All the unit tests that use iptables/ip6tables/ebtables have been written to omit the locking/exclusive use primitive on the generated commandlines. Even though none of the tests actually execute those commands (and so it doesn't matter for purposes of the test whether or not the commands support these options), it still made sense when some systems had these locking options and some didn't. We are now at a point where every supported Linux distro has supported the locking options on these commands for quite a long time, and we are going to make their use non-optional. As a first step, this patch uses the virFirewallSetLockOverride() function, which is called at the beginning of all firewall-related tests, to set all the bools controlling whether or not the locking options are used to true. This means that all the test cases must be updated to include the proper locking option in their commandlines. The change to make actual execs of the commands unconditionally use the locking option will be in an upcoming patch - this one affects only the unit tests. Signed-off-by: Laine Stump <laine@redhat.com> Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
ebtables \
--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 \
-j ACCEPT
ebtables \
--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 \
-j DROP
ebtables \
--concurrent \
-t nat \
-A libvirt-J-vnet0 \
-s 01:02:03:04:05:06/ff:ff:ff:ff:ff:ff \
-p 0x806 \
-j DROP
ebtables \
--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 \
-j ACCEPT
ebtables \
--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 \
-j DROP
ebtables \
--concurrent \
-t nat \
-A libvirt-P-vnet0 \
-d aa:bb:cc:dd:ee:ff/ff:ff:ff:ff:ff:ff \
-p 0x800 \
-j DROP
iptables \
-w \
-A FJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-m comment \
--comment 'accept rule \
-- dir out' \
-j RETURN
iptables \
-w \
-A FP-vnet0 \
-p all \
--source 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m state \
--state ESTABLISHED \
-m comment \
--comment 'accept rule \
-- dir out' \
-j ACCEPT
iptables \
-w \
-A HJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m state \
--state NEW,ESTABLISHED \
-m comment \
--comment 'accept rule \
-- dir out' \
-j RETURN
iptables \
-w \
-A FJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m comment \
--comment 'drop rule \
-- dir out' \
-j DROP
iptables \
-w \
-A FP-vnet0 \
-p all \
--source 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m comment \
--comment 'drop rule \
-- dir out' \
-j DROP
iptables \
-w \
-A HJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m comment \
--comment 'drop rule \
-- dir out' \
-j DROP
iptables \
-w \
-A FJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m comment \
--comment 'reject rule \
-- dir out' \
-j REJECT
iptables \
-w \
-A FP-vnet0 \
-p all \
--source 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m comment \
--comment 'reject rule \
-- dir out' \
-j REJECT
iptables \
-w \
-A HJ-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--destination 10.1.2.3/32 \
-m dscp \
--dscp 2 \
-m comment \
--comment 'reject rule \
-- dir out' \
-j REJECT
iptables \
-w \
-A FJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-m comment \
--comment 'accept rule \
-- dir in' \
-j RETURN
iptables \
-w \
-A FP-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state NEW,ESTABLISHED \
-m comment \
--comment 'accept rule \
-- dir in' \
-j ACCEPT
iptables \
-w \
-A HJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m state \
--state ESTABLISHED \
-m comment \
--comment 'accept rule \
-- dir in' \
-j RETURN
iptables \
-w \
-A FJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m comment \
--comment 'drop rule \
-- dir in' \
-j DROP
iptables \
-w \
-A FP-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m comment \
--comment 'drop rule \
-- dir in' \
-j DROP
iptables \
-w \
-A HJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m comment \
--comment 'drop rule \
-- dir in' \
-j DROP
iptables \
-w \
-A FJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m comment \
--comment 'reject rule \
-- dir in' \
-j REJECT
iptables \
-w \
-A FP-vnet0 \
-p all \
-m mac \
--mac-source 01:02:03:04:05:06 \
--source 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m comment \
--comment 'reject rule \
-- dir in' \
-j REJECT
iptables \
-w \
-A HJ-vnet0 \
-p all \
--destination 10.1.2.3/22 \
-m dscp \
--dscp 33 \
-m comment \
--comment 'reject rule \
-- dir in' \
-j REJECT
iptables \
-w \
-A FJ-vnet0 \
-p all \
-m comment \
--comment 'accept rule \
-- dir inout' \
-j RETURN
iptables \
-w \
-A FP-vnet0 \
-p all \
-m comment \
--comment 'accept rule \
-- dir inout' \
-j ACCEPT
iptables \
-w \
-A HJ-vnet0 \
-p all \
-m comment \
--comment 'accept rule \
-- dir inout' \
-j RETURN
iptables \
-w \
-A FJ-vnet0 \
-p all \
-m comment \
--comment 'drop rule \
-- dir inout' \
-j DROP
iptables \
-w \
-A FP-vnet0 \
-p all \
-m comment \
--comment 'drop rule \
-- dir inout' \
-j DROP
iptables \
-w \
-A HJ-vnet0 \
-p all \
-m comment \
--comment 'drop rule \
-- dir inout' \
-j DROP
iptables \
-w \
-A FJ-vnet0 \
-p all \
-m comment \
--comment 'reject rule \
-- dir inout' \
-j REJECT
iptables \
-w \
-A FP-vnet0 \
-p all \
-m comment \
--comment 'reject rule \
-- dir inout' \
-j REJECT
iptables \
-w \
-A HJ-vnet0 \
-p all \
-m comment \
--comment 'reject rule \
-- dir inout' \
-j REJECT