External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-08-05 00:13:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
02b8045517
libvirt/tests/nwfilterxml2firewalldata/target-linux.args
Daniel P. Berrangé 02b8045517 nwfilter: drop support for legacy iptables match syntax 
Long ago we adapted to iptables changes by introducing support
for '-m conntrack':

  commit 06844ccbaa
  Author: Stefan Berger <stefanb@us.ibm.com>
  Date:   Tue Aug 6 20:30:46 2013 -0400

    nwfilter: Use -m conntrack rather than -m state

    Since iptables version 1.4.16 '-m state --state NEW' is converted to
    '-m conntrack --ctstate NEW'. Therefore, when encountering this or later
    versions of iptables use '-m conntrack --ctstate'.

Given our supported platform targets, we no longer need to
consider a version of iptables before 1.4.16, so can drop
support for the old syntax.

The test suite updates are triggered because that never
probed for the new syntax, and so unconditionally
generated the old syntax.

Reviewed-by: Laine Stump <laine@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2022-03-09 11:37:12 +00:00

316 lines
4.7 KiB
Plaintext
Raw Blame History

ebtables \
--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 \
-j ACCEPT
ebtables \
--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 \
-j DROP
ebtables \
--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 \
-j DROP
ebtables \
--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 \
-j ACCEPT
ebtables \
--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 \
-j DROP
ebtables \
--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 \
-j DROP
iptables \
-w \
-A FJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m conntrack \
--ctstate NEW,ESTABLISHED \
-m comment \
--comment 'accept rule -- dir out' \
-j RETURN
iptables \
-w \
-A FP-vnet0 \
-p all \
--source 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m conntrack \
--ctstate ESTABLISHED \
-m comment \
--comment 'accept rule -- dir out' \
-j ACCEPT
iptables \
-w \
-A HJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m conntrack \
--ctstate NEW,ESTABLISHED \
-m comment \
--comment 'accept rule -- dir out' \
-j RETURN
iptables \
-w \
-A FJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m comment \
--comment 'drop rule -- dir out' \
-j DROP
iptables \
-w \
-A FP-vnet0 \
-p all \
--source 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m comment \
--comment 'drop rule -- dir out' \
-j DROP
iptables \
-w \
-A HJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m comment \
--comment 'drop rule -- dir out' \
-j DROP
iptables \
-w \
-A FJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m comment \
--comment 'reject rule -- dir out' \
-j REJECT
iptables \
-w \
-A FP-vnet0 \
-p all \
--source 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m comment \
--comment 'reject rule -- dir out' \
-j REJECT
iptables \
-w \
-A HJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m comment \
--comment 'reject rule -- dir out' \
-j REJECT
iptables \
-w \
-A FJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m conntrack \
--ctstate ESTABLISHED \
-m comment \
--comment 'accept rule -- dir in' \
-j RETURN
iptables \
-w \
-A FP-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m conntrack \
--ctstate NEW,ESTABLISHED \
-m comment \
--comment 'accept rule -- dir in' \
-j ACCEPT
iptables \
-w \
-A HJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m conntrack \
--ctstate ESTABLISHED \
-m comment \
--comment 'accept rule -- dir in' \
-j RETURN
iptables \
-w \
-A FJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m comment \
--comment 'drop rule -- dir in' \
-j DROP
iptables \
-w \
-A FP-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m comment \
--comment 'drop rule -- dir in' \
-j DROP
iptables \
-w \
-A HJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m comment \
--comment 'drop rule -- dir in' \
-j DROP
iptables \
-w \
-A FJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m comment \
--comment 'reject rule -- dir in' \
-j REJECT
iptables \
-w \
-A FP-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m comment \
--comment 'reject rule -- dir in' \
-j REJECT
iptables \
-w \
-A HJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m comment \
--comment 'reject rule -- dir in' \
-j REJECT
iptables \
-w \
-A FJ-vnet0 \
-p all \
-m comment \
--comment 'accept rule -- dir inout' \
-j RETURN
iptables \
-w \
-A FP-vnet0 \
-p all \
-m comment \
--comment 'accept rule -- dir inout' \
-j ACCEPT
iptables \
-w \
-A HJ-vnet0 \
-p all \
-m comment \
--comment 'accept rule -- dir inout' \
-j RETURN
iptables \
-w \
-A FJ-vnet0 \
-p all \
-m comment \
--comment 'drop rule -- dir inout' \
-j DROP
iptables \
-w \
-A FP-vnet0 \
-p all \
-m comment \
--comment 'drop rule -- dir inout' \
-j DROP
iptables \
-w \
-A HJ-vnet0 \
-p all \
-m comment \
--comment 'drop rule -- dir inout' \
-j DROP
iptables \
-w \
-A FJ-vnet0 \
-p all \
-m comment \
--comment 'reject rule -- dir inout' \
-j REJECT
iptables \
-w \
-A FP-vnet0 \
-p all \
-m comment \
--comment 'reject rule -- dir inout' \
-j REJECT
iptables \
-w \
-A HJ-vnet0 \
-p all \
-m comment \
--comment 'reject rule -- dir inout' \
-j REJECT
Reference in New Issue View Git Blame Copy Permalink