util/tests: enable locking on iptables/ebtables commandlines in unit tests

All the unit tests that use iptables/ip6tables/ebtables have been written to omit the locking/exclusive use primitive on the generated commandlines. Even though none of the tests actually execute those commands (and so it doesn't matter for purposes of the test whether or not the commands support these options), it still made sense when some systems had these locking options and some didn't. We are now at a point where every supported Linux distro has supported the locking options on these commands for quite a long time, and are going to make their use non-optional. As a first step, this patch uses the virFirewallSetLockOverride() function, which is called at the beginning of all firewall-related tests, to set all the bools controlling whether or not the locking options are used to true. This means that all the test cases must be updated to include the proper locking option in their commandlines. The change to make actual execs of the commands unconditionally use the locking option will be in an upcoming patch - this one affects only the unit tests. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2024-09-30 11:25:47 +00:00 · 2020-11-16 19:20:53 -05:00 · 2020-11-16 19:20:53 -05:00 · e66451f685
commit e66451f685
parent 28a3dedddd
51 changed files with 1115 additions and 358 deletions
--- a/src/util/virfirewall.c
+++ b/src/util/virfirewall.c
@ -105,6 +105,12 @@ void
 virFirewallSetLockOverride(bool avoid)
 {
    lockOverride = avoid;
+    if (avoid) {
+        /* add the lock option to all commands */
+        iptablesUseLock = true;
+        ip6tablesUseLock = true;
+        ebtablesUseLock = true;
+    }
 }

 static void
--- a/tests/networkxml2firewalldata/base.args
+++ b/tests/networkxml2firewalldata/base.args
@ -1,116 +1,150 @@
 iptables \
+-w \
 --table filter \
 --list-rules
 iptables \
+-w \
 --table nat \
 --list-rules
 iptables \
+-w \
 --table mangle \
 --list-rules
 iptables \
+-w \
 --table filter \
 --new-chain LIBVIRT_INP
 iptables \
+-w \
 --table filter \
 --insert INPUT \
 --jump LIBVIRT_INP
 iptables \
+-w \
 --table filter \
 --new-chain LIBVIRT_OUT
 iptables \
+-w \
 --table filter \
 --insert OUTPUT \
 --jump LIBVIRT_OUT
 iptables \
+-w \
 --table filter \
 --new-chain LIBVIRT_FWO
 iptables \
+-w \
 --table filter \
 --insert FORWARD \
 --jump LIBVIRT_FWO
 iptables \
+-w \
 --table filter \
 --new-chain LIBVIRT_FWI
 iptables \
+-w \
 --table filter \
 --insert FORWARD \
 --jump LIBVIRT_FWI
 iptables \
+-w \
 --table filter \
 --new-chain LIBVIRT_FWX
 iptables \
+-w \
 --table filter \
 --insert FORWARD \
 --jump LIBVIRT_FWX
 iptables \
+-w \
 --table nat \
 --new-chain LIBVIRT_PRT
 iptables \
+-w \
 --table nat \
 --insert POSTROUTING \
 --jump LIBVIRT_PRT
 iptables \
+-w \
 --table mangle \
 --new-chain LIBVIRT_PRT
 iptables \
+-w \
 --table mangle \
 --insert POSTROUTING \
 --jump LIBVIRT_PRT
 ip6tables \
+-w \
 --table filter \
 --list-rules
 ip6tables \
+-w \
 --table nat \
 --list-rules
 ip6tables \
+-w \
 --table mangle \
 --list-rules
 ip6tables \
+-w \
 --table filter \
 --new-chain LIBVIRT_INP
 ip6tables \
+-w \
 --table filter \
 --insert INPUT \
 --jump LIBVIRT_INP
 ip6tables \
+-w \
 --table filter \
 --new-chain LIBVIRT_OUT
 ip6tables \
+-w \
 --table filter \
 --insert OUTPUT \
 --jump LIBVIRT_OUT
 ip6tables \
+-w \
 --table filter \
 --new-chain LIBVIRT_FWO
 ip6tables \
+-w \
 --table filter \
 --insert FORWARD \
 --jump LIBVIRT_FWO
 ip6tables \
+-w \
 --table filter \
 --new-chain LIBVIRT_FWI
 ip6tables \
+-w \
 --table filter \
 --insert FORWARD \
 --jump LIBVIRT_FWI
 ip6tables \
+-w \
 --table filter \
 --new-chain LIBVIRT_FWX
 ip6tables \
+-w \
 --table filter \
 --insert FORWARD \
 --jump LIBVIRT_FWX
 ip6tables \
+-w \
 --table nat \
 --new-chain LIBVIRT_PRT
 ip6tables \
+-w \
 --table nat \
 --insert POSTROUTING \
 --jump LIBVIRT_PRT
 ip6tables \
+-w \
 --table mangle \
 --new-chain LIBVIRT_PRT
 ip6tables \
+-w \
 --table mangle \
 --insert POSTROUTING \
 --jump LIBVIRT_PRT
--- a/tests/networkxml2firewalldata/nat-default-linux.args
+++ b/tests/networkxml2firewalldata/nat-default-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -6,6 +7,7 @@ iptables \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -13,6 +15,7 @@ iptables \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -20,6 +23,7 @@ iptables \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -27,6 +31,7 @@ iptables \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -34,6 +39,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -41,6 +47,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -48,6 +55,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -55,28 +63,33 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWX \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --destination 192.168.122.0/24 \
@ -85,12 +98,14 @@ iptables \
 --ctstate ESTABLISHED,RELATED \
 --jump ACCEPT
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
@ -99,6 +114,7 @@ iptables \
 --jump MASQUERADE \
 --to-ports 1024-65535
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
@ -107,18 +123,21 @@ iptables \
 --jump MASQUERADE \
 --to-ports 1024-65535
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
+-w \
 --table mangle \
 --insert LIBVIRT_PRT \
 --out-interface virbr0 \
--- a/tests/networkxml2firewalldata/nat-ipv6-linux.args
+++ b/tests/networkxml2firewalldata/nat-ipv6-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -6,6 +7,7 @@ iptables \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -13,6 +15,7 @@ iptables \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -20,6 +23,7 @@ iptables \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -27,6 +31,7 @@ iptables \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -34,6 +39,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -41,6 +47,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -48,6 +55,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -55,38 +63,45 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWX \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --in-interface virbr0 \
 --jump REJECT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --out-interface virbr0 \
 --jump REJECT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_FWX \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -94,6 +109,7 @@ ip6tables \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -101,6 +117,7 @@ ip6tables \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -108,6 +125,7 @@ ip6tables \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -115,6 +133,7 @@ ip6tables \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -122,6 +141,7 @@ ip6tables \
 --destination-port 547 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -129,12 +149,14 @@ ip6tables \
 --destination-port 546 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --destination 192.168.122.0/24 \
@ -143,12 +165,14 @@ iptables \
 --ctstate ESTABLISHED,RELATED \
 --jump ACCEPT
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
@ -157,6 +181,7 @@ iptables \
 --jump MASQUERADE \
 --to-ports 1024-65535
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
@ -165,30 +190,35 @@ iptables \
 --jump MASQUERADE \
 --to-ports 1024-65535
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --source 2001:db8:ca2:2::/64 \
 --in-interface virbr0 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --destination 2001:db8:ca2:2::/64 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
+-w \
 --table mangle \
 --insert LIBVIRT_PRT \
 --out-interface virbr0 \
--- a/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args
+++ b/tests/networkxml2firewalldata/nat-ipv6-masquerade-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -6,6 +7,7 @@ iptables \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -13,6 +15,7 @@ iptables \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -20,6 +23,7 @@ iptables \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -27,6 +31,7 @@ iptables \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -34,6 +39,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -41,6 +47,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -48,6 +55,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -55,38 +63,45 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWX \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --in-interface virbr0 \
 --jump REJECT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --out-interface virbr0 \
 --jump REJECT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_FWX \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -94,6 +109,7 @@ ip6tables \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -101,6 +117,7 @@ ip6tables \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -108,6 +125,7 @@ ip6tables \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -115,6 +133,7 @@ ip6tables \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -122,6 +141,7 @@ ip6tables \
 --destination-port 547 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -129,12 +149,14 @@ ip6tables \
 --destination-port 546 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --destination 192.168.122.0/24 \
@ -143,12 +165,14 @@ iptables \
 --ctstate ESTABLISHED,RELATED \
 --jump ACCEPT
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
@ -157,6 +181,7 @@ iptables \
 --jump MASQUERADE \
 --to-ports 1024-65535
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
@ -165,24 +190,28 @@ iptables \
 --jump MASQUERADE \
 --to-ports 1024-65535
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --source 2001:db8:ca2:2::/64 \
 --in-interface virbr0 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --destination 2001:db8:ca2:2::/64 \
@ -191,12 +220,14 @@ ip6tables \
 --ctstate ESTABLISHED,RELATED \
 --jump ACCEPT
 ip6tables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 2001:db8:ca2:2::/64 '!' \
 --destination 2001:db8:ca2:2::/64 \
 --jump MASQUERADE
 ip6tables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 2001:db8:ca2:2::/64 \
@ -205,6 +236,7 @@ ip6tables \
 --jump MASQUERADE \
 --to-ports 1024-65535
 ip6tables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 2001:db8:ca2:2::/64 \
@ -213,12 +245,14 @@ ip6tables \
 --jump MASQUERADE \
 --to-ports 1024-65535
 ip6tables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 2001:db8:ca2:2::/64 \
 --destination ff02::/16 \
 --jump RETURN
 iptables \
+-w \
 --table mangle \
 --insert LIBVIRT_PRT \
 --out-interface virbr0 \
--- a/tests/networkxml2firewalldata/nat-many-ips-linux.args
+++ b/tests/networkxml2firewalldata/nat-many-ips-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -6,6 +7,7 @@ iptables \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -13,6 +15,7 @@ iptables \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -20,6 +23,7 @@ iptables \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -27,6 +31,7 @@ iptables \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -34,6 +39,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -41,6 +47,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -48,6 +55,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -55,28 +63,33 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWX \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --destination 192.168.122.0/24 \
@ -85,12 +98,14 @@ iptables \
 --ctstate ESTABLISHED,RELATED \
 --jump ACCEPT
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
@ -99,6 +114,7 @@ iptables \
 --jump MASQUERADE \
 --to-ports 1024-65535
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
@ -107,24 +123,28 @@ iptables \
 --jump MASQUERADE \
 --to-ports 1024-65535
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --source 192.168.128.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --destination 192.168.128.0/24 \
@ -133,12 +153,14 @@ iptables \
 --ctstate ESTABLISHED,RELATED \
 --jump ACCEPT
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.128.0/24 '!' \
 --destination 192.168.128.0/24 \
 --jump MASQUERADE
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.128.0/24 \
@ -147,6 +169,7 @@ iptables \
 --jump MASQUERADE \
 --to-ports 1024-65535
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.128.0/24 \
@ -155,24 +178,28 @@ iptables \
 --jump MASQUERADE \
 --to-ports 1024-65535
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.128.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.128.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --source 192.168.150.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --destination 192.168.150.0/24 \
@ -181,12 +208,14 @@ iptables \
 --ctstate ESTABLISHED,RELATED \
 --jump ACCEPT
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.150.0/24 '!' \
 --destination 192.168.150.0/24 \
 --jump MASQUERADE
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.150.0/24 \
@ -195,6 +224,7 @@ iptables \
 --jump MASQUERADE \
 --to-ports 1024-65535
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.150.0/24 \
@ -203,18 +233,21 @@ iptables \
 --jump MASQUERADE \
 --to-ports 1024-65535
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.150.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.150.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
+-w \
 --table mangle \
 --insert LIBVIRT_PRT \
 --out-interface virbr0 \
--- a/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
+++ b/tests/networkxml2firewalldata/nat-no-dhcp-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -6,6 +7,7 @@ iptables \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -13,6 +15,7 @@ iptables \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -20,6 +23,7 @@ iptables \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -27,6 +31,7 @@ iptables \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -34,6 +39,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -41,6 +47,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -48,6 +55,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -55,38 +63,45 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWX \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --in-interface virbr0 \
 --jump REJECT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --out-interface virbr0 \
 --jump REJECT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_FWX \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -94,6 +109,7 @@ ip6tables \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -101,6 +117,7 @@ ip6tables \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -108,6 +125,7 @@ ip6tables \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -115,6 +133,7 @@ ip6tables \
 --destination-port 53 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -122,6 +141,7 @@ ip6tables \
 --destination-port 547 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -129,12 +149,14 @@ ip6tables \
 --destination-port 546 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --destination 192.168.122.0/24 \
@ -143,12 +165,14 @@ iptables \
 --ctstate ESTABLISHED,RELATED \
 --jump ACCEPT
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
@ -157,6 +181,7 @@ iptables \
 --jump MASQUERADE \
 --to-ports 1024-65535
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
@ -165,24 +190,28 @@ iptables \
 --jump MASQUERADE \
 --to-ports 1024-65535
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --source 2001:db8:ca2:2::/64 \
 --in-interface virbr0 \
 --jump ACCEPT
 ip6tables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --destination 2001:db8:ca2:2::/64 \
--- a/tests/networkxml2firewalldata/nat-tftp-linux.args
+++ b/tests/networkxml2firewalldata/nat-tftp-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -6,6 +7,7 @@ iptables \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -13,6 +15,7 @@ iptables \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -20,6 +23,7 @@ iptables \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -27,6 +31,7 @@ iptables \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -34,6 +39,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -41,6 +47,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -48,6 +55,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -55,6 +63,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -62,6 +71,7 @@ iptables \
 --destination-port 69 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -69,28 +79,33 @@ iptables \
 --destination-port 69 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWX \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --destination 192.168.122.0/24 \
@ -99,12 +114,14 @@ iptables \
 --ctstate ESTABLISHED,RELATED \
 --jump ACCEPT
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 '!' \
 --destination 192.168.122.0/24 \
 --jump MASQUERADE
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
@ -113,6 +130,7 @@ iptables \
 --jump MASQUERADE \
 --to-ports 1024-65535
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
@ -121,18 +139,21 @@ iptables \
 --jump MASQUERADE \
 --to-ports 1024-65535
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 255.255.255.255/32 \
 --jump RETURN
 iptables \
+-w \
 --table nat \
 --insert LIBVIRT_PRT \
 --source 192.168.122.0/24 \
 --destination 224.0.0.0/24 \
 --jump RETURN
 iptables \
+-w \
 --table mangle \
 --insert LIBVIRT_PRT \
 --out-interface virbr0 \
--- a/tests/networkxml2firewalldata/route-default-linux.args
+++ b/tests/networkxml2firewalldata/route-default-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -6,6 +7,7 @@ iptables \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -13,6 +15,7 @@ iptables \
 --destination-port 67 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -20,6 +23,7 @@ iptables \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -27,6 +31,7 @@ iptables \
 --destination-port 68 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -34,6 +39,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_INP \
 --in-interface virbr0 \
@ -41,6 +47,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -48,6 +55,7 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_OUT \
 --out-interface virbr0 \
@ -55,34 +63,40 @@ iptables \
 --destination-port 53 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --in-interface virbr0 \
 --jump REJECT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --out-interface virbr0 \
 --jump REJECT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWX \
 --in-interface virbr0 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWO \
 --source 192.168.122.0/24 \
 --in-interface virbr0 \
 --jump ACCEPT
 iptables \
+-w \
 --table filter \
 --insert LIBVIRT_FWI \
 --destination 192.168.122.0/24 \
 --out-interface virbr0 \
 --jump ACCEPT
 iptables \
+-w \
 --table mangle \
 --insert LIBVIRT_PRT \
 --out-interface virbr0 \
--- a/tests/nwfilterebiptablestest.c
+++ b/tests/nwfilterebiptablestest.c
@ -36,34 +36,34 @@


 #define VIR_NWFILTER_NEW_RULES_TEARDOWN \
-    "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n" \
-    "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" \
-    "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \
-    "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n" \
-    "iptables -F FP-vnet0\n" \
-    "iptables -X FP-vnet0\n" \
-    "iptables -F FJ-vnet0\n" \
-    "iptables -X FJ-vnet0\n" \
-    "iptables -F HJ-vnet0\n" \
-    "iptables -X HJ-vnet0\n" \
-    "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n" \
-    "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" \
-    "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \
-    "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n" \
-    "ip6tables -F FP-vnet0\n" \
-    "ip6tables -X FP-vnet0\n" \
-    "ip6tables -F FJ-vnet0\n" \
-    "ip6tables -X FJ-vnet0\n" \
-    "ip6tables -F HJ-vnet0\n" \
-    "ip6tables -X HJ-vnet0\n" \
-    "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n" \
-    "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n" \
-    "ebtables -t nat -L libvirt-J-vnet0\n" \
-    "ebtables -t nat -L libvirt-P-vnet0\n" \
-    "ebtables -t nat -F libvirt-J-vnet0\n" \
-    "ebtables -t nat -X libvirt-J-vnet0\n" \
-    "ebtables -t nat -F libvirt-P-vnet0\n" \
-    "ebtables -t nat -X libvirt-P-vnet0\n"
+    "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n" \
+    "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" \
+    "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \
+    "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n" \
+    "iptables -w -F FP-vnet0\n" \
+    "iptables -w -X FP-vnet0\n" \
+    "iptables -w -F FJ-vnet0\n" \
+    "iptables -w -X FJ-vnet0\n" \
+    "iptables -w -F HJ-vnet0\n" \
+    "iptables -w -X HJ-vnet0\n" \
+    "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n" \
+    "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n" \
+    "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n" \
+    "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n" \
+    "ip6tables -w -F FP-vnet0\n" \
+    "ip6tables -w -X FP-vnet0\n" \
+    "ip6tables -w -F FJ-vnet0\n" \
+    "ip6tables -w -X FJ-vnet0\n" \
+    "ip6tables -w -F HJ-vnet0\n" \
+    "ip6tables -w -X HJ-vnet0\n" \
+    "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n" \
+    "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n" \
+    "ebtables --concurrent -t nat -L libvirt-J-vnet0\n" \
+    "ebtables --concurrent -t nat -L libvirt-P-vnet0\n" \
+    "ebtables --concurrent -t nat -F libvirt-J-vnet0\n" \
+    "ebtables --concurrent -t nat -X libvirt-J-vnet0\n" \
+    "ebtables --concurrent -t nat -F libvirt-P-vnet0\n" \
+    "ebtables --concurrent -t nat -X libvirt-P-vnet0\n"

 static int
 testNWFilterEBIPTablesAllTeardown(const void *opaque G_GNUC_UNUSED)
@ -71,36 +71,36 @@ testNWFilterEBIPTablesAllTeardown(const void *opaque G_GNUC_UNUSED)
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
        VIR_NWFILTER_NEW_RULES_TEARDOWN
-        "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
-        "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
-        "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
-        "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
-        "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
-        "iptables -F FO-vnet0\n"
-        "iptables -X FO-vnet0\n"
-        "iptables -F FI-vnet0\n"
-        "iptables -X FI-vnet0\n"
-        "iptables -F HI-vnet0\n"
-        "iptables -X HI-vnet0\n"
-        "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
-        "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
-        "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
-        "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
-        "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
-        "ip6tables -F FO-vnet0\n"
-        "ip6tables -X FO-vnet0\n"
-        "ip6tables -F FI-vnet0\n"
-        "ip6tables -X FI-vnet0\n"
-        "ip6tables -F HI-vnet0\n"
-        "ip6tables -X HI-vnet0\n"
-        "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
-        "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
-        "ebtables -t nat -L libvirt-I-vnet0\n"
-        "ebtables -t nat -L libvirt-O-vnet0\n"
-        "ebtables -t nat -F libvirt-I-vnet0\n"
-        "ebtables -t nat -X libvirt-I-vnet0\n"
-        "ebtables -t nat -F libvirt-O-vnet0\n"
-        "ebtables -t nat -X libvirt-O-vnet0\n";
+        "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+        "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+        "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+        "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+        "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+        "iptables -w -F FO-vnet0\n"
+        "iptables -w -X FO-vnet0\n"
+        "iptables -w -F FI-vnet0\n"
+        "iptables -w -X FI-vnet0\n"
+        "iptables -w -F HI-vnet0\n"
+        "iptables -w -X HI-vnet0\n"
+        "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+        "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+        "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+        "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+        "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+        "ip6tables -w -F FO-vnet0\n"
+        "ip6tables -w -X FO-vnet0\n"
+        "ip6tables -w -F FI-vnet0\n"
+        "ip6tables -w -X FI-vnet0\n"
+        "ip6tables -w -F HI-vnet0\n"
+        "ip6tables -w -X HI-vnet0\n"
+        "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -X libvirt-O-vnet0\n";
    char *actual = NULL;
    int ret = -1;

@ -130,44 +130,44 @@ testNWFilterEBIPTablesTearOldRules(const void *opaque G_GNUC_UNUSED)
 {
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
-        "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
-        "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
-        "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
-        "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
-        "iptables -F FO-vnet0\n"
-        "iptables -X FO-vnet0\n"
-        "iptables -F FI-vnet0\n"
-        "iptables -X FI-vnet0\n"
-        "iptables -F HI-vnet0\n"
-        "iptables -X HI-vnet0\n"
-        "iptables -E FP-vnet0 FO-vnet0\n"
-        "iptables -E FJ-vnet0 FI-vnet0\n"
-        "iptables -E HJ-vnet0 HI-vnet0\n"
-        "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
-        "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
-        "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
-        "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
-        "ip6tables -F FO-vnet0\n"
-        "ip6tables -X FO-vnet0\n"
-        "ip6tables -F FI-vnet0\n"
-        "ip6tables -X FI-vnet0\n"
-        "ip6tables -F HI-vnet0\n"
-        "ip6tables -X HI-vnet0\n"
-        "ip6tables -E FP-vnet0 FO-vnet0\n"
-        "ip6tables -E FJ-vnet0 FI-vnet0\n"
-        "ip6tables -E HJ-vnet0 HI-vnet0\n"
-        "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
-        "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
-        "ebtables -t nat -L libvirt-I-vnet0\n"
-        "ebtables -t nat -L libvirt-O-vnet0\n"
-        "ebtables -t nat -F libvirt-I-vnet0\n"
-        "ebtables -t nat -X libvirt-I-vnet0\n"
-        "ebtables -t nat -F libvirt-O-vnet0\n"
-        "ebtables -t nat -X libvirt-O-vnet0\n"
-        "ebtables -t nat -L libvirt-J-vnet0\n"
-        "ebtables -t nat -L libvirt-P-vnet0\n"
-        "ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
-        "ebtables -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
+        "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+        "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+        "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+        "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+        "iptables -w -F FO-vnet0\n"
+        "iptables -w -X FO-vnet0\n"
+        "iptables -w -F FI-vnet0\n"
+        "iptables -w -X FI-vnet0\n"
+        "iptables -w -F HI-vnet0\n"
+        "iptables -w -X HI-vnet0\n"
+        "iptables -w -E FP-vnet0 FO-vnet0\n"
+        "iptables -w -E FJ-vnet0 FI-vnet0\n"
+        "iptables -w -E HJ-vnet0 HI-vnet0\n"
+        "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+        "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+        "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+        "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+        "ip6tables -w -F FO-vnet0\n"
+        "ip6tables -w -X FO-vnet0\n"
+        "ip6tables -w -F FI-vnet0\n"
+        "ip6tables -w -X FI-vnet0\n"
+        "ip6tables -w -F HI-vnet0\n"
+        "ip6tables -w -X HI-vnet0\n"
+        "ip6tables -w -E FP-vnet0 FO-vnet0\n"
+        "ip6tables -w -E FJ-vnet0 FI-vnet0\n"
+        "ip6tables -w -E HJ-vnet0 HI-vnet0\n"
+        "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -L libvirt-J-vnet0\n"
+        "ebtables --concurrent -t nat -L libvirt-P-vnet0\n"
+        "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
    char *actual = NULL;
    int ret = -1;

@ -197,22 +197,22 @@ testNWFilterEBIPTablesRemoveBasicRules(const void *opaque G_GNUC_UNUSED)
 {
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
-        "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
-        "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
-        "ebtables -t nat -L libvirt-I-vnet0\n"
-        "ebtables -t nat -L libvirt-O-vnet0\n"
-        "ebtables -t nat -F libvirt-I-vnet0\n"
-        "ebtables -t nat -X libvirt-I-vnet0\n"
-        "ebtables -t nat -F libvirt-O-vnet0\n"
-        "ebtables -t nat -X libvirt-O-vnet0\n"
-        "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
-        "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
-        "ebtables -t nat -L libvirt-J-vnet0\n"
-        "ebtables -t nat -L libvirt-P-vnet0\n"
-        "ebtables -t nat -F libvirt-J-vnet0\n"
-        "ebtables -t nat -X libvirt-J-vnet0\n"
-        "ebtables -t nat -F libvirt-P-vnet0\n"
-        "ebtables -t nat -X libvirt-P-vnet0\n";
+        "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
+        "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
+        "ebtables --concurrent -t nat -L libvirt-J-vnet0\n"
+        "ebtables --concurrent -t nat -L libvirt-P-vnet0\n"
+        "ebtables --concurrent -t nat -F libvirt-J-vnet0\n"
+        "ebtables --concurrent -t nat -X libvirt-J-vnet0\n"
+        "ebtables --concurrent -t nat -F libvirt-P-vnet0\n"
+        "ebtables --concurrent -t nat -X libvirt-P-vnet0\n";
    char *actual = NULL;
    int ret = -1;

@ -273,43 +273,43 @@ testNWFilterEBIPTablesApplyBasicRules(const void *opaque G_GNUC_UNUSED)
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
        VIR_NWFILTER_NEW_RULES_TEARDOWN
-        "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
-        "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
-        "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
-        "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
-        "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
-        "iptables -F FO-vnet0\n"
-        "iptables -X FO-vnet0\n"
-        "iptables -F FI-vnet0\n"
-        "iptables -X FI-vnet0\n"
-        "iptables -F HI-vnet0\n"
-        "iptables -X HI-vnet0\n"
-        "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
-        "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
-        "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
-        "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
-        "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
-        "ip6tables -F FO-vnet0\n"
-        "ip6tables -X FO-vnet0\n"
-        "ip6tables -F FI-vnet0\n"
-        "ip6tables -X FI-vnet0\n"
-        "ip6tables -F HI-vnet0\n"
-        "ip6tables -X HI-vnet0\n"
-        "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
-        "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
-        "ebtables -t nat -L libvirt-I-vnet0\n"
-        "ebtables -t nat -L libvirt-O-vnet0\n"
-        "ebtables -t nat -F libvirt-I-vnet0\n"
-        "ebtables -t nat -X libvirt-I-vnet0\n"
-        "ebtables -t nat -F libvirt-O-vnet0\n"
-        "ebtables -t nat -X libvirt-O-vnet0\n"
-        "ebtables -t nat -N libvirt-J-vnet0\n"
-        "ebtables -t nat -A libvirt-J-vnet0 -s '!' 10:20:30:40:50:60 -j DROP\n"
-        "ebtables -t nat -A libvirt-J-vnet0 -p IPv4 -j ACCEPT\n"
-        "ebtables -t nat -A libvirt-J-vnet0 -p ARP -j ACCEPT\n"
-        "ebtables -t nat -A libvirt-J-vnet0 -j DROP\n"
-        "ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
-        "ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n";
+        "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+        "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+        "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+        "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+        "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+        "iptables -w -F FO-vnet0\n"
+        "iptables -w -X FO-vnet0\n"
+        "iptables -w -F FI-vnet0\n"
+        "iptables -w -X FI-vnet0\n"
+        "iptables -w -F HI-vnet0\n"
+        "iptables -w -X HI-vnet0\n"
+        "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+        "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+        "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+        "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+        "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+        "ip6tables -w -F FO-vnet0\n"
+        "ip6tables -w -X FO-vnet0\n"
+        "ip6tables -w -F FI-vnet0\n"
+        "ip6tables -w -X FI-vnet0\n"
+        "ip6tables -w -F HI-vnet0\n"
+        "ip6tables -w -X HI-vnet0\n"
+        "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
+        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -s '!' 10:20:30:40:50:60 -j DROP\n"
+        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -p IPv4 -j ACCEPT\n"
+        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -p ARP -j ACCEPT\n"
+        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n"
+        "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
+        "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n";
    char *actual = NULL;
    int ret = -1;
    virMacAddr mac = { .addr = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } };
@ -341,51 +341,51 @@ testNWFilterEBIPTablesApplyDHCPOnlyRules(const void *opaque G_GNUC_UNUSED)
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
        VIR_NWFILTER_NEW_RULES_TEARDOWN
-        "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
-        "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
-        "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
-        "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
-        "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
-        "iptables -F FO-vnet0\n"
-        "iptables -X FO-vnet0\n"
-        "iptables -F FI-vnet0\n"
-        "iptables -X FI-vnet0\n"
-        "iptables -F HI-vnet0\n"
-        "iptables -X HI-vnet0\n"
-        "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
-        "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
-        "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
-        "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
-        "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
-        "ip6tables -F FO-vnet0\n"
-        "ip6tables -X FO-vnet0\n"
-        "ip6tables -F FI-vnet0\n"
-        "ip6tables -X FI-vnet0\n"
-        "ip6tables -F HI-vnet0\n"
-        "ip6tables -X HI-vnet0\n"
-        "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
-        "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
-        "ebtables -t nat -L libvirt-I-vnet0\n"
-        "ebtables -t nat -L libvirt-O-vnet0\n"
-        "ebtables -t nat -F libvirt-I-vnet0\n"
-        "ebtables -t nat -X libvirt-I-vnet0\n"
-        "ebtables -t nat -F libvirt-O-vnet0\n"
-        "ebtables -t nat -X libvirt-O-vnet0\n"
-        "ebtables -t nat -N libvirt-J-vnet0\n"
-        "ebtables -t nat -N libvirt-P-vnet0\n"
-        "ebtables -t nat -A libvirt-J-vnet0 -s 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-sport 68 --ip-dport 67 -j ACCEPT\n"
-        "ebtables -t nat -A libvirt-J-vnet0 -j DROP\n"
-        "ebtables -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
-        "ebtables -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
-        "ebtables -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
-        "ebtables -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
-        "ebtables -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
-        "ebtables -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
-        "ebtables -t nat -A libvirt-P-vnet0 -j DROP\n"
-        "ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
-        "ebtables -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
-        "ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
-        "ebtables -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
+        "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+        "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+        "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+        "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+        "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+        "iptables -w -F FO-vnet0\n"
+        "iptables -w -X FO-vnet0\n"
+        "iptables -w -F FI-vnet0\n"
+        "iptables -w -X FI-vnet0\n"
+        "iptables -w -F HI-vnet0\n"
+        "iptables -w -X HI-vnet0\n"
+        "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+        "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+        "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+        "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+        "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+        "ip6tables -w -F FO-vnet0\n"
+        "ip6tables -w -X FO-vnet0\n"
+        "ip6tables -w -F FI-vnet0\n"
+        "ip6tables -w -X FI-vnet0\n"
+        "ip6tables -w -F HI-vnet0\n"
+        "ip6tables -w -X HI-vnet0\n"
+        "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
+        "ebtables --concurrent -t nat -N libvirt-P-vnet0\n"
+        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -s 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-sport 68 --ip-dport 67 -j ACCEPT\n"
+        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n"
+        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
+        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 192.168.122.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
+        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
+        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.1 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
+        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d 10:20:30:40:50:60 -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
+        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -d ff:ff:ff:ff:ff:ff -p ipv4 --ip-protocol udp --ip-src 10.0.0.2 --ip-sport 67 --ip-dport 68 -j ACCEPT\n"
+        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -j DROP\n"
+        "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
+        "ebtables --concurrent -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
+        "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
    char *actual = NULL;
    int ret = -1;
    virMacAddr mac = { .addr = { 0x10, 0x20, 0x30, 0x40, 0x50, 0x60 } };
@ -428,44 +428,44 @@ testNWFilterEBIPTablesApplyDropAllRules(const void *opaque G_GNUC_UNUSED)
    g_auto(virBuffer) buf = VIR_BUFFER_INITIALIZER;
    const char *expected =
        VIR_NWFILTER_NEW_RULES_TEARDOWN
-        "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
-        "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
-        "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
-        "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
-        "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
-        "iptables -F FO-vnet0\n"
-        "iptables -X FO-vnet0\n"
-        "iptables -F FI-vnet0\n"
-        "iptables -X FI-vnet0\n"
-        "iptables -F HI-vnet0\n"
-        "iptables -X HI-vnet0\n"
-        "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
-        "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
-        "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
-        "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
-        "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
-        "ip6tables -F FO-vnet0\n"
-        "ip6tables -X FO-vnet0\n"
-        "ip6tables -F FI-vnet0\n"
-        "ip6tables -X FI-vnet0\n"
-        "ip6tables -F HI-vnet0\n"
-        "ip6tables -X HI-vnet0\n"
-        "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
-        "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
-        "ebtables -t nat -L libvirt-I-vnet0\n"
-        "ebtables -t nat -L libvirt-O-vnet0\n"
-        "ebtables -t nat -F libvirt-I-vnet0\n"
-        "ebtables -t nat -X libvirt-I-vnet0\n"
-        "ebtables -t nat -F libvirt-O-vnet0\n"
-        "ebtables -t nat -X libvirt-O-vnet0\n"
-        "ebtables -t nat -N libvirt-J-vnet0\n"
-        "ebtables -t nat -N libvirt-P-vnet0\n"
-        "ebtables -t nat -A libvirt-J-vnet0 -j DROP\n"
-        "ebtables -t nat -A libvirt-P-vnet0 -j DROP\n"
-        "ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
-        "ebtables -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
-        "ebtables -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
-        "ebtables -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
+        "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+        "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+        "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+        "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+        "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+        "iptables -w -F FO-vnet0\n"
+        "iptables -w -X FO-vnet0\n"
+        "iptables -w -F FI-vnet0\n"
+        "iptables -w -X FI-vnet0\n"
+        "iptables -w -F HI-vnet0\n"
+        "iptables -w -X HI-vnet0\n"
+        "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FO-vnet0\n"
+        "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FO-vnet0\n"
+        "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FI-vnet0\n"
+        "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HI-vnet0\n"
+        "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+        "ip6tables -w -F FO-vnet0\n"
+        "ip6tables -w -X FO-vnet0\n"
+        "ip6tables -w -F FI-vnet0\n"
+        "ip6tables -w -X FI-vnet0\n"
+        "ip6tables -w -F HI-vnet0\n"
+        "ip6tables -w -X HI-vnet0\n"
+        "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -L libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -L libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -F libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -X libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -F libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -X libvirt-O-vnet0\n"
+        "ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
+        "ebtables --concurrent -t nat -N libvirt-P-vnet0\n"
+        "ebtables --concurrent -t nat -A libvirt-J-vnet0 -j DROP\n"
+        "ebtables --concurrent -t nat -A libvirt-P-vnet0 -j DROP\n"
+        "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
+        "ebtables --concurrent -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
+        "ebtables --concurrent -t nat -E libvirt-J-vnet0 libvirt-I-vnet0\n"
+        "ebtables --concurrent -t nat -E libvirt-P-vnet0 libvirt-O-vnet0\n";
    char *actual = NULL;
    int ret = -1;

--- a/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/ah-ipv6-linux.args
@ -1,4 +1,5 @@
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p ah \
 -m mac \
@ -11,6 +12,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p ah \
 --destination f:e:d::c:b:a/127 \
@ -21,6 +23,7 @@ ip6tables \
 --state ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p ah \
 -m mac \
@ -33,6 +36,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p ah \
 --destination a:b:c::/128 \
@ -42,6 +46,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p ah \
 -m mac \
@ -53,6 +58,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p ah \
 --destination a:b:c::/128 \
@ -62,6 +68,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p ah \
 --destination ::10.1.2.3/128 \
@ -71,6 +78,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p ah \
 -m mac \
@ -82,6 +90,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p ah \
 --destination ::10.1.2.3/128 \
--- a/tests/nwfilterxml2firewalldata/ah-linux.args
+++ b/tests/nwfilterxml2firewalldata/ah-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 -A FJ-vnet0 \
 -p ah \
 -m mac \
@ -10,6 +11,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p ah \
 --source 10.1.2.3/32 \
@ -19,6 +21,7 @@ iptables \
 --state ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p ah \
 -m mac \
@ -30,6 +33,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p ah \
 --destination 10.1.2.3/22 \
@ -39,6 +43,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p ah \
 -m mac \
@ -50,6 +55,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p ah \
 --destination 10.1.2.3/22 \
@ -59,6 +65,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p ah \
 --destination 10.1.2.3/22 \
@ -68,6 +75,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p ah \
 -m mac \
@ -79,6 +87,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p ah \
 --destination 10.1.2.3/22 \
--- a/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/all-ipv6-linux.args
@ -1,4 +1,5 @@
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -m mac \
@ -11,6 +12,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p all \
 --destination f:e:d::c:b:a/127 \
@ -21,6 +23,7 @@ ip6tables \
 --state ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -m mac \
@ -33,6 +36,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p all \
 --destination a:b:c::/128 \
@ -42,6 +46,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m mac \
@ -53,6 +58,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p all \
 --destination a:b:c::/128 \
@ -62,6 +68,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p all \
 --destination ::10.1.2.3/128 \
@ -71,6 +78,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m mac \
@ -82,6 +90,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p all \
 --destination ::10.1.2.3/128 \
--- a/tests/nwfilterxml2firewalldata/all-linux.args
+++ b/tests/nwfilterxml2firewalldata/all-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -m mac \
@ -10,6 +11,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 --source 10.1.2.3/32 \
@ -19,6 +21,7 @@ iptables \
 --state ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -m mac \
@ -30,6 +33,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 --destination 10.1.2.3/22 \
@ -39,6 +43,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m mac \
@ -50,6 +55,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 --destination 10.1.2.3/22 \
@ -59,6 +65,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 --destination 10.1.2.3/22 \
@ -68,6 +75,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m mac \
@ -79,6 +87,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 --destination 10.1.2.3/22 \
--- a/tests/nwfilterxml2firewalldata/arp-linux.args
+++ b/tests/nwfilterxml2firewalldata/arp-linux.args
@ -1,4 +1,5 @@
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -11,6 +12,7 @@ ebtables \
 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -20,6 +22,7 @@ ebtables \
 --arp-ptype 0xff \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -29,6 +32,7 @@ ebtables \
 --arp-ptype 0x100 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -38,6 +42,7 @@ ebtables \
 --arp-ptype 0xffff \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -p 0x806 \
--- a/tests/nwfilterxml2firewalldata/comment-linux.args
+++ b/tests/nwfilterxml2firewalldata/comment-linux.args
@ -1,9 +1,11 @@
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -p 0x1234 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -17,6 +19,7 @@ ebtables \
 --ip-tos 0x32 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
@ -29,6 +32,7 @@ ebtables \
 --ip6-destination-port 13107:65535 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -41,6 +45,7 @@ ebtables \
 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
 -j ACCEPT
 iptables \
+-w \
 -A FJ-vnet0 \
 -p udp \
 -m mac \
@ -56,6 +61,7 @@ iptables \
 --comment 'udp rule' \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p udp \
 --source 10.1.2.3/32 \
@ -69,6 +75,7 @@ iptables \
 --comment 'udp rule' \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p udp \
 -m mac \
@ -84,6 +91,7 @@ iptables \
 --comment 'udp rule' \
 -j RETURN
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p tcp \
 --destination a:b:c::/128 \
@ -97,6 +105,7 @@ ip6tables \
 --comment 'tcp/ipv6 rule' \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 -m mac \
@ -112,6 +121,7 @@ ip6tables \
 --comment 'tcp/ipv6 rule' \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p tcp \
 --destination a:b:c::/128 \
@ -125,6 +135,7 @@ ip6tables \
 --comment 'tcp/ipv6 rule' \
 -j RETURN
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p udp \
 -m state \
@ -133,6 +144,7 @@ ip6tables \
 --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3   spaces'\''' \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p udp \
 -m state \
@ -141,6 +153,7 @@ ip6tables \
 --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3   spaces'\''' \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p udp \
 -m state \
@ -149,6 +162,7 @@ ip6tables \
 --comment '`ls`;${COLUMNS};$(ls);"test";&'\''3   spaces'\''' \
 -j RETURN
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p sctp \
 -m state \
@ -157,6 +171,7 @@ ip6tables \
 --comment 'comment with lone '\'', `, ", `, \, $x, and two  spaces' \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p sctp \
 -m state \
@ -165,6 +180,7 @@ ip6tables \
 --comment 'comment with lone '\'', `, ", `, \, $x, and two  spaces' \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p sctp \
 -m state \
@ -173,6 +189,7 @@ ip6tables \
 --comment 'comment with lone '\'', `, ", `, \, $x, and two  spaces' \
 -j RETURN
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p ah \
 -m state \
@ -182,6 +199,7 @@ ip6tables \
 -f ${tmp}' \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p ah \
 -m state \
@ -191,6 +209,7 @@ ip6tables \
 -f ${tmp}' \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p ah \
 -m state \
--- a/tests/nwfilterxml2firewalldata/conntrack-linux.args
+++ b/tests/nwfilterxml2firewalldata/conntrack-linux.args
@ -1,40 +1,47 @@
 iptables \
+-w \
 -A FJ-vnet0 \
 -p icmp \
 -m connlimit \
 --connlimit-above 1 \
 -j DROP
 iptables \
+-w \
 -A HJ-vnet0 \
 -p icmp \
 -m connlimit \
 --connlimit-above 1 \
 -j DROP
 iptables \
+-w \
 -A FJ-vnet0 \
 -p tcp \
 -m connlimit \
 --connlimit-above 2 \
 -j DROP
 iptables \
+-w \
 -A HJ-vnet0 \
 -p tcp \
 -m connlimit \
 --connlimit-above 2 \
 -j DROP
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -m state \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m state \
 --state ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -m state \
--- a/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/esp-ipv6-linux.args
@ -1,4 +1,5 @@
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p esp \
 -m mac \
@ -11,6 +12,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p esp \
 --destination f:e:d::c:b:a/127 \
@ -21,6 +23,7 @@ ip6tables \
 --state ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p esp \
 -m mac \
@ -33,6 +36,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p esp \
 --destination a:b:c::/128 \
@ -42,6 +46,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p esp \
 -m mac \
@ -53,6 +58,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p esp \
 --destination a:b:c::/128 \
@ -62,6 +68,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p esp \
 --destination ::10.1.2.3/128 \
@ -71,6 +78,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p esp \
 -m mac \
@ -82,6 +90,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p esp \
 --destination ::10.1.2.3/128 \
--- a/tests/nwfilterxml2firewalldata/esp-linux.args
+++ b/tests/nwfilterxml2firewalldata/esp-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 -A FJ-vnet0 \
 -p esp \
 -m mac \
@ -10,6 +11,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p esp \
 --source 10.1.2.3/32 \
@ -19,6 +21,7 @@ iptables \
 --state ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p esp \
 -m mac \
@ -30,6 +33,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p esp \
 --destination 10.1.2.3/22 \
@ -39,6 +43,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p esp \
 -m mac \
@ -50,6 +55,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p esp \
 --destination 10.1.2.3/22 \
@ -59,6 +65,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p esp \
 --destination 10.1.2.3/22 \
@ -68,6 +75,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p esp \
 -m mac \
@ -79,6 +87,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p esp \
 --destination 10.1.2.3/22 \
--- a/tests/nwfilterxml2firewalldata/example-1-linux.args
+++ b/tests/nwfilterxml2firewalldata/example-1-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 -A FJ-vnet0 \
 -p tcp \
 --sport 22 \
@ -6,6 +7,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 --dport 22 \
@ -13,6 +15,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p tcp \
 --sport 22 \
@ -20,50 +23,59 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p icmp \
 -m state \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p icmp \
 -m state \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p icmp \
 -m state \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -m state \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m state \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -m state \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -j DROP
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -j DROP
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -j DROP
--- a/tests/nwfilterxml2firewalldata/example-2-linux.args
+++ b/tests/nwfilterxml2firewalldata/example-2-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -m state \
@ -7,6 +8,7 @@ iptables \
 --comment 'out: existing and related (ftp) connections' \
 -j RETURN
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -m state \
@ -15,6 +17,7 @@ iptables \
 --comment 'out: existing and related (ftp) connections' \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m state \
@ -23,6 +26,7 @@ iptables \
 --comment 'in: existing connections' \
 -j ACCEPT
 iptables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 --dport 21:22 \
@ -32,6 +36,7 @@ iptables \
 --comment 'in: ftp and ssh' \
 -j ACCEPT
 iptables \
+-w \
 -A FP-vnet0 \
 -p icmp \
 -m state \
@ -40,6 +45,7 @@ iptables \
 --comment 'in: icmp' \
 -j ACCEPT
 iptables \
+-w \
 -A FJ-vnet0 \
 -p udp \
 --dport 53 \
@ -49,6 +55,7 @@ iptables \
 --comment 'out: DNS lookups' \
 -j RETURN
 iptables \
+-w \
 -A HJ-vnet0 \
 -p udp \
 --dport 53 \
@ -58,18 +65,21 @@ iptables \
 --comment 'out: DNS lookups' \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -m comment \
 --comment 'inout: drop all non-accepted traffic' \
 -j DROP
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m comment \
 --comment 'inout: drop all non-accepted traffic' \
 -j DROP
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -m comment \
--- a/tests/nwfilterxml2firewalldata/hex-data-linux.args
+++ b/tests/nwfilterxml2firewalldata/hex-data-linux.args
@ -1,9 +1,11 @@
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -p 0x1234 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -17,6 +19,7 @@ ebtables \
 --ip-tos 0x32 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
@ -29,6 +32,7 @@ ebtables \
 --ip6-destination-port 13107:65535 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -41,6 +45,7 @@ ebtables \
 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
 -j ACCEPT
 iptables \
+-w \
 -A FJ-vnet0 \
 -p udp \
 -m mac \
@ -54,6 +59,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p udp \
 --source 10.1.2.3/32 \
@ -65,6 +71,7 @@ iptables \
 --state ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p udp \
 -m mac \
@ -78,6 +85,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p tcp \
 --destination a:b:c::/128 \
@ -89,6 +97,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 -m mac \
@ -102,6 +111,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p tcp \
 --destination a:b:c::/128 \
--- a/tests/nwfilterxml2firewalldata/icmp-direction-linux.args
+++ b/tests/nwfilterxml2firewalldata/icmp-direction-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 -A FP-vnet0 \
 -p icmp \
 --icmp-type 0 \
@ -6,6 +7,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A FJ-vnet0 \
 -p icmp \
 --icmp-type 8 \
@ -13,6 +15,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A HJ-vnet0 \
 -p icmp \
 --icmp-type 8 \
@ -20,14 +23,17 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p icmp \
 -j DROP
 iptables \
+-w \
 -A FP-vnet0 \
 -p icmp \
 -j DROP
 iptables \
+-w \
 -A HJ-vnet0 \
 -p icmp \
 -j DROP
--- a/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
+++ b/tests/nwfilterxml2firewalldata/icmp-direction2-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 -A FP-vnet0 \
 -p icmp \
 --icmp-type 8 \
@ -6,6 +7,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A FJ-vnet0 \
 -p icmp \
 --icmp-type 0 \
@ -13,6 +15,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A HJ-vnet0 \
 -p icmp \
 --icmp-type 0 \
@ -20,14 +23,17 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p icmp \
 -j DROP
 iptables \
+-w \
 -A FP-vnet0 \
 -p icmp \
 -j DROP
 iptables \
+-w \
 -A HJ-vnet0 \
 -p icmp \
 -j DROP
--- a/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
+++ b/tests/nwfilterxml2firewalldata/icmp-direction3-linux.args
@ -1,30 +1,36 @@
 iptables \
+-w \
 -A FJ-vnet0 \
 -p icmp \
 -m state \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p icmp \
 -m state \
 --state ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p icmp \
 -m state \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -j DROP
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -j DROP
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -j DROP
--- a/tests/nwfilterxml2firewalldata/icmp-linux.args
+++ b/tests/nwfilterxml2firewalldata/icmp-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 -A FJ-vnet0 \
 -p icmp \
 -m mac \
@ -11,6 +12,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A HJ-vnet0 \
 -p icmp \
 -m mac \
@ -23,6 +25,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p icmp \
 -m mac \
--- a/tests/nwfilterxml2firewalldata/icmpv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/icmpv6-linux.args
@ -1,4 +1,5 @@
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p icmpv6 \
 -m mac \
@ -12,6 +13,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p icmpv6 \
 -m mac \
@ -25,6 +27,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p icmpv6 \
 -m mac \
@ -37,6 +40,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p icmpv6 \
 -m mac \
--- a/tests/nwfilterxml2firewalldata/igmp-linux.args
+++ b/tests/nwfilterxml2firewalldata/igmp-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 -A FJ-vnet0 \
 -p igmp \
 -m mac \
@ -10,6 +11,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p igmp \
 --source 10.1.2.3/32 \
@ -19,6 +21,7 @@ iptables \
 --state ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p igmp \
 -m mac \
@ -30,6 +33,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p igmp \
 --destination 10.1.2.3/22 \
@ -39,6 +43,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p igmp \
 -m mac \
@ -50,6 +55,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p igmp \
 --destination 10.1.2.3/22 \
@ -59,6 +65,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p igmp \
 --destination 10.1.2.3/22 \
@ -68,6 +75,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p igmp \
 -m mac \
@ -79,6 +87,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p igmp \
 --destination 10.1.2.3/22 \
--- a/tests/nwfilterxml2firewalldata/ip-linux.args
+++ b/tests/nwfilterxml2firewalldata/ip-linux.args
@ -1,4 +1,5 @@
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -11,6 +12,7 @@ ebtables \
 --ip-destination-port 100:101 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -p ipv4 \
@ -20,6 +22,7 @@ ebtables \
 --ip-tos 0x3f \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -p ipv4 \
--- a/tests/nwfilterxml2firewalldata/ipset-linux.args
+++ b/tests/nwfilterxml2firewalldata/ipset-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -m state \
@ -7,6 +8,7 @@ iptables \
 --match-set tck_test src,dst \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m state \
@ -15,6 +17,7 @@ iptables \
 --match-set tck_test dst,src \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -m state \
@ -23,6 +26,7 @@ iptables \
 --match-set tck_test src,dst \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m set \
@ -31,6 +35,7 @@ iptables \
 --comment in+NONE \
 -j ACCEPT
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -m set \
@ -39,6 +44,7 @@ iptables \
 --comment out+NONE \
 -j RETURN
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -m set \
@ -47,6 +53,7 @@ iptables \
 --comment out+NONE \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -m state \
@ -55,6 +62,7 @@ iptables \
 --match-set tck_test dst,src,dst \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m state \
@ -63,6 +71,7 @@ iptables \
 --match-set tck_test src,dst,src \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -m state \
@ -71,6 +80,7 @@ iptables \
 --match-set tck_test dst,src,dst \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -m state \
@ -79,6 +89,7 @@ iptables \
 --match-set tck_test dst,src,dst \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m state \
@ -87,6 +98,7 @@ iptables \
 --match-set tck_test src,dst,src \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -m state \
@ -95,6 +107,7 @@ iptables \
 --match-set tck_test dst,src,dst \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -m state \
@ -103,6 +116,7 @@ iptables \
 --match-set tck_test dst,src \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m state \
@ -111,6 +125,7 @@ iptables \
 --match-set tck_test src,dst \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -m state \
@ -119,6 +134,7 @@ iptables \
 --match-set tck_test dst,src \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -m set \
@ -127,6 +143,7 @@ iptables \
 --comment inout \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m set \
@ -135,6 +152,7 @@ iptables \
 --comment inout \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -m set \
--- a/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args
+++ b/tests/nwfilterxml2firewalldata/ipt-no-macspoof-linux.args
@ -1,10 +1,12 @@
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m mac '!' \
 --mac-source 12:34:56:78:9a:bc \
 -j DROP
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m mac '!' \
--- a/tests/nwfilterxml2firewalldata/ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/ipv6-linux.args
@ -1,4 +1,5 @@
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:fe \
@ -11,6 +12,7 @@ ebtables \
 --ip6-destination-port 100:101 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -p ipv6 \
@ -21,6 +23,7 @@ ebtables \
 --ip6-source-port 100:101 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -p ipv6 \
@ -31,6 +34,7 @@ ebtables \
 --ip6-destination-port 100:101 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -p ipv6 \
@ -41,6 +45,7 @@ ebtables \
 --ip6-source-port 65535:65535 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -p ipv6 \
@ -51,6 +56,7 @@ ebtables \
 --ip6-destination-port 65535:65535 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -p ipv6 \
@ -59,6 +65,7 @@ ebtables \
 --ip6-protocol 18 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -p ipv6 \
@ -67,6 +74,7 @@ ebtables \
 --ip6-protocol 18 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -p ipv6 \
@ -76,6 +84,7 @@ ebtables \
 --ip6-icmp-type 1:11/10:11 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -p ipv6 \
@ -85,6 +94,7 @@ ebtables \
 --ip6-icmp-type 1:11/10:11 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -p ipv6 \
@ -94,6 +104,7 @@ ebtables \
 --ip6-icmp-type 1:1/10:10 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -p ipv6 \
@ -103,6 +114,7 @@ ebtables \
 --ip6-icmp-type 1:1/10:10 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -p ipv6 \
@ -112,6 +124,7 @@ ebtables \
 --ip6-icmp-type 0:255/10:10 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -p ipv6 \
@ -121,6 +134,7 @@ ebtables \
 --ip6-icmp-type 0:255/10:10 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -p ipv6 \
@ -130,6 +144,7 @@ ebtables \
 --ip6-icmp-type 1:1/0:255 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -p ipv6 \
--- a/tests/nwfilterxml2firewalldata/iter1-linux.args
+++ b/tests/nwfilterxml2firewalldata/iter1-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 -A FJ-vnet0 \
 -p tcp \
 --source 1.1.1.1 \
@ -9,6 +10,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 --destination 1.1.1.1 \
@ -19,6 +21,7 @@ iptables \
 --state ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p tcp \
 --source 1.1.1.1 \
@ -29,6 +32,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p tcp \
 --source 2.2.2.2 \
@ -39,6 +43,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 --destination 2.2.2.2 \
@ -49,6 +54,7 @@ iptables \
 --state ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p tcp \
 --source 2.2.2.2 \
@ -59,6 +65,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p tcp \
 --source 3.3.3.3 \
@ -69,6 +76,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 --destination 3.3.3.3 \
@ -79,6 +87,7 @@ iptables \
 --state ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p tcp \
 --source 3.3.3.3 \
--- a/tests/nwfilterxml2firewalldata/iter2-linux.args
+++ b/tests/nwfilterxml2firewalldata/iter2-linux.args
--- a/tests/nwfilterxml2firewalldata/iter3-linux.args
+++ b/tests/nwfilterxml2firewalldata/iter3-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 -A FJ-vnet0 \
 -p tcp \
 --source 1.1.1.1 \
@ -9,6 +10,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 --destination 1.1.1.1 \
@ -19,6 +21,7 @@ iptables \
 --state ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p tcp \
 --source 1.1.1.1 \
@ -29,6 +32,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p tcp \
 --source 1.1.1.1 \
@ -39,6 +43,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 --destination 1.1.1.1 \
@ -49,6 +54,7 @@ iptables \
 --state ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p tcp \
 --source 1.1.1.1 \
@ -59,6 +65,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p udp \
 --source 2.2.2.2 \
@ -69,6 +76,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p udp \
 --destination 2.2.2.2 \
@ -79,6 +87,7 @@ iptables \
 --state ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p udp \
 --source 2.2.2.2 \
@ -89,6 +98,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p udp \
 --source 2.2.2.2 \
@ -99,6 +109,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p udp \
 --destination 2.2.2.2 \
@ -109,6 +120,7 @@ iptables \
 --state ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p udp \
 --source 2.2.2.2 \
@ -119,6 +131,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p sctp \
 --source 2.2.2.2 \
@ -130,6 +143,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p sctp \
 --destination 2.2.2.2 \
@ -141,6 +155,7 @@ iptables \
 --state ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p sctp \
 --source 2.2.2.2 \
--- a/tests/nwfilterxml2firewalldata/mac-linux.args
+++ b/tests/nwfilterxml2firewalldata/mac-linux.args
@ -1,22 +1,26 @@
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
 -p 0x806 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
 -p 0x800 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
 -p 0x600 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
--- a/tests/nwfilterxml2firewalldata/rarp-linux.args
+++ b/tests/nwfilterxml2firewalldata/rarp-linux.args
@ -1,7 +1,9 @@
 ebtables \
+--concurrent \
 -t nat \
 -N libvirt-J-vnet0
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -14,6 +16,7 @@ ebtables \
 --arp-mac-dst 0a:0b:0c:0d:0e:0f \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -23,6 +26,7 @@ ebtables \
 --arp-ptype 0xff \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -32,6 +36,7 @@ ebtables \
 --arp-ptype 0x100 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -41,6 +46,7 @@ ebtables \
 --arp-ptype 0xffff \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A PREROUTING \
 -i vnet0 \
--- a/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/sctp-ipv6-linux.args
@ -1,4 +1,5 @@
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p sctp \
 -m mac \
@ -10,6 +11,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p sctp \
 --source a:b:c::d:e:f/128 \
@ -19,6 +21,7 @@ ip6tables \
 --state ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p sctp \
 -m mac \
@ -30,6 +33,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p sctp \
 --destination a:b:c::/128 \
@ -41,6 +45,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p sctp \
 -m mac \
@ -54,6 +59,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p sctp \
 --destination a:b:c::/128 \
@ -65,6 +71,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p sctp \
 --destination ::10.1.2.3/128 \
@ -76,6 +83,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p sctp \
 -m mac \
@ -89,6 +97,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p sctp \
 --destination ::10.1.2.3/128 \
--- a/tests/nwfilterxml2firewalldata/sctp-linux.args
+++ b/tests/nwfilterxml2firewalldata/sctp-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 -A FJ-vnet0 \
 -p sctp \
 -m mac \
@ -10,6 +11,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p sctp \
 --source 10.1.2.3/32 \
@ -19,6 +21,7 @@ iptables \
 --state ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p sctp \
 -m mac \
@ -30,6 +33,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p sctp \
 --destination 10.1.2.3/32 \
@ -41,6 +45,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p sctp \
 -m mac \
@ -54,6 +59,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p sctp \
 --destination 10.1.2.3/32 \
@ -65,6 +71,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p sctp \
 --destination 10.1.2.3/32 \
@ -76,6 +83,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p sctp \
 -m mac \
@ -89,6 +97,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p sctp \
 --destination 10.1.2.3/32 \
--- a/tests/nwfilterxml2firewalldata/stp-linux.args
+++ b/tests/nwfilterxml2firewalldata/stp-linux.args
@ -1,32 +1,41 @@
 ebtables \
+--concurrent \
 -t nat \
 -F J-vnet0-stp-xyz
 ebtables \
+--concurrent \
 -t nat \
 -X J-vnet0-stp-xyz
 ebtables \
+--concurrent \
 -t nat \
 -N J-vnet0-stp-xyz
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -d 01:80:c2:00:00:00 \
 -j J-vnet0-stp-xyz
 ebtables \
+--concurrent \
 -t nat \
 -F P-vnet0-stp-xyz
 ebtables \
+--concurrent \
 -t nat \
 -X P-vnet0-stp-xyz
 ebtables \
+--concurrent \
 -t nat \
 -N P-vnet0-stp-xyz
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -d 01:80:c2:00:00:00 \
 -j P-vnet0-stp-xyz
 ebtables \
+--concurrent \
 -t nat \
 -A P-vnet0-stp-xyz \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -35,6 +44,7 @@ ebtables \
 --stp-flags 68 \
 -j CONTINUE
 ebtables \
+--concurrent \
 -t nat \
 -A J-vnet0-stp-xyz \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -44,6 +54,7 @@ ebtables \
 --stp-root-cost 287454020:573785173 \
 -j RETURN
 ebtables \
+--concurrent \
 -t nat \
 -A P-vnet0-stp-xyz \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--- a/tests/nwfilterxml2firewalldata/target-linux.args
+++ b/tests/nwfilterxml2firewalldata/target-linux.args
@ -1,40 +1,47 @@
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
 -p 0x806 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
 -p 0x806 \
 -j DROP
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
 -p 0x806 \
 -j DROP
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
 -p 0x800 \
 -j ACCEPT
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
 -p 0x800 \
 -j DROP
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
 -p 0x800 \
 -j DROP
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -m mac \
@ -49,6 +56,7 @@ iptables \
 -- dir out' \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 --source 10.1.2.3/32 \
@ -61,6 +69,7 @@ iptables \
 -- dir out' \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -m mac \
@ -75,6 +84,7 @@ iptables \
 -- dir out' \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -m mac \
@ -87,6 +97,7 @@ iptables \
 -- dir out' \
 -j DROP
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 --source 10.1.2.3/32 \
@ -97,6 +108,7 @@ iptables \
 -- dir out' \
 -j DROP
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -m mac \
@ -109,6 +121,7 @@ iptables \
 -- dir out' \
 -j DROP
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -m mac \
@ -121,6 +134,7 @@ iptables \
 -- dir out' \
 -j REJECT
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 --source 10.1.2.3/32 \
@ -131,6 +145,7 @@ iptables \
 -- dir out' \
 -j REJECT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -m mac \
@ -143,6 +158,7 @@ iptables \
 -- dir out' \
 -j REJECT
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 --destination 10.1.2.3/22 \
@ -155,6 +171,7 @@ iptables \
 -- dir in' \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m mac \
@ -169,6 +186,7 @@ iptables \
 -- dir in' \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 --destination 10.1.2.3/22 \
@ -181,6 +199,7 @@ iptables \
 -- dir in' \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 --destination 10.1.2.3/22 \
@ -191,6 +210,7 @@ iptables \
 -- dir in' \
 -j DROP
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m mac \
@ -203,6 +223,7 @@ iptables \
 -- dir in' \
 -j DROP
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 --destination 10.1.2.3/22 \
@ -213,6 +234,7 @@ iptables \
 -- dir in' \
 -j DROP
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 --destination 10.1.2.3/22 \
@ -223,6 +245,7 @@ iptables \
 -- dir in' \
 -j REJECT
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m mac \
@ -235,6 +258,7 @@ iptables \
 -- dir in' \
 -j REJECT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 --destination 10.1.2.3/22 \
@ -245,6 +269,7 @@ iptables \
 -- dir in' \
 -j REJECT
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -m comment \
@ -252,6 +277,7 @@ iptables \
 -- dir inout' \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m comment \
@ -259,6 +285,7 @@ iptables \
 -- dir inout' \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -m comment \
@ -266,6 +293,7 @@ iptables \
 -- dir inout' \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -m comment \
@ -273,6 +301,7 @@ iptables \
 -- dir inout' \
 -j DROP
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m comment \
@ -280,6 +309,7 @@ iptables \
 -- dir inout' \
 -j DROP
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -m comment \
@ -287,6 +317,7 @@ iptables \
 -- dir inout' \
 -j DROP
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -m comment \
@ -294,6 +325,7 @@ iptables \
 -- dir inout' \
 -j REJECT
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -m comment \
@ -301,6 +333,7 @@ iptables \
 -- dir inout' \
 -j REJECT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -m comment \
--- a/tests/nwfilterxml2firewalldata/target2-linux.args
+++ b/tests/nwfilterxml2firewalldata/target2-linux.args
@ -1,19 +1,23 @@
 iptables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 --dport 22 \
 -j ACCEPT
 iptables \
+-w \
 -A FJ-vnet0 \
 -p tcp \
 --sport 22 \
 -j RETURN
 iptables \
+-w \
 -A HJ-vnet0 \
 -p tcp \
 --sport 22 \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p tcp \
 --sport 80 \
@ -21,6 +25,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 --dport 80 \
@ -28,6 +33,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p tcp \
 --sport 80 \
@ -35,26 +41,32 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p tcp \
 -j REJECT
 iptables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 -j REJECT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p tcp \
 -j REJECT
 iptables \
+-w \
 -A FJ-vnet0 \
 -p all \
 -j DROP
 iptables \
+-w \
 -A FP-vnet0 \
 -p all \
 -j DROP
 iptables \
+-w \
 -A HJ-vnet0 \
 -p all \
 -j DROP
--- a/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/tcp-ipv6-linux.args
@ -1,4 +1,5 @@
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p tcp \
 -m mac \
@ -10,6 +11,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 --source a:b:c::d:e:f/128 \
@ -19,6 +21,7 @@ ip6tables \
 --state ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p tcp \
 -m mac \
@ -30,6 +33,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p tcp \
 --destination a:b:c::/128 \
@ -41,6 +45,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 -m mac \
@ -54,6 +59,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p tcp \
 --destination a:b:c::/128 \
@ -65,6 +71,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p tcp \
 --destination ::10.1.2.3/128 \
@ -76,6 +83,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 -m mac \
@ -89,6 +97,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p tcp \
 --destination ::10.1.2.3/128 \
--- a/tests/nwfilterxml2firewalldata/tcp-linux.args
+++ b/tests/nwfilterxml2firewalldata/tcp-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 -A FJ-vnet0 \
 -p tcp \
 -m mac \
@ -10,6 +11,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 --source 10.1.2.3/32 \
@ -19,6 +21,7 @@ iptables \
 --state ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p tcp \
 -m mac \
@ -30,6 +33,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p tcp \
 --destination 10.1.2.3/32 \
@ -39,6 +43,7 @@ iptables \
 --sport 100:1111 \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 -m mac \
@ -50,6 +55,7 @@ iptables \
 --dport 100:1111 \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p tcp \
 --destination 10.1.2.3/32 \
@ -59,6 +65,7 @@ iptables \
 --sport 100:1111 \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p tcp \
 --destination 10.1.2.3/32 \
@ -68,6 +75,7 @@ iptables \
 --sport 65535:65535 \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 -m mac \
@ -79,6 +87,7 @@ iptables \
 --dport 65535:65535 \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p tcp \
 --destination 10.1.2.3/32 \
@ -88,21 +97,25 @@ iptables \
 --sport 65535:65535 \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 --tcp-flags SYN ALL \
 -j ACCEPT
 iptables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 --tcp-flags SYN SYN,ACK \
 -j ACCEPT
 iptables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 --tcp-flags RST NONE \
 -j ACCEPT
 iptables \
+-w \
 -A FP-vnet0 \
 -p tcp \
 --tcp-flags PSH NONE \
--- a/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/udp-ipv6-linux.args
@ -1,4 +1,5 @@
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p udp \
 -m mac \
@ -10,6 +11,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p udp \
 --source a:b:c::d:e:f/128 \
@ -19,6 +21,7 @@ ip6tables \
 --state ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p udp \
 -m mac \
@ -30,6 +33,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p udp \
 --destination ::a:b:c/128 \
@ -41,6 +45,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p udp \
 -m mac \
@ -54,6 +59,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p udp \
 --destination ::a:b:c/128 \
@ -65,6 +71,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p udp \
 --destination ::10.1.2.3/128 \
@ -76,6 +83,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p udp \
 -m mac \
@ -89,6 +97,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p udp \
 --destination ::10.1.2.3/128 \
--- a/tests/nwfilterxml2firewalldata/udp-linux.args
+++ b/tests/nwfilterxml2firewalldata/udp-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 -A FJ-vnet0 \
 -p udp \
 -m mac \
@ -10,6 +11,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p udp \
 --source 10.1.2.3/32 \
@ -19,6 +21,7 @@ iptables \
 --state ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p udp \
 -m mac \
@ -30,6 +33,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p udp \
 --destination 10.1.2.3/32 \
@ -41,6 +45,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p udp \
 -m mac \
@ -54,6 +59,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p udp \
 --destination 10.1.2.3/32 \
@ -65,6 +71,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p udp \
 --destination 10.1.2.3/32 \
@ -76,6 +83,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p udp \
 -m mac \
@ -89,6 +97,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p udp \
 --destination 10.1.2.3/32 \
--- a/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
+++ b/tests/nwfilterxml2firewalldata/udplite-ipv6-linux.args
@ -1,4 +1,5 @@
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p udplite \
 -m mac \
@ -11,6 +12,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p udplite \
 --destination f:e:d::c:b:a/127 \
@ -21,6 +23,7 @@ ip6tables \
 --state ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p udplite \
 -m mac \
@ -33,6 +36,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p udplite \
 --destination a:b:c::/128 \
@ -42,6 +46,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p udplite \
 -m mac \
@ -53,6 +58,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p udplite \
 --destination a:b:c::/128 \
@ -62,6 +68,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FJ-vnet0 \
 -p udplite \
 --destination ::10.1.2.3/128 \
@ -71,6 +78,7 @@ ip6tables \
 --state ESTABLISHED \
 -j RETURN
 ip6tables \
+-w \
 -A FP-vnet0 \
 -p udplite \
 -m mac \
@ -82,6 +90,7 @@ ip6tables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 ip6tables \
+-w \
 -A HJ-vnet0 \
 -p udplite \
 --destination ::10.1.2.3/128 \
--- a/tests/nwfilterxml2firewalldata/udplite-linux.args
+++ b/tests/nwfilterxml2firewalldata/udplite-linux.args
@ -1,4 +1,5 @@
 iptables \
+-w \
 -A FJ-vnet0 \
 -p udplite \
 -m mac \
@ -10,6 +11,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p udplite \
 --source 10.1.2.3/32 \
@ -19,6 +21,7 @@ iptables \
 --state ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p udplite \
 -m mac \
@ -30,6 +33,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p udplite \
 --destination 10.1.2.3/22 \
@ -39,6 +43,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p udplite \
 -m mac \
@ -50,6 +55,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p udplite \
 --destination 10.1.2.3/22 \
@ -59,6 +65,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FJ-vnet0 \
 -p udplite \
 --destination 10.1.2.3/22 \
@ -68,6 +75,7 @@ iptables \
 --state ESTABLISHED \
 -j RETURN
 iptables \
+-w \
 -A FP-vnet0 \
 -p udplite \
 -m mac \
@ -79,6 +87,7 @@ iptables \
 --state NEW,ESTABLISHED \
 -j ACCEPT
 iptables \
+-w \
 -A HJ-vnet0 \
 -p udplite \
 --destination 10.1.2.3/22 \
--- a/tests/nwfilterxml2firewalldata/vlan-linux.args
+++ b/tests/nwfilterxml2firewalldata/vlan-linux.args
@ -1,4 +1,5 @@
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -7,6 +8,7 @@ ebtables \
 --vlan-id 291 \
 -j CONTINUE
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -15,6 +17,7 @@ ebtables \
 --vlan-id 291 \
 -j CONTINUE
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -d 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -23,6 +26,7 @@ ebtables \
 --vlan-id 1234 \
 -j RETURN
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -31,6 +35,7 @@ ebtables \
 --vlan-id 1234 \
 -j RETURN
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-P-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -39,6 +44,7 @@ ebtables \
 --vlan-id 291 \
 -j DROP
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
@ -47,6 +53,7 @@ ebtables \
 --vlan-encap 2054 \
 -j DROP
 ebtables \
+--concurrent \
 -t nat \
 -A libvirt-J-vnet0 \
 -s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
--- a/tests/nwfilterxml2firewalltest.c
+++ b/tests/nwfilterxml2firewalltest.c
@ -58,90 +58,90 @@ struct _virNWFilterInst {

 static const char *commonRules[] = {
    /* Dropping ebtables rules */
-    "ebtables -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
-    "ebtables -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
-    "ebtables -t nat -L libvirt-J-vnet0\n"
-    "ebtables -t nat -L libvirt-P-vnet0\n"
-    "ebtables -t nat -F libvirt-J-vnet0\n"
-    "ebtables -t nat -X libvirt-J-vnet0\n"
-    "ebtables -t nat -F libvirt-P-vnet0\n"
-    "ebtables -t nat -X libvirt-P-vnet0\n",
+    "ebtables --concurrent -t nat -D PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
+    "ebtables --concurrent -t nat -D POSTROUTING -o vnet0 -j libvirt-P-vnet0\n"
+    "ebtables --concurrent -t nat -L libvirt-J-vnet0\n"
+    "ebtables --concurrent -t nat -L libvirt-P-vnet0\n"
+    "ebtables --concurrent -t nat -F libvirt-J-vnet0\n"
+    "ebtables --concurrent -t nat -X libvirt-J-vnet0\n"
+    "ebtables --concurrent -t nat -F libvirt-P-vnet0\n"
+    "ebtables --concurrent -t nat -X libvirt-P-vnet0\n",

    /* Creating ebtables chains */
-    "ebtables -t nat -N libvirt-J-vnet0\n"
-    "ebtables -t nat -N libvirt-P-vnet0\n",
+    "ebtables --concurrent -t nat -N libvirt-J-vnet0\n"
+    "ebtables --concurrent -t nat -N libvirt-P-vnet0\n",

    /* Dropping iptables rules */
-    "iptables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
-    "iptables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n"
-    "iptables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
-    "iptables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
-    "iptables -F FP-vnet0\n"
-    "iptables -X FP-vnet0\n"
-    "iptables -F FJ-vnet0\n"
-    "iptables -X FJ-vnet0\n"
-    "iptables -F HJ-vnet0\n"
-    "iptables -X HJ-vnet0\n",
+    "iptables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
+    "iptables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n"
+    "iptables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
+    "iptables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
+    "iptables -w -F FP-vnet0\n"
+    "iptables -w -X FP-vnet0\n"
+    "iptables -w -F FJ-vnet0\n"
+    "iptables -w -X FJ-vnet0\n"
+    "iptables -w -F HJ-vnet0\n"
+    "iptables -w -X HJ-vnet0\n",

    /* Creating iptables chains */
-    "iptables -N libvirt-in\n"
-    "iptables -N libvirt-out\n"
-    "iptables -N libvirt-in-post\n"
-    "iptables -N libvirt-host-in\n"
-    "iptables -D FORWARD -j libvirt-in\n"
-    "iptables -D FORWARD -j libvirt-out\n"
-    "iptables -D FORWARD -j libvirt-in-post\n"
-    "iptables -D INPUT -j libvirt-host-in\n"
-    "iptables -I FORWARD 1 -j libvirt-in\n"
-    "iptables -I FORWARD 2 -j libvirt-out\n"
-    "iptables -I FORWARD 3 -j libvirt-in-post\n"
-    "iptables -I INPUT 1 -j libvirt-host-in\n"
-    "iptables -N FP-vnet0\n"
-    "iptables -N FJ-vnet0\n"
-    "iptables -N HJ-vnet0\n"
-    "iptables -A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
-    "iptables -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
-    "iptables -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
-    "iptables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
-    "iptables -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n",
+    "iptables -w -N libvirt-in\n"
+    "iptables -w -N libvirt-out\n"
+    "iptables -w -N libvirt-in-post\n"
+    "iptables -w -N libvirt-host-in\n"
+    "iptables -w -D FORWARD -j libvirt-in\n"
+    "iptables -w -D FORWARD -j libvirt-out\n"
+    "iptables -w -D FORWARD -j libvirt-in-post\n"
+    "iptables -w -D INPUT -j libvirt-host-in\n"
+    "iptables -w -I FORWARD 1 -j libvirt-in\n"
+    "iptables -w -I FORWARD 2 -j libvirt-out\n"
+    "iptables -w -I FORWARD 3 -j libvirt-in-post\n"
+    "iptables -w -I INPUT 1 -j libvirt-host-in\n"
+    "iptables -w -N FP-vnet0\n"
+    "iptables -w -N FJ-vnet0\n"
+    "iptables -w -N HJ-vnet0\n"
+    "iptables -w -A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
+    "iptables -w -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
+    "iptables -w -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
+    "iptables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+    "iptables -w -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n",

    /* Dropping ip6tables rules */
-    "ip6tables -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
-    "ip6tables -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n"
-    "ip6tables -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
-    "ip6tables -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
-    "ip6tables -F FP-vnet0\n"
-    "ip6tables -X FP-vnet0\n"
-    "ip6tables -F FJ-vnet0\n"
-    "ip6tables -X FJ-vnet0\n"
-    "ip6tables -F HJ-vnet0\n"
-    "ip6tables -X HJ-vnet0\n",
+    "ip6tables -w -D libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
+    "ip6tables -w -D libvirt-out -m physdev --physdev-out vnet0 -g FP-vnet0\n"
+    "ip6tables -w -D libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
+    "ip6tables -w -D libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
+    "ip6tables -w -F FP-vnet0\n"
+    "ip6tables -w -X FP-vnet0\n"
+    "ip6tables -w -F FJ-vnet0\n"
+    "ip6tables -w -X FJ-vnet0\n"
+    "ip6tables -w -F HJ-vnet0\n"
+    "ip6tables -w -X HJ-vnet0\n",

    /* Creating ip6tables chains */
-    "ip6tables -N libvirt-in\n"
-    "ip6tables -N libvirt-out\n"
-    "ip6tables -N libvirt-in-post\n"
-    "ip6tables -N libvirt-host-in\n"
-    "ip6tables -D FORWARD -j libvirt-in\n"
-    "ip6tables -D FORWARD -j libvirt-out\n"
-    "ip6tables -D FORWARD -j libvirt-in-post\n"
-    "ip6tables -D INPUT -j libvirt-host-in\n"
-    "ip6tables -I FORWARD 1 -j libvirt-in\n"
-    "ip6tables -I FORWARD 2 -j libvirt-out\n"
-    "ip6tables -I FORWARD 3 -j libvirt-in-post\n"
-    "ip6tables -I INPUT 1 -j libvirt-host-in\n"
-    "ip6tables -N FP-vnet0\n"
-    "ip6tables -N FJ-vnet0\n"
-    "ip6tables -N HJ-vnet0\n"
-    "ip6tables -A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
-    "ip6tables -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
-    "ip6tables -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
-    "ip6tables -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
-    "ip6tables -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n",
+    "ip6tables -w -N libvirt-in\n"
+    "ip6tables -w -N libvirt-out\n"
+    "ip6tables -w -N libvirt-in-post\n"
+    "ip6tables -w -N libvirt-host-in\n"
+    "ip6tables -w -D FORWARD -j libvirt-in\n"
+    "ip6tables -w -D FORWARD -j libvirt-out\n"
+    "ip6tables -w -D FORWARD -j libvirt-in-post\n"
+    "ip6tables -w -D INPUT -j libvirt-host-in\n"
+    "ip6tables -w -I FORWARD 1 -j libvirt-in\n"
+    "ip6tables -w -I FORWARD 2 -j libvirt-out\n"
+    "ip6tables -w -I FORWARD 3 -j libvirt-in-post\n"
+    "ip6tables -w -I INPUT 1 -j libvirt-host-in\n"
+    "ip6tables -w -N FP-vnet0\n"
+    "ip6tables -w -N FJ-vnet0\n"
+    "ip6tables -w -N HJ-vnet0\n"
+    "ip6tables -w -A libvirt-out -m physdev --physdev-is-bridged --physdev-out vnet0 -g FP-vnet0\n"
+    "ip6tables -w -A libvirt-in -m physdev --physdev-in vnet0 -g FJ-vnet0\n"
+    "ip6tables -w -A libvirt-host-in -m physdev --physdev-in vnet0 -g HJ-vnet0\n"
+    "ip6tables -w -D libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n"
+    "ip6tables -w -A libvirt-in-post -m physdev --physdev-in vnet0 -j ACCEPT\n",

    /* Inserting ebtables rules */
-    "ebtables -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
-    "ebtables -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n",
+    "ebtables --concurrent -t nat -A PREROUTING -i vnet0 -j libvirt-J-vnet0\n"
+    "ebtables --concurrent -t nat -A POSTROUTING -o vnet0 -j libvirt-P-vnet0\n",
 };


--- a/tests/virfirewalltest.c
+++ b/tests/virfirewalltest.c
@ -149,15 +149,17 @@ VIR_MOCK_WRAP_RET_ARGS(g_dbus_connection_call_sync,
                *error = g_dbus_error_new_for_dbus_error("org.firewalld.error",
                                                         "something bad happened");
        } else {
-            if (nargs == 1 &&
+            if (nargs == 2 &&
                STREQ(type, "ipv4") &&
-                STREQ(args[0], "-L")) {
+                STREQ(args[0], "-w") &&
+                STREQ(args[1], "-L")) {
                reply = g_variant_new("(s)", TEST_FILTER_TABLE_LIST);
-            } else if (nargs == 3 &&
+            } else if (nargs == 4 &&
                       STREQ(type, "ipv4") &&
-                       STREQ(args[0], "-t") &&
-                       STREQ(args[1], "nat") &&
-                       STREQ(args[2], "-L")) {
+                       STREQ(args[0], "-w") &&
+                       STREQ(args[1], "-t") &&
+                       STREQ(args[2], "nat") &&
+                       STREQ(args[3], "-L")) {
                reply = g_variant_new("(s)", TEST_NAT_TABLE_LIST);
            } else {
                reply = g_variant_new("(s)", "success");
@ -184,8 +186,8 @@ testFirewallSingleGroup(const void *opaque)
    int ret = -1;
    const char *actual = NULL;
    const char *expected =
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
-        IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+        IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
    const struct testFirewallData *data = opaque;

    fwDisabled = data->fwDisabled;
@ -236,8 +238,8 @@ testFirewallRemoveRule(const void *opaque)
    int ret = -1;
    const char *actual = NULL;
    const char *expected =
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
-        IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+        IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
    const struct testFirewallData *data = opaque;
    virFirewallRulePtr fwrule;

@ -295,10 +297,10 @@ testFirewallManyGroups(const void *opaque G_GNUC_UNUSED)
    int ret = -1;
    const char *actual = NULL;
    const char *expected =
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
-        IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n"
-        IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
-        IPTABLES_PATH " -A OUTPUT --jump DROP\n";
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+        IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump REJECT\n"
+        IPTABLES_PATH " -w -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+        IPTABLES_PATH " -w -A OUTPUT --jump DROP\n";
    const struct testFirewallData *data = opaque;

    fwDisabled = data->fwDisabled;
@ -382,10 +384,10 @@ testFirewallIgnoreFailGroup(const void *opaque G_GNUC_UNUSED)
    int ret = -1;
    const char *actual = NULL;
    const char *expected =
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
-        IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
-        IPTABLES_PATH " -A OUTPUT --jump DROP\n";
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
+        IPTABLES_PATH " -w -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+        IPTABLES_PATH " -w -A OUTPUT --jump DROP\n";
    const struct testFirewallData *data = opaque;

    fwDisabled = data->fwDisabled;
@ -450,10 +452,10 @@ testFirewallIgnoreFailRule(const void *opaque G_GNUC_UNUSED)
    int ret = -1;
    const char *actual = NULL;
    const char *expected =
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
-        IPTABLES_PATH " -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
-        IPTABLES_PATH " -A OUTPUT --jump DROP\n";
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
+        IPTABLES_PATH " -w -A OUTPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+        IPTABLES_PATH " -w -A OUTPUT --jump DROP\n";
    const struct testFirewallData *data = opaque;

    fwDisabled = data->fwDisabled;
@ -517,8 +519,8 @@ testFirewallNoRollback(const void *opaque G_GNUC_UNUSED)
    int ret = -1;
    const char *actual = NULL;
    const char *expected =
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n";
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump REJECT\n";
    const struct testFirewallData *data = opaque;

    fwDisabled = data->fwDisabled;
@ -577,11 +579,11 @@ testFirewallSingleRollback(const void *opaque G_GNUC_UNUSED)
    int ret = -1;
    const char *actual = NULL;
    const char *expected =
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
-        IPTABLES_PATH " -D INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
-        IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
-        IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
+        IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+        IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
+        IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
    const struct testFirewallData *data = opaque;

    fwDisabled = data->fwDisabled;
@ -657,10 +659,10 @@ testFirewallManyRollback(const void *opaque G_GNUC_UNUSED)
    int ret = -1;
    const char *actual = NULL;
    const char *expected =
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
-        IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
-        IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
+        IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
+        IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
    const struct testFirewallData *data = opaque;

    fwDisabled = data->fwDisabled;
@ -740,14 +742,14 @@ testFirewallChainedRollback(const void *opaque G_GNUC_UNUSED)
    int ret = -1;
    const char *actual = NULL;
    const char *expected =
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.127 --jump REJECT\n"
-        IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n"
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
-        IPTABLES_PATH " -D INPUT --source-host 192.168.122.127 --jump REJECT\n"
-        IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n"
-        IPTABLES_PATH " -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
-        IPTABLES_PATH " -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.127 --jump REJECT\n"
+        IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump REJECT\n"
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.255 --jump REJECT\n"
+        IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.127 --jump REJECT\n"
+        IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump REJECT\n"
+        IPTABLES_PATH " -w -D INPUT --source-host 192.168.122.255 --jump REJECT\n"
+        IPTABLES_PATH " -w -D INPUT --source-host '!192.168.122.1' --jump REJECT\n";
    const struct testFirewallData *data = opaque;

    fwDisabled = data->fwDisabled;
@ -882,12 +884,14 @@ testFirewallQueryHook(const char *const*args,
                      void *opaque G_GNUC_UNUSED)
 {
    if (STREQ(args[0], IPTABLES_PATH) &&
-        STREQ(args[1], "-L")) {
+        STREQ(args[1], "-w") &&
+        STREQ(args[2], "-L")) {
        *output = g_strdup(TEST_FILTER_TABLE_LIST);
    } else if (STREQ(args[0], IPTABLES_PATH) &&
-               STREQ(args[1], "-t") &&
-               STREQ(args[2], "nat") &&
-               STREQ(args[3], "-L")) {
+               STREQ(args[1], "-w") &&
+               STREQ(args[2], "-t") &&
+               STREQ(args[3], "nat") &&
+               STREQ(args[4], "-L")) {
        *output = g_strdup(TEST_NAT_TABLE_LIST);
    }
 }
@ -930,15 +934,15 @@ testFirewallQuery(const void *opaque G_GNUC_UNUSED)
    int ret = -1;
    const char *actual = NULL;
    const char *expected =
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.127 --jump REJECT\n"
-        IPTABLES_PATH " -L\n"
-        IPTABLES_PATH " -t nat -L\n"
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.130 --jump REJECT\n"
-        IPTABLES_PATH " -A INPUT --source-host '!192.168.122.129' --jump REJECT\n"
-        IPTABLES_PATH " -A INPUT --source-host '!192.168.122.129' --jump REJECT\n"
-        IPTABLES_PATH " -A INPUT --source-host 192.168.122.128 --jump REJECT\n"
-        IPTABLES_PATH " -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.1 --jump ACCEPT\n"
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.127 --jump REJECT\n"
+        IPTABLES_PATH " -w -L\n"
+        IPTABLES_PATH " -w -t nat -L\n"
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.130 --jump REJECT\n"
+        IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.129' --jump REJECT\n"
+        IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.129' --jump REJECT\n"
+        IPTABLES_PATH " -w -A INPUT --source-host 192.168.122.128 --jump REJECT\n"
+        IPTABLES_PATH " -w -A INPUT --source-host '!192.168.122.1' --jump REJECT\n";
    const struct testFirewallData *data = opaque;

    expectedLineNum = 0;