mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-09-19 14:10:58 +00:00
397c0f4b01
This patch adds some previously missing test cases that test for proper firewall rule creation when the following are included in the network definition: * <forward dev='blah'> * no forward element (an "isolated" network) * nat port range when only ipv4 is nat-ed * nat port range when both ipv4 & ipv6 are nated Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Signed-off-by: Laine Stump <laine@redhat.com>
387 lines
3.7 KiB
Plaintext
387 lines
3.7 KiB
Plaintext
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip \
|
|
libvirt_network \
|
|
guest_output \
|
|
iif \
|
|
virbr0 \
|
|
counter \
|
|
reject
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip \
|
|
libvirt_network \
|
|
guest_input \
|
|
oif \
|
|
virbr0 \
|
|
counter \
|
|
reject
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip \
|
|
libvirt_network \
|
|
guest_cross \
|
|
iif \
|
|
virbr0 \
|
|
oif \
|
|
virbr0 \
|
|
counter \
|
|
accept
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip6 \
|
|
libvirt_network \
|
|
guest_output \
|
|
iif \
|
|
virbr0 \
|
|
counter \
|
|
reject
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip6 \
|
|
libvirt_network \
|
|
guest_input \
|
|
oif \
|
|
virbr0 \
|
|
counter \
|
|
reject
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip6 \
|
|
libvirt_network \
|
|
guest_cross \
|
|
iif \
|
|
virbr0 \
|
|
oif \
|
|
virbr0 \
|
|
counter \
|
|
accept
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip \
|
|
libvirt_network \
|
|
guest_output \
|
|
ip \
|
|
saddr \
|
|
192.168.122.0/24 \
|
|
iif \
|
|
virbr0 \
|
|
counter \
|
|
accept
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip \
|
|
libvirt_network \
|
|
guest_input \
|
|
oif \
|
|
virbr0 \
|
|
ip \
|
|
daddr \
|
|
192.168.122.0/24 \
|
|
ct \
|
|
state \
|
|
related,established \
|
|
counter \
|
|
accept
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip \
|
|
libvirt_network \
|
|
guest_nat \
|
|
ip \
|
|
saddr \
|
|
192.168.122.0/24 \
|
|
ip \
|
|
daddr \
|
|
'!=' \
|
|
192.168.122.0/24 \
|
|
counter \
|
|
masquerade
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip \
|
|
libvirt_network \
|
|
guest_nat \
|
|
meta \
|
|
l4proto \
|
|
udp \
|
|
ip \
|
|
saddr \
|
|
192.168.122.0/24 \
|
|
ip \
|
|
daddr \
|
|
'!=' \
|
|
192.168.122.0/24 \
|
|
counter \
|
|
masquerade \
|
|
to \
|
|
:500-1000
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip \
|
|
libvirt_network \
|
|
guest_nat \
|
|
meta \
|
|
l4proto \
|
|
tcp \
|
|
ip \
|
|
saddr \
|
|
192.168.122.0/24 \
|
|
ip \
|
|
daddr \
|
|
'!=' \
|
|
192.168.122.0/24 \
|
|
counter \
|
|
masquerade \
|
|
to \
|
|
:500-1000
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip \
|
|
libvirt_network \
|
|
guest_nat \
|
|
ip \
|
|
saddr \
|
|
192.168.122.0/24 \
|
|
ip \
|
|
daddr \
|
|
255.255.255.255/32 \
|
|
counter \
|
|
return
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip \
|
|
libvirt_network \
|
|
guest_nat \
|
|
ip \
|
|
saddr \
|
|
192.168.122.0/24 \
|
|
ip \
|
|
daddr \
|
|
224.0.0.0/24 \
|
|
counter \
|
|
return
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip \
|
|
libvirt_network \
|
|
guest_output \
|
|
ip \
|
|
saddr \
|
|
192.168.128.0/24 \
|
|
iif \
|
|
virbr0 \
|
|
counter \
|
|
accept
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip \
|
|
libvirt_network \
|
|
guest_input \
|
|
oif \
|
|
virbr0 \
|
|
ip \
|
|
daddr \
|
|
192.168.128.0/24 \
|
|
ct \
|
|
state \
|
|
related,established \
|
|
counter \
|
|
accept
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip \
|
|
libvirt_network \
|
|
guest_nat \
|
|
ip \
|
|
saddr \
|
|
192.168.128.0/24 \
|
|
ip \
|
|
daddr \
|
|
'!=' \
|
|
192.168.128.0/24 \
|
|
counter \
|
|
masquerade
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip \
|
|
libvirt_network \
|
|
guest_nat \
|
|
meta \
|
|
l4proto \
|
|
udp \
|
|
ip \
|
|
saddr \
|
|
192.168.128.0/24 \
|
|
ip \
|
|
daddr \
|
|
'!=' \
|
|
192.168.128.0/24 \
|
|
counter \
|
|
masquerade \
|
|
to \
|
|
:500-1000
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip \
|
|
libvirt_network \
|
|
guest_nat \
|
|
meta \
|
|
l4proto \
|
|
tcp \
|
|
ip \
|
|
saddr \
|
|
192.168.128.0/24 \
|
|
ip \
|
|
daddr \
|
|
'!=' \
|
|
192.168.128.0/24 \
|
|
counter \
|
|
masquerade \
|
|
to \
|
|
:500-1000
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip \
|
|
libvirt_network \
|
|
guest_nat \
|
|
ip \
|
|
saddr \
|
|
192.168.128.0/24 \
|
|
ip \
|
|
daddr \
|
|
255.255.255.255/32 \
|
|
counter \
|
|
return
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip \
|
|
libvirt_network \
|
|
guest_nat \
|
|
ip \
|
|
saddr \
|
|
192.168.128.0/24 \
|
|
ip \
|
|
daddr \
|
|
224.0.0.0/24 \
|
|
counter \
|
|
return
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip6 \
|
|
libvirt_network \
|
|
guest_output \
|
|
ip6 \
|
|
saddr \
|
|
2001:db8:ca2:2::/64 \
|
|
iif \
|
|
virbr0 \
|
|
counter \
|
|
accept
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip6 \
|
|
libvirt_network \
|
|
guest_input \
|
|
oif \
|
|
virbr0 \
|
|
ip6 \
|
|
daddr \
|
|
2001:db8:ca2:2::/64 \
|
|
ct \
|
|
state \
|
|
related,established \
|
|
counter \
|
|
accept
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip6 \
|
|
libvirt_network \
|
|
guest_nat \
|
|
ip6 \
|
|
saddr \
|
|
2001:db8:ca2:2::/64 \
|
|
ip6 \
|
|
daddr \
|
|
'!=' \
|
|
2001:db8:ca2:2::/64 \
|
|
counter \
|
|
masquerade
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip6 \
|
|
libvirt_network \
|
|
guest_nat \
|
|
meta \
|
|
l4proto \
|
|
udp \
|
|
ip6 \
|
|
saddr \
|
|
2001:db8:ca2:2::/64 \
|
|
ip6 \
|
|
daddr \
|
|
'!=' \
|
|
2001:db8:ca2:2::/64 \
|
|
counter \
|
|
masquerade \
|
|
to \
|
|
:500-1000
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip6 \
|
|
libvirt_network \
|
|
guest_nat \
|
|
meta \
|
|
l4proto \
|
|
tcp \
|
|
ip6 \
|
|
saddr \
|
|
2001:db8:ca2:2::/64 \
|
|
ip6 \
|
|
daddr \
|
|
'!=' \
|
|
2001:db8:ca2:2::/64 \
|
|
counter \
|
|
masquerade \
|
|
to \
|
|
:500-1000
|
|
nft \
|
|
-ae insert \
|
|
rule \
|
|
ip6 \
|
|
libvirt_network \
|
|
guest_nat \
|
|
ip6 \
|
|
saddr \
|
|
2001:db8:ca2:2::/64 \
|
|
ip6 \
|
|
daddr \
|
|
ff02::/16 \
|
|
counter \
|
|
return
|