHED -j RETURN -m state \
iptables -A FJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \ --state ESTABLISHED \
-m state --state NEW,ESTABLISHED -j RETURN -j ACCEPT
iptables -A FP-vnet0 -p udp --destination 2.2.2.2 -m dscp --dscp 2 --dport 90 \ iptables \
-m state --state ESTABLISHED -j ACCEPT -A HJ-vnet0 \
iptables -A HJ-vnet0 -p udp --source 2.2.2.2 -m dscp --dscp 2 --sport 90 \ -p tcp \
-m state --state NEW,ESTABLISHED -j RETURN --source 1.1.1.1 \
iptables -A FJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \ -m dscp \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN --dscp 1 \
iptables -A FP-vnet0 -p sctp --destination 2.2.2.2 -m dscp --dscp 3 \ --sport 80 \
--dport 80 --sport 1100 -m state --state ESTABLISHED -j ACCEPT -m state \
iptables -A HJ-vnet0 -p sctp --source 2.2.2.2 -m dscp --dscp 3 --sport 80 \ --state NEW,ESTABLISHED \
--dport 1100 -m state --state NEW,ESTABLISHED -j RETURN -j RETURN
iptables \
-A FJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
-m dscp \
--dscp 1 \
--sport 90 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p tcp \
--destination 1.1.1.1 \
-m dscp \
--dscp 1 \
--dport 90 \
-m state \
--state ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p tcp \
--source 1.1.1.1 \
-m dscp \
--dscp 1 \
--sport 90 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p udp \
--source 2.2.2.2 \
-m dscp \
--dscp 2 \
--sport 80 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p udp \
--destination 2.2.2.2 \
-m dscp \
--dscp 2 \
--dport 80 \
-m state \
--state ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p udp \
--source 2.2.2.2 \
-m dscp \
--dscp 2 \
--sport 80 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p udp \
--source 2.2.2.2 \
-m dscp \
--dscp 2 \
--sport 90 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p udp \
--destination 2.2.2.2 \
-m dscp \
--dscp 2 \
--dport 90 \
-m state \
--state ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p udp \
--source 2.2.2.2 \
-m dscp \
--dscp 2 \
--sport 90 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p sctp \
--source 2.2.2.2 \
-m dscp \
--dscp 3 \
--sport 80 \
--dport 1100 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p sctp \
--destination 2.2.2.2 \
-m dscp \
--dscp 3 \
--dport 80 \
--sport 1100 \
-m state \
--state ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p sctp \
--source 2.2.2.2 \
-m dscp \
--dscp 3 \
--sport 80 \
--dport 1100 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN


@ -1,8 +1,24 @@
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ ebtables \
-p 0x806 -j ACCEPT -t nat \
ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \ -A libvirt-J-vnet0 \
-p 0x800 -j ACCEPT -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \ -p 0x806 \
-p 0x600 -j ACCEPT -j ACCEPT
ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \ ebtables \
-p 0xffff -j ACCEPT -t nat \
-A libvirt-P-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-P-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x600 \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-P-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0xffff \
-j ACCEPT


@ -1,12 +1,47 @@
ebtables -t nat -N libvirt-J-vnet0 ebtables \
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ -t nat \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8035 --arp-htype 12 --arp-opcode 1 \ -N libvirt-J-vnet0
--arp-ptype 0x22 --arp-mac-src 01:02:03:04:05:06 --arp-mac-dst 0a:0b:0c:0d:0e:0f \ ebtables \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x8035 \
--arp-htype 12 \
--arp-opcode 1 \
--arp-ptype 0x22 \
--arp-mac-src 01:02:03:04:05:06 \
--arp-mac-dst 0a:0b:0c:0d:0e:0f \
-j ACCEPT -j ACCEPT
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ ebtables \
-p 0x8035 --arp-htype 255 --arp-opcode 1 --arp-ptype 0xff -j ACCEPT -t nat \
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ -A libvirt-J-vnet0 \
-p 0x8035 --arp-htype 256 --arp-opcode 11 --arp-ptype 0x100 -j ACCEPT -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ -p 0x8035 \
-p 0x8035 --arp-htype 65535 --arp-opcode 65535 --arp-ptype 0xffff -j ACCEPT --arp-htype 255 \
ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0 --arp-opcode 1 \
--arp-ptype 0xff \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x8035 \
--arp-htype 256 \
--arp-opcode 11 \
--arp-ptype 0x100 \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x8035 \
--arp-htype 65535 \
--arp-opcode 65535 \
--arp-ptype 0xffff \
-j ACCEPT
ebtables \
-t nat \
-A PREROUTING \
-i vnet0 \
-j libvirt-J-vnet0


@ -1,22 +1,101 @@
ip6tables -A FJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \ ip6tables \
--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \ -A FJ-vnet0 \
-p sctp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN -j RETURN
ip6tables -A FP-vnet0 -p sctp --source a:b:c::d:e:f/128 -m dscp --dscp 2 \ ip6tables \
-m state --state ESTABLISHED -j ACCEPT -A FP-vnet0 \
ip6tables -A HJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \ -p sctp \
--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \ --source a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
-m state \
--state ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p sctp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
-A FJ-vnet0 \
-p sctp \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p sctp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 \
-m dscp \
--dscp 33 \
--sport 20:21 \
--dport 100:1111 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p sctp \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FJ-vnet0 \
-p sctp \
--destination ::10.1.2.3/128 \
-m dscp \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p sctp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source ::10.1.2.3/128 \
-m dscp \
--dscp 63 \
--sport 255:256 \
--dport 65535:65535 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p sctp \
--destination ::10.1.2.3/128 \
-m dscp \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
-m state \
--state ESTABLISHED \
-j RETURN -j RETURN
ip6tables -A FJ-vnet0 -p sctp --destination a:b:c::/128 -m dscp --dscp 33 \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
--state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p sctp --destination a:b:c::/128 -m dscp --dscp 33 \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
ip6tables -A FJ-vnet0 -p sctp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \
--source ::10.1.2.3/128 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \
--state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p sctp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN


@ -1,20 +1,101 @@
iptables -A FJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \ iptables \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN -A FJ-vnet0 \
iptables -A FP-vnet0 -p sctp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \ -p sctp \
--state ESTABLISHED -j ACCEPT -m mac \
iptables -A HJ-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \ --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN --destination 10.1.2.3/32 \
iptables -A FJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 33 \ -m dscp \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN --dscp 2 \
iptables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \ -m state \
--source 10.1.2.3/32 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \ --state NEW,ESTABLISHED \
--state NEW,ESTABLISHED -j ACCEPT -j RETURN
iptables -A HJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 33 \ iptables \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN -A FP-vnet0 \
iptables -A FJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 63 \ -p sctp \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN --source 10.1.2.3/32 \
iptables -A FP-vnet0 -p sctp -m mac --mac-source 01:02:03:04:05:06 \ -m dscp \
--source 10.1.2.3/32 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \ --dscp 2 \
--state NEW,ESTABLISHED -j ACCEPT -m state \
iptables -A HJ-vnet0 -p sctp --destination 10.1.2.3/32 -m dscp --dscp 63 \ --state ESTABLISHED \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN -j ACCEPT
iptables \
-A HJ-vnet0 \
-p sctp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p sctp \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p sctp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/32 \
-m dscp \
--dscp 33 \
--sport 20:21 \
--dport 100:1111 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p sctp \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p sctp \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p sctp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/32 \
-m dscp \
--dscp 63 \
--sport 255:256 \
--dport 65535:65535 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p sctp \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
-m state \
--state ESTABLISHED \
-j RETURN


@ -1,18 +1,58 @@
ebtables -t nat -F J-vnet0-stp-xyz ebtables \
ebtables -t nat -X J-vnet0-stp-xyz -t nat \
ebtables -t nat -N J-vnet0-stp-xyz -F J-vnet0-stp-xyz
ebtables -t nat -A libvirt-J-vnet0 -d 01:80:c2:00:00:00 -j J-vnet0-stp-xyz ebtables \
ebtables -t nat -F P-vnet0-stp-xyz -t nat \
ebtables -t nat -X P-vnet0-stp-xyz -X J-vnet0-stp-xyz
ebtables -t nat -N P-vnet0-stp-xyz ebtables \
ebtables -t nat -A libvirt-P-vnet0 -d 01:80:c2:00:00:00 -j P-vnet0-stp-xyz -t nat \
ebtables -t nat -A P-vnet0-stp-xyz -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ -N J-vnet0-stp-xyz
-d 01:80:c2:00:00:00 --stp-type 18 --stp-flags 68 -j CONTINUE ebtables \
ebtables -t nat -A J-vnet0-stp-xyz -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ -t nat \
-d 01:80:c2:00:00:00 --stp-root-pri 4660:9029 \ -A libvirt-J-vnet0 \
-d 01:80:c2:00:00:00 \
-j J-vnet0-stp-xyz
ebtables \
-t nat \
-F P-vnet0-stp-xyz
ebtables \
-t nat \
-X P-vnet0-stp-xyz
ebtables \
-t nat \
-N P-vnet0-stp-xyz
ebtables \
-t nat \
-A libvirt-P-vnet0 \
-d 01:80:c2:00:00:00 \
-j P-vnet0-stp-xyz
ebtables \
-t nat \
-A P-vnet0-stp-xyz \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d 01:80:c2:00:00:00 \
--stp-type 18 \
--stp-flags 68 \
-j CONTINUE
ebtables \
-t nat \
-A J-vnet0-stp-xyz \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d 01:80:c2:00:00:00 \
--stp-root-pri 4660:9029 \
--stp-root-addr 06:05:04:03:02:01/ff:ff:ff:ff:ff:ff \ --stp-root-addr 06:05:04:03:02:01/ff:ff:ff:ff:ff:ff \
--stp-root-cost 287454020:573785173 -j RETURN --stp-root-cost 287454020:573785173 \
ebtables -t nat -A P-vnet0-stp-xyz -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ -j RETURN
-d 01:80:c2:00:00:00 --stp-sender-prio 4660 --stp-sender-addr 06:05:04:03:02:01 \ ebtables \
--stp-port 123:234 --stp-msg-age 5544:5555 --stp-max-age 7777:8888 \ -t nat \
--stp-hello-time 12345:12346 --stp-forward-delay 54321:65432 -j DROP -A P-vnet0-stp-xyz \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d 01:80:c2:00:00:00 \
--stp-sender-prio 4660 \
--stp-sender-addr 06:05:04:03:02:01 \
--stp-port 123:234 \
--stp-msg-age 5544:5555 \
--stp-max-age 7777:8888 \
--stp-hello-time 12345:12346 \
--stp-forward-delay 54321:65432 \
-j DROP


@ -1,75 +1,309 @@
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ ebtables \
-p 0x806 -j ACCEPT -t nat \
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ -A libvirt-J-vnet0 \
-p 0x806 -j DROP -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ -p 0x806 \
-p 0x806 -j DROP
ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 -j ACCEPT
ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 -j DROP
ebtables -t nat -A libvirt-P-vnet0 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 -j DROP
iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -m comment \
--comment 'accept rule -- dir out' -j RETURN
iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 -m state \
--state ESTABLISHED -m comment --comment 'accept rule -- dir out' -j ACCEPT
iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -m comment \
--comment 'accept rule -- dir out' -j RETURN
iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
--comment 'drop rule -- dir out' -j DROP
iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 -m comment \
--comment 'drop rule -- dir out' -j DROP
iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
--comment 'drop rule -- dir out' -j DROP
iptables -A FJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
--comment 'reject rule -- dir out' -j REJECT
iptables -A FP-vnet0 -p all --source 10.1.2.3/32 -m dscp --dscp 2 \
-m comment --comment 'reject rule -- dir out' -j REJECT
iptables -A HJ-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m comment \
--comment 'reject rule -- dir out' -j REJECT
iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -m comment --comment 'accept rule -- dir in' -j RETURN
iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -m comment \
--comment 'accept rule -- dir in' -j ACCEPT
iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m state --state ESTABLISHED -m comment --comment 'accept rule -- dir in' -j RETURN
iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m comment --comment 'drop rule -- dir in' -j DROP
iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m comment --comment 'drop rule -- dir in' \
-j DROP
iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m comment --comment 'drop rule -- dir in' -j DROP
iptables -A FJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m comment --comment 'reject rule -- dir in' -j REJECT
iptables -A FP-vnet0 -p all -m mac --mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m comment --comment 'reject rule -- dir in' \
-j REJECT
iptables -A HJ-vnet0 -p all --destination 10.1.2.3/22 -m dscp --dscp 33 \
-m comment --comment 'reject rule -- dir in' -j REJECT
iptables -A FJ-vnet0 -p all -m comment --comment 'accept rule -- dir inout' \
-j RETURN
iptables -A FP-vnet0 -p all -m comment --comment 'accept rule -- dir inout' \
-j ACCEPT -j ACCEPT
iptables -A HJ-vnet0 -p all -m comment --comment 'accept rule -- dir inout' \ ebtables \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 \
-j DROP
ebtables \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 \
-j DROP
ebtables \
-t nat \
-A libvirt-P-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 \
-j ACCEPT
ebtables \
-t nat \
-A libvirt-P-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 \
-j DROP
ebtables \
-t nat \
-A libvirt-P-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 \
-j DROP
iptables \
-A FJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-m comment \
--comment 'accept rule \
-- dir out' \
-j RETURN -j RETURN
iptables -A FJ-vnet0 -p all -m comment --comment 'drop rule -- dir inout' \ iptables \
-A FP-vnet0 \
-p all \
--source 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m state \
--state ESTABLISHED \
-m comment \
--comment 'accept rule \
-- dir out' \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-m comment \
--comment 'accept rule \
-- dir out' \
-j RETURN
iptables \
-A FJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m comment \
--comment 'drop rule \
-- dir out' \
-j DROP -j DROP
iptables -A FP-vnet0 -p all -m comment --comment 'drop rule -- dir inout' \ iptables \
-A FP-vnet0 \
-p all \
--source 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m comment \
--comment 'drop rule \
-- dir out' \
-j DROP -j DROP
iptables -A HJ-vnet0 -p all -m comment --comment 'drop rule -- dir inout' \ iptables \
-A HJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m comment \
--comment 'drop rule \
-- dir out' \
-j DROP -j DROP
iptables -A FJ-vnet0 -p all -m comment --comment 'reject rule -- dir inout' \ iptables \
-A FJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m comment \
--comment 'reject rule \
-- dir out' \
-j REJECT -j REJECT
iptables -A FP-vnet0 -p all -m comment --comment 'reject rule -- dir inout' \ iptables \
-A FP-vnet0 \
-p all \
--source 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m comment \
--comment 'reject rule \
-- dir out' \
-j REJECT -j REJECT
iptables -A HJ-vnet0 -p all -m comment --comment 'reject rule -- dir inout' \ iptables \
-A HJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m comment \
--comment 'reject rule \
-- dir out' \
-j REJECT
iptables \
-A FJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-m comment \
--comment 'accept rule \
-- dir in' \
-j RETURN
iptables \
-A FP-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-m comment \
--comment 'accept rule \
-- dir in' \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-m comment \
--comment 'accept rule \
-- dir in' \
-j RETURN
iptables \
-A FJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m comment \
--comment 'drop rule \
-- dir in' \
-j DROP
iptables \
-A FP-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m comment \
--comment 'drop rule \
-- dir in' \
-j DROP
iptables \
-A HJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m comment \
--comment 'drop rule \
-- dir in' \
-j DROP
iptables \
-A FJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m comment \
--comment 'reject rule \
-- dir in' \
-j REJECT
iptables \
-A FP-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m comment \
--comment 'reject rule \
-- dir in' \
-j REJECT
iptables \
-A HJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m comment \
--comment 'reject rule \
-- dir in' \
-j REJECT
iptables \
-A FJ-vnet0 \
-p all \
-m comment \
--comment 'accept rule \
-- dir inout' \
-j RETURN
iptables \
-A FP-vnet0 \
-p all \
-m comment \
--comment 'accept rule \
-- dir inout' \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p all \
-m comment \
--comment 'accept rule \
-- dir inout' \
-j RETURN
iptables \
-A FJ-vnet0 \
-p all \
-m comment \
--comment 'drop rule \
-- dir inout' \
-j DROP
iptables \
-A FP-vnet0 \
-p all \
-m comment \
--comment 'drop rule \
-- dir inout' \
-j DROP
iptables \
-A HJ-vnet0 \
-p all \
-m comment \
--comment 'drop rule \
-- dir inout' \
-j DROP
iptables \
-A FJ-vnet0 \
-p all \
-m comment \
--comment 'reject rule \
-- dir inout' \
-j REJECT
iptables \
-A FP-vnet0 \
-p all \
-m comment \
--comment 'reject rule \
-- dir inout' \
-j REJECT
iptables \
-A HJ-vnet0 \
-p all \
-m comment \
--comment 'reject rule \
-- dir inout' \
-j REJECT -j REJECT
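Review bot: The re-wrapped `--comment` values in this file are split inside the single-quoted string, e.g. `--comment 'accept rule \` followed by `-- dir out' \`, so the wrapper appears to treat the ` --` inside the quotes as the start of a new parameter. Every other argument in this file breaks only between parameters, and the comment text is short enough not to need a break. The expected firewall rule stays equivalent to the old one-line form only if the test loader drops each backslash-newline pair without adding or removing whitespace; that loader and tests/test-wrap-argv.pl are not visible here, so this is worth confirming. I would have the wrap script keep a quoted value as one token, so the line reads `--comment 'accept rule -- dir out' \`.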


@ -1,13 +1,60 @@
iptables -A FP-vnet0 -p tcp --dport 22 -j ACCEPT iptables \
iptables -A FJ-vnet0 -p tcp --sport 22 -j RETURN -A FP-vnet0 \
iptables -A HJ-vnet0 -p tcp --sport 22 -j RETURN -p tcp \
iptables -A FJ-vnet0 -p tcp --sport 80 -m state --state ESTABLISHED -j RETURN --dport 22 \
iptables -A FP-vnet0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED \
-j ACCEPT -j ACCEPT
iptables -A HJ-vnet0 -p tcp --sport 80 -m state --state ESTABLISHED -j RETURN iptables \
iptables -A FJ-vnet0 -p tcp -j REJECT -A FJ-vnet0 \
iptables -A FP-vnet0 -p tcp -j REJECT -p tcp \
iptables -A HJ-vnet0 -p tcp -j REJECT --sport 22 \
iptables -A FJ-vnet0 -p all -j DROP -j RETURN
iptables -A FP-vnet0 -p all -j DROP iptables \
iptables -A HJ-vnet0 -p all -j DROP -A HJ-vnet0 \
-p tcp \
--sport 22 \
-j RETURN
iptables \
-A FJ-vnet0 \
-p tcp \
--sport 80 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p tcp \
--dport 80 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p tcp \
--sport 80 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p tcp \
-j REJECT
iptables \
-A FP-vnet0 \
-p tcp \
-j REJECT
iptables \
-A HJ-vnet0 \
-p tcp \
-j REJECT
iptables \
-A FJ-vnet0 \
-p all \
-j DROP
iptables \
-A FP-vnet0 \
-p all \
-j DROP
iptables \
-A HJ-vnet0 \
-p all \
-j DROP


@ -1,22 +1,101 @@
ip6tables -A FJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \ ip6tables \
--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \ -A FJ-vnet0 \
-p tcp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN -j RETURN
ip6tables -A FP-vnet0 -p tcp --source a:b:c::d:e:f/128 -m dscp --dscp 2 \ ip6tables \
-m state --state ESTABLISHED -j ACCEPT -A FP-vnet0 \
ip6tables -A HJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \ -p tcp \
--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \ --source a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
-m state \
--state ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p tcp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
-A FJ-vnet0 \
-p tcp \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p tcp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 \
-m dscp \
--dscp 33 \
--sport 20:21 \
--dport 100:1111 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p tcp \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FJ-vnet0 \
-p tcp \
--destination ::10.1.2.3/128 \
-m dscp \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p tcp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source ::10.1.2.3/128 \
-m dscp \
--dscp 63 \
--sport 255:256 \
--dport 65535:65535 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p tcp \
--destination ::10.1.2.3/128 \
-m dscp \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
-m state \
--state ESTABLISHED \
-j RETURN -j RETURN
ip6tables -A FJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 33 \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
--state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p tcp --destination a:b:c::/128 -m dscp --dscp 33 \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
ip6tables -A FJ-vnet0 -p tcp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \
--source ::10.1.2.3/128 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \
--state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p tcp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN


@ -1,22 +1,109 @@
iptables -A FJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \ iptables \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN -A FJ-vnet0 \
iptables -A FP-vnet0 -p tcp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \ -p tcp \
--state ESTABLISHED -j ACCEPT -m mac \
iptables -A HJ-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \ --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN --destination 10.1.2.3/32 \
iptables -A FJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 33 \ -m dscp \
--dport 20:21 --sport 100:1111 -j RETURN --dscp 2 \
iptables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \ -m state \
--source 10.1.2.3/32 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -j ACCEPT --state NEW,ESTABLISHED \
iptables -A HJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 33 \ -j RETURN
--dport 20:21 --sport 100:1111 -j RETURN iptables \
iptables -A FJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 63 \ -A FP-vnet0 \
--dport 255:256 --sport 65535:65535 -j RETURN -p tcp \
iptables -A FP-vnet0 -p tcp -m mac --mac-source 01:02:03:04:05:06 \ --source 10.1.2.3/32 \
--source 10.1.2.3/32 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -j ACCEPT -m dscp \
iptables -A HJ-vnet0 -p tcp --destination 10.1.2.3/32 -m dscp --dscp 63 \ --dscp 2 \
--dport 255:256 --sport 65535:65535 -j RETURN -m state \
iptables -A FP-vnet0 -p tcp --tcp-flags SYN ALL -j ACCEPT --state ESTABLISHED \
iptables -A FP-vnet0 -p tcp --tcp-flags SYN SYN,ACK -j ACCEPT -j ACCEPT
iptables -A FP-vnet0 -p tcp --tcp-flags RST NONE -j ACCEPT iptables \
iptables -A FP-vnet0 -p tcp --tcp-flags PSH NONE -j ACCEPT -A HJ-vnet0 \
-p tcp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p tcp \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
-j RETURN
iptables \
-A FP-vnet0 \
-p tcp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/32 \
-m dscp \
--dscp 33 \
--sport 20:21 \
--dport 100:1111 \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p tcp \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
-j RETURN
iptables \
-A FJ-vnet0 \
-p tcp \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
-j RETURN
iptables \
-A FP-vnet0 \
-p tcp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/32 \
-m dscp \
--dscp 63 \
--sport 255:256 \
--dport 65535:65535 \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p tcp \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
-j RETURN
iptables \
-A FP-vnet0 \
-p tcp \
--tcp-flags SYN ALL \
-j ACCEPT
iptables \
-A FP-vnet0 \
-p tcp \
--tcp-flags SYN SYN,ACK \
-j ACCEPT
iptables \
-A FP-vnet0 \
-p tcp \
--tcp-flags RST NONE \
-j ACCEPT
iptables \
-A FP-vnet0 \
-p tcp \
--tcp-flags PSH NONE \
-j ACCEPT


@ -1,22 +1,101 @@
ip6tables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \ ip6tables \
--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \ -A FJ-vnet0 \
-p udp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN -j RETURN
ip6tables -A FP-vnet0 -p udp --source a:b:c::d:e:f/128 -m dscp --dscp 2 \ ip6tables \
-m state --state ESTABLISHED -j ACCEPT -A FP-vnet0 \
ip6tables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \ -p udp \
--destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED \ --source a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
-m state \
--state ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p udp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
-A FJ-vnet0 \
-p udp \
--destination ::a:b:c/128 \
-m dscp \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p udp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source ::a:b:c/128 \
-m dscp \
--dscp 33 \
--sport 20:21 \
--dport 100:1111 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p udp \
--destination ::a:b:c/128 \
-m dscp \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FJ-vnet0 \
-p udp \
--destination ::10.1.2.3/128 \
-m dscp \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p udp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source ::10.1.2.3/128 \
-m dscp \
--dscp 63 \
--sport 255:256 \
--dport 65535:65535 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p udp \
--destination ::10.1.2.3/128 \
-m dscp \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
-m state \
--state ESTABLISHED \
-j RETURN -j RETURN
ip6tables -A FJ-vnet0 -p udp --destination ::a:b:c/128 -m dscp --dscp 33 \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
--source ::a:b:c/128 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \
--state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p udp --destination ::a:b:c/128 -m dscp --dscp 33 \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN
ip6tables -A FJ-vnet0 -p udp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN
ip6tables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \
--source ::10.1.2.3/128 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 \
-m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A HJ-vnet0 -p udp --destination ::10.1.2.3/128 -m dscp --dscp 63 \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN


@ -1,20 +1,101 @@
iptables -A FJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \ iptables \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN -A FJ-vnet0 \
iptables -A FP-vnet0 -p udp --source 10.1.2.3/32 -m dscp --dscp 2 -m state \ -p udp \
--state ESTABLISHED -j ACCEPT -m mac \
iptables -A HJ-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \ --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN --destination 10.1.2.3/32 \
iptables -A FJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 33 \ -m dscp \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN --dscp 2 \
iptables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \ -m state \
--source 10.1.2.3/32 -m dscp --dscp 33 --sport 20:21 --dport 100:1111 -m state \ --state NEW,ESTABLISHED \
--state NEW,ESTABLISHED -j ACCEPT -j RETURN
iptables -A HJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 33 \ iptables \
--dport 20:21 --sport 100:1111 -m state --state ESTABLISHED -j RETURN -A FP-vnet0 \
iptables -A FJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 63 \ -p udp \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN --source 10.1.2.3/32 \
iptables -A FP-vnet0 -p udp -m mac --mac-source 01:02:03:04:05:06 \ -m dscp \
--source 10.1.2.3/32 -m dscp --dscp 63 --sport 255:256 --dport 65535:65535 -m state \ --dscp 2 \
--state NEW,ESTABLISHED -j ACCEPT -m state \
iptables -A HJ-vnet0 -p udp --destination 10.1.2.3/32 -m dscp --dscp 63 \ --state ESTABLISHED \
--dport 255:256 --sport 65535:65535 -m state --state ESTABLISHED -j RETURN -j ACCEPT
iptables \
-A HJ-vnet0 \
-p udp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p udp \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p udp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/32 \
-m dscp \
--dscp 33 \
--sport 20:21 \
--dport 100:1111 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p udp \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 33 \
--dport 20:21 \
--sport 100:1111 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p udp \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p udp \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/32 \
-m dscp \
--dscp 63 \
--sport 255:256 \
--dport 65535:65535 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p udp \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 63 \
--dport 255:256 \
--sport 65535:65535 \
-m state \
--state ESTABLISHED \
-j RETURN


@ -1,20 +1,92 @@
ip6tables -A FJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \ ip6tables \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \ -A FJ-vnet0 \
--state NEW,ESTABLISHED -j RETURN -p udplite \
ip6tables -A FP-vnet0 -p udplite --destination f:e:d::c:b:a/127 \ -m mac \
--source a:b:c::d:e:f/128 -m dscp --dscp 2 -m state --state ESTABLISHED -j ACCEPT --mac-source 01:02:03:04:05:06 \
ip6tables -A HJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \ --source f:e:d::c:b:a/127 \
--source f:e:d::c:b:a/127 --destination a:b:c::d:e:f/128 -m dscp --dscp 2 -m state \ --destination a:b:c::d:e:f/128 \
--state NEW,ESTABLISHED -j RETURN -m dscp \
ip6tables -A FJ-vnet0 -p udplite --destination a:b:c::/128 -m dscp \ --dscp 2 \
--dscp 33 -m state --state ESTABLISHED -j RETURN -m state \
ip6tables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \ --state NEW,ESTABLISHED \
--source a:b:c::/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT -j RETURN
ip6tables -A HJ-vnet0 -p udplite --destination a:b:c::/128 -m dscp \ ip6tables \
--dscp 33 -m state --state ESTABLISHED -j RETURN -A FP-vnet0 \
ip6tables -A FJ-vnet0 -p udplite --destination ::10.1.2.3/128 -m dscp \ -p udplite \
--dscp 33 -m state --state ESTABLISHED -j RETURN --destination f:e:d::c:b:a/127 \
ip6tables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \ --source a:b:c::d:e:f/128 \
--source ::10.1.2.3/128 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT -m dscp \
ip6tables -A HJ-vnet0 -p udplite --destination ::10.1.2.3/128 -m dscp \ --dscp 2 \
--dscp 33 -m state --state ESTABLISHED -j RETURN -m state \
--state ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p udplite \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source f:e:d::c:b:a/127 \
--destination a:b:c::d:e:f/128 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
ip6tables \
-A FJ-vnet0 \
-p udplite \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p udplite \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source a:b:c::/128 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p udplite \
--destination a:b:c::/128 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FJ-vnet0 \
-p udplite \
--destination ::10.1.2.3/128 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
ip6tables \
-A FP-vnet0 \
-p udplite \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source ::10.1.2.3/128 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
ip6tables \
-A HJ-vnet0 \
-p udplite \
--destination ::10.1.2.3/128 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN


@ -1,18 +1,89 @@
iptables -A FJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \ iptables \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN -A FJ-vnet0 \
iptables -A FP-vnet0 -p udplite --source 10.1.2.3/32 -m dscp --dscp 2 \ -p udplite \
-m state --state ESTABLISHED -j ACCEPT -m mac \
iptables -A HJ-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \ --mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 -m dscp --dscp 2 -m state --state NEW,ESTABLISHED -j RETURN --destination 10.1.2.3/32 \
iptables -A FJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \ -m dscp \
--dscp 33 -m state --state ESTABLISHED -j RETURN --dscp 2 \
iptables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \ -m state \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT --state NEW,ESTABLISHED \
iptables -A HJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \ -j RETURN
--dscp 33 -m state --state ESTABLISHED -j RETURN iptables \
iptables -A FJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \ -A FP-vnet0 \
--dscp 33 -m state --state ESTABLISHED -j RETURN -p udplite \
iptables -A FP-vnet0 -p udplite -m mac --mac-source 01:02:03:04:05:06 \ --source 10.1.2.3/32 \
--source 10.1.2.3/22 -m dscp --dscp 33 -m state --state NEW,ESTABLISHED -j ACCEPT -m dscp \
iptables -A HJ-vnet0 -p udplite --destination 10.1.2.3/22 -m dscp \ --dscp 2 \
--dscp 33 -m state --state ESTABLISHED -j RETURN -m state \
--state ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p udplite \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p udplite \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p udplite \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p udplite \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FJ-vnet0 \
-p udplite \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN
iptables \
-A FP-vnet0 \
-p udplite \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-j ACCEPT
iptables \
-A HJ-vnet0 \
-p udplite \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-j RETURN


@ -1,14 +1,56 @@
ebtables -t nat -A libvirt-J-vnet0 -d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ ebtables \
-s aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 291 -j CONTINUE -t nat \
ebtables -t nat -A libvirt-P-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ -A libvirt-J-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 291 -j CONTINUE -d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
ebtables -t nat -A libvirt-J-vnet0 -d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ -s aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-s aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 1234 -j RETURN -p 0x8100 \
ebtables -t nat -A libvirt-P-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ --vlan-id 291 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 1234 -j RETURN -j CONTINUE
ebtables -t nat -A libvirt-P-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ ebtables \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-id 291 -j DROP -t nat \
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ -A libvirt-P-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-encap 2054 -j DROP -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
ebtables -t nat -A libvirt-J-vnet0 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \ -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff -p 0x8100 --vlan-encap 4660 -j ACCEPT -p 0x8100 \
--vlan-id 291 \
-j CONTINUE
ebtables \
-t nat \
-A libvirt-J-vnet0 \
-d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-s aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x8100 \
--vlan-id 1234 \
-j RETURN
ebtables \
-t nat \
-A libvirt-P-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x8100 \
--vlan-id 1234 \
-j RETURN
ebtables \
-t nat \
-A libvirt-P-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x8100 \
--vlan-id 291 \
-j DROP
ebtables \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x8100 \
--vlan-encap 2054 \
-j DROP
ebtables \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x8100 \
--vlan-encap 4660 \
-j ACCEPT


@ -1,14 +1,31 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
/usr/bin/qemu-system-aarch64 -S -M virt -cpu cortex-a53 \ PATH=/bin \
-m 1024 -smp 1 -nographic \ HOME=/home/test \
-nodefconfig -nodefaults -monitor unix:/tmp/test-monitor,server,nowait \ USER=test \
-boot c -kernel /aarch64.kernel -initrd /aarch64.initrd -append \ LOGNAME=test \
'earlyprintk console=ttyAMA0,115200n8 rw root=/dev/vda rootwait' \ QEMU_AUDIO_DRV=none \
-dtb /aarch64.dtb -device virtio-serial-device,id=virtio-serial0 -usb \ /usr/bin/qemu-system-aarch64 \
-S \
-M virt \
-cpu cortex-a53 \
-m 1024 \
-smp 1 \
-nographic \
-nodefconfig \
-nodefaults \
-monitor unix:/tmp/test-monitor,server,nowait \
-boot c \
-kernel /aarch64.kernel \
-initrd /aarch64.initrd \
-append 'earlyprintk console=ttyAMA0,115200n8 rw root=/dev/vda rootwait' \
-dtb /aarch64.dtb \
-device virtio-serial-device,id=virtio-serial0 \
-usb \
-drive file=/aarch64.raw,if=none,id=drive-virtio-disk0 \ -drive file=/aarch64.raw,if=none,id=drive-virtio-disk0 \
-device virtio-blk-device,drive=drive-virtio-disk0,id=virtio-disk0 \ -device virtio-blk-device,drive=drive-virtio-disk0,id=virtio-disk0 \
-device virtio-net-device,vlan=0,id=net0,mac=52:54:00:09:a4:37 \ -device virtio-net-device,vlan=0,id=net0,mac=52:54:00:09:a4:37 \
-net user,vlan=0,name=hostnet0 -chardev pty,id=charconsole0 \ -net user,vlan=0,name=hostnet0 \
-chardev pty,id=charconsole0 \
-device virtconsole,chardev=charconsole0,id=console0 \ -device virtconsole,chardev=charconsole0,id=console0 \
-device virtio-balloon-device,id=balloon0 \ -device virtio-balloon-device,id=balloon0 \
-object rng-random,id=objrng0,filename=/dev/random \ -object rng-random,id=objrng0,filename=/dev/random \


@ -1,5 +1,20 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
/usr/bin/qemu-system-aarch64 -S -M virt -cpu host -m 1024 -smp 1 -nographic \ PATH=/bin \
-nodefconfig -nodefaults -monitor unix:/tmp/test-monitor,server,nowait \ HOME=/home/test \
-boot c -usb -drive file=/aarch64.raw,if=none,id=drive-virtio-disk0 \ USER=test \
LOGNAME=test \
QEMU_AUDIO_DRV=none \
/usr/bin/qemu-system-aarch64 \
-S \
-M virt \
-cpu host \
-m 1024 \
-smp 1 \
-nographic \
-nodefconfig \
-nodefaults \
-monitor unix:/tmp/test-monitor,server,nowait \
-boot c \
-usb \
-drive file=/aarch64.raw,if=none,id=drive-virtio-disk0 \
-device virtio-blk-device,drive=drive-virtio-disk0,id=virtio-disk0 -device virtio-blk-device,drive=drive-virtio-disk0,id=virtio-disk0


@ -1,6 +1,23 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
/usr/bin/qemu-system-aarch64 -S -M virt -no-kvm -cpu cortex-a53 -m 1024 -smp 1 \ PATH=/bin \
-nographic -nodefaults -monitor unix:/tmp/test-monitor,server,nowait -boot c \ HOME=/home/test \
-kernel /aarch64.kernel -initrd /aarch64.initrd -append console=ttyAMA0 -usb \ USER=test \
LOGNAME=test \
QEMU_AUDIO_DRV=none \
/usr/bin/qemu-system-aarch64 \
-S \
-M virt \
-no-kvm \
-cpu cortex-a53 \
-m 1024 \
-smp 1 \
-nographic \
-nodefaults \
-monitor unix:/tmp/test-monitor,server,nowait \
-boot c \
-kernel /aarch64.kernel \
-initrd /aarch64.initrd \
-append console=ttyAMA0 \
-usb \
-net nic,macaddr=52:54:00:09:a4:37,vlan=0,model=virtio,name=net0 \ -net nic,macaddr=52:54:00:09:a4:37,vlan=0,model=virtio,name=net0 \
-net user,vlan=0,name=hostnet0 -net user,vlan=0,name=hostnet0


@ -1,7 +1,22 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
/usr/bin/qemu-system-aarch64 -S -machine virt,accel=tcg,gic-version=3 \ PATH=/bin \
-cpu cortex-a53 -m 1024 -smp 1 \ HOME=/home/test \
-nographic -nodefaults -monitor unix:/tmp/test-monitor,server,nowait -boot c \ USER=test \
-kernel /aarch64.kernel -initrd /aarch64.initrd -append console=ttyAMA0 -usb \ LOGNAME=test \
QEMU_AUDIO_DRV=none \
/usr/bin/qemu-system-aarch64 \
-S \
-machine virt,accel=tcg,gic-version=3 \
-cpu cortex-a53 \
-m 1024 \
-smp 1 \
-nographic \
-nodefaults \
-monitor unix:/tmp/test-monitor,server,nowait \
-boot c \
-kernel /aarch64.kernel \
-initrd /aarch64.initrd \
-append console=ttyAMA0 \
-usb \
-net nic,macaddr=52:54:00:09:a4:37,vlan=0,model=virtio,name=net0 \ -net nic,macaddr=52:54:00:09:a4:37,vlan=0,model=virtio,name=net0 \
-net user,vlan=0,name=hostnet0 -net user,vlan=0,name=hostnet0


@ -1,10 +1,26 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
/usr/bin/qemu-system-aarch64 -S -M virt -cpu host,aarch64=off -m 1024 -smp 1 \ PATH=/bin \
-nographic -nodefconfig -nodefaults \ HOME=/home/test \
USER=test \
LOGNAME=test \
QEMU_AUDIO_DRV=none \
/usr/bin/qemu-system-aarch64 \
-S \
-M virt \
-cpu host,aarch64=off \
-m 1024 \
-smp 1 \
-nographic \
-nodefconfig \
-nodefaults \
-monitor unix:/tmp/test-monitor,server,nowait \ -monitor unix:/tmp/test-monitor,server,nowait \
-boot c -kernel /arm.kernel -initrd /arm.initrd \ -boot c \
-kernel /arm.kernel \
-initrd /arm.initrd \
-append 'console=ttyAMA0,115200n8 rw root=/dev/vda rootwait physmap.enabled=0' \ -append 'console=ttyAMA0,115200n8 rw root=/dev/vda rootwait physmap.enabled=0' \
-usb -drive file=/arm.raw,if=none,id=drive-virtio-disk0 \ -usb \
-drive file=/arm.raw,if=none,id=drive-virtio-disk0 \
-device virtio-blk-device,drive=drive-virtio-disk0,id=virtio-disk0 \ -device virtio-blk-device,drive=drive-virtio-disk0,id=virtio-disk0 \
-device virtio-net-device,vlan=0,id=net0,mac=52:54:00:09:a4:37 \ -device virtio-net-device,vlan=0,id=net0,mac=52:54:00:09:a4:37 \
-net user,vlan=0,name=hostnet0 -serial pty -net user,vlan=0,name=hostnet0 \
-serial pty


@ -1,16 +1,34 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
/usr/bin/qemu-system-aarch64 -S -M virt -cpu cortex-a53 -m 1024 -smp 1 \ PATH=/bin \
-nographic -nodefconfig -nodefaults \ HOME=/home/test \
-monitor unix:/tmp/test-monitor,server,nowait -boot c \ USER=test \
-kernel /aarch64.kernel -initrd /aarch64.initrd \ LOGNAME=test \
QEMU_AUDIO_DRV=none \
/usr/bin/qemu-system-aarch64 \
-S \
-M virt \
-cpu cortex-a53 \
-m 1024 \
-smp 1 \
-nographic \
-nodefconfig \
-nodefaults \
-monitor unix:/tmp/test-monitor,server,nowait \
-boot c \
-kernel /aarch64.kernel \
-initrd /aarch64.initrd \
-append 'earlyprintk console=ttyAMA0,115200n8 rw root=/dev/vda rootwait' \ -append 'earlyprintk console=ttyAMA0,115200n8 rw root=/dev/vda rootwait' \
-dtb /aarch64.dtb -device i82801b11-bridge,id=pci.1,bus=pcie.0,addr=0x1 \ -dtb /aarch64.dtb \
-device i82801b11-bridge,id=pci.1,bus=pcie.0,addr=0x1 \
-device pci-bridge,chassis_nr=2,id=pci.2,bus=pci.1,addr=0x1 \ -device pci-bridge,chassis_nr=2,id=pci.2,bus=pci.1,addr=0x1 \
-device virtio-serial-device,id=virtio-serial0 -usb \ -device virtio-serial-device,id=virtio-serial0 \
-usb \
-drive file=/aarch64.raw,if=none,id=drive-virtio-disk0 \ -drive file=/aarch64.raw,if=none,id=drive-virtio-disk0 \
-device virtio-blk-device,drive=drive-virtio-disk0,id=virtio-disk0 \ -device virtio-blk-device,drive=drive-virtio-disk0,id=virtio-disk0 \
-device virtio-net-device,vlan=0,id=net0,mac=52:54:00:09:a4:37 \ -device virtio-net-device,vlan=0,id=net0,mac=52:54:00:09:a4:37 \
-net user,vlan=0,name=hostnet0 -serial pty -chardev pty,id=charconsole1 \ -net user,vlan=0,name=hostnet0 \
-serial pty \
-chardev pty,id=charconsole1 \
-device virtconsole,chardev=charconsole1,id=console1 \ -device virtconsole,chardev=charconsole1,id=console1 \
-device virtio-balloon-device,id=balloon0 \ -device virtio-balloon-device,id=balloon0 \
-object rng-random,id=objrng0,filename=/dev/random \ -object rng-random,id=objrng0,filename=/dev/random \


@ -1,7 +1,23 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
/usr/bin/qemu-system-aarch64 -S -M virt -cpu cortex-a53 \ PATH=/bin \
-m 1024 -smp 1 -nographic \ HOME=/home/test \
-nodefconfig -nodefaults -monitor unix:/tmp/test-monitor,server,nowait \ USER=test \
-boot c -kernel /aarch64.kernel -initrd /aarch64.initrd -append console=ttyAMA0 \ LOGNAME=test \
-usb -device virtio-net-device,vlan=0,id=net0,mac=52:54:00:09:a4:37 \ QEMU_AUDIO_DRV=none \
/usr/bin/qemu-system-aarch64 \
-S \
-M virt \
-cpu cortex-a53 \
-m 1024 \
-smp 1 \
-nographic \
-nodefconfig \
-nodefaults \
-monitor unix:/tmp/test-monitor,server,nowait \
-boot c \
-kernel /aarch64.kernel \
-initrd /aarch64.initrd \
-append console=ttyAMA0 \
-usb \
-device virtio-net-device,vlan=0,id=net0,mac=52:54:00:09:a4:37 \
-net user,vlan=0,name=hostnet0 -net user,vlan=0,name=hostnet0


@ -1,14 +1,32 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
/usr/bin/qemu-system-aarch64 -S -M virt -cpu cortex-a53 \ PATH=/bin \
-m 1024 -smp 1 -nographic \ HOME=/home/test \
-nodefconfig -nodefaults -monitor unix:/tmp/test-monitor,server,nowait \ USER=test \
-boot c -kernel /aarch64.kernel -initrd /aarch64.initrd -append \ LOGNAME=test \
'earlyprintk console=ttyAMA0,115200n8 rw root=/dev/vda rootwait' \ QEMU_AUDIO_DRV=none \
-dtb /aarch64.dtb -device virtio-serial-device,id=virtio-serial0 -usb \ /usr/bin/qemu-system-aarch64 \
-S \
-M virt \
-cpu cortex-a53 \
-m 1024 \
-smp 1 \
-nographic \
-nodefconfig \
-nodefaults \
-monitor unix:/tmp/test-monitor,server,nowait \
-boot c \
-kernel /aarch64.kernel \
-initrd /aarch64.initrd \
-append 'earlyprintk console=ttyAMA0,115200n8 rw root=/dev/vda rootwait' \
-dtb /aarch64.dtb \
-device virtio-serial-device,id=virtio-serial0 \
-usb \
-drive file=/aarch64.raw,if=none,id=drive-virtio-disk0 \ -drive file=/aarch64.raw,if=none,id=drive-virtio-disk0 \
-device virtio-blk-device,drive=drive-virtio-disk0,id=virtio-disk0 \ -device virtio-blk-device,drive=drive-virtio-disk0,id=virtio-disk0 \
-device virtio-net-device,vlan=0,id=net0,mac=52:54:00:09:a4:37 \ -device virtio-net-device,vlan=0,id=net0,mac=52:54:00:09:a4:37 \
-net user,vlan=0,name=hostnet0 -serial pty -chardev pty,id=charconsole1 \ -net user,vlan=0,name=hostnet0 \
-serial pty \
-chardev pty,id=charconsole1 \
-device virtconsole,chardev=charconsole1,id=console1 \ -device virtconsole,chardev=charconsole1,id=console1 \
-device virtio-balloon-device,id=balloon0 \ -device virtio-balloon-device,id=balloon0 \
-object rng-random,id=objrng0,filename=/dev/random \ -object rng-random,id=objrng0,filename=/dev/random \


@ -1,15 +1,30 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
/usr/bin/qemu-system-aarch64 -S -M virt -cpu cortex-a53 -m 1024 -smp 1 \ PATH=/bin \
-nographic -nodefconfig -nodefaults \ HOME=/home/test \
-monitor unix:/tmp/test-monitor,server,nowait -boot c \ USER=test \
-kernel /aarch64.kernel -initrd /aarch64.initrd \ LOGNAME=test \
QEMU_AUDIO_DRV=none \
/usr/bin/qemu-system-aarch64 \
-S \
-M virt \
-cpu cortex-a53 \
-m 1024 \
-smp 1 \
-nographic \
-nodefconfig \
-nodefaults \
-monitor unix:/tmp/test-monitor,server,nowait \
-boot c \
-kernel /aarch64.kernel \
-initrd /aarch64.initrd \
-append 'earlyprintk console=ttyAMA0,115200n8 rw root=/dev/vda rootwait' \ -append 'earlyprintk console=ttyAMA0,115200n8 rw root=/dev/vda rootwait' \
-dtb /aarch64.dtb -device i82801b11-bridge,id=pci.1,bus=pcie.0,addr=0x1 \ -dtb /aarch64.dtb \
-device i82801b11-bridge,id=pci.1,bus=pcie.0,addr=0x1 \
-device pci-bridge,chassis_nr=2,id=pci.2,bus=pci.1,addr=0x1 \ -device pci-bridge,chassis_nr=2,id=pci.2,bus=pci.1,addr=0x1 \
-device virtio-scsi-pci,id=scsi0,bus=pcie.0,addr=0x3 \ -device virtio-scsi-pci,id=scsi0,bus=pcie.0,addr=0x3 \
-usb -drive file=/aarch64.raw,if=none,id=drive-scsi0-0-0-0 \ -usb \
-device scsi-disk,bus=scsi0.0,channel=0,scsi-id=0,lun=0,\ -drive file=/aarch64.raw,if=none,id=drive-scsi0-0-0-0 \
drive=drive-scsi0-0-0-0,id=scsi0-0-0-0 \ -device scsi-disk,bus=scsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0-0-0-0,\
-device virtio-net-pci,vlan=0,id=net0,\ id=scsi0-0-0-0 \
mac=52:54:00:09:a4:37,bus=pcie.0,addr=0x2 \ -device virtio-net-pci,vlan=0,id=net0,mac=52:54:00:09:a4:37,bus=pcie.0,addr=0x2 \
-net user,vlan=0,name=hostnet0 -net user,vlan=0,name=hostnet0


@ -1,8 +1,26 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
/usr/bin/qemu-system-arm -S -M vexpress-a9 -m 1024 -smp 1 -nographic \ PATH=/bin \
-nodefconfig -nodefaults -monitor unix:/tmp/test-monitor,server,nowait \ HOME=/home/test \
-boot c -kernel /arm.kernel -initrd /arm.initrd -append \ USER=test \
'console=ttyAMA0,115200n8 rw root=/dev/mmcblk0p3 rootwait physmap.enabled=0' \ LOGNAME=test \
-dtb /arm.dtb -usb -drive file=/arm.raw,if=sd,index=0 \ QEMU_AUDIO_DRV=none \
/usr/bin/qemu-system-arm \
-S \
-M vexpress-a9 \
-m 1024 \
-smp 1 \
-nographic \
-nodefconfig \
-nodefaults \
-monitor unix:/tmp/test-monitor,server,nowait \
-boot c \
-kernel /arm.kernel \
-initrd /arm.initrd \
-append 'console=ttyAMA0,\
115200n8 rw root=/dev/mmcblk0p3 rootwait physmap.enabled=0' \
-dtb /arm.dtb \
-usb \
-drive file=/arm.raw,if=sd,index=0 \
-net nic,macaddr=52:54:00:09:a4:37,vlan=0,model=lan9118,name=net0 \ -net nic,macaddr=52:54:00:09:a4:37,vlan=0,model=lan9118,name=net0 \
-net user,vlan=0,name=hostnet0 -serial pty -net user,vlan=0,name=hostnet0 \
-serial pty
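Review bot: The rewrapped `-append` value in this file is now split inside its single quotes (`-append 'console=ttyAMA0,\` followed by `115200n8 rw root=/dev/mmcblk0p3 rootwait physmap.enabled=0'`), whereas the old layout kept the quoted string whole on one line. The two forms are equivalent only if the code that loads the file deletes backslash-newline pairs before it interprets quoting; that is presumably what the test loader does, but it is not visible on this page. A POSIX shell keeps a backslash-newline literally inside single quotes, so anyone pasting this file into a shell to reproduce the test would pass the guest a different kernel command line. I would have `tests/test-wrap-argv.pl` leave an over-long quoted value on one line and document that with a comment such as `# never break inside a quoted argument`.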


@ -1,5 +1,21 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
/usr/bin/qemu-system-arm -S -M vexpress-a9 -m 1024 -smp 1 -nographic \ PATH=/bin \
-nodefconfig -nodefaults -monitor unix:/tmp/test-monitor,server,nowait \ HOME=/home/test \
-boot c -kernel /arm.kernel -initrd /arm.initrd \ USER=test \
-append console=ttyAMA0,115200n8 -dtb /arm.dtb -usb LOGNAME=test \
QEMU_AUDIO_DRV=none \
/usr/bin/qemu-system-arm \
-S \
-M vexpress-a9 \
-m 1024 \
-smp 1 \
-nographic \
-nodefconfig \
-nodefaults \
-monitor unix:/tmp/test-monitor,server,nowait \
-boot c \
-kernel /arm.kernel \
-initrd /arm.initrd \
-append console=ttyAMA0,115200n8 \
-dtb /arm.dtb \
-usb


@ -1,13 +1,31 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
/usr/bin/qemu-system-arm -S -M vexpress-a9 -m 1024 -smp 1 -nographic \ PATH=/bin \
-nodefconfig -nodefaults -monitor unix:/tmp/test-monitor,server,nowait \ HOME=/home/test \
-boot c -kernel /arm.kernel -initrd /arm.initrd -append \ USER=test \
'console=ttyAMA0,115200n8 rw root=/dev/vda3 rootwait physmap.enabled=0' \ LOGNAME=test \
-dtb /arm.dtb -device virtio-serial-device,id=virtio-serial0 -usb \ QEMU_AUDIO_DRV=none \
/usr/bin/qemu-system-arm \
-S \
-M vexpress-a9 \
-m 1024 \
-smp 1 \
-nographic \
-nodefconfig \
-nodefaults \
-monitor unix:/tmp/test-monitor,server,nowait \
-boot c \
-kernel /arm.kernel \
-initrd /arm.initrd \
-append 'console=ttyAMA0,115200n8 rw root=/dev/vda3 rootwait physmap.enabled=0' \
-dtb /arm.dtb \
-device virtio-serial-device,id=virtio-serial0 \
-usb \
-drive file=/arm.raw,if=none,id=drive-virtio-disk0 \ -drive file=/arm.raw,if=none,id=drive-virtio-disk0 \
-device virtio-blk-device,drive=drive-virtio-disk0,id=virtio-disk0 \ -device virtio-blk-device,drive=drive-virtio-disk0,id=virtio-disk0 \
-device virtio-net-device,vlan=0,id=net0,mac=52:54:00:09:a4:37 \ -device virtio-net-device,vlan=0,id=net0,mac=52:54:00:09:a4:37 \
-net user,vlan=0,name=hostnet0 -serial pty -chardev pty,id=charconsole1 \ -net user,vlan=0,name=hostnet0 \
-serial pty \
-chardev pty,id=charconsole1 \
-device virtconsole,chardev=charconsole1,id=console1 \ -device virtconsole,chardev=charconsole1,id=console1 \
-device virtio-balloon-device,id=balloon0 \ -device virtio-balloon-device,id=balloon0 \
-object rng-random,id=objrng0,filename=/dev/random \ -object rng-random,id=objrng0,filename=/dev/random \


@ -1,13 +1,31 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
/usr/bin/qemu-system-arm -S -M virt -m 1024 -smp 1 -nographic \ PATH=/bin \
-nodefconfig -nodefaults -monitor unix:/tmp/test-monitor,server,nowait \ HOME=/home/test \
-boot c -kernel /arm.kernel -initrd /arm.initrd -append \ USER=test \
'console=ttyAMA0,115200n8 rw root=/dev/vda rootwait physmap.enabled=0' \ LOGNAME=test \
-dtb /arm.dtb -device virtio-serial-device,id=virtio-serial0 -usb \ QEMU_AUDIO_DRV=none \
/usr/bin/qemu-system-arm \
-S \
-M virt \
-m 1024 \
-smp 1 \
-nographic \
-nodefconfig \
-nodefaults \
-monitor unix:/tmp/test-monitor,server,nowait \
-boot c \
-kernel /arm.kernel \
-initrd /arm.initrd \
-append 'console=ttyAMA0,115200n8 rw root=/dev/vda rootwait physmap.enabled=0' \
-dtb /arm.dtb \
-device virtio-serial-device,id=virtio-serial0 \
-usb \
-drive file=/arm.raw,if=none,id=drive-virtio-disk0 \ -drive file=/arm.raw,if=none,id=drive-virtio-disk0 \
-device virtio-blk-device,drive=drive-virtio-disk0,id=virtio-disk0 \ -device virtio-blk-device,drive=drive-virtio-disk0,id=virtio-disk0 \
-device virtio-net-device,vlan=0,id=net0,mac=52:54:00:09:a4:37 \ -device virtio-net-device,vlan=0,id=net0,mac=52:54:00:09:a4:37 \
-net user,vlan=0,name=hostnet0 -serial pty -chardev pty,id=charconsole1 \ -net user,vlan=0,name=hostnet0 \
-serial pty \
-chardev pty,id=charconsole1 \
-device virtconsole,chardev=charconsole1,id=console1 \ -device virtconsole,chardev=charconsole1,id=console1 \
-device virtio-balloon-device,id=balloon0 \ -device virtio-balloon-device,id=balloon0 \
-object rng-random,id=objrng0,filename=/dev/random \ -object rng-random,id=objrng0,filename=/dev/random \


@ -1,6 +1,20 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
/usr/bin/qemu -S -M \ PATH=/bin \
pc -m 214 -smp 1 -nographic -nodefconfig -nodefaults -monitor \ HOME=/home/test \
unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -usb -hda \ USER=test \
/dev/HostVG/QEMUGuest1 -device virtio-balloon-pci,id=balloon0,bus=pci.0,\ LOGNAME=test \
addr=0x3 QEMU_AUDIO_DRV=none \
/usr/bin/qemu \
-S \
-M pc \
-m 214 \
-smp 1 \
-nographic \
-nodefconfig \
-nodefaults \
-monitor unix:/tmp/test-monitor,server,nowait \
-no-acpi \
-boot c \
-usb \
-hda /dev/HostVG/QEMUGuest1 \
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3


@ -1,6 +1,20 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
/usr/bin/qemu -S -M \ PATH=/bin \
pc -m 214 -smp 1 -nographic -nodefconfig -nodefaults -monitor \ HOME=/home/test \
unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -usb -hda \ USER=test \
/dev/HostVG/QEMUGuest1 -device virtio-balloon-pci,id=balloon0,bus=pci.0,\ LOGNAME=test \
addr=0x12 QEMU_AUDIO_DRV=none \
/usr/bin/qemu \
-S \
-M pc \
-m 214 \
-smp 1 \
-nographic \
-nodefconfig \
-nodefaults \
-monitor unix:/tmp/test-monitor,server,nowait \
-no-acpi \
-boot c \
-usb \
-hda /dev/HostVG/QEMUGuest1 \
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x12


@ -1,6 +1,20 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
/usr/bin/qemu -S -M \ PATH=/bin \
pc -m 214 -smp 1 -nographic -nodefconfig -nodefaults -monitor \ HOME=/home/test \
unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -usb -hda \ USER=test \
/dev/HostVG/QEMUGuest1 -device virtio-balloon-pci,id=balloon0,bus=pci.0,\ LOGNAME=test \
addr=0x12 QEMU_AUDIO_DRV=none \
/usr/bin/qemu \
-S \
-M pc \
-m 214 \
-smp 1 \
-nographic \
-nodefconfig \
-nodefaults \
-monitor unix:/tmp/test-monitor,server,nowait \
-no-acpi \
-boot c \
-usb \
-hda /dev/HostVG/QEMUGuest1 \
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x12


@ -1,10 +1,23 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
/usr/bin/qemu -S -M pc \ PATH=/bin \
HOME=/home/test \
USER=test \
LOGNAME=test \
QEMU_AUDIO_DRV=none \
/usr/bin/qemu \
-S \
-M pc \
-drive file=/usr/share/OVMF/OVMF_CODE.fd,if=pflash,format=raw,unit=0,readonly=on \ -drive file=/usr/share/OVMF/OVMF_CODE.fd,if=pflash,format=raw,unit=0,readonly=on \
-drive file=/usr/share/OVMF/OVMF_VARS.fd,if=pflash,format=raw,unit=1 \ -drive file=/usr/share/OVMF/OVMF_VARS.fd,if=pflash,format=raw,unit=1 \
-m 1024 -smp 1 -nographic -nodefaults \ -m 1024 \
-monitor unix:/tmp/test-monitor,server,nowait -boot c -usb \ -smp 1 \
-nographic \
-nodefaults \
-monitor unix:/tmp/test-monitor,server,nowait \
-boot c \
-usb \
-drive file=/dev/HostVG/QEMUGuest1,if=none,id=drive-ide0-0-0,format=raw \ -drive file=/dev/HostVG/QEMUGuest1,if=none,id=drive-ide0-0-0,format=raw \
-device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 \ -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 \
-serial pty -device usb-tablet,id=input0 \ -serial pty \
-device usb-tablet,id=input0 \
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3


@ -1,7 +1,23 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
/usr/bin/qemu -S -M pc -bios /usr/share/seabios/bios.bin \ PATH=/bin \
-m 1024 -smp 1 -nographic -nodefaults -device sga \ HOME=/home/test \
-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \ USER=test \
-usb -hda /dev/HostVG/QEMUGuest1 -serial pty \ LOGNAME=test \
QEMU_AUDIO_DRV=none \
/usr/bin/qemu \
-S \
-M pc \
-bios /usr/share/seabios/bios.bin \
-m 1024 \
-smp 1 \
-nographic \
-nodefaults \
-device sga \
-monitor unix:/tmp/test-monitor,server,nowait \
-no-acpi \
-boot c \
-usb \
-hda /dev/HostVG/QEMUGuest1 \
-serial pty \
-device usb-tablet,id=input0 \ -device usb-tablet,id=input0 \
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3


@ -1,10 +1,24 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
PATH=/bin \
HOME=/home/test \
USER=test \
LOGNAME=test \
QEMU_AUDIO_DRV=none \
/usr/bin/qemu \ /usr/bin/qemu \
-name QEMUGuest1 -S -M pc -m 214 -smp 1 -nographic -nodefaults \ -name QEMUGuest1 \
-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \ -S \
-usb -drive file=/dev/HostVG/QEMUGuest1,if=none,id=drive-ide0-0-0,cache=off,\ -M pc \
bps=5000,iops=6000,bps_max=10000,iops_max=11000 -device \ -m 214 \
ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 \ -smp 1 \
-nographic \
-nodefaults \
-monitor unix:/tmp/test-monitor,server,nowait \
-no-acpi \
-boot c \
-usb \
-drive file=/dev/HostVG/QEMUGuest1,if=none,id=drive-ide0-0-0,cache=off,bps=5000,\
iops=6000,bps_max=10000,iops_max=11000 \
-device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 \
-drive file=/dev/HostVG/QEMUGuest2,if=none,id=drive-ide0-0-1,cache=off,\ -drive file=/dev/HostVG/QEMUGuest2,if=none,id=drive-ide0-0-1,cache=off,\
bps_rd=5000,bps_wr=5500,iops_rd=3500,iops_wr=4000,bps_rd_max=6000,\ bps_rd=5000,bps_wr=5500,iops_rd=3500,iops_wr=4000,bps_rd_max=6000,\
bps_wr_max=6500,iops_rd_max=7000,iops_wr_max=7500,iops_size=2000 \ bps_wr_max=6500,iops_rd_max=7000,iops_wr_max=7500,iops_size=2000 \


@ -1,11 +1,25 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
PATH=/bin \
HOME=/home/test \
USER=test \
LOGNAME=test \
QEMU_AUDIO_DRV=none \
/usr/bin/qemu \ /usr/bin/qemu \
-name QEMUGuest1 -S -M pc -m 214 -smp 1 -nographic -nodefaults \ -name QEMUGuest1 \
-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \ -S \
-usb -drive file=/dev/HostVG/QEMUGuest1,if=none,id=drive-ide0-0-0,cache=off,\ -M pc \
bps=5000,iops=6000 -device \ -m 214 \
ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 \ -smp 1 \
-nographic \
-nodefaults \
-monitor unix:/tmp/test-monitor,server,nowait \
-no-acpi \
-boot c \
-usb \
-drive file=/dev/HostVG/QEMUGuest1,if=none,id=drive-ide0-0-0,cache=off,bps=5000,\
iops=6000 \
-device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 \
-drive file=/dev/HostVG/QEMUGuest2,if=none,id=drive-ide0-0-1,cache=off,\ -drive file=/dev/HostVG/QEMUGuest2,if=none,id=drive-ide0-0-1,cache=off,\
bps_rd=5000,bps_wr=5000,iops=7000 -device \ bps_rd=5000,bps_wr=5000,iops=7000 \
ide-drive,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1 \ -device ide-drive,bus=ide.0,unit=1,drive=drive-ide0-0-1,id=ide0-0-1 \
-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3


@ -1,6 +1,21 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
PATH=/bin \
HOME=/home/test \
USER=test \
LOGNAME=test \
QEMU_AUDIO_DRV=none \
/usr/bin/qemu \ /usr/bin/qemu \
-name QEMUGuest1 -S -M pc -m 214 -smp 1 -nographic -monitor \ -name QEMUGuest1 \
unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \ -S \
-usb -hda /dev/HostVG/QEMUGuest1 -net none -serial \ -M pc \
none -parallel none -m 214 \
-smp 1 \
-nographic \
-monitor unix:/tmp/test-monitor,server,nowait \
-no-acpi \
-boot c \
-usb \
-hda /dev/HostVG/QEMUGuest1 \
-net none \
-serial none \
-parallel none


@ -1,6 +1,21 @@
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=none \ LC_ALL=C \
PATH=/bin \
HOME=/home/test \
USER=test \
LOGNAME=test \
QEMU_AUDIO_DRV=none \
/usr/bin/qemu \ /usr/bin/qemu \
-name QEMUGuest1 -S -M pc -m 214 -smp 1 -nographic -monitor \ -name QEMUGuest1 \
unix:/tmp/test-monitor,server,nowait -no-acpi -boot c \ -S \
-usb -hda /dev/HostVG/QEMUGuest1 -net none -serial \ -M pc \
none -parallel none -m 214 \
-smp 1 \
-nographic \
-monitor unix:/tmp/test-monitor,server,nowait \
-no-acpi \
-boot c \
-usb \
-hda /dev/HostVG/QEMUGuest1 \
-net none \
-serial none \
-parallel none
